PONT Data&Privacy

Major banks deny criminality of illegal data sharing under Transaction Monitoring Netherlands

A legal opinion by law firm Prakken d'Oliveira argues that five major Dutch banks (ING, Rabobank, ABN AMRO, de Volksbank and Triodos) may have acted criminally in their cooperation under Transaction Monitoring Netherlands (TMNL). The Human Rights in Finance Foundation has been critical of the project for years and dragged De Nederlandsche Bank to court to force enforcement. But the damage has actually been done; after three years of unlawful processing, TMNL has stored and analyzed an estimated 10 billion transaction records.

July 15, 2024

Working together to fight fraud that could not otherwise have been detected: that was the justification for the years of cooperation under TMNL. Concrete evidence for this assumption does not exist to this day. However, experts do point out the risks that public-private cooperation entails. Moreover, we are talking about one of the most advanced and far-reaching AI applications to date, as virtually every Dutch citizen has been subjected - directly or indirectly - to TMNL's algorithms.

Before going into details, a summary of the TMNL project. The project consisted of a collaboration between the five banks, the Ministry of Finance, the Dutch Banking Association (NVB) and De Nederlandsche Bank (DNB). Under the TMNL partnership, data were shared for some three years, presumably without a legal basis, in what the Council of State called an "unprecedented scale of data sharing."

Simon Lelieveldt, director of the Human Rights in Finance Foundation (HRIF), estimates that banks have processed some 10 billion transaction records over the past three years. The foundation also argues that the banks are violating the outsourcing ban in the Money Laundering and Terrorist Financing (Prevention) Act (Wwft). This contention has been validated by the legal opinion of human rights lawyer Dr. mr. Krit Zeegers, who also argues that the banks acted criminally. For Lelieveldt, it is clear: "Transaction Monitoring Netherlands is a wolf in sheep's clothing, which is being justified by legal chatter."

The five banks responded to the legal opinion in a joint statement to PONT | Data & Privacy. The banks deny that there was any data exchange between banks and claim that no outsourcing of transaction monitoring to TMNL took place.

Establishment of Transaction Monitoring Netherlands

Tackling money laundering and fraud through joint monitoring by banks and Artificial Intelligence (AI) was the outline for the Transaction Monitoring Project (TMNL). It became a global outlier in the fight against growing criminal money flows, led by the Rutte III-IV administration. Its creation stems from the Ministry of Finance's ambitions to become a global leader in the fight against fraud. When the largest five banks, through the project's spokesperson, the Dutch Banking Association (NVB), announced the cooperation in 2021, the Ministry of Finance and the regulator responded enthusiastically.

At that time, joint transaction monitoring was still prohibited under the Wwft. A bill was to follow to allow it anyway, and the regulator allowed the cooperation. Of particular note is that De Nederlandsche Bank was involved in the establishment and, it says, contributes by sharing knowledge with TMNL. In a report, the regulator writes that initiatives such as TMNL should be encouraged (https://www.dnb.nl/media/r1ens11b/jaarverslag-dnb-2021-pdf2a.pdf, page 43); this clashes with the legal prohibition on outsourcing monitoring of corporate clients. Such monitoring, according to De Nederlandsche Bank's Wwft and Sw guidelines, must be carried out by banks themselves. On its website, TMNL itself says that the company "currently only monitors transactions of corporate customers."

According to the HRIF foundation, however, the data sharing covers almost the entire payment traffic at the five largest banks in the Netherlands. Only transfers between private individuals and the payment traffic of companies with an annual turnover above EUR 250 million are excluded from monitoring by TMNL, according to the foundation.

TMNL's work will continue until the legal issue is finally settled by adoption of the Anti Money Laundering (AML) regulation by the European Council this spring. In it, a different route is chosen regarding joint monitoring. Europe is thus putting a definitive line through the plans of the Ministry, De Nederlandsche Bank and TMNL.

Criminal action

The ultimate goal of the cooperation is to provide information to the Financial Intelligence Unit (FIU-Nederland) so they can track down money-laundering criminals. But data sharing by banks to TMNL could potentially qualify as a cybercrime, according to Dr. Krit Zeegers, a lawyer in financial criminal law at Prakken d'Oliveira. Indeed, sharing automatically recorded non-public data has been a cybercrime since 2019. In his legal opinion Zeegers concludes:

"There is no legal ground or authority for the transmission of the transaction data by banks to TMNL - the establishment of TMNL is an independent initiative of the participating banks. Therefore, the transmission of this data seems to qualify as unlawful. Especially since, as noted above, the Wwft prohibits financial institutions from outsourcing their transaction monitoring obligation to third parties. At least, the authority to outsource parts of the client screening process to third parties explicitly excludes transaction monitoring.

The passing on of banking transaction data of business customers by ABN AMRO, ING, Rabobank, Triodos Bank and Volksbank to TMNL (and, through TMNL, to the other participating banks) thus fulfills all the components of the offense description in Article 138c of the Criminal Code and thus qualifies as a criminal offense. Similarly, the feedback from TMNL to individual banks qualifies as such as it transmits for the banks (the other) an adaptation of the previously unlawful information."

The opinion disputes TMNL's positions and is clear: "Data sharing with TMNL is criminally qualified under Section 138c of the Criminal Code." According to Lelieveldt, the situation is reminiscent of a quote from Nietzsche: "Beware that, when fighting monsters, you yourself do not become a monster."

However, the major banks disagree with the factual and legal contentions as formulated by Zeegers. In a response to PONT | Data & Privacy, the banks collectively let us know the following about the legal opinion:

"First of all, the banks do not share transaction data with each other through Transaction Monitoring Netherlands (TMNL), as falsely stated by the law firm. The signals issued by TMNL to the individual banks relate only to the customers of the bank in question. In doing so, the banks see no data from any of the other banks.

Moreover, none of the five participating Dutch banks has ever "outsourced" their activities to TMNL, either in a legal or factual sense, let alone in a way that would violate applicable anti-money laundering laws and regulations, and/or even Dutch criminal law, as the law firm's analysis falsely suggests.

As gatekeepers of the financial system, all participating banks have always independently conducted their own customer due diligence, including ongoing transaction monitoring. The banks have never leaned on TMNL's services for such activities, let alone replacing their own activities as if they were "outsourced" to TMNL as an external party. As such, the TMNL processes fall within the permissible legal framework and will continue to do so, with relevance that this framework is being reshaped now that the European authorities have recently introduced the new EU Anti-Money Laundering Regulation (AMLR)."

The banks thus argue that 1) no transaction data is shared among the banks themselves through TMNL, and 2) there is no outsourcing in the factual or legal sense.

The statement conflicts with the privacy statements and terms and conditions of several of the participating banks. For example, ABN AMRO states the following in its 2021 privacy statement:

To better combat financial and economic crime, banks have established TMNL. TMNL helps by order of banks including ABN AMRO with improving the detection of financial crime and terrorist financing.

https://www.abnamro.nl/nl/media/Privacyverklaring%202024_tcm16-225162.pdf, page 8.

ING says in an annual report it is providing data for a shared database:

Throughout 2022, ING continued to work in a consortium of Dutch banks on Transaction Monitoring Netherlands (TMNL). The initiative, which monitors transactions within a combined database, is operational and intersecting with thematic areas of focus for law enforcement, enabling us to better understand potential criminal money flows, and improve our detection controls in response to these insights.

https://www.ing.com/MediaEditPage/2022-Annual-Report-ING-Bank-N.V..htm, page 124.

Also in Rabobank's privacy statement, the bank states that it engages TMNL as a processor to better meet its legal obligation.

We can also engage other parties as a processor to better meet our own legal obligations. For example, we use Transaction Monitoring Netherlands to improve banks' transaction monitoring.

https://media.rabobank.com/m/5122985e66bb9c88/original/Privacy-Statement-2023-NL.pdf, page 19.

In short, although the banks do not share data with each other through TMNL, they do share transaction data with TMNL. In doing so, TMNL performs work on behalf of the banks and is considered a processor. However, the banks argue that there is no outsourcing in either legal or factual terms.

According to the legislative history of the Wwft, the Wft definition of outsourcing applies. That definition reads as follows:

outsourcing: the giving by a financial company of an assignment to a third party to perform work on its behalf:

  • that is part of or arises out of the conduct of its business or the provision of financial services; or

  • that is part of the essential business processes supporting them.

https://wetten.overheid.nl/BWBR0020368/2024-07-01

Given this legal meaning of outsourcing, the banks' statement seems difficult to defend.

'Unprecedented mass surveillance'

"Unprecedented mass surveillance." That's what the Personal Data Authority (AP) called the bill submitted to formalize the TMNL project on Jan. 26, 2023. The AP considers the bill a form of indiscriminate mass surveillance by private parties, in violation of the principle of proportionality and the Charter of Fundamental Rights of the European Union, resulting in unlawful infringement of fundamental rights.

Records show that on August 31, 2021, the Ministry of Finance knew that TMNL's activities were beyond what was permitted and that TMNL had misinformed the Ministry:

"Following the critical opinion of the RvS, we have had intensive discussions with the banks about the possibilities of limiting the legal basis for joint transaction monitoring. It emerged from these discussions that TMNL's current activities extend beyond what was previously known to the ministry."

https://open.overheid.nl/documenten/ronl-e333903480c1fbe1cf4f9b529d34f6030f405a42/pdf, page 33.

Even more uncomfortable is the fact that the Ministry knew on Jan. 18, 2021, that special personal data was being processed by TMNL without a legal basis. In its opinion, the Council of State notes the following with respect to joint transaction monitoring by TMNL: "Special and criminal data are processed." To which the Ministry responds in the affirmative: "This is correct, transactional data may contain special and criminal personal data."

https://open.overheid.nl/documenten/ronl-e333903480c1fbe1cf4f9b529d34f6030f405a42/pdf, page 27.

In conclusion, the ministry, led by Wopke Hoekstra (CDA), made a conscious decision to allow TMNL to continue the unlawful processing of special personal data. The only question is on what scale. What is known is that TMNL was not stopped by the D66 ministers who succeeded Hoekstra under Rutte IV. Indeed, the termination of TMNL did not follow until July 1, 2024.

Supervision

In reporting by Follow the Money, DNB does not say whether it can clarify whether TMNL and the banks are violating the outsourcing ban. When asked whether the cooperation has been tested against the law, the spokesperson replies that this is "supervisory confidentiality." The AP also let it be known that it cannot make any statements about investigations, ongoing or otherwise.

Although TMNL has announced it is winding down its operations because of new European legislation that allows joint monitoring only in limited cases, the Human Rights in Finance Foundation does not intend to stop litigating. Lelieveldt: "so that DNB guarantees that all transactions and algorithms are completely destroyed and can never be reused."

In anticipation of a possible mass claim in the future, the foundation has published a standard letter so that individuals who become the subject of investigation by the banks and are concerned about their privacy can object.

The question remains as to why regulators remain reluctant. What is clear, however, is that public-private cooperation in the context of what was traditionally a public task, namely investigation, is creating new problems and areas of tension between the various implementing agencies, industry and the public. Public-private cooperation, according to experts, leads to a surveillance and intelligence apparatus that can be used for detection beyond the relevant safeguards of criminal law.
