Privacy First advocates safeguards to prevent citizens from losing out to new European crime-fighting rules (anti-money laundering package)
Privacy First participated in the legislative consultation on the implementation law that implements the new European anti-money laundering regulations. In our consultation contribution, we make numerous suggestions to better protect citizens, small and medium-sized businesses and small and medium-sized nonprofit organizations from the harmful effects these regulations may have on them.
Under European regulations, crime-fighting tasks are already performed by companies, including banks, notaries and accountants. Those companies ("money-laundering obligors") are required to make a risk profile of each customer, assessing whether the customer could be criminal. Furthermore, they must monitor the relationship with the customer and the transactions in which they are involved and are obliged to report crime suspicions to the government (FIU Netherlands). These rules are currently laid down in a Dutch law, the Money Laundering and Terrorist Financing (Prevention) Act (Wwft).
These regulations have resulted in great social harm: among other things, it has become difficult for certain business sectors and nonprofit organizations to open a bank account, and people are sometimes confronted with discriminatory practices by money-laundering offenders. Furthermore, money-launderers sometimes request very large amounts of confidential and privacy-sensitive data from their customers, going much further than necessary for fear of government sanctions. In a letter dated May of this year, the Minister of Finance acknowledged that the anti-money-laundering effort has gone too far and promised to take action. The question for Privacy First, however, is whether the minister can keep his promises now that the Netherlands will soon have little say in the fight against money laundering.
In mid-2027, the new European Anti-Money Laundering Regulation (AMLR) and other parts of the European Anti-Money Laundering Package will enter into force. A lot is going to change then, and not always for the better.
Privacy First considered the consultation as a good opportunity to urge the Dutch government to take measures to reduce the harmful effects of money laundering. We emphasize that we are not opposed to involving companies in crime fighting. Our objections are directed against assigning tasks to companies that are not suitable for them, against the disproportionate costs incurred by money laundering fighters that are passed on to the client, and against the failure to respect the fundamental rights of citizens, small and medium-sized businesses and small and medium-sized nonprofit organizations.
Privacy First sees the implementation of European regulations as a good time to improve safeguards for citizens. To this end, we make numerous proposals in our consultation response, including these:
The legal protection of consumers, SMEs and small and medium-sized nonprofit organizations will be dramatically improved, including through the establishment of a financial ombudsman to handle all complaints on anti-money laundering issues and through low-threshold access to the independent courts.
Money-laundering firms should be required to communicate about their customer research through a secure channel. They should be prohibited from requiring customers to use the European Digital Identity (EUDI) wallet. They should also be explicitly prohibited from requesting access to customers' bank accounts through open banking or open finance.
Automated risk profiling of customers by large money-laundering firms, such as banks, should follow the principles of the European AI Regulation, including a fundamental rights compliance assessment (FRIA).
Anti-money laundering supervisors, such as DNB, should be required to also enforce non-compliance with data protection rules and respect for customers' fundamental rights. When sanctioning, they should consider whether the sanctions could result in fundamental rights violations.
Monitoring of compliance by both anti-money laundering and public authorities with data protection, anti-discrimination and other fundamental rights rules will be improved by increasing the capacity of the Data Protection Authority and by mandatory audits that will take place periodically.
We urge the Dutch government to promote the removal of elements of the European anti-money laundering rules that violate fundamental rights. One example is the far too broad definition of "politically exposed person" (PEP), which leads to a large group of innocent citizens being classified as high risk of crime on incorrect grounds. For example, all parents and children of members of the House of Representatives are supposedly high risk for crime.
Privacy First hopes that a public discussion can begin about concepts behind the privatization of crime fighting. Privacy First also hopes that politicians will retrace their steps and urge Brussels to reconsider and adjust the rules. Fundamental rights of citizens deserve far more protection than is provided under these rules.
Our full consultation response is HERE at.