Dutch Data Protection Authority on Collision Course with Anti-Money Laundering Legislation

Last month, the Dutch government proposed sweeping changes to the country’s Anti-Money Laundering and Anti-Terrorism Financing Act, which would give banks new powers to investigate suspicious activity.

Existing laws have been criticised for failing to adequately prevent financial crimes, but opponents of the new bill suggest that it swings too far in the other direction, impinging on individuals’ data privacy rights.

The GDPR (General Data Protection Regulation) contains strict requirements on the way personal data must be processed, which puts the bill in a precarious position.

Why is the bill controversial?

Under the bill, Dutch banks would be given more freedom to combine and analyse their customers’ payment data. The Dutch government noted that criminals often store funds in different banks to prevent authorities from spotting patterns of large deposits. It believes that joint transaction monitoring would combat this threat.

Five of the nation’s banks – ABN AMRO, ING, Rabobank, Triodos Bank and de Volksbank – have already implemented TMNL (Transaction Monitoring Netherlands) as part of a joint effort to tackle money laundering.

However, by expanding cooperation in transaction monitoring, the government hopes that banks will be better equipped to spot fraudulent behaviour. One way that it hopes to do this is with AI (artificial intelligence) software that would collect and disseminate customer information.

Commenting on the plans, cyber security lawyer Wouter Seinen said: “We believe that it is time to use AI to more effectively track down criminal money flows. The recent past has shown that banks have difficulty doing this in a cost-effective way on an individual basis.

“The fact that banks can tackle this jointly with the amended Act will certainly contribute to the aim of the [bill]. Nevertheless, safeguards will have to be given on parts to protect the rights of customers.”

What about the GDPR?

The bill gives banks more freedom to use individuals’ financial data, which is considered a special category of personal information under the GDPR and is therefore subject to extra precautions.

“For banks, this means that the data will have to be made available to an independent institution that will collect and analyse all this data from and on behalf of the banks,” Seinen noted.

“Yet the underlying privacy challenges should not be underestimated. Many critical questions remain to be answered, such as how is the ‘independence’ of this institute guaranteed; who makes the decisions in regard to that; how does the feedback to banks take place; how are the rights of the consumer safeguarded and how are the fundamental rights like access to financial services of customers guaranteed?” he added.

Seinen also noted that the Dutch data protection authority recently issued enforcement action against the country’s tax authority over its use of individuals’ financial data. It was found to have no lawful basis for processing personal data, plus its records were incorrect, improperly protected and stored without a retention period.

As a result, the Dutch regulator imposed a €3.7 million fine – setting a precedent over the conflict between the GDPR’s compliance requirements and the use of personal data for crime detection.

A similar issue occurred recently with Clearview AI, an organisation that built AI-powered facial recognition software that it sells to law enforcement.

Clearview has repeatedly insisted that it isn’t subject to the GDPR, with its CEO Hoan Ton-That claiming that its technology is designed “to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts”.

Nonetheless, the organisation has received almost half a dozen GDPR fines, while Sweden’s police force – which uses Clearview’s tech – has also been fined.

Based on these examples, it’s clear that the GDPR cannot be circumvented even if the information is being used to prevent crime. And as Wouter Seinen adds: “It is not inconceivable that the supervisory authority could take the same stance on the proposed anti-money laundering bill.”

Whether that happens or not remains to be seen, but it demonstrates the power that the GDPR has and how easy it is to overlook circumstances where it applies.

If you’re among those questioning whether your practices fall short of your legal requirements, IT Governance can help you find an answer.

Our team of experts are on hand to help you with whatever issues you face – whether that’s uncertainty over whether certain practices are within the GDPR’s scope or the need for ongoing compliance support.
