EU AML/CTF & the Duality of Financial Data: Rule Based Processing & Risk Based Compliance

I have argued that the dual nature of financial data means that it is simultaneously governed by two regimes: anti-money-laundering (AML) and counter-terrorism finance (CTF) laws that seek to protect the financial system from fraud, crime, and political violence; and data protection and privacy laws that seek to protect an individual’s identity and choices from government and private abuse. However, neither set of regulations adequately addresses financial data’s dual role.

Much of my research focused on the challenges this poses for multinational financial institutions, but the same issues apply to law enforcement authorities operating in the financial crime space. The most recent example pertains to FIU.net, a decentralized data-sharing platform housed within Europol that gives EU Financial Intelligence Units (FIUs) control over the information they share with their European counterparts, while maintaining control of that data within EU jurisdictions.[1]

In December 2019, the European Data Protection Supervisor (EDPS) imposed a year-long ban on Europol’s technical operation of FIU.net because it breached the Europol Regulation, which limits processing to police data and suspects. However, the definition of a suspect varies according to Member State law, and for that reason the Europol Cooperation Board could not “consistently ensure that Europol is legally competent” to process all types of suspicious transaction data that passed through FIU.net, since the data also covered individuals not suspected of financial crimes. In the words of the report:

To comply with the [Europol] rules, individuals involved in suspicious transactions would have to be considered as suspects. FIUs, however, act before the start of any criminal proceeding or investigation has begun.

This is true, but the core of the AML risk-based method, as recommended by the Financial Action Task Force (FATF) and the EU’s 4th Anti-Money Laundering Directive (4AMLD), stipulates that financial institutions must report suspicious activity to FIUs. Suspicion is determined not by a legal standard, but by each institution’s own risk assessment, which depends on factors specific to that institution. Furthermore, there are mandatory thresholds for reporting currency transactions, which again do not denote illegal acts. As a result, most reports FIUs receive do not make an individual a suspect under the law and so present insufficient grounds for FIU.net to operate under the technical care of Europol.

The current rule-based framework for the collection and transfer of financial crime data among private entities, authorities, and EU organizations is incompatible with the risk-based method and with mapping the illicit economy. It is difficult to identify a suspect from the contents of a single report, as one piece of information may not signal an illicit act on its own; it must be combined and analyzed with multiple pieces of information held by several parties in order to unmask illicit networks, reach legal thresholds of intent, determine suspects, and initiate investigations.

Thus, while the legal foundation of the EDPS decision was clear, it was not in balance with the anti-financial crime regime in which it operates. The EDPS suspension was meant to give time for a “smooth transition of the technical administration of FIU.net to another entity” by December 2020, which is now less than 7 months away. It is difficult to determine the suspension’s impact on inter-European cooperation (although the Egmont Secure Web (ESW) email system maintained by the US FIU, FinCEN, is still available to EU FIUs).

On June 17, 2020, the European Council’s “CONCLUSIONS on enhancing financial investigations to fight serious and organised crime” seemed to acknowledge the problem, reaffirming a fundamental fact of combating financial crime: that the private sector possesses “significant amounts of personal data possibly [emphasis added] relevant for law enforcement authorities.” While calling for the Commission to make a “temporary arrangement” for FIU.net and to “table a proposal for a long term solution,” the Council encouraged the creation of legal frameworks for cross-border cooperation and information sharing among FIUs, between FIUs and Europol, and between public and private parties.

In the case of Europol and FIU.net, it is difficult to identify which EU institution could legally and operationally process potentially criminal data in support of FIUs, the financial crime regime, and the new Europol Financial and Economic Crime Centre (EFECC), while also uniting the EU’s AML supervisory capabilities. Legal frameworks must address the realities of risk-based reporting and suspicion without depending on rule-based data processing. To bridge the gap, the Commission and EDPS should focus on outlining safeguards for processing AML data for both public and private entities, as suggested in 4AMLD, GDPR, Directive (EU) 2019/1153, Regulation (EU) 2016/794, and other applicable laws.


[1] In 2014, I spent the day at Europol learning the FIU.net model. It influenced my work on a transaction monitoring methodology with standardized yet flexible data sets that can be used across business lines and inform risk assessments, which can set standards for suspicion and mitigate this issue. (Happy to discuss in DM).