Is there no limit to how much personal data governments think they should control?
The Fourth Money Laundering Directive (2015) requires all member states to set up centralised national bank and payment account registers.
It also requires that that information must be made available to law enforcement agencies.
This requirement was not contained in the Directive when it was passed.
Instead it was announced in a circular dated 2 February 2016 saying “Centralised national bank and payment account registers or central data retrieval systems in all Member States: the Directive will be amended to give Financial Intelligence Units easier and faster access to information on the holders of bank and payment accounts”.
The circular said that this, and other changes, should be “carried out by the end of 2017.” As a result, we got the Fifth Money Laundering Directive which came into force on 30 May 2018.
Here’s the part that should worry everyone.
Delayed access to information by FIUs and other competent authorities on the identity of holders of bank and payment accounts and safe-deposit boxes, especially anonymous ones, hampers the detection of transfers of funds relating to terrorism. National data allowing the identification of bank and payments accounts and safe-deposit boxes belonging to one person is fragmented and therefore not accessible to FIUs and to other competent authorities in a timely manner. It is therefore essential to establish centralised automated mechanisms, such as a register or data retrieval system, in all Member States as an efficient means to get timely access to information on the identity of holders of bank and payment accounts and safe-deposit boxes, their proxy holders, and their beneficial owners. When applying the access provisions, it is appropriate for pre-existing mechanisms to be used provided that national FIUs can access the data for which they make inquiries in an immediate and unfiltered manner. Member States should consider feeding such mechanisms with other information deemed necessary and proportionate for the more effective mitigation of risks relating to money laundering and the financing of terrorism. Full confidentiality should be ensured in respect of such inquiries and requests for related information by FIUs and competent authorities other than those authorities responsible for prosecution.
It’s remarkable that this has slipped into law without public outcry.
I ask myself this: if the general thrust of the media and social media was not to undermine the will of the British people as shown in the “Brexit” vote, would the imposition of such a measure by the EU have received more attention?
One of the reasons that so many voted to leave the EU was over excessive intrusion into personal lives.
This is in addition to the requirement that “Member States should ensure that beneficial ownership information is stored in a central register located outside the company, in full compliance with Union law. Member States can, for that purpose, use a central database which collects beneficial ownership information, or the business register, or another central register.” (D IV recital 15 and Article 30).
As we know, states have been busy putting this into place this year.
The Fifth Directive does far more than this, including a long-overdue requirement for member states to produce lists of Politically Exposed Persons and to indicate their function.
However, that looks to be fraught with problems: the list is of no use unless obvious personal identifiers are included and if that’s the case it will conflict with, inter alia, GDPR. Recital 40 says “This Directive is without prejudice to the protection of personal data processed by competent authorities in accordance with Directive (EU) 2016/680.”
The list should also include “international organisations accredited on their territories” but that’s a request, not a requirement. And, of course, those headquartered in New York, Switzerland and various Asian countries are, on the face of it, not included.
And now the EU is already working on D VI.
How are financial institutions, etc., supposed to keep up?
Does the EU not realise that constantly changing compliance militates against effectiveness and diverts resources away from the far more important risk management.
For heaven’s sake: just stop changing stuff. Or if you have to change it, take time, get it right first time and give it a planned life of at least five years.
And stop turning Europe into a police state.