EU Article 75 – Pan EU information sharing is coming, but will it be enough?
The new EU AML package passed in April by the European Parliament marks almost the end of “so what’s next” to 2030 in the EU’s response to improving the bloc’s approach to fighting financial crime targeting money laundering and terrorism finance, with effectiveness the key challenge.
In passing the AML package, which is subject to a nod through by the EU Council, the headlines have gone to the establishment of the new AML Authority to be established after a contest in Frankfurt to protect the bloc from weak supervision and by extension improve the response from the blocs regulated entities, focussed on the large regional banks, and FIUs, to the establishment of a common EU AML rule book to ensure minimum standards, and new elements which include more restrictions on purchases of high value goods and transactions, and even possible regulation on football clubs.
Whilst these are genuinely positive developments they are not quite “old wine in new bottles” and are generally “evidence based” necessary changes but they can’t be described as bold innovations either, even though the AMLA is important – its aim is to do what had already been expected but couldn’t be achieved through domestic supervision alone.
The context for the EU AML Action Plan was revealed recently by Europol who released findings that the EU was facing its most serious organised crime threats from 821 organised crime (OC) groups represented by about 20,000 criminal members. These groups targeted drugs fraud, human and arms trafficking, migrant smuggling, acquisitive crime etc which all generate large sums which are then laundered via legitimate businesses for 86% of these groups via construction, hospitality and logistics and additionally through real estate, cash intensive businesses, high value goods and crypto. Just 6% are fully based outside the EU.
This report delves into the inner workings of the criminal networks that pose the highest threat to the EU’s security. The report, which features a Europe-wide analysis from the perspective of law enforcement, is a first of its kind. It describes, in detail, how the most threatening criminal networks are organised, which criminal activities they engage in, and how and where they operate. The report also assesses which specific characteristics the criminal networks hold that increase the threat to the EU’s internal security.
All EU Member States and 17 of Europol’s partner countries contributed data to identify the most threatening criminal networks in Europe. This resulted in a unique dataset of 821 most threatening criminal networks, with extensive information on all aspects that describe them and help assess their threat.
This mapping report is one of the key deliverables of the Belgian presidency of the Council of the European Union, which strongly encouraged the efforts of Europol in this respect. It will be an essential tool to fight organised crime going forward, which is a top EU priority, as outlined in the recent roadmap presented by the European Commission.
Cite this publication: Europol (2024), Decoding the EU’s most threatening criminal networks, Publications Office of the European Union, Luxembourg.
The thing about this excellent report is that nothing is that surprising or even new, apart from crypto and the risk from cybercrime through fraud and scams and they are really not new anymore either, which means we know what the enemy looks like and what it’s doing and have known most of it for years. So whilst the AML package is important it’s really signalling a need for more to be done by those we expect to do better to prevent money laundering to create a more hostile financial system in the EU to criminals and more from those we expect to confront the forces of financial crime with the system expected to generate better intelligence for law enforcement to tackle at least many of these 821 OC groups.
Taking these 20,000 serious criminals on doesn’t seem unsurmountable especially considering the bloc had 1,522,106 police officers in 2022.
These new AML measures should help albeit they are very downstream and will only be a real success if they translate upstream in materially impacting negatively these criminal groups.
New laws, rule books and regulators are useful but are a means to an end and it’s not so clear how these ends translate into effectively taking down these 821 most serious of groups in the EU. The EU’s own measurement of success for these measures is much more portrait than landscape and won’t be officially communicated until 2030.
Hidden away and not making it to the press releases is a potential new weapon, which has finally been added, on information sharing, which has been endlessly discussed and promoted by both the public and the private sectors over the last years. Article 75 can be found at pages 281 – 288 out of 326 pages of the AML Regulation and whilst it’s a very welcome addition to the fighting financial crime armoury, whether it will supercharge the fight against financial crime or remains a paper promise remains to be seen. It isn’t designed in support of a particular type of detailed initiative like in Singapore (see below) and/or ins’t a simple or easy to use gateway like that available in the USA for decades (see also below) with much of the text still to be interpreted and clarified.
The gold standard on information sharing is more than 20 years old and can be found in the USA where Section 314(b) of the Patriot Act 2001 allows, for example financial institutions to exchange information on customers and their transactions amongst themselves voluntarily to combat money laundering and terrorism finance, including on customers. Financial Institutions can establish information sharing partnerships and share information by just complying with notification protocols to the US AML/CTF Regulator and FIU, FinCEN.
Singapore has taken a different approach and instead of making available broad gateways for information sharing amongst for example FI’s they have identified a specific use case and developed an impressive information sharing public private partnership called COSMIC (Collaborative Sharing of Money Laundering/Terrorism Financing) and passed laws to expressly permit the intended activity which will be carried out via this platform. Cosmic went live in early April with its initial focus on sharing information between 6 large commercial Banks and the MAS on a few initial use cases after years of close co ordinated public and private dialogue.
The EU has taken another approach with its Article 75, which doesn’t have the advantages of the broad US market approach or the State led approach preferred in Singapore, and instead has decided to chart a middle course which provides for a more complex process through which some information sharing is possible, but to be done, will need supervisors to support all initiatives as they are mandated as the agency which is authorised to pre approve “partnerships” and in so doing to be satisfied with the arrangements put in place including the data protection arrangements, with supervisors expected to also consult with data protection agencies and where SAR’s are proposed to be exchanged also with FIU’s.
Whilst the information that can be exchanged in a partnership is extensive, under Article 75, restrictions apply to the type of customers that can be in scope for information exchange, with post suspicion/higher risk cases a condition precedent for exchange, limiting potential exchange to a small percentage of overall EU citizens with accounts and in limiting the sharing permitted, which is more likely to be acceptable to data protection agencies that look for proportionality, though the threat from financial crime and organised crime across the EU is clearly a significant one.
Whilst no doubt a political compromise, to take into account concerns of EU data protection agencies, the result may be that the Bloc’s most prominent attempt to do AML/CTF information sharing at scale to date, in the form of Transaction Monitoring Nederland established in 2022 by the large Dutch Banks and having invested tens of millions of Euros may not have quite the future that was hoped, at least in terms of sharing non entity information, i. e. information on individual account holders at scale. Whilst the Dutch government had given assurances that laws would be changed to also share individual customer data into a secure platform, that particular Dutch government is no more.
Article 75 doesn’t appear to go as far as many financial crime fighters would have hoped, and focusses essentially on higher risk customers and or post suspicion sharing and is less permissive on sharing information on lower risk customers, though intriguingly, Article 75 provides for sharing where, FI’s, “need to collect additional information in order to determine whether they are associated with a higher level of risk of ML, it’s predicate offences or TF” – which may be sufficient to justify some of the wider objectives of partnerships such as TMNL, at least to some, but would need supervisory support.
If this is not the case, then those sophisticated professional money launderers that operate today in many jurisdictions, under the radar of existing individual Bank/FI detection systems, which could have been identified using network data shared and analysed, will be relieved.
Any Partnership is subject to the approval of supervisors. Supervisory responsibilities include:
- Reviewing the partnership application to ensure it conforms strictly with the requirements of article 75
- Consulting with Data protection bodies, seeking their opinion on data protection matters, including reviewing the Partnership’s Data Protection Impact Assessments (“DPIA”)and measures taken to protect information
- Consulting with FIU’s and seeking FIU consent of SAR related data if proposed to be shared
- Considering whether to call for annual independent audits to confirm the functioning of the partnership – that it is compliant with the terms of the partnership and Article 75 – to be paid for by the partnership.
It should be noted also that Supervisors may themselves be partners in a partnership, as may FIU’s and Law Enforcement Agencies, though these partnerships will not give public sector bodies any additional information sharing powers to provide additional information to those in the private sector in these partnerships.
Supervisors will be the key to whether Partnerships that make a difference are established and thrive. Supervisors will need to take an active and at times decisive role in providing clear guidance on its interpretations of the various Article 75 provisions. These interpretations will inevitably involve balancing the expected outcomes from the information sharing, in fighting financial crime terms, with the rights of those customers whose information is being shared, based on the terms set out in Article 75.
Supervisors should be open to partnerships, that both want to share information on a select number of customers/transactions presenting obvious high risks, as well as those where for example more data is in scope and pseudo anonymised network analysis is used to identify higher risk customers and transactions. Supervisors may also be much more relaxed about entity data than individual data and first, second and third party data versus so called “zero” party data.
Whilst supervisors should also be concerned to ensure partnerships comply with the terms of their application and conform to Article 75, successful partnerships should reflect credit back on the partners they regulate, and an expectation that in doing more targeting of higher risk customers/transactions its likely the partners are doing less in other none higher risk areas.
It may be wise for partners in requesting approval from supervisors that voluntarily want to share more information on high-risk customers and transactions with other partners, that they explicitly include as part of their application the dialling down of other activities that are lower risk to compensate and to make the best use of resources.
Potential partners should be thinking therefore not only of the use cases that may be possible under Article 75 but also what activities risk based can be reduced and a discussion on both would be helpful, including having a dialogue with supervisors.
There are other challenges with the text that has been passed by the Parliament in Article 75 that have experts worried that interpretations may differ substantially or be insufficiently clear to green light what ought to be reasonable partnerships, before they get to the submission for approval state. Three key areas, include “Strictly Necessary”, “Customers” and Information” and will need further analysing in order to determine successful future use cases. For more details see some initial analysis below:
Final Remarks/Conclusion
Article 75 could still be a game changer across the EU in helping, in particular, Banks and FI’s that successfully establish partnerships, to better manage their AML/CTF risk and to improve the effectiveness of Bank/FI programmes by identifying otherwise hidden risk, which is also a benefit to FIU’s. Article 75 can likely be used to share the 2-5% of customers or transactions that represent increased risks, true positive hits, substantive private list entries, RFI data, etc as well as being an accelerant for traditional PPPs where FIUs, Supervisors and the private sector work more closely together and become more operational, focussing on agreed higher risk priorities.
Of course, these can now become more international and not simply domestic with the ability to share information across the EU (and who knows internationally as Article 75 doesn’t preclude information sharing with others outside the EU – but it doesn’t expressly permit it either and that third country would in any event need EU type Article 75 powers to do so).
The ability to generate real efficiencies in AML/CTF programmes is likely more limited as the customers/transactions in scope are limited and represent a small %age of likely total customers/transactions where most of the cost comes in current Bank/FI AML/CTF programmes.
To capture effectiveness gains, which is of course of benefit for Banks/FI’s and FIU’s, comes at a new cost, with a need to deploy resources to work in any partnership. Whilst there is no express provision in Article 75, for partners to be able to do less elsewhere by focussing on higher risk areas, this should be a reasonable expectation. Whilst the activities of the partnership will be subject to regulatory oversight and as such increasing regulatory risk, participating Banks/FI’s should expect to receive some credit if the partnership is successful, despite it being a voluntary activity.
Whether the advantages and benefits outweigh the limitations and challenges, time will tell. For any partnership to succeed it will need smart and dedicated financial crime fighters to work through the limitations and challenges of Article 75 to produce something really valuable and proactive forward-thinking supervisors. Thankfully there are enough smart and dedicated financial crime fighters that will want to take a shot at this and hopefully enough supervisors who will support them.
Reporting by John Cusak, Financial Crime News, 10th May 2024