Anti-money laundering or data protection: What takes precedence?

It is estimated that up to $2 trillion is laundered every year, almost 5% of global GDP. To combat this, the implementation of anti-money laundering (‘AML’) laws has aimed to increased transparency within financial services, but this creates an inherent conflict with data privacy laws, such as the EU’s General Data Protection Regulation (‘GDPR’). This conflict was the subject of a recent judgement by the European Court of Justice (‘ECJ’) in November 2022.

In the Joined Cases C-37/20 – Luxembourg Business Registers, and C-601/20, the ECJ ruled that access by the general public to beneficial ownership information of companies incorporated in the European Union, as prescribed by article 30(5)(c) of the 5th EU Anti-Money Laundering Directive (2018/843) is invalid.  Further, the ECJ ruled that Luxembourg’s facilitation of general public access to information on beneficial ownership of Luxembourg entities following Luxembourg’s implementation of the 4th EU AML Directive (2015/849), is invalid.

The ECJ ruled that public access to information on beneficial ownership constituted a serious interference with the fundamental rights to respect for private life and to the protection of personal data.

The judgment served to highlight the inherent conflict between:

  1. beneficial ownership disclosures that assist in combating anti-money laundering and terrorist financing (i.e. establishing who sits behind a company or other structure); and
  2. the protection of individuals’ personal data.

In short, it is necessary to compromise on one set of laws to properly implement the other.

The privacy versus transparency debate

Both transparency and privacy are incredibly important.  But the new judgment reignites the debate about which should take precedence. Individual personal data has for too long been used freely and with utter disregard to any adverse consequences, by governments and corporates, often for selfish commercial purposes. Recent technological advancements and the exponential growth in the use and influence of social media means that it is critical to limit the use of personal data to manage our right to privacy and safety.

The EU General Data Protection Regulation (2016/679) came into effect in May 2018 with the aim of protecting EU citizens by giving individuals control over their personal data, including the right to access, correct, and delete it. The GDPR has helped deter governments and corporates from using and abusing personal data without regard for the rights of individuals.

The continued efforts of the Financial Action Task Force and the EU, among others (notwithstanding the leading nations’ double-standards on the use of sanctions and enforcement of AML laws), have undoubtedly helped restrict some financial crime. Scandals such as “The Panama Papers” and offshore data leaks created momentum towards complete transparency.  Nevertheless, money laundering and terrorist financing remains endemic across the global economy, including in onshore and offshore finance centres to varying degrees.

The drive to fight money laundering

The identification of beneficial owners of structures and investments is fundamental to combatting anti-money laundering. The EU largely took the lead with the implementation of beneficial ownership registers disclosing an individuals’ name, date and place of birth, country of residence and interest in a company. Luxembourg was a leader in allowing such data to be publicly accessible. (It should be noted that Luxembourg AML laws did already allow public access to beneficial ownership information to be restricted in the event of security risk on a limited case-by-case basis.) Such public access to personal data has undoubtedly deterred some money launderers from investing in the EU.

However, public access to the beneficial ownership of EU companies undoubtedly cuts across GDPR and arguably brings unwanted and unfair attention to numerous law-abiding individuals and families.

We believe it is perfectly possible to implement and enforce strong rules for both initiatives that clearly manage the inherent conflicts.

To start, supranational and national authorities should explicitly take into account the inherent conflicts between transparency and privacy when reviewing and updating relevant rules. For example, which takes priority and when? Such an approach would be preferable to relying on the courts to determine precedence. This will help ensure that everyone, including players in the European financial services industry, can apply clear and consistent rules and avoid future confusion.

There are also practical ways that these conflicts could be better managed, including the use of secure data-sharing platforms and standardised reporting templates at a national level for regulated financial services providers.

Langham Hall has policies and practices to comply with both sets of laws and manage the conflicts to ensure compliance with both. Staff members are trained on risks related to both the fight against money laundering and the protection of personal data. Our systems are built to appropriately protect information gathered during our due diligence process.

From a contractual perspective, investor and client consents in relation to sharing personal data in order to comply with AML rules are typically contained in client contracts or fund subscription agreements. It is these provisions that often facilitate Langham Hall and other financial services businesses sharing of personal data between other regulated counterparties, but only where it is strictly necessary to do so in order to comply with AML rules.