In the ever-widening wake of the Danske Bank scandal, a series of discussions has begun in European Union (EU) banking circles about possible information-sharing agreements to improve anti-money laundering (AML) oversight.
There are strong indications that bank regulators across the EU are actively discussing how they can share certain data related to customers. According to Yahoo Finance UK, Marius Jurgilas, a Bank of Lithuania board member, said “that regulators from Sweden, Norway, Finland, Denmark, Estonia, Latvia, and Lithuania are in talks about sharing transaction-level banking data” as part of AML efforts. Although he declined to provide specific examples of topics under discussion, Jurgilas stated that EU national regulators were discussing how “to create something better,” such as “sharing of data across the regulators, identifying illicit transactions by using transaction-level data across the region, and all of a sudden that region becomes the best ever in terms of risk management.” (Jurgilas also briefly stated “that regulators were prioritising a joint investigation into all the banks involved in the [Danske Bank] scandal.”)
Confirming Jurgilas’s remarks, Bloomberg reported that Jesper Berg, Director-General of the Danish Financial Supervisory Authority (FSA), “has started lobbying counterparts elsewhere for a broader discussion” about secrecy of bank clients’ data. Berg reportedly said that “it’s worth considering whether banks should be allowed to share reports of suspicious customers before the police confirm illegal activity, and that a common infrastructure for such reporting “could include ‘customers that have been thrown out of one bank, so they’re not allowed to go to the next bank’.”
Berg acknowledged that “huge privacy issues,” but declared that “we need to figure out how to resolve this.” He also stated that “letting banks share data would be a more effective tool than creating a single European entity to target money launderers.”
Samu Kurri, head of the financial analysis and operational risks department at the Finnish FSA, seconded Berg’s proposal, calling it “extremely good and supportable.” Kurri cautioned that this concept of authorizing banks to share data would “represent a fundamental change to traditional tight banking secrecy on a philosophical level”, and “would take very careful preparation to draw up.”
Philippe Vollot, Danske Bank’s head of compliance since October 2018, sounded another cautionary note. He commented, according to Bloomberg, “that while it makes sense to share general information, privacy concerns make it more challenging to distribute suspicious-activity reports. The subject of such a report may ultimately be found innocent of any involvement. Vollot also commented, “To have somewhere in the system a capacity that criminals would not be able to move from one financial institution to another – that would be something extremely effective to combat financial crime . . . . The issue here is the data privacy regulation, and it’s actually a philosophical debate about where does it start? Where do you draw the line?”
Note: Regulatory and AML compliance teams at financial institutions in the EU and elsewhere should continue to watch for further indications that the idea of expanding AML-related information-sharing is gaining traction within the EU. Key to those discussions, of course – as Vollot rightly indicated – is whether sufficient political will can be mustered to revise the General Data Protection Regulation (GDPR) to facilitate such information-sharing. Any efforts to revise the GDPR would involve extraordinarily complex debates about how to strike a different balance between individual privacy and law enforcement or financial-sector needs.
As part of that debate, the EU would also need to take into account its Directive (EU) 2016/680, which applies to the processing and movement of personal data for purposes of prevention, investigation, detection, and prosecution of criminal offences. Because Member States had until May 2018 to translate that latter Directive into law, they would have to revise their own domestic legislation implementing both Directives should the EU revise the GDPR.
At one point, the EU viewed the GDPR as meaning that “businesses benefit from a level playing field.” Thanks to the Danske Bank scandal, the EU and its Member States are starting to recognize that, as between financial institutions and criminals bent on exploiting them, the playing field is tilted very much in the criminals’ favor. Releveling that playing field will require more than structural revisions in EU AML oversight.