Machine translations by Deepl


In December 2022, Privacy First sent a critical letter and memo to the House of Representatives, on the bill to, among other things, allow banks to collectively analyse their customers' financial transactions. We believe that this banking dragnet will entail unprecedented mass surveillance and that citizens' fundamental rights are insufficiently safeguarded.

Money laundering

How the bill will proceed is not known at this time. Members of the House of Representatives on 23 February last a large number of questions about the bill. Those questions have not yet been answered by the responsible finance and security ministers.

International trend: more data sharing and integrated analysis

We are not confident of a good outcome of the Dutch legislative process. The reason is that there are all kinds of groups internationally - both from the government and outside - advocating joint analysis of financial transaction data of every account holder. The argument often used is that data from everyone is needed to use it to 'train' computers. Financial institutions are keen to jointly analyse transactions to reduce costs. In practice, this amounts to profiling every account holder, with no visibility on how this is done and no adequate protection against errors.

One of the organisations engaged in a study on joint transaction monitoring is the Bank for International Settlements (BIS) through the 'Aurora' project. In the explanation of the project BIS argues that the current system of fighting crime has failed, partly due to 'over-reporting'. Banks now report too many transactions as 'suspicious' because of the high fines they were previously imposed.

Furthermore, banks are quick to say goodbye to certain groups of customers because of the high cost of their crime-fighting duties ('de-risking'). Some countries are also excluded from the financial system if a high risk of crime is believed to be present. BIS believes it can improve the effectiveness of crime fighting by banks through joint data analysis of transactions at multiple banks and in multiple countries. The idea is that through machine learning can detect criminal patterns and typologies, which would respect citizens' fundamental rights.

Another proposal is to analyse SWIFT transaction data. SWIFT is the international organisation responsible for much of the global payments system. This idea comes from the European-funded 'TRACE' project, which also involves private parties (such as companies providing crime-fighting services).

In March this year, TRACE published a report on SWIFT, written by four staff members of the lobbying organisation Tax Justice Network (commissioned by TRACE). In it, they advocate modifying the SWIFT messaging system - through which banks exchange data with each other - to enable integral analysis of all transactions. The authors advocate that for every payment transaction, a multitude of data should be included in the SWIFT message. Not only the names and account numbers of payer and payee, but also their date and place of birth, and in the case of non-natural persons, the entity identification number (legal entity identifier) and the names of beneficial owners (ubo's). In this way, the payment traffic of all entities and individuals can be analysed, both to predict crime (predictive policing) and to detect offences. This would involve checking immediately whether account holders have been convicted, or are suspected of something. The report does not address the problems that current systems already pose for citizens, nor the risks of predictive policing.

Criticism from data protection regulators

In the context of 'anti-money laundering', the European legislator is undertaking a complete overhaul of the regulation of crime-fighting functions of private companies, such as banks. In particular, it proposes to allow much more data sharing. That proposal has drawn criticism from data protection regulators in EU countries, working together in the European Data Protection Board (EDPB).

On March 28, the EDPB sent a letter to the European Parliament, the Council and the Commission. In it, EDPB criticises the proposal to allow data sharing between companies on crime, while the proportionality and necessity have not been demonstrated, and safeguards to protect citizens' fundamental rights are lacking. In practice, the far-reaching data exchange will be particularly relevant for banks and other financial institutions.

No financial surveillance

Privacy First believes that fighting crime is a government task. Outsourcing such tasks only makes sense if the companies are suitable for it, if it is effective, and if compliance does not incur disproportionate costs. The effectiveness of the current system is already unproven, while the rules create many problems, such as discrimination and exclusion.

Of course, IT companies are eager to get to work on the financial transaction data goldmine. However, we think it will lead to financial mass surveillance and we should not want that.