Machine translations by Deepl

Crime fight not served by bank dragnet and enquiry requirement

Recent warned Privacy First in favour of the Cabinet proposal Money Laundering Plan Act that threatens to introduce a banking dragnet. Today, Privacy First sent a letter with associated memorandum to the House of Representatives:  

On 21 October last year, the cabinet approved the draft law on money laundering submitted. On the same day, the Personal Data Authority warned in a news release "New law opens door to unprecedented mass surveillance by banks".

Privacy First Foundation believes that in the bill, the government has failed to heed the earlier criticisms of the Advisory Division of the Council of State and the Personal Data Authority. The bill unjustifiably infringes on the fundamental rights of Dutch citizens and this proposal should therefore not become law.

The proposal is part of anti-crime ('money laundering') regulations as contained in the Prevention of Money Laundering and Terrorist Financing Act (Wwft). The Wwft places government tasks in the hands of private companies such as banks without careful consideration of whether those private companies are fit for purpose.

The current proposal adds new unwise elements to regulation:

  1. The banking dragnet.
  2. A 'duty to inquire': the obligation of Wwft-regulated firms to inquire from their competitor about crime risks among 'high-risk' customers.
  3. Processing of criminal and other special personal data by companies subject to Wwft.

Against all these elements, Privacy First has strong objections.

1. Banking trawl

According to the cabinet's proposal, all payment transactions that go through Dutch banks (It may be assumed that payment service providers will be added in the future.) will be analysed by means of a separate entity for the purpose of crime detection (detecting 'unusual transactions'). This means that a profile will be drawn up of every citizen and organisation in the Netherlands, predicting whether the account holder might be a criminal. This makes joint transaction monitoring by banks a banking dragnet that violates citizens' fundamental rights. Such an infringement should be properly substantiated, however, that substantiation is lacking.

The proposal is symptomatic of a 'data-driven' government that believes social problems can only be solved by unlimited tracking and analysis of citizens and collection of data on every citizen through many avenues. Privacy First believes the government has too optimistic expectations of IT's potential and underestimates the downsides.

Interestingly, the explanatory memorandum acknowledges that the current system of crime fighting by banks under the Wwft is not working. This should be reason to rethink the whole system and reallocate the large sums of money that banks currently spend on detecting unusual transactions. Unfortunately, this is not happening.

Our position

  1. There is no evidence that this intrusion into citizens' financial data protection rights is justified and ensures that the harm now caused by banks' crime-fighting activities is reduced. The banking dragnet should not be there. And to the extent that the dragnet would:
  2. The dragnet should only be there if the need is demonstrated and it is also shown that there are no alternatives and that the dragnet will lead to a reduction in current crime-fighting harm.
  3. There should be no data analysis and profiling of natural persons (both consumers and sole traders). (If nothing else, only above a certain threshold).
  4. There should be full transparency from government and banks on risk indicators and the use of artificial intelligence. Damage caused by unnecessary queries should also be measured. There is independent review of systems and implementation practices.
  5. Adequate governance is ensured: the entity conducting the analyses is independent from the banks, complies with the Top Income Standardisation Act and European procurement regulations, and only sources IT from European suppliers.
  6. Legal protection for consumers and SMEs should be improved.

2. Enquiry duty

The proposal on the enquiry requirement applies to all companies that have to comply with the Wwft, i.e. from estate agents and accountancy firms to banks and from sole traders to large companies. The intention of the proposal is that in 'high-risk' situations, enquiries will be made to colleagues in the same sector.

Privacy First opposes this:

  1. The 'high risk' category is far too broad, so it is almost always the case. For safety's sake and fear of fines, Wwft duty holders will be very quick to inquire.
  2. There is no substantiation that this enquiry requirement would be useful for all types of Wwft duty holders and all types of services.
  3. Alternatives have not been explored.
  4. In some sectors, there are so many Wwft duty holders that making enquiries is impracticable.
  5. In the financial sector, the enquiry requirement will lead to even further restriction of competition (which is already almost non-existent, except for some consumer products).
    and in the unlikely event that the enquiry requirement comes about:
  1. Enquiries should be limited to specifically defined services, to specifically defined perceived high risks and to specifically designated Wwft obligated persons. The delineation will be carefully reviewed.
  2. A time provision should be included for enquiries, as some Wwft obligated persons have long-term relationships with their clients.
  3. Regulating the exchange between different types of Wwft duty holders (Article 3b(6) proposal) does not belong in an Order in Council but in the law.
  4. Both the client and those involved should be informed in advance about the enquiry as well as the alleged risk profile.
  5. Legal protection for consumers and SMEs should be improved.

3. Processing of criminal and other personal data

Privacy First considers it undesirable that all types of Wwft duty holders should be allowed to process criminal and other personal data. Our view:

  1. The processing necessity for each type of Wwft obligation must be substantiated and demonstrated.
  2. It should only be allowed to Wwft-compliant firms that are regulated, have integrity oversight and demonstrably meet all the obligations of the AVG.
  3. Further data protection rules do not belong in an order in council (as is proposed) but in the UAVG.
  4. Legal protection for consumers and SMEs should be improved.

4. Improved legal protection for consumers and SMEs

Currently, the legal protection of clients of financial institutions - especially consumers and SMEs - is insufficient. Privacy First believes that Wwft obligated parties should be accountable to their clients and data subjects (within the meaning of the AVG) for the assigned risk profile and how they conduct Wwft client screening.

Independent judge and financial ombudsman

It is desirable that dispute resolution through the independent courts be established for the benefit of consumers and SMEs, with jurisdiction over money laundering, credit registration, blacklists and other disputes with financial institutions.

It is also desirable that an independent financial ombudsman be established to receive complaints about financial institutions and money-laundering offenders in a low-threshold manner and conduct investigations into money-laundering practices, credit registration, blacklists and the like.

Kifid

Kifid can be abolished, in our opinion, because of the lack of quality and independence there. This is evident from, among other things, the serious lapse in the Accidental American case, which was condemned by the Kifid disputes committee for forgery (ruling of 27 May 2019). This judgement was immediately dismissed by the judge in summary proceedings (ECLI:NL:RBMNE:2020:5647). The judge on the merits came then come to a different judgement and shows that Kifid lacks depth.

In conclusion

For a more detailed explanation, see our memorandum (pdf) (pdf) attached to our letter( pdf). Of course, we are happy to explain our position in more detail.