Permanent surveillance threatened under new anti-money laundering rules

Privacy First advocates safeguards to prevent citizens from bearing the brunt of new European crime-fighting rules (anti-money laundering package) 

Privacy First participated in the legislative consultation on the implementation law that implements the new European anti-money laundering regulations. In our consultation contribution, we make a large number of suggestions to better protect citizens, small and medium-sized enterprises and small and medium-sized non-profit organisations from the harmful effects these regulations may have on them.

Under European regulations, crime-fighting tasks are already performed by companies, including banks, notaries and accountants. Those firms ('money-laundering duty holders') are obliged to make a risk profile of each customer, assessing whether the customer could be criminal. Furthermore, they must monitor the relationship with the customer and the transactions they are involved in and are obliged to report crime suspicions to the government (FIU Netherlands). These rules are currently still laid down in a Dutch law, the Money Laundering and Terrorist Financing (Prevention) Act (Wwft).

These regulations have caused great social harm: among other things, it has become difficult for certain business sectors and non-profit organisations to open a bank account, and people sometimes face discriminatory practices by money-laundering duty holders. Furthermore, money-laundering duty holders sometimes request very large amounts of confidential and privacy-sensitive data from their customers, going much further than necessary for fear of government sanctions. In a letter in May this year, the finance minister acknowledged that the anti-money-laundering regime had gone too far and promised to take action. The question for Privacy First, however, is whether the minister can keep his promises, now that the Netherlands will soon have little say in the fight against money laundering.

In mid-2027, the new European Anti-Money Laundering Regulation (AMLR) and other parts of the European Anti-Money Laundering Package will come into force. A lot will change then, and not always for the better.

Privacy First regarded the consultation as a good opportunity to urge the Dutch government to take measures to reduce the harmful effects of money laundering. We stress that we are not opposed to involving companies in crime fighting. Our objections are directed against assigning tasks to companies that are not suitable for them, against the disproportionate costs incurred by money-laundering duty holders that are passed on to the customer, and against the failure to respect the fundamental rights of citizens, SMEs and small and medium-sized non-profit organisations.

Privacy First sees the implementation of European regulations as a good time to improve safeguards for citizens. To this end, we make a large number of proposals in our consultation response, including these:

  • The legal protection of consumers, SMEs and small and medium-sized nonprofit organisations will be dramatically improved, including through the establishment of a financial ombudsman to handle all complaints on anti-money laundering issues and through low-threshold access to the independent courts.
  • Money-laundering duty holders should be required to communicate about their customer research through a secure channel. They should be prohibited from requiring customers to use the European Digital Identity (EUDI) wallet. It should also be explicitly stated that access to the customer's bank account should not be requested through open banking or open finance.
  • Automated risk profiling of customers by large money-laundering duty holders, such as banks, should follow the principles of the European AI Regulation, including a fundamental rights compliance assessment (FRIA).
  • Anti-money laundering supervisors, such as the DNB, should be obliged to also enforce compliance with data protection rules and respect for customers' fundamental rights. When sanctioning, they should consider whether the sanctions could result in fundamental rights violations.
  • Monitoring of compliance by both anti-money laundering and public authorities with data protection, anti-discrimination and other fundamental rights rules will be improved by increasing the capacity of the Personal Data Authority and by mandatory audits that will take place periodically.

We urge the Dutch government to promote the removal of elements of the European anti-money laundering rules that violate fundamental rights. One example is the far too broad definition of 'politically exposed person' (PEP), which leads to a large group of innocent citizens being classified as high risk of crime on incorrect grounds. For example, all parents and children of members of the House of Representatives are supposedly high risk of crime.

Privacy First hopes that a public discussion can be initiated on concepts behind the privatisation of crime fighting. Privacy First also hopes that politicians will retrace their steps and urge Brussels to reconsider and adjust the rules. Fundamental rights of citizens deserve far more protection than is provided under these rules.

Our full consultation response can be found HERE.