Dutch money laundering amendments to prompt greater AI use in transaction monitoring

The Council of State was unusually critical about the lack of data protection safeguards in a previous draft of the Act. The current version contains 18 additional subparagraphs that relate to personal data.The Dutch government has finalised a bill to amend the Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft). The number of proposed changes to the law is limited, but their implication is far-reaching, according to Pinsent Masons’ technology and data law experts.

For the financial services sector, one of the most significant changes proposed by the bill, known as “Plan of approach to money laundering”, is the possibility of joint transaction monitoring for banks and outsource this.

Criminals often store sums of money at different banks in order to stay under the radar, said the Dutch government in its official statement. Joint transaction monitoring will enable banks to better identify unusual transaction patterns.

Five Dutch banks – ABN AMRO, ING, Rabobank, Triodos Bank and de Volksbank - have already established Transaction Monitoring Netherlands (TMNL) as part of joint efforts to tackle money laundering. The TMNL is an addition to the banks’ individual transaction monitoring activities and focuses on identifying unusual patterns in payments traffic that individual banks cannot identify.

The bill, if passed, will enable more banks to combine and analyse their customers’ payment data. The expanding cross-bank cooperation in transaction monitoring is expected to drive up efficiency and effectiveness in tackling money laundering, particularly with the help of artificial intelligence (AI).

“We believe that it is time to use AI to more effectively track down criminal money flows. The recent past has shown that banks have difficulty to do this in a cost-effective way on an individual basis. The fact that banks can tackle this jointly with the amended Act will certainly contribute to the aim of the Wwft. Nevertheless, safeguards will have to be given on parts to protect the rights of customers,” said cyber, data and technology law expert Wouter Seinen of Pinsent Masons.

Seinen said it was noteworthy that the final bill has adopted several changes following strong criticisms over privacy issues from the Dutch Council of State, an independent adviser for the Dutch government, and the Dutch Data Protection Authority (AP).

As a result, the final proposal restricts the scope of monitoring and the types of data that may be shared and processed among banks. More conditions have been added concerning the protection and security of personal data. In addition, the bill stipulates that the measures must be evaluated after four years.

However, the bill still extends the data that banks may process, by allowing ‘special categories of personal data’ to be processed for the purpose of complying with the Wwft. Under the General Data Protection Regulation (GDPR), the processing of “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or membership of a trade union, and processing of genetic data, biometric data for the purpose of the unique identification of a person, or data about health, or date relating someone’s sexual behaviour or sexual behaviour orientation” is prohibited, but the amendments to the Wwft will make it possible for banks to process such data.

“For banks, this means that the data will have to be made available to an independent institution that will collect and analyse all this data from and on behalf of the banks. Yet the underlying privacy challenges should not be underestimated. Many critical questions remain to be answered, such as how is the 'independence' of this institute guaranteed; who makes the decisions in regard to that; how does the feedback to banks take place; how are the rights of the consumer safeguarded and how are the fundamental rights like access to financial services of customers guaranteed?” said Seinen.

The Dutch data protection authority’s recent enforcement action against the country’s tax authority over its fraud database serves as an important reference for the potential conflict between processing personal data for crime detection and GDPR compliance, Seinen said.

The Dutch regulator has imposed a €3.7m fine on the Dutch Tax Administration for illegally processing personal data over a period of years in its 'fraud signalling facility' (FSV), following its conviction for six violations.

“It is not inconceivable that the supervisory authority could take the same stance on the proposed anti-money laundering bill,” said Seinen. “After all, clearly comparable circumstances are conceivable. For example, the violations consisted of: no statutory basis for processing personal data, the purpose of the FSV was not specifically described in advance, the FSV contained incorrect and obsolete information, particular data was stored for far too long and data was not adequate protected.”

In addition to provisions on joint monitoring and combining and processing data, the bill also proposes a ban on cash payments of €3,000 or more to reduce the administrative burden for traders in goods of high value. It also imposes an obligation on financial institutions to take 'reasonable measures' to investigate whether another institution of the same category has previously refused services to a potential customer where there is an increased risk.