This second part of my ‘commentary’ on PFIS (part 1: https://www.dhirubhai.net/pulse/partnership-information-sharing-new-eu-way-keep-up-part-hansen-phd-efzpf/?trackingId=Fl0zotnXvka9XPJ678sm2A%3D%3D) under AMLR and AMLAR (see part 3 for AMLAR’s) is the one which is most TL;DR. It tries to read the provisions of art. 75 (2) – 75 (7) AMLR one by one and to understand them. Sometimes it suggests a reference to other provisions of AMLR or of another regulation. There are also issues raised which are, I hope, worth considering. These seem to me the most interesting, and I would be extremely grateful to those readers who do not find the text TL;DR to comment on them and on other matters, especially if they disagree with me.
A large part of art. 75 of AMLR, which we continue to explore in this (2nd) part of the text on PFIS (all abbreviations – unless already generally applied in professional texts – as introduced in part 1), contains several specific provisions applying to: notifying the respective authorities of the intention to become members of a PFIS and verification of the GDPR impact assessment (paragraph 2), limits on the information shared (paragraph 3), conditions on sharing information (paragraph 4), exceptions regarding further transmission of information received within the PFIS (paragraph 5), the OE’s (obliged entity’s) internal policies and procedures required (paragraph 6) and the independent audit of the PFIS (paragraph 7).
Conditions of Forming and Joining PFIS
Art. 75 (2) requires OEs “intending to participate” in a PFIS to notify their respective supervisory authorities. These authorities shall, in turn, “where relevant in consultation with each other” and with “the authorities in charge of verifying compliance with GDPR” verify that the PFIS “has mechanisms in place to ensure”:
- “compliance with art. 75 AMLR” itself and
- “that the data protection impact assessment” as referred to in art. 35 of GDPR “has been carried out”.
We are additionally told that this verification shall take place prior to the beginning of the activities of the PFIS (BTW, we will further be told in art. 75 (4) (h) that the a/m data protection impact assessment “shall be carried out prior to processing of any personal data”, which adds another piece to the puzzle).
To end the first part of art. 75 (2) we are told that “where relevant, supervisory authorities shall also consult FIUs”.
This whole formulation (art. 75 (2) AMLR) is quite ambiguous, or at least twofold. If the regulation deals with the formation of a PFIS, then we would expect it to be clearly stated and limited to the conditions of such a partnership’s formation. Similarly, if the provision refers to a new potential member joining an existing PFIS (which it clearly also does), then we would expect that to be clearly, possibly separately, stated as well. Instead, we get a mix of both. And so we have to unravel them.
Surely, paragraph 2 is about the necessary conditions to be fulfilled when forming a PFIS or – more precisely – when the OEs that are its first candidate members join the PFIS. It is clear that supervisory authorities shall be notified.
The most obvious cases of “where relevant” regarding supervisory authorities consulting with each other seem to be:
- when the OEs intending to form the PFIS have different supervisory authorities in a single country (e.g. some of them are financial institutions and the rest aren’t) and/or
- when the OEs intending to form the PFIS are from different member states (so they usually – unless all temporarily supervised by AMLA - have different supervisory authorities) and/or
- when at least one of the OEs intending to form the PFIS has AMLA as its current supervisory authority, whereas other OEs intending to form the same PFIS have other supervisory authorities.
Although EBA’s JC 2019 81 Joint Guidelines on cooperation and information exchange for the purpose of Directive (EU) 2015/849 between competent authorities supervising credit and financial institutions (the AML/CFT Colleges Guidelines) already required – quite unfortunately, in my opinion – the AML/CFT competent authorities to be competent in assessing compliance with GDPR as well, here we have at least some progress: the AML/CFT supervisory authorities, not so competent with respect to GDPR, will always have a chance of being properly consulted by “the authorities in charge of verifying compliance with GDPR” during their own verification of whether a particular PFIS ensures compliance not only with art. 75 of AMLR but also that the “data protection impact assessment” as per art. 35 of GDPR “has been carried out” properly and sufficiently. Recital (148) of AMLR supports my position here, as it explicitly speaks of “data protection authorities, which alone are competent for assessing the data protection impact assessment”.
It has to be noted that art. 35 GDPR is tricky in this context. If the processing is to be effected by a partnership, then we must carefully define the controller and the processor, and assume that every time the list of members of the partnership changes (esp. grows), the PFIS itself changes with the new member and the potentially new data being processed, which may have an impact (e.g. due to a change in the data “scope or context”) on the risk of data processing. So, “where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations” (art. 35 (11) GDPR).
These considerations may, in my opinion, suggest why both events - forming the PFIS by its primary members and joining the already existing PFIS by a new member - have been commingled here in the art. 75 (2).
And where is it “relevant” for the supervisory authorities to consult FIUs? Most probably, where an initial or a new member is to join a PFIS and it may be worth verifying whether there are arguments for or against this membership. It is the FIU which can judge the value and credibility of the SARs/STRs of a particular OE, and it is the FIU which could be made aware of which OE may join the PFIS and thus start sharing information with other PFIS members (esp. when some investigation may be ongoing of which only the FIU – of all PFIS members – may be aware). However, I admit, I can only guess the proper reasons for consulting FIUs.
At the end of art. 75 (2) we have a paragraph composed of just a single sentence, saying that “responsibility for compliance with requirements under Union or national law shall remain with the participants in the PFIS”. It is pretty obvious that those participants which are authorities shall not assume all of the responsibility for the PFIS, but it is worth remembering that… FIUs and supervisory authorities are also participants in the PFIS (see recital (80) to AMLAR if you have any doubts whether e.g. an FIU or AMLA shall be treated as a participant in the PFIS), so that this responsibility is shared with them as well…
Limitations of Information Shared
According to art. 75 (3) the information exchanged in the PFIS shall be limited to:
- information on the customer and its UBO, including, but not only, the information received during the identification and verification of identity (i.e. when performing CDD),
- “information on the purpose and intended nature of the business relationship or occasional transaction between the customer and the OE, as well as, where applicable, SoW and SoF of the customer”, so again the information which is obtained when performing CDD but not only then,
- “information on customer’s transactions” which is a very broad category since it is not necessarily limited to the very content and timing of these transactions,
- “information on higher and lower risk factors associated with the customer” which points exactly to the categories listed in – respectively – Annex III and Annex II to the AMLR,
- “the OE’s analysis of the risks associated with the customer pursuant to art. 20 (2)”, i.e. the CDD-related customer risk analysis, which also covers the reasons for applying EDD or SDD to the customer,
- “information held by the OE pursuant to art. 77 (1)”, which contains not only documents and information obtained during CDD, but also a record of the assessment undertaken pursuant to art. 69 (2), which covers not just the circumstances taken into consideration when considering filing an STR (whether filed or not) but also “a copy of the STR, if any” (sic!), the supporting evidence and records admissible in judicial proceedings under national law “which are necessary to identify transactions” and… in the case of participation in PFISes, “copies of the documents and information obtained in the framework of these PFISes, and records of all instances of information sharing”. So in the end we have a “loop” allowing the information received within PFISes to be further shared within PFISes. So, if an OE belongs to 2 different PFISes, it can share – within one PFIS – the information and copies of documents obtained within the other!
- “information on suspicions pursuant to art. 69”, which makes it legitimate to share any basis for an SAR or STR (whether actually filed or not) (sic!).
And at the end we get the usual warning: “the information referred to” above “shall only be exchanged to the extent that it is necessary for the purposes of carrying out the activities of the PFIS.” However, this warning seems to refer to the content, extent or type of information rather than to the partners with which the information is shared…
Conditions on Sharing Information
In art. 75 (4) we are told the conditions that “shall apply to the sharing of information within the context of PFIS”:
- OEs shall record all instances of information sharing within the PFIS,
- they shall not rely “solely” on “the information received in the context of the PFIS to comply with the requirements of AMLR”, so you cannot use the CDD records of just another PFIS member (not being a member of the OE’s group) to perform your CDD,
- OEs are not allowed to “draw conclusions or take decisions that have an impact on the business relationship with the customer or on the performance of occasional transactions for the customer on the basis of information received from other participants in the PFIS” without “having assessed that information”, so all of an OE’s business decisions must remain its own, based on its own judgment. Moreover, “any information received in the context of the PFIS used in an assessment resulting in a decision to refuse or terminate a business relationship or to carry out an occasional transaction shall be included in the records kept pursuant to Article 21 (3), and that record shall contain reference to the fact that the information originated from a PFIS”, so you are allowed to use information received from the PFIS, but you must perform a proper judgment (the basis of which must also include at least some minimum information not received from the PFIS) before taking the business decision,
- OEs must perform “their own assessment of transactions involving customers in order to assess which ones may be related to money laundering or terrorist financing or involve proceeds of criminal activity”. Yet, this is the duty of an OE regardless of its participation in any PFIS,
- OEs shall also “implement appropriate technical and organisational measures, including measures to allow pseudonymisation, to ensure a level of security and confidentiality proportionate to the nature and extent of the information exchanged”. Does this mean that e.g. the data of the victims of a criminal activity shall be kept anonymous when exchanged if they are not necessary to understand the information and assess the case? That would surely be appropriate and proportionate,
- notwithstanding the above, information cannot be shared regarding just any customer. There are several important conditions regarding the customers which must be fulfilled if the information is to be shared at all:
  - they must be customers “whose behaviour or transaction activities are associated with a higher risk of money laundering, its predicate offences or terrorist financing, as identified pursuant to the risk assessment” in the Union Risk Assessment (URA) and the National Risk Assessment (NRA). So unless the customer falls into the “higher risk” category on the basis of the current URA and NRA, information on it cannot be shared within the PFIS! Shall we also read this in such a way that the customer must be of higher risk in the URA and the NRA at the same time (as “and” would suggest), or could it be of higher risk in only one of them?
  - customers “who fall under any of the situations referred to in” articles 29, 30, 31 (“risky third countries”) and 36 to 46 (all EDD cases, incl. PEPs & RCAs) of AMLR; or
  - customers for whom the OEs “need to collect additional information in order to determine whether they are associated with a higher level of risk of money laundering, its predicate offences or terrorist financing”. These cases are indicated – as far as I am able to identify them – at least in art. 34 (4) and art. 34 (5) AMLR.
So the set of customers on whom the information could be shared within the PFIS is strictly limited and whether the customer qualifies for its information being shared should be identified before the exchange,
- in case the information is “generated through the use of artificial intelligence, machine learning technologies or algorithms”, it can only be shared if “those processes were subject to adequate human oversight”. No further details are given here, but it seems to mean less than that every piece of information shared is verified by a human being, and only that the process (as a whole) of generating the information is controlled by a human being,
- in case of processing personal data, “a data protection impact assessment” - as described in art. 35 of GDPR - must be performed before the start of processing this type of data,
- “the competent authorities that are members of a PFIS shall only obtain, provide and exchange information to the extent that this is necessary for the performance of their tasks under relevant Union or national law”. Although this point seems to be addressed to the competent authorities, it also implies that OEs shall not share – with the competent authorities, if these authorities are members of the PFIS – data which would not be “necessary for the performance of their tasks under relevant Union or national law”. We may also conclude that the information shared to or from competent authorities shall be limited more than the information shared between other PFIS members (i.e. the OEs themselves),
- where the respective prosecutors (“competent authorities referred to in Article 2 (1), point (44) (c) of AMLR”) “participate in a PFIS, they shall only obtain, provide or exchange personal data and operational information in accordance with national law transposing Directive (EU) 2016/680 of the European Parliament and of the Council and with the applicable provisions of national criminal procedural law, including prior judicial authorisation or any other national procedural safeguard as required”,
- finally, the “exchange of information on suspicious transactions” shall only take place “where the FIU to which the suspicious transaction report was submitted pursuant to articles 69 or 70 has agreed with such disclosure”. Although this point first refers generally to transactions (plural), which would suggest that the agreement shall be of a general nature, it then indicates a particular transaction report submitted to a particular FIU, so the agreement shall be individual – per transaction (or: per STR). Then we may ask: how will such agreement be obtained, how shall it be organised? Shall the OE, when submitting the STR to the FIU, immediately ask the FIU to agree to its disclosure within the PFIS?
Further Transmission of Information Received Within PFIS
Although it is generally not allowed to further exchange the information received within PFIS, there are some exceptions:
- where the information is provided to another OE according to art. 49 (1), i.e. when an OE provides the information to another OE and this latter OE relies upon all the necessary information concerning the CDD measures received,
- “the information is to be included in a report submitted to the FIU or provided in response to a FIU request pursuant to Article 69 (1)”. So the mechanisms of submitting reports and providing responses to the FIU are “outside of” the mechanism of the PFIS (please note: a PFIS is a “mechanism” taking the form of a partnership). However, the information may be necessary to prepare and submit a “coordinated” report to the FIU, as in the case described in art. 69 (8) AMLR, when OEs coordinate the submission of such a report by a single, chosen OE (as discussed in Part 1 of this text),
- “the information is provided to AMLA pursuant to Article 93 of AMLAR”. This provision refers to different, “special” PFIS, which AMLA either established or joined, with which we will be dealing in the 3rd part of this article,
- “the information is requested by law enforcement or judicial authorities, subject to any prior authorisations or other procedural guarantees as required under the national law”. This is a tricky provision, because it requires providing to law enforcement or to the prosecutors or courts information which is not the “entity’s own” and may be subject to e.g. banking secrecy, which then – to be shared within the PFIS by a bank – will require a very special exception: the release of banking secrecy information (e.g. that the customer has accounts with the bank, or about the SoF for a transaction) to the PFIS may result in this information’s further release to e.g. law enforcement. Why do I consider it tricky? Because the information here qualified (in art. 75 (5) (d) AMLR) for exceptional further transmission may originate in e.g. a German bank and be shared further with e.g. a Spanish entity (a bank or another OE), which could then transmit the information further to Spanish law enforcement, according to “prior authorisations or other procedural guarantees as required under the”… Spanish law, being the “national law” here (sic!). And what about the German banking secrecy law, which should have defined all the exceptions to the secrecy of this particular information?
OE’s Internal Policies and Procedures
“Prior to the participation in a PFIS” the OEs shall have drawn up their “policies and procedures for the sharing of information in their internal policies and procedures” (the ones covered by article 9 AMLR). These policies and procedures must:
- “specify the assessment to be carried out to determine the extent of information to be shared, and where relevant for the nature of the information or the applicable judicial safeguards, provide for differentiated or limited access to information for members of the PFIS”. So even if we were not certain after reading all the previous provisions of art. 75, we may now conclude with certainty that it is not proper to share any information with anyone within the PFIS: the extent of the information shared may be limited, and it may be differentiated depending on the type of information and on the PFIS members with which the information is shared by the OE (sic!),
- “describe the roles and responsibilities of the parties to the partnership for information-sharing”. Similar regulatory requirements usually referred – in AMLD4/5 or in AMLR itself – to various agreements between parties, e.g. between a correspondent and a respondent, etc. Here the descriptions must be located – separately – in the “policies and procedures” of the participants in a PFIS. However, since the PFIS itself assumes some partnership agreement, we may consider it most appropriate to cover the provisions of this agreement in the a/m OE’s internal policies and procedures,
- “identify the risk assessments that the OE will take into account to determine situations of higher risk in which information can be shared”. Here we have “higher risk” ascribed also to “situations” (not “customers” and not “factors”, although e.g. art. 20 (1), 23 (1), 28 (1), 32 (1) and 38 (2) indicate that we shall categorise situations as higher as well as lower risk) in which “information can be shared”. So the policies and procedures shall cover the risk assessments which will be “taken into account” (so these risk assessments may not be the only determinants) to determine which situations are of “higher risk” and in which of these higher risk situations the “information can be shared” (because we do not have to consider all “situations of higher risk” as triggering the sharing of information within the PFIS).
Independent Audit
Last but not least, we are told that the OEs participating in a PFIS “shall commission an independent audit of the functioning of that partnership and shall share the results with the supervisory authorities”, but only “where supervisory authorities deem it necessary”. I wonder: in the case of e.g. a cross-border PFIS, which “supervisory authorities” and which OEs? The decision of which supervisory authorities will be sufficient? And if it is just a single supervisory authority (of several, from different sectors or from various countries), is it sufficient for the OEs under its supervision to commission an independent audit of the functioning of the whole international PFIS, or just an audit of the functioning of the PFIS only in (or vis-à-vis) these OEs?
The above publication contains its author’s private opinions only.