KYC / AML: Towards an effective EU framework to fight money laundering
ING Viewpoint August 2020
"Almost all criminal activities that generate profit involve money laundering in some form.
Banks have a societal responsibility to fight this very harmful form of financial crime.
Whilst banks, including ING, must recognise that mistakes have been made, and are acting to remedy the failures of the past, we believe that today’s framework for fighting financial crime could be made more robust.
We believe banks and other 'gatekeepers' could become more effective partners for public authorities in fighting crime if the EU's anti money laundering rules and supervision were harmonized, effective information sharing were allowed, and new technologies were stimulated.
Taking decisive steps in this direction would help to reach our common goal of eradicating financial crime."
Steven van Rijswijk
Chief Executive Officer ING Group
Digitalisation and cross-border integration of financial services provide criminals with more opportunities to conceal crime. In the eurozone alone, banks processed 90 bn electronic payments in 2018. We expect this already immense number to rise significantly as the COVID 19 pandemic will likely lead to an acceleration of digital banking. Financial crime is an international problem that requires a European and even global response. It is against this backdrop that ING wholeheartedly welcomes the May 2020 European Commission Action Plan on preventing money laundering and terrorist financing.
We welcome in particular the European Commission's focus in its Action Plan on harmonising the EU rulebook. We strongly support turning significant parts of the AML Directives into a directly applicable Regulation.
In this Viewpoint we set out the key requirements for harmonization. In addition, we set out the case for strengthening information sharing capabilities, for creating a new AML supervisory set up and for stimulating innovation in a wider sense.
Strengthening information sharing
Allow for sharing of personal data under strict conditions
Whilst the Action Plan touches upon information sharing, we believe an ambitious approach would allow better information sharing between banks and in the context of public-private cooperation - as there is tangible evidence that sharing information delivers better results. This requires a fundamental discussion about data protection laws and EU-wide clarity over its application.
Compliance with the GDPR is central to every scenario of information sharing, be it public private, interbank or intrabank. However, only a limited number of jurisdictions provide clear and constructive guidance or legislation for information sharing. Even if a Member State provides a legal basis allowing information to be shared as a legitimate interest to process personal data for AML purposes, financial institutions remain hesitant to do so as this may be challenged in other jurisdictions where they operate.
This is a significant barrier to fighting cross border crime and undermines the ability to maintain a full overview of the financial crime threat to the Single Market. It equally makes private-private cooperation, including through shared KYC and transaction reporting utilities, more challenging. The future AML Regulation would benefit from better alignment of AML rules with the GDPR by explicitly allowing information sharing for the purpose of fighting financial crime.1 In this respect, it would be beneficial to clarify that combatting financial crime is a legitimate ground under GDPR, e.g. via a formal opinion from the European Data Protection Board.
Success rate in fighting money laundering could improve2
Despite significant efforts by public authorities and private sector gatekeepers, the chances of financial crime being discovered and prosecuted are very low. It shows the need to re-design the framework, so it produces successful outcomes, rather than be a tick-the-box compliance exercise.
Public-Private Partnership and privacy rules
Public authorities and banks are already cooperating through task forces that show tangible results and allow for a much wider overview of the financial crime ecosystem. ING, together with other banks, the public prosecutor’s office, the national police and the FIU, is part of the Dutch Serious Crimes Taskforce to detect and identify money-laundering cases. The success of this approach is beyond doubt: in a similar pilot for terrorism finance, a seven fold increase of the conversion rate was observed . However, in the absence of clear EU-wide guidance, these initiatives remain national, and discussions around topics like data protection rules in this context continue. In order to reap the full benefits from these PPPs, we welcome the commitment to providing EU guidance by early 2021 and hope it brings the necessary clarity to legislation, particularly in relation to data protection rules.
A harmonised rulebook
The current lack of harmonised rules makes it difficult to roll out an EU wide Customer Due Diligence (CDD) approach. The following areas should be addressed:
UBO registers - with a focus on accessibility and usability. While the AMLD4 establishes UBO registers at national level, the design of UBO registers varies significantly across countries. EU-level legislation to make this coherent across Member States will improve the quality of data and the effectiveness of the registers.
CDD and Suspicious Transaction Reporting (STR) - Multi interpretable definitions make it difficult for banks operating on a cross-border basis to apply EU-wide anti money laundering policies. For example, for both reporting and investigating purposes, a customer involved in a high risk country, can be interpreted by Member States in many ways.
Harmonisation - more standardized Suspicious Transaction Reporting will contribute to the capability of FIUs to provide more granular feedback on these filings. This will improve the quality of STRs, making it easier for public authorities to investigate and prosecute AML cases.
A single supervisor
A harmonised rulebook would need to be supported by consistent and wide-ranging supervision at EU level. While the strengthened mandate of the EBA has provided a basis for further supervisory convergence, there are limits to how much can be achieved by pooling policy resources at the EBA and establishing AML colleges for cross-border banks. As long as national authorities are responsible for AML supervision in their respective jurisdictions, there will be differences in supervisory expectations, sanctions and measures.
Therefore, EU wide direct and ongoing AML supervision on all obliged entities that are considered significant from a risk perspective should be considered.
Innovation and KYC utilities
The EU should look into stimulating innovative technologies and cooperation models that could help make AML policies more effective. ING alone processes >8bn payment transactions annually and technology and data are the key enablers to assess all these transactions effectively. Better data will help us to develop better risk based scenarios and, in turn, focus on the alerts that do have an impact. ING also invests in advanced data analytics technologies to detect money laundering tactics like smurfing.
Another enabler of innovation in the context of KYC would be to stimulate the availability of robust and impenetrable unique client identifiers. This will bring important efficiency and security gains across the banking sector. The EU should build on its existing eIDAS Regulation framework to truly reap the benefits of such an approach. Find our thoughts on how this could be achieved here.
Finally, banks are already exploring opportunities to pool resources, data and investigating power (both on transaction monitoring and customer due diligence). For example, Dutch banks have recently set up a shared Transaction Monitoring utility to identify suspicious transaction patterns across banks.
The financial system should be equipped to effectively address financial crime. The EC AML Action Plan is an important step in the right direction, particularly as it calls for more harmonisation and supervisory convergence. However, more could be done in terms of allowing inter and intrabank as well as public-private information sharing. An enabling environment is key to grasp the full potential of technological innovation.
1 Art 23 1 GDPR
2 “Suspicious Activity Reporting varies significantly across Europe, Vedrenne August 28 2019 moneylaundering com”