Monday, 30 May 2016

Money laundering, customer due diligence and data protection: the CJEU's judgment in Safe Interenvios




Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission

Background

The recent judgment of the CJEU in the case of Safe Interenvios was triggered by a preliminary reference from the Provincial Court in Barcelona (Audiencia Provincial). The Court in Barcelona submitted to the CJEU a number of questions related to the interpretation of the third Anti-Money Laundering Directive 2005/60/EC (AML Directive, since replaced by the fourth money laundering Directive, discussed here).

In the case in question, Safe, a company which falls under the definition of a "financial institution" within the meaning of the AML Directive and of a "payment institution" within the meaning of the Payment Services Directive 2007/64 (PSD) has been transferring the funds of its customers abroad through the accounts it held with 3 banks, BBVA, Sabadell and Liberbank. The transfers were to be carried out by agents who were accordingly authorised by Safe and verified by the Bank of Spain (Banco de España). After discovering irregularities regarding Safe's agents the banks, acting under Spanish Law 10/2010 on the prevention of money laundering and terrorist financing[1] which transposes the AML Directive in Spain requested various information from Safe. When Safe did not provide them with the requested information the banks closed its accounts. Before closing Safe's account BBVA informed SEPBLAC[2] that Safe might be involved in money laundering activities.

Safe challenged the closure of its accounts before the Commercial Court in Barcelona (Juzgado de lo Mercantil) arguing that the banks have also been transferring funds abroad and that insofar they have been competing with Safe on the same market. In consequence, according to Safe, the closure of accounts was an act of unfair competition. Safe argued further that the information requested by the banks which related to Safe's customers as well as to the origin and destination of the funds could not have been provided without breaching the data protection legislation.

Safe's challenge was largely unsuccessful as the Commercial Court in Barcelona did not find a specific infringement of competition law by none of the banks. It concluded that BBVA closed Safe's account on the basis of checks which showed that nearly a quarter of transactions were not carried out by agents authorised by Safe and verified by the Bank of Spain. As for the closure of accounts by Sabadell and Liberbank, the court in Barcelona partly ruled in Safe's favour concluding that these two banks failed to properly set out the reasons for their closures.

Subsequently Safe, Sabadell and Liberbank appealed against that judgment to the Provincial Court in Barcelona which submitted the preliminary questions to the CJEU. 

The CJEU was asked, first, whether customer due diligence measures, laid down in the AML Directive to respond to the risks of money laundering and terrorist financing, could be applied by a credit institution (in the case at hand, a bank) to a financial/payment institution such as Safe, given that financial/payment institutions are already subject to supervision by competent authorities under the PSD and the AML Directive. The CJEU was then additionally asked what type of customer due diligence measures (standard, simplified or enhanced) could be applied in such a scenario and which circumstances could trigger the application of those measures. Finally, the national court asked if the measures and the provision of certain information requested by the banks from Safe are in line with EU competition law (Safe claimed that the banks compete with it on the payment services market) and with EU data protection law (according to Safe, the banks requested the identification data of its customers and of the recipients of the funds which Safe transferred).

The AML Directive sets out the legal framework for measures aimed at preventing and combatting money laundering and terrorist financing. Its provisions are to a great extent inspired by the recommendations of the Financial Action Task Force (FATF), the main international body in the area of combatting money laundering and terrorist financing.  Article 3 of the AML Directive defines which institutions and professions are to apply the anti-money laundering measures. The list in Article 3 includes credit institutions such as banks and financial institutions such as Safe. Chapter II of the AML Directive, which deals with customer due diligence, distinguishes between 3 types of such diligence, i.e. simplified, standard and enhanced.

As far as standard due diligence is concerned, Articles 7 and 8 of the AML Directive describe in which circumstances due diligence should be applied and what measures this might involve. The latter provision underlines that the extent the due diligence measures can be determined on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.

Article 9 of the AML Directive specifies the checks that need to be undertaken before the establishment of a business relationship or the carrying-out of a transaction. It also indicates when a business relationship must be terminated or a transaction cannot be carried out.

Article 11 sets out the simplified customer due diligence measures which inter alia apply in situations where the customers are credit institutions or financial institutions. Such customers are already covered by the scope of Article 2 of the AML Directive and need to apply due diligence measures towards their own customers. Enhanced customer due diligence is dealt with in Article 13.

Pursuant to Article 37 of the AML Directive the compliance with the requirements of the Directive by the institutions and persons that need to apply it is supervised by competent authorities. Credit institutions and payment institutions are also covered by the PSD.

Payment institutions get authorised to provide payment services by competent authorities designated by the Member States. These authorities are also empowered to supervise the compliance with the requirements that are applicable to payment service providers.

The CJEU's analysis

The CJEU first dealt with the question if financial institutions such as Safe can be the addressees of standard or enhanced customer due diligence measures despite the derogation in Article 11 of the AML Directive which foresees the application of simplified due diligence measures towards financial institutions.

The Court underlined that Article 11 of the AML Directive does not derogate from Article 7(c) under which standard customer diligence measures must be applied when there is a suspicion of money laundering or terrorist financing. Thus, a national provision which authorises the application of standard due diligence measures vis-à-vis financial institutions in such circumstances of suspicion is compatible with the Directive.

In a similar vein, Article 11 of the AML Directive does not derogate from Article 13 thereof. The latter requires enhanced customer due diligence measures to be applied in situations where the risk of money laundering or terrorist financing is higher. Paragraphs (2) to (4) of Article 13 contain a non-exhaustive list of such situations which by their nature present a higher risk. Whilst this list does not include the transfer of funds abroad the Member States have a margin of discretion in applying a risk-based approach and identifying other situations which are, by their nature, associated with a greater risk of money laundering or terrorist financing. In the case at hand, the transfer of funds abroad was included by the Spanish legislator in Law 10/2010 (Article 11) as one of the higher-risk situations which trigger enhanced customer due diligence.

The CJEU then dealt with Article 9 of Spanish Law 10/2010 which on the one hand allows the non-application of standard customer due diligence towards financial institutions but on the other hand empowers the Minister of Economic Affairs and Finance to exclude the application of simplified due diligence towards certain customers. On this point, the CJEU noted that the AML Directive only lays down the minimum level of EU harmonisation with Article 5 of the Directive envisaging the possibility of adopting or retaining in force stricter provisions in the EU Member States. This conclusion was supported by an earlier CJEU judgment in Jyske Bank Gibraltar. The stricter provisions which can apply in the Member States need to serve the purpose of strengthening the fight against money laundering and terrorist financing. They may thus also relate to additional situations which, according to the Member State, present a risk of money laundering or terrorist financing  even if the AML Directive does not prescribe any type of customer due diligence for those situations.

The second group of questions before the CJEU related to the extent of powers which credit institutions may exercise in the context of customer due diligence and to the relation between those powers and the powers of the supervisory authorities under Article 37 of the AML Directive and under Article 21 of the PSD. Here, the Court noted that an institution covered by the AML Directive cannot establish a business relationship or carry out a transaction through its account or must terminate an existing business relationship when it is unable to obtain the various items of information that are defined  in Article 8 of the Directive. These items include the verification of the customer's and the beneficial owner's identity (in the latter case pursuant to a risk-based approach) as well as the information on the purpose and intended nature of the business relationship. The inability of the institution to obtain these types of information might be due to the customers' refusal to cooperate (as in the case at hand) or to other factors.

The CJEU went on to identify the limitations that need to be applied when taking a measure such as the termination of a business relationship or the refusal to carry out a transaction through the bank account. The measure must be proportionate to the risk of money laundering or terrorist financing and thus cannot be taken in the absence of sufficient information which point out to that risk.

The Court then stated that the powers exercised in the context of customer due diligence and the supervisory powers of the competent authorities under the AML Directive and the PSD are rather to be seen as separate and complementary. In consequence, a credit institution may take account of the due diligence measures which its customer had to apply towards its own customers but the extent of the credit institution's due diligence measures in such a scenario must be appropriate to the risk of money laundering and terrorist financing. In addition, a credit institution must in that case neither compromise the supervisory tasks of the competent institutions under the PSD nor replace those supervisory authorities.

Next, the CJEU spelled out the conditions in which the national legislation can authorise or require standard or enhanced customer due diligence measures towards a financial institution. The CJEU's reply to the first group of questions indicated already that such measures can be applied vis-à-vis financial institutions pursuant to Article 13 of the AML Directive (enhanced due diligence) and Article 5 (stricter provisions). In this part of the judgment however the Court examined how the Member States (when prescribing such measures) or the credit institutions (when authorised by the Member State to apply such measures) can exercise the powers under Article 5 and 13.

The CJEU started by recalling its case-law on the freedom to provide services and on the permissible restrictions of that freedom (Art. 56 TFEU). It reminded that in Jyske Bank Gibraltar the prevention of and fight against money laundering and terrorist financing was recognised as a legitimate public interest objective which could justify a barrier to the freedom to provide services. It then turned to the question if Article 11 of Spanish Law 10/2010 which identifies the transfer of money abroad as a situation which always presents a higher risk of money laundering and terrorist financing (and in consequence triggers enhanced customer due diligence) is appropriate for attaining this legitimate public interest objective. In that regard, the Court stressed that both the national legislator (when prescribing standard or enhanced due diligence measures towards a financial institution) and the credit institutions (when authorised by the Member State to apply such measures) must carry out a complete risk assessment prior to deciding on the measures to take. Such measures must furthermore be proportionate to the risk so identified. The final element of this part of the CJEU's judgment was thus dedicated to the proportionality of Article 11 of Spanish Law 10/2010. Here, the Court concluded that the restriction of the freedom to provide services laid down in Article 11 would be proportionate if no less restrictive means were available and if the restriction was compatible with the fundamental rights and freedoms under the Treaties and the Charter e.g. with the right to protection of personal data (Article 8 of the Charter) and with the principle of free competition. Whilst, in principle, leaving the protection of personal data aspects for the last part of the judgment the Court found that a less restrictive measure was available in this case. In the case at hand the Spanish legislator generally presumed that all transfers of money abroad present a higher risk of money laundering and terrorist financing whereas it could have provided a possibility of rebutting that presumption in individual cases which objectively do not present such a risk.

The last group of preliminary questions put before the CJEU focussed on the compatibility of the enhanced due diligence measures with the EU data protection law, as set out in the Data Protection Directive (Directive 95/46). The Provincial Court in Barcelona asked if Safe can be obliged to provide the banks with the identification data of its customers and in particular those from whom the transferred funds originated as well as with the identification data of the recipients of the funds. In the reply to the previous group of questions the CJEU has already indicated that the due diligence measures taken pursuant to Articles 5 and 13 of the AML Directive need to be compatible with Article 8 of the Charter, i.e. with the right to the protection of personal data. The reply to the last group of questions could have thus elaborated on this statement and clarified which personal data of the customers and recipients can be validly requested by credit institutions. However, in the case at hand BBVA denied that it requested the identification data of Safe's customers and of the recipients of the funds. It merely requested the identification data of Safe's agents who used BBVA's accounts. Moreover, the CJEU found the last group of questions not to be sufficiently precise because they only referred generally to the Data Protection Directive without specifying any of its provisions which could be relevant in this context. The part of the preliminary questions which related to the Data Protection Directive was therefore considered inadmissible.  

Comments

The replies of the CJEU to the preliminary questions point out in the direction of giving a certain degree of flexibility to the national legislators and to the institutions and persons which apply customer due diligence measures. On the other hand, the measures prescribed or authorised by the national authorities and the measures applied in individual cases by banks and other institutions and persons covered by the AML Directive need to be preceded by comprehensive risk assessments. Those risk assessments should lead to the definition of measures which are appropriate to the identified level of risk. The measures can vary depending on the type of customer, business relationship, product or transaction.

This kind of well-balanced approach seems in line with the objectives of the AML Directive and with the CJEU's case-law which recognised preventing and combatting money laundering and terrorist financing as an overriding reason in the public interest.

The CJEU added a further safeguard at the later stages of the judgment: the proportionality of the customer due diligence measures depends not only on the results of the risk assessment but also on their compliance with the fundamental rights and freedoms and general principles of law. The Court specifically mentions the principle of free competition and the right to the protection of personal data enshrined in Article 8 of the Charter.

In Safe the CJEU did not however provide any specific indications on the issue which personal data can be requested from the customer in the context of due diligence measures and in which circumstances. This was so because the last group of preliminary questions was based on facts which were disputed in the proceedings and eventually this last group was declared inadmissible by the Court.

The AML Directive does not really address the matter how the measures it designs relate to the protection of personal data. In fact, there is only one point in the text of the Directive which touches upon that issue. It is Recital 33 which refers to the applicability of national data protection laws and of the international transfers rules of the Data Protection Directive in the context of the transmission of information to the Financial Intelligence Units (FIUs) and the disclosure of information about such a transmission.

On the other hand, the new fourth Anti-Money Laundering Directive 2015/849 is much more outspoken in this respect. Its Chapter V implicitly states that Article 7(e) of the Data Protection Directive constitutes the legal basis for processing personal data for the purpose of the prevention of money laundering and terrorist financing by recognising, in Article 43, that such processing is a matter of public interest. The same Chapter deals also with the issue of the information that needs to be provided to the customer before establishing a business relationship or carrying out an occasional transaction. Finally, it lays down more precise indications with regard to the transmission of information to FIUs and to the disclosure of that fact to the customers. According to Article 41(4) this issue should be regulated in national laws which must strike the balance between the access of the customer to the personal data and the interests of the proper functioning of the anti-money laundering procedures and investigations.

The provisions on the different kinds of customer due diligence are also more precise in the new Directive. There is no longer a derogation from standard due diligence for financial institutions. The Directive is now accompanied by three annexes. The first of these annexes contains a non-exhaustive list of risk variables that shall be taken into account when determining the extent of customer due diligence measures. The second annex includes a non-exhaustive list of factors which point out to a potentially lower risk of money laundering and terrorist financing, i.e. the degree of risk that might trigger the application of simplified customer due diligence. Finally, the third annex is a non-exhaustive list of factors suggesting a higher degree of risk which requires the application of enhanced customer due diligence. Generally speaking, the factors included in the three annexes relate to types of customers, geographic areas, and particular products, services, transactions or delivery channels. In addition, Articles 17 and 18 of Directive 2015/849 envisage guidelines on the risk factors and the measures to be taken in situations of simplified customer due diligence and enhanced customer due diligence respectively. Such guidelines shall be issued by ESAs, i.e. the European Supervisory Authorities (EBA, EIOPA and ESMA) by 26 June 2017.

Photo credit: gfintegrity.org



[1] Ley 10/2010 de prevención del blanqueo de capitales y de la financiación del terrorismo.
[2] The Executive Service of the Commission for the Prevention of Money Laundering and Financial Crime of the Bank of Spain - Servicio Ejecutivo de la Comisión de Prevención de Blanqueo de Capitales e Infracciones Monetarias del Banco de España.

No comments:

Post a Comment