Financial Intelligence Units (FIUs) in the Anti-Money Laundering Regime under Reform: An Enquiry into the Privacy and Data Protection Challenges

Printer-friendly version
Andreas Karapatakis
  •
  • 7128 reads
PDF icon pdf version

Table of Contents: 1. Introduction. – 2. The evolving nature of the European anti-money laundering regime. – 2.1. The EU AML Directives and the international AML regime. – 3. The powers of FIUs. – 4. The new AML regime and the developments regarding the FIUs’ access to information. – 4.1. Financial, administrative and law enforcement information. – 4.2. Interconnected central registers and single access points. – 5. The impact of the AML Directive on the protection of the rights to privacy and personal data protection. – 6. Justification of the interference. – 6.1. The ‘provided for by law’ criterion. – 6.2. The objective of general interest. – 6.3. The essence of the fundamental rights. – 7. Necessity and proportionality. – 8. Conclusion.

Abstract: Technological advancements of the last decade have increased the pressure on the current EU Anti-Money Laundering (AML) legal framework. After several isolated efforts through legislative intervention, the European Commission has decided to reform the current AML framework by adopting a package of four legislative proposals to strengthen the AML regime. At the heart of the reform lies the cooperation of FIUs, which have been established in each Member State to receive, analyse and transmit reports of suspicions identified and filed by the private sector. The newly adopted Directive (6th AML Directive) raises a plethora of legal questions regarding its compatibility regime with the rights to respect for private life and personal data protection. In particular, FIUs will be empowered with extensive access to information, raising concerns about whether these powers are necessary and proportionate without any exhaustive definition as to the categories of personal data to which FIUs can access. Following an overview, this article will shed light on these privacy and data protection challenges raised by the 6th AML Directive, focusing on the operation of FIUs.

Keywords: anti-money laundering – Financial Intelligence Units (FIUs) – access to information – fundamental rights – right to respect for private life – right to personal data protection.

1.   Introduction

Over the past 30 years, the European Union (EU) has developed a comprehensive and elaborate legal framework aimed at countering money laundering, closely following developments at the international level, most notably the international standards established by the Financial Action Task Force (FATF). Money Laundering is a multifaceted crime characterised by a series of intricate steps designed to obscure the illicit origins of funds. Its execution involves a range of techniques, enabling remarkable adaptability across different economic and technological environments. In the last two decades, technological advancements (including non-face-to-face transactions, digital currencies, etc) have further expanded the opportunities available to perpetrators. In response, the EU has engaged in a continuous process to modernise its anti-money laundering (AML) framework. This process culminated in 2021 with the adoption of a new AML legislative package aimed at addressing emerging money laundering techniques, harmonising the framework of obliged entities and strengthening the powers of FIUs.[1]

This article focuses solely on the recently adopted sixth AML Directive (6 AML Directive) and, in particular, on the powers granted to the FIUs. The revised framework, adopted on 24 April 2024, substantially expands the investigatory and information-gathering powers of FIUs. While these developments aim to enhance the effectiveness of AML enforcement, they also raise significant questions concerning their compatibility with the rights to respect for private life and personal data protection, enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights.[2] Notably, FIUs are granted extensive access to information without a clear delimited specification of the categories of personal data to which they may obtain access. This expansion of powers raises concerns as to whether the revised framework satisfies the requirements of necessity and proportionality under EU law. 

Despite the growing body of scholarship on EU AML law, the implications of the 6th AML Directive for the scope of FIUs’ powers and their compatibility with fundamental rights have thus far received limited attention. By focusing specifically on the expanded powers of the FIUs under the revised framework, this article addresses an important but still underexplored dimension of the EU’s evolving AML architecture.

Against this backdrop, the article advances the argument that the expansion of FIU’s powers introduces significant tensions between the objective of strengthening the EU’s AML regime and the protection of fundamental rights within the EU legal order. By examining the role of FIUs through the lens of Articles 7 and 8 of the Charter, the article contributes to the broader debate on the limits of financial surveillance powers within the EU and the role of fundamental rights in constraining the expansion of security oriented regulatory frameworks. In doing so, the article sheds new light on the limits of the EU’s expanding financial surveillance architecture.

The article proceeds as follows. Section II provides a brief overview of the evolution of the EU AML framework. Section III examines the progressive expansion of FIUs’ powers within this framework. Section IV analyses the new regime, with particular focus on FIUs’ access to information. Section V considers the impact of these developments on the rights to privacy and the protection of personal data. Section VI and VII then assess whether the resulting interference with these rights can be justified, focusing respectively on the conditions of justification and the requirements of necessity and proportionality. 

2.   The evolving EU AML legal framework

The EU AML regime is characterised by continuous reform and periodic re-evaluation, largely driven by evolving international standards and technological developments. Rather than constituting a self-contained regulatory framework, the EU AML regime has developed as part of a broader transnational architecture of financial crime regulation. Its foundations are closely linked to a range of international instruments and institutional actors. Key influences include the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic (Vienna Convention of 1988), the United Nations Convention against Transnational Organized Crime (Palermo Convention of 2000), as well as initiatives by the Council of Europe and, most prominently, the standards adopted by the FATF.[3] Among these, the FATF has played a particularly significant role in shaping the trajectory of EU AML legislation, serving as a primary source of inspiration for successive legislative reforms.[4] This evolutionary and externally influenced development of the EU AML framework provides the institutional and regulatory context within which the powers of FIUs have progressively expanded. 

2.1.  The EU AML directives and the international AML regime

The main international standards for the fight against money laundering are set by the FATF.[5] The responsibility of the FATF is to examine money laundering developments, new trends and techniques, monitor countries’ progress in combatting this crime and adjust its standards.[6] FATF’s standards (namely the 40 Recommendations) are regularly revised and updated to follow the developments in the field.[7] In October 2001, following the events of 9/11, the FATF added eight ‘special’ Recommendations to the standards, introducing the crime of terrorist financing in the international regime.[8] The last fundamental revision of the standards took place in 2019 with the addition of measures for regulating and supervising the activities related to virtual and crypto assets.[9]

The FATF Recommendations can be characterised as ‘soft law’, which allows their easy revision.[10] Despite their nature, they have an extensive influence on the creation and evolution of the EU AML regime.[11] The first European AML Directive (1st AML Directive), adopted in June 1991, introduced the preventive measures of the FATF Recommendations, providing a binding nature to these guidelines.[12] The preventive measures encompassed the ‘Know Your Customer’ (KYC) principle, resulting in the obligation of credit and financial institutions to identify their customers and report any suspicious transactions.[13] The 2nd AML Directive, adopted in December 2001, implemented the revised FATF Recommendations of 1996.[14] It introduced two main innovations: it widened the personal scope of the regime to include non-financial institutions and professions as obliged entities (e.g. real estate agents, auditors, notaries and other independent legal professionals) and extended the list of predicate offences.[15]

The 3rd AML Directive of October 2005 implemented the 2003 FATF's revised framework.[16] One significant change was the inclusion of terrorist financing in the scope of the EU regime.[17] Furthermore, the Directive introduced a ‘risk-based approach’ to customer identification and elaborated on Customer Due Diligence (CDD) measures .[18] Following the same pattern, the preamble of the 4th AML Directive argues that: ‘Union action should continue to take particular account of the FATF […] With a view to reinforcing the efficacy of the fight against money laundering and terrorist financing, the relevant Union legal acts should, where appropriate, be aligned with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by the FATF in February 2012 (the ‘revised FATF Recommendations’)’.[19] The 4th AML Directive adopted in May 2015 developed further the risk-based approach – promoting a more proportionate framework – as well as the rules on beneficial ownership, CDD, politically exposed persons and obligations towards FIUs.[20]

Only three years after the 4th AML Directive, the EU adopted the 5th AML Directive.[21] The urgency for this adoption is evident from the fact that the Commission issued the proposal of the 5th AML Directive before the implementation deadline of the 4th AML Directive (26 June 2017).[22] The Commission underlined that the amendments align with FATF’s work concerning high-risk third countries and beneficial ownership.[23] However, the most significant innovation of the 5th AML Directive did not stem from the FATF Recommendations; the Directive was one of the first steps of the EU to regulate (to a considerably small extent) the phenomenon of digital currencies. [24]

In July 2019, the Commission issued a Communication outlining measures to better implement the existing regime.[25] In May 2020, it further adopted an Action Plan to ensure the effective implementation of the regime.[26] Based on the Action Plan, the Commission presented a legislative package which entailed a complete makeover of the EU AML regime. The package consisted of four legislative proposals: a) a Regulation concerning the new EU AML Authority (AMLA), aiming to improve the supervision of AML and enhance the cooperation among Financial Intelligence Units;[27] b) a new Regulation on AML/CFT, containing directly applicable rules for the obliged entities;[28] c) a 6th AML Directive replacing the existing Directive containing more detailed rules concerning FIUs;[29] and d) a revision of the 2015 Regulation on Transfer of Funds to make it possible to trace transfers of virtual assets (the so-called travel rule).[30]

With the exception of the first proposal, the Commission underlines in the preambles that the amendments were deemed necessary to implement the revised framework of the FATF.[31] The above overview of the evolution of the European AML framework depicts the FATF's significant influence on this regime's development. However, the nature of the FATF raises some rule of law concerns.[32]The FATF is a body characterised by minimal transparency and accountability.[33] The ‘experts’ of FATF aim to establish measures to tackle the crime of money laundering effectively. Having a specific aim, FATF’s measures constantly expand the state's power, but they are not equally balanced towards the protection of human rights. Therefore, at the EU level, the EU legislature should not blindly accept every and all measures produced by the FATF without an evaluation of their impact towards fundamental rights. 

3.   The powers of FIUs

This section examines the institutional role of FIUs within the EU AML framework and traces the progressive expansion of their powers, an institutional development that has received limited attention in existing legal scholarship. As the central bodies responsible for receiving and analysing financial intelligence, FIUs occupy a pivotal position within the EU AML regime. Understanding the scope and development of their powers is therefore essential for assessing the implications of the revised framework upon fundamental rights.

The AML regime is built on the fact that private entities (e.g. financial and credit institutions) collect the necessary information to identify money laundering or at least suspicious transactions. Article 6 of the 1st AML Directive provides a basic understanding of the reporting obligation and the information to be transmitted: ‘[…] credit and financial institutions and their directors and employees cooperate fully with the authorities responsible for combating money laundering: – by informing those authorities, on their own initiative, of any fact which might be an indication of money laundering, – by furnishing those authorities, at their request, with all necessary information, in accordance with the procedures established by the applicable legislation’.[34] However, the Directive did not include any details concerning the ‘authorities responsible of combating money laundering’.[35] Therefore, it is for the Member States to decide, the nature of these authorities.[36] The hesitation of entrusting law enforcement agencies (police) with this financial surveillance stems from the fact that the EU did not have competence in criminal matters at the moment of the adoption of the 1st AML Directive.[37]

The ‘authorities responsible for combating money laundering’ became known as FIUs. In the EU, FIUs can be divided into four categories: administrative FIUs, judicial FIUs, police FIUs and independent FIUs.[38] Due to the absence of definitive guidelines – both at the EU and international level – regarding the organisational structure of FIUs, a variety of structures currently exist within the EU. As Mouzakiti notes, 21 FIUs follow the administrative or the police model, five have hybrid characteristics, and one falls under the judicial model.[39] The FIUs are placed between the private sector and law enforcement agencies. Their role is primarily to receive information from the private sector, analyse it and inform law enforcement authorities when necessary.[40] Consequently, FIUs have access to and analyse various personal data, which is not necessarily connected to criminal activity or criminal proceedings. 

FIUs were not initially regulated in detail, apart from certain general provisions in the 1st AML Directive and a Council Decision of 2000 concerning FIU cooperation.[41] That Decision was adopted to address difficulties in the exchange of information between FIUs.[42] However, the Decision limited the scope of information exchange only for AML purposes and did not cover CFT.[43]Similarly, the FATF did not engage with the issue of FIUs until the 2003 revision of its Recommendations.[44] Influenced by the FATF, the EU legislature prescribed additional rules concerning the operation of FIUs in the 3rd AML Directive (2005) regarding the powers and functions of FIUs and their cooperation.[45] Specifically, Article 21 of the 3rd AML Directive stated that: 

‘1. Each Member State shall establish an FIU in order effectively to combat money laundering and terrorist financing. 2. That FIU shall be established as a central national unit. It shall be responsible for receiving (and to the extent permitted, requesting), analysing and disseminating to the competent authorities, disclosures of information which concern potential money laundering, potential terrorist financing or are required by national legislation or regulation. It shall be provided with adequate resources in order to fulfil its tasks. 3. Member States shall ensure that the FIU has access, directly or indirectly, on a timely basis, to the financial, administrative and law enforcement information that it requires to properly fulfil its tasks’.[46]

Additionally, under Article 38 of the 3rd AML Directive, the Commission had the duty to lend assistance as needed to facilitate coordination between FIUs, including the exchange of information.[47] The 4th AML Directive amended the rules, providing further details about their functions, organisation and cooperation. Recital 37 established the independent and autonomous nature of the FIUs ‘to collect and analyse the information which they receive with the aim of establishing links between suspicious transactions and underlying criminal activity in order to prevent and combat money laundering and terrorist financing’.[48] Based on this, each FIU ‘has the authority and capacity to carry out its functions freely, including the autonomous decision to analyse, request and disseminate specific information’.[49] The Recital concluded that FIUs serve as central national units for receiving, analysing and disseminating information.[50]

In terms of powers and tasks, Article 32 of the 4th AML Directive provided that the FIUs must have access to the financial, administrative and enforcement information necessary to achieve their tasks.[51] Moreover, the Directive mentioned two specific grounds based on which the FIUs may not comply with a request for information by competent authorities in their respective Member States: i) ‘Where there are objective grounds for assuming that the provision of such information would have a negative impact on ongoing investigations or analyses’, ii) ‘in exceptional circumstances, where disclosure of the information would be clearly disproportionate to the legitimate interests of a natural or legal person or irrelevant with regard to the purposes for which it has been requested’.[52] Furthermore, FIUs were empowered to take urgent action, directly or indirectly, where there is a suspicion that a transaction is related to money laundering, to suspend or withhold consent to a transaction that is proceeding to analyse the transaction, confirm the suspicion and disseminate the results of the analysis to the competent authorities.[53] Finally, Article 32(8) of the 4th AML Directive referred to two analytical functions of FIUs, namely the operational analysis, which focuses on individual cases and specific targets or on appropriately selected information and the strategic analysis, addressing money laundering and terrorist financing patterns and trends.[54]

The powers of the FIUs and, especially, access to information were elaborated further in the 5th AML Directive. Recital 17 stated the importance of unfettered access to information by FIUs, underlining that FIUs should have access to information obtained by obliged entities, even without a prior report being filed.[55] This translated to a controversial extension of FIUs’ powers to access information concerning even transactions which have not been categorised as suspicious at all. 

Timely access to the necessary information is crucial for the analytical function of FIUs. Therefore, the 5th AML Directive obliged the Member States to ensure that FIUs have access to national registers holding information for beneficial ownership of entities, bank accounts, safe deposit boxes, and real estate.[56] New Articles 32a and 32b establish central registers for bank accounts and real estate ownership information and provide further details concerning the information accessible by the FIUs through these registers.[57] Article 32a obliges Member States to set up central registries to identify owners of bank accounts and safe deposit boxes.[58] The FIUs must have immediate and unfiltered access to a range of information, including the identification details of the customer account holder, the beneficial owner of the customer account holder, the IBAN number and the name of the lessee of safe deposit boxes.[59] Moreover, the Article leaves it to the discretion of Member States to include any other information deemed necessary for FIUs.[60] Following the same pattern, Article 32b obliges Member States to set up central registries so that FIUs can access real estate ownership information.[61]

4.   The new AML regime and the developments regarding the FIUs' access to information

All acts forming part of the Commission’s 2021 AML legislative package have now been adopted and published. Nevertheless, this article focuses exclusively on the 6th AML Directive and on the mechanisms established by the Member States to prevent the use of the financial system for the purposes of money laundering and terrorist financing. By focusing on the scope of FIUs’ access to information under the revised Directive, the section sheds light on an important but relatively unexplored dimension of the EU’s evolving AML framework.

4.1.  Financial, administrative and law enforcement information

A fundamental issue of the 4th AML Directive, as amended by the 5th AML Directive, has been the categories of data to which FIUs have access. The regime states that FIUs must have access to the necessary financial, administrative and law enforcement information and does neither clarify what information is included in these broad categories nor under which conditions the FIUs are granted access to that data. Notably, these three categories of information are additional to the data already available on request to FIUs collected by the obliged entities under the customer due diligence duties.[62]

Article 21(1) of the 6th AML Directive regulates further the access to information by FIUs. The Article divides the information into three categories: i) financial information, ii) administrative information and iii) law enforcement information. For i) and ii), the access is immediate and direct.[63] Regarding law enforcement information (iii), the Article provides only direct or indirect access (thus not immediate) to a) any type of information which is already held by competent authorities in the context of preventing, detecting, investigating and prosecuting criminal offences and b) any type of information or data which is held by public authorities or by private entities in the context of preventing, detecting, investigating or prosecuting criminal offences and which is available to competent authorities without the taking of coercive measures under national law.[64] Article 21 elaborates that this information must include criminal records, information on investigations, information on the freezing or seizure of assets or on other investigative or provisional measures and information on convictions and on confiscations.[65]

This structured but detailed approach to access rights is reflected in the Commission’s explanatory memorandum to the proposal of the 6th AML Directive, which refers to ‘a list of minimum categories of information to which FIUs must have access’.[66]Nevertheless, the lists set out in Article 21 are extensive and, moreover, the use of the phrase ‘at least’ indicates that the lists of information are not exhaustive.[67] As a result, Article 21 establishes a baseline of access to information, while leaving scope for broader access. 

Additionally, the nature of the EU FIUs remains not harmonised. This leads to longstanding differences between FIUs with the same functions and powers but different statuses.[68] Several EU Member States have established FIUs outside the criminal justice system (i.e. administrative FIUs).[69] This decision stems from the fact that FIUs have access to and process information which is not directly relevant to criminal proceedings. As a result, an administrative FIU (i.e. outside the criminal justice system) might safeguard privacy to a higher degree.[70] The difference in the nature of the FIUs affects their ability to access certain types of information. Specifically, administrative FIUs might not be able to receive all the information under the law enforcement category. Such extensive access provided in Article 21 might conflict with the nature of administrative FIUs as opposed to police FIUs.[71] The inclusion of law enforcement information in the Directive is an attempt to harmonise AML rules and FIUs’ activities.[72]

4.2.  Interconnected central registers and single access points

The 6th AML Directive provides that FIUs must have access to information from three central registers, namely the beneficial ownership registers, the bank account registers and the real estate registers.[73] Such access must be immediate and direct.[74] To give effect to this obligation, Articles 10-18 lay down rules on the centralised, automated registers (i.e. central registers or central data retrieval systems) by specifying the categories of information that these registers must contain. Within the broader framework, the Commission adopted Implementing Regulation (EU) 2021/369 on 1 March 2021, which sets out the technical specifications and procedures for the interconnection of central beneficial ownership registers established by the Member States.[75] This interconnection is realised through the Beneficial Ownership Registers Interconnection System (BORIS), a decentralised system linking national beneficial ownership registers with the European e-Justice Portal via the European Central Platform.[76]

Furthermore, Article 16(6) of the 6th AML Directive provides that the Commission must ensure that the centralised automated mechanisms – established by the Member States – shall be interconnected via the bank account registers interconnection system (BARIS).[77] The FIUs have access to the information on payment and bank accounts, including virtual IBANs, securities accounts, crypto-asset accounts and safe deposit boxes in other Member States.[78] The information available through the centralised automated mechanisms is the name and identification details of the owner or the beneficial owner (of the account or the safe deposit box), the IBAN (or the unique account identifier) and the date of the opening and closing.[79]

In addition, as regards the real estate registers, Article 18(1) provides that FIUs will have immediate and direct access to information which allows for the identification of any real estate property and of the natural persons or legal entities or legal arrangements owing that property, but also ‘information allowing for the identification and analysis of transactions involving real estate’.[80] The 6th AML Directive provides that the access to real estate information ‘shall be provided via a single access point […] which allows competent authorities to access, via electronic means, information’.[81] Concerning the single access point, in February 2021, the Commission published a report based on a study evaluating the possibility of interconnecting real estate registers which found that the interconnection of these registers will aid the AML regime in becoming more effective.[82] This will provide the powers to FIUs to access information concerning the owned property in other Member States. This knowledge, accompanied by financial information (bank accounts), can lead to the profiling of individuals for intelligence purposes (and not for investigative ones). However, this is a matter to be addressed in the future.

The new rules aim to address several deficiencies of the existing AML regime concerning the access to information, coordination and exchange of information among FIUs.[83] However, they do not touch upon the main roots of the problem. First, the new framework still has the form of a Directive; therefore, the nature of FIUs in the EU will not be harmonised. Second, the categories of data accessible to FIUs are vague and not exhaustively defined. Third, the extensive powers of the FIUs to access information are, arguably, not compatible with the rights to respect for private life and personal data protection.

5.   The impact of the AML directive on the protection of the rights to privacy and personal data protection

The Commission’s proposal did not substantially engage with the question about the interference of the measures with fundamental rights. The impact assessment accompanying the proposal stressed the significant positive impact of the proposed rules towards the fight against money laundering. With regard to FIUs, the impact assessment underlined that the envisaged framework i) included a minimum set of common rules on the functions and powers of FIUs; ii) maximum time limits for requests for information or freezing of transactions/bank accounts; iii) clarified obligations for FIUs to provide feedback to entities/authorities reporting suspicions or cash declarations.[84] Concerning the impact on fundamental rights, the Commission acknowledged that the measures intersected in several areas with the fundamental right to personal data protection.[85] Interestingly, the word ‘intersect’ was preferred over ‘impact’ or ‘interference’. Moreover, the impact assessment referred only to data protection and not the right to privacy .[86] The assessment acknowledged that the AML regime should be balanced with the fundamental rights and the principles of necessity and proportionality, and underlined that the objective of fighting money laundering and terrorism financing is an objective of general interest.[87] However, a balancing exercise was not conducted, and the sections below will fill this gap.

The provisions of the 6th AML Directive significantly extend the FIUs’ powers concerning access to information. The preamble to the Directive justifies this expansion by reiterating that the delay of access to information by FIUs is an obstacle to the detection of funds relating to money laundering and terrorist financing.[88] The interference with the fundamental rights to privacy and data protection is inextricably linked with the extension of powers of the FIUs to access the three categories of information (financial, administrative and law enforcement). 

EU Member States must ensure that FIUs have immediate and direct access to financial and administrative information and direct or indirect access to law enforcement information.[89] Under Articles 11 and 16, competent authorities gain access to the interconnected central national beneficial ownership registers and the central national bank account registers.[90] For the beneficial ownership registers, competent authorities have immediate, unfiltered, direct, and free access through the interconnected system to the information outlined in Articles 62 and 66 of the Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.[91] Regarding the bank account registers, the accessible information through the interconnected system includes the identity of the account holder (or the beneficial owner), the IBAN and the date of account opening and closing; the identity of the safe deposit box holder; the virtual IBAN number; for securities accounts, the unique identifies of the account, and the dates of account opening and closing; for crypto-asset accounts, the unique identifier of the account, and the dates of opening and closing.[92] Consequently, EU FIUs have direct and immediate access to a wide range of information.

The aforementioned powers to access and analyse information constitute interferences with the right to private life and data protection. Thus, the requirements of Articles 8 and 52 must be safeguarded due to the fact that the accessible information may reveal a full profile of someone’s life.  

6.   Justification of the Interference

The broad access to information granted to FIUs may interfere with the rights to respect for private life and to the protection of personal data. These rights are not absolute rights and must be considered based on their function in society.[93] Therefore, these rights can be limited, but any limitation needs to comply with Article 52 of the Charter. According to Article 52(1), any limitation on exercising the rights and freedoms recognised by this Charter must be provided by law and respect the essence of those rights and freedoms.[94] Concerning the principle of proportionality, these limitations may be made only if they are necessary and genuinely meet the objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.[95] The following section examines whether the interference with the rights to private life and data protection can be justified under the proportionality requirements. This analysis is crucial for determining whether the strengthened AML regime remains compatible with the constitutional limits of EU law.

6.1.  The ‘provided for by law’ criterion

The ‘provided for by law’ criterion corresponds to the ‘in accordance with law’ element under the ECHR.[96] The criterion requires to establish whether the principle of legality is respected (the existence of a legal basis) and, second, whether the respective law is precise and accessible.[97] In Malone v UK, the ECtHR held that ‘the phrase ‘in accordance with the law’ does not merely refer back to domestic law but also relates to the quality of the law, requiring it to be compatible with the rule of law’.[98] The ECtHR connected the requirement with the rule of law, stating that ‘there must be a measure of legal protection in domestic law against arbitrary interferences by public authorities’.[99] Concerning the accessibility criterion, the ECtHR decided that ‘the citizen must be able to have an indication that is adequate in the circumstances of the legal rules applicable to a given case’.[100] This first step is easily achievable with a published legal text. Regarding the precision element, a law is precise if it allows the citizen to regulate their conduct; thus, a citizen should be able to foresee the consequences which a given action may entail.[101]

With the adoption of the EU legislative act, the accessibility criterion is easily satisfied. However, the foreseeability requirement is more complicated. Concerning the access powers of the FIUs, Article 21 of the 6th AML Directive extends the powers of the FIUs to include a series of information.[102] The three categories (financial, administrative and law enforcement information) aim to make the power to access more precise by detailing the necessary information. However, the provision leaves a wide margin of discretion as to how it is to be interpreted (i.e. what information is included in these categories). Particularly, the EDPS underlined that this provision needs to be more precise.[103] Regarding the financial and administrative information, the FIUs will have access to ‘at least’ the information under Article 21(1)(a) and (b). For law enforcement information, the FIUs will have access to ‘any type’ of information outlined under Article 21(1)(c). This illustrates the extent of the power to access information, as Article 21 lacks clarity and precision. The genuine aim of the provision should have been to specify categorically what information should be accessible. 

The lack of clarity and precision of Article 21 constitutes a significant challenge for the new framework. This challenge is evident based on the institutional set-up of FIUs. FIUs in different Member States have different institutional models, resulting in a deviation of powers; on the one hand, administrative FIUs with no embedded investigative powers and, on the other hand, law enforcement FIUs with the ability to analyse and investigate crimes. The 6th AML Directive takes a bold step to bridge the differences in FIUs’ powers by clarifying that all FIUs should have access to the categories of information under Article 21. Nevertheless, the Directive does not harmonise the institutional setup of FIUs. Thus, the extensive access powers will conflict with the FIUs' administrative nature. 

6.2.  The objective of general interest

In light of the above, the 6th AML Directive aims to aid FIUs in identifying rapidly funds linked to money laundering and terrorist financing. The case law of the CJEU has confirmed that the fight against serious crime constitutes an objective of general interest, capable of justifying interference with the fundamental rights of privacy and data protection.[104] In Digital Rights Ireland, the Court held that ‘It is apparent from the case-law […] that the fight against international terrorism to maintain international peace and security constitutes an objective of general interest […] The same is true of the fight against serious crime in order to ensure public security […] in this respect, that Article 6 of the Charter lays down the right of any person not only to liberty but also to security’.[105]

6.3.  The essence of the fundamental rights

An interference impacts the essence of the right when the right is emptied of its basic core, and the individual cannot exercise the right. The case law clarifies that an interference may ‘not constitute, in relation to the aim pursued, a disproportionate and intolerable interference, impairing the very substance of the right so guaranteed’.[106] Moreover, when the measure does not permit the acquisition of knowledge of the content of the electronic communications, it therefore does not affect the essence of the right.[107]

There are no strict guidelines concerning the essence of the rights; however, the case law seems to connect this assessment with the nature of the information. Traffic data and civil identity data do not bear the same sensitivity as, for example, the content of communications.[108] In the present case, the extensive powers of FIUs do not seem to compromise the essence of the rights at stake. It can be argued that the categories of information are vague in nature, that FIUs will have access to various information through the interconnected systems, and that, based on Article 21(4), the FIUs can request access to information even without a prior report (i.e. changing the purpose of the access from investigative to intelligence). However, arguably, these are not enough to impact the core of the fundamental rights at stake as it is limited to certain aspects of the private life of the individual.[109]

7.   Necessity and proportionality 

Assessing the necessity of a proposed measure entails a combined evaluation of the effectiveness of the measure and whether there is a less intrusive option.[110] This inquiry is complicated by the fact that the notion of ‘effectiveness’ lacks a precise definition. The AML regime has been criticised as a non-effective regime.[111] It gets some sporadic wins but does not have the envisioned results. To this end, the Commission reiterated in the impact assessment that the proposed measure will aid FIUs in completing their tasks more rapidly and efficiently.[112] However, extending FIUs’ powers does not necessarily mean the regime will be effective. 

It is unclear how the extension of access powers resolves the issues of differences between administrative and law enforcement FIUs. The Directive does not take any steps to address the issue concerning the FIU institutional setup in the EU. As a result, it may be the case that these extensive access powers will be in conflict with the administrative FIUs, rendering the measure ineffective. 

The test requires consideration as to whether there are less intrusive measures to achieve the same objective. Based on the new regime as a whole, it can be deemed that it is less intrusive to further enhance the cooperation between the FIUs rather than extend their powers. Modern money laundering is a border-crossing crime that requires a clear and efficient cooperation framework. Articles 29 – 36 of the 6th AML Directive focus on the cooperation between FIUs (both in the EU and third countries).[113] Concerning the issue of cooperation, the Directive provides some effective solutions. Article 31(2) proposes a new standard template to be used in information exchanges, and Article 24(6)-(7) provides strict deadlines for the response to requests for information.[114]

The last part of the assessment is the proportionality test, which requires a balancing exercise between the measures and the objectives to be achieved. To successfully pass the condition of proportionality stricto sensu, the measures at stake must be clear and precise and lay down minimum safeguards, which can guarantee that the personal data can be effectively protected against abuse. To assess the proportionality, it is necessary to recap which practices are permissible concerning the objectives. Obviously, the case of FIUs is more concerned with access to information rather than the retention of data (which is more directly applicable to the practices of obliged entities), although some lessons can be taught by case law. 

In accordance with the case of La Quadrature du Net and others, Mitsilegas et al. identify a hierarchy of objectives.[115] This case considers three public policy interests: a) safeguarding national security, b) the fight against serious crime – public security and c) prosecution and punishment of less serious crimes.[116] For the first objective of national security, the CJEU held that ‘the primary interest in protecting the essential functions of the State and the fundamental interests of society and encompasses the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic and social structures of a country and, in particular, of directly threatening society, the population or the State itself’.[117]

As explained by Tzanou and Vogiatzoglou, national security is distinguished by the nature and seriousness of the objective.[118]Under this first objective, the Court decided that safeguarding national security can justify measures entailing serious interferences with fundamental rights.[119] Thus, it is identified that for safeguarding national security, general monitoring practices are permissible (under specific conditions). The authorities can request the generalised retention of data only in situations where the Member State faces a serious threat to national security ‘which is shown to be genuine and present or foreseeable’.[120]

Under the second level of objectives regarding the fight against serious crime and safeguarding public security, the CJEU determined that indiscriminate and generalised data retention is disproportionate. Therefore, only targeted retention of data can be proportionate. Such retention is considered the retention of data against individuals identified beforehand based on objective evidence.[121] Concerning the third level of objective (less serious crimes), the CJEU held that the retention of data is permissible only to identify an individual.[122]

Applying this case to the AML regime is a delicate process for two reasons. First, the FIUs do not retain information straight from individuals, and second, the AML regime includes two very distinct crimes. The particularity of the AML/CFT regime is evident from the fact that the crimes of money laundering and terrorist financing fall under different levels of objectives. On the one hand, terrorist financing can be considered – to a certain extent – an issue of national security, thus justifying more serious interferences.[123] On the other hand, money laundering is a serious crime falling under the second level of the objectives (public security). 

Recital 61 of the 6th AML Directive defends the extensive access to information by highlighting that the scope of information accessible through the interconnected system for bank accounts (BARIS) is limited to the minimum necessary, allowing FIUs to identify natural or legal persons holding bank accounts, payment accounts, securities accounts, crypto-asset accounts and safe-deposit boxes.[124] This argument would hold true if FIUs had access to information only through interconnected systems. However, FIUs can also request immediate and direct access to a wide range of other financial and administrative information and direct or indirect access to law enforcement information.[125]

In terms of data protection and the principle of data minimisation, the accessible information -including interconnected systems for bank accounts, beneficial ownership and the single access point system for real estate information- arguably exceeds what is necessary for identifying an individual. The step taken in the 6th AML Directive to categorise and specify – to a certain extent – the accessible information is more than welcome. Nevertheless, this does not reflect Article 21, which covers categories of information that are general in nature, and the lists are not exhaustive.[126]

Article 21(1)(c) is considerably vague, including ‘any type’ of information which is held by competent authorities regarding prevention, detection, investigation or prosecution of criminal offences and ‘any type’ of information which is held by public authorities and private entities in the context of preventing, detecting, investigating or prosecuting criminal offences.[127] The Article refers to law enforcement information relating to criminal offences in general and is not explicitly linked with the list of predicate offences.[128] To minimise the scope of the provision, Article 21 could have made a clear reference to Article 2 of Directive 2018/1673 on combating money laundering by criminal law, where the list of predicate offences is located. This way, FIUs can access law enforcement information related to the crimes of money laundering and terrorist financing, avoiding general access to information on all criminal offences. 

As the number of obliged entities rises, the impact on the right to privacy will affect more individuals.[129] The information under Article 21 covers the entire European financial services industry (including the crypto-asset industry) and non-financial services. Consequently, access to such information broadly affects all persons in these sectors. Moreover, the retention periods under the newly adopted AML Regulation are substantially long.[130] In particular, Article 77 in the AML Regulation states that the retention period equals the length of the business relationship plus five years. In a statement regarding the proposed AML package, the EDPB argued that ‘Where there is a long-term business relationship, such as a bank has with its customers, the retention period will often extend over several decennia’.[131] Obviously, such retention periods (under Article 77) apply to obliged entities – not to FUIs –, however, long retention periods result in more accessible data available to FIUs. 

Concerning the centralised interconnected bank account registers, the Directive introduced an innovation stating that ‘Member States should set out retention periods equivalent to the period for the retention of the documentation and information obtained within the application of customer due diligence measures’.[132] This mirrors the long retention periods of the obliged entities;[133]however, the accessible data through the system includes only a number of information and not everything retained by the obliged entities.[134] Recital 59 adds that the Member States can increase this period (not exceeding an additional five years) on a general basis by law without making case-by-case decisions.[135] To this end, the increased retention periods of the centralised registers will affect the totality of individuals (within Europe) and not a specific individual.[136]

The aforementioned characteristics of the FIU’s power can be viewed as a form of surveillance. However, the FIUs will access this information through the interconnected systems or after a request, having a specific target and purpose. The purpose is to identify an individual and to investigate whether funds are linked to money laundering. The access scope is formed based on the FIUs' reports from obliged entities, which serves as an additional layer of protection for fundamental rights. However, based on Article 21(4) of 6th AML Directive, FIUs can request, obtain and use information from any obliged entity to perform their functions, even if no prior report is filed.[137]

This information is added to the information that the FIUs can access through the interconnected systems (concerning beneficial ownership and bank accounts). Therefore, a combination of financial, administrative, and law enforcement information and information collected by obliged entities is enough to map out an individual's physical movements (especially in the case of virtual assets). To this end, this excessive broadening of FIUs’ powers to collect and directly access information creates concerns with regard to the proportionality of the measures.

Moving forward, one of the main powers of the FIUs is the analysis of the accessed information. This analysis is crucial to establishing links between suspicious transactions and criminal activity to prevent money laundering.[138] The power to access information is inextricably linked with the analysis function because if the access is broad in scope, FIUs will have a significant amount of information to analyse. In line with the case of La Quadrature du Net and others, the European Court of Justice (CJEU) recognises that IP addresses and data relating to persons’ civil identities are considered less sensitive than other data types.[139] The Court based its argumentation on the fact that IP addresses (as well as civil identities) are targeted at the specific individual and do not uncover additional information about any third parties.[140] IP addresses can be used to identify the digital movement of an individual (as well as the physical location). To this end, the analysis of the accessed data interferes with the right to data protection.

However, as mentioned, the FIUs’ powers to access information and analyse data cannot be deemed as generalised and indiscriminate practices. These powers are based primarily on the suspicious transaction reports received from obliged entities. Therefore, both powers are linked to specific transactions or specific individuals. The only counter-argument is the exception under Article 21(4), where the FIU can access information even with no prior report.[141] The ability to access information without a prior report does not necessarily affect the scope of the subject matter, but it changes the purpose of the power from investigative to intelligence, which is more connected to the issue of safeguards. Therefore, the measure can be justified based on the objectives. 

The interconnection of centralised registers (bank accounts and beneficial ownership) raises additional proportionality concerns. Through these systems, FIUs will have access to a considerable amount of information. However, the EDPS seems confident in the Commission’s assurance to closely monitor the setting up of the central bank account mechanisms and the beneficial ownership registers by Member States to ensure that they are populated with high-quality data, safeguarding the principle of accuracy.[142]Nevertheless, the problem remains with the clarity of the type of information accessible by FIUs. 

Moreover, the 6th AML Directive removes safeguards from the AML regime that are capable of ensuring a degree of proportionality. This corresponds to Article 21(4), where FIUs’ power to access information is not triggered by a report of suspicious transactions.[143] To this end, the EDPS highlights that this provision shifts the role of FIUs from ‘investigation-based’ to ‘intelligence-based’.[144] Practices characterised by the intelligence-based approach can be deemed similar to data mining techniques, which exceed, to some extent, the sphere of a targeted investigation. Recital 77 reinforces the argument of the intelligence-based role of FIUs, stating that ‘The functionalities of the FIU.net should be used by FIUs to their full potential. Those functionalities should allow FIUs to match their data with data of other FIUs in a pseudonymous manner, with the aim of detecting subjects of the FIU's interests in other Member States and identifying their proceeds and funds whilst ensuring full protection of personal data’.[145] The EDPS reiterates that only the investigative-based role of FIUs is in line with the principle of proportionality and purpose limitation.[146] Recital 77 is a clear shift towards the mentality of data mining techniques as it envisages a framework in which the identification of an individual is based on the ‘potential’ interest of the FIU and not on evidence. 

8.   Conclusion 

This article has examined the implications of the revised EU AML regime for the powers of FIUs, focusing in particular on the developments introduced by the 6th AML Directive. While the Directive seeks to strengthen the effectiveness of the AML framework, it significantly expands the scope of information accessible to FIUs. Under the 6th AML Directive, FIUs will have access to a vast amount of information, providing them with the ability to access, in an immediate manner, information in other Member States. Despite the differences between the institutional setup of FIUs, the Commission included law enforcement information in the categories of accessible information. Some of these ‘innovations’ were influenced by the FATF guidelines, which can depict the pitfalls of the normative outcome of a political agenda towards money laundering.

As analysis has shown the categories of information outlined in Article 21 lack sufficient specificity to meet the precision requirement, thereby allowing FIUs broad access to information. Such power to access information should be limited to what is strictly necessary. Article 21 raises concerns since the lists of information are extensive and non-exhaustive, providing direct or indirect access to sensitive law enforcement information. Such extensive access power might be in conflict with the administrative nature of some FIUs, resulting in an inadequate system. This article analyses these developments from the perspective of the rights to respect for private life and personal data protection. Based on this assessment, the article concluded that the undefined categories of information, the shift towards an ‘intelligence-based’ role of FIUs and the lack of safeguards deem the proposed measures disproportionate as they seem to fail the last step of the proportionality test. By examining the powers of FIUs through the lens of EU fundamental rights law, this article highlights an unexplored dimension of the EU’s evolving AML framework and illustrates the broader challenge faced by the EU in reconciling increasingly extensive financial surveillance mechanisms with the protection of privacy, a challenge that is likely to become increasingly central as the EU continues to expand its financial intelligence architecture. 

-------------------
European Papers, Vol. 11, 2026, No 1, pp. 509-532
ISSN 2499-8249 - doi: 10.15166/2499-8249/881

* Lecturer in Law, University of Liverpool, a.karapatakis@liverpool.ac.uk.

[1] European Commission, ‘Anti-money Laundering and Countering the Financing of Terrorism Legislative Package’ (20 July 2021) www.finance.ec.europa.eu; The AML package consisted of four legislative proposals: a) a proposal for a regulation establishing a new EU AML Authority (AMLA); b) a proposal for a regulation on AML/CFT; c) a 6th Directive on AML/CFT; and d) a proposal for a revised regulation on transfers of funds.

[2] European Parliament, ‘New EU Rules to Combat Money-laundering Adopted’ (24 April 2024) www.europarl.europa.eu

[3] For further information see V Mitsilegas, ‘The European Union and the Globalisation of Criminal law’ (2010) 12 Cambridge Yearbook of European Legal Studies 337; United Nations, Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances of 20 December 1988; United Nations, Convention Against Transnational Organized Crime of 15 November 2000.

[4] V Mitsilegas, ‘Global Governance of Crime “The European Union and the Global Governance of Crime”’ in V Mitsilegas, P Alldridge and L Cheliotis (eds), Globalisation, Criminal Law and Criminal Justice. Theoretical, Comparative and Transnational Perspectives (Hart Publishing 2015) 153.

[5] V Mitsilegas and N Vavoula, ‘The Evolving EU Anti-Money Laundering Regime: Challenges for Fundamental Rights and the Rule of Law’ (2016) 23 Maastricht Journal of European and Comparative Law 261, 263; Financial Action Task Force, ‘History of the FATF’ www.fatf-gafi.org; For further analysis concerning FATF see W Gilmore, Dirty Money: The Evolution of International Measures to Counter Money Laundering and the Financing of Terrorism (Council of Europe Publishing 2011).

[6] Financial Action Task Force (n 5) 

[7] Ibid; V Mitsilegas, ‘Countering the Chameleon Threat of Dirty Money: “Hard” and “Soft” Law in the Emergence of a Global Regime against Money Laundering and Terrorist Finance’ in A Edwards and P Gill (eds), Transnational Organised Crime: Perspectives on Global Security (Routledge 2003) 195-211.

[8] Financial Action Task Force (n 5).

[9] Ibid; ‘Virtual assets’ is an open-ended and future-proofed term used by FATF to include all existing virtual assets but also assets which will be invented, even if they carry different technological characteristics (e.g. cryptocurrencies, in-game currencies etc...).

[10] For a comparison with formal international organisations see AE Boyle, ‘Some Reflections on the Relationship of Treaties and Soft Law’(1999) 48 International and Comparative Law Quarterly 901.

[11] V Mitsilegas and B Gilmore, ‘The EU Legislative Framework against Money Laundering and Terrorist Finance: A Critical Analysis in the Light of Evolving Global Standards’ (2007) 56 International and Comparative Law Quarterly 119.

[12] V Mitsilegas, Money Laundering Counter-Measures in the European Union: A New Paradigm of Security Governance Versus Fundamental Legal Principles (Kluwer Law International 2003) 52-57.

[13] Mitsilegas (n 12) 71-78.

[14] Proposal for a European Parliament and Council Directive amending Council Directive 91/308/EEC of 10 June 1991 on prevention of the use of the financial system for the purpose of money laundering, COM (1999) 352 final, Recital 26.

[15] Directive 2001/97/EC of the European Parliament and of the Council of 4 December 2001 amending Council Directive 91/308/EEC on prevention of the use of the financial system for the purpose of money laundering, recital 7. A predicate offence is the underlying crime that generates the proceeds to be laundered. Under the 1st AML Directive, Member States where obliged only to combat the laundering of the proceeds of drug offences. 

[16] Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use and of the financial system for the purpose of money laundering and terrorist financing, Recital 5.

[17] Directive 2005/60/EC (n 16) Art 1.

[18] Ibid, Arts 8, 11, 13. For further see, Mitsilegas and Gilmore (n 11). The application of simplified or enhanced due diligence depends on the customer’s level of risk, i.e. for lower risk customers the obliged entity may apply the simplified measures and for high risk customers the enhanced due diligence.

[19] Directive 2015/849/EU of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, Recital 4.

[20] Directive 2015/849/EU (n 19).

[21] Directive 2018/843/EU of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.

[22] The proposal for the 5th AML Directive was issued on 5 July 2016 and the implementation deadline of the 4th AML Directive was on 26 June 2017; Proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC, COM(2016) 450 final; Directive 2015/849/EU (n 19) Art 67 .

[23] Proposal for a Directive COM(2016) 450 (n 22) 15, 22. 

[24] A Karapatakis, EU Anti-Money Laundering, Digital Currencies and Privacy (Hart Publishing, forthcoming 2026).

[25] European Commission, ‘Communication: Towards better implementation of the EU’s anti-money laundering and countering the financing of terrorism framework’, COM(2019) 360 final.

[26] European Commission, ‘Communication (2020/C 164/06) on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing’, 2.

[27] Proposal for a Regulation of the European Parliament and of the Council of 20 July 2021 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) 1094/2010, (EU) 1095/2010, COM(2021) 421 final.

[28] Proposal for a Regulation of the European Parliament and of the Council of 20 July 2021 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, COM(2021) 420 final.

[29] Proposal for a Directive of the European Parliament and of the Council of 20 July 2021 on the mechanisms to be put in place by the Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and repealing Directive (EU) 2015/849, COM(2021) 423 final.

[30] Proposal for a Regulation of the European Parliament and of the Council of 20 July 2021 on information accompanying transfers of funds and certain crypto-assets (recast), COM(2021) 422 final.

[31] Proposal COM(2021) 420 (n 28) Recital 6; Proposal COM(2021) 423 (n 29) Recital 5; Proposal COM(2021) 422 (n 30) 6.

[32] Mitsilegas and Vavoula (n 5) 266.

[33] See J Cohen and CF Sabel, ‘Global Democracy?’ (2005) 37 NYU Journal of International Law and Policy 763, 764.

[34] Directive 91/308/EEC of the Council of 10 June 1991 on the prevention of the use of the financial system for the purpose of money laundering, Art 6.

[35] Directive 91/308/EEC (n 34) Art 6.

[36] V Mitsilegas, ‘New Forms of Transnational Policing: The Emergence of Financial Intelligence Units in the European Union and the Challenges for Human Rights: Part 1’ (1999) 3 Journal of Money Laundering Control 147, 148.

[37] F Mouzakiti, ‘Cooperation between Financial Intelligence Units in the European Union: Stuck in the middle between the General Data Protection Regulation and the Police Data Protection Directive’ (2020) 11 New Journal of European Criminal Law 351, 352; M Levi and M Maguire, ‘Something Old, Something New; Something Not Entirely Blue: Uneven and Shifting Modes of Crime Control’ in T Newburn and J Peay (eds), Policing: Politics, Culture and Control (Hart Publishing Oxford 2012) 195; JAE Vervaele, ‘Surveillance and Criminal Investigation: Blurring of Thresholds and Boundaries in the Criminal Justice System?’ in S Gutwirth, R Leenes and P De Hert (eds), Reloading Data Protection (Springer 2013) 115.

[38] Mitsilegas and Vavoula (n 5) 282. For further analysis regarding the different models see Mitsilegas (n 36) 148-155.

[39] Mouzakiti (n 37) 354.

[40] Mouzakiti (n 37) 353; M de Goede, ‘The Chain of Security’ (2017) 44 Review of International Studies, 24. 

[41] Council Decision of 17 October 2000 concerning arrangements for cooperation between financial intelligence units of the Member States in respect of exchanging information; Directive 91/308/EEC (n 34).

[42] Mouzakiti (n 37) 355.

[43] Ibid.

[44] Financial Action Task Force, International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation June 2003, Recommendations 13, 26, 31.

[45] Article 38 of the 3rd AML Directive clarifies that the Commission should lead assistance to facilitate coordination and cooperation between FIUs, and Recital 40 3rd AML Directive established the EU FIU-net for the exchange of information.

[46] Directive 2005/60/EC (n 16) Art 21.

[47] Ibid, Art 38.

[48] Directive 2015/849/EU (n 19) Recital 37; Recital 37 is incorporated in Article 32(3) of the 4th AML Directive.

[49] Directive 2015/849/EU (n 19) Recital 37.

[50] Ibid.

[51] Ibid Art 32(4).

[52] Ibid Art 32(5).

[53] Ibid Art 32(7).

[54] Ibid Art 32(8).

[55] Directive 2018/843/EU (n 21) Recital 17.

[56] Ibid Arts 32a and b; FA Siena, ‘The European Anti-money Laundering Framework – At a Turning Point? The Role of Financial Intelligence Units’ (2022) 13 New Journal of European Criminal Law 216, 238.

[57] The beneficial ownership information central registers were already established under Article 30 of the 4th AML Directive; Directive 2018/843/EU (n 21) Arts 32a and b.

[58] Directive 2018/843/EU (n 21) Art 32a.

[59] Ibid Art 32a.

[60] Ibid.

[61] Ibid Art 32b. 

[62] Siena (n 56), 236

[63] Article 21(1) provides two exceptions for these categories. First, for Financial information the access is immediate but not direct for information on wire transfers and second, for administrative information the access is immediate but not direct for information held by national financial supervisors and regulators in accordance with Article 45 and Article 50(2).

[64] Directive 2024/1640/EU of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849, Art 21(1)(c).

[65] Directive 2024/1640/EU (n 64) Art 21(1)(c).

[66] Proposal COM(2021) 423 (n 29) 10.

[67] Siena (n 56) 237. 

[68] Mouzakiti (n 37); T Quintel, ‘Data Protection Rules Applicable to Financial Intelligence Units: Still No Clarity in Sight’ (2022) 23 ERA Forum 53.

[69] As mentioned by Mouzakiti ‘The FIUs of Belgium, Bulgaria, Croatia, Czech Republic, France, Italy, Latvia, Malta, Poland, Romania, Slovenia and Spain are classified as administrative’; Mouzakiti (n 37). 

[70] Mitsilegs and Vavoula (n 5) 283.

[71] European Data Protection Supervisor, Opinion 12/2021 on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals, of 22 September 2021 www.edps.europa.eu 2. 

[72] Siena (n 56) 237.

[73] Directive 2024/1640/EU (n 64) Arts 10-18.

[74] Ibid Art 21(1)(a)(ii) and (b)(ii)(xi)(xii).

[75] Commission Implementing Regulation (EU) 2021/369 of 1 March 2021 establishing the technical specifications and procedures required for the system of interconnection of central registers referred to in Directive (EU) 2015/849 of the European Parliament and of the Council.

[76] Implementing Regulation (EU) 2021/369 (n 75) Annex (1).

[77] Ibid.

[78] Directive 2024/1640/EU (n 64) Art16(7).

[79] Ibid Art 16(3); Article 16(5) allows Member States to require additional information (other than the information in paragraph 3) to be included in the centralised mechanisms. However, based on paragraph 7, such information shall not be accessible and searchable through BARIS. 

[80] Ibid.

[81] Directive 2024/1640/EU (n 64) Art 18. 

[82] European Commission, ‘Final Report: Study on the harmonisation and interconnection of real estate registers’ (February 2021) www.op.europa.eu. 81.

[83] European Commission, ‘Staff Working Document. Impact Assessment Accompanying the Anti-money laundering package’, SWD(2021) 190 final.

[84] Impact Assessment SWD(2021) 190 (n 83) 91.

[85] Ibid 52.

[86] Ibid.

[87] European Data Protection Supervisor, Opinion 5/2020 on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing of 23 July 2020 www.edps.europa.eu .

[88] Directive 2024/1640/EU (n 64) Recital 57. 

[89] Ibid Art 21.

[90] Ibid Arts 11 and 16.

[91] Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, Arts 62 and 66.

[92] Directive 2024/1640/EU (n 64) Arts 16(3).

[93] Case C-113/18 Data Protection Commissioner v Facebook Ireland Ltd and Schrems, EU:C:2020:559, para 172.

[94] Charter of Fundamental Rights of the European Union [2012] Art 52(1).

[95] Ibid Art 52.

[96] N Vavoula, Immigration and Privacy in the Law of the European Union: The Case of Information Systems (Brill Nijhoff 2022) 76-77.

[97] Malone v the United Kingdom App no 8691/79 (ECtHR, 2 August 1984).

[98] Malone v the United Kingdom (n 97) para 67.

[99] Ibid, para 67.

[100] The Sunday Times v the United Kingdom (No.2) App no 13166/87 (ECtHR, 26 November 1991) para 49. 

[101] The Sunday Times v the United Kingdom (No.2) (n 100) para 49; the ECtHR clarified that it is not necessary to have absolute certainty.

[102] Directive 2024/1640/EU (n 64) Art 21.

[103] Opinion 12/2021 (n 71) 11.

[104] Case C-293/12 Digital Rights Ireland and Seitlinger and Others, EU:C:2014:238.

[105] Digital Rights Ireland (n 104) para 42.

[106] Case C-393/19 OM, EU:C:2021:8, para 53.

[107] Digital Rights Ireland (n 104) para 39; see also Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, EU:C:2016:970, para 101; Case C-362/14 Maximillian Schrems v Data Protection Commissioner, EU:C:2015:650, para 94; For analysis, see European Data Protection Supervisor, Guidelines in assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data of 19 December 2019 www.edps.europa.eu 8; M Brkan, ‘The Concept of Fundamental Rights in the EU Legal Order: Peeling the Onion to its Core’ (2018) 14 European Constitutional Law Review 332.

[108] Vavoula (n 96) 92. 

[109] Opinion 1/15 Accord PNR UE-Canada, EU:C:2017:592, para 150. 

[110] European Data Protection Supervisor, Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit of 11 April 2017, www.edps.europa.eu, 5.

[111] For further see RF Pol, ‘Anti-money Laundering: The World’s least Effective Policy Experiment? Together, We can Fix it.’ (2020) 3 Policy Design and Practice 73.

[112] Impact Assessment SWD(2021) 190 (n 83) 21.

[113] Directive 2024/1640/EU (n 64) Arts 29-36.

[114] Ibid Arts 31(2) and 31(6)-(7).

[115] V Mitsilegas, E Guild, E Kuskonmaz and N Vavoula, ‘Data Retention and the Future of Large-scale Surveillance: The Evolution and Contestation of Judicial Benchmarks’ (2022) 29 European Law Journal 176, 181-185. 

[116] L Woods, ‘When is Mass Surveillance Justified? The CJEU Clarifies the Law in Privacy International and Other Cases’ (EU Law Analysis, 7 October 2020), at eulawanalysis.blogspot.com

[117] Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others v Premier Ministre and Others, EU:C:2020:791, para 135.

[118] La Quadrature du Net and Others (n 117) para 136; M Tzanou and P Vogitzoglou, ‘National Security and New Forms of Surveillance: From the Dara Retention Saga to a Data Subject Centred Approach’ (2025) 10 European Papers 803.

[119] La Quadrature du Net and Others (n 117) para 136.

[120] Ibid para 137.

[121] Ibid para 149.

[122] Ibid paras 152-158.

[123] Ibid para 136. See also Digital Rights Ireland (n 104); Tele2 Sverige and Watson (n 107).

[124] Directive 2024/1640/EU (n 64) Recital 61.

[125] Article 21 contains a non-exhaustive list of financial, administrative and law enforcement information.

[126] Directive 2024/1640/EU (n 64) Art 21.

[127] Ibid Art 21 (1)(c); such information encompasses criminal records, information on investigation, information concerning the freezing and seizure of assets, conviction information etc.

[128] See further Directive 2018/1673/EU of the European Parliament and the Council of 23 October 2018 on combating money laundering by criminal law, Art 2.

[129] Directive 2024/1640/EU introduces as obliged entities a wide range of crypto-asset service providers as defined in Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, Art 3(1)(8). 

[130] Regulation (EU) 2024/1624 (n 91) Art 77. 

[131] European Data Protection Board, Statement on the prevention of personal data processed in relation with the prevention of money laundering and terrorist financing of 15 December 2020 www.edpb.europa.eu.

[132] Directive 2024/1640/EU (n 64) Recital 59.

[133] Regulation (EU) 2024/1624 (n 91) Art 77.

[134] Directive 2024/1640/EU (n 64) Art 16(3).

[135] Ibid Recital 59.

[136] Statement on the prevention of personal data processed (n 131).

[137] Directive 2024/1640/EU (n 64) Art 21(4).

[138] Ibid Recital 50.

[139] La Quadrature du Net and Others (n 117) paras 152-159; Case C-207/16 Ministerio Fiscal, EU:C:2018:788, para 62. 

[140] La Quadrature du Net and Others (n 117) paras 152-159.

[141] Directive 2024/1640/EU (n 64) Art 21(4).

[142] Communication (2020/C 164/06) (n 26) 4; Opinion 5/2020 (n 87) 8 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Art 5(1)(d).

[143] Directive 2024/1640/EU (n 64) Art 21(4).

[144] European Data Protection Supervisor, Opinion 1/2017 on a Commission Proposal Amending Directive (EU) 2015/849 and Directive 2009/101/EC: Access to beneficial ownership information and data protection implications of 2 February 2017 www.edps.europa.eu 12.

[145] Directive 2024/1640/EU (n 64) Recital 77. Interestingly, the Commission’s proposal (Recital 55) used the term ‘anonymous’ instead of ‘pseudonymous’, which is more beneficial for the protection of personal data.

[146] Opinion 12/2021 (n 71) 12.

 
European Papers, 16.04.2026 | Posted in
e-Journal