The views and opinions expressed in this research are those of the author, Dr. Michelle Frasher, a 2014 Fulbright-Schuman Scholar and independent researcher with expertise in AML/CTF and data privacy. SWIFT and the SWIFT Institute have not made any editorial review of this paper; therefore, the views and opinions do not necessarily reflect those of either SWIFT or the SWIFT Institute.

19 Challenges between US and EU AML/CTF Compliance and Privacy Laws


About the Research

In August 2016, the SWIFT Institute released a new research report into the challenges of information statecraft for today’s global financial community. The report titled ‘Multinational Banking and Conflicts among US-EU AML/CTF Compliance & Privacy Law: Operational & Political Views in Context,’ focuses on the duality between laws that seek to use data to protect the financial system and laws that seek to protect data privacy. It reveals 19 areas that will challenge multinational financial institutions as they integrate privacy into their anti-money laundering (AML) and counter-terrorism finance (CTF) operations over the next two years.


The infographic on the next page measures the severity of risk, from low to high, posed by 19 key compliance areas to multinational financial institutions.

The severity level of risk for each case is calculated either through conflicts between data privacy and AML/CTF legislation, or where there are noticeable gaps in either US or EU AML or privacy requirements.


  • Third Countries with 'Inadequate' AML & Data Protection programs

    High Severity

    Europe's group-wide AML and data protection requirements impact all EU and US firms in some capacity. EU and US banks may engage with high-risk markets, but EU firms must put in place EU AML and data protection policies to satisfy EU regulators; US companies must establish US-level AML programmes while complying with local regulations. The GDPR holds firms accountable for any data transferred to a third country, including onward transfers.

  • Cross-Institutional Data-Sharing: PATRIOT 314(b) & 4AMLD

    High Severity

    4AMLD specifies data-sharing in the context of CIP and CDD requirements or data-sharing within a group, but it does not include inter-institution AML data-sharing at the EU level. However, USA PATRIOT § 314(b) promotes inter-firm data-sharing of any data "possibly" relating to ML and TF, as long as it does not expose the existence of an SAR or share an SAR. Still, financial institutions are hesitant to use the programme because it has been difficult to share underlying data without exposing a possible SAR filing.

  • Enterprise (Group)-wide Sharing – SARs & Supporting Data

    High Severity

    The conflicts between US and EU views on enterprise-wide SAR and underlying data-sharing present one of the greatest obstacles to a cohesive AML compliance strategy. When foreign branches, subsidiaries and affiliates cannot access and share enterprise data they cannot see client, transactional, or behavioural links across their businesses, which can create repetitive or incomplete reports to national authorities. The report found that both US and EU laws impose legal controls that inhibit data flows.

  • Prohibition of AML Data for Commercial Use

    High Severity

    The EU prohibits the use of AML data for commercial purposes, which presents one of the highest risks to financial institutions since banks usually use such data to improve their services. There is no legal requirement for US financial institutions to separate AML/CTF from commercial data use. US firms operating in the EU or dealing with European clients must monitor employee data access and use.

  • Criminal Reporting & Sensitive Data

    High Severity

    Financial institutions must take note of and monitor the activities of their clientele for criminal offences as identified by national laws for SARs and other reports. 4AMLD narrowly defines predicate offences and the GDPR has special restrictions on the collection and dissemination of criminal data. In contrast, the US has a broader list of criminal activities that may cause MFIs to violate EU proportionality principles and promote function creep. EU MFIs must share information about suspicious activities within the group, and data may reach the US through affiliates and subsidiaries of EU firms. The transfer of this data may violate Member State rules.

  • Outsourcing Relationships

    High Severity

    US and EU financial institutions are accountable for the actions of vendor services, whether or not these services are directly regulated under AML law. 4AMLD allows Member States to authorize outsourcing relationships and makes vendors accountable to data protection law. Vendors that provide open-source KYC data to help financial institutions conduct CDD and EDD measures will face US data privacy challenges, since the EU defines PII as any data that identifies an individual or their behaviours. This contrasts with US law that utilizes various definitions of PII depending on the data type and use.

  • Third Party Reliance for CIP & CDD

    High Severity

    The US and EU authorize financial institutions to use data from other institutions if they are part of the same group and subject to the same AML rules. Lack of privacy provisions in US AML law means EU client data may be forwarded to third parties without European-level protections.

  • Beneficial Ownership & Registries

    High Severity

    Both 4AMLD and US regulation have set a 25% minimum interest to determine a company’s ownership. Listing those with < 25% interest is determined by a financial institution’s risk assessment, which leaves financial institutions open to subjective regulatory measures. Identity validation and status within BO is riskier for US banks who are not obligated to follow up, unless they determine that the client is a risk. Both the US and EU have opted for central registries, but will differently determine public data access.

  • Data Transfers to Third Country Authorities

    Medium Severity

    The Umbrella Agreement covers data transfers between EU-US authorities, but there are broad allowances for transfers and further processing to national security groups. European companies with branches in the US must comply with legal data requests from US authorities, but may not be shielded from EU scrutiny for doing so. Similarly, EU citizens just recently gained redress rights for data held by US authorities, but American citizens have always enjoyed these rights in the EU.

  • FIU & LEA Data Requests

    Medium Severity

    The discrepancies among US and EU laws complicate data collection for authorities, and challenge MFIs who must be aware of what can and cannot be shared depending on the jurisdiction. Again, EU companies are vulnerable to data protection scrutiny when they are in the US as PATRIOT § 314(a) enables authorities to request lead information on individuals suspected of ML or TF.

  • Data Protection

    Medium Severity

    While there are few legal differences between EU and US RBA strategies, conflicts rise substantially when the EU’s rules-based data protection regime is placed within AML/CTF risk-based operations. EU privacy law is meant to be applied with limited exceptions, which can clash with RBA methods that involve collecting and analysing volumes of personal data to determine risk. The US does not require data protection controls (beyond information security) in AML/CTF compliance, which produced legal and operational conflicts at nearly every point of the study.

  • Risk-Based Approach (RBA)

    Medium Severity

    The US and EU have adopted an RBA within the BSA, the USA PATRIOT Act, and 4AMLD, rather than a rules-based approach, because they believe that financial institutions are best positioned to spot behaviours that contribute to the illicit economy and terrorist activities. RBA aims to help MFIs create more consistent enterprise-wide programmes that reflect operations across lines of business, clients, and geographical locations.

  • Politically Exposed Persons (PEP) & Enhanced Due Diligence (EDD)

    Medium Severity

    FATF standards and national laws require financial institutions to conduct EDD on clients serving in prominent domestic and foreign public roles. PEP definitions change according to the jurisdiction, but typically include PEPs, their immediate families, and close personal and business associates. Probing the personal relationships of PEPs and their families can breach sensitive data categories protected by the GDPR.

  • Customer Identification Program (CIP) & Customer Due Diligence (CDD)

    Low Severity

    The US and EU provide a minimum amount of information that must be collected from a customer, but neither provides financial institutions with standards for how to confirm an individual’s identity. In the EU, these requirements are left up to Member State law, which can leave verification to the financial institution’s discretion. US and EU FIs must notify customers of their AML/CTF data collection obligations. 4AMLD and the GDPR give customers the right to check the accuracy of their account data, contest it, and make corrections to data utilized for commercial relationships, but it is unclear where legislators and regulators would restrict access to data used for AML/CTF since it could fall under exemptions for national security.

  • Financial Institution Data Retention

    Low Severity

    The EU requires that financial institutions hold data for five years with a possible extension of another five years, but limits retention to a total of ten years with specific safeguards to ensure data security. In the US, financial institution data retention is typically five years but can be extended to six years or longer if requested by the Secretary of the Treasury. These requirements place huge demands on an MFI's technological and staffing resources.

  • FIU to FIU SAR Sharing

    Low Severity

    Just as MFIs are expected to cooperate with LEAs and FIUs, the AML/CTF regime demands that criminal justice and national security communities seek cooperative relationships. The US and EU have established Memorandums of Understanding (MOUs) that outline the nature of FIU to FIU contacts, but they have only recently added data-sharing to the Umbrella Agreement.

  • Multinational Financial Institutions Cooperation with Financial Intelligence Units (FIUs) & Law Enforcement Authorities (LEAs)

    Low Severity

    In Europe, 4AMLD obligates MFIs to respond to LEA and FIU information requests in accordance with national laws. EU law prohibits authorities from directly requesting data from MFIs outside their jurisdictions. Authorities should use official channels when they need information held by a financial institution in another state. However, EU data stored or accessible in the US is subject to acquisition by US authorities via subpoenas. Both US and EU MFIs face legal uncertainties involving national intelligence agencies, as data protection laws do not apply to those agencies or have limited authority over them.

  • Illicit Economy Threat

    Low Severity

    The US and EU recognize that the illicit economy and transnational political violence are a threat to their economic well-being and national security and believe that the FATF Recommendations are central to curbing these dangers within their borders and across the globe.

  • FATF Recommendations

    Low Severity

    The US and EU have committed themselves to the FATF Recommendations and the application of these guidelines within national laws promotes a high level of congruence across the transatlantic AML/CTF space.

Full version of the report, last updated September 21, 2016.