EBA neglects GDPR in RegTech consultation | AML, CFT

The European Banking Authority (EBA) launched a RegTech industry survey, inviting financial institutions and ICT third-party providers to share their views and experience on the use of RegTech solutions. EBA is mainly interested in the following functions of technology-enabled innovation (RegTech):

• Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT) – ongoing monitoring of the business relationship and/or transaction monitoring
• Creditworthiness assessment
• Compliance with security requirements and standards (information security, cybersecurity, payment services) and/or
• Supervisory reporting

EBA directs the survey only to financial institutions and ICT providers and does not include data protection questions, even though the General Data Protection Regulation (GDPR) should be of major concern to both types of respondents.

AML/CFT & creditworthiness data processing and GDPR
Processing AML/CFT and creditworthiness information involves large amounts of personal data and includes activities that qualify as ‘profiling’ within the meaning of the GDPR.

The general principles of the GDPR include data minimisation (article 5) and respect for the rights of data subjects (chapter III). Article 12 GDPR requires that controllers (financial institutions) take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This means that all data subjects involved in the processing of personal data in relation to AML/CFT and creditworthiness assessment must be informed in accordance with chapter III GDPR, have the right to know what personal data are processed and have the right to obtain the rectification of inaccurate personal data concerning them. According to article 22 GDPR, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is authorised by Union or Member State law to which the controller (the financial institution) is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.

According to the GDPR [1], it is the responsibility of financial institutions to select their ICT providers and providers of AML/CFT/creditworthiness data carefully and to check these providers on the integrity of their management and employees, compliance with legislation (including the GDPR), the quality of data processing and the technical quality of their systems. Checking the quality of data processing includes scrutinising that:

  • the data are collected in accordance with the GDPR (when processing AML/CFT and creditworthiness information, financial institutions use external sources of information);
  • adequate data protection impact assessments take place regularly;
  • profiling is done in accordance with the GDPR;
  • there are adequate systems in place to draw attention to bugs, mistakes, misinterpretation of data and discriminatory effects;
  • there are adequate facilities for all data subjects involved to know what information is processed about them and to check the correctness of the recorded data;
  • data subjects are adequately informed of the risk category they are placed in and have means of discussing that categorisation with the financial institution.

High-quality RegTech services may help financial institutions observe the GDPR adequately and may prevent discriminatory practices such as those that occurred in the Netherlands in the ‘SyRI’ case [2]. SyRI was the responsibility of the Dutch government, but similar practices may also occur in financial institutions.

Missed opportunity
By not including the GDPR in the questionnaire, EBA is missing the opportunity to inspect the data protection quality of RegTech solutions and to improve the observance of the GDPR.

It would be even better if EBA also included organisations representing those affected by the AML/CFT and creditworthiness processing activities of financial institutions, such as consumer and privacy organisations and organisations representing companies and NGOs.

[1] Probably also required by financial law.
[2] Judgment (in Dutch). Interview: Curtailing the surveillance state? Anticipating the SyRI case judgment, Asser Institute; Welfare surveillance system violates human rights, Dutch court rules, The Guardian.


More information:

  • EBA consultation.
  • Text of the GDPR (html).
  • The European Data Protection Supervisor (EDPS) published an opinion on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing: “Data Protection requirements must go hand in hand with the prevention of money laundering and terrorism financing”: announcement, opinion.
  • All EDPS publications on AML.

About Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: good intentions do not justify bad rules