The CJEU's ruling in Safe Interenvios addresses issues of money laundering, customer due diligence, and data protection.

Marcin Kotula, Legal Officer at the European Commission

The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission.

Background

This analysis examines a recent Court of Justice of the European Union (CJEU) judgment concerning a case, Safe Interenvios, which originated from a preliminary reference submitted by a Provincial Court in Barcelona. The Barcelona court requested the CJEU to clarify the interpretation of the third Anti-Money Laundering Directive (AML Directive) in relation to a dispute involving a financial institution, Safe Interenvios, and several banks.

Safe Interenvios, categorized as both a “financial institution” under the AML Directive and a “payment institution” under the Payment Services Directive (PSD), facilitated international fund transfers for its clients using accounts held with three banks: BBVA, Sabadell, and Liberbank. These transfers were conducted by authorized Safe agents, overseen by the Bank of Spain. Suspicions arose regarding the legitimacy of certain Safe agents, prompting the banks, under Spanish Law 10/2010 (transposing the AML Directive), to request information from Safe. When Safe failed to provide the requested details, the banks closed its accounts. Notably, BBVA informed SEPBLAC (Spain’s financial intelligence unit) about potential money laundering activities by Safe.

Safe challenged the account closures in a Barcelona Commercial Court, alleging that the banks, also involved in international fund transfers, were engaging in unfair competition. Safe argued that providing the requested information, encompassing customer details and fund origins and destinations, would violate data protection laws.

The Commercial Court largely rejected Safe’s claims, finding no specific competition law breach by the banks. BBVA’s closure was justified due to a significant proportion of transactions conducted by unauthorized agents. However, the court partially ruled in Safe’s favor regarding Sabadell and Liberbank, citing their failure to adequately justify the closures.

Subsequent appeals by Safe, Sabadell, and Liberbank led the Provincial Court to request the CJEU’s interpretation of the AML Directive on several key questions. These included whether customer due diligence measures, designed to mitigate money laundering and terrorist financing risks, apply to financial institutions like Safe, already under PSD and AML Directive supervision. Additionally, the court sought clarification on the types of due diligence measures applicable (standard, simplified, or enhanced) and the triggering circumstances. Finally, the compatibility of the requested measures and information with EU competition and data protection laws was questioned, considering Safe’s claims of competitive activities and potential data protection breaches.

The AML Directive provides a legal framework for preventing and combatting money laundering and terrorist financing, largely inspired by Financial Action Task Force (FATF) recommendations. It defines covered institutions and professions, including credit institutions (e.g., banks) and financial institutions like Safe. The Directive outlines three customer due diligence levels: simplified, standard, and enhanced.

Standard due diligence, as detailed in Articles 7 and 8, outlines applicable circumstances and potential measures, emphasizing a risk-sensitive approach based on customer type, business relationship, product, and transaction nature.

Article 9 mandates specific checks before establishing business relationships or conducting transactions and outlines circumstances necessitating relationship termination or transaction refusal.

Simplified customer due diligence, outlined in Article 11, applies to lower-risk scenarios, including those involving credit or financial institutions already subject to the AML Directive. Conversely, Article 13 addresses enhanced due diligence required in higher-risk situations, providing a non-exhaustive list of such scenarios.

Article 37 mandates compliance supervision by competent authorities, while the PSD covers both credit and payment institutions. Payment institutions require authorization from Member State-designated authorities, which also oversee compliance.

The CJEU’s analysis

The CJEU first addressed whether standard or enhanced customer due diligence applies to financial institutions like Safe, despite Article 11’s provision for simplified measures.

The Court clarified that Article 11 does not supersede Article 7(c), which requires standard due diligence where money laundering or terrorist financing is suspected. National provisions that allow standard due diligence to be applied to financial institutions under such suspicion are therefore permissible.

Similarly, Article 11 does not override Article 13, which mandates enhanced due diligence for higher-risk situations. Member States have discretion to apply a risk-based approach and to identify inherently higher-risk situations, other than those explicitly listed in Article 13, that trigger enhanced due diligence. In this case, Spanish Law 10/2010 (Article 11) designates international fund transfers as a higher-risk activity requiring enhanced due diligence.

Turning to Article 9 of Spanish Law 10/2010, which allows simplified due diligence for financial institutions unless excluded by the Minister of Economic Affairs and Finance, the CJEU emphasized that the AML Directive provides only a minimum level of harmonization (Article 5). Member States may therefore adopt or maintain stricter provisions, as supported by the CJEU’s judgment in Jyske Bank Gibraltar. Such stricter provisions, aimed at strengthening anti-money laundering efforts, may cover additional situations deemed risky by Member States, even without specific AML Directive requirements.

Next, the CJEU examined the extent of customer due diligence powers granted to credit institutions and their relationship with supervisory authorities’ powers under Article 37 of the AML Directive and Article 21 of the PSD.

The Court highlighted that institutions subject to the AML Directive cannot establish business relationships, conduct transactions, or maintain existing relationships if they cannot obtain information specified in Article 8. This includes verifying customer and beneficial owner identities (risk-based approach), as well as understanding the business relationship’s purpose and nature. Inability to obtain such information may stem from customer non-cooperation (as in this case) or other factors.

Importantly, the CJEU emphasized limitations on actions like business relationship termination or transaction refusal. Measures must be proportionate to the money laundering or terrorist financing risk, requiring sufficient information supporting the risk assessment.

The CJEU then distinguished between customer due diligence powers and supervisory authorities’ powers, deeming them separate and complementary. Credit institutions may consider due diligence measures applied by their customers to their own clients, but their own measures must remain proportionate to the risk. Credit institutions cannot undermine or substitute the supervisory functions of competent authorities under the PSD.

Addressing the conditions for national legislation authorizing or requiring standard or enhanced due diligence for financial institutions, the CJEU reiterated its earlier findings on applying such measures under Article 13 (enhanced due diligence) and Article 5 (stricter provisions) of the AML Directive.

The Court emphasized the need for comprehensive risk assessments by both national legislators (prescribing measures) and credit institutions (applying authorized measures) before implementing standard or enhanced due diligence. Measures must be proportionate to the identified risk and may vary based on customer type, relationship, product, or transaction. This risk-based approach, aligned with the CJEU’s case law and the AML Directive’s objectives, balances flexibility with robust risk mitigation.

Further safeguarding against excessive measures, the CJEU emphasized that proportionality relies not only on risk assessment but also on compliance with fundamental rights, freedoms, and general legal principles. This includes the principle of free competition and the right to personal data protection (Article 8 of the Charter).

However, the CJEU refrained from providing specific guidance on the permissible scope of personal data requests for due diligence purposes, as the final set of preliminary questions involved disputed facts and was ultimately deemed inadmissible.

While the AML Directive lacks specific provisions addressing the interplay between its measures and personal data protection, Recital 33 acknowledges the applicability of national data protection laws and the Data Protection Directive’s rules on international data transfers when transmitting information to Financial Intelligence Units (FIUs).

In contrast, the fourth Anti-Money Laundering Directive (2015/849) provides clearer guidance. It recognizes processing personal data for preventing money laundering and terrorist financing as a matter of public interest (Article 43), aligning with Article 7(e) of the Data Protection Directive. This new Directive also addresses pre-contractual information requirements and provides more specific instructions on information sharing with FIUs and customer notification, aiming for a balance between customer access to personal data and effective anti-money laundering procedures (Article 41(4)).

This newer Directive also offers greater clarity on customer due diligence types, removing the simplified due diligence exemption for financial institutions. Its three annexes provide non-exhaustive lists of risk variables, lower-risk factors (triggering simplified due diligence), and higher-risk factors (triggering enhanced due diligence). These factors encompass customer types, geographic regions, specific products, services, transactions, and delivery channels. Additionally, Articles 17 and 18 mandate the European Supervisory Authorities (ESAs) to issue guidelines on risk factors and measures for simplified and enhanced due diligence scenarios by June 26, 2017.


[1] Ley 10/2010 de prevención del blanqueo de capitales y de la financiación del terrorismo.

[2] The Executive Service of the Commission for the Prevention of Money Laundering and Financial Crime of the Bank of Spain - Servicio Ejecutivo de la Comisión de Prevención de Blanqueo de Capitales e Infracciones Monetarias del Banco de España.

Licensed under CC BY-NC-SA 4.0