1. Rising Concerns Over Human Rights Violations by the Dutch Transaction Monitoring Platform (Transactie Monitoring Nederland, TMNL)
This article follows the discussion in “New Developments in Anti-Money Laundering in Europe: Focusing on the Dilemma Between Transaction Monitoring and Personal Data Protection (Part I).” The Transaction Monitoring Netherlands (TMNL) platform, established in 2020, has been monitoring large-scale financial transactions through interbank data sharing. When anomalies are detected, TMNL notifies participating banks and continues to monitor such activities to the present. However, this data-sharing approach has faced doubts from Dutch human rights organizations. For example, the Human Rights in Finance.EU (HRIF.EU), established in August 2023, along with other organizations representing investors’ rights, submitted a petition to the Dutch Parliament on April 6, 2024, on behalf of nearly 15,000 banking customers. The petition requested parliamentary intervention to halt TMNL’s operations, cease its entrusted transaction information processing from five major banks, and destroy all related data. In the meantime, they filed a complaint with the Dutch Central Bank (De Nederlandsche Bank, DNB), arguing that, under the Money Laundering and Terrorist Financing Prevention Act (WWFT), the DNB should mandate that each bank individually conduct its anti-money laundering operations.
The Dutch Parliament did not provide a specific response to the petition. In addition, the DNB claimed that, after a formal review, HRIF.EU lacked the standing to file the petition. HRIF.EU, dissatisfied with these responses of the parliament and central bank, planned to submit a petition to the court to confirm the recognition of its qualifications by the DNB. It also claimed that according to research by the Dutch Payments Association, approximately 1.95 billion transactions occurred annually across all Dutch banks, and most involved the five major banks. The scale of transactions and data processed by TMNL amounted to approximately 5 million entries per day. Furthermore, TMNL had not disclosed, as requested by HRIF.EU, how it handled large volumes of transaction information, indicating a lack of transparency. Therefore, HRIF.EU opposed TMNL’s continued data processing activities and demanded the destruction of all collected data. HRIF.EU also asserted that TMNL infringed on the right to access automated decision-making as protected under the GDPR.
1. The purpose of HRIF.EU is to protect human rights within the financial sector, particularly in the complex realm of financial and anti-money laundering regulations. Its mission is to rectify and prevent human rights violations caused by improper regulatory provisions or practices, aiming to halt excessive infringement of human rights by financial institutions and regulatory authorities.
2. The Impact of Upcoming Anti-Money Laundering Legislation on TMNL
On May 30, 2024, the EU adopted a new Anti-Money Laundering package (EU AML package), which included the AMLR and the Sixth Anti-Money Laundering Directive and will be implemented in 2027. The AMLR, an EU regulation, is directly applicable across all member states and imposes binding obligations on governments and individuals.
The AMLR establishes a clear framework for public-private sector cooperation. However, regarding data sharing, the regulation restricts it to situations involving high-risk customers or cases where additional information is needed to determine whether they should be classified or remain classified as high-risk customers. In such cases, peer institutions are allowed to conduct data sharing. Responding to the AMLR, the Dutch government stated in May 2024 that TMNL could continue to monitor suspicious transactions under the new rules. The regulation stipulates that financial institutions may exchange data when it involves high-risk customers or when additional information is required for risk classification of customer data. In addition, in response to recent parliamentary inquiries, Dutch officials also referenced the evaluation content from the FATF’s assessment on anti-money laundering and combating the financing of terrorism, emphasizing TMNL’s establishment as a key success factor in the Netherlands’ anti-money laundering efforts.
The five major banks had initially proposed amendments to the WWFT to allow financial institutions to delegate transaction monitoring to a jointly established entity, limited to only generating alerts. However, with the enactment of the AMLR, which is scheduled to take effect in 2027, many of the originally proposed amendments are now encompassed within this regulation. It also ensures the protection of investors’ privacy rights. Given that the AMLR will have a direct domestic legal effect in the Netherlands, TMNL is currently planning new methods for future transaction monitoring and collaboration. On July 1, 2024, TMNL issued an official statement on its website, announcing plans to scale back its existing operations and redesign its focus. At the same time, it welcomed the AMLR for providing a legal foundation for cooperation among banks and integration through public-private partnerships. TMNL intended to continue close collaboration with Dutch and EU public authorities.
3. Preliminary Conclusion: Comparison Between Taiwan’s Data Sharing Regulations Among Financial Institutions and the Dutch Model
(1) Guidelines on Data Sharing Between Financial Institutions
On January 4, 2023, Taiwan’s Financial Supervisory Commission (FSC) issued the Guidelines on Data Sharing Between Financial Institutions and a Q&A document. The guidelines classify applicable entities into three categories: financial holding company groups (Category 1), financial groups not under financial holding companies (Category 2), and financial institutions not included in the above two categories (Category 3). Only entities within financial groups (Categories 1 and 2) are allowed to share data and establish databases to identify or monitor risks. For financial institutions in Category 3, data sharing is limited to facilitating customer operations or joint business efforts, and database establishment is prohibited. Regardless of the applicable category, customer consent must be obtained to ensure the protection of customer rights. Additionally, the purpose of data sharing, the scope of data, the roles and responsibilities of participating parties, accountability, and compliance with relevant regulations must be clearly stipulated.
The structure of the Dutch TMNL is an independent entity created by multiple financial institutions to share data and apply AI to detect suspicious transactions. According to Taiwan’s guidelines, this type of collaboration model falls under Category 3, the cooperation among financial institutions. In Category 3, the establishment of databases is prohibited, and data sharing is limited to facilitating KYC operations and conducting joint business activities. As a result, under current regulations, financial institutions in Taiwan cannot adopt the Dutch TMNL model for sharing customer data to collaborate on transaction monitoring and AI detection.
(2) Consultation Document on Data Governance for Cross-Market Data Sharing
Additionally, on May 16 of this year, the FSC issued practical operational guidelines for inter-institutional data sharing, releasing a consultation document to solicit feedback from financial institutions. This will serve as a reference for drafting the Guidelines on Data Governance for Cross-Market Data Sharing by the end of the year. In the consultation document, the FSC categorizes customer data into four levels based on confidentiality and re-identifiability, defining their degree of usage and applicable scope under a tiered governance approach.
Level 1 contains raw customer data that has not been processed, such as personal information involving names and birthdates.
Level 2 pertains to data that can still be easily re-identified to reveal customer information even after being processed for privacy protection. The use of Level 1 and Level 2 customer data is restricted to analysis, comparison, and risk management purposes; explicit consent from customers must be obtained for each item. Additionally, such data usage is restricted to inter-institutional use among financial institutions.
Level 3 data is processed through emerging privacy-enhancing technologies, such as homomorphic encryption, differential privacy, secure multi-party computation, synthetic data, and federated learning. This data is less likely to be re-identified to reveal customer information; with simplified customer consent obtained, it can be shared with financial and non-financial institutions for business development and marketing purposes.
Level 4 data, not pertaining to individual customers, includes statistical data from financial institutions. This type of data is subject to minimal protection and exempt from personal data protection laws. It can be shared with non-financial institutions for purposes such as AI and machine learning model training, market research, and academic studies.
By comparison, the data-sharing model of the Netherlands’ TMNL would fall under Level 2 of data sharing as defined in the guidelines issued by the FSC. Such data sharing must strictly adhere to the requirements of the Personal Data Protection Act. The data can only be shared among financial institutions after obtaining explicit customer consent for its use in anti-money laundering purposes on an item-by-item basis.
The FSC is currently soliciting public opinions on various issues related to the usage scenarios under tiered governance, the practical measures for protecting and processing personal data, and the determination of whether such data falls under the second or third level. The FSC plans to release the Guidelines on Data Governance for Cross-Market Data Sharing by the end of the year.