Financial Surveillance: EU Money Laundering Rules Threaten Rights

The lines between state prosecution and private customer monitoring are increasingly blurring in the EU. What is ostensibly presented as a determined fight against money laundering and terrorist financing (AML/CFT) is, according to civil rights advocates, evolving into a comprehensive surveillance system. The Dutch organization Privacy First warns that the EU's course is eroding financial privacy and endangering fundamental rights.

The problem, therefore, lies primarily in a gradual privatization of investigative work: Over the past decade, the EU has consistently shifted the responsibility for uncovering financial crimes from state authorities to “obliged entities” such as banks, accountants, notaries, and providers of crypto wallets.

With the new “AML Package,” adopted in 2024 and fully entering into force in mid-2027, this development is being considerably intensified, according to Privacy First. Banks are already forced today to collect enormous amounts of personal and financial data from their customers to scrutinize them for suspicious patterns using AI and digital analysis tools. Anyone who doesn't fit the mold quickly falls under general suspicion.

According to data protection advocates, the practical implementation of these rules leads to systemic human rights violations, as financial institutions, fearing draconian penalties from regulatory authorities, tend to over-fulfill legal requirements. Instead of targeted management of real risks, many banks resort to “de-risking”: they preemptively close accounts or refuse services as soon as a customer falls even remotely into a statistical risk category.

General Suspicion Through Algorithms

According to Privacy First, this particularly affects individuals with connections to “high-risk countries” such as Iran or Syria, and citizens of neighboring countries. Migrants, who are often more reliant on cash, are also frequently flagged as suspicious by bank algorithms because their behavior deviates from the digital norm.

The example of the Dutch ING Bank, which has already had to apologize for discrimination through profiling, shows that this is not a theoretical danger. However, the risk groups that banks must scrutinize more closely are broadly defined: even children and partners of members of parliament are considered “politically exposed persons” by definition and thus a potential risk, regardless of their actual behavior.

Another critical point is the expansion of transparency registers for beneficial owners. In these databases, companies, foundations, and non-profit organizations must disclose the natural individuals who exercise control. Under the new EU framework, this sensitive data will be practically publicly accessible.

End of Payment Privacy

Privacy First complains that this goes far beyond what is necessary for law enforcement. The burden is particularly high for NGOs. Although their board members are often already listed in the commercial register and do not pursue any economic self-interest, they are treated like potential money launderers. This leads to “chilling effects”: the bureaucratic effort and stigmatization could deter interested parties from engaging in social or civil society projects.

In statements to the EU Commission and national governments, Privacy First calls for a reversal. The fight against financial crime must remain proportionate and must not be based on blanket categorizations or mere legal status. The extensive processing of private financial data by private actors carries enormous risks and criminalizes the innocent.

Legal scholar Carolin Kaiser already lamented in 2017 in view of an earlier amendment to the AML Directive that this entailed disproportionate data retention, extensive personality profiles were created, and thus privacy was practically eliminated. Payment transactions threatened to be “almost completely monitored.”

(nen)