Legal provisions of COM(2018)213 - Rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences - Main contents

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2018)213 - Rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of ...
document	COM(2018)213
date	June 20, 2019

CHAPTER I - GENERAL PROVISIONS
Article 1 - Subject matter
Article 2 - Definitions
Article 3 - Designation of competent authorities
CHAPTER II - ACCESS BY COMPETENT AUTHORITIES TO BANK ACCOUNT INFORMATION
Article 4 - Access to and searches of bank account information by competent authorities
Article 5 - Conditions for access and for searches by competent authorities
Article 6 - Monitoring access and searches by competent authorities
CHAPTER III - EXCHANGE OF INFORMATION BETWEEN COMPETENT AUTHORITIES AND FIUS, AND BETWEEN FIUS
Article 7 - Requests for information by competent authorities to an FIU
Article 8 - Requests of information by an FIU to competent authorities
Article 9 - Exchange of information between FIUs of different Member States
Article 10 - Exchange of information between competent authorities of different Member States
CHAPTER IV - EXCHANGE OF INFORMATION WITH EUROPOL
Article 11 - Provision of bank account information to Europol
Article 12 - Exchange of information between Europol and FIUs
Article 13 - Detailed arrangements for the exchange of information
Article 14 - Data protection requirements
CHAPTER V - ADDITIONAL PROVISIONS RELATED TO THE PROCESSING OF PERSONAL DATA
Article 15 - Scope
Article 16 - Processing of sensitive personal data
Article 17 - Records of information requests
Article 18 - Restrictions to data subjects’ rights
CHAPTER VI - FINAL PROVISIONS
Article 19 - Monitoring
Article 20 - Relationship to other instruments
Article 21 - Evaluation
Article 22 - Committee procedure
Article 23 - Transposition
Article 24 - Repeal of Decision 2000/642/JHA
Article 25 - Entry into force
Article 26 - Addressees

CHAPTER I - GENERAL PROVISIONS

Article 1 - Subject matter

1. This Directive lays down measures to facilitate access to and the use of financial information and bank account information by competent authorities for the prevention, detection, investigation or prosecution of serious criminal offences. It also lays down measures to facilitate access to law enforcement information by Financial Intelligence Units (‘FIUs’) for the prevention and combating of money laundering, associate predicate offences and terrorist financing and measures to facilitate cooperation between FIUs.

2. This Directive is without prejudice to:

(a)	Directive (EU) 2015/849 and the related provisions of national law, including the organisational status conferred on FIUs under national law as well as their operational independence and autonomy;

(b)	channels for the exchange of information between competent authorities or the powers of competent authorities under Union or national law to obtain information from obliged entities;

(c)	Regulation (EU) 2016/794;

(d)	the obligations resulting from Union instruments on mutual legal assistance or on mutual recognition of decisions regarding criminal matters and from Framework Decision 2006/960/JHA.

Article 2 - Definitions

For the purposes of this Directive, the following definitions apply:

(1)	‘centralised bank account registries’ means the centralised automated mechanisms, such as central registries or central electronic data retrieval systems, put in place in accordance with Article 32a(1) of Directive (EU) 2015/849;

(2)	‘Asset Recovery Offices’ means the national offices set up or designated by each Member State pursuant to Decision 2007/845/JHA;

(3)	‘Financial Intelligence Unit (“FIU”)’ means an FIU as established pursuant to Article 32 of Directive (EU) 2015/849;

(4)	‘obliged entities’ means the entities set out in Article 2(1) of Directive (EU) 2015/849;

(5)	‘financial information’ means any type of information or data, such as data on financial assets, movements of funds or financial business relationships, which is already held by FIUs to prevent, detect and effectively combat money laundering and terrorist financing;

(6)

‘law enforcement information’ means:

(i)	any type of information or data which is already held by competent authorities in the context of preventing, detecting, investigating or prosecuting criminal offences;

(ii)	any type of information or data which is held by public authorities or by private entities in the context of preventing, detecting, investigating or prosecuting criminal offences and which is available to competent authorities without the taking of coercive measures under national law;

such information can be, inter alia, criminal records, information on investigations, information on the freezing or seizure of assets or on other investigative or provisional measures and information on convictions and on confiscations;

(7)

‘bank account information’ means the following information on bank and payment accounts and safe-deposit boxes contained in the centralised bank account registries:

(i)

as regards the customer-account holder and any person purporting to act on behalf of the customer: the name, complemented by either the other identification data required under the national provisions transposing point (a) of Article 13(1) of Directive (EU) 2015/849 or a unique identification number;

(ii)	as regards the beneficial owner of the customer-account holder: the name, complemented by either the other identification data required under the national provisions transposing point (b) of Article 13(1) of Directive (EU) 2015/849 or a unique identification number;

(iii)

as regards the bank or payment account: the IBAN number and the date of account opening and closing;

(iv)	as regards the safe-deposit box: the name of the lessee, complemented by the other identification data required under the national provisions transposing Article 13(1) of Directive (EU) 2015/849 or a unique identification number, and the duration of the lease period;

(8)	‘money laundering’ means the conduct defined in Article 3 of Directive (EU) 2018/1673 of the European Parliament and of the Council (14);

(9)	‘associated predicate offences’ means the offences referred to in point (1) of Article 2 of Directive (EU) 2018/1673;

(10)	‘terrorist financing’ means the conduct defined in Article 11 of Directive (EU) 2017/541 of the European Parliament and of the Council (15);

(11)	‘financial analysis’ means the results of operational and strategic analysis that has already been carried out by the FIUs in the performance of their tasks, pursuant to Directive (EU) 2015/849;

(12)	‘serious criminal offences’ means the forms of crime listed in Annex I to Regulation (EU) 2016/794.

Article 3 - Designation of competent authorities

1. Each Member State shall designate, among its authorities competent for the prevention, detection, investigation or prosecution of criminal offences, the competent authorities empowered to access and search its national centralised bank account registry. Those competent authorities shall include at least the Asset Recovery Offices.

2. Each Member State shall designate, among its authorities competent for the prevention, detection, investigation or prosecution of criminal offences, the competent authorities that can request and receive financial information or financial analysis from the FIU.

3. Each Member State shall notify the Commission of its competent authorities designated pursuant to paragraphs 1 and 2 by 2 December 2021, and shall notify the Commission of any amendment thereto. The Commission shall publish the notifications in the Official Journal of the European Union.

CHAPTER II - ACCESS BY COMPETENT AUTHORITIES TO BANK ACCOUNT INFORMATION

Article 4 - Access to and searches of bank account information by competent authorities

1. Member States shall ensure that the competent national authorities designated pursuant to Article 3(1) have the power to access and search, directly and immediately, bank account information when necessary for the performance of their tasks for the purposes of preventing, detecting, investigating or prosecuting a serious criminal offence or supporting a criminal investigation concerning a serious criminal offence, including the identification, tracing and freezing of the assets related to such investigation. Access and searches shall be considered to be direct and immediate, inter alia, where the national authorities operating the central bank account registries transmit the bank account information expeditiously by an automated mechanism to competent authorities, provided that no intermediary institution is able to interfere with the requested data or the information to be provided.

2. The additional information that Member States consider essential and include in the centralised bank account registries pursuant to Article 32a(4) of Directive (EU) 2015/849 shall not be accessible and searchable by competent authorities pursuant to this Directive.

Article 5 - Conditions for access and for searches by competent authorities

1. Access to and searches of bank account information in accordance with Article 4 shall be performed only on a case-by-case basis by the staff of each competent authority that have been specifically designated and authorised to perform those tasks.

2. Member States shall ensure that staff of the designated competent authorities maintain high professional standards of confidentiality and data protection, that they are of high integrity and are appropriately skilled.

3. Member States shall ensure that technical and organisational measures are in place to ensure the security of the data to high technological standards for the purposes of the exercise by competent authorities of the power to access and search bank account information in accordance with Article 4.

Article 6 - Monitoring access and searches by competent authorities

1. Member States shall provide that the authorities operating the centralised bank account registries ensure that logs are kept each time designated competent authorities access and search bank account information. The logs shall include, in particular, the following:

(a)	the national file reference;

(b)	the date and time of the query or search;

(c)	the type of data used to launch the query or search;

(d)	the unique identifier of the results;

(e)	the name of the designated competent authority consulting the registry;

(f)	the unique user identifier of the official who made the query or performed the search and, where applicable, of the official who ordered the query or search and, as far as possible, the unique user identifier of the recipient of the results of the query or search.

2. The data protection officers for the centralised bank account registries shall check the logs regularly. The logs shall be made available, on request, to the competent supervisory authority established in accordance with Article 41 of Directive (EU) 2016/680.

3. The logs shall be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security. They shall be protected by appropriate measures against unauthorised access and shall be erased five years after their creation, unless they are required for monitoring procedures that are ongoing.

4. Member States shall ensure that authorities operating centralised bank account registries take appropriate measures so that staff are aware of applicable Union and national law, including the applicable data protection rules. Such measures shall include specialised training programmes.

CHAPTER III - EXCHANGE OF INFORMATION BETWEEN COMPETENT AUTHORITIES AND FIUS, AND BETWEEN FIUS

Article 7 - Requests for information by competent authorities to an FIU

1. Subject to national procedural safeguards, each Member State shall ensure that its national FIU is required to cooperate with its designated competent authorities referred to in Article 3(2) and to be able to reply, in a timely manner, to reasoned requests for financial information or financial analysis by those designated competent authorities in their respective Member State, where that financial information or financial analysis is necessary on a case-by-case basis and where the request is motivated by concerns relating to the prevention, detection, investigation or prosecution of serious criminal offences.

2. Where there are objective grounds for assuming that the provision of such information would have a negative impact on ongoing investigations or analyses, or, in exceptional circumstances, where disclosure of the information would be clearly disproportionate to the legitimate interests of a natural or legal person or irrelevant with regard to the purposes for which it has been requested, the FIU shall be under no obligation to comply with the request for information.

3. Any use for purposes beyond those originally approved shall be made subject to the prior consent of that FIU. FIUs shall appropriately explain any refusal to reply to a request made under paragraph 1.

4. The decision on conducting the dissemination of information shall remain with the FIU.

5. The designated competent authorities may process the financial information and financial analysis received from the FIU for the specific purposes of preventing, detecting, investigating or prosecuting serious criminal offences other than the purposes for which personal data are collected in accordance with Article 4(2) of Directive (EU) 2016/680.

Article 8 - Requests of information by an FIU to competent authorities

Subject to national procedural safeguards and in addition to the access to information by FIUs as provided for in Article 32(4) of Directive (EU) 2015/849, each Member State shall ensure that its designated competent authorities are required to reply in a timely manner to requests for law enforcement information made by the national FIU on a case-by-case basis, where the information is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

Article 9 - Exchange of information between FIUs of different Member States

1. Member States shall ensure that in exceptional and urgent cases, their FIUs are entitled to exchange financial information or financial analysis that may be relevant for the processing or analysis of information related to terrorism or organised crime associated with terrorism.

2. Member States shall ensure that in the cases referred to in paragraph 1 and subject to their operational limitations, FIUs endeavour to exchange such information promptly.

Article 10 - Exchange of information between competent authorities of different Member States

1. Subject to national procedural safeguards, each Member State shall ensure that its competent authorities designated pursuant to Article 3(2) are able to exchange financial information or financial analysis obtained from the FIU of their Member State, upon request and on a case-by-case basis, with a designated competent authority in another Member State, where that financial information or financial analysis is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

Each Member State shall ensure that its designated competent authorities use the financial information or financial analysis exchanged pursuant to this Article only for the purpose for which it was sought or provided.

Each Member State shall ensure that any dissemination of financial information or financial analysis obtained by its designated competent authorities from the FIU of that Member State to any other authority, agency or department or any use of that information for purposes other than those originally approved is made subject to the prior consent of the FIU providing the information.

2. Member States shall ensure that a request made pursuant to this Article and its response are transmitted using dedicated secure electronic communications ensuring a high level of data security.

CHAPTER IV - EXCHANGE OF INFORMATION WITH EUROPOL

Article 11 - Provision of bank account information to Europol

Each Member State shall ensure that its competent authorities are entitled to reply, through the Europol national unit or, if allowed by that Member State, by direct contacts with Europol, to duly justified requests related to bank account information made by Europol on a case-by-case basis within the limits of its responsibilities and for the performance of its tasks. Article 7(6) and (7) of Regulation (EU) 2016/794 apply.

Article 12 - Exchange of information between Europol and FIUs

1. Each Member State shall ensure that its FIU is entitled to reply to duly justified requests made by Europol through the Europol national unit or, if allowed by that Member State, by direct contacts between the FIU and Europol. Such requests shall be related to financial information and financial analysis and made on a case-by-case basis within the limits of the responsibilities of Europol and for the performance of its tasks.

2. Article 32(5) of Directive (EU) 2015/849 and Article 7(6) and (7) of Regulation (EU) 2016/794 apply to the exchanges made pursuant to this Article.

3. Member States shall ensure that any failure to comply with a request is appropriately explained.

Article 13 - Detailed arrangements for the exchange of information

1. Member States shall ensure that the exchanges of information pursuant to Articles 11 and 12 of this Directive take place in accordance with Regulation (EU) 2016/794 electronically through:

(a)	SIENA or its successor, in the language applicable to SIENA; or

(b)	where applicable, FIU.Net or its successor.

2. Member States shall ensure that the exchange of information under Article 12 is carried out in a timely manner and that in that regard the requests for information made by Europol are treated as if they originate from another FIU.

Article 14 - Data protection requirements

1. The processing of personal data related to bank account information, financial information and financial analysis referred to in Articles 11 and 12 of this Directive shall be performed in accordance with Article 18 of Regulation (EU) 2016/794 and only by the staff of Europol who have been specifically designated and authorised to perform those tasks.

2. Europol shall inform the data protection officer appointed in accordance with Article 41 of Regulation (EU) 2016/794 of each exchange of information pursuant to Articles 11, 12 and 13 of this Directive.

CHAPTER V - ADDITIONAL PROVISIONS RELATED TO THE PROCESSING OF PERSONAL DATA

Article 15 - Scope

This Chapter applies only to designated competent authorities and FIUs in respect of the exchange of information pursuant to Chapter III and in respect of the exchange of financial information and financial analysis involving the Europol national units pursuant to Chapter IV.

Article 16 - Processing of sensitive personal data

1. The processing of personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or of data concerning a natural person’s health, sex life or sexual orientation shall only be allowed subject to appropriate safeguards for the rights and freedoms of the data subject, in accordance with the applicable data protection rules.

2. Only staff who have been specifically trained and who have been specifically authorised by the controller may access and process the data referred to in paragraph 1 under the guidance of the data protection officer.

Article 17 - Records of information requests

Member States shall ensure that records are kept relating to requests for information pursuant to this Directive. Those records shall contain at least the following information:

(a)	the name and contact details of the organisation and of the staff member requesting the information and, as far as possible, of the recipient of the results of the query or search;

(b)	the reference to the national case in relation to which the information is requested;

(c)	the subject matter of the requests; and

(d)	any executing measures of such requests.

The records shall be kept for a period of five years after their creation and shall be used solely for the purpose of checking the lawfulness of the processing of personal data. The authorities concerned shall make all records available to the national supervisory authority upon its request.

Article 18 - Restrictions to data subjects’ rights

Member States may adopt legislative measures restricting, in whole or in part, data subjects’ right of access to personal data relating to them processed under this Directive, in accordance with Article 23(1) of Regulation (EU) 2016/679 or with Article 15(1) of Directive (EU) 2016/680, as applicable.

CHAPTER VI - FINAL PROVISIONS

Article 19 - Monitoring

1. Member States shall review the effectiveness of their systems to combat serious criminal offences by maintaining comprehensive statistics.

2. By 1 February 2020, the Commission shall establish a detailed programme for monitoring the outputs, results and impact of this Directive.

That programme shall set out the means by which, and the intervals at which, the data and other necessary evidence will be collected. It shall specify the action to be taken by the Commission and by the Member States in collecting and analysing the data and other evidence.

Member States shall provide the Commission with the data and other evidence necessary for the monitoring.

3. In any event, the statistics referred to in paragraph 1 shall include the following information:

(a)	the number of searches carried out by designated competent authorities in accordance with Article 4;

(b)	data measuring the volume of requests issued by each authority under this Directive, the follow-up given to those requests, the number of cases investigated, the number of persons prosecuted and the number of persons convicted for serious criminal offences, where such information is available;

(c)	data measuring the time it takes an authority to respond to a request after the receipt of the request;

(d)	if available, data measuring the cost of human or IT resources that are dedicated to domestic and cross-border requests falling under this Directive.

4. Member States shall organise the production and gathering of the statistics and shall transmit the statistics referred to in paragraph 3 to the Commission on an annual basis.

Article 20 - Relationship to other instruments

1. This Directive shall not preclude Member States from maintaining or concluding bilateral or multilateral agreements or arrangements between themselves on the exchange of information between competent authorities, insofar as such agreements or arrangements are compatible with Union law, in particular with this Directive.

2. This Directive is without prejudice to any obligations and commitments of Member States or of the Union under existing bilateral or multilateral agreements with third countries.

3. Without prejudice to the division of competences between the Union and the Member States, in accordance with Union law, Member States shall notify the Commission of their intention to enter into negotiations on, and to conclude, agreements between Member States and third countries that are contracting parties of the European Economic Area on matters falling within the scope of Chapter II of this Directive.

If, within two months of receipt of notification of a Member State’s intention to enter into the negotiations referred to in the first subparagraph, the Commission concludes that the negotiations are likely to undermine relevant Union policies or to lead to an agreement which is incompatible with Union law, it shall inform the Member State accordingly.

Member States shall keep the Commission regularly informed of any such negotiations and, where appropriate, invite the Commission to participate as an observer.

Member States shall be authorised to apply provisionally or to conclude agreements referred to in the first subparagraph, provided that they are compatible with Union law and do not harm the object and purpose of the relevant policies of the Union. The Commission shall adopt such authorisation decisions by implementing acts. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 22.

Article 21 - Evaluation

1. By 2 August 2024, and every three years thereafter, the Commission shall draw up a report on the implementation of this Directive and submit it to the European Parliament and to the Council. The report shall be made public.

2. In accordance with Article 65(2) of Directive (EU) 2015/849, the Commission shall assess the obstacles to and opportunities for enhancing cooperation between FIUs in the Union, including the possibility and appropriateness of establishing a coordination and support mechanism.

3. By 2 August 2024, the Commission shall issue a report to the European Parliament and to the Council to assess the need for, and proportionality of, extending the definition of financial information to any type of information or data which are held by public authorities or by obliged entities and which are available to FIUs without the taking of coercive measures under national law, and shall present a legislative proposal, if appropriate.

4. By 2 August 2024, the Commission shall carry out an assessment of the opportunities and challenges regarding an extension of the exchange of financial information or financial analysis between FIUs within the Union to cover exchanges relating to serious criminal offences other than terrorism or organised crime associated with terrorism.

5. No sooner than 2 August 2027, the Commission shall carry out an evaluation of this Directive and present a report on the main findings to the European Parliament and the Council. The report shall also include an evaluation of how fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union have been respected.

6. For the purposes of paragraphs 1 to 4 of this Article, Member States shall provide the Commission with necessary information. The Commission shall take into account the statistics submitted by Member States under Article 19 and may request additional information from Member States and supervisory authorities.

Article 22 - Committee procedure

1. The Commission shall be assisted by a committee. This committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.

Article 23 - Transposition

Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 1 August 2021. They shall immediately inform the Commission thereof.

When Member States adopt those provisions, they shall contain a reference to this Directive or shall be accompanied by such a reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.

Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.

Article 24 - Repeal of Decision 2000/642/JHA

Decision 2000/642/JHA is repealed with effect from 1 August 2021.

Article 25 - Entry into force

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 26 - Addressees

This Directive is addressed to the Member States in accordance with the Treaties.