Facilitating the use of financial information is necessary to prevent, detect, investigate or prosecute serious crime.
(2)
In order to enhance security, improve prosecution of financial crimes, combat money laundering and prevent tax crimes in the Member States and across the Union, it is necessary to improve access to information by Financial Intelligence Units (‘FIUs’) and public authorities responsible for the prevention, detection, investigation or prosecution of serious crime, to enhance their ability to conduct financial investigations and to improve cooperation between them.
(3)
Pursuant to Article 4(3) of the Treaty on European Union (TEU), the Union and the Member States are to assist each other. They should also commit to cooperate in a loyal and expeditious manner.
(4)
In its communication of 2 February 2016 on an ‘Action Plan to strengthen the fight against terrorist financing’, the Commission committed to explore the possibility of a distinct self-standing legal instrument to broaden the access to centralised bank and payment account registers by Member States’ authorities, including by authorities competent for the prevention, detection, investigation or prosecution of criminal offences, by Asset Recovery Offices, by tax authorities and by anti-corruption authorities. Moreover, that Action Plan also called for a mapping of obstacles to the access to, exchange and use of information as well as to operational cooperation between FIUs.
(5)
Combating serious crime, including financial fraud and money laundering, remains a priority for the Union.
(6)
Directive (EU) 2015/849 of the European Parliament and of the Council (3) requires Member States to put in place centralised bank account registries or data retrieval systems allowing the timely identification of the persons holding bank and payment accounts and safe-deposit boxes.
(7)
Pursuant to Directive (EU) 2015/849, the information held in such centralised bank account registries is to be directly accessible to FIUs and also accessible to national authorities competent for the prevention of money laundering, the associated predicate offences and terrorist financing.
(8)
Immediate and direct access to the information held in centralised bank account registries is often indispensable for the success of a criminal investigation or for the timely identification, tracing and freezing of related assets in view of their confiscation. Direct access is the most immediate type of access to the information held in centralised bank account registries. This Directive should therefore lay down rules granting direct access to information held in centralised bank account registries to designated Member States’ authorities competent for the prevention, detection, investigation or prosecution of criminal offences. Where a Member State provides access to bank account information through a central electronic data retrieval system, that Member State should ensure that the authority operating the retrieval system reports search results in an immediate and unfiltered way to the designated competent authorities. This Directive should not affect channels for exchanging information between competent authorities or their powers to obtain information from obliged entities, under Union or national law. Any access to information held in centralised registries by the national authorities for purposes other than those of this Directive or with respect to criminal offences other than those covered by this Directive falls outside the scope thereof.
(9)
Given that in each Member State there are numerous authorities or bodies which are competent for the prevention, detection, investigation or prosecution of criminal offences, and in order to ensure proportionate access to financial and other information under this Directive, Member States should be required to designate which authorities or bodies are empowered to have access to the centralised bank account registries and which are able to request information from FIUs for the purposes of this Directive. When implementing this Directive, Member States should take into account the nature, organisational status, tasks and prerogatives of such authorities and bodies as established by their national law, including existing mechanisms for the protection of financial systems against money laundering and terrorist financing.
(10)
Asset Recovery Offices should be designated from amongst the competent authorities and have direct access to the information held in centralised bank account registries when preventing, detecting or investigating a specific serious criminal offence or supporting a specific criminal investigation, including the identification, tracing and freezing of assets.
(11)
To the extent that tax authorities and anti-corruption agencies are competent for the prevention, detection, investigation or prosecution of criminal offences under national law, they should also be considered authorities that can be designated for the purposes of this Directive. Administrative investigations other than those conducted by the FIUs in the context of preventing, detecting and effectively combatting money laundering and terrorist financing should not be covered by this Directive.
(12)
The perpetrators of criminal offences, in particular criminal groups and terrorists, often operate across different Member States and their assets, including bank accounts, are often located in other Member States. Given the cross-border dimension of serious crimes, including terrorism, and of the related financial activities, it is often necessary for competent authorities carrying out criminal investigations in one Member State to access information on bank accounts held in other Member States.
(13)
The information acquired by competent authorities from national centralised bank account registries can be exchanged with competent authorities located in another Member State, in accordance with Council Framework Decision 2006/960/JHA (4), Directive 2014/41/EU of the European Parliament and the Council (5) and with applicable data protection rules.
(14)
Directive (EU) 2015/849 has substantially enhanced the Union legal framework that governs the activity and cooperation of FIUs, including the assessment by the Commission of the possibility of establishing a coordination and support mechanism. The legal status of FIUs varies across Member States from an administrative or a law enforcement status to hybrid ones. The powers of FIUs include the right to access the financial, administrative and law enforcement information that they require to prevent, detect and combat money laundering, the associated predicate offences and terrorist financing. Nevertheless, Union law does not lay down all specific tools and mechanisms that FIUs should have at their disposal in order to access such information and accomplish their tasks. Since Member States are entirely responsible for setting up and deciding on the organisational nature of FIUs, different FIUs have varying degrees of access to regulatory databases, which leads to an insufficient exchange of information between law enforcement or prosecution services and FIUs.
(15)
In order to enhance legal certainty and operational effectiveness, this Directive should lay down rules to strengthen the FIUs’ ability to share financial information and financial analysis with the designated competent authorities in their Member State for all serious criminal offences. More precisely, FIUs should be required to cooperate with the designated competent authorities of their Member States and be able to reply, in a timely manner, to reasoned requests for financial information or financial analysis by those designated competent authorities, where that financial information or financial analysis is necessary, on a case-by-case basis and when such requests are motivated by concerns relating to the prevention, detection, investigation or prosecution of serious criminal offences, subject to the exemptions provided for in Article 32(5) of Directive (EU) 2015/849. That requirement should not preclude the autonomy of the FIUs under Directive (EU) 2015/849. In particular, in cases where the information requested originates from the FIU of another Member State, any restrictions and conditions imposed by that FIU for the use of that information should be complied with. Any use for purposes beyond those originally approved should be made subject to the prior consent of that FIU. FIUs should appropriately explain any refusal to reply to a request for information or analysis. This Directive should not affect the operational independence and autonomy of the FIUs under Directive (EU) 2015/849, including the autonomy of the FIUs to spontaneously disseminate information on their own initiative for the purposes of this Directive.
(16)
This Directive should also set out a clearly defined legal framework to enable FIUs to request relevant data stored by designated competent authorities in their Member State in order to enable them to prevent, detect and combat money laundering, the associated predicate offences and terrorist financing effectively.
(17)
FIUs should endeavour to exchange financial information or financial analysis promptly in exceptional and urgent cases, where such information or analysis is related to terrorism or organised crime associated with terrorism.
(18)
Such exchange should not hamper a FIU’s active role under Directive (EU) 2015/849 in disseminating its analysis to other FIUs where that analysis reveals facts, conduct or suspicion of money laundering and terrorist financing of direct interest to those other FIUs. Financial analysis covers operational analysis which focuses on individual cases and specific targets or on appropriate selected information, depending on the type and volume of the disclosures received and the expected use of the information after dissemination, as well as strategic analysis addressing money laundering and terrorist financing trends and patterns. However, this Directive should be without prejudice to the organisational status and role conferred to FIUs under the national law of Member States.
(19)
Given the sensitivity of financial data that should be analysed by FIUs and the necessary data protection safeguards, this Directive should specifically set out the type and scope of information that can be exchanged between FIUs, between FIUs and designated competent authorities and between designated competent authorities of different Member States. This Directive should not change currently agreed methods of data collection. However, Member States should be able to decide to broaden the scope of financial information and bank account information that can be exchanged between the FIUs and designated competent authorities. Member States should also be able to facilitate access by designated competent authorities to financial information and bank account information for the prevention, detection, investigation or prosecution of criminal offences other than serious criminal offences. This Directive should not derogate from the applicable data protection rules.
(20)
Under the specific competences and tasks of the Agency for Law Enforcement Cooperation (‘Europol’) established by Regulation (EU) 2016/794 of the European Parliament and of the Council (6), as laid down in that Regulation, Europol provides support to cross-border investigations by Member States’ into the money laundering activities of transnational criminal organisations. In that context, Europol should notify the Member States of any information and connections between criminal offences concerning those Member States. According to that Regulation, the Europol national units are the liaison bodies between Europol and the Member States’ authorities that are competent to investigate criminal offences. To provide Europol with the information necessary to carry out its tasks, each Member State should allow its FIU to reply to requests for financial information and financial analysis made by Europol through the Europol national unit of that Member State or, where appropriate, by direct contacts. Member States should also provide that their Europol national unit and, where appropriate, their designated competent authorities, are entitled to reply to requests for information on bank accounts by Europol. Requests made by Europol should be duly justified. They should be made on a case-by case basis, within the limits of Europol’s responsibilities and for the performance of its tasks. The operational independence and autonomy of FIUs should not be jeopardised and the decision whether to provide the requested information or analysis should remain with the FIUs. In order to ensure quick and effective cooperation, FIUs should reply to requests by Europol in a timely manner. In accordance with Regulation (EU) 2016/794, Europol should continue its current practice of providing feedback to the Member States about the use made of the information or analysis provided under this Directive.
(21)
This Directive should also take into consideration the fact that, where applicable, in accordance with Article 43 of Council Regulation (EU) 2017/1939 (7), the European Delegated Prosecutors of the European Public Prosecution Office (EPPO) are empowered to obtain any relevant information stored in national criminal investigation and law enforcement databases, as well as other relevant registers of public authorities, including centralised bank account registries and data retrieval systems, under the same conditions as those that apply under national law in similar cases.
(22)
To strengthen the cooperation between FIUs, the Commission should carry out an impact assessment in the near future to evaluate the possibility and appropriateness of establishing a coordination and support mechanism, such as an ‘EU FIU’.
(23)
To achieve the appropriate balance between efficiency and a high level of data protection, Member States should be required to ensure that the processing of sensitive financial information that could reveal sensitive data concerning a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or of data concerning a natural person’s health, sex life or sexual orientation should be allowed only by specifically authorised persons and in accordance with the applicable data protection rules.
(24)
This Directive respects fundamental rights and observes the principles recognised by Article 6 TEU and by the Charter of Fundamental Rights of the European Union, in particular the right to respect for one’s private and family life, the right to the protection of personal data, the prohibition of discrimination, the freedom to conduct a business, the right to an effective remedy and to a fair trial, the presumption of innocence and the right of defence and the principles of the legality and proportionality of criminal offences and penalties, as well as the fundamental rights and principles provided for in international law and international agreements to which the Union or all the Member States are party, including the European Convention for the Protection of Human Rights and Fundamental Freedoms, and in Member States’ constitutions, in their respective fields of application.
(25)
It is essential to ensure that processing of personal data under this Directive fully respects the right to protection of personal data. Any such processing is subject to Regulation (EU) 2016/679 (8) and to Directive (EU) 2016/680 (9) of the European Parliament and of the Council, in their respective scope of application. As far as the access of Asset Recovery Offices to centralised bank account registries and data retrieval systems is concerned, Directive (EU) 2016/680 applies while Article 5(2) of Council Decision 2007/845/JHA (10) does not apply. As far as Europol is concerned, Regulation (EU) 2016/794 applies. Specific and additional safeguards and conditions for ensuring the protection of personal data should be laid down in this Directive in respect of mechanisms to ensure the processing of sensitive data and records of information requests.
(26)
Any personal data obtained under this Directive should only be processed in accordance with the applicable data protection rules by competent authorities where it is necessary and proportionate for the purposes of the prevention, detection, investigation or prosecution of serious crime.
(27)
Furthermore, in order to respect the right to the protection of personal data and the right to privacy, and to limit the impact of access to the information contained in centralised bank account registries and data retrieval systems, it is essential to provide for conditions limiting such access. In particular, Member States should ensure that appropriate data protection policies and measures apply to access to personal data by competent authorities for the purposes of this Directive. Only authorised staff should have access to information containing personal data which can be obtained from the centralised bank account registries or through authentication processes. Staff granted access to such sensitive data should receive training on security practices with regard to the exchange and handling of the data.
(28)
The transfer of financial data to third countries and international partners for the purposes of this Directive should only be allowed under the conditions laid down in Chapter V of Regulation (EU) 2016/679 or Chapter V of Directive (EU) 2016/680.
(29)
The Commission should report on the implementation of this Directive three years after its date of transposition, and every three years thereafter. In accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (11) the Commission should also carry out an evaluation of this Directive on the basis of information collected through specific monitoring arrangements in order to assess the actual effects of the Directive and the need for any further action.
(30)
This Directive aims to ensure that rules are adopted to provide Union citizens with a higher level of security by preventing and combating crime, pursuant to Article 67 of the Treaty on the Functioning of the European Union (TFEU). Due to their transnational nature, terrorist and criminal threats affect the Union as a whole and require a Union-wide response. Criminals could exploit, and would benefit from, the lack of an efficient use of bank account information and financial information in a Member State, which could in turn have consequences in another Member State.
(31)
Since the objective of this Directive, namely to improve access to information by FIUs and public authorities responsible for the prevention, detection, investigation or prosecution of serious crime, to enhance their ability to conduct financial investigations and to improve cooperation between them, cannot be sufficiently achieved by the Member States, but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve this objective.
(32)
In order to ensure uniform conditions for the implementation of this Directive regarding the authorisation of Member States to provisionally apply or to conclude agreements with third countries that are contracting parties of the European Economic Area, on matters falling within the scope of Chapter II of this Directive, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (12).
(33)
Council Decision 2000/642/JHA should be repealed since its subject matter is regulated by other Union acts and it is no longer needed.
(34)
In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TF EU, United Kingdom and Ireland have notified their wish to take part in the adoption and application of this Directive.
(35)
In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application.
(36)
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (13) and delivered an opinion on 10 September 2018,
