Outsourcing crime control: How EU anti-money laundering rules threaten financial privacy
Privacy First is drawing attention to the risks to financial privacy and fundamental rights arising from the European Union’s anti-money laundering and counter-terrorist financing (AML/CFT) framework. Over the past decade, the EU has increasingly shifted the responsibility of detecting financial crime from public authorities to banks, bookkeepers and other companies (called “obliged entities”). With a completely revised AML Package set to enter into force in mid-2027, this system will expand further, turning ordinary citizens and civil society organisations into subjects of systems of financial surveillance.
Privatisation of crime fighting is a threat to financial privacy
EU rules regarding anti-money laundering, counter-terrorist financing and sanctions law (AML/CFT) have increasingly shifted responsibilities to detect crime from public entities to companies. AML/CFT law requires “obliged entities”, like banks, to collect large amounts of financial and other personal data about their customers. They then use this information to assess whether their customers are criminals or possess money generated by criminal activity. If the obliged entity suspects criminal finances, this must be reported to the authorities. The assessment by banks is based on an analysis of all transaction data with digital tools like artificial intelligence.
The way banks implement these rules in the EU has led to a systemic negative impact on human rights, often because of over-compliance, risk-aversion and weak accountability. This has been the case in the Netherlands where, among a large number of human rights breaches by banks, Dutch ING Bank has even publicly apologised for discriminating against its customers based on profiling.
Although AML/CFT frameworks are designed to prevent financial crime, in practice they often affect people and organisations who are engaged in entirely lawful activities but are nonetheless categorised as “high risk” by financial institutions. Risk classification is frequently based on general indicators such as geographic connections, patterns of financial behaviour, or professional status. For example, this impacts people who are nationals of or have relations with “high risk” countries such as Iran, Algeria, Syria and Lebanon, or neighbouring countries like Turkey and Morocco. Similarly, people who rely heavily on cash transactions – often migrants – may be flagged as suspicious simply because their financial behaviour deviates from what banks consider “typical”. Small and medium-sized enterprises (SMEs) with activities considered by obliged entities to be inherently risky experience significant difficulties.
Among the affected groups are non-profit organisations, which experience unnecessary requests for additional information, a drastic increase in administrative requirements, difficulties or refusal when opening an account, and a drastic increase in bank charges.
Another example is that the regulations designate a very broad group of individuals as being, by definition, at high risk of criminal activity, namely “Politically Exposed Persons” (PEPs). This includes not only elected officials – like members of parliament – but also their parents, partners, children, and close associates. This attaches risk to the status held by a person rather than their behaviour. In practice, all kinds of different ordinary individuals and groups encounter problems with banks’ Know Your Customer (KYC) procedures.
The practical consequences of these classifications are significant. These individuals and groups are disproportionately affected by account closures, transaction delays, intrusive monitoring, and financial exclusion due to banks’ risk-avoidance practices, a practice called “de-risking”. Instead of managing risk, banks seek to eliminate it by withdrawing altogether from customers or sectors perceived as problematic. The burden of compliance and over-enforcement often falls not on criminals, but on already marginalised communities with limited access to remedies.
According to Privacy First, the AML/CFT regulations contain many elements that violate human rights, such as categorising all children and parents of members of national parliaments as being at high risk of criminality. Furthermore, these regulations lead to large-scale processing of personal financial data by the obliged entities, with significant data protection risks.
In 2024, a package of completely revised AML/CFT rules was adopted, called the “AML Package”, which will come into force in mid-2027 and will bring about many changes. In August 2025, Privacy First participated in a consultation held by the Dutch government on the implementation of the new AML/CFT rules. The organisation emphasised the importance of critically examining the new rules and preventing further violations of fundamental rights.
Revised EU rules on registration of ‘beneficial owners’ could infringe fundamental rights
In December 2025, the European Commission held a consultation on the European registration rules for national registers of “beneficial owners” (BO registers). In this register, all legal entities — such as companies, foundations and non-profit organisations — have to record the personal data of their BOs, the natural persons who ultimately own or control the entity, and the reason why they are considered as such. These registers are part of the AML/CFT system. By making ownership structures visible, authorities aim to prevent criminals from hiding behind complex corporate arrangements. Under the revised EU framework, these registers will practically become publicly accessible, meaning that sensitive personal data of beneficial owners may be available beyond law enforcement authorities and financial institutions.
While participating in the Commission’s consultation, Privacy First emphasised that the fight against financial crime must remain consistent with fundamental rights, including the right to privacy, data protection, and freedom of association. It argued that individuals should not be criminalised on the basis of characteristics that have nothing to do with crime. This also applies to the system of registration of BOs as established by the EU. Measures designed to combat crime must be proportionate and targeted at actual risks, rather than based on broad categories or legal status alone.
Privacy First’s consultation response addresses the consequences of BO registration for natural persons and non-profit organisations. Among other things, the system might lead to unnecessary requests and excessive collection of personal data. For example, obliged entities like banks may feel compelled to request information not only from the regular BO, such as the director or a shareholder, but also from their family members, expanding the circle of affected persons beyond those who have any meaningful economic or controlling interest.
Additionally, applying these rules to non-profit organisations is disproportionate. Following this framework, NGOs are required to register a BO, usually their managing directors, despite the person designated as BO having no economic interest in the NGO and being already publicly registered in the commercial register (trade register). The additional registration of directors as a BO leads to a great deal of misunderstanding among non-profit organisations, which already feel that all kinds of unreasonable demands are being made of them and that they are being treated as potential criminals.
The administrative burden, combined with the symbolic effect of being placed within an anti-money laundering framework, burdens non-profit organisations and may result in fewer people committing themselves to social causes. It may have consequences for freedom of association and have a chilling effect.
In addition, Privacy First underlines that the consultation only covers a limited part of the BO system. For this reason, it urges the EU institution to undertake a broader review of the entire framework, as a comprehensive reassessment is necessary to ensure the protection of fundamental rights and the prevention of human rights violations.
The AML Package poses a great risk to non-profit work in the EU. It is therefore crucial that civil society comes together to fight the wider consequences that it will have for everyone’s financial privacy and human rights.
Contribution by: Privacy First
Privacy First is a Dutch non-profit organisation with financial privacy as one of its focus areas.
This focus area covers topics such as identification (verification of the identity) at financial institutions, privatisation of crime control to banks (AML/CFT), open finance & open banking (including financial data access, ‘FIDA’), credit registration and creditworthiness assessment, and the associated trade in financial personal data.
