Beautiful Virgin Islands

Wednesday, Jul 23, 2025

Game of Laws: Compliance in the Age of Regulatory Proliferation

Game of Laws: Compliance in the Age of Regulatory Proliferation

Even if the pace at which regulations are drafted seems to be slowing down, at least at the EU-level, regulations in general are still trending toward bullish proliferation. In the financial-crime field alone, around 1,300 binding pieces of legislation have been brought to light in the span of 20 years (2000-2020), with about 228 directives and 1100 regulations.

Today, around 186 directives and 800 regulations are in effect.

Additional potential regulations are also looming, including those that could establish a long-debated European central anti-money laundering authority or new, potentially extraterritorial, regulations in the post-Brexit UK.

Until fairly recently, the response from compliance officers to such new mandates could be compared to that of a soldier replying to an order: “Roger Wilco,” short for “received and will comply.” And then one day, it happened.

On July 18, 2018, the High Court of Justice in the UK ruled in favour of a claimant who had requested that his bank disclose the contents of Suspicious Activity Reports (SARs) filed to the National Crime Agency (NCA). Breach of the non-tipping-off principle? Not at all, according to the court.

Will this decision broader political conflict over the imposition of regulations and laws? Perhaps. Will it open a Pandora’s box of long proceedings to challenge the existing anti-financial crime and compliance legislative framework? Most probably.

At least one thing is clear: with all our legitimate and justified intentions to combat financial crime, we have been living in some sort of a legislative paradise, where all laws and regulations match together as the pieces of a jigsaw puzzle. But what if this paradise is lost?

The road paved with good intentions

We all seem to agree that the whole point behind compliance efforts is ultimately to serve the general welfare of humanity. Still, one may argue where the limits of the “general interest/common good” umbrella end.

Let’s take the example of AML/CTF requirements on the collection of data related to Politically Exposed Persons (PEPs). We remember that their 1st and 2nd degree relatives and close associates are also considered to be PEPs. Oftentimes, the research performed by financial institutions can be inclusive but also highly intrusive. What if a client has an extramarital affair? And what if it concerns a same-sex partner?

These cases clearly fall under the GDPR provisions regarding sensitive personal data. No particular issue with this unless we consider, for example, that many financial institutions operate in countries whose AML regulations do not impose any data protection for the information collected during compliance procedures; therefore, it seems that the key European requirement of the same level of safeguards is not met. Moreover, PEP definitions may vary even across the EU (e.g., Italy where a list of national PEPs has been published), further amplifying the scope.

More food for thought: national FIUs receive hundreds of SARs containing sensitive data. If we refer to Recital 14 of the GDPR, it seems that FIUs are not covered by the regulation’s provisions in general, nor by its specific safeguards. What will happen in case of a major breach or a cyberattack? Off the radar for now.

How about counterterrorist financing? Even when there are genuine security and welfare objectives, there may be data-privacy concerns. One of the most well-known affairs relates to SWIFT. Indeed, in 2006, the world was shocked with the revelations published by The New York Times that US authorities secretly and illegally gained access to SWIFT messages containing personal data as part of their Terrorist Finance Tracking Program. Back in 2006, this practice was judged as a breach of the then-applicable regulations. Two years later, however, the initial position was entirely reversed to recognize the legitimacy of the US program. In France, for instance, such practices would be violating the Blocking Statute of July 1968, updated in July 1980, which prohibits companies incorporated in France from transferring specific data to foreign authorities without using the channel of international criminal cooperation. Have you ever tried to use this channel, via Mutual Legal Assistance Treaties or otherwise? Well, good luck, and arm yourself with patience and snacks to nosh during your long legal siege.

In the context of such legal instability, we seem to be shifting towards a completely new compliance order.

Strange new world

We already know – and the European Commission itself highlighted this fact in a July 2019 press release – that AML and other financial crime regulations drastically lack harmonisation, whether it be across the EU Member States or between the EU and third countries, such as the US.

The US example is a flagrant one; suffice it to mention the fundamental difference between the FCPA and the rest of most well-known, anti-corruption laws lies in the treatment of passive bribery and facilitation payments. A small historical digression: several US Courts of Appeal confirmed at every occasion that their constitutional double jeopardy provision does not apply to the FCPA when it comes to foreign judgements, while most of the countries recognize, at least partially, the non bis in idem principle. A dangerous mismatch.

However, certain discrepancies may cause genuine issues or even larger disorder.

This is very often the case when it comes to the conflict between AML laws and privacy regulations. Let’s take the example of Lonsdale v National Westminster Bank. The claimant’s business and personal accounts were frozen by his bank. A barrister himself, he put two-and-two together, assumed a SAR was filed, and, according to the then in-force Data Protection Act 1998, requested access to the SAR. However, we all know that disclosing a SAR to the customer concerned is tantamount to the tipping-off offence, already clearly prohibited in the 3AMLD and seq. Legal crossroads in its splendour.

The court judged that “there was no evidence that the SARs are required to be kept confidential. The SARs were plainly relevant to the assessment of whether the bank’s employees genuinely held a relevant suspicion” .

Guillaume Rudelle, a Parisian barrister and Associate at Norton Rose Fulbright in France admits: “Practically speaking, such action could only be successful if the customer is able to demonstrate that the suspicious activity report (SAR) was unlawful, which is impossible if one cannot have access to the content of the SAR. Accordingly, denying a request made by the customer to obtain the disclosure of the SAR could be seen as a denial of the right to a fair trial”.

According to American lawyers, such an action would be impossible in the United States. The same holds true for France, though with nuances.

“SARs are confidential (art. L.561-18, French Monetary Code). Both their existence and the content of the report, along with any follow-up action, cannot be disclosed to the subject of the report or to any third party. Should an individual concerned by a SAR wish to consult what personal data was used in the SAR, he/she can ask the CNIL for “indirect access” which then nominates one of its members, who is also (or has been) a member of one of the French Supreme Courts, in order to investigate and potentially make relevant amendments to personal data. The individual gets access when the CNIL establishes with the bank that communicating the information will not reveal any sensitive information (i.e. the SAR itself, the amount at stake, declarations from bank employees, follow-up actions etc.) and, most importantly, does not risk to hinder the objectives of anti-money laundering and terrorism financing”, specifies Emmanuel Breen, Counsel at Laurent Cohen-Tanugi Avocats (Paris, France).

It remains unclear what the purpose of such a disclosure to the claimant would be, absent the above data.

Additionally, we must not forget the French Constitutional Council’s decision that deemed the public register of trusts required by the 4AMLD to be unconstitutional due to its infringement of the right to privacy. As of today, there is still no further progress on this point, at least in France.

While still a member of the EU, the UK somewhat customised their approach by creating a trust register that is not accessible to the public and therefore less of an invasion of privacy. This regime seems unlikely to be amended after Brexit.

In Italy, it seems that the UBO of a trust can oppose the publication of his/her data in the register.

Speaking of registers: what a fascinating exercise as to compile the data on the UBO registers in countries on every continent in terms of existence and availability. We can note that, in some cases, even the so-called “developing” countries have exceeded the developed European ones; Ghana, would be a good example of this.

On this basis, the recent decision taken by the European Commission to designate “high-risk” jurisdictions is more than nebulous. Nor will the EU’s plan to create a unique European AML supervisory body sort out this lack of consistency and harmonisation; this proposal gloomily promises only to add another layer to the bureaucratic blame game.

Finally, there is the mismatch between sanctions regulations, with perhaps the most conspicuous being the differences between OFAC’s programs and those under the EU Blocking Statute. In a nutshell, the problem arises because entities established or incorporated in the EU are prohibited from complying with specific US sanctions regimes, on pain of penalties.

“It is important to note, however, that the EU Blocking Regulation does not provide for a formal sanction mechanism and leaves it to Member States to define sanctions and enforce them. There are therefore huge discrepancies in the enforcement record of the EU Blocking Regulation among Member States. Certain governments have been more aggressive than others in this respect. For example, the UK adopted the Extraterritorial US Legislation Sanctions against Cuba, Iran and Libya – Protection of Trading Interests Order in February 2019, which provides for an unlimited fine. At the other extreme, countries like France and Luxembourg have yet to introduce any national legislation on this issue and are not yet in a position to prosecute violations of the EU Blocking Regulation”, says Mr. Breen. “The EU is not, though, alone in this aspect. Canada and Mexico also implemented their own blocking statutes to respond specifically to the US Helms-Burton Act”, he adds.

If jurisdictions continue this ping-pong game, who can unhesitatingly and confidently say where we are headed?

Towards a No-Man’s Land?

Mr. Breen tilts toward a further increase in regulations. During our discussion, he used the term “overcompliance”. Quite a fair one. Despite its positive connotations – i.e., going beyond explicit regulatory requirements and expectations – Mr. Breen still considers it a risk.

Pierre-Manuel Sroczynski, ex-Director of the Compliance and Permanent Control department at the French La Banque Postale and now a consultant at Somerset Advisory, holds a diametrically opposed view.

“The AML and sanctions-related legislative and regulatory corpus is already quite extensive and complete. A further increase? Definitely not. I guess the governments have taken heed of the fact that the crux of the matter now lies with the relevant and appropriate supervision, coordination and harmonisation”, he believes.

Today, we are waiting to find out what lies ahead, and what the current and upcoming regulatory efforts have in store for Compliance Officers. The territory remains challenged and contentious. Personally, being a Cartesian Compliance Officer, I believe that the “holy war” Compliance wages on financial crime may justify specific gambits, i.e. sacrifices (for example, data protection), in order to effectively pursue a just cause, unless there are truly no regulatory conflicts involved. I am also convinced that compliance should go beyond regulatory expectations, not to complicate our lives but to make it easier.

I have to admit that sometimes it feels like compliance has taken the wrong path, with regulations having too many loopholes that seem designed to satisfy particular shadow interests. Even the FATF Executive Secretary David Lewis admits that no country has a solid AML framework that works as it should. Take the recent EIB case, as an example: the drastic shortcomings in the AML framework were known to EIB’s top management, who actually considered the regulations and rules and insisted on their implementation throughout Europe. Or the whatever-Leaks or Papers: how many of you know what the state of play is after all the whistleblower-journalists to and fro, and the books written and disclosures published?

But as a compliance professional, I hope that no regulatory evolution in this field will force the return to ground zero.

Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
US Treasury Secretary Calls for Institutional Review of Federal Reserve Amid AI‑Driven Growth Expectations
UK Government Considers Dropping Demand for Apple Encryption Backdoor
Severe Flooding in South Korea Claims Lives Amid Ongoing Rescue Operations
Japanese Man Discovers Family Connection Through DNA Testing After Decades of Separation
Russia Signals Openness to Ukraine Peace Talks Amid Escalating Drone Warfare
Switzerland Implements Ban on Mammography Screening
Japanese Prime Minister Vows to Stay After Coalition Loses Upper House Majority
Pogacar Extends Dominance with Stage Fifteen Triumph at Tour de France
CEO Resigns Amid Controversy Over Relationship with HR Executive
Man Dies After Being Pulled Into MRI Machine Due to Metal Chain in New York Clinic
NVIDIA Achieves $4 Trillion Valuation Amid AI Demand
US Revokes Visas of Brazilian Corrupted Judges Amid Fake Bolsonaro Investigation
U.S. Congress Approves Rescissions Act Cutting Federal Funding for NPR and PBS
North Korea Restricts Foreign Tourist Access to New Seaside Resort
Brazil's Supreme Court Imposes Radical Restrictions on Former President Bolsonaro
Centrist Criticism of von der Leyen Resurfaces as she Survives EU Confidence Vote
Judge Criticizes DOJ Over Secrecy in Dropping Charges Against Gang Leader
Apple Closes $16.5 Billion Tax Dispute With Ireland
Von der Leyen Faces Setback Over €2 Trillion EU Budget Proposal
UK and Germany Collaborate on Global Military Equipment Sales
Trump Plans Over 10% Tariffs on African and Caribbean Nations
Flying Taxi CEO Reclaims Billionaire Status After Stock Surge
Epstein Files Deepen Republican Party Divide
Zuckerberg Faces $8 Billion Privacy Lawsuit From Meta Shareholders
FIFA Pressured to Rethink World Cup Calendar Due to Climate Change
SpaceX Nears $400 Billion Valuation With New Share Sale
Microsoft, US Lab to Use AI for Faster Nuclear Plant Licensing
Trump Walks Back Talk of Firing Fed Chair Jerome Powell
Zelensky Reshuffles Cabinet to Win Support at Home and in Washington
"Can You Hit Moscow?" Trump Asked Zelensky To Make Putin "Feel The Pain"
Irish Tech Worker Detained 100 days by US Authorities for Overstaying Visa
Dimon Warns on Fed Independence as Trump Administration Eyes Powell’s Succession
Church of England Removes 1991 Sexuality Guidelines from Clergy Selection
Superman Franchise Achieves Success with Latest Release
Hungary's Viktor Orban Rejects Agreements on Illegal Migration
Jeff Bezos Considers Purchasing Condé Nast as a Wedding Gift
Ghislaine Maxwell Says She’s Ready to Testify Before Congress on Epstein’s Criminal Empire
Bal des Pompiers: A Celebration of Community and Firefighter Culture in France
FBI Chief Kash Patel Denies Resignation Speculations Amid Epstein List Controversy
Air India Pilot’s Mental Health Records Under Scrutiny
Google Secures Windsurf AI Coding Team in $2.4 Billion Licence Deal
Jamie Dimon Warns Europe Is Losing Global Competitiveness and Flags Market Complacency
South African Police Minister Suspended Amid Organised Crime Allegations
Nvidia CEO Claims Chinese Military Reluctance to Use US AI Technology
Hong Kong Advances Digital Asset Strategy to Address Economic Challenges
Australia Rules Out Pre‑commitment of Troops, Reinforces Defence Posture Amid US‑China Tensions
Martha Wells Says Humanity Still Far from True Artificial Intelligence
Nvidia Becomes World’s First Four‑Trillion‑Dollar Company Amid AI Boom
U.S. Resumes Deportations to Third Countries After Supreme Court Ruling
Excavation Begins at Site of Mass Grave for Children at Former Irish Institution
×