The (inevitable) human rights anchor for compliance professionals (in finance)
We live in challenging times. A range of natural, macro-economic, technical and geopolitical factors influence the world we are living in. These developments shaped prior laws and the behaviour of regulators, supervisors and private companies and will continue to do so. Now have a look at this stakeholder map and look at the board member, assigned the task to ensure adherence to law. He or she is responsible for compliance and has a range of compliance managers, advisors, business lines and experts available to help out.
Over time the compliance professionals (myself included) have developed an approach to their profession that makes their work do-able. But what do we do when fundamental assumptions that we apply to our work no longer appear to be valid? What should we do when we can observe that there are big flaws in the law-making process which render the law ineffective or unconstitutional? What do we do when we see that law makers do not solve inherent conflicts of law? What do we do when we can view supervisors overstepping their institutional mandate?
The constitutionality of law, regulators, government and supervisors can no longer be assumed to be the basis for the compliance function
Over the past years I’ve taken a step back to reflect on the dilemma’s and challenges of (financial/AML) compliance in todays world. I looked back at my career in which I helped shape the world of payments/fintech from a range of perspectives: as a banker, supervisor, policy maker helping out the move to E-money directive, SEPA and PSD. I worked as the head of banking supervision/financial markets at the bankers’ association and acted in a range of roles for private/public customers.
As for the dynamics of regulation, Rationality and Irrationality were the keywords in my 2014 lecture on the development of regulation in EU Payments.
My take-away was that one can better comprehend the outcome of EU legislation in payments by looking at the power dynamics than trying to make sense of the inherent logic of regulation. Take for example Regulation 2560/2001 which was the first big power play by the European Commission. In essence the Commission wrote a price regulation as it sought to shape the market to its liking. Or from a later date, the regulations that implemented the FATF Special Recommendation VII.
From a constitutional perspective, those regulations go well beyond what is appropriate under the constitutional frameworks of Europe. And in practice, the media/regulatory and political power dynamics have as a result that constitutional norms and human rights are not respected (fully) during the legislative process (or financial supervision afterwards). Still, for a long time this seemed to be more the exception than the norm.
After 2014: political motivators become the main driver for every actor in the game
In the last ten years I witnessed a more fundamental change. Very gradually, at least in the Netherlands, we can see that political motives shape the actions of politicians (logical) but remain unchecked by Ministries (of Finance) and observations by constitutional law makers (Council of State) are neglected. Tjeenk Willink, former President of the Council of State, wrote a couple of books on this noting his concern for the validity and legitimacy of rules, now that a constitutional check seems to fade into the background.
Also the main idea that a government itself would stick to the law/rules has most certainly been invalidated here in the Netherlands (with the biggest GDPR fines being handed out to the Dutch Ministry of Finance/taxation department that was discriminating against its own citizens and using a range of illegal databases to keep on doing so).
It is in this perspective that we must also acknowledge that in financial supervision, under the ‘inspiring ideas’ of Malcolm Sparrow it has become the norm not to care about legality of action, but effectiveness. The financial supervisor thus starts to act as lawmaker itself and operates beyond boundaries, even ignoring relevant other bodies of law such as the GDPR (see example here).
The consequence is that as compliance professionals we lose our anchor. We need to start working from different assumptions. We can no longer assume that laws are properly balanced, fundamental rights are respected and nor can we assume that supervisors will stick to institutional boundaries. We need a new anchor. But which?
Human Rights form a good anchor as they seek balance
In my view, compliance professionals need to expand their view and re-consider their footing. In general they can assume that laws/supervisors work fine, but we must acknowledge that there is a realistic probability that in specific instances the laws do not work fine and that regulators and supervisors overstep their boundaries. We have a duty to investigate and double-check whether perhaps in this case the law and supervisor may infringe on the fundamental rights of companies (freedom of business) and individuals (innocence presumption, right to ownership, right to privacy etc).
The declaration of Human Rights and subsequent normative frameworks can be quite helpful in that respect. Most important is the understanding that human rights are not absolute rights in themselves, but are rights that require finding the right balance. There are many legal and procedural safeguards to ensure that this balance is struck beforehand.
Unfortunately however, these ex-ante safeguards (like the Dutch Integraal AfwegingsKader Regelgeving which contains checklists on infringements of Human Rights to be considered when making laws) are in practice often ignored by regulators and politicians alike. Therefore it takes law suits to address the shortcomings and respect the balance between human rights at hand.
Human rights anchor in practice: excessive AML-rules versus privacy infringements and freedom of enterprise
Let’s have a look at how this human rights as an anchor would work in practice.
Right now the Netherlands has overly excessive regulation in place with respect to reporting unusual transactions rather than suspicious transactions. Also, private and public actors cooperate in transaction monitoring on this matter, despite clear viewpoints of the European Data Protection Board that this is too disproportional. As a result many customers are faced with undue and overly privacy infringing questions, threathened that their accounts are taken away and in general bullied a bit too much.
The cause of this bullying lies in a disbalance between AML rules versus privacy fundamental rights. And although the power disbalance in Europe is clear, it is also clear from higher UN Resolutions that we should not mass monitor our customers/citizens and no legislation should prescribe this. So there is a serious conflict of law here, which goes unresolved.
But why is it unresolved?
Because very few companies dare to challenge this.
Still, when looking at the House of law it is clear that UN resolutions and frameworks exist that do stress the need to find a proper balance and that can form the legal basis to reconsider what is being done in the Netherlands (or Europa).
Excerpt from presentation 2022 on more modern — human rights proof way of AML/KYC legislation in NL.
The Bitonic case demonstrates how a human rights anchor can be succesfully applied as part of the compliance work !
From 2019 to mid 2022 I acted as the responsible compliance advisor that helped the crypto-company win a law suit against its AML-KYC supervisor. The supervisor, De Nederlandsche Bank, had asked too much, had no legal basis for it and this was technically clear from the outset. The fact that there was no legal basis in Sanctions law for the alleged requirement in combination with the all-in intrusive (privacy infringing) nature of the requirement, meant that a speedy trial before the administrative judge was possible. There was an urgent need to stop the violation of the GDPR.
The judge then sent the supervisor back to do its homework after which the supervisor itself had to conclude that it had indeed illegally required the disputed requirement during the registration process. It revoked the requirement fully. And we could finally delete all the illegally assembled customer information.
Further on down the road, two years later, as part of a prolonged debate on the cost of supervision, the same Rotterdam court anulled the parts of the Dutch AML-law that were in violation of the EUrules in this respect (those parts were put in there — in spite of a negative judgment by the Council of State — on request of the supervisor). See for more info the blog here.
The example demonstrates how, by using a human rights perspective, unbalanced and unlawful regulations and an overstepping supervisor can be pushed back. However, this approach not only requires compliance officers to step away from their assumptions on the legality of laws and behaviour of supervisors. It also requires a broader perspective and skill set for the compliance advisor.
Human Rights and administrative procedure as part of the compliance skills
Of course readers may say: Well this is all a very much Dutch tainted story about the future of compliance. But is it really?
The rule of law and the lawfulness of regimes and governments is currently pretty much under attack world wide and cannot be taken for granted. Political winds can blow any direction and when government institutions bend their behaviour to those winds, it takes a serious spinal chord to stand upright and resist the legal changes and supervisory behaviourr which is contrary to the spirit of International Bill of Human Rights.
The reality of our future legal environment and technological developments such as AI mean that compliance officers may seek to adapt accordingly. In my view this means that the compliance profession has a next stage of professionalisation ahead. Up next we should thus also expect compliance advisors to:
- be able to combine human rights perspectives, privacy perspectives and anti money laundering perspectives in a more holistic view of what it means to act as a responsible compliance professional
- be very involved in the European and local law making process and be able to judge the dynamics and legitimacy of it and the possible flaws in the process
- be able/willing to do freedom of information requests to get the real data on the motives and drivers of government actors involved out in the open (for use in the public domain and in court cases)
- be able/willing to use enforcement requests to ensure proper attention of supervisory authorities to topics/illegal behaviour in the market that requires more attention than is given by the supervisor itself
- read up on verdicts of relevant courts to understand the legal issues at stake and not blindly revert to internal lawyers for legal stuff. Make sure they themselves also read up on important human rights verdicts
- explain to risk managers and top management the risk of human right infringement costs and damages actions that the company becomes vulnerable to, when transgressing human rights
- be able/willing to fight for human rights and litigate against powerful actors such as the supervisors, lawmakers or other institutions (and remember: there may be other institutional players able to help — think competition authority or data protection authority)
- be confident that breaches of human rights are also breaches of EU Union law and taking action to stop those breaches
Are you going with me?
Yes. This is an invitation to further shape our future compliance work by using the human rights anchor as well. So are you going with me?
