• Home /
• News /
• 2025 /
• September /
• More profiling and surveillance under new EU anti-money laundering rules

More profiling and surveillance under new EU anti-money laundering rules

Topic

Country/Region

25 September 2025

Last year, the EU adopted new rules against money laundering and terrorist financing. Member states are currently implementing the rules that will come into force in July 2027. Dutch non-governmental organisation Privacy First is calling for safeguards to prevent unchecked surveillance, monitoring and profiling.

Image: Mika Baumeister, Unsplash

---

 

Anti-money laundering legislation

The Dutch government’s implementation of new EU anti-money laundering rules needs to protect citizens, businesses and charities from potentially harmful effects, the organisation Privacy First has argued in a submission to a government consultation.

Under EU rules, crime-fighting tasks are already performed by companies, including banks, notaries and bookkeepers. Those firms, known as “obliged entities,” must make a risk profile of each customer, to assess whether they may be engaged in criminal activity.

Furthermore, they must monitor the relationship with the customer, the customer’s transactions, and are obliged to report potentially suspicion activity to the national Financial Intelligence Unit (FIU).

In the Netherlands, the rules are laid down in the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme).

Discrimination, account refusal and data-gathering

These regulations have caused great social harm in the Netherlands: among other things, it has become difficult for certain business sectors and non-profit organisations to open a bank account, and people sometimes face discrimination from banks and other obliged entities.

Furthermore, obliged entities sometimes request very large amounts of confidential and privacy-sensitive data from their customers, going much further than necessary for fear of government sanctions.

In a letter in May this year, the Dutch finance minister acknowledged that the anti-money-laundering regime had gone too far and promised to take action. Privacy First has questioned whether the minister can keep his promises – the Netherlands will soon have little say in the fight against money laundering.

New EU rules

In mid-2027, the new EU Anti-Money Laundering Regulation (AMLR) and other parts of the European Anti-Money Laundering Package will come into force. A lot will change, and not necessarily for the better.

Privacy First’s response to the consultation on implementing the new rules stresses that the organisation is not opposed to involving companies in crime fighting.

They do object, however, to:

• assigning unsuitable tasks to companies;
• the disproportionate costs incurred by obliged entities that are passed on to the customer; and
• the failure to respect the fundamental rights of citizens, and small and medium-sized businesses and non-profit organisations.

Privacy First sees the implementation of European regulations as offering an opportunity to improve safeguards, and has called for:

• improved legal protection of consumers, SMEs and small and medium-sized nonprofit organisations, including through the establishment of a financial ombudsman to handle all complaints on anti-money laundering issues and through low-threshold access to the independent courts;
• a requirement for obliged entities to communicate about their customer due diligence through a secure channel;
• a prohibition on requiring customers to use the European Digital Identity (EUDI) wallet;
• a prohibition for obliged entities on requiring access to the customer's bank account through open banking or open finance (systems designed to enable the exchange of personal and financial data) for the purposes of customer due diligence;
• any automated risk profiling of customers to follow the principles of the European AI Act, including a fundamental rights compliance assessment (FRIA);
• anti-money laundering supervisors, such as the Dutch central bank (DNB), to enforce compliance by obliged entities with data protection rules and respect for customers' fundamental rights;
• supervisory authorities responsible for sanctioning obliged entities to consider whether sanctions could result in fundamental rights violations;
• increased resources for the Dutch Data Protection Authority, so it can monitor compliance by both obliged entities and public authorities with data protection, anti-discrimination and other fundamental rights;
• periodic mandatory audits by independent auditors on compliance with data protection and fundamental rights legislation by public authorities and larger obliged entities.

Halt rights violations

The consultation submission urges the Dutch government to promote the removal of elements of the European anti-money laundering rules that violate fundamental rights.

One example offered is the overly-broad definition of 'politically exposed person' (PEP), which leads to a large group of innocent citizens being incorrectly classified as at a high risk of crime. For example, all parents and children of members of the House of Representatives supposedly pose a high risk of committing crime.

More broadly, Privacy First seeks to spark a public discussion on the privatisation of crime fighting, and wants Dutch politicians to urge Brussels to reconsider and adjust the rules, which provide inadequate protections for fundamental rights.

The full consultation response is available online (in Dutch).

Privacy First is a Dutch non-governmental organisation established in 2008 that focuses on citizen's fundamental rights, including data protection, and the right to make one's own choices, free from undue control and influence.

The organisation works on financial privacy, among other things, and in that context monitors national and EU developments in anti-money laundering, credit registration, open finance and similar topics. Other areas of concern include medical privacy, children's privacy and digital surveillance.