London Daily

Focus on the big picture.
Thursday, Oct 02, 2025

Game of Laws: Compliance in the Age of Regulatory Proliferation

Game of Laws: Compliance in the Age of Regulatory Proliferation

Even if the pace at which regulations are drafted seems to be slowing down, at least at the EU-level, regulations in general are still trending toward bullish proliferation. In the financial-crime field alone, around 1,300 binding pieces of legislation have been brought to light in the span of 20 years (2000-2020), with about 228 directives and 1100 regulations.

Today, around 186 directives and 800 regulations are in effect.

Additional potential regulations are also looming, including those that could establish a long-debated European central anti-money laundering authority or new, potentially extraterritorial, regulations in the post-Brexit UK.

Until fairly recently, the response from compliance officers to such new mandates could be compared to that of a soldier replying to an order: “Roger Wilco,” short for “received and will comply.” And then one day, it happened.

On July 18, 2018, the High Court of Justice in the UK ruled in favour of a claimant who had requested that his bank disclose the contents of Suspicious Activity Reports (SARs) filed to the National Crime Agency (NCA). Breach of the non-tipping-off principle? Not at all, according to the court.

Will this decision broader political conflict over the imposition of regulations and laws? Perhaps. Will it open a Pandora’s box of long proceedings to challenge the existing anti-financial crime and compliance legislative framework? Most probably.

At least one thing is clear: with all our legitimate and justified intentions to combat financial crime, we have been living in some sort of a legislative paradise, where all laws and regulations match together as the pieces of a jigsaw puzzle. But what if this paradise is lost?

The road paved with good intentions

We all seem to agree that the whole point behind compliance efforts is ultimately to serve the general welfare of humanity. Still, one may argue where the limits of the “general interest/common good” umbrella end.

Let’s take the example of AML/CTF requirements on the collection of data related to Politically Exposed Persons (PEPs). We remember that their 1st and 2nd degree relatives and close associates are also considered to be PEPs. Oftentimes, the research performed by financial institutions can be inclusive but also highly intrusive. What if a client has an extramarital affair? And what if it concerns a same-sex partner?

These cases clearly fall under the GDPR provisions regarding sensitive personal data. No particular issue with this unless we consider, for example, that many financial institutions operate in countries whose AML regulations do not impose any data protection for the information collected during compliance procedures; therefore, it seems that the key European requirement of the same level of safeguards is not met. Moreover, PEP definitions may vary even across the EU (e.g., Italy where a list of national PEPs has been published), further amplifying the scope.

More food for thought: national FIUs receive hundreds of SARs containing sensitive data. If we refer to Recital 14 of the GDPR, it seems that FIUs are not covered by the regulation’s provisions in general, nor by its specific safeguards. What will happen in case of a major breach or a cyberattack? Off the radar for now.

How about counterterrorist financing? Even when there are genuine security and welfare objectives, there may be data-privacy concerns. One of the most well-known affairs relates to SWIFT. Indeed, in 2006, the world was shocked with the revelations published by The New York Times that US authorities secretly and illegally gained access to SWIFT messages containing personal data as part of their Terrorist Finance Tracking Program. Back in 2006, this practice was judged as a breach of the then-applicable regulations. Two years later, however, the initial position was entirely reversed to recognize the legitimacy of the US program. In France, for instance, such practices would be violating the Blocking Statute of July 1968, updated in July 1980, which prohibits companies incorporated in France from transferring specific data to foreign authorities without using the channel of international criminal cooperation. Have you ever tried to use this channel, via Mutual Legal Assistance Treaties or otherwise? Well, good luck, and arm yourself with patience and snacks to nosh during your long legal siege.

In the context of such legal instability, we seem to be shifting towards a completely new compliance order.

Strange new world

We already know – and the European Commission itself highlighted this fact in a July 2019 press release – that AML and other financial crime regulations drastically lack harmonisation, whether it be across the EU Member States or between the EU and third countries, such as the US.

The US example is a flagrant one; suffice it to mention the fundamental difference between the FCPA and the rest of most well-known, anti-corruption laws lies in the treatment of passive bribery and facilitation payments. A small historical digression: several US Courts of Appeal confirmed at every occasion that their constitutional double jeopardy provision does not apply to the FCPA when it comes to foreign judgements, while most of the countries recognize, at least partially, the non bis in idem principle. A dangerous mismatch.

However, certain discrepancies may cause genuine issues or even larger disorder.

This is very often the case when it comes to the conflict between AML laws and privacy regulations. Let’s take the example of Lonsdale v National Westminster Bank. The claimant’s business and personal accounts were frozen by his bank. A barrister himself, he put two-and-two together, assumed a SAR was filed, and, according to the then in-force Data Protection Act 1998, requested access to the SAR. However, we all know that disclosing a SAR to the customer concerned is tantamount to the tipping-off offence, already clearly prohibited in the 3AMLD and seq. Legal crossroads in its splendour.

The court judged that “there was no evidence that the SARs are required to be kept confidential. The SARs were plainly relevant to the assessment of whether the bank’s employees genuinely held a relevant suspicion” .

Guillaume Rudelle, a Parisian barrister and Associate at Norton Rose Fulbright in France admits: “Practically speaking, such action could only be successful if the customer is able to demonstrate that the suspicious activity report (SAR) was unlawful, which is impossible if one cannot have access to the content of the SAR. Accordingly, denying a request made by the customer to obtain the disclosure of the SAR could be seen as a denial of the right to a fair trial”.

According to American lawyers, such an action would be impossible in the United States. The same holds true for France, though with nuances.

“SARs are confidential (art. L.561-18, French Monetary Code). Both their existence and the content of the report, along with any follow-up action, cannot be disclosed to the subject of the report or to any third party. Should an individual concerned by a SAR wish to consult what personal data was used in the SAR, he/she can ask the CNIL for “indirect access” which then nominates one of its members, who is also (or has been) a member of one of the French Supreme Courts, in order to investigate and potentially make relevant amendments to personal data. The individual gets access when the CNIL establishes with the bank that communicating the information will not reveal any sensitive information (i.e. the SAR itself, the amount at stake, declarations from bank employees, follow-up actions etc.) and, most importantly, does not risk to hinder the objectives of anti-money laundering and terrorism financing”, specifies Emmanuel Breen, Counsel at Laurent Cohen-Tanugi Avocats (Paris, France).

It remains unclear what the purpose of such a disclosure to the claimant would be, absent the above data.

Additionally, we must not forget the French Constitutional Council’s decision that deemed the public register of trusts required by the 4AMLD to be unconstitutional due to its infringement of the right to privacy. As of today, there is still no further progress on this point, at least in France.

While still a member of the EU, the UK somewhat customised their approach by creating a trust register that is not accessible to the public and therefore less of an invasion of privacy. This regime seems unlikely to be amended after Brexit.

In Italy, it seems that the UBO of a trust can oppose the publication of his/her data in the register.

Speaking of registers: what a fascinating exercise as to compile the data on the UBO registers in countries on every continent in terms of existence and availability. We can note that, in some cases, even the so-called “developing” countries have exceeded the developed European ones; Ghana, would be a good example of this.

On this basis, the recent decision taken by the European Commission to designate “high-risk” jurisdictions is more than nebulous. Nor will the EU’s plan to create a unique European AML supervisory body sort out this lack of consistency and harmonisation; this proposal gloomily promises only to add another layer to the bureaucratic blame game.

Finally, there is the mismatch between sanctions regulations, with perhaps the most conspicuous being the differences between OFAC’s programs and those under the EU Blocking Statute. In a nutshell, the problem arises because entities established or incorporated in the EU are prohibited from complying with specific US sanctions regimes, on pain of penalties.

“It is important to note, however, that the EU Blocking Regulation does not provide for a formal sanction mechanism and leaves it to Member States to define sanctions and enforce them. There are therefore huge discrepancies in the enforcement record of the EU Blocking Regulation among Member States. Certain governments have been more aggressive than others in this respect. For example, the UK adopted the Extraterritorial US Legislation Sanctions against Cuba, Iran and Libya – Protection of Trading Interests Order in February 2019, which provides for an unlimited fine. At the other extreme, countries like France and Luxembourg have yet to introduce any national legislation on this issue and are not yet in a position to prosecute violations of the EU Blocking Regulation”, says Mr. Breen. “The EU is not, though, alone in this aspect. Canada and Mexico also implemented their own blocking statutes to respond specifically to the US Helms-Burton Act”, he adds.

If jurisdictions continue this ping-pong game, who can unhesitatingly and confidently say where we are headed?

Towards a No-Man’s Land?

Mr. Breen tilts toward a further increase in regulations. During our discussion, he used the term “overcompliance”. Quite a fair one. Despite its positive connotations – i.e., going beyond explicit regulatory requirements and expectations – Mr. Breen still considers it a risk.

Pierre-Manuel Sroczynski, ex-Director of the Compliance and Permanent Control department at the French La Banque Postale and now a consultant at Somerset Advisory, holds a diametrically opposed view.

“The AML and sanctions-related legislative and regulatory corpus is already quite extensive and complete. A further increase? Definitely not. I guess the governments have taken heed of the fact that the crux of the matter now lies with the relevant and appropriate supervision, coordination and harmonisation”, he believes.

Today, we are waiting to find out what lies ahead, and what the current and upcoming regulatory efforts have in store for Compliance Officers. The territory remains challenged and contentious. Personally, being a Cartesian Compliance Officer, I believe that the “holy war” Compliance wages on financial crime may justify specific gambits, i.e. sacrifices (for example, data protection), in order to effectively pursue a just cause, unless there are truly no regulatory conflicts involved. I am also convinced that compliance should go beyond regulatory expectations, not to complicate our lives but to make it easier.

I have to admit that sometimes it feels like compliance has taken the wrong path, with regulations having too many loopholes that seem designed to satisfy particular shadow interests. Even the FATF Executive Secretary David Lewis admits that no country has a solid AML framework that works as it should. Take the recent EIB case, as an example: the drastic shortcomings in the AML framework were known to EIB’s top management, who actually considered the regulations and rules and insisted on their implementation throughout Europe. Or the whatever-Leaks or Papers: how many of you know what the state of play is after all the whistleblower-journalists to and fro, and the books written and disclosures published?

But as a compliance professional, I hope that no regulatory evolution in this field will force the return to ground zero.

Newsletter

Related Articles

0:00
0:00
Close
Trump Administration Launches “TrumpRx” Plan to Enable Direct Drug Sales at Deep Discounts
Trump Announces Intention to Impose 100 Percent Tariff on Foreign-Made Films
Altman Says GPT-5 Already Outpaces Him, Warns AI Could Automate 40% of Work
Singapore and Hong Kong Vie to Dominate Asia’s Rising Gold Trade
Trump Organization Teams with Saudi Developer on $1 Billion Trump Plaza in Jeddah
Manhattan Sees Surge in Office-to-Housing Conversions, Highest Since 2008
Switzerland and U.S. Issue Joint Assurance Against Currency Manipulation
Electronic Arts to Be Taken Private in Historic $55 Billion Buyout
Thomas Jacob Sanford Named as Suspect in Deadly Michigan Church Shooting and Arson
Russian Research Vessel 'Yantar' Tracked Mapping Europe’s Subsea Cables, Raising Security Alarms
New York Man Arrested After On-Air Confession to 2017 Parents’ Murders
U.S. Defense Chief Orders Sudden Summit of Hundreds of Generals and Admirals
Global Cruise Industry Posts Dramatic Comeback with 34.6 Million Passengers in 2024
Trump Claims FBI Planted 274 Agents at Capitol Riot, Citing Unverified Reports
India: Internet Suspended in Bareilly Amid Communal Clashes Between Muslims and Hindus
Supreme Court Extends Freeze on Nearly $5 Billion in U.S. Foreign Aid at Trump’s Request
Archaeologists Recover Statues and Temples from 2,000-Year-Old Sunken City off Alexandria
China Deploys 2,000 Workers to Spain to Build Major EV Battery Factory, Raising European Dependence
Speed Takes Over: How Drive-Through Coffee Chains Are Rewriting U.S. Coffee Culture
U.S. Demands Brussels Scrutinize Digital Rules to Prevent Bias Against American Tech
Ringo Starr Champions Enduring Beatles Legacy While Debuting Las Vegas Art Show
Private Equity’s Fundraising Surge Triggers Concern of European Market Shake-Out
Colombian President Petro Vows to Mobilize Volunteers for Gaza and Joins List of Fighters
FBI Removes Agents Who Kneeled at 2020 Protest, Citing Breach of Professional Conduct
Trump Alleges ‘Triple Sabotage’ at United Nations After Escalator and Teleprompter Failures
Shock in France: 5 Years in Prison for Former President Nicolas Sarkozy
Tokyo’s Jimbōchō Named World’s Coolest Neighbourhood for 2025
European Officials Fear Trump May Shift Blame for Ukraine War onto EU
BNP Paribas Abandons Ban on 'Controversial Weapons' Financing Amid Europe’s Defence Push
Typhoon Ragasa Leaves Trail of Destruction Across East Asia Before Making Landfall in China
The Personality Rights Challenge in India’s AI Era
Big Banks Rebuild in Hong Kong as Deal Volume Surges
Italy Considers Freezing Retirement Age at 67 to Avert Scheduled Hike
Italian City to Impose Tax on Visiting Dogs Starting in 2026
Arnault Denounces Proposed Wealth Tax as Threat to French Economy
Study Finds No Safe Level of Alcohol for Dementia Risk
Denmark Investigates Drone Incursion, Does Not Rule Out Russian Involvement
Lilly CEO Warns UK Is ‘Worst Country in Europe’ for Drug Prices, Pulls Back Investment
Nigel Farage Emerges as Central Force in British Politics with Reform UK Surge
Disney Reinstates ‘Jimmy Kimmel Live!’ after Six-Day Suspension over Charlie Kirk Comments
U.S. Prosecutors Move to Break Up Google’s Advertising Monopoly
Nvidia Pledges Up to $100 Billion Investment in OpenAI to Power Massive AI Data Center Build-Out
U.S. Signals ‘Large and Forceful’ Support for Argentina Amid Market Turmoil
Nvidia and Abu Dhabi’s TII Launch First AI-&-Robotics Lab in the Middle East
Vietnam Faces Up to $25 Billion Export Loss as U.S. Tariffs Bite
Europe Signals Stronger Support for Taiwan at Major Taipei Defence Show
Indonesia Court Upholds Military Law Amid Concerns Over Expanded Civilian Role
Larry Ellison, Michael Dell and Rupert Murdoch Join Trump-Backed Bid to Take Over TikTok
Trump and Musk Reunite Publicly for First Time Since Fallout at Kirk Memorial
Vietnam Closes 86 Million Untouched Bank Accounts Over Biometric ID Rules
×