Today, we look at the anti-money laundering framework in the whole European Union in a systemic way to learn the lessons and address the shortcomings.
We have a problem: Europol estimates that around 1% of Europe's wealth (GDP) is involved in suspect financial activity. That is the equivalent of the annual EU budget.
So, what we did today is firstly to assess the risks. We identified that the biggest risks are linked to anonymous transactions, like pre-paid cards, to virtual currencies and lack of transparency on beneficial ownership.
As a regulator, the Commission has already acted by strengthening the rules. We did the right thing, as the 4th and 5th anti-money laundering Directives address these new risks we identified.
Not all rules are applicable yet, as the latest update has to be transposed in January 2020 only.
So, I am not afraid to say that Europe has one of the strongest anti-money Laundering rules in place.
But then these rules also need to be vigorously enforced. We have used the past cases of money laundering scandals to look at the enforcement and the conclusion is that the Member States' supervisors and Financial Intelligence Units are not always doing enough, especially when it comes to cross-border cooperation.
The money flows very easily between EU countries' financial systems, so should the information between Financial Intelligence Units - but this is not always the case.
Also banks with branches in different Member States were not well supervised, as neither the supervisors in the host country nor in the country of origin would take the responsibility.
So we conclude that the enforcement is not proactive and dissuasive enough.
The banks also must do more. They were prioritising some of their other obligations but didn't look closely enough where the money comes from, especially following the crisis.
So, we have tried to address this, too, by playing our role as guardian of the Treaty and opening infringement procedures and by strengthening the role of the European Banking Authority by giving it the power to put in place a preventive and pro-active supervision.
The price of a failure is high and in each and every meeting I have with EU ministers on this issue I am reassured that the political will is growing to tackle this issue.
As the President-elect has indicated in her political guidelines supervision has to become more effective and remaining loopholes need to be filled, so I am sure the next Commission will continue to lead these efforts.
Finally, there is also an important external dimension to our anti-money laundering tool box, the identification of high-risk third countries.
Following the rejection of the Commission's list by the Council, we have worked on a refined methodology to address the concerns of the Member States. I will continue this work and will move it to the political level at the October ECOFIN Council. I will also discuss it with the EP.
We have also strengthened the Commission's activity in the Financial Action Task Force (FATF). In April, this taskforce agreed on a strategic review that will make its listing process more risk-based. And in June, FATF added Panama to its list of high-risk third countries, confirming the assessment we made in February.
But what's frustrating is the fact that Council and the European Parliament take very divergent approaches on this issue. The effect is that we are lagging behind as our latest update to the list comes from mid -2018.
I am determined to find a solution and I am hopeful that we can reach the agreement that would defend the EU financial system from the risks coming from outside the EU.
Allow me to conclude with a few words on data protection.
One year after the direct application of our new data protection regime, it is time to assess where we are.
There are three main conclusion from our assessment:
One: data protection finally matters and people are starting to care about their privacy.
Two: The EU is entering a digital era on a strong footing as data protection rules become an integral part of other policies, such as on Artificial Intelligence.
And three: Beyond Europe, our data protection rules open up possibilities for digital diplomacy to promote data flows based on high standards between countries that share EU values.
But we need to continue our work for the GDPR to become fully operational and effective. This is what this communication is all about.
We see that harmonisation of data protection rules across the EU is progressing, but we, the Commission, have to be vigilant so the Member States won't be tempted to take advantage of some specificities they could include in their national laws. We must avoid the so called gold-plating. The Commission will do its job of the guardian of the treaties vigorously on this front.
Then, we see that the majority of citizens know the rules. They know how to address their complaints to national data protection authority.
But we have to continue raising awareness so people get a better understanding of the risks, especially in the digital world.
Businesses complain much less, as they see that the doom scenarios of last spring did not materialise. They start to see advantages such as: increased security of data, lowering the costs of breaches, innovative privacy friendly solutions and finally, privacy by design as a competitive differentiator. More and more companies want to gain people's trust by respecting their privacy.
But still too many companies, especially SMEs, feel uncertain about the GDPR. That's why we continue to support the Data Protection Authorities with funds for campaigns and why we urge the European Data Protection Board to step up work on facilitating life for business by using innovative solutions such as standard contractual clauses, codes of conduct and certification. This is a toolbox GDPR offers to help with compliance and create more certainty for companies.
Finally, on the international stage GDPR has become a reference point of a modern and high digital standard. More and more countries in Asia, Latin America or Africa are adopting new laws or changing their existing ones and are taking the GDPR as a reference point. This is a true example of the EU as a rule maker and a standard setter.
The adequacy agreement with Japan next to the Trade Agreement is also something that other countries want to replicate. I went to Chile and Argentina 2 weeks ago: Chile is working on the first ever comprehensive data protection law taking inspiration from the GDPR and wants to engage in adequacy talks as soon as possible. Argentina is also changing their law. This is important in the context of our trade agreements with both countries.
In the future and building on the Japanese idea of Data Flows with Trust and on the Council of Europe Convention 108 I see scope for more multilateral rule-making in the area of privacy rules in the digital world. And the EU can be a leader in this process.
We promised one law, one continent. But we must not stand still. That is why the Communication contains a to-do list for everyone. For the Member States, for the European Data Protection Board and Data Protection Authorities, for the Commission. GDPR can only fully succeed if we have uniform application and robust enforcement across the EU and when we will develop an EU-wide culture in this area.
This will also be an important contribution for the review of the GDPR which the new Commission will have to do in 2020.