S.I. No. 22/2023 - European Union (Money Laundering and Terrorist Financing) (Use of Financial and Other Information) Regulations 2023


Notice of the making of this Statutory Instrument was published in “Iris Oifigiúil” of 7th February, 2023.

I, SIMON HARRIS, Minister for Justice, in exercise of the powers conferred on me by section 3 of the European Communities Act 1972 (No. 27 of 1972) and for the purpose of giving effect to Directive (EU) 2019/1153 of the European Parliament and of the Council of 20 June 2019¹, hereby make the following regulations:

1. (1) These Regulations may be cited as the European Union (Money Laundering and Terrorist Financing) (Use of Financial and Other Information) Regulations 2023.

(2) Regulations 4 to 7 shall come into operation on the date of the establishment of the Central Database under the Central Mechanism Regulations.

2. (1) In these Regulations, unless the context otherwise requires –

“Article 3(1) authorities” shall be construed in accordance with Regulation 3(1);

“Article 3(2) authorities” shall be construed in accordance with Regulation 3(2);

“Bank” means the Central Bank of Ireland;

“Central Database” shall be construed in accordance with the Central Mechanism Regulations;

“Central Mechanism” shall be construed in accordance with the Central Mechanism Regulations;

“Central Mechanism Regulations” means the European Union (Anti-Money Laundering: Central Mechanism for Information on Safe-Deposit Boxes and Bank and Payment Accounts) Regulations 2022 (S.I. No. 46 of 2022);

“Directive” means Directive (EU) 2019/1153 of the European Parliament and of the Council of 20 June 2019¹ laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, and repealing Council Decision 2000/642/JHA;

“Europol” means the body established under Article 1(1) of Regulation (EU) 2016/794;

“FIU Ireland” has the same meaning as it has in section 40A(2) of the Principal Act;

“money laundering” has the same meaning as it has in section 2(1) of the Principal Act;

“Principal Act” means the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010;

“Regulation (EU) 2016/794” means Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016² on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA.

(2) A word or expression that is used in these Regulations and that is also used in the Directive has, unless the context otherwise requires, the same meaning in these Regulations as it has in the Directive.

3. (1) The following (hereinafter referred to as “Article 3(1) authorities”) are designated for the purposes of Article 3(1) of the Directive:

(a) the Garda Síochána;

(b) FIU Ireland;

(c) the Criminal Assets Bureau.

(2) The following (hereinafter referred to as “Article 3(2) authorities”) are designated for the purposes of Article 3(2) of the Directive:

(a) the Garda Síochána;

(b) the Minister for Social Protection.

4. (1) Article 3(1) authorities may access and search, on a case-by-case basis and in a direct and immediate manner, bank account information when necessary for the performance of their tasks for the purposes of preventing, detecting, investigating or prosecuting a serious criminal offence or supporting a criminal investigation concerning a serious criminal offence, including the identification, tracing and freezing of the assets related to such investigation.

(2) The power in subsection (1) shall be exercised on behalf of the Article 3(1) authorities by the following persons:

(a) on behalf of the Garda Síochána, a member of the Garda Síochána –

(i) who is engaged in the prevention, detection, investigation or prosecution of a serious criminal offence or supporting a criminal investigation concerning a serious criminal offence as defined by Annex I to Regulation (EU) 2016/794, and

(ii) who was designated and authorised to exercise the power by a member of the Garda Síochána not below the rank of superintendent,

(b) on behalf of FIU Ireland, by a person appointed by the Commissioner of the Garda Síochána in that behalf as referred to in section 40A(2) of the Principal Act, and

(c) on behalf of the Criminal Assets Bureau, by an officer of the Criminal Assets Bureau, who –

(i) is of a grade not below that of Higher Executive Officer, or is a member of the Garda Síochána not below the rank of inspector, and

(ii) who was designated and authorised to exercise the power by a member of the Garda Síochána not below the rank of superintendent.

(3) Article 3(1) authorities shall ensure that –

(a) their officers and staff are –

(i) of high integrity,

(ii) appropriately skilled, and

(iii) maintain high professional standards of confidentiality and data protection, and

(b) the security of the bank account information that is accessed and searched in accordance with this Regulation is maintained to high technological standards.

(4) The Bank shall ensure that the security of the data that is available to be accessed and searched in accordance with this Regulation is maintained to high technological standards.

(5) In this Regulation “direct and immediate” includes the expeditious transmission by the Bank of the bank account information concerned by an automated mechanism to the Article 3(1) authorities, provided that no intermediary institution is able to interfere with the requested data or the information to be provided.

5. (1) The Bank shall keep a record of each time an Article 3(1) authority accesses or searches bank account information and the record shall include the following information:

(a) the national file reference;

(b) the date and time of the query or search;

(c) the type of data used to launch the query or search;

(d) the unique identifier of the results;

(e) the name of the authority consulting the registry;

(f) the unique user identifier of the official who made the query or performed the search and, where applicable, of the official who ordered the query or search and, insofar as is possible, the unique user identifier of the recipient of the results of the query or search.

(2) The records referred to in paragraph (1) –

(a) shall be checked on a regular basis by the data protection officers of the Central Database and the Central Mechanism, and

(b) shall be made available, on request, to the Data Protection Commission.

(3) The records referred to in paragraph (1) shall be –

(a) used only for –

(i) data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and

(ii) ensuring data security,

(b) protected by appropriate measures against unauthorised access, and

(c) erased five years after their creation, unless they are required for monitoring procedures that are ongoing.

(4) The Bank shall take appropriate measures, which shall include specialised training programmes, so that its staff are aware of applicable European Union and national law, including in relation to data protection.

(5) In this Regulation “data protection officer” has the same meaning as it has in section 88(1) of the Data Protection Act 2018.

6. Article 3(1) authorities –

(a) may reply to Europol to duly justified requests related to bank account information made by Europol on a case-by-case basis within the limits of Europol’s responsibilities and for the performance of Europol’s tasks, and

(b) shall ensure that replies to requests under paragraph (a) are made in accordance with Regulation (EU) 2016/794 electronically through –

(i) the information exchange network commonly known as SIENA, or its successor, in the language applicable to SIENA, or

(ii) where applicable, to the computer network commonly known as FIU.net, or its successor.

7. Article 3(1) authorities shall be under no obligation to comply with a request referred to in Regulation 6 where to do so would –

(a) be contrary to the essential interests of the security of the State,

(b) jeopardise the success of an ongoing investigation or the safety of an individual, or

(c) disclose information relating to organisations or specific intelligence activities in the field of national security,

but Article 3(1) authorities shall comply with the request as soon as the bank account information in question ceases to fall within the scope of paragraph (a), (b) or (c).

8. Section 24(1) of the Principal Act is amended by the insertion of the following definitions:

“ ‘Article 3(2) authorities’ means the authorities designated under Regulation 3(2) of the European Union (Money Laundering and Terrorist Financing) (Use of Financial and Other Information) Regulations 2023;

‘Directive (EU) 2019/1153’ means Directive (EU) 2019/1153 of the European Parliament and of the Council of 20 June 2019¹ laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, and repealing Council Decision 2000/642/JHA;

‘Europol’ means the body established under Article 1(1) of Regulation (EU) 2016/794;

‘FIU Ireland’ has the meaning assigned to it by section 40A(2);

‘Regulation (EU) 2016/794’ means Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016² on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA;”.

9. Section 40A of the Principal Act is amended –

(a) in subsection (1), by the substitution of “Directive and Directive (EU) 2019/1153” for “Directive”, and

(b) by the insertion of the following subsection after subsection (2):

“(3) In this Chapter the following have the same meaning as they have in Directive (EU) 2019/1153:

(a) associate predicate offences;

(b) financial analysis;

(c) financial information;

(d) serious criminal offences.”.

10. The Principal Act is amended by the insertion of the following section after section 40C:

Requests by FIU Ireland to Article 3(2) authorities

40CA. (1) An Article 3(2) authority shall reply, in a timely manner, to reasoned and necessary requests by a member of the Garda Síochána who is appointed to FIU Ireland, made on a case-by-case basis, for law enforcement information, where the information is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

(2) In this section –

‘law enforcement information’ has the same meaning as it has in Directive (EU) 2019/1153;

‘terrorist financing’ has the same meaning as it has in Directive (EU) 2019/1153.”.

11. The Principal Act is amended by the insertion of the following section after section 40D:

Requests by Article 3(2) authorities to FIU Ireland

40DA. (1) Subject to subsection (2), FIU Ireland shall cooperate with the Article 3(2) authorities and shall reply, in a timely manner, to reasoned and necessary requests by those authorities, made on a case-by-case basis, for financial information or financial analysis, where the requests are motivated by concerns relating to the prevention, detection, investigation or prosecution of serious criminal offences.

(2) FIU Ireland shall not be obliged to comply with requests referred to in subsection (1) –

(a) where, in the opinion of FIU Ireland, there are objective grounds for assuming that the provision of such information would have a negative impact on ongoing investigations or analyses, or

(b) in exceptional circumstances, where, in the opinion of FIU Ireland, disclosure of the information would be clearly disproportionate to the legitimate interests of a natural or legal person, or irrelevant with regard to the purposes for which it has been requested.

(3) The financial information or financial analysis obtained by an Article 3(2) authority as a result of a request referred to in subsection (1) may only be used for a purpose other than the purpose of the request where FIU Ireland has given its prior consent.

(4) Where FIU Ireland refuses to accede to a request referred to in subsection (1), it shall provide an appropriate explanation for the refusal to the Article 3(2) authority concerned.

(5) The Article 3(2) authorities may process the financial information and financial analysis received from FIU Ireland for the specific purposes of preventing, detecting, investigating or prosecuting serious criminal offences.”.

12. Section 40E of the Principal Act is amended by the insertion of the following subsection after subsection (3):

“(4) Without prejudice to subsection (1), in exceptional and urgent cases and insofar as is practicable in a prompt manner, FIU Ireland may exchange with other FIUs financial information or financial analysis that may be relevant for the processing or analysis of information related to terrorism or organised crime associated with terrorism.”.

13. The Principal Act is amended by the insertion of the following sections in Chapter 3 after section 40E:

Exchange of financial information or financial analysis

40F. (1) An Article 3(2) authority may share financial information or financial analysis obtained from FIU Ireland, upon request and on a case-by-case basis, with an authority in another Member State that has been designated by that Member State under Article 3(2) of Directive (EU) 2019/1153, where that financial information or financial analysis is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

(2) Any –

(a) dissemination of financial information or financial analysis obtained by an Article 3(2) authority from FIU Ireland to any other authority, agency or department, or

(b) use of that information or analysis for purposes other than those for which the information was originally provided by FIU Ireland,

shall be subject to the prior consent of FIU Ireland.

(3) An Article 3(2) authority may request from an authority in another Member State that has been designated by that Member State under Article 3(2) of Directive (EU) 2019/1153, on a case-by-case basis, financial information or financial analysis that was obtained from the Financial Intelligence Unit in that Member State, where the financial information or financial analysis is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

(4) An Article 3(2) authority that receives financial information or financial analysis pursuant to a request under subsection (3) shall use that information or analysis only for the purpose for which it was sought or provided.

(5) FIU Ireland and Article 3(2) authorities shall ensure that financial information and financial analysis requested or shared under this section shall be transmitted using dedicated secure electronic communications ensuring a high level of data security.

(6) In this section ‘terrorist financing’ has the same meaning as it has in Directive (EU) 2019/1153.

Exchange of information between Europol and FIU Ireland

40G. (1) FIU Ireland may reply to Europol to duly justified requests related to financial information and financial analysis made by Europol on a case-by-case basis within the limits of Europol’s responsibilities and for the performance of Europol’s tasks.

(2) FIU Ireland shall be under no obligation to comply with a request referred to in subsection (1) where there are objective grounds for assuming that the provision of the financial information and financial analysis to which the request relates would have a negative impact on ongoing investigations or analyses, or, in exceptional circumstances, where disclosure of the information and analysis would be clearly disproportionate to the legitimate interests of a natural or legal person or irrelevant with regard to the purposes for which it has been requested.

(3) FIU Ireland shall be under no obligation to comply with a request referred to in subsection (1) where to do so would –

(a) be contrary to the essential interests of the security of the State,

(b) jeopardise the success of an ongoing investigation or the safety of an individual, or

(c) disclose information relating to organisations or specific intelligence activities in the field of national security,

but FIU Ireland shall comply with the request as soon as the financial information or financial analysis in question ceases to fall within the scope of paragraphs (a), (b) or (c).

(4) FIU Ireland shall –

(a) provide an appropriate explanation to Europol for any failure to comply with a request made under subsection (1),

(b) ensure that requests under subsection (1) are dealt with in a timely manner, and in any event no later than requests from FIUs (as referred to in section 40A(1)) in other Member States, and

(c) ensure that replies to requests under subsection (1) are made in accordance with Regulation (EU) 2016/794 electronically through –

(i) the information exchange network commonly known as SIENA, or its successor, in the language applicable to SIENA, or

(ii) where applicable, to the computer network commonly known as FIU.net, or its successor.

Processing of certain special categories of personal data

40H. (1) Article 3(2) authorities and FIU Ireland shall, in respect of information exchanged pursuant to section 40CA, section 40DA, section 40E(4), section 40F and section 40G, ensure that only staff who have been specifically trained and specifically authorised may process the following special categories of personal data under the guidance of a data protection officer:

(a) personal data revealing –

(i) the racial or ethnic origin of the data subject,

(ii) the political opinions or the religious or philosophical beliefs of the data subject, or

(iii) whether the data subject is a member of a trade union;

(b) data concerning health;

(c) personal data concerning an individual’s sex life or sexual orientation.

(2) In this section the following expressions shall have the meaning that they have in section 69 of the Data Protection Act 2018:

‘data subject’;

‘personal data’;

‘processing’;

‘special categories of personal data’.

Records of certain information requests

40I. (1) Article 3(2) authorities and FIU Ireland shall keep records of requests made and received under section 40CA, section 40DA, section 40E(4), section 40F and section 40G.

(2) The records made shall include –

(a) the name and contact details of the organisation and of the staff member requesting the information and, as far as possible, of the recipient of the results of the query or search,

(b) the reference to the national case in relation to which the information is requested,

(c) the subject matter of the requests, and

(d) any executing measures of such requests.

(3) The records shall be –

(a) kept for a period of five years after their creation, and

(b) used solely for the purpose of checking the lawfulness of the processing of personal data.

(4) Article 3(2) authorities and FIU Ireland shall make all records available to the Data Protection Commission upon its request.”.

14. Regulation 3 of the Central Mechanism Regulations is amended –

(a) in subsection (2) –

(i) paragraph (c), by the substitution of “Database;” for “Database.”, and

(ii) by the insertion of the following paragraph after paragraph (c):

“(d) enabling FIU Ireland, the Criminal Assets Bureau and the Garda Síochána to access and search bank account information from the Central Database in accordance with Regulation 4 of the European Union (Money Laundering and Terrorist Financing) (Use of Financial and Other Information) Regulations 2023.”, and

(b) in subsection (3)(a), by the substitution of “Regulations and the European Union (Money Laundering and Terrorist Financing) (Use of Financial and Other Information) Regulations 2023” for “Regulations”.

GIVEN under my Official Seal,

2 February, 2023.

SIMON HARRIS,

Minister for Justice.

¹ OJ No. L 186, 11.7.2019, p. 122.

² OJ No. L 135, 24.5.2016, p. 53.