Proceedings [DEU] ¦ AML: Blacklist of an Online Bank

Rewriting the Rules: When “Blacklists” Cross the Line in AML Compliance

A former customer applied to reopen an account with an online bank. The bank refused. It then admitted it was systematically blocking all former customers by retaining their personal data in a “blacklist” (a warning file) to prevent any new account openings. The stated rationale: obligations under the German Banking Act (Kreditwesengesetz, KWG) to implement safety measures against money laundering risks.

Where Compliance Meets Illegality

The bank claimed it could not, at present, distinguish between former customers who were money-laundering suspects and those who were not. As a result, it defaulted to a blanket denial and data matching against all ex-customers. This practice is unlawful. Under data protection principles, personal data of former customers must be erased, or — where statutory retention applies — securely blocked, not repurposed for generalized denial decisions. Only individuals with an actual suspicion of money laundering, or other compelling, well-documented reasons, may be included in a file designed to prevent future banking relationships.

Bastian Schwind-Wagner: "The blanket blacklisting of former customers under the guise of AML is unlawful and undermines risk-based compliance. Banks must erase or lawfully block ex-customer data and restrict denial decisions to documented suspicions or compelling risk factors."

Why It Matters for Financial Crime Controls

Effective anti-money laundering (AML) is risk-based, not suspicion-agnostic. Overbroad blacklists erode due process, contravene data protection law, and undermine trust without improving financial crime prevention. They also expose institutions to regulatory sanctions and reputational damage. In this case, the bank acknowledged its error, committed to promptly changing its procedure, and nevertheless faces administrative offense proceedings. The lesson is clear: compliance does not excuse indiscriminate data retention or blanket exclusions.

Better Practice Standards

Banks should:

  • Maintain accurate, current risk assessments grounded in specific indicators.
  • Apply targeted screening criteria tied to concrete suspicion or documented risk factors.
  • Erase or lawfully block former-customer data, avoiding secondary use without a legal basis.
  • Document decision rationales and enable case-by-case review.

Conclusion

A blacklist for former customers against whom there are no grounds for suspicion is unlawful.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • Stiftung Datenschutz ¦ datenschutzarchiv.org; TB LfD Berlin 2018, page 131
About the author
Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.