Judgment of the Court (Fifth Chamber) of 10 March 2016. Safe Interenvios, SA v Liberbank, SA and Others.
C-235/14 • 62014CJ0235 • ECLI:EU:C:2016:154
- Inbound citations: 50
- •
- Cited paragraphs: 20
- •
- Outbound citations: 60
JUDGMENT OF THE COURT (Fifth Chamber)
10 March 2016 ( *1 )
‛Reference for a preliminary ruling — Prevention of the use of the financial system for the purpose of money laundering and terrorist financing — Directive 2005/60/EC — Customer due diligence measures — Directive 2007/64/EC — Payment services in the internal market’
In Case C‑235/14,
REQUEST for a preliminary ruling under Article 267 TFEU from the Audiencia Provincial de Barcelona (Provincial Court, Barcelona, Spain), made by decision of 7 May 2014, received at the Court on 13 May 2014, in the proceedings
Safe Interenvíos SA
v
Liberbank SA,
Banco de Sabadell SA,
Banco Bilbao Vizcaya Argentaria SA,
THE COURT (Fifth Chamber),
composed of T. von Danwitz, President of the Fourth Chamber, acting as President of the Fifth Chamber, D. Šváby, A. Rosas (Rapporteur), E. Juhász and C. Vajda, Judges,
Advocate General: E. Sharpston,
Registrar: M. Ferreira, Principal Administrator,
having regard to the written procedure and further to the hearing on 6 May 2015,
after considering the observations submitted on behalf of:
—
Safe Interenvíos SA, by A. Selas Colorado and D. Solana Giménez, abogados,
—
Banco Bilbao Vizcaya Argentaria SA, by J.M. Rodríguez Cárcamo and B. García Gómez, abogados,
—
the Spanish Government, by A. Rubio González and A. Gavela Llopis, acting as Agents,
—
the Portuguese Government, by L. Inez Fernandes, M. Rebelo and G. Miranda, acting as Agents,
—
the European Commission, by J. Rius and I.V. Rogalski, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 3 September 2015,
gives the following
Judgment
1This request for a preliminary ruling concerns the interpretation of Article 11(1), read in conjunction with Articles 5, 7 and 13, of Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing ( OJ 2005 L 309, p. 15 ) as amended by Directive 2010/78/EU of the European Parliament and of the Council of 24 November 2010 ( OJ 2010 L 331, p. 120 ) (‘the Money Laundering Directive’).
2The request has been made in proceedings between Safe Interenvíos SA (‘Safe’), a payment institution, and Liberbank SA (‘Liberbank’), Banco de Sabadell (‘Sabadell’) and Banco Bilbao Vizcaya Argentaria SA (‘BBVA’), three credit institutions (collectively ‘the banks’), concerning the closure by the banks of the accounts held by Safe because they suspected money laundering.
Legal context
EU law
The Money Laundering Directive
3As stated in recital 5 of the Money Laundering Directive, measures adopted in the field of money laundering and terrorist financing ‘should … be consistent with other action undertaken in other international fora’ and ‘take particular account of the Recommendations of the Financial Action Task Force (hereinafter referred to as the FATF), which constitutes the foremost international body active in the fight against money laundering and terrorist financing. Since the FATF Recommendations were substantially revised and expanded in 2003, this Directive should be in line with that new international standard’.
4Recital 10 of the Money Laundering Directive is worded as follows:
‘The institutions and persons covered by this Directive should … identify and verify the identity of the beneficial owner. To fulfil this requirement, it should be left to those institutions and persons whether they make use of public records of beneficial owners, ask their clients for relevant data or obtain the information otherwise, taking into account the fact that the extent of such customer due diligence measures relates to the risk of money laundering and terrorist financing, which depends on the type of customer, business relationship, product or transaction.’
5Recitals 22 and 24 of the Money Laundering Directive state:
Loading citations...‘(22)
It should be recognised that the risk of money laundering and terrorist financing is not the same in every case. In line with a risk-based approach, the principle should be introduced into Community legislation that simplified customer due diligence is allowed in appropriate cases.
...
(24)
Equally, Community legislation should recognise that certain situations present a greater risk of money laundering or terrorist financing. Although the identity and business profile of all customers should be established, there are cases where particularly rigorous customer identification and verification procedures are required.’
6Recital 33 of the Money Laundering Directive states that disclosure of information as referred to in Article 28 of the directive should be in accordance with the rules on transfer of personal data to third countries as laid down in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( OJ 1995 L 281, p. 31 ; ‘the Personal Data Directive’) and that, moreover, Article 28 cannot interfere with national data protection and professional secrecy legislation.
7Recital 48 of the Money Laundering Directive states that the directive respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union (‘the Charter’) and should not be interpreted or implemented in a manner that is inconsistent with the European Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950.
8Article 1(1) and (2) of the Money Laundering Directive provides:
‘1. Member States shall ensure that money laundering and terrorist financing are prohibited.
2. For the purposes of this Directive, the following conduct, when committed intentionally, shall be regarded as money laundering:
(a)
the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such activity to evade the legal consequences of his action;
(b)
the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of property, knowing that such property is derived from criminal activity or from an act of participation in such activity;
(c)
the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such activity;
(d)
participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions mentioned in the foregoing points.’
9The Money Laundering Directive, as Article 2(1) provides, applies to credit institutions, financial institutions and various legal or natural persons acting in the exercise of their professional activities.
10Article 3(1) of the Money Laundering Directive defines a ‘credit institution’ by reference to the definition of the same term in the first subparagraph of Article 1(1) of Directive 2000/12/EC of the European Parliament and of the Council of 20 March 2000 relating to the taking up and pursuit of the business of credit institutions ( OJ 2000 L 126, p. 1 ), that is to say, as ‘an undertaking whose business is to receive deposits or other repayable funds from the public and to grant credits for its own account’.
11Under Article 3(2)(a) of the Money Laundering Directive, the definition of a ‘financial institution’ includes ‘an undertaking, other than a credit institution, which carries out one or more of the operations included in points 2 to 12 and points 14 and 15 of Annex I to Directive 2006/48/EC’ of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions ( OJ 2006 L 177, p. 1 ) as amended by Directive 2009/111/EC of the European Parliament and of the Council of 16 September 2009 ( OJ 2009 L 302, p. 97 ). That list of activities includes, in point 4 of the annex, ‘payment services as defined in Article 4(3) of Directive 2007/64/EC’ of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC ( OJ 2007 L 319, p. 1 ) as amended by Directive 2009/111 (‘the Payment Services Directive’) and, in point 5 of the annex, ‘issuing and administering other means of payment … in so far as this activity is not covered by point 4’.
12Article 5 of the Money Laundering Directive provides that ‘the Member States may adopt or retain in force stricter provisions in the field covered by this Directive to prevent money laundering and terrorist financing’.
13Chapter II of the Money Laundering Directive, headed ‘Customer due diligence’, includes, in Articles 6 to 10, general provisions concerning standard customer due diligence, in Articles 11 to 12, specific provisions relating to simplified customer due diligence and, in Article 13, specific provisions relating to enhanced customer due diligence.
14By virtue of Article 7 of the Money Laundering Directive, the institutions and persons covered by the directive are to apply customer due diligence measures when establishing a business relationship, when carrying out occasional transactions amounting to EUR 15000 or more, when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold, and when there are doubts about the veracity or adequacy of previously obtained customer identification data.
15As set out in Article 8 of the Money Laundering Directive:
‘1. Customer due diligence measures shall comprise:
(a)
identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
(b)
identifying, where applicable, the beneficial owner and taking risk-based and adequate measures to verify his identity ...
(c)
obtaining information on the purpose and intended nature of the business relationship;
(d)
conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship ...
2. The institutions and persons covered by this Directive shall apply each of the customer due diligence requirements set out in paragraph 1, but may determine the extent of such measures on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction. The institutions and persons covered by this Directive shall be able to demonstrate to the competent authorities … that the extent of the measures is appropriate in view of the risks of money laundering and terrorist financing.’
16Article 9(1), (5) and (6) of the Money Laundering Directive provides:
‘1. Member States shall require that the verification of the identity of the customer and the beneficial owner takes place before the establishment of a business relationship or the carrying-out of the transaction.
...
5. Member States shall require that, where the institution or person concerned is unable to comply with points (a), (b) and (c) of Article 8(1), it may not carry out a transaction through a bank account, establish a business relationship or carry out the transaction, or shall terminate the business relationship, and shall consider making a report to the financial intelligence unit (FIU) in accordance with Article 22 in relation to the customer.
...
6. Member States shall require that institutions and persons covered by this Directive apply the customer due diligence procedures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis.’
17Article 11(1) of the Money Laundering Directive states:
‘By way of derogation from Articles 7(a), (b) and (d), 8 and 9(1), the institutions and persons covered by this Directive shall not be subject to the requirements provided for in those Articles where the customer is a credit or financial institution covered by this Directive, or a credit or financial institution situated in a third country which imposes requirements equivalent to those laid down in this Directive and supervised for compliance with those requirements.’
18Article 11(2) of the Money Laundering Directive provides for other circumstances in which, by way of derogation from Articles 7(a), (b) and (d), 8 and 9(1), the Member States may allow the institutions and persons covered by the directive not to apply standard customer due diligence. Under Article 11(3), institutions and persons covered by the directive are in any case to gather sufficient information to establish if the customer qualifies for an exemption as mentioned in Article 11(1) and (2).
19Article 13(1) of the Money Laundering Directive provides:
‘Member States shall require the institutions and persons covered by this Directive to apply, on a risk-sensitive basis, enhanced customer due diligence measures, in addition to the measures referred to in Articles 7, 8 and 9(6), in situations which by their nature can present a higher risk of money laundering or terrorist financing, and at least in the situations set out in paragraphs 2, 3, 4 and in other situations representing a high risk of money laundering or terrorist financing which meet the technical criteria established in accordance with Article 40(1)(c).’
20Article 13(2) to (4) of the Money Laundering Directive relates to situations in which the customer is not physically present for the purpose of his identification, to cases of cross-frontier correspondent banking relationships with respondent institutions from third countries and to transactions or business relationships with politically exposed persons residing in a Member State other than the Member State concerned or in a third country. Specific enhanced customer due diligence measures or examples of appropriate measures are listed for those situations.
21Under Article 20 of the Money Laundering Directive, the Member States must require that the institutions and persons covered by the directive pay special attention to any activity which they regard as particularly likely, by its nature, to be related to money laundering or terrorist financing.
22Article 22 of the Money Laundering Directive, which, together with Article 23, imposes reporting obligations, requires the institutions and persons covered by the directive, and where applicable their directors and employees, to cooperate fully, in particular by promptly informing the financial intelligence unit, on their own initiative, where the institution or person covered by the directive knows, suspects or has reasonable grounds to suspect that money laundering or terrorist financing is being or has been committed or attempted.
23Article 28 of the Money Laundering Directive prohibits the institutions and persons covered by the directive and their directors and employees from disclosing to the customer concerned or to other third persons the fact that information has been transmitted in accordance with Articles 22 and 23 or that a money laundering or terrorist financing investigation is being or may be carried out.
24As set out in Article 34(1) of the Money Laundering Directive, the Member States must require that the institutions and persons covered by the directive establish adequate and appropriate policies and procedures regarding customer due diligence, reporting, record keeping, internal control, risk assessment, risk management, compliance management and communication in order to forestall and prevent operations related to money laundering or terrorist financing.
25Article 37 of the Money Laundering Directive, which, together with Article 36, concerns supervision, provides in paragraph 1 that the Member States are to require the competent authorities at least to effectively monitor, and to take the necessary measures with a view to ensuring, compliance with the requirements of the directive by all the institutions and persons covered by it.
The Payment Services Directive
26The Payment Services Directive lays down, in particular, the rules enabling six categories of payment service provider to be distinguished, categories which include credit institutions within the meaning of Article 4(1)(a) of Directive 2006/48 as amended by Directive 2009/111 and payment institutions within the meaning of the Payment Services Directive.
27Article 4 of the Payment Services Directive, headed ‘Definitions’, provides:
‘For the purposes of this Directive, the following definitions shall apply:
...
3.“payment service” means any business activity listed in the Annex [which includes the execution of payment transactions];
4.“payment institution” means a legal person that has been granted authorisation in accordance with Article 10 [which requires undertakings that intend to provide payment services to obtain authorisation as a payment institution before commencing the provision of payment services] to provide and execute payment services throughout the Community;
...
22.“agent” means a natural or legal person which acts on behalf of a payment institution in providing payment services;
...’
28In accordance with Article 5(f) of the Payment Services Directive, an application for authorisation as a payment institution must be accompanied by a number of documents, including ‘a description of the internal control mechanisms which the applicant has established in order to comply with obligations in relation to money laundering and terrorist financing under [the Money Laundering Directive]’. Article 10(2) of the Payment Services Directive provides that an authorisation is to be granted ‘if the information and evidence accompanying the application complies with all the requirements under Article 5 and if the competent authorities’ overall assessment, having scrutinised the application, is favourable’. Under Article 12(1) of the Payment Services Directive, the authorisation may be withdrawn only in specified circumstances, including, pursuant to Article 12(1)(c), where the payment institution no longer fulfils the conditions for granting the authorisation.
29As set out in Article 17(1) of the Payment Services Directive, when a payment institution intends to provide payment services through an agent it is to communicate to the competent authorities in its home Member State certain information enabling that agent to be listed in the public register of authorised payment institutions, their agents and branches which is provided for in Article 13 of the directive. That information is to include the name and address of the agent concerned and a description of the internal control mechanisms that will be used by agents in order to comply with the obligations in relation to money laundering and terrorist financing under the Money Laundering Directive.
30Pursuant to the first subparagraph of Article 20(1) of the Payment Services Directive, the Member States are to designate as the competent authorities responsible for the authorisation and prudential supervision of payment institutions ‘either public authorities, or bodies recognised by national law or by public authorities expressly empowered for that purpose by national law, including national central banks’. As provided in the second subparagraph of Article 20(1), those ‘competent authorities shall guarantee independence from economic bodies and avoid conflicts of interest. Without prejudice to the first subparagraph, payment institutions, credit institutions, electronic money institutions, or post office giro institutions shall not be designated as competent authorities’.
31Article 21 of the Payment Services Directive, headed ‘Supervision’, provides:
‘1. Member States shall ensure that the controls exercised by the competent authorities for checking continued compliance with this Title [headed “Payment service providers”] are proportionate, adequate and responsive to the risks to which payment institutions are exposed.
In order to check compliance with this Title, the competent authorities shall be entitled to take the following steps, in particular:
(a)
to require the payment institution to provide any information needed to monitor compliance;
(b)
to carry out on-site inspections at the payment institution, at any agent or branch providing payment services under the responsibility of the payment institution, or at any entity to which activities are outsourced;
(c)
to issue recommendations, guidelines and, if applicable, binding administrative provisions; and
(d)
to suspend or withdraw authorisation in cases referred to in Article 12.
2. ... the Member States shall provide that their respective competent authorities, may, as against payment institutions or those who effectively control the business of payment institutions which breach laws, regulations or administrative provisions concerning the supervision or pursuit of their payment service business, adopt or impose in respect of them penalties or measures aimed specifically at ending observed breaches or the causes of such breaches.
...’
32Article 79 of the Payment Services Directive, headed ‘Data protection’, provides that ‘Member States shall permit the processing of personal data by payment systems and payment service providers when this is necessary to safeguard the prevention, investigation and detection of payment fraud. The processing of such personal data shall be carried out in accordance with [the Personal Data Directive]’.
Spanish law
33Law 10/2010 on the prevention of money laundering and terrorist financing (Ley 10/2010 de prevención del blanqueo de capitales y de la financiación del terrorismo) of 28 April 2010 (BOE No 103 of 29 April 2010, p. 37458), which transposes the Money Laundering Directive into Spanish law, distinguishes between three types of customer due diligence measures, namely standard customer due diligence measures in Articles 3 to 6 of that law, simplified customer due diligence measures in Article 9 and enhanced customer due diligence measures, in Article 11.
34The standard customer due diligence measures include, as Articles 3 to 6 of Law 10/2010 respectively provide, formally identifying the persons concerned, identifying the beneficial owner, obtaining information on the purpose and intended nature of the business relationship and ongoing monitoring of the business relationship.
35Article 7(1) of Law 10/2010 states:
‘Persons subject to this law shall apply each of the due diligence measures prescribed in the preceding articles, but they may determine the extent to which the measures contained in Articles 4, 5 and 6 are applied on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction, that information being contained in the express customer-acceptance policy ...
Persons covered by this law must be capable of demonstrating to the competent authorities that the scope of the measures adopted is appropriate in the light of the risk of money laundering and terrorist financing, by means of a prior risk analysis which must in any event be in writing.
Persons subject to this law shall apply the due diligence measures in any event when there are signs of money laundering or terrorist financing, regardless of any derogation, exemption or threshold, or when there are doubts about the veracity or adequacy of previously obtained data.’
36Under Article 7(3), persons subject to Law 10/2010 may not start a business relationship or carry out a transaction if they cannot apply the customer due diligence measures provided for by that law. If such impossibility arises during the course of the business relationship, they are to terminate that relationship.
37Article 9 of Law 10/2010 provides:
‘1. Without prejudice to the provisions contained in the third subparagraph of Article 7(1), persons subject to this law are authorised not to apply the due diligence measures provided for in Articles 3(2), 4, 5 and 6 in respect of the following customers:
...
(b)
financial institutions having their seat in the European Union, or in equivalent third countries, which are subject to supervision for the purpose of ensuring compliance with due diligence measures.
...
The Minister for Economic Affairs and Finance may by order preclude the application of simplified due diligence measures in respect of certain customers.
2. The application of simplified due diligence measures in respect of other customers involving a low risk of money laundering and terrorist financing may be authorised by way of regulation.
3. Persons subject to this law must in any event gather sufficient information to determine whether the customer may be covered by one of the exceptions provided for by this article.’
38Article 11 of Law 10/2010 states:
‘Persons subject to this law shall apply, in addition to the standard due diligence measures, enhanced measures in the cases referred to in this section and in all the other cases specified by way of regulation on account of the high risk of money laundering or terrorist financing that they present.
Persons subject to this law shall also apply, on a risk-sensitive basis, enhanced due diligence measures in situations which by their nature can present a higher risk of money laundering or terrorist financing. Activities of private banks, money remittance services and foreign currency exchange transactions shall in any event be regarded as presenting such a risk.
Enhanced due diligence measures required in sectors or fields presenting a higher risk of money laundering or terrorist financing may be specified by way of regulation.’
The dispute in the main proceedings and the questions referred for a preliminary ruling
39Safe is a company that transfers customers’ funds to Member States other than the Member State in which it is established and to third countries through accounts which it holds with credit institutions.
40After discovering irregularities regarding the agents who transferred funds through the accounts which Safe held with the banks, the latter requested information from Safe, pursuant to Law 10/2010. When Safe refused to provide them with that information, the banks closed the accounts which it held with them.
41It is apparent from the documents submitted to the Court that on 11 May 2011 BBVA disclosed those irregularities to the Executive Service of the Commission for the Prevention of Money Laundering and Financial Crime of the Bank of Spain (Servicio Ejecutivo de la Comisión de Prevención de Blanqueo de Capitales e Infracciones Monetarias del Banco de España; ‘Sepblac’), stating that it suspected Safe of money laundering. On 22 July 2011, BBVA notified Safe of the irrevocable closure of its account.
42Safe challenged BBVA’s decision to close its account and similar decisions by the other two banks before the Juzgado de lo Mercantil No 5 de Barcelona (Commercial Court No 5, Barcelona), on the ground that closure of the accounts was an act of unfair competition which prevented it from operating normally by transferring funds to States other than the State in which it is established. Safe submitted that it was legally required to have an account with a banking institution in order to be able to carry out such transfers of funds — operations which it performed at the banks — and that it competed with the banks in the market. It also contended that the banks had asked it to provide data relating to its customers and the origin and destination of the funds, on the pretext of the provisions of Law 10/2010, a contention which the banks dispute, and that providing the banks with that information was contrary to national data protection legislation.
43The banks responded that the measures adopted were in accordance with Law 10/2010, were justified, in particular because of the risk connected with the transfer of funds by an institution to States other than the State in which it is established, and were not contrary to competition law.
44On 25 September 2012, the Juzgado de lo Mercantil No 5 de Barcelona (Commercial Court No 5, Barcelona) dismissed Safe’s action. It held that the banks were entitled to ask Safe to adopt enhanced customer due diligence measures and to provide data relating to its customers, provided that they had detected in Safe’s conduct signs of infringement of Law 10/2010.
45It examined in each specific case whether the banks’ conduct was justified. It held that none of the banks had infringed any specific prohibition of anti-competitive conduct, but that Sabadell and Liberbank, unlike BBVA, had acted unfairly by failing to set out the reasons for the measures adopted. On the other hand, it held that BBVA’s conduct was justified because it was based on checks which showed that 22% of transfers made through Safe’s accounts during the period from 1 September to 30 November 2010 were not carried out by agents who had been authorised by Safe and were listed with the Bank of Spain. Moreover, during that period transfers were made by 1291 persons, which far exceeded the number of Safe’s agents. In addition, an expert report had highlighted the risks of transfers not conducted by identified agents.
46Safe, Sabadell and Liberbank appealed against that judgment to the Audiencia Provincial de Barcelona (Provincial Court, Barcelona), which is hearing the three appeals together.
47The referring court states that all the parties involved are subject to Law 10/2010, as they fall within the categories referred to in Article 2 of that law, which include credit institutions and payment institutions. Furthermore, all the parties compete on the market and carry out the same activity of transferring funds to States other than the State in which they are established. However, payment institutions such as Safe must carry out that activity through accounts opened with credit institutions, such as the banks.
48Before the referring court, Safe argues, first, that BBVA was not required to adopt customer due diligence measures where the customers are financial institutions because the latter are supervised directly by the public authorities, in this instance by the Bank of Spain. Secondly, in Spain only Sepblac may access data relating to the customers of payment institutions. Thirdly, even if BBVA was required to adopt such due diligence measures, it had to conduct a detailed and exhaustive study of Safe’s policy for complying with the relevant legislation prior to adopting them. In the present case, BBVA had merely requested an expert report which had been prepared using BBVA’s data. Fourthly, Law 10/2010 does not apply to persons, such as agents, offering support to financial institutions for the transfer of funds.
49Before the referring court, Sabadell advances the fact that the judgment of the Juzgado de lo Mercantil No 5 de Barcelona (Commercial Court No 5, Barcelona) accepted that Sabadell could in principle adopt enhanced customer due diligence measures but held that it could not do so in this case. Liberbank argues that closing the account held by Safe was justified because Safe had failed to provide the information requested.
50The referring court considers that three main questions are raised in relation to the interpretation of Article 11(1) of the Money Laundering Directive.
51First, the question is raised whether, in the light of Article 5 of the Money Laundering Directive, which authorises the Member States to adopt or retain in force stricter provisions in the field covered by the directive to prevent money laundering and terrorist financing, the national legislature may be regarded as authorised to transpose the exception or derogation laid down in Article 11(1) of the directive in terms other than those used in the exception or derogation itself. Article 9(1)(b) of Law 10/2010 provides that persons subject to that law ‘are authorised not to apply [standard] due diligence measures’ in respect of customers which are financial institutions having their seat in the European Union, or in equivalent third countries, which are subject to supervision for the purpose of ensuring compliance with customer due diligence measures.
52Secondly, interpretation of Article 11(1) of the Money Laundering Directive, read in conjunction with Article 7 thereof, gives rise to the question whether the EU legislature intended to lay down a genuine unconditional exception to the obligation on credit institutions to adopt customer due diligence measures when their customers are payment institutions themselves covered by the directive, on account of their status as financial institutions subject to their own supervision system.
53Thirdly, the question is raised whether the exception laid down in that provision encompasses exclusively due diligence measures or also extends to enhanced due diligence measures.
54Further questions are raised in the alternative, should Article 11(1) of the Money Laundering Directive be interpreted as entitling financial institutions to adopt due diligence measures or enhanced due diligence measure or even as obliging them to do so, whether on the basis of EU legislation or of national legislation.
55Those further questions concern, first, the relationship between Article 11(1) of the Money Laundering Directive and Article 21 of the Payment Services Directive and are designed to determine the limits of the due diligence measures and enhanced due diligence measure that banking institutions are, as the case may be, capable of applying in respect of payment institutions. They concern, secondly, whether the provision by payment institutions to credit institutions of data relating to the payment institutions’ customers is compatible with EU law, in particular with the Personal Data Directive.
56In those circumstances the Audiencia Provincial de Barcelona (Provincial Court, Barcelona) decided to stay proceedings and to refer the following questions to the Court for a preliminary ruling:
‘(1)
On the interpretation of Article 11(1) of [the Money Laundering Directive]:
(a)
If this provision is read in conjunction with Article 7 of that directive, was it the EU legislature’s intention to establish a genuine derogation from the possibility that credit institutions may adopt due diligence measures when their customers are themselves payment institutions in turn subject to their own supervision system, or is it simply an authorisation to derogate?
(b)
If this provision is read in conjunction with Article 5 of that directive, may the national legislature transpose the derogation laid down in the provision concerned in terms other than the actual wording thereof?
(c)
Does the derogation contained in Article 11(1) apply to enhanced due diligence measures too in the same terms as it applies to due diligence measures?
(2)
In the alternative, should the reply to the above questions confirm that credit institutions may adopt due diligence measures and enhanced due diligence measures in relation to payment institutions:
(a)
How far does the possibility that credit institutions may supervise the operations of payment institutions extend? Can they be deemed to be authorised under the provisions of [the Money Laundering Directive] to supervise the due diligence procedures and measures adopted in turn by payment institutions or does that power belong exclusively to the public institutions referred to in [the Payment Services Directive], in the present case, the Banco de España (Bank of Spain)?
(b)
Does the application of that right of credit institutions to adopt measures require any special justification that may be deduced from the acts of the payment institution or may those measures instead be adopted generally, simply on account of the fact that the payment institution carries out a risky activity such as the sending of remittances abroad?
(c)
If it is held that a specific justification is required in order for credit institutions to be able to adopt due diligence measures in relation to payment institutions:
(i)
What is the relevant conduct that a bank must bear in mind for the purposes of adopting due diligence measures?
(ii)
Can a credit institution be considered authorised to assess, for that purpose, the due diligence measures which a payment institution applies in its procedures?
(iii)
Does the exercise of that power require the bank to have identified in a payment institution’s operations conduct leading it to suspect collaboration in money laundering activities or in terrorist financing?
(3)
In addition, if it should be held that credit institutions are authorised to adopt enhanced due diligence measures in relation to payment institutions:
(a)
Is it acceptable that those measures may include a measure requiring payment institutions to provide identification data for all their customers from whom the funds remitted originate, and the identities of the recipients?
(b)
Is the obligation of payment institutions to provide their customers’ data to credit institutions with which they are forced to operate and with which they also compete on the market compatible with [the Personal Data Directive]?’
Consideration of the questions referred
Question 1
57First of all, it should be noted that it appears from the documents submitted to the Court that BBVA began to suspect money laundering or terrorist financing after discovering irregularities in the information relating to the agents who transferred funds through the account which Safe held with it. BBVA requested information from Safe pursuant to Law 10/2010 and, after Safe refused to provide that information, closed its account. Whilst Article 9 of that law authorises the application of simplified customer due diligence measures in so far as the customers are financial institutions whose compliance with due diligence measures is supervised, under Article 11 of the law enhanced customer due diligence measures must be adopted in situations which, on the basis of a risk analysis, can present a higher risk of money laundering or terrorist financing. The situations which by their nature present such a risk include, in particular, money transfer services.
58By Question 1, the referring court asks, in essence, whether, Articles 5, 7, 11(1) and 13 of the Money Laundering Directive must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which, first, authorises the application of standard customer due diligence measures in so far as the customers are financial institutions whose compliance with due diligence measures is supervised and, secondly, requires the institutions and persons covered by the directive to apply, on a risk-sensitive basis, enhanced customer due diligence measures in situations which by their nature can present a higher risk of money laundering or terrorist financing, such as that of the transfer of funds.
59In Sections 1 to 3 of Chapter II, which is headed ‘Customer due diligence’, the Money Laundering Directive provides for three types of customer due diligence measures, namely standard, simplified and enhanced measures.
60In Section 1 of that chapter, headed ‘General provisions’, Article 7(a) to (d) sets out the situations in which the institutions and persons covered by the Money Laundering Directive are obliged to apply standard customer due diligence measures, because the situations are considered to present risks of money laundering or terrorist financing, which can be prevented by adopting the measures laid down in Articles 8 and 9 of the directive. Those situations arise when a business relationship is established, when occasional transactions amounting to EUR 15000 or more are carried out, when there is a suspicion of money laundering or terrorist financing and when there are doubts about the veracity or adequacy of previously obtained customer identification data.
61In the situations referred to in Article 7 of the Money Laundering Directive, the institutions and persons covered by the directive must apply standard customer due diligence measures, which comprise, under Article 8(1) of the directive, identifying the customer and verifying the customer’s identity, identifying, where applicable, the beneficial owner, obtaining information on the purpose and intended nature of the business relationship and conducting ongoing monitoring of the existing business relationship and the transactions already undertaken. As is clear from Article 8(2), the extent of those due diligence measures may be determined on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.
62Under Article 9(6) of the Money Laundering Directive, the Member States must require that institutions and persons covered by the directive apply the customer due diligence procedures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis. However, by virtue of Article 9(1), the Member States must require the identity of the customer and the beneficial owner to be verified before a business relationship is established or a transaction is carried out.
63Consequently, in Articles 7 to 9 of the Money Laundering Directive, the EU legislature identified the circumstances in which it considered that national legislation must prescribe standard due diligence measures in order to prevent a risk of money laundering or terrorist financing.
64In other situations, depending, in particular, on the type of customer, business relationship, product or transaction, the risk may be higher or lower, as is apparent from recitals 10, 22 and 24 of the Money Laundering Directive. Articles 11 and 13 of the directive relate to those situations and require the Member States to ensure that various levels of customer due diligence are applied.
65Under certain conditions laid down in Article 11 of the Money Laundering Directive, it is not necessary to apply the customer due diligence measures prescribed in Articles 8 and 9(1) of the directive in situations where, pursuant to Article 7(a), (b) and (d), they should in principle be applied. Those conditions concern situations in which the EU legislature considered the risk of money laundering and terrorist financing to be lower by reason of, inter alia, the identity of the customer or the value and content of the transaction or product.
66That is so in particular, under Article 11(1) of the Money Laundering Directive, where the customer of an institution or person covered by the directive is itself a credit or financial institution covered by the directive.
67It must, however, be pointed out that Article 11(1) of the Money Laundering Directive does not derogate from Article 7(c) of the directive.
68Pursuant to Article 7(c) of the Money Laundering Directive, read in conjunction with Article 11(1), customer due diligence measures must always be applied when there is a suspicion of money laundering or terrorist financing, a concept which is not defined in the directive. Consequently, where such a suspicion arises, a Member State is precluded from authorising or requiring the application of simplified customer due diligence measures.
69Furthermore, contrary to Safe’s contentions, the derogation in Article 11(1) of the Money Laundering Directive does not preclude national legislation that provides for the application by the institutions and persons concerned of enhanced due diligence measures pursuant to Article 13 of the directive.
70Article 11(1) of the Money Laundering Directive is intended solely to derogate from the standard customer due diligence measures set out in Section 1 of Chapter II. Since that provision does not refer to Article 13 of the Money Laundering Directive, which is in Section 3 of Chapter II, it has no bearing on the customer due diligence that is required where there is a higher risk, as the Advocate General has observed in point 94 of her Opinion. Furthermore, the institutions and persons covered by the directive are authorised to apply simplified due diligence measures ‘in line with a risk-based approach’ in appropriate cases only, as recital 22 of the directive states. It is apparent from recital 24 of the directive that, although the identity and business profile of all customers should be established, there are cases where particularly rigorous customer identification and verification procedures are required on account of a greater risk of money laundering or terrorist financing.
71Consequently, if there is a higher risk of money laundering or terrorist financing as envisaged in Article 13 of the Money Laundering Directive, the fact that the customer is itself an institution or person covered by the directive does not preclude a Member State from being able to require the application in respect of that customer of enhanced due diligence measures within the meaning of Article 13.
72Article 13 of the Money Laundering Directive requires the Member States to provide that the institutions and persons covered by the directive are to apply, on a risk-sensitive basis, in particular in situations which by their nature can present a higher risk of money laundering or terrorist financing, and at least in the situations set out in Article 13(2) to (4), enhanced customer due diligence measures in addition to the measures referred to in Articles 7, 8 and 9(6) of the directive.
73It is clear from the words ‘at least’ that, whilst Article 13 of the Money Laundering Directive lists certain situations in which the Member States must require the application of enhanced due diligence measures, that list is not, however, exhaustive. The Member States have significant discretion, when transposing the directive, as to the appropriate way of implementing the obligation to require enhanced due diligence measures and to determine both the situations in which a higher risk of that kind exists and the due diligence measures.
74Thus, as the Advocate General has observed in point 95 of her Opinion, although the transfer of funds by an institution to States other than the State in which it is established is not listed in Article 13(2) to (4) of the Money Laundering Directive, Article 13 does not preclude Member States from identifying in their national law, taking a risk-based approach, other situations which by their nature present a higher risk and therefore justify or even require the application of enhanced customer due diligence in addition to standard due diligence.
75Consequently, notwithstanding the derogation in Article 11(1) of the Money Laundering Directive, Articles 7 and 13 of the directive require the Member States to ensure that the institutions and persons covered by the directive apply, in situations concerning customers that are themselves institutions or persons covered by the directive, the standard customer due diligence measures pursuant to Article 7(c) of the directive and enhanced customer due diligence measures pursuant to Article 13 thereof in situations which by their nature can present a higher risk of money laundering or terrorist financing.
76Finally, so far as concerns Article 9 of Law 10/2010, which authorises standard due diligence measures to be applied in respect of financial institutions even if there is no suspicion or higher risk of money laundering or terrorist financing within the meaning of Articles 7(c) and 13 of the Money Laundering Directive, it is to be borne in mind that the Money Laundering Directive merely provides for a minimum level of harmonisation and that, even when Member States have properly transposed Articles 7, 11 and 13 of the directive into national law, Article 5 of the directive allows them to adopt or retain in force stricter provisions where those provisions seek to strengthen the fight against money laundering and terrorist financing (see, to this effect, judgment in Jyske Bank Gibraltar, C‑212/11 , EU:C:2013:270 , paragraph 61 ).
77It should also be pointed out that the ‘stricter provisions’ referred to in Article 5 of the Money Laundering Directive may concern situations for which the directive prescribes a certain type of customer due diligence and also other situations which Member States consider to present a risk.
78Article 5 of the Money Laundering Directive is included in Chapter I of the directive, headed ‘Subject matter, scope and definitions’, and applies to all the provisions in the field covered by the directive in order to prevent money laundering and terrorist financing. It follows that its scope is not limited to the provisions of Chapter II of the directive, headed ‘Customer due diligence’. A Member State may therefore provide that customer due diligence measures must be applied by a credit institution to a payment institution even where the conditions laid down in Article 11(1) of the directive are satisfied, and thus even where there is no suspicion within the meaning of Article 7(c), and in situations other than those listed in Articles 7 and 13.
79In providing that the Member States may adopt or retain in force stricter provisions in the field covered by the Money Laundering Directive to prevent money laundering and terrorist financing, Article 5 of that directive does not grant the Member States a power or obligation to legislate by virtue of EU law, but merely, unlike the provisions laid down in Chapter II of the directive, recognises the power which the Member States enjoy under national law to provide for such stricter provisions outside the framework of the regime established by the directive (see, by analogy, judgment in Julián Hernández and Others, C‑198/13 , EU:C:2014:2055 , paragraph 44 ).
80In the light of the foregoing considerations, the answer to Question 1 is as follows:
—
Articles 5, 7, 11(1) and 13 of the Money Laundering Directive must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which, first, authorises the application of standard customer due diligence measures in so far as the customers are financial institutions whose compliance with due diligence measures is supervised when there is a suspicion of money laundering or terrorist financing within the meaning of Article 7(c) of that directive and, secondly, requires the institutions and persons covered by the directive to apply, on a risk-sensitive basis, enhanced customer due diligence measures in situations which by their nature can present a higher risk of money laundering or terrorist financing within the meaning of Article 13(1) of the directive, such as that of the transfer of funds.
—
Furthermore, even in the absence of such a suspicion or such a risk, Article 5 of the Money Laundering Directive allows the Member States to adopt or retain in force stricter provisions where those provisions seek to strengthen the fight against money laundering and terrorist financing.
Question 2(a) and (c)(ii)
81By Question 2(a), the referring court asks, in essence, how the Money Laundering Directive is to be interpreted so far as concerns the limits on the powers that credit institutions have, pursuant to that directive, in relation to payment institutions which are their customers and which are in addition covered by that directive and by the Payment Services Directive. By Question 2(c)(ii), it asks, in essence, whether the Money Laundering Directive must be interpreted as meaning that a credit institution may assess the customer due diligence procedures applied by a payment institution.
82It is apparent from the order for reference that these questions relate to interpretation of the Money Laundering Directive in conjunction with the Payment Services Directive, in particular Article 21 of the latter which defines the powers conferred upon the national authorities for the purpose of supervising payment institutions. The referring court raises the issue of the extent of the power that may be conferred upon credit institutions so far as concerns monitoring of the operations of payment institutions. It takes the view that the Payment Services Directive confers that supervisory power solely on the competent national authority, in this instance Sepblac, but wonders whether the Money Laundering Directive confers indirectly upon banking institutions some power to supervise payment institutions through the possibility of adopting enhanced due diligence measures.
83It should be pointed out that the Money Laundering Directive concerns the due diligence obligations owed by the institutions and persons covered by that directive. Thus, Article 8(1) of the directive defines the elements of a business relationship that the institutions and persons covered by the directive must obtain information about.
84Under the first subparagraph of Article 9(5) of the Money Laundering Directive, the Member States are to require that, where the institution or person concerned is unable to comply with Article 8(1)(a) to (c) of that directive, it may not carry out a transaction through a bank account, establish a business relationship or carry out the transaction, or is to terminate the business relationship. Therefore, the adoption of a measure such as the breaking off of a business relationship, provided for in the first subparagraph of Article 9(5) of the Money Laundering Directive, is the consequence of the inability of an institution or person covered by the directive to comply with the due diligence obligations owed by it pursuant to Article 8(1)(a) to (c) of the directive and as implemented by the Member States.
85Application of Article 9(5) of the Money Laundering Directive does not depend on why an institution or person covered by that directive cannot comply with the due diligence obligations laid down in 8(1)(a) to (c) of the directive. Consequently, failure of the customer of an institution or person covered by the Money Laundering Directive to cooperate by providing information enabling it to comply with the national law implementing Article 8 of the directive is not necessary to trigger the consequences provided for in Article 9(5) of the directive.
86Nonetheless, in accordance with Article 8(2) of the Money Laundering Directive, the institutions and persons covered by that directive must be able to demonstrate to the competent authorities mentioned in Article 37 of the directive that the extent of the measures adopted in performing their customer due diligence obligation — whose extent may be determined on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction — is appropriate in view of the risks of money laundering and terrorist financing.
87Such measures must have a concrete link with the risk of money laundering and terrorist financing and be proportionate to that risk. It follows that a measure such as the breaking off of a business relationship, provided for in the first subparagraph of Article 9(5) of the Money Laundering Directive, should, in the light of Article 8(2) of that directive, not be adopted in the absence of sufficient information connected with the risk of money laundering and terrorist financing.
88In addition, Article 37 of the Money Laundering Directive requires the competent national authorities to effectively monitor, and to take the necessary measures with a view to ensuring, compliance with the requirements of the directive by all the institutions and persons covered by the directive, which include credit institutions and payment institutions applying customer due diligence measures in respect of one of their customers.
89It follows that the customer due diligence and reporting obligations owed by credit institutions, on the one hand, and the supervisory and monitoring measures that fall to the competent national authorities, on the other, constitute a body of preventive and dissuasive measures to combat money laundering and terrorist financing effectively and to safeguard the soundness and integrity of the financial system.
90Contrary to Safe’s contentions, that does not mean, however, that when the institutions and persons covered by the Money Laundering Directive act pursuant to national laws implementing Articles 8 and 9 of that directive, they take on the supervisory role reserved for the competent authorities.
91Nor does it mean that the institutions and persons covered by the Money Laundering Directive may compromise the task of supervising payment institutions with which the competent authorities are entrusted pursuant to Article 21 of the Payment Services Directive in order to monitor compliance with the provisions of Title II of that directive, headed ‘Payment service providers’, and may take the place of those supervisory authorities.
92Whilst the institutions and persons covered by the Money Laundering Directive must apply the due diligence measures referred to in Article 8 of that directive, read in conjunction with Article 11 and, as the case may be, Article 13, and may for this purpose find it necessary to take account of the due diligence measures which their customers apply in their procedures, the fact remains that in Articles 17 and 21 of the Payment Services Directive and Articles 36 and 37 of the Money Laundering Directive supervisory measures are reserved for the competent authorities.
93The answer to Question 2(a) and (c)(ii) therefore is that the Money Laundering Directive must be interpreted as meaning that the institutions and persons covered by that directive may not compromise the task of supervising payment institutions with which the competent authorities are entrusted pursuant to Article 21 of the Payment Services Directive and may not take the place of those authorities. The Money Laundering Directive must be interpreted as meaning that, whilst a financial institution may, in performing the supervisory obligation which it owes in respect of its customers, take account of the due diligence measures applied by a payment institution in respect of its own customers, all the due diligence measures that it adopts must be appropriate to the risk of money laundering and terrorist financing.
Question 2(b) and (c)(i) and (iii)
94By Question 2(b) and (c)(i) and (iii), the referring court asks, in essence, in the event that Article 11(1) of the Money Laundering Directive does not preclude a Member State from being able to authorise a credit institution to apply due diligence measures other than simplified measures in respect of a payment institution which is its customer, whether Articles 5 and 13 of that directive must be interpreted as meaning that, when a Member State exercises either the discretion which Article 13 grants to it or the power in Article 5, the application by a credit institution of enhanced due diligence measures in respect of a payment institution which is its customer may be based on the type of general activity carried out by that payment institution, in this instance the transfer of funds, or whether it is necessary to identify, in that institution’s operations, specific conduct leading to suspicion of collaboration in money laundering activities or in terrorist financing.
95This question is raised in the context of a dispute involving institutions covered by the Money Laundering Directive which founded their due diligence measures in respect of their customer, a payment institution, on the national law applicable to situations which are identified by the national legislature as presenting a higher risk, in this instance the provision of money transfer services, and which are not mentioned in Article 13 of that directive. The question relates to circumstances in which a Member State has exercised either the discretion which that article grants to it so far as concerns the application of enhanced due diligence measures in respect of a payment institution or the power in Article 5 of the directive to authorise, in its national legislation, credit institutions to apply, or not apply, simplified due diligence measures in respect of their customers which are payment institutions and to adopt in their regard the due diligence measures that they consider the most appropriate.
96It must be pointed out that, in so doing, the Member State concerned must nevertheless exercise that power in compliance with EU law, in particular the fundamental freedoms guaranteed by the Treaties (see, by analogy, judgment in Jyske Bank Gibraltar, C‑212/11 , EU:C:2013:270 , paragraph 49 ).
97In order to establish whether EU law is complied with, it must be examined whether Article 56 TFEU precludes national legislation, such as that at issue in the main proceedings, which provides for the application of due diligence measures other than simplified measures in respect of a payment institution, such as Safe, which transfers customers’ funds to Member States other than the Member State in which it is established through accounts which it holds with credit institutions.
98It is settled case-law of the Court that Article 56 TFEU requires not only the elimination of all discrimination against providers of services on grounds of nationality or the fact that they are established in a Member State other than that where the services are to be provided, but also the abolition of any restriction, even if it applies without distinction to national providers of services and to those of other Member States, which is liable to prohibit, impede or render less advantageous the activities of a provider of services established in another Member State where he lawfully provides similar services (judgment in Jyske Bank Gibraltar, C‑212/11 , EU:C:2013:270 , paragraph 58 and the case-law cited). Furthermore, Article 56 TFEU precludes the application of any national rules which have the effect of making the provision of services, within the meaning of Article 57 TFEU, between Member States more difficult than the provision of services purely within one Member State (judgments in Cipolla and Others, C‑94/04 and C‑202/04 , EU:C:2006:758 , paragraph 57 , and Commission v Belgium, C‑296/12 , EU:C:2014:24 , paragraph 29 ).
99National legislation, such as that at issue in the main proceedings, which provides for the application of due diligence measures other than simplified measures in respect of a payment institution gives rise to costs and extra difficulties for the provision of money transfer management services, which are additional to the due diligence obligations that that payment institution must perform itself pursuant to the Money Laundering Directive. On account in particular of the costs of translating data with a cross-border element, the burden resulting from the application of those additional due diligence measures is liable to be greater in connection with a cross-border transfer of funds and is therefore capable of deterring the payment institution from providing those services in such a context.
100Nevertheless, according to the Court’s settled case-law, where national legislation falling within an area which has not been completely harmonised at EU level is applicable without distinction to all persons and undertakings operating in the territory of the Member State concerned, it may, notwithstanding its restrictive effect on the freedom to provide services, be justified where it reflects an overriding reason in the public interest and that interest is not already safeguarded by the rules to which the service provider is subject in the Member State in which he is established, and in so far as it is appropriate for securing the attainment of the aim which it pursues and does not go beyond what is necessary in order to attain that aim (see judgments in Commission v Austria, C‑168/04 , EU:C:2006:595 , paragraph 37 , and Jyske Bank Gibraltar, C‑212/11 , EU:C:2013:270 , paragraph 60 ).
101It must therefore be examined on what conditions legislation such as that at issue in the main proceedings meets those requirements.
102In that regard, first, it should be recalled that preventing and combating money laundering and terrorist financing constitute a legitimate aim capable of justifying a barrier to the freedom to provide services (judgment in Jyske Bank Gibraltar, C‑212/11 , EU:C:2013:270 , paragraphs 62 to 64 and 85 and the case-law cited).
103The Court has already accepted that the aim of combatting the use of the financial system for money laundering or terrorist financing, which is inherent in the Money Laundering Directive, is to be balanced against the protection of other interests, including the freedom to provide services. Thus, in the judgment in Jyske Bank Gibraltar ( C‑212/11 , EU:C:2013:270 , paragraphs 49 , 59 and 60 ), the Court held, in essence, that restrictions on the freedom to provide services resulting from an obligation to provide information were permissible in so far as such an obligation seeks to strengthen, in compliance with EU law, the effectiveness of the fight against money laundering and terrorist financing.
104Secondly, national legislation such as that at issue in the main proceedings is appropriate for securing the attainment of the aim pursued if it helps to reduce the risk and reflects the concern to attain that aim in a consistent and systematic manner. Such national legislation satisfies those requirements when it identifies, in accordance with an appropriate risk assessment, including in relation to customers which are payment institutions, a high risk with respect to, inter alia, a type of customer, country, product or transaction and, on that basis, authorises or even requires the institutions and persons covered by the Money Laundering Directive to apply, in accordance with their own individualised risk assessment, appropriate customer due diligence measures.
105Thirdly, in order to assess whether such national legislation is proportionate, it is necessary to determine the level of protection desired by the Member State concerned with respect to the identified level of risk of money laundering or terrorist financing.
106It is apparent from the Money Laundering Directive, in particular Articles 5 and 13(1) and recital 24, that the Member States may either set a level of protection higher than that chosen by the EU legislature and authorise or require customer due diligence measures other than those provided for in the directive, pursuant to the power in Article 5, or identify other situations presenting a higher risk in the exercise of the discretion that Article 13 grants to them. In so doing, the Member States may, in particular, identify the specific measures to be applied in certain specified situations or give the institutions and persons covered by the directive discretion to apply, on the basis of an appropriate risk assessment, the measures considered proportionate to the risk at issue in a specific situation.
107In any event, the Member States must ensure that the enhanced customer due diligence measures capable of being applied are based on assessment of the existence and level of a risk of money laundering or terrorist financing with respect to a customer, business relationship, account, product or transaction, as the case may be. Without such assessment, it is not possible for either the Member State concerned or, as the case may be, an institution or person covered by the Money Laundering Directive to decide in an individual case what measures to apply. Finally, where there is no risk of money laundering or terrorist financing, it is not possible to take preventive action on those grounds.
108That risk assessment must take into account, at least, all relevant facts capable of demonstrating the risk of one of the types of conduct that are considered to constitute money laundering or terrorist financing.
109Furthermore, whether national legislation is proportionate also depends on the degree to which the customer due diligence measures for which it provides intrude upon other rights and interests protected by EU law, such as the protection of personal data, provided for in Article 8 of the Charter, and the principle of free competition between entities operating in the same market. Where a Member State relies on overriding reasons in the general interest in order to justify rules which are liable to obstruct the exercise of the freedom to provide services, such justification, provided for by EU law, must be interpreted in the light of the general principles of EU law, in particular the fundamental rights now guaranteed by the Charter. Thus, the national rules in question can fall under the exceptions provided for only if they are compatible with the fundamental rights the observance of which is ensured by the Court (see judgments in ERT, C‑260/89 , EU:C:1991:254 , paragraph 43 , and Pfleger and Others, C‑390/12 , EU:C:2014:281 , paragraph 35 ). The aims of that legislation must be weighed against those other legitimate interests.
110Finally, whether national legislation is proportionate depends on whether there are less restrictive means of achieving the same level of protection. The national legislation at issue in the main proceedings presumes, generally, that transfers of funds always present a high risk, without providing for the possibility of rebutting that presumption of risk in the case of transfers of funds not objectively presenting such a risk. Thus, in particular, legislation which provides for such a possibility appears less restrictive, while enabling the level of protection desired by the Member State concerned to be achieved.
111Consequently, the answer to Question 2(b) and (c)(i) and (iii) is that Articles 5 and 13 of the Money Laundering Directive must be interpreted as meaning that national legislation such as that at issue in the main proceedings, adopted pursuant either to the discretion which Article 13 of that directive grants the Member States or to the power in Article 5 of the directive, must be compatible with EU law, in particular the fundamental freedoms guaranteed by the Treaties. Whilst such national legislation designed to combat money laundering or terrorist financing pursues a legitimate aim capable of justifying a restriction on the fundamental freedoms and whilst to presume that transfers of funds by an institution covered by that directive to States other than the State in which it is established always present a higher risk of money laundering or terrorist financing is appropriate for securing the attainment of that aim, that legislation exceeds, however, what is necessary for the purpose of achieving the aim which it pursues, since the presumption which it establishes applies to any transfer of funds, without providing for the possibility of rebutting the presumption in the case of transfers of funds not objectively presenting such a risk.
Question 3
112By Question 3(b), the referring court asks, in essence whether the Personal Data Directive must be interpreted as preventing the Member States from obliging payment institutions to provide information regarding the identity of their customers to credit institutions which are in direct competition with them, in the context of enhanced customer due diligence measures which the credit institutions apply. Question 3(a) is designed to ascertain whether enhanced customer due diligence measures may consist in requiring payment institutions to provide identification data for all their customers from whom the funds transferred originate, and the identification data for the recipients.
113It is apparent from the order for reference that these questions are designed to ascertain whether, from the point of view of the Personal Data Directive, due diligence measures and enhanced due diligence measures may constitute an exception that makes it possible to hand over personal data. For the referring court, it is a matter in particular of ascertaining what data can, as the case may be, be handed over by payment institutions at the request of credit institutions, on the basis of the provisions of the Money Laundering Directive, and in what circumstances such data may be handed over.
114As is clear from settled case-law reflected in Article 94 of the Rules of Procedure of the Court of Justice, in the context of the cooperation between the Court of Justice and the national courts established in Article 267 TFEU the need to provide an interpretation of EU law which will be of use to the national court makes it necessary for that court to define the factual and legislative context of the questions it is asking or, at the very least, to explain the factual circumstances on which those questions are based (see, to this effect, judgment in Azienda sanitaria locale n. 5 Spezzino and Others, C‑113/13 , EU:C:2014:2440 , paragraph 47 ). The Court is empowered to rule on the interpretation of EU provisions only on the basis of the facts which the national court puts before it (order in Argenta Spaarbank, C‑578/14 , EU:C:2015:372 , paragraph 14 ).
115The referring court must also set out the precise reasons why it was unsure as to the interpretation of certain provisions of EU law and why it considered it necessary to refer questions to the Court for a preliminary ruling. The Court has already held that it is essential that the national court should give at the very least some explanation of the reasons for the choice of the provisions of EU law of which it requests an interpretation and regarding the link that it establishes between those provisions and the national legislation applicable to the dispute before it (orders in Equitalia Nord , C‑68/14 , EU:C:2015:57 , paragraph 14 and the case-law cited, and Argenta Spaarbank, C‑578/14 , EU:C:2015:372 , paragraph 15 ).
116Indeed, the information provided in orders for reference serves not only to enable the Court to provide useful answers but also to give the governments of the Member States and other interested parties the opportunity to submit observations in accordance with Article 23 of the Statute of the Court of Justice of the European Union. It is the Court’s duty to ensure that that opportunity is safeguarded, given that, under that provision, only the orders for reference are notified to the interested parties (order in Argenta Spaarbank, C‑578/14 , EU:C:2015:372 , paragraph 16 ).
117By Question 3, the referring court refers generally to the Personal Data Directive without indicating sufficiently precisely the provisions of that directive that could be relevant in order to enable the Court to give a useful answer.
118Furthermore, the question of the content of the information requested from Safe under the due diligence measures applied by the banks in its regard has been discussed. In the proceedings before the Court, BBVA maintained that it never requested personal data regarding Safe’s customers or the recipients of the funds transferred, but that it only requested information regarding the agents acting for Safe and using its accounts.
119It is settled case-law that, under the procedure of cooperation established by Article 267 TFEU, it is not for the Court of Justice but for the national court to ascertain the facts which have given rise to the dispute and to establish the consequences which they have for the judgment which it is required to deliver (see judgment in Accor, C‑310/09 , EU:C:2011:581 , paragraph 37 and the case-law cited).
120Having regard to the foregoing considerations, it must be held that Question 3 is inadmissible.
Costs
121Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fifth Chamber) hereby rules:
1.Articles 5, 7, 11(1) and 13 of Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing as amended by Directive 2010/78/EU of the European Parliament and of the Council of 24 November 2010 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which, first, authorises the application of standard customer due diligence measures in so far as the customers are financial institutions whose compliance with due diligence measures is supervised when there is a suspicion of money laundering or terrorist financing within the meaning of Article 7(c) of that directive and, secondly, requires the institutions and persons covered by the directive to apply, on a risk-sensitive basis, enhanced customer due diligence measures in situations which by their nature can present a higher risk of money laundering or terrorist financing within the meaning of Article 13(1) of the directive, such as that of the transfer of funds.
Furthermore, even in the absence of such a suspicion or such a risk, Article 5 of Directive 2005/60 as amended by Directive 2010/78 allows the Member States to adopt or retain in force stricter provisions where those provisions seek to strengthen the fight against money laundering and terrorist financing.
2.Directive 2005/60 as amended by Directive 2010/78 must be interpreted as meaning that the institutions and persons covered by that directive may not compromise the task of supervising payment institutions with which the competent authorities are entrusted pursuant to Article 21 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, as amended by Directive 2009/111/EC of the European Parliament and of the Council of 16 September 2009, and may not take the place of those authorities. Directive 2005/60 as amended by Directive 2010/78 must be interpreted as meaning that, whilst a financial institution may, in performing the supervisory obligation which it owes in respect of its customers, take account of the due diligence measures applied by a payment institution in respect of its own customers, all the due diligence measures that it adopts must be appropriate to the risk of money laundering and terrorist financing.
3.Articles 5 and 13 of Directive 2005/60 as amended by Directive 2010/78 must be interpreted as meaning that national legislation such as that at issue in the main proceedings, adopted pursuant either to the discretion which Article 13 of that directive grants the Member States or to the power in Article 5 of the directive, must be compatible with EU law, in particular the fundamental freedoms guaranteed by the Treaties. Whilst such national legislation designed to combat money laundering or terrorist financing pursues a legitimate aim capable of justifying a restriction on the fundamental freedoms and whilst to presume that transfers of funds by an institution covered by that directive to States other than the State in which it is established always present a higher risk of money laundering or terrorist financing is appropriate for securing the attainment of that aim, that legislation exceeds, however, what is necessary for the purpose of achieving the aim which it pursues, since the presumption which it establishes applies to any transfer of funds, without providing for the possibility of rebutting the presumption in the case of transfers of funds not objectively presenting such a risk.
[Signatures]
( *1 ) Language of the case: Spanish.