Riley S. Faelan<p>In strange <a href="https://toot.cat/tags/fintech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fintech</span></a> <a href="https://toot.cat/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://toot.cat/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> news, an Estonian bank, the LHV Bank, is claiming 247.5M€ from the government's money laundering regulator over the regulator having accessed banking secrecy protected data from the bank in a roundabout way — through the judicial enforcement register, a practice that the Justice Chancellor has recently opined to be unconstitutional. Other banks may follow.</p><p>It appears that there is a vulnerability in the legal framework, in that it takes a specific and narrowly tailored court order for the money laundering regulator to get detailed transaction and/or account data directly from a bank, but the judicial enforcement register, having been built on the assumption of functioning in the world of already enforceable court orders, has procedural direct access to banking data, but no procedural safeguards to actually check for a court order existing as a precondition for such access, and the money laundering regulator seems to have been using this loophole for large-scale surveillance for about five years.</p><p>LHV Bank's general terms of service specify 100k€ in contractual damages per unlawful query, and I surmise they have found 2475 such roundabout queries in their audit logs.</p><p>Source: <a href="https://www.err.ee/1609754001/lhv-nouab-rahapesu-andmeburoolt-pangasaladuse-asjas-247-miljonit" rel="nofollow noopener" translate="no" target="_blank">https://www.err.ee/1609754001/lhv-nouab-rahapesu-andmeburoolt-pangasaladuse-asjas-247-miljonit</a></p>