Mutual Support

In my inaugural 2018 post, I presented three takeaway themes from FATF’s November 2017 Guidance on Private Sector Information Sharing. The first – Data privacy and AML/CFT are not mutually exclusive – is a straightforward observation that is addressed head-on by the Guidance.

“AML/CFT and DPP public policy goals are not mutually exclusive and should recognize support and be balanced.”

It is an overdue statement that should bring privacy to the forefront of financial crime compliance discussion, not only because it brings data privacy on par, but because of the assertion that they support each other.   But even as the Guidance emphasizes mutual support, it doesn’t exactly articulate how one reinforces the other.  Yet, it is important to understand the relationship because it promotes effective and legal data sharing for AML/CFT.

AML/CFT compliance programs depend on the sharing of data among many different groups, and require financial institutions (FIs) to know what data to collect and use, know when to share it, and with whom to share it. These are difficult tasks owing to a host of factors including, but not limited to, the varied types of data and volume of data needed for risk-based decision-making. Privacy controls would seem to complicate the matter because they mandate certain rules for processing data for specific purposes.

As I have said in the past, the duality of data – the condition that financial data is both commercial and potentially criminal at the same time – creates a conundrum for FIs. Determining when financial data’s commercial use ends and when AML/CFT use begins is therefore a fundamental problem of implementation because that point determines when commercial rules conclude and AML/CFT data privacy governance kicks in. To further complicate matters, the ‘switch’ is not permanent since an individual’s data flows back and forth during the life-cycle of the business relationship. Lastly, the criteria will be unique within an FI and its group [internal], or if sharing is conducted FI to FI, or if an FI transfers to authorities (and vice versa) [external].

However, this is where understanding the privacy/compliance support nexus is important. Knowing this, while FATF did not explicitly outline how privacy supports AML/CFT or how to apply it in a compliance program, it did provide components of that support process, which I have been incorporating into a framework. In this post, I outline the role of three components:

  • Technology
  • Data standardization
  • Data governance

Technology:

FATF notes that FIs confront a mish-mash of incompatible systems, software, and data formats within and across a group (often from mergers and acquisitions), and/or deal with older technologies that make upgrades difficult or impossible without incurring massive costs – all of which can impede information sharing. Each environment may be designed to process different types of data for varied uses. Some systems may be repetitious AML solutions across business lines, while others may ingest data that was not collected for AML use, but may be necessary at some point in the compliance workflow. The latter can make data transfer difficult, because the data was collected for one purpose, but is essential to another use. This is certainly true of, for example, KYC processes, where customer information is collected for a commercial relationship, but could easily be escalated to EDD or FIU groups. Again, it is not a stretch to say that many banking databases or systems hold dual purpose or dual use data.

A primary exercise in applying privacy by design principles involves conducting a data inventory (aka mapping, lineage) – a survey of what data is collected and from where, its purpose, its access permissions, conditions of transfer, and its storage, retention, and deletion. Done well, it maps where AML and non-AML systems and data commingle, which helps identify where commercial-to-compliance flows occur.

Data Standardization & Data Governance:

FATF notes that standardization of data types and formats “may also promote data sharing by enabling integration,” and provides examples of “information elements” necessary for data sharing and the value each data element provides the FI. The Guidance points out the usefulness of certain data elements (p. 8), in “global risk assessment” (p. 10) and “product services and geographical risks” (p. 11). Although FATF does not get into details, successful risk-based assessments require at least three groups of data – market (business views), regulatory (data demanded by law), and criminal typologies (data provided by authorities) – each of which involves unique governance considerations, many of them beyond the scope of privacy laws that govern the FI’s own data.

The data inventory allows information technology staff to survey compatibilities across the business, but it also helps identify what data is fit for purpose in the construction of AML/CFT standardized data sets.  This exercise must involve content and compliance SMEs working alongside IT pros.  Only their combined knowledge can create the focused data sets required.

Focused and flexible data sets attuned to shifting risk conditions contribute to robust decision-making matrixes that set signal points or benchmarks to help FIs determine when ‘enough’ information has been gathered to warrant sharing within the corporate group or with authorities without provoking the ire of AML or privacy regulators. In privacy parlance this is part of data minimization, using the data necessary for the job, which supports quality analysis, reduces labor, and maximizes the value of FI intelligence to the business, other FIs, or authorities. Standardization contributes to setting access points and permissions that establish audit trails – essential for confidentiality, which mitigates AML/CFT secrecy laws that can lead to blockages. Lastly, the entire process maps data flows that inform data governance (i.e. in EU parlance, when GDPR’s “safeguards” apply), as it highlights when data passes from the commercial to compliance spaces (or commingles).

Information Sharing in Practice?

FATF (and this report) suggests that FIs are (slowly) operationalizing privacy in AML using these methods, and are engaging with national data protection authorities as they do so. The Annex provides brief examples where FIs and privacy authorities currently consult (e.g. France, Spain), but a country-by-country approach produces inconsistencies that will not suit a multinational financial system. For example, the EU’s GDPR allows Member States to determine how data safeguards will be applied to AML/CFT data, which means that multinationals will not be able to implement consistent data sharing networks across their own groups, let alone the globe. As these standards spread to other financial centers like Japan, the problems will be compounded – a fact that FATF also noted:

“…global financial institutions operating in multiple jurisdictions would benefit from data protection authorities issuing clarifying interpretation and guidance on the extent to which sharing personal data across borders for AML/CFT purposes is permissible under the public interest or other derogation(s) contained in different data protection regulations on data transfers (e.g. the extent to which transfers of data made for the purpose of complying with AML/CFT is permissible).”

There is still much work to be done before FIs (and other obligated entities) harness the mutually supportive data privacy and AML/CFT practices.  While much of this involves breaking down education and informational silos within FIs, among policy-makers, and regulators, the FATF Guidance signals some progress.  This high-level framework briefly described ways that privacy is complementary to AML/CFT, and I will be devoting much of my energy in the coming months to further developing the details.

Data Sharing, AML/CFT & Data Privacy: 2018, Together at Last?

Happy and healthy 2018 to all!

In this series of blog posts, I will discuss FATF’s November 2017 Guidance on Private Sector Information Sharing.  I am happy to say that the Guidance addresses many of the points I noted in my 2016 SWIFT Institute paper on AML/CTF and data privacy (e.g. cross-border data protection law, how confidentiality can forbid group sharing).

The FATF Guidance is a welcome development and seems to be part of a shift in thinking towards more favorable attitudes regarding data governance among AML/CFT professionals that I have personally noted in the past year. This is probably due to a host of factors including the EU’s General Data Protection Regulation (GDPR) constantly being in the headlines, the rise of cooperative public-private groups such as the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) and US’s FinCEN Exchange, Brexit, and developments in Fintech.

Building off its 2016 efforts, this FATF Guidance puts information sharing on the map in committing its governments to implement agendas to meet these goals.  The Guidance tells the private sector that states consider data sharing an internal and group priority.  Hopefully, it will provide financial institutions with enough confidence to contribute to forming the standards necessary so data sharing (public-private and private-private) can effectively balance market and national security interests.  FATF emphasizes this throughout the text, noting that putting the guidelines into practice requires public and private views and expertise.  Notably, FATF adds data privacy authorities to the Guidance’s intended audience alongside governments and financial institutions, thereby recognizing the importance of these views to the goal.

However, as is typical of any international group’s stance on a globally complicated issue with conditions that change according to jurisdiction, FATF guidance can only provide guideposts – it does not, and cannot, furnish the detailed governance and operational processes that regulators and financial institutions need.  This is not a criticism, but a reminder of the role and limitations of these Guidances and how much work there is yet to be done by national authorities and the private sector.*

FATF confirmed the widely-held belief that information sharing is essential to a “well-functioning AML/CFT framework.” In forthcoming posts, I will expand on three thematic streams within the Guidance:

  1. Data protection and privacy and AML/CFT are not mutually exclusive
  2. Financial institutions must share data internally and across the group
  3. Effective data sharing is only possible with public-private and private-private cooperation. (Recognizing the sometime cyclical cycle that public-private groups are “source as well as target of information flow.”)

All while noting that two conditions pervade all of the above:

  • Siloed views are not effective
  • Technology and governance are intertwined

I am looking forward to getting on the blog wagon again and seeing how the data sharing regime develops.  A thank you to everyone who has been supportive of my work on this topic over the years. Keep engaging – there’s more to come in 2018.

Cheers!

*Having said this, I hope the Wolfsberg Group follows suit and completes its 2014 guidance on AML/CFT and data privacy.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Good-bye 2016: To 2018

Happy New Year (a bit early)! 2016 was quite an exciting and busy year with many personal and professional transitions that left little time for blogging.  However, I’m back with insights as the financial services and authorities work throughout 2017 to implement the AML/CTF and data protection legislation and agreements for 2018.

Before I discuss recent developments in the field, I’d like to comment on the release of my SWIFT Institute-sponsored paper on US-EU AML/CTF & Privacy for Multinational Banks,* which was published in August (download here). The Institute also invited me to speak about it at Sibos in Geneva, Switzerland in September (download slides here).

My experience with the Institute has been fantastic. A sincere thank you to Peter Ware and Nancy Murphy for their kindness, professionalism, and support for independent research that allows academics to reach practitioners with meaningful analysis.**

19 AML/CTF & Data Privacy Compliance Conflicts Graphic from the Paper (Caution: Not as Impressive as SWIFT’s interactive graphic!)

I highly recommend that you visit the Institute’s fabulous interactive graphic for an overview of the 19 compliance conflicts (view here).

Don’t forget to read the last section of the paper that covers Profiling! It lives in all 19 issues and impacts every single AML/CTF compliance function.

About the paper:

The paper is a primer for financial institutions and policy-makers to identify 19 legal conflicts that may affect a multinational’s ability to comply with the AML/CTF and privacy regimes.  I hope that this information enables private actors to understand how their internal processes may expose them to regulatory risk; for public actors, I hope it provides a better understanding of the challenges the private sector faces in multi-jurisdictional compliance, but especially how these issues affect the quality of data that private corporations ultimately provide to authorities to achieve the end goal – combating financial crime and political violence.

As one can imagine, there was not enough space for an analysis of all the dimensions or actors involved, so a few things to note:

  • The US Terrorist Financing Tracking Program (TFTP) demands a paper of its own due to developments regarding the development of an EU TFTS.
  • I shelved an anonymous AML/CTF & Privacy survey due to an insufficient data sample. I will conduct the survey again, but the preliminary results demonstrated a clear US and EU divide.  Respondents did highlight AML/CTF and data protection concerns when dealing with high risk third country areas.
  • Section 3.2 on Public-Private cooperation could have been a paper unto itself (and may appear as a forthcoming chapter). Multinationals face tough decisions when they operate in multiple countries where they must comply with data requests from authorities.

The Takeaway

Despite the difficulties ahead, in the paper’s conclusions, I state that the financial services should be acting now to align their data protection obligations in 4AMLD to the GDPR.

4AMLD and the GDPR consistently refer to ‘safeguards’ for data processing, but these safeguards are ultimately left up to EU Member State law, so the diversity among EU Member State law will continue.  The GDPR formally calls for cooperation among industry associations to formulate “codes of conduct” to set the technical and organizational standards outlined in the Regulation.  Article 38 (40 and 41 in final version) outlines the codes’ provisions, which are broad enough to accommodate compliance’s risk-based regime, including secure systems and fair and transparent data processing for legitimate interests.

The private sector should work with Member States to create AML/CTF & privacy-centric ‘codes of conduct’ that harmonize with these developing national safeguards.

I’ll be posting updates on those efforts as I become aware of them.

Have a healthy and safe 2017!

Want to learn more?  Join me on 22 February 2017 for a webinar on Nomoneylaundering.com 

Still to Come:
4AMLD Amendments (aka 5AMLD) and the GDPR impact

*Paper referrals to EU legislation predate the final version of the GDPR and the articles and recitals may have changed.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Multinationals, Privacy, AML/CTF et al.

A small update (more to come) to announce that an article I wrote with W. Travis Selmier in 2015 has been published!  Due to unforeseen delays in production, Border Crossings released our article in their April 2016 issue.  We hope you enjoy it.

“Multinational Banks as Carriers for US & EU Law”

In other news, the SWIFT paper will be in the public eye very soon.  I had the opportunity to speak about it at the IAPP Global Privacy Summit in Washington, DC in November (“Mission Impossible: Complying with Banking Secrecy, Privacy, and AML Obligations”) to an enthusiastic audience, and with a great panel.  I am very proud of this work and hope that it helps the transatlantic banking and regulatory communities tackle AML/CTF and data protection issues as the EU’s 4th Anti-Money Laundering Directive (4AMLD) and the General Data Protection Regulation (GDPR) become realities in the next two years.

Why Bitcoin is Like PONG

I’ve been absent from blog writing to finish the SWIFT Project (nearly done!), and to write a piece for American Banker.   Now, I’m taking a moment to pause for some brief thoughts on bitcoin.

I ‘own’ 1,017.69 bits, which amounts to 25 cents USD. I was a little giddy when someone on Twitter gifted them to me as a reward for a snarky comment about the financial crisis.

Receiving bitcoin was like getting PONG for Christmas circa 1977.   For those not as nerd-minded as I, I assure you this is a compliment.

PONG, in its pixelated glory, was a pioneer of home gaming, a forerunner of the fantastic systems we have today. Bitcoin is part of that same technological spirit because the blockchain has the potential to take money, value, and payments out of the hands of states and financial institutions, and bring them into our homes.

Before people start screaming “It’s not widespread and a fad!”, or cheering “Down with the establishment!” let me explain – it’s a start not an end.

Bitcoin is a product of a community that has always been interested in stretching boundaries.  It’s where the ideas start, but the ideas really begin to enter our daily lives and become ‘normal’ because of their ability to adapt to current conditions, and then become mainstream.  That’s going to take some time, and some new ideas.

To me, the blockchain is part of an evolutionary development in money’s digital transformation.  This initiative came from the private sector, but we’ve already seen states create their own digital currency with Special Drawing Rights (SDRs).

The technology and the ideas behind the blockchain are diverse and adaptable – exactly the kinds of “innovative” thinking that the financial industry adores.

Markets and consumers are excited about the possibilities, because it:

States and regulators have been cautious. In the EU, the European Banking Authority warned that virtual currencies are unregulated and that lack of regulation brings regulatory risk. However, a few months ago, an official from the EBA told me this did not mean it was against digital currencies – “We like diversity.”

The US has issued fines and started to regulate Bitcoin with limited success.  Meanwhile, like-minded companies strive to provide individuals and firms who use bitcoin and the blockchain with the same confidence fiat currencies enjoy.

Lastly, the blockchain is transparent, but can offer privacy with some effort, which is one of the least understood aspects of the technology.  This year, I was at a dinner where a successful business guest dismissed bitcoin saying it was “just for illegal stuff.”  When I responded that it was appealing for many reasons including the possibility of privacy, I was asked, “What’s the big deal about your information? Are you some kind of data survivalist?”

No, I was not afraid of the government and did not envision some apocalyptic data future.  I just like the idea, which did not make me a contemporary societal anomaly.

The message was not well received, but I was not surprised.

Later, I rode home on the train, playing PONG on my smart phone.

Google, the Right to be Forgotten & Multinational Corporations

Today, I joined 80 other academics in requesting Google to release more information about its implementation of the European Court of Justice’s “Right to be Forgotten” (RTBF) ruling.

Last year, in Harvard Business Review I said that the Decision presented opportunities for innovation and profit if transnational companies recognized the demands of established, and emerging, privacy markets.  However, profit isn’t the only reason why companies should be interested in Google’s RTBF process – it is a prime example of the important role that the private sector plays in setting transnational privacy standards.

The ECJ applied EU data protection law, but it did not set the procedures for the implementation of the Right to be Forgotten. This task has been left to Google, which has been working with a core group of advisors and EU bodies like Working Party 29 to build internal procedures to comply with a legal concept that continues to evolve. In effect, the Google experiment will set processes that will influence, either positively or negatively depending on with whom you speak, the future of privacy and data protection for the EU and anyone who does business there.

Google’s actions, voluntary or not, are a valuable part of the data privacy dialogue among states, corporations, and individuals. For any law to be successful (measure success how you will) it must take into consideration how companies operate. In setting internal processes to comply, corporations make their greatest contributions to data protection.

Google has already responded to our open letter saying it will “consider” more transparency.  I suspect it fears publishing data on still-evolving policies or revealing proprietary information.  However, clarifying RTBF procedures may assist the company to identify program strengths and weaknesses, reduce the number of ineligible removal submissions, help other companies to understand regulatory expectations and perhaps prompt them to adopt some of Google’s strategies, and in due time, inform the content and character of future legislation.

Thus, Google’s practices demonstrate the private sector’s influence on the implementation of data protection law. It also suggests that corporations shouldn’t have to engage in standards-setting only in response to a legal mandate.

In today’s global digital business atmosphere, companies confront transnational data flows and privacy conflicts in their operations every day. Yet, multinationals typically view privacy concerns as an infringement on their business models.  Instead, the private sector could use its operational knowledge and implementation power to create industry-wide data protection standards that consider national legislation, are responsive to customer concerns and lower their operational risks, before, or even in the absence of regulatory mandates.

Adopting a privacy inclusive view of data operations is better than waiting for, and responding to, litigation, which is a losing strategy in an interconnected world.

Separation Anxiety: AML, Privacy, Vendors & Multinationals

Last month, I had the pleasure of speaking at the 20th Annual ACAMS AML & Financial Crime Conference in Hollywood, FL.  From my understanding, it was the first time the organization had offered a panel on compliance and privacy for cross-border data flows. Our panel was well-attended, which demonstrated the industry’s growing concern about these issues. It was a great experience and I had a wonderful time with my fellow panelists.

I attended many panels in those two days as the lone academic in a sea of compliance professionals (social anthropology note: they dress better than academics, drinks are free and top-shelf, nice swag).  I had great conversations, quite a lot of fun, and the insights I gained from these interactions reinforced some of the mantras in my research.

So this intrepid academic decided to do some very informal interviewing and observations at the exhibition hall.  I walked through to see if any vendors listed privacy as a service in their displays (only 2). At the same time, I randomly asked about their experience with AML and privacy.

My opening salvo went something like this:

Do you have any technology-driven or governance-centered services that address AML and data protection for national or international banking?

“No, each of those services are client-driven.”
“We don’t have anyone at this conference who can speak about privacy.”
“It’s separate from AML.”
“Our service doesn’t handle data protection.”

At this point, there are few, if any, services able to provide the financial community with technological solutions that take into account INFOSEC, data protection, and compliance (AML and otherwise). And, we cannot ignore the governance and policy instruments that must come with them. I love the automated aspects of the field but they cannot, and should not, dominate compliance.

Now I’m not blaming the vendors solely for these shortcomings.  They respond to their customers’ demands.  Everyone is focusing on AML because the fines are getting bigger and privacy is pushed to the low-risk back-burner.   (By the way, I’ve found similar problems with privacy professionals, so I’m not picking on AML.)

These conditions also reflect a separation between security and privacy in the regulations themselves (e.g. I’ll be speaking about the still unresolved problems in the 4th Money Laundering Directive and data protection in London in May).

However, privacy is catching up.

I predict that in 5 years financial institutions will find themselves scrambling to respond to data protection/privacy regulations that are already issues, or in the pipeline.  They will spend money to employ a new team of specialized consultants, which will produce redundant services that could easily be integrated into existing structures with a little ingenuity. They will do all of this not realizing that privacy is already part of their business, because their clients already expect it.

Innovation involves seeing relationships beyond your nose – and the horizon.

Common Interests, Uncommon Responses

Last month, Jan Philipp Albrecht, Member of European Parliament (Greens/EFA) and rapporteur for the EU’s Data Protection Regulation stated, “There is an urgency to build a common interpretation of national security.  It is on our common security interest.” 

It caught my attention because I have been writing about the correlation among threat perception, counter-terrorism, and data-sharing.

It is important to build a common interpretation of national security for a number of reasons. Governments are more likely to cooperate when they share similar perceptions of a threat. However, because of their experiences with political violence, the US and EU have developed different institutions and procedures to deal with terrorist threats, which have heavily influenced their views and laws on privacy, surveillance, and data-sharing.

In short, they understand why it is important to confront political violence, but disagree about how to do so.

Today President Obama and Chancellor Merkel recognized how historical experience had produced divergent approaches to government surveillance. Mr. Obama stated, “Given Germany’s history, there are going to be sensitivities around this issue…There are going to be irritants like there are among friends.” Merkel concurred, “There are still disagreements on some points.” [“Es gibt da nach wie vor unterschiedliche Auffassungen in einigen Punkten.”]

First, neither the US nor Europe will be able to completely alter the way they confront terrorism because their experiences have produced different methods and institutions to counter these threats.   (And even here we cannot lump Europe into one EU basket either.)

Second, the US and Europe have little choice but to get along because of the transnational nature of terrorism. Their differences, however, have not halted data-exchange among intelligence and police networks. That’s also because there’s a shared sense of purpose and duty among these groups across the Atlantic. There are numerous examples of bilateral and multilateral cooperation, but the one that comes easily to my mind is the Terrorist Finance Tracking Program, TFTP.

To me, the TFTP, Safe Harbor, (and even the limited SIGINT reform) demonstrate something else – that cooperation on the collection and transfer of transatlantic data (both public and privately held) is slowly (and painfully) producing a hybrid system that takes the histories, values, and institutions of the US and EU into account.

Whatever the result, it’s going to be a bumpy ride, and sure to displease everyone.

The “Weaponization of Finance” is more than Sanctions – It’s Data

I am always happy when I see people address the links between finance and security because it is so rare.

Last month, Daniel Drezner, of Tufts University and the Brookings Institute, wrote about the “hard limits of economic statecraft” regarding the use of sanctions against Russia’s actions in the Ukraine (interview here too).  This week, Ian Bremmer and Cliff Kupchan, of the Eurasia Group listed “The Weaponization of Finance” as a “Top Risk of 2015.”

Bremmer and Kupchan correctly assert that the US’s global financial position affords American policymakers powerful means to influence behaviors beyond its borders.  Specifically, they note access to capital markets and sanctions as “tools of coercive diplomacy.”  They cite the US influence on norms in international organizations, the dollar’s role as the premier reserve and investment currency, and the vulnerability of the private banking sector to cyber-attack as further evidence of its power resources.

Sanctions deserve a place in the statecraft toolbox, but as Business Insider’s @elenaholodny summarized, they are difficult to employ successfully (See also David Baldwin’s classic Economic Statecraft, Meghan O’Sullivan’s Shrewd Sanctions, Cortright and Lopez’s Smart Sanctions, and Drezner’s own Sanctions Paradox).

Restricting the use of finance to sanctions limits its value to foreign affairs. The technological revolution in banking, which has digitalized the industry, finance’s multinational presence, and the increase in recordkeeping and reporting requirements after 9/11 and the 2008 crisis, have provided policymakers with an opportunity to harness financial data to map behaviors, networks of violence, and illicit economies across borders.

The Eurasia Group hints at this, “The United States is expanding its ability to track the financial transactions [my emphasis] of government leaders of concern, as well as their state and private sector allies, in order to close their access to capital and property.”

But governments use financial data for more than sanctions. They do it to detect weaknesses in the system and to track networks of illicit crime and political violence.

Thus, financial data’s ability to help map networks of behavior when combined with other types of information means that finance’s role in foreign policy extends well beyond economics.

That is, of course, if government agencies can acquire that data – legally or otherwise.

I argue (briefly explained here and here) that financial data intelligence is one example of a new type of statecraft suited to the digital age: Information Statecraft – the attempt to influence through the acquisition, control, or presentation of data, information, or knowledge.

However, financial data isn’t solely held by governments; it’s held by private financial institutions, which presents numerous challenges to using financial data for sanctions or other policies. Bremmer and Kupchan also allude to this point – “the weaponization of finance is a tool that can be used with minimal cooperation from other governments.” While it oversimplifies the relationships involved, it does highlight the importance of private sector compliance.

Financial institutions have always treasured data for their own purposes, but now states are demanding they record, maintain, and report more of it to authorities (e.g. FATF recommendations for Politically Exposed Persons, Beneficial Ownership, Know Your Customer rules, Suspicious Action/Activity Reports, among others). For decades, and more so after 9/11, governments have expected bankers to be AML/CTF sentinels, which is very far from their primary business: to make money.

The weaponization of finance is real, and has been evolving for a while.  We need to expand our views of statecraft to accommodate the new realities of the digital world, and this is especially true of the relationship between finance and foreign policy.

A Note on Extraterritoriality

“Extraterritoriality” keeps coming up in interviews and conversations, and as I write about the legalities of data sharing I find this concept has a curious pedigree.

In some instances it is exclusionary. Diplomatic immunity is the most often cited example, where a host country cannot prosecute foreign dignitaries’ misdeeds under local law, but in certain circumstances their native land will waive this right. The term can also denote inclusion, where states claim national law applies beyond their sovereign borders citing the ‘effects test.’

In both, boundaries are defined and crossed.  They perfectly illustrate the legal and physical dichotomies in the world(s) of information communications technologies, finance, and data, which may be geographically and legally defined, yet transnational in their virtual and physical existence.  As I have been told, “Banking is local” – regulations, attitudes about money and investing reflect local expectations, but in the last 40 years the technologies and many of the staffing and services on which we depend to facilitate these relationships, are not.  This is also a problem for international organizations like the IMF that worry about interstate cooperation and enforcement in a regulatory world – “How are they [the G20] going to deal with extraterritoriality?” The suggested answer – “They only cooperate when they are scared.”  The danger is that instead of compromise and adaptation, states and corporations will resort to a tug of war mentality of interests based on strict definitions and boundaries.

Extraterritoriality asks, “Whose rules apply, to whom, and when?” It addresses setting standards and enforcing them. In the end, I do not think that the corporate world or governments will be entirely successful in avoiding a battle of territorialities, but I do hope that there is enough ‘fear’ to motivate them to recognize the importance of compromise to everyone’s interests. Too often, in the aftermath of crisis (whether it be the national security or financial kind) policy-makers and practitioners fall into a lull of comfort, lose sight of the big picture, and start aggressively pushing politics into areas that desperately demand practical solutions.

Next post: Qualifying and Quantifying “Big Data” (a buzzword that I’m increasingly beginning to loathe)