Originally posted on August 21, 2018
In my inaugural 2018 post, I presented three takeaway themes from FATF’s November 2017 Guidance on Private Sector Information Sharing. The first – Data privacy and AML/CFT are not mutually exclusive – is a straightforward observation that is addressed head-on by the Guidance.
“AML/CFT and DPP public policy goals are not mutually exclusive and should recognize support and be balanced.”
It is an overdue statement that should bring privacy to the forefront of financial crime compliance discussion, not only because it brings data privacy on par, but because of the assertion that they support each other. But even as the Guidance emphasizes mutual support, it doesn’t exactly articulate how one reinforces the other. Yet, it is important to understand the relationship because it promotes effective and legal data sharing for AML/CFT.
AML/CFT compliance programs depend on the sharing of data among many different groups, and requires financial institutions (FIs) to know what data to collect and use, know when to share it, and with whom to share it. These are difficult tasks owing to a host of factors including, but not limited to, the varied types of data and volume of data needed for risk-based decision-making. Privacy controls would seem to complicate the matter because they mandate certain rules for processing data for specific purposes.
As I have said in the past, the duality of data (the condition that financial data is both commercial and potentially criminal at the same time) creates a conundrum for FIs. Determining when financial data’s commercial use ended and when AML/CFT use began is therefore a fundamental problem of implementation, because that point determines when commercial rules concluded and AML/CFT data privacy governance kicked in. To further complicate matters, the ‘switch’ is not permanent, since an individual’s data flows back and forth during the life-cycle of the business relationship. Lastly, the criteria will be unique depending on whether sharing occurs within an FI and its group [internal], from FI to FI, or from an FI to authorities (and vice versa) [external].
This is where understanding the privacy/compliance support nexus is important. While FATF did not explicitly outline how privacy supports AML/CFT or how to apply it in a compliance program, it did provide components of that support process, which I have been incorporating into a framework. In this post, I outline the role of three components:
- Data standardization
- Data governance
FATF notes that FIs confront a mish-mash of incompatible systems, software, and data formats within and across a group (often from mergers and acquisitions), and/or deal with older technologies that make upgrades difficult or impossible without incurring massive costs – all of which can impede information sharing. Each environment may be designed to process different types of data for varied uses. Some systems may be repetitious AML solutions across business lines, while others may ingest data that was not collected for AML use but may be necessary at some point in the compliance workflow. The latter can make data transfer difficult, because the data was collected for one purpose but is essential to another use. This is certainly true of, for example, KYC processes, where customer information is collected for a commercial relationship but could easily be escalated to EDD or FIU groups. Again, it is not a stretch to say that many banking databases or systems hold dual-purpose or dual-use data.
A primary exercise in applying privacy by design principles involves conducting a data inventory (aka mapping, lineage) – a survey of what data is collected and from where, its purpose, its access permissions, conditions of transfer, and its storage, retention, and deletion. Done well, it maps where AML and non-AML systems and data commingle, which helps identify where commercial-to-compliance flows occur.
Data Standardization & Data Governance:
FATF notes that standardization of data types and formats “may also promote data sharing by enabling integration,” and provides examples of “information elements” necessary for data sharing and the value each data element provides to the FI. The Guidance points out the usefulness of certain data elements (p. 8), in “global risk assessment” (p. 10) and “product services and geographical risks” (p. 11). Although FATF does not get into details, successful risk-based assessments require at least three groups of data – market (business views), regulatory (data demanded by law), and criminal typologies (data provided by authorities) – each of which involves unique governance considerations, many beyond the scope of the privacy laws that govern the FI’s own data.
The data inventory allows information technology staff to survey compatibilities across the business, but it also helps identify what data is fit for purpose in the construction of standardized AML/CFT data sets. This exercise must involve content and compliance SMEs working alongside IT professionals. Only their combined knowledge can create the focused data sets required.
Focused and flexible data sets attuned to shifting risk conditions contribute to robust decision-making matrices that set signal points or benchmarks to help FIs determine when ‘enough’ information has been gathered to warrant sharing within the corporate group or with authorities without provoking the ire of AML or privacy regulators. In privacy parlance this is part of data minimization – using only the data necessary for the job – which supports quality analysis, reduces labor, and maximizes the value of FI intelligence to the business, other FIs, or authorities. Standardization contributes to setting access points and permissions that establish audit trails – essential for confidentiality, which mitigates the AML/CFT secrecy laws that can lead to blockages. Lastly, the entire process maps data flows that inform data governance (in EU parlance, when GDPR’s “safeguards” apply), as it highlights when data passes from the commercial to the compliance space (or commingles).
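To make the data inventory, data minimization and audit-trail ideas above concrete, here is an added example (mine, not from the original post or from FATF) that models a purpose-bound inventory: each data element is registered with the purposes it was collected for, a transfer to the compliance side releases only the fields that are both declared for the AML purpose and actually required by the receiving team, and every transfer, including the fields withheld, is written to an audit log. The element names, source systems, retention periods and the sample customer record are all constructed for illustration, as is the `escalate_to_edd` helper.

```python
"""Purpose-bound data inventory with minimized, audited transfers.

Added illustration, not code from the original post. Every element name,
source system, retention period and customer value below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed purpose labels: the commercial relationship versus AML/CFT
# compliance work (KYC data escalated to EDD or FIU teams, in the post's terms).
COMMERCIAL = "commercial"
AML = "aml"


@dataclass(frozen=True)
class DataElement:
    """One row of the data inventory: what is held, where it came from,
    which purposes it was collected for, and how long it is retained."""
    name: str
    source_system: str
    purposes: frozenset
    retention_days: int


@dataclass
class Inventory:
    elements: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, element: DataElement) -> None:
        self.elements[element.name] = element

    def dual_use(self) -> list:
        """Elements declared for both commercial and AML use: the points where
        commercial and compliance data flows commingle and need governance."""
        return sorted(name for name, e in self.elements.items()
                      if COMMERCIAL in e.purposes and AML in e.purposes)

    def transfer(self, customer: dict, purpose: str, required: set, actor: str) -> dict:
        """Release only fields that are (a) declared for `purpose` in the
        inventory and (b) requested by the receiving team (data minimization).
        The audit entry records what was released and what was withheld."""
        released, withheld = {}, []
        for name in sorted(required):
            element = self.elements.get(name)
            if element is None or purpose not in element.purposes or name not in customer:
                withheld.append(name)
                continue
            released[name] = customer[name]
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "purpose": purpose,
            "released": sorted(released),
            "withheld": withheld,
        })
        return released


def build_inventory() -> Inventory:
    """Constructed inventory for a small retail-banking group."""
    inv = Inventory()
    inv.register(DataElement("full_name", "crm", frozenset({COMMERCIAL, AML}), 3650))
    inv.register(DataElement("date_of_birth", "crm", frozenset({COMMERCIAL, AML}), 3650))
    inv.register(DataElement("transaction_history", "core_banking", frozenset({COMMERCIAL, AML}), 1825))
    inv.register(DataElement("marketing_preferences", "crm", frozenset({COMMERCIAL}), 365))
    inv.register(DataElement("sar_reference", "fiu_case_mgmt", frozenset({AML}), 3650))
    return inv


# Constructed customer record; the values are placeholders.
SAMPLE_CUSTOMER = {
    "full_name": "A. Example",
    "date_of_birth": "1980-01-01",
    "transaction_history": ["txn-0001", "txn-0002"],
    "marketing_preferences": {"email": True},
}


def escalate_to_edd(inv: Inventory, customer: dict) -> dict:
    """Hypothetical EDD escalation: the analyst asks for four fields, but the
    inventory only permits the three declared for AML use to leave the
    commercial space; marketing preferences are withheld and logged."""
    wanted = {"full_name", "date_of_birth", "transaction_history", "marketing_preferences"}
    return inv.transfer(customer, AML, wanted, actor="edd-analyst")


if __name__ == "__main__":
    inventory = build_inventory()
    print("dual-use elements:", inventory.dual_use())
    print("released to EDD:", sorted(escalate_to_edd(inventory, SAMPLE_CUSTOMER)))
    print("audit entry:", inventory.audit_log[-1])
```

The `dual_use` listing is the commingling map the post describes; the `transfer` method is where the commercial-to-compliance switch is enforced and evidenced, so a privacy or AML reviewer can reconstruct from the audit log which fields crossed over, for which purpose, and on whose request.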
Information Sharing in Practice?
FATF (and this report) suggests that FIs are (slowly) operationalizing privacy in AML using these methods, and are engaging with national data protection authorities as they do so. The Annex provides brief examples where FIs and privacy authorities currently consult (e.g. France, Spain), but a country-by-country approach produces inconsistencies that will not suit a multinational financial system. For example, the EU’s GDPR allows Member States to determine how data safeguards will be applied to AML/CFT data, which means that multinationals will not be able to implement consistent data sharing networks across their own groups, let alone the globe. As these standards spread to other financial centers like Japan, the problems will be compounded – a fact that FATF also noted:
“…global financial institutions operating in multiple jurisdictions would benefit from data protection authorities issuing clarifying interpretation and guidance on the extent to which sharing personal data across borders for AML/CFT purposes is permissible under the public interest or other derogation(s) contained in different data protection regulations on data transfers (e.g. the extent to which transfers of data made for the purpose of complying with AML/CFT is permissible).”
There is still much work to be done before FIs (and other obligated entities) harness the mutually supportive data privacy and AML/CFT practices. While much of this involves breaking down educational and informational silos within FIs, among policy-makers, and among regulators, the FATF Guidance signals some progress. This high-level framework briefly described ways in which privacy is complementary to AML/CFT, and I will be devoting much of my energy in the coming months to further developing the details.