EU AML/CTF & the Duality of Financial Data: Rule Based Processing & Risk Based Compliance

I have argued that the dual nature of financial data means that it is simultaneously governed by two regimes: anti-money-laundering (AML) and counter-terrorism finance (CTF) laws that seek to protect the financial system from fraud, crime, and political violence; and data protection and privacy laws that seek to protect an individual’s identity and choices from government and private abuse. However, neither set of regulations adequately addresses financial data’s dual role.

Much of my research focused on the challenges this poses for multinational financial institutions, but the same issues apply to law enforcement authorities operating in the financial crime space. The most recent example pertains to FIU.net, a decentralized data-sharing platform housed within Europol that gives EU Financial Intelligence Units (FIUs) control over the information they share with their European counterparts, while maintaining control of that data within EU jurisdictions.[1]

In December 2019, the European Data Protection Supervisor (EDPS) imposed a year-long ban on Europol’s technical operation of FIU.net because it breached the Europol Regulation, which limits processing to police data and suspects. However, the definition of a suspect varies according to Member State law, and for that reason the Europol Cooperation Board could not “consistently ensure that Europol is legally competent” to process all types of suspicious transaction data that passed through FIU.net, since it also contained data on those not suspected of financial crimes. In the words of the report:

To comply with the [Europol] rules, individuals involved in suspicious transactions would have to be considered as suspects. FIUs, however, act before the start of any criminal proceeding or investigation has begun.

This is true, but the core of the AML risk-based method as recommended by the Financial Action Task Force (FATF) and the EU’s 4th Anti-money Laundering Directive (4AMLD) stipulates that financial institutions must report suspicious actions to FIUs. Suspicion is determined not by a legal standard, but by unique risk assessments dependent on factors endemic to the institution. Furthermore, there are mandatory thresholds for reporting currency transactions, which again do not denote illegal acts. As a result, most reports FIUs receive do not make an individual a suspect under the law and present insufficient grounds for FIU.net to operate under the technical care of Europol.

The current rule-based framework for the collection and transfer of financial crime data among private entities, authorities, and EU organizations is incompatible with the risk-based method and with mapping the illicit economy. It is difficult to determine a suspect from the contents of a single report, as one piece of information may not signal an illicit act on its own – it must be combined and analyzed with multiple pieces of information held by several groups to unmask illicit networks and reach legal thresholds of intent, determine suspects, and initiate investigations.

Thus, while the legal foundation of the EDPS decision was clear, it was not in balance with the anti-financial crime regime in which it operates. The EDPS suspension was to give time for a “smooth transition of the technical administration of FIU.net to another entity” by December 2020, which is now less than 7 months away. It is difficult to determine the suspension’s impact on inter-European cooperation (although the Egmont Secure Web (ESW) email system maintained by the US FIU, FinCEN, is still available to EU FIUs).

On June 17, 2020, the European Council’s “CONCLUSIONS on enhancing financial investigations to fight serious and organised crime” seemed to acknowledge the problem, reaffirming a fundamental fact of combating financial crime: that the private sector possesses “significant amounts of personal data possibly [emphasis added] relevant for law enforcement authorities.” While calling for the Commission to make a “temporary arrangement” for FIU.net and to “table a proposal for a long term solution”, the Council encouraged the creation of legal frameworks for cross-border cooperation and information sharing among FIUs, between FIUs and Europol, and between public and private parties.

In the case of Europol and FIU.net, it is difficult to surmise which EU institution could legally, and operationally, process potentially criminal data to support FIUs, the financial crime regime, and the new Europol Financial and Economic Crime Centre (EFECC), and unite the EU’s AML supervisory capabilities. Legal frameworks must address the realities of risk-based reporting and suspicion without depending on rule-based data processing. To bridge the gap, the Commission and EDPS should focus on outlining safeguards for processing AML data for both public and private entities as suggested in 4AMLD, GDPR, Directive (EU) 2019/1153, Regulation (EU) 2016/794, and other applicable laws.


[1] In 2014, I spent the day at Europol learning the FIU.net model. It influenced my work on a transaction monitoring methodology with standardized yet flexible data sets that can be used across business lines and inform risk assessments, which can set standards for suspicion and mitigate this issue. (Happy to discuss in DM).

Mutual Support

Originally posted on August 21, 2018

In my inaugural 2018 post, I presented three takeaway themes from FATF’s November 2017 Guidance on Private Sector Information Sharing. The first – Data privacy and AML/CFT are not mutually exclusive – is a straightforward observation that is addressed head on by the Guidance.

“AML/CFT and DPP public policy goals are not mutually exclusive and should recognize support and be balanced.”

It is an overdue statement that should bring privacy to the forefront of financial crime compliance discussion, not only because it brings data privacy on par, but because of the assertion that they support each other.   But even as the Guidance emphasizes mutual support, it doesn’t exactly articulate how one reinforces the other.  Yet, it is important to understand the relationship because it promotes effective and legal data sharing for AML/CFT.

AML/CFT compliance programs depend on the sharing of data among many different groups, and require financial institutions (FIs) to know what data to collect and use, when to share it, and with whom to share it. These are difficult tasks owing to a host of factors including, but not limited to, the varied types and volume of data needed for risk-based decision-making. Privacy controls would seem to complicate the matter because they mandate certain rules for processing data for specific purposes.

As I have said in the past, the duality of data – the condition that financial data is both commercial and potentially criminal at the same time – creates a conundrum for FIs. Determining when financial data’s commercial use ends and when AML/CFT use begins is therefore a fundamental problem of implementation, because that point determines when commercial rules conclude and AML/CFT data privacy governance kicks in. To further complicate matters, the ‘switch’ is not permanent, since an individual’s data flows back and forth during the life-cycle of the business relationship. Lastly, the criteria will be unique within an FI and its group [internal], and differ again if sharing is conducted FI to FI, or if an FI transfers to authorities (and vice versa) [external].

However, this is where understanding the privacy/compliance support nexus matters. While FATF did not explicitly outline how privacy supports AML/CFT or how to apply it in a compliance program, it did provide components of that support process, which I have been incorporating into a framework. In this post, I outline the role of three components:

  • Technology
  • Data standardization
  • Data governance

Technology:

FATF notes that FIs confront a mish-mash of incompatible systems, software, and data formats within and across a group (often from mergers and acquisitions), and/or deal with older technologies that make upgrades difficult or impossible without incurring massive costs – all of which can impede information sharing. Each environment may be designed to process different types of data for varied uses. Some systems may be repetitious AML solutions across business lines, while others may ingest data that was not collected for AML use but may be necessary at some point in the compliance workflow. The latter can make data transfer difficult, because the data was collected for one purpose but is essential to another. This is certainly true of, for example, KYC processes, where customer information is collected for a commercial relationship but could easily be escalated to EDD or FIU groups. Again, it is not a stretch to say that many banking databases or systems hold dual-purpose or dual-use data.

A primary exercise in applying privacy by design principles involves conducting a data inventory (aka mapping, lineage) – a survey of what data is collected and from where, its purpose, its access permissions, conditions of transfer, and its storage, retention, and deletion. Done well, it maps where AML and non-AML systems and data comingle, which helps identify where commercial-to-compliance flows occur.

Data Standardization & Data Governance:

FATF notes that standardization of data types and formats “may also promote data sharing by enabling integration,” and provides examples of “information elements” necessary for data sharing and the value each data element provides the FI. The Guidance points out the usefulness of certain data elements (p.8), in “global risk assessment” (p.10) and “product services and geographical risks” (p. 11). Although FATF does not get into details, successful risk-based assessments require at least three groups of data – market (business views), regulatory (data demanded by law), and criminal typologies (data provided by authorities) – each involving unique governance considerations, many of which are beyond the scope of the privacy laws that govern the FI’s own data.

The data inventory allows information technology staff to survey compatibilities across the business, but it also helps identify what data is fit for purpose in the construction of AML/CFT standardized data sets.  This exercise must involve content and compliance SMEs working alongside IT pros.  Only their combined knowledge can create the focused data sets required.

Focused and flexible data sets attuned to shifting risk conditions contribute to robust decision-making matrices that set signal points or benchmarks to help FIs determine when ‘enough’ information has been gathered to warrant sharing within the corporate group or with authorities without evoking the ire of AML or privacy regulators. In privacy parlance this is part of data minimization, using only the data necessary for the job, which supports quality analysis, reduces labor, and maximizes the value of FI intelligence to the business, other FIs, or authorities. Standardization contributes to setting access points and permissions that establish audit trails – essential for confidentiality, which mitigates AML/CFT secrecy laws that can lead to blockages. Lastly, the entire process maps data flows that inform data governance (i.e. in EU parlance, when GDPR’s “safeguards” apply), as it highlights when data passes from the commercial to compliance spaces (or comingles).
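To make the data inventory exercise concrete, here is an added example (my own illustration, not code from the post or from FATF) of a toy inventory: each data element records the purpose it was collected for, each system records the purpose it processes for, and each flow records which elements move between systems. From that, the script finds the ‘switch’ points where commercially collected data enters an AML/CFT system, flags the switch points with no documented safeguard, and lists the systems where commercial-origin and AML-origin data comingle. All systems, elements, flows and the safeguard reference are constructed for the example.

```python
from dataclasses import dataclass

COMMERCIAL = "commercial"
AML = "aml_cft"


@dataclass(frozen=True)
class DataElement:
    name: str
    collected_for: str  # purpose declared when the element was first collected


@dataclass(frozen=True)
class System:
    name: str
    purpose: str        # purpose the system processes data for
    holds: frozenset    # names of data elements stored here
    roles: frozenset    # roles with access (part of the audit-trail view)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    elements: frozenset
    safeguard: str = ""  # documented basis for the transfer; empty if none recorded


# Constructed sample inventory: not a real institution's systems or data.
ELEMENTS = {e.name: e for e in [
    DataElement("customer_name", COMMERCIAL),
    DataElement("address", COMMERCIAL),
    DataElement("account_turnover", COMMERCIAL),
    DataElement("pep_flag", AML),
    DataElement("sar_narrative", AML),
]}

SYSTEMS = {s.name: s for s in [
    System("onboarding_crm", COMMERCIAL,
           frozenset({"customer_name", "address"}), frozenset({"relationship_mgr"})),
    System("core_banking", COMMERCIAL,
           frozenset({"customer_name", "account_turnover"}), frozenset({"ops"})),
    System("edd_case_mgmt", AML,
           frozenset({"customer_name", "address", "pep_flag"}), frozenset({"edd_analyst"})),
    System("fiu_reporting", AML,
           frozenset({"customer_name", "account_turnover", "sar_narrative"}),
           frozenset({"fiu_officer"})),
]}

FLOWS = [
    Flow("onboarding_crm", "core_banking", frozenset({"customer_name"})),
    Flow("onboarding_crm", "edd_case_mgmt", frozenset({"customer_name", "address"}),
         safeguard="escalation policy ref CONSTRUCTED-001"),  # placeholder reference
    Flow("core_banking", "fiu_reporting", frozenset({"customer_name", "account_turnover"})),
]


def switch_points(flows, systems, elements):
    """Flows that carry an element collected for a commercial purpose into a
    system whose purpose is AML/CFT: the points where compliance governance
    (and any required safeguard) starts to apply. Each entry is
    (src, dst, switched element names, safeguard documented?)."""
    out = []
    for f in flows:
        if systems[f.dst].purpose != AML:
            continue
        switched = sorted(e for e in f.elements if elements[e].collected_for == COMMERCIAL)
        if switched:
            out.append((f.src, f.dst, tuple(switched), bool(f.safeguard)))
    return out


def unsafeguarded(flows, systems, elements):
    """Switch points with no documented safeguard: the gaps to close first."""
    return [sp for sp in switch_points(flows, systems, elements) if not sp[3]]


def comingled(systems, elements):
    """Systems holding both commercial-origin and AML-origin elements, i.e.
    stores where both regimes apply at once."""
    names = []
    for s in systems.values():
        purposes = {elements[e].collected_for for e in s.holds}
        if {COMMERCIAL, AML} <= purposes:
            names.append(s.name)
    return sorted(names)


if __name__ == "__main__":
    for sp in switch_points(FLOWS, SYSTEMS, ELEMENTS):
        print("switch point:", sp)
    print("missing safeguard:", unsafeguarded(FLOWS, SYSTEMS, ELEMENTS))
    print("comingled stores:", comingled(SYSTEMS, ELEMENTS))
```

In this constructed inventory the onboarding-to-EDD escalation carries a documented safeguard, but the core-banking-to-FIU-reporting flow does not, so it is the first gap a compliance and privacy team would document; the EDD and FIU stores both hold commercial-origin and AML-origin data and are where access permissions and audit trails matter most.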

Information Sharing in Practice?

FATF (and this report) suggests that FIs are (slowly) operationalizing privacy in AML using these methods, and are engaging with national data protection authorities as they do so. The Annex provides brief examples where FIs and privacy authorities currently consult (e.g. France, Spain), but a country-by-country approach produces inconsistencies that will not suit a multinational financial system. For example, the EU’s GDPR allows Member States to determine how data safeguards will be applied to AML/CFT data, which means that multinationals will not be able to implement consistent data sharing networks across their own groups, let alone the globe. As these standards spread to other financial centers like Japan, the problems will be compounded – a fact that FATF also noted:

“…global financial institutions operating in multiple jurisdictions would benefit from data protection authorities issuing clarifying interpretation and guidance on the extent to which sharing personal data across borders for AML/CFT purposes is permissible under the public interest or other derogation(s) contained in different data protection regulations on data transfers (e.g. the extent to which transfers of data made for the purpose of complying with AML/CFT is permissible).”

There is still much work to be done before FIs (and other obligated entities) harness the mutually supportive data privacy and AML/CFT practices.  While much of this involves breaking down education and informational silos within FIs, among policy-makers, and regulators, the FATF Guidance signals some progress.  This high-level framework briefly described ways that privacy is complementary to AML/CFT, and I will be devoting much of my energy in the coming months to further developing the details.

Data Sharing, AML/CFT & Data Privacy: 2018, Together at Last?

Originally posted on December 31, 2017

Happy and healthy 2018 to all!

In this series of blog posts, I will discuss FATF’s November 2017 Guidance on Private Sector Information Sharing.  I am happy to say that the Guidance addresses many of the points I noted in my 2016 SWIFT Institute paper on AML/CTF and data privacy (e.g. cross-border data protection law, how confidentiality can forbid group sharing).

The FATF Guidance is a welcome development and seems to be part of a shift in thinking towards more favorable attitudes regarding data governance among AML/CFT professionals that I have personally noted in the past year. This is probably due to a host of factors, including the EU’s General Data Protection Regulation (GDPR) constantly being in the headlines, the rise of cooperative public-private groups such as the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) and the US’s FinCEN Exchange, Brexit, and developments in Fintech.

Building off its 2016 efforts, this FATF Guidance puts information sharing on the map in committing its governments to implement agendas to meet these goals.  The Guidance tells the private sector that states consider data sharing an internal and group priority.  Hopefully, it will provide financial institutions with enough confidence to contribute to forming the standards necessary so data sharing (public-private and private-private) can effectively balance market and national security interests.  FATF emphasizes this throughout the text, noting that putting the guidelines into practice requires public and private views and expertise.  Notably, FATF adds data privacy authorities to the Guidance’s intended audience alongside governments and financial institutions, thereby recognizing the importance of these views to the goal.

However, as is typical of any international group’s stance on a globally complicated issue with conditions that change according to jurisdiction, FATF guidance can only provide guideposts – it does not, and cannot, furnish the detailed governance and operational processes that regulators and financial institutions need.  This is not a criticism, but a reminder of the role and limitations of these Guidances and how much work there is yet to be done by national authorities and the private sector.*

FATF confirmed the widely-held belief that information sharing is essential to a “well-functioning AML/CFT framework.” In forthcoming posts, I will expand on three thematic streams within the Guidance:

  1. Data protection and privacy and AML/CFT are not mutually exclusive
  2. Financial institutions must share data internally and across the group
  3. Effective data sharing is only possible with public-private and private-private cooperation. (Recognizing the sometimes cyclical cycle in which public-private groups are the “source as well as target of information flow.”)

All while noting that two conditions pervade all of the above:

  • Siloed views are not effective
  • Technology and governance are intertwined

I am looking forward to getting on the blog wagon again and seeing how the data sharing regime develops.  A thank you to everyone who has been supportive of my work on this topic over the years. Keep engaging – there’s more to come in 2018.

Cheers!

*Having said this, I hope the Wolfsberg Group follows suit and completes its 2014 guidance on AML/CFT and data privacy.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Good-bye to 2016: to 2018

December 28, 2016

Happy New Year (a bit early)! 2016 was quite an exciting and busy year with many personal and professional transitions that left little time for blogging.  However, I’m back with insights as the financial services and authorities work throughout 2017 to implement the AML/CTF and data protection legislation and agreements for 2018.

Before I discuss recent developments in the field, I’d like to comment on the release of my SWIFT Institute-sponsored paper on US-EU AML/CTF & Privacy for Multinational Banks,* which was published in August (download here). The Institute also invited me to speak about it at Sibos in Geneva, Switzerland in September (download slides here).

My experience with the Institute has been fantastic. A sincere thank you to Peter Ware and Nancy Murphy for their kindness, professionalism, and support for independent research that allows academics to reach practitioners with meaningful analysis.**

19 AML/CTF & Data Privacy Compliance Conflicts Graphic from the Paper (Caution: Not as Impressive as SWIFT’s interactive graphic!)

I highly recommend that you visit the Institute’s fabulous interactive graphic for an overview of the 19 compliance conflicts (view here).

Don’t forget to read the last section of the paper that covers Profiling! It lives in all 19 issues and impacts every single AML/CTF compliance function.

About the paper:

The paper is a primer for financial institutions and policy-makers to identify 19 legal conflicts that may affect a multinational’s ability to comply with the AML/CTF and privacy regimes.  I hope that this information enables private actors to understand how their internal processes may expose them to regulatory risk; for public actors, I hope it provides a better understanding of the challenges the private sector faces in multi-jurisdictional compliance, but especially how these issues affect the quality of data that private corporations ultimately provide to authorities to achieve the end goal – combating financial crime and political violence.

As one can imagine, there was not enough space for an analysis of all the dimensions or actors involved, so a few things to note:

  • The US Terrorist Financing Tracking Program (TFTP) demands a paper of its own due to developments regarding the development of an EU TFTS.
  • I shelved an anonymous AML/CTF & Privacy survey due to an insufficient data sample. I will conduct the survey again, but the preliminary results demonstrated a clear US and EU divide.  Respondents did highlight AML/CTF and data protection concerns when dealing with high risk third country areas.
  • Section 3.2 on Public-Private cooperation could have been a paper unto itself (and may appear as a forthcoming chapter). Multinationals face tough decisions when they operate in multiple countries where they must comply with data requests from authorities.

The Takeaway

Despite the difficulties ahead, in the paper’s conclusions, I state that the financial services should be acting now to align their data protection obligations in 4AMLD to the GDPR.

4AMLD and the GDPR consistently refer to ‘safeguards’ for data processing, but these safeguards are ultimately left up to EU Member State law, so the diversity among EU Member State law will continue.  The GDPR formally calls for cooperation among industry associations to formulate “codes of conduct” to set the technical and organizational standards outlined in the Regulation.  Article 38 (40 and 41 in final version) outlines the codes’ provisions, which are broad enough to accommodate compliance’s risk-based regime, including secure systems and fair and transparent data processing for legitimate interests.

The private sector should work with Member States to create AML/CTF & privacy-centric ‘codes of conduct’ that harmonize with these developing national safeguards.

I’ll be posting updates on those efforts as I become aware of them.

Have a healthy and safe 2017!

Want to learn more?  Join me on 22 February 2017 for a webinar on Nomoneylaundering.com 

NOTE: Paper referrals to EU legislation predate the final version of the GDPR and the articles and recitals may have changed. The text is the same and thus the analysis has not been impacted.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.