Multinationals, Privacy, AML/CTF et al.

Originally posted on June 14, 2016

A small update (more to come) to announce that an article I wrote with W. Travis Selmier in 2015 has been published!  Due to unforeseen delays in production, Border Crossings released our article in their April 2016 issue.  We hope you enjoy it.

“Multinational Banks as Carriers for US & EU Law”

In other news, the SWIFT paper will be in the public eye very soon.  I had the opportunity to speak about it at the IAPP Global Privacy Summit in Washington, DC in November (“Mission Impossible: Complying with Banking Secrecy, Privacy, and AML Obligations”) to an enthusiastic audience, and with a great panel.  I am very proud of this work and hope that it helps the transatlantic banking and regulatory communities tackle AML/CTF and data protection issues as the EU’s 4th Anti-Money Laundering Directive (4AMLD) and the General Data Protection Regulation (GDPR) become realities in the next two years.

Why Bitcoin is Like PONG

Originally posted on September 29, 2015

I’ve been absent from blog writing to finish the SWIFT Project (nearly done!), and to write a piece for American Banker.   Now, I’m taking a moment to pause for some brief thoughts on bitcoin.

I ‘own’ 1,017.69 bits, which amounts to 25 cents USD. I was a little giddy when someone on Twitter gifted them to me as a reward for a snarky comment about the financial crisis.

Receiving bitcoin was like getting PONG for Christmas circa 1977.   For those not as nerd-minded as I, I assure you this is a compliment.

PONG, in its pixelated glory, was a pioneer of home gaming, a forerunner of the fantastic systems we have today.  Bitcoin is part of that same technological spirit because the blockchain has the potential to take money, value, and payments out of the hands of states and financial institutions, and bring it into our homes.

Before people start screaming “It’s not widespread and a fad!”, or cheering “Down with the establishment!” let me explain – it’s a start not an end.

Bitcoin is a product of a community that has always been interested in stretching boundaries.  It’s where the ideas start, but the ideas really begin to enter our daily lives and become ‘normal’ because of their ability to adapt to current conditions, and then become mainstream.  That’s going to take some time, and some new ideas.

To me, the blockchain is part of an evolutionary development in money’s digital transformation.  This initiative came from the private sector, but we’ve already seen states create their own digital currency with Special Drawing Rights (SDRs).

The technology and the ideas behind the blockchain are diverse and adaptable – exactly the kinds of “innovative” thinking that the financial industry adores.

Markets and consumers are excited about the possibilities, because it:

States and regulators have been cautious.  In the EU, the European Banking Authority warned that virtual currencies are unregulated and that lack of regulation brings regulatory risk. However, a few months ago, an official from the EBA told me this did not mean it was against digital currencies – “We like diversity.”

The US has issued fines and started to regulate Bitcoin with limited success.  Meanwhile, like-minded companies strive to provide individuals and firms who use bitcoin and the blockchain with the same confidence fiat currencies enjoy.

Lastly, the blockchain is transparent, but can offer privacy with some effort, which is one of the least understood aspects of the technology.  This year, I was at a dinner where a successful business guest dismissed bitcoin saying it was “just for illegal stuff.”  When I responded that it was appealing for many reasons including the possibility of privacy, I was asked, “What’s the big deal about your information? Are you some kind of data survivalist?”

No, I was not afraid of the government and did not envision some apocalyptic data future.  I just like the idea, which did not make me a contemporary societal anomaly.

The message was not well received, but I was not surprised.

Later, I rode home on the train, playing PONG on my smart phone.

Google, the Right to be Forgotten & Multinational Corporations

Originally posted on May 14, 2015

Today, I joined 80 other academics in requesting Google to release more information about its implementation of the European Court of Justice’s “Right to be Forgotten” (RTBF) ruling.

Last year, in Harvard Business Review I said that the Decision presented opportunities for innovation and profit if transnational companies recognized the demands of established, and emerging, privacy markets.  However, profit isn’t the only reason why companies should be interested in Google’s RTBF process – it is a prime example of the important role that the private sector plays in setting transnational privacy standards.

The ECJ applied EU data protection law, but it did not set the procedures for the implementation of the Right to be Forgotten.   This task has been left to Google, which has been working with a core group of advisors and EU bodies like Working Party 29 to build internal procedures to comply with a legal concept that continues to evolve.  In effect, the Google experiment will set processes that will influence, either positively or negatively depending with whom you speak, the future of privacy and data protection for the EU and anyone who does business there.

Google’s actions, voluntary or not, are a valuable part of the data privacy dialogue among states, corporations, and individuals.   For any law to be successful (measure success how you will) it must take into consideration how companies operate.  In setting internal processes to comply, corporations make their greatest contributions to data protection.

Google has already responded to our open letter saying it will “consider” more transparency.  I suspect it fears publishing data on still-evolving policies or revealing proprietary information.  However, clarifying RTBF procedures may assist the company to identify program strengths and weaknesses, reduce the number of ineligible removal submissions, help other companies to understand regulatory expectations and perhaps prompt them to adopt some of Google’s strategies, and in due time, inform the content and character of future legislation.

Thus, Google’s practices demonstrate the private sector’s influence on the implementation of data protection law.  It also suggests that corporations shouldn’t have to engage in standards-setting only in response to a legal mandate.

In today’s global digital business atmosphere, companies confront transnational data flows and privacy conflicts in their operations every day. Yet, multinationals typically view privacy concerns as an infringement on their business models.  Instead, the private sector could use its operational knowledge and implementation power to create industry-wide data protection standards that consider national legislation, are responsive to customer concerns and lower their operational risks, before, or even in the absence of regulatory mandates.

Adopting a privacy inclusive view of data operations is better than waiting for, and responding to, litigation, which is a losing strategy in an interconnected world.

Separation Anxiety: AML, Privacy, Vendors & Multinationals

Originally posted on April 6, 2015

Last month, I had the pleasure of speaking at the 20th Annual ACAMS AML & Financial Crime Conference in Hollywood, FL.  From my understanding, it was the first time the organization had offered a panel on compliance and privacy for cross-border data flows. Our panel was well-attended, which demonstrated the industry’s growing concern about these issues. It was a great experience and I had a wonderful time with my fellow panelists.

I attended many panels in those two days as the lone academic in a sea of compliance professionals (social anthropology note: they dress better than academics, drinks are free and top-shelf, nice swag).  I had great conversations, quite a lot of fun, and the insights I gained from these interactions reinforced some of the mantras in my research.

So this intrepid academic decided to do some very informal interviewing and observations at the exhibition hall.  I walked through to see if any vendors listed privacy as a service in their displays (only 2). At the same time, I randomly asked about their experience with AML and privacy.

My opening salvo went something like this:

Do you have any technology-driven or governance-centered services that address AML and data protection for national or international banking?

“No, each of those services are client-driven.”
“We don’t have anyone at this conference who can speak about privacy.”
“It’s separate from AML.”
“Our service doesn’t handle data protection.”

At this point, there are few, if any, services able to provide the financial community with technological solutions that take into account INFOSEC, data protection, and compliance (AML and otherwise).   And, we cannot ignore the governance and policy instruments that must come with them.   I love the automated aspects of the field but they cannot, and should not, dominate compliance.

Now I’m not blaming the vendors solely for these shortcomings.  They respond to their customers’ demands.  Everyone is focusing on AML because the fines are getting bigger and privacy is pushed to the low-risk back-burner.   (By the way, I’ve found similar problems with privacy professionals, so I’m not picking on AML.)

These conditions also reflect a separation between security and privacy in the regulations themselves (e.g. I’ll be speaking about the still unresolved problems in the 4th Money Laundering Directive and data protection in London in May).

However, privacy is catching up.

I predict that in 5 years financial institutions will find themselves scrambling to respond to data protection/privacy regulations that are already issued, or in the pipeline.  They will spend money to employ a new team of specialized consultants, which will produce redundant services that could easily be integrated into existing structures with a little ingenuity. They will do all of this not realizing that privacy is already part of their business, because their clients already expect it.

Innovation involves seeing relationships beyond your nose – and the horizon.