Over the years, I have finished several research projects on AML/Privacy. This page will be updated as projects are completed. In-progress efforts will have their own pages.
Fulbright-Schuman 2014: Belgium & Malta
Announced 13 January 2014
Part of my original motivation for this blog was to share my experiences as a Fulbright-Schuman Scholar, which is a tremendous honor. I was a resident scholar at the University Gent, Belgium with the Department of Political Science from February until March 2014, and the University of Malta with the Department of Information Policy and Governance from April to May 2014.
Summary of the research: [with commentary] Transatlantic counter-terrorist efforts have suffered from policy incongruities for decades [The US and EU have different approaches to countering terrorism; the US has generally favored a military approach since it mostly experienced terrorism in the context of Cold War animosities, which made it a foreign policy issue. Europeans typically dealt with terrorism “at home” with nationalist/separatist groups, which meant that they approached the problem through police work and their domestic legal systems.], but the current security climate demands a cooperative approach. [Networks of political violence are increasingly global since the end of the Cold War and states must cooperate if they are going to combat these types of issues – hello technology and globalization!]
This research develops a theoretical and empirical case for the use of financial data to map terrorist networks. [Governments should recognize that “following the money”, or financial data, can give them another piece of intelligence in mapping terrorist networks across states.] Information Statecraft, a concept I recently introduced in Business Horizons, suggests that a government’s ability to control and acquire data (financial or otherwise) may lend it the ability to understand and influence the policies and behaviors of other states and non-state actors. [The contemporary international economy is fueled on finance rather than trade, which has put financial data in a unique position – the globalized and digitized world has transformed the use and character of money into data. However, governments do not hold all the data themselves; they need the help of financial institutions who do have it, and this often poses problems for banks, which want to keep their data from prying (regulatory and competitor) eyes but must also comply with national laws. Something I explain in my Adequacy versus Equivalency article. Finally, there are the rights of individuals – how do demands on their data challenge personal concerns about privacy?]
Privacy & Security
The EU and US hold different views about privacy and naturally have different laws to determine who “owns” data.
The EU regards the protection of personal data as a human right, and ownership of personally identifiable information (e.g. name, face, date, place of birth, credit card numbers, and genetics) is vested in the person. No matter what entity – government, another person, bank, etc. – may possess that data, it remains the right of the individual to determine its usage. EU legislation has proactively responded to technologies that made it easier to spread information and harder for individuals to maintain control over it. The most significant of these, Directive 95/46/EC, includes the right of consent, notification of disclosure, right of access, and the right to object to the processing of data. These laws extend to the EU’s counter-terrorism strategies, which were also shaped by its domestic experiences with political violence over the past decades. Therefore, counter-terrorism operations within the EU are typically conducted by criminal investigation where data collection is subject to due process.
In the US, data ownership is the property of the holder, whoever that might be, and the government only regulates certain issues or groups. To date, there is no universal privacy or data protection legislation to govern US citizen data. So, for example, the Constitution covers governmental uses of data, not those of private corporations as the European model does.
Thus, US financial institutions (and everyone else) control their terms of service to their clientele and provide limited opportunities to “opt-out” of selected uses of personal data. Regulation is reserved for accuracy and transparency purposes, but there is no official oversight. Attitudes about counter-terrorism and data collection were influenced by Cold War experiences with Communism and foreign terrorist organizations, where responses generally involved sanctions or military force. At home, the US conducted surveillance of its citizens for evidence of Communist sympathies, a practice extended to contemporary concerns about terrorism with the 2001 USA PATRIOT Act, which increased the government’s data access.
These differences sometimes mean that when the US government wants to obtain a European citizen’s data (legally, that is. It can tap into intercontinental lines outside sovereign borders, but that data still has a “landed” owner like a person or corporation), say for counter-terrorism investigations, it might run into problems because individuals have protections under EU law (specifically under Directive 95/46/EC).
But the European Commission and European Parliament are currently debating revising 95/46/EC and transforming it into a Regulation, which would create one European law. Under a Directive, each EU state is expected to enact national laws in keeping with the minimum standards of the Directive, whereas a Regulation creates one law to be implemented among all of them (national governments can have stricter privacy provisions if they desire).
The Current Common Question: What about the Snowden Affair?
It is no secret that the NSA has been collecting data on US citizens since its inception (For starters, see Church Committee investigations and a nice little piece about that here), but what has been particularly interesting to my ears is learning how the Agency collects and stores data, either with or without the knowledge and cooperation of private corporations. Has this affected the transatlantic partnership? The European Parliament and Commission have shown concern, and the case certainly has elevated the topic to the public’s attention, but its real impact is yet to be determined. Snowden is a small part of a larger issue though.
However, my interests in privacy and data protection predate the Snowden Affair. I want to get all perspectives about the topic – private companies and officials from both sides of the Atlantic to see how they see data in terms of their interests and their opinions about policies that rule it – or don’t. I hope to contribute some understanding to a topic that encompasses many different groups who often do not speak the same language of interests.
SWIFT Institute AML/CTF & Privacy Project
COMPLETED! Published July 2016 – Download the paper via SSRN
Multinational Banking and Conflicts among US-EU AML/CTF Compliance & Privacy Law: Operational & Political Views in Context
A project sponsored by The SWIFT Institute. SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a member-owned cooperative of institutions across the globe which is dedicated to industry-led solutions to a host of issues that pervade the financial services industries. The Institute sponsors academic research of interest to its membership and, as you can see, cross-border compliance and privacy are certainly among its interests.
The financial services community has confronted increasing demands on its data from government regulators, law enforcement, and national intelligence services because financial information provides essential intelligence to determine weaknesses in the financial system and detect networks of illicit trade and political violence. However, how multinational banks comply with conflicting national Anti-Money Laundering and Counter-Terrorism Finance (AML/CTF) requirements, and how these requirements mesh with data protection and privacy laws in different jurisdictions, is an understudied area in the financial services.
This project examined AML/CTF guidelines and privacy laws that govern US-EU data flows to assess how multinational banks handle the contradictions among these requirements and where there might be opportunities for industry cooperation. It will:
1) illuminate conflicts between AML/CTF reporting and privacy laws that govern cross-border data flows of Personally Identifiable Information (PII) that place banks and their subsidiaries at risk;
2) place AML/CTF reporting in context of political developments like the proposed EU Directive for law enforcement and national security data, and the Safe Harbor regime;
3) suggest ways forward for the next 2 years.