Data Sharing, AML/CFT & Data Privacy: 2018, Together at Last?

Originally posted on December 31, 2017

Happy and healthy 2018 to all!

In this series of blog posts, I will discuss FATF’s November 2017 Guidance on Private Sector Information Sharing.  I am happy to say that the Guidance addresses many of the points I noted in my 2016 SWIFT Institute paper on AML/CTF and data privacy (e.g. cross-border data protection law, how confidentiality can forbid group sharing).

The FATF Guidance is a welcome development and seems to be part of a shift in thinking towards more favorable attitudes regarding data governance among AML/CFT professionals that I have personally noted in the past year. This is probably due to a host of factors including the EU’s General Data Protection Regulation (GDPR) constantly being in the headlines, the rise of cooperative public-private groups such as the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) and US’s FinCEN ExchangeBrexit, and developments in Fintech.

Building off its 2016 efforts, this FATF Guidance puts information sharing on the map in committing its governments to implement agendas to meet these goals.  The Guidance tells the private sector that states consider data sharing an internal and group priority.  Hopefully, it will provide financial institutions with enough confidence to contribute to forming the standards necessary so data sharing (public-private and private-private) can effectively balance market and national security interests.  FATF emphasizes this throughout the text, noting that putting the guidelines into practice requires public and private views and expertise.  Notably, FATF adds data privacy authorities to the Guidance’s intended audience alongside governments and financial institutions, thereby recognizing the importance of these views to the goal.

However, as is typical of any international group’s stance on a globally complicated issue with conditions that change according to jurisdiction, FATF guidance can only provide guideposts – it does not, and cannot, furnish the detailed governance and operational processes that regulators and financial institutions need.  This is not a criticism, but a reminder of the role and limitations of these Guidances and how much work there is yet to be done by national authorities and the private sector.*

FATF confirmed the widely-held belief that information sharing is essential to a “well-functioning AML/CFT framework.” In forthcoming posts, I will expand on three thematic streams within the Guidance;

  1. Data protection and privacy and AML/CFT are not mutually exclusive
  2. Financial institutions must share data internally and across the group
  3. Effective data sharing is only possible with public-private and private-private cooperation. (Recognizing the sometime cyclical cycle that public-private groups are “source as well as target of information flow.”)

All while noting that two conditions pervade all of the above;

  • Siloed views are not effective
  • Technology and governance are intertwined

I am looking forward to getting on the blog wagon again and seeing how the data sharing regime develops.  A thank you to everyone who has been supportive of my work on this topic over the years. Keep engaging – there’s more to come in 2018.

Cheers!

*Having said this, I hope the Wolfsberg Group follows suit and completes its 2014 guidance on AML/CFT and data privacy.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Good-bye to 2016: to 2018

December 28, 2016

Happy New Year (a bit early)! 2016 was quite an exciting and busy year with many personal and professional transitions that left little time for blogging.  However, I’m back with insights as the financial services and authorities work throughout 2017 to implement the AML/CTF and data protection legislation and agreements for 2018.

Before I discuss recent developments in the field, I’d like to comment on the release of my SWIFT Institute-sponsored paper on US-EU AML/CTF & Privacy for Multinational Banks,* which was published in August (download here). The Institute also invited me to speak about it at Sibos in Geneva, Switzerland in September (download slides here).

My experience with the Institute has been fantastic. A sincere thank you to Peter Ware and Nancy Murphy for their kindness, professionalism, and support for independent research that allows academics to reach practitioners with meaningful analysis.**

19 AML/CTF & Data Privacy Compliance Conflicts Graphic from the Paper (Caution: Not as Impressive as SWIFT’s interactive graphic!)

I highly recommend that you visit the Institute’s fabulous interactive graphic for an overview of the 19 compliance conflicts (view here).

Don’t forget to read the last section of the paper that covers Profiling! It lives in all 19 issues and impacts every single AML/CTF compliance function.

About the paper:

The paper is a primer for financial institutions and policy-makers to identify 19 legal conflicts that may affect a multinational’s ability to comply with the AML/CTF and privacy regimes.  I hope that this information enables private actors to understand how their internal processes may expose them to regulatory risk; for public actors, I hope it provides a better understanding of the challenges the private sector faces in multi-jurisdictional compliance, but especially how these issues affect the quality of data that private corporations ultimately provide to authorities to achieve the end goal – combating financial crime and political violence.

As one can imagine, there was not enough space for an analysis of all the dimensions or actors involved, so a few things to note;

  • The US Terrorist Financing Tracking Program (TFTP) demands a paper of its own due to developments regarding the development of an EU TFTS.
  • I shelved an anonymous AML/CTF & Privacy survey due to an insufficient data sample. I will conduct the survey again, but the preliminary results demonstrated a clear US and EU divide.  Respondents did highlight AML/CTF and data protection concerns when dealing with high risk third country areas.
  • Section 3.2 on Public-Private cooperation could have been a paper onto itself (and may appear as a forthcoming chapter). Multinationals face tough decisions when they operate in multiple countries where they must comply with data requests from authorities.

The Takeaway

Despite the difficulties ahead, in the paper’s conclusions, I state that the financial services should be acting now to align their data protection obligations in 4AMLD to the GDPR.

4AMLD and the GDPR consistently refer to ‘safeguards’ for data processing, but these safeguards are ultimately left up to EU Member State law, so the diversity among EU Member State law will continue.  The GDPR formally calls for cooperation among industry associations to formulate “codes of conduct” to set the technical and organizational standards outlined in the Regulation.  Article 38 (40 and 41 in final version) outlines the codes’ provisions, which are broad enough to accommodate compliance’s risk-based regime, including secure systems and fair and transparent data processing for legitimate interests.

The private sector should work with Member States to create AML/CTF & privacy-centric ‘codes of conduct’ that harmonize with these developing national safeguards .

I’ll be posting updates on those efforts as I become aware of them.

Have a healthy and safe 2017!

Want to learn more?  Join me on 22 February 2017 for a webinar on Nomoneylaundering.com 

NOTE: Paper referrals to EU legislation predate the final version of the GDPR and the articles and recitals may have changed. The text is the same and thus the analysis has not been impacted.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Multinationals, Privacy, AML/CTF et. al.

Originally posted on June 14, 2016

A small update (more to come) to announce that an article I wrote with W. Travis Selmier in 2015 has been published!  Due to unforeseen delays in production, Border Crossings released our article in their April 2016 issue.  We hope you enjoy it.

“Multinational Banks as Carriers for US & EU Law”

In other news, the SWIFT paper will be in the public eye very soon.  I had the opportunity to speak about it at the IAPP Global Privacy Summit in Washington, DC in November (“Mission Impossible: Complying with Banking Secrecy, Privacy, and AML Obligations”) to an enthusiastic audience, and with a great panel.  I am very proud of this work and hope that it helps the transatlantic banking and regulatory communities tackle AML/CTF and data protection issues as the EU’s 4th Anti-Money Laundering Directive (4AMLD) and the General Data Protection Regulation (GDPR) become realities in the next two years.