Good-bye 2016: To 2018

Happy New Year (a bit early)! 2016 was quite an exciting and busy year with many personal and professional transitions that left little time for blogging.  However, I’m back with insights as the financial services and authorities work throughout 2017 to implement the AML/CTF and data protection legislation and agreements for 2018.

Before I discuss recent developments in the field, I’d like to comment on the release of my SWIFT Institute-sponsored paper on US-EU AML/CTF & Privacy for Multinational Banks,* which was published in August (download here). The Institute also invited me to speak about it at Sibos in Geneva, Switzerland in September (download slides here).

My experience with the Institute has been fantastic. A sincere thank you to Peter Ware and Nancy Murphy for their kindness, professionalism, and support for independent research that allows academics to reach practitioners with meaningful analysis.**

19 AML/CTF & Data Privacy Compliance Conflicts Graphic from the Paper (Caution: Not as Impressive as SWIFT’s interactive graphic!)

I highly recommend that you visit the Institute’s fabulous interactive graphic for an overview of the 19 compliance conflicts (view here).

Don’t forget to read the last section of the paper that covers Profiling! It lives in all 19 issues and impacts every single AML/CTF compliance function.

About the paper:

The paper is a primer for financial institutions and policy-makers to identify 19 legal conflicts that may affect a multinational’s ability to comply with the AML/CTF and privacy regimes.  I hope that this information enables private actors to understand how their internal processes may expose them to regulatory risk; for public actors, I hope it provides a better understanding of the challenges the private sector faces in multi-jurisdictional compliance, but especially how these issues affect the quality of data that private corporations ultimately provide to authorities to achieve the end goal – combating financial crime and political violence.

As one can imagine, there was not enough space for an analysis of all the dimensions or actors involved, so a few things to note:

  • The US Terrorist Financing Tracking Program (TFTP) demands a paper of its own due to ongoing developments regarding an EU TFTS.
  • I shelved an anonymous AML/CTF & Privacy survey due to an insufficient data sample. I will conduct the survey again, but the preliminary results demonstrated a clear US and EU divide.  Respondents did highlight AML/CTF and data protection concerns when dealing with high-risk third-country areas.
  • Section 3.2 on Public-Private cooperation could have been a paper unto itself (and may appear as a forthcoming chapter). Multinationals face tough decisions when they operate in multiple countries where they must comply with data requests from authorities.

The Takeaway

Despite the difficulties ahead, in the paper’s conclusions, I state that the financial services should be acting now to align their data protection obligations in 4AMLD to the GDPR.

4AMLD and the GDPR consistently refer to ‘safeguards’ for data processing, but these safeguards are ultimately left up to EU Member State law, so the diversity among EU Member State law will continue.  The GDPR formally calls for cooperation among industry associations to formulate “codes of conduct” to set the technical and organizational standards outlined in the Regulation.  Article 38 (40 and 41 in final version) outlines the codes’ provisions, which are broad enough to accommodate compliance’s risk-based regime, including secure systems and fair and transparent data processing for legitimate interests.

The private sector should work with Member States to create AML/CTF & privacy-centric ‘codes of conduct’ that harmonize with these developing national safeguards.

I’ll be posting updates on those efforts as I become aware of them.

Have a healthy and safe 2017!

Want to learn more?  Join me on 22 February 2017 for a webinar on Nomoneylaundering.com 

Still to Come:
4AMLD Amendments (aka 5AMLD) and the GDPR impact

*Paper references to EU legislation predate the final version of the GDPR and the articles and recitals may have changed.

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Separation Anxiety: AML, Privacy, Vendors & Multinationals

Last month, I had the pleasure of speaking at the 20th Annual ACAMS AML & Financial Crime Conference in Hollywood, FL.  From my understanding, it was the first time the organization had offered a panel on compliance and privacy for cross-border data flows. Our panel was well-attended, which demonstrated the industry’s growing concern about these issues. It was a great experience and I had a wonderful time with my fellow panelists.

I attended many panels in those two days as the lone academic in a sea of compliance professionals (social anthropology note: they dress better than academics, drinks are free and top-shelf, nice swag).  I had great conversations, quite a lot of fun, and the insights I gained from these interactions reinforced some of the mantras in my research.

So this intrepid academic decided to do some very informal interviewing and observations at the exhibition hall.  I walked through to see if any vendors listed privacy as a service in their displays (only 2). At the same time, I randomly asked about their experience with AML and privacy.

My opening salvo went something like this:

Do you have any technology-driven or governance-centered services that address AML and data protection for national or international banking?

“No, each of those services are client-driven.”
“We don’t have anyone at this conference who can speak about privacy.”
“It’s separate from AML.”
“Our service doesn’t handle data protection.”

At this point, there are few, if any, services able to provide the financial community with technological solutions that take into account INFOSEC, data protection, and compliance (AML and otherwise). And we cannot ignore the governance and policy instruments that must come with them. I love the automated aspects of the field, but they cannot, and should not, dominate compliance.

Now I’m not blaming the vendors solely for these shortcomings.  They respond to their customers’ demands.  Everyone is focusing on AML because the fines are getting bigger and privacy is pushed to the low-risk back-burner.   (By the way, I’ve found similar problems with privacy professionals, so I’m not picking on AML.)

These conditions also reflect a separation between security and privacy in the regulations themselves (e.g. I’ll be speaking about the still unresolved problems in the 4th Money Laundering Directive and data protection in London in May).

However, privacy is catching up.

I predict that in 5 years financial institutions will find themselves scrambling to respond to data protection/privacy regulations that are already issued, or in the pipeline.  They will spend money to employ a new team of specialized consultants, which will produce redundant services that could easily be integrated into existing structures with a little ingenuity. They will do all of this not realizing that privacy is already part of their business, because their clients already expect it.

Innovation involves seeing relationships beyond your nose – and the horizon.

The “Weaponization of Finance” is more than Sanctions – It’s Data

I am always happy when I see people address the links between finance and security because it is so rare.

Last month, Daniel Drezner, of Tufts University and the Brookings Institute, wrote about the “hard limits of economic statecraft” regarding the use of sanctions against Russia’s actions in the Ukraine (interview here too).  This week, Ian Bremmer and Cliff Kupchan, of the Eurasia Group listed “The Weaponization of Finance” as a “Top Risk of 2015.”

Bremmer and Kupchan correctly assert that the US’s global financial position affords American policymakers powerful means to influence behaviors beyond its borders.  Specifically, they note access to capital markets and sanctions as “tools of coercive diplomacy.”  They cite the US influence on norms in international organizations, the dollar’s role as the premier reserve and investment currency, and the vulnerability of the private banking sector to cyber-attack as further evidence of its power resources.

Sanctions deserve a place in the statecraft toolbox, but as Business Insider’s @elenaholodny summarized, they are difficult to employ successfully (see also David Baldwin’s classic Economic Statecraft, Meghan O’Sullivan’s Shrewd Sanctions, Cortright and Lopez’s Smart Sanctions, and Drezner’s own Sanctions Paradox).

Restricting the use of finance to sanctions limits its value to foreign affairs. The technological revolution in banking, which has digitalized the industry, finance’s multinational presence, and the increase in recordkeeping and reporting requirements after 9/11 and the 2008 crisis, have provided policymakers with an opportunity to harness financial data to map behaviors, networks of violence, and illicit economies across borders.

The Eurasia Group hints at this: “The United States is expanding its ability to track the financial transactions [my emphasis] of government leaders of concern, as well as their state and private sector allies, in order to close their access to capital and property.”

But governments use financial data for more than sanctions. They do it to detect weaknesses in the system and to track networks of illicit crime and political violence.

Thus, financial data’s ability to help map networks of behavior when combined with other types of information means that finance’s role in foreign policy extends well beyond economics.

That is, of course, if government agencies can acquire that data – legally or otherwise.

I argue (briefly explained here and here) that financial data intelligence is one example of a new type of statecraft suited to the digital age: Information Statecraft – the attempt to influence through the acquisition, control, or presentation of data, information, or knowledge.

However, financial data isn’t solely held by governments; it’s held by private financial institutions, which presents numerous challenges to using financial data for sanctions or other policies.  Bremmer and Kupchan also allude to this point – “the weaponization of finance is a tool that can be used with minimal cooperation from other governments.”  While it oversimplifies the relationships involved, it does highlight the importance of private sector compliance.

Financial institutions have always treasured data for their own purposes, but now states are demanding they record, maintain, and report more of it to authorities (e.g. FATF recommendations for Politically Exposed Persons, Beneficial Ownership, Know Your Customer rules, Suspicious Action/Activity Reports, among others). For decades, and more so after 9/11, governments have expected bankers to be AML/CTF sentinels, which is very far from their primary business: to make money.

The weaponization of finance is real, and has been evolving for a while.  We need to expand our views of statecraft to accommodate the new realities of the digital world, and this is especially true of the relationship between finance and foreign policy.