Data Sharing, AML/CFT & Data Privacy: 2018, Together at Last?

Happy and healthy 2018 to all!

In this series of blog posts, I will discuss FATF’s November 2017 Guidance on Private Sector Information Sharing.  I am happy to say that the Guidance addresses many of the points I noted in my 2016 SWIFT Institute paper on AML/CTF and data privacy (e.g. cross-border data protection law, how confidentiality can forbid group sharing).

The FATF Guidance is a welcome development and seems to be part of a shift in thinking towards more favorable attitudes regarding data governance among AML/CFT professionals that I have personally noted in the past year. This is probably due to a host of factors including the EU’s General Data Protection Regulation (GDPR) constantly being in the headlines, the rise of cooperative public-private groups such as the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) and US’s FinCEN Exchange, Brexit, and developments in Fintech.

Building off its 2016 efforts, this FATF Guidance puts information sharing on the map in committing its governments to implement agendas to meet these goals.  The Guidance tells the private sector that states consider data sharing an internal and group priority.  Hopefully, it will provide financial institutions with enough confidence to contribute to forming the standards necessary so data sharing (public-private and private-private) can effectively balance market and national security interests.  FATF emphasizes this throughout the text, noting that putting the guidelines into practice requires public and private views and expertise.  Notably, FATF adds data privacy authorities to the Guidance’s intended audience alongside governments and financial institutions, thereby recognizing the importance of these views to the goal.

However, as is typical of any international group’s stance on a globally complicated issue with conditions that change according to jurisdiction, FATF guidance can only provide guideposts – it does not, and cannot, furnish the detailed governance and operational processes that regulators and financial institutions need.  This is not a criticism, but a reminder of the role and limitations of these Guidances and how much work there is yet to be done by national authorities and the private sector.*

FATF confirmed the widely-held belief that information sharing is essential to a “well-functioning AML/CFT framework.” In forthcoming posts, I will expand on three thematic streams within the Guidance;

  1. Data protection and privacy and AML/CFT are not mutually exclusive
  2. Financial institutions must share data internally and across the group
  3. Effective data sharing is only possible with public-private and private-private cooperation. (Recognizing the sometime cyclical cycle that public-private groups are “source as well as target of information flow.”)

All while noting that two conditions pervade all of the above;

  • Siloed views are not effective
  • Technology and governance are intertwined

I am looking forward to getting on the blog wagon again and seeing how the data sharing regime develops.  A thank you to everyone who has been supportive of my work on this topic over the years. Keep engaging – there’s more to come in 2018.

Cheers!

*Having said this, I hope the Wolfsberg Group follows suit and completes its 2014 guidance on AML/CFT and data privacy.

 

**This blog represents my personal opinions and does not represent LexisNexis Risk Solutions.  My research is my personal intellectual property and has been in no way influenced by any member of the financial services community or by government officials.

Separation Anxiety: AML, Privacy, Vendors & Multinationals

Last month, I had the pleasure of speaking at the 20th Annual ACAMS AML & Financial Crime Conference in Hollywood, FL.  From my understanding, it was the first time the organization had offered a panel on compliance and privacy for cross-border data flows. Our panel was well-attended, which demonstrated the industry’s growing concern about these issues. It was a great experience and I had a wonderful time with my fellow panelists.

I attended many panels in those two days as the lone academic in a sea of compliance professionals (social anthropology note: they dress better than academics, drinks are free and top-shelf, nice swag).  I had great conversations, quite a lot of fun, and the insights I gained from these interactions reinforced some of the mantras in my research.

So this intrepid academic decided to do some very informal interviewing and observations at the exhibition hall.  I walked through to see if any vendors listed privacy as a service in their displays (only 2). At the same time, I randomly asked about their experience with AML and privacy.

My opening salvo went something like this:

Do you have any technology-driven or governance-centered services that address AML and data protection for national or international banking?

“No, each of those services are client-driven.”
“We don’t have anyone at this conference who can speak about privacy.”
“It’s separate from AML.”
“Our service doesn’t handle data protection.”

At this point, there are few, if any, services able to provide the financial community with technological solutions that take into account INFOSEC, data protection, and compliance (AML and otherwise).   And, we cannot ignore the governance and policy instruments that must come with them.   I love the automated aspects of the filed but they cannot, and should not, dominate compliance.

Now I’m not blaming the vendors solely for these shortcomings.  They respond to their customers’ demands.  Everyone is focusing on AML because the fines are getting bigger and privacy is pushed to the low-risk back-burner.   (By the way, I’ve found similar problems with privacy professionals, so I’m not picking on AML.)

These conditions also reflect a separation between security and privacy in the regulations themselves (e.g. I’ll be speaking about the still unresolved problems in the 4th Money Laundering Directive and data protection in London in May).

However, privacy is catching up.

I predict that in 5 years financial institutions will find themselves scrambling to respond to data protection/privacy regulations that are already issues, or in the pipeline.  They will spend money to employ a new team of specialized consultants, which will produce redundant services that could easily be integrated into existing structures with a little ingenuity. They will do all of this not realizing that privacy is already part of their business, because their clients already expect it.

Innovation involves seeing relationships beyond your nose – and the horizon.