Reuters: Greater awareness of personal data privacy law heightens conflict with financial crime regulation
The general public's greater awareness of data privacy and the prevalence of such law has made it increasingly challenging for financial institutions to comply with know-your-customer (KYC) rules and other financial crime regulations, consultants said.
The conflict between personal data privacy law and financial crime regulation has long existed even before the EU General Data Protection Regulation (GDPR), which marks the most important change in data privacy regulation in 20 years, was enforced on May 25, 2018, said Tim Phillipps, APAC leader - financial crime network at Deloitte in Singapore. But that conflict has heightened in recent years.
"It is difficult and there is a conflict. As people become more aware of data privacy and a steady increase of data privacy law, it is increasingly difficult for banks to meet the obligations under the KYC rules and comply with data privacy requirements, particularly in the requirement of collecting data from location to location," he said.
Financial institutions that run a data centre in one jurisdiction trying to access the data of their customers in European countries and Indonesia where personal data privacy law rules are particularly onerous, face enormous challenges, Phillipps said.
Data privacy regulation and standards have put the onus on companies and financial institutions where monitoring of personal information is concerned, said Brandon Daniels, president, global technology markets at Exiger in New York. Data privacy law such as GDPR requires companies to obtain rights or legal permission before they are allowed to access a subject's personal information.
In KYC compliance, financial institutions are required to have processes to demonstrate that they have done sufficiently deep due diligence on customers to ensure they find the necessary information associated with their customers. Most systems, processes and enhanced due diligence connected to KYC and financial crime processes take into consideration large amounts of data that sit in a grey zone in terms of data privacy use, Daniels said.
"This gives rise to the issue of determining what data financial institutions can use in the KYC and financial crime processes, and raises the question of whether banks are able to develop processes and policies that allow them to immediately halt the inspection of, or wipe completely, information from their systems," he said.
Daniels pointed to another challenge faced by banks when they rely on third-party watchlists for information or adverse media about their customers and are simultaneously provided with personal data of people with the same name whom they were searching for information in the watchlists.
"It's an ambiguity in the law. We will see how that plays out in the next five years," he said.
Early days but technology can help
If the massive fines imposed on Facebook – which was slapped with a $5 billion fine - and other companies embroiled in cyber breaches resulting in personal data privacy law breaches are any indications, they suggest that solving these problems remain in their infancy, Daniels said.
"We are still in the early days of figuring out how to manage these challenges effectively. But there are tools that can help banks get ahead of this," he said.
Some financial institutions have begun to use technology that allows them to filter out information that is not associated with the individuals on whom they are conducting due diligence and for which they have no legal permission to use their data to conduct due diligence, according to Daniels.
Tools such as association technology identifies documents, information and articles that have a prevalence of data points in common with the targets of due diligence before a human takes over to review the information.
"Association technology allows the systems to provide only information that has a high probability of being connected to the targets of due diligence... Today a relationship manager can use a screening tool to screen a customer's risk. In future, there will be technology that allows you to determine the probability that the information is about the person you are looking for. These tools will require more questions to be asked and information to be input by a relationship manager in order to do screening. It's got to enhance the relationship manager's engagement with retail or corporate customers to make sure they get enough information," he said.
Regulators need to allow segmentation of data; tricky subject
Sharing customers' information among banks is one possible solution to resolving this conflict but that requires regulators to acknowledge data can be used in different forms if it is for the purposes of conducting KYC or anti-money laundering processes, Phillipps said. Regulators need to allow segmentation of data, he said.
"Regulators have the ability to say, 'We expect you to strictly comply with data privacy rules in the ordinary course of business but when it comes to the identification of proceeds of crime, they [banks] will be able to share data and use it in a form that might address the problem… Banks need a different level of access to data to address the challenges of financial crime; essentially, an exemption from strict privacy for the purposes of identifying the proceeds of crime," he said.
This is a tricky subject to regulators because it deals with the heart of problem - striking a balance between protecting individual privacy and enabling the identification of proceeds of crime, Phillipps said. There have been continuous discussions on this topic in the regulatory community but there has been no consensus so far.
The Wolfsberg Group initiative
A number of initiatives addressing the conflict between complying with personal data privacy law and meeting financial crime obligations have been undertaken. One such initiative, driven by the Wolfsberg Group, involves creating a sandbox environment in the United States and the UK where banks demonstrate whether sharing of information among themselves would make a substantial difference in preventing financial crime. The initiative began 18 months ago and is still a work-in-progress.
"They have been experimenting with it for some time. The U.S. regulators have got proof-of-concept involving sharing of intelligence among banks. This makes is possible for banks to put the data in a closed environment. There hasn't been an outcome. If banks are able to cross-compare data with other banks, then we will have a far more efficient system because the intelligence would be far more substantial," he said.
An experiment worth undertaking
The Wolfsberg Group initiative has so far not been piloted in Asia. Such an experiment would be worth undertaking in Singapore where the regulator has a precedent for doing closed environment experiments in the financial technology (fintech) space. Lifting rules for the closed environment, proof-of-concept would help to determine whether such an approach is useful in fighting financial crime, Phillipps said.
"It would be an experiment worth undertaking – sharing data across Singapore banks from [an] intelligence and analytics [perspective] and identifying how much of money has been sourced through financial crime. It might also improve the ability of data used in identifying proceeds of crime without losing sight of the purpose in fighting drug trafficking, human trafficking and wildlife trafficking. It's become a common conversation among the heads of financial crime at banks to say: 'If we can share the information between banks more readily, we will identify more financial crime'," he said.
But regulators need to strike a balance if they eventually allow banks to share data.
"There is no doubt regulators would understand the challenges banks are facing in terms of doing it. It's a question, in many cases, of whether you could do more with information sharing among banks and whether regulators could facilitate and encourage that," he said.
Daniels said there would be increasing pressure on regulators to provide more definitive guidance.
- Writen by Patricia Lee, chief correspondent, banking and securities regulation, Asia
This article first appeared on Thomson Reuters Regulatory Intelligence
Fighting financial crime in practice:
Read more from Reuters in Exiger’s series of articles for AML professionals
- Advanced Analytics Used for Tackling AML Issues Have Yet to Replace Banks' Legacy Systems
Data analytics has the potential to uncover financial crime – but how are banks implementing it on the frontline?
Read article >
- Collaborations Between Regulators and Industry Most Effective in Addressing Financial Crime
How can financial institutions and regulators work together to trace the 99% of illicit funds still hidden in financial markets?
Read article >
- 1% Illicit Funds Uncovered in Financial System Raises Question About Whether Banks Need to Do More
Less than 1% of illicit money flows typically gets seized and frozen given today’s AML controls – so how do you trace the other 99% awash in financial markets?
Read article >