Data Privacy and AML Rules on a Transatlantic Collision Course
In the digital age, financial data is both a commercial tool and a means of detecting criminal activity. This leaves multinational financial institutions, especially those that operate in both the United States and the European Union, at risk for fines and litigation.
The dual nature of financial data means that it is simultaneously governed by two regimes: anti-money-laundering and counter-terrorism finance laws that seek to protect the financial system from fraud, crime, and political violence; and data protection and privacy laws that seek to protect an individual's identity and choices from government and private abuse.
Neither set of regulations adequately addresses financial data's dual role. This means that multinational banks can find it difficult to comply with one without violating the other, particularly given that different countries incentivize banks to prioritize different regimes. It is time for the financial sector to take this opportunity to establish industry standards that turn client privacy into a business asset. This will mitigate the operational risks arising from sometimes-contradictory national AML and data protection requirements.
There is some harmony between U.S. and E.U. risk-based laws intended to root out money laundering and terrorist financing. Privacy is a different story.
The E.U.'s comprehensive rules-based system protects privacy as a human right. The law is meant to be applied with limited exceptions. Meanwhile, the U.S. protects privacy by sector and typically treats consumer data as property, with civil rights set by case law. Multinational banks find themselves balancing different demands on the data they collect from their clients, which causes problems in AML compliance.
The legal ambiguities have their greatest impact with cross-border data flows. This year, the E.U.'s fourth money-laundering directive legalized group-wide suspicious activity reports and supporting data and included data protection provisions that safeguard these transfers.
Couching data protection within AML operations provides a trail of accountability. But U.S. and E.U. multinationals still face obstacles since they do not, and cannot, allow unfettered data access among all of their affiliates and subsidiaries. That's because network systems and software are often incompatible and some data protection and disclosure laws forbid trans-border access. In addition, in the U.S., banks are forbidden to share SARs with their foreign branches and affiliates because of disclosure restrictions, which make it difficult to implement group-wide compliance programs. Thus, AML compliance officers must circumvent technological and legal barriers in one jurisdiction to investigate or complete reports for another and risk penalties for doing so.
One thing that data protection and AML officials do share is an affinity for enforcing accountability with fines and litigation. In 2014, the U.S. levied $13 billion in fines against banks for AML violations, including European firms. Europe also issued millions in AML penalties. On the privacy side, a bevy of U.S. state and federal agencies enforce corporate privacy regulations, but there are generous exceptions for AML and national security. The E.U. Data Protection Directive, meanwhile, allows for a wide range of national penalties and actions for data violations, but it also contains exemptions for AML under the umbrella of the "public interest."
The inclusion of data protection in the Money-Laundering Directive closes many of the E.U.'s AML data loopholes. The requirement for group-wide data sharing makes it clear that AML processes and procedures must include privacy standards no matter where they operate. And soon, the E.U.'s General Data Protection Regulation will allow fines of either 2% or 5% of global annual turnover or 100 million, which incentivizes banks to take these rules seriously.
Yet given the current trend of holding AML compliance officials personally accountable for violations, as well as the broader regulatory effort to instill a culture of ethical responsibility into business, it's likely that AML will remain many banks' top priority. The AML/privacy dichotomy will prompt many compliance officials to weigh their own welfare against that of their firms.
An experienced AML officer made this point explicitly in May at the Association of Certified Anti-Money Laundering Specialists' 11th Annual AML and Financial Crime conference in London when a fellow panelist challenged him about using data that might violate data privacy and protection rules:
"But you might get a 5% global fine!"
"Yes, I know, but I am not putting myself in jeopardy."
Few compliance officers would disagree.
A Multidisciplinary Approach to Best Practices
It is in no one's best interest for AML and data privacy regulations to maintain their transatlantic collision course. To navigate this new environment, financial services officials need to change their attitudes about data privacy.
For many, it is understandably easier to view countering illicit finance and terrorism as a public good. The threat of state surveillance or corporate data misuse might seem benign in comparison.
But financial institutions must reevaluate their ethical responsibilities to client data. The political climate has shifted, and the public expects private corporations to consciously balance national security with individual rights.
Moreover, banks' entitled attitude toward client data and their attempts to monetize it as an asset are not helping their public image. Clients care about privacy both in the U.S. and the E.U. Firms that respond to this demand and market their commitments to privacy effectively will gain reputational trust and simultaneously lower their risk of data protection violations in Europe.
Ultimately, it is big banks' responsibility to establish data privacy best practices in the context of their AML duties. At the global and regional levels, some conflicts could be mitigated by establishing regular dialogues among government, regulatory and law enforcement officials. From these deliberations, banks should establish best practices for products and jurisdictions. To avoid informational and educational stovepipes, they should do so with a multidisciplinary approach that involves information security specialists, privacy and AML professionals, and senior executives who possess overlapping knowledge and skillsets.
The duality of data in finance cannot be eliminated. However, the tension among national security, privacy, and business risk can be managed better with a concerted effort on the part of the industry.
Dr. Michelle Frasher is a consulting and research scholar affiliated with the E.U. Center at the University of Illinois at Urbana-Champaign. Her study on AML and data protection issues in the U.S. and E.U., sponsored by the SWIFT Institute, is forthcoming in October 2015. She writes about politics, finance, AML, and privacy at www.frasher.cc and @michellefrasher.