When Karl Marx foresaw the rise of global capital structures, he ultimately foresaw the withering away of the nation state. Like many of Marx's prophecies, he was right in some ways, but wrong in others. While the nation state persists, it continues to pose major problems to the supranational entities built over the last few decades. One problem, in particular, involves national privacy and data protection laws.
While global banks have an unquenchable thirst for customers' data, they are agnostic as to the country that data is sourced from. On the other hand, independent sovereign nations fiercely protect the rights of their citizens to maintain the privacy of this data and, in many cases, seek to keep data from leaving their borders. Many countries have laws in place that make it potentially illegal for entities say banks with branches in different countries to share certain types of information when it is moving across national borders. The type of information potentially subject to such restrictions ranges from names and social security numbers to sensitive personal information such as criminal or health history.
Such information restrictions are anathema to large global entities. First, realizing the scale benefits of running large enterprises of any type requires global processing of information in centralized locations. This means maintaining systems in hubs that pull information from across the globe.
Second, not just banks but their regulators, particularly in the U.S., increasingly demand transparency over risks and issues wherever they may occur. If, for example, a U.S. bank raises suspicions to its regulators in Russia about one of its clients in the Russian arm, the U.S. regulators would likely want this arm to report those suspicions to the U.S. parent company and, in turn, to its U.S. regulators. That way, any activity occurring in Russia can be triangulated against activities in the U.S. or elsewhere of the same client.
Due to these and other issues, the existence of data protection and bank secrecy laws pose an obstacle to banks and their regulators that must ultimately be addressed. A cultural gap persists around privacy. For instance, U.S. decision makers in the private and government sectors tend to overlook the importance attached to privacy rights in, say, Europe. In fact, the penalties for failure to comply with privacy laws in many countries can be very serious indeed, including lengthy periods of incarceration for the offender. As it strives to comply with the demands of its U.S. regulator, then, the bank risks breaking the laws of the country its branches reside in.
In trying to address this cultural gap, we can make three important assumptions. First, at least for the foreseeable future, we will continue to live in a world where supranational entities in the private sector coexist with independent sovereign states. International banks and other global private firms need to ensure that they do more than pay lip service to the laws of these sovereign states. A global privacy office is required to ensure these firms have a real-time understanding of the privacy laws in each operating country. No single employee can be expected to know or interpret these laws. Rather, clear roles and responsibilities need to be assigned to ensure business officers, Information Technology staff and operations officers are equipped to make appropriate decisions as they set up new global and regional business models.
Second, regulators, particularly in the U.S., wont easily roll over in the face of privacy laws and cultural preferences of other countries. They are going to continue to demand full transparency over their regulated entities. This means banks need to have a defensible position regarding what they share across borders, whether in the area of anti-money-laundering investigations, cross-border litigation or Basel III capital data.
Ensuring an up to date understanding and procedure for addressing the conflicts of law in each operating country is only one part of the issue. Risk acceptance may also be part of the equation as there is little, if nothing, by way of settled laws on the issue.
Determining the level of risk acceptance a firm is willing to take requires dialogue and agreement with local legal, compliance and business officers in the country in question. It is, after all, those on the ground who will have to live with the consequences of these decisions. As such, decisions by fiat from the corporate center carry little weight, in practice, if not supported by those on the ground.
Third, privacy requirements should be built into the up-front design of global operating models and global IT systems, and not added later as an afterthought. On the business side this means, for example, building consent into customer account agreements governing the use of customer data in support of anti-money-laundering surveillance. On the system side, this means building tight layers of user entitlements, ensuring control over who gets to view data, keeping it on a strictly need-to-know basis.
System architecture must be designed in such a way that enables the optimal mix of business efficiencies while maintaining conformity to privacy standards. If this sounds like a tall order, it surely is. But no one said running a universal bank was going to be easy. If financial firms wish to maintain the trust and support of the nation states they coexist with, they will need to raise their game accordingly.
Andrew Waxman writes on risk and compliance issues in capital markets. He is a consultant in IBM's Global Business Services' financial markets risk and compliance practice and can be reached at email@example.com or on Twitter @abwaxman.The views expressed here are his own.