In the digital age, financial data is both a commercial tool and a means of detecting criminal activity. This leaves multinational financial institution issuers, especially those that operate in both the United States and the European Union, at risk for fines and litigation.
The dual nature of financial data means that it is simultaneously governed by two regimes: anti-money-laundering and counter-terrorism finance laws that seek to protect the financial system from fraud, crime, and political violence; and data protection and privacy laws that seek to protect an individual’s identity and choices from government and private abuse.
Neither set of regulations adequately addresses financial data’s dual role. This means that multinational banks can find it difficult to comply with one without violating the other—particularly given that different countries incentivize banks to prioritize different regimes. It is time for the financial sector to take this opportunity to establish industry standards that turn client privacy into a business asset. This will mitigate the operational risks arising from sometimes-contradictory national AML and data protection requirements.
There is some harmony between U.S. and E.U. risk-based laws intended to root out money laundering and terrorist financing. Privacy is a different story.
The E.U.’s comprehensive rules-based system protects privacy as a human right. The law is meant to be applied with limited exceptions. Meanwhile, the U.S. protects privacy by sector and typically treats consumer data as property, with civil rights set by case law. Multinational banks find themselves balancing different demands on the data they collect from their clients, which causes problems in AML compliance.
The legal ambiguities have their greatest impact on cross-border data flows. This year, the E.U.’s fourth money-laundering directive legalized group-wide sharing of suspicious activity reports and supporting data and included data protection provisions that safeguard these transfers.
Couching data protection within AML operations provides a trail of accountability. But U.S. and E.U. multinationals still face obstacles since they do not, and cannot, allow unfettered
One thing that data protection and AML officials do share is an affinity for enforcing accountability with fines and litigation. In 2014, the U.S. levied
The inclusion of data protection in the Money-Laundering Directive closes many of the E.U.’s AML data loopholes. The requirement for group-wide data sharing makes it clear that AML processes and procedures must include privacy standards no matter where they operate. And soon, the E.U.’s
Yet given the current trend of holding AML compliance officials
It is in no one’s best interest for AML and data privacy regulations to maintain their transatlantic collision course. To navigate this new environment, financial services officials need to change their attitudes about data privacy.
For many, it is understandably easier to view countering illicit finance and terrorism as a public good. The threat of state surveillance or corporate data misuse might seem benign in comparison.
But financial institutions must reevaluate their ethical responsibilities to client data. The political climate has shifted, and the public expects private corporations to consciously balance national security with individual rights.
Moreover, banks' entitled attitude toward client data—and their attempts to
Ultimately, it is big banks' responsibility to establish data privacy best practices in the context of their AML duties. At the global and regional levels, some conflicts could be mitigated by establishing regular
The duality of data in finance cannot be eliminated. However, the balance of risks among national security, privacy, and business can be improved, with a concerted effort on the part of the industry.
Michelle Frasher is a consulting and research scholar affiliated with the E.U. Center at the University of Illinois at Urbana-Champaign.