Data Protection Laws Hindering Financial Crime Fight, Say Payment Execs

March 1, 2023
Top payments industry professionals believe that existing data protection laws are acting as a “barrier” in the fight against financial crime, but is a “central depository” for the sharing of such data the solution?

Last week, during a Payments Association (PA) Insights event, representatives from across the payments industry agreed that more can and should be done to ensure that data gets to where it is needed to prevent financial crime.

But in jurisdictions such as the UK, EU and the US, current regulations for anti-money laundering (AML) impose strict rules against sharing customer data with third parties, even when financial crime is suspected.

In the UK, for example, under the 2022 Proceeds of Crime Act (POCA), banks can only query their own customer transaction data, and cannot request further data or information from other banks, even if it relates to the same transaction.

Banks are also unable to communicate to one another when a relationship with a customer has been terminated, even if the customer was terminated due to financial crime concerns.

This means that terminated customers can easily open up an account with a new provider, without the new provider being aware of the original bank’s concerns.

However, if the UK’s Economic Crime and Corporate Transparency Bill is passed into law, it will allow AML regulated firms to communicate financial crime concerns about specific customers or transactions on a limited basis.

This will be achieved through a civil liability waiver for AML regulated firms when sharing data that relates to suspected financial crime with other regulated firms or third parties.

Under the General Data Protection Regulation (GDPR), civil liability would still apply if AML-regulated firms share customer data for reasons other than legitimate financial crime concerns.

Let us fight crime

At the PA Insights event, payments industry professionals agreed that current regulations are overbearing and counterproductive when it comes to fighting financial crime.

In a straw poll conducted by PA during the webinar, 72 percent of respondents said that data protection laws are obstructing the sharing of “relevant information” that could be used to detect, prevent or investigate financial crime.

Max Alexander, panellist and vice president of cyber and tech emerging threats at J.P. Morgan, said he was unsurprised by the poll, describing the results as “exactly” as anticipated.

“When we talk about data sharing models for reducing fraud, having regulatory power to go out and share that data is absolutely something that’s needed,” he said.

Using SWIFT as an example, Alexander said that commercial banks should be given more leeway to share data-based insights with other firms and third parties.

SWIFT, which cannot see any personal data related to the users of its service, can therefore share anonymised insights with the institutions in its network.

“At the macro level, maybe if you're a SWIFT, you can develop your own internal machine learning or algorithms, contact all of your customer financial institutions and say: ‘Hey, this might be fraud’,” said Alexander.

“But if you're a big bank or a small bank, there are absolutely legal prohibitions against sharing certain data.”

Jane Barber, payments regulatory and trade association lead at NatWest, agreed with Alexander.

She pointed out that even in cases where data can be shared, lengthy internal assessments to ensure compliance can result in delays prior to taking action.

In other words, the regulations may not pose “barriers” per se, but the practical outcome is the same if the data sharing cannot be executed in a timely manner.

Data sharing and data security

A second poll asked respondents whether a “central depository” for sharing customer data, which could be used by all AML-regulated firms, might offer a solution.

Once again, there was strong support for the proposal, with 79 percent of respondents voting in favour of it.

Among the panellists, however, the idea of a central depository for highly regulated, confidential data was less warmly received.

Nick Davey, technical payments specialist at the UK’s Payment Systems Regulator (PSR), said he was surprised by respondents’ support for the measure, and argued that a central depository would inevitably be compromised.

“Ultimately, it's a big attack surface if you can go via any AML-certified entity,” he said, describing the wide range of access points as a “moral hazard” for the entire database.

Secondly, Davey pointed out that such a system would be difficult to administer, even within a single jurisdiction.

Taking the UK as an example, he said there were no clear winners as to which agency should administer such a database.

He also asked what recourse individuals would have, if any, to see how they are reflected in the database, or how they could challenge entries that relate to them personally.

For example, Davey noted that the GDPR allows citizens to challenge “automated decisioning” that relates to their personal data, so this would need to be honoured by the agency administering the database.

Alexander, likewise, said he would “urge caution” at the idea of a central depository. “You would essentially be putting final analytic products in there, creating a prohibited entities list,” he said.

“Anybody who shows up on this central repository would not have access to banking services”, as the consumer or business user would be effectively blacklisted by all the financial institutions that receive it.

If pursued, Alexander said he would want to see legislation that requires financial institutions to conduct their own analysis to ensure the accuracy of the list before acting on it.

“If you're denying someone access to the financial services system, you're essentially outcasting them from society,” he said. “I'm all in favour of big data, but big data used ethically and responsibly.”
