While financial regulators increasingly call for information sharing within the industry, data privacy compliance poses barriers to inter-institutional and cross-border collaboration. In this challenging situation, new Privacy-Enhancing Technologies (PETs) can help enable secure data sharing without compromising privacy, security, and regulatory compliance.
We brought industry experts together for a fireside chat on Financial Intelligence Sharing under GDPR to explore three different information sharing implementations across the financial crime lifecycle: Customer Due Diligence, Transaction Monitoring, and Fraud and Cybercrime Investigations.
Here’s what we learned:
#1 Information sharing adds value throughout the financial crime and compliance cycle
“Collaborative data sharing allows organizations to achieve data insights they would not be able to reach on their own.”
Project Director and Innovation Watch Leader, Société Générale Corporate and Investment Banking (SGCIB)
In each case presented during the discussion, privacy-protected collaboration provided financial institutions access to data held by other entities, leading to valuable insights which each individual institution couldn’t have gained alone. PETs were successfully used to alleviate GDPR compliance and competitive concerns, enabling banks to cooperate throughout the financial crime and compliance cycle in ways which were previously impossible.
Customer Due Diligence: DANIE consortium
The DANIE Project is a UK-based consortium of banks and data providers whose objective is to improve the quality of their client reference data by benchmarking data with peers. Banks upload encrypted data to the consortium application where the data remains protected by PETs at all times, preventing it from being re-identified or attributed to a data source.
- PETs eliminate banks’ concerns when sharing client lists, which had formerly prevented such collaborations.
- Saves the cost of third-party data providers previously used to enhance reference data quality.
- Improved KYC, onboarding, and due diligence processes.
Transaction Monitoring Netherlands
Transaction Monitoring Netherlands (TMNL) consists of five Dutch banks that combine transaction data and monitor it collectively to gain a complete view of criminal money flows and networks.
Each bank uploads data to the central data store where the consortium combines these transactions, monitors them, and reports potentially suspicious patterns. Sensitive information is encrypted and viewed only when suspicions of money laundering or terrorist financing arise.
- Unusual transactions detected with higher certainty.
- Financial criminality patterns detected with higher certainty.
- Higher quality insights into criminal financial activities.
Financial Fraud and Cyber Crime Investigations: Cyber Defence Alliance (CDA)
The CDA is a consortium of EU/UK banks and law enforcement agencies whose mission is to facilitate collaborative fraud and cybercrime investigations.
Through the CDA, institutions send encrypted queries to one another, inquiring about suspicious actors and activities – e.g. account ownership, account balances, and relationships between entities – without ever revealing the subjects of these investigations. By utilizing Duality’s PET solution based on Homomorphic Encryption (HE), institutions can analyze data while keeping sensitive information private.
- Improved attribution and case building by banks and law enforcement, reducing criminals’ ability to operate efficiently.
- Automated responses in under a minute allow malicious activity to be detected and deterred in time, enabling law enforcement to seize funds before they are moved.
- Encryption of queries avoids the risk of disclosure, regulatory breaches and tipping off insiders at banks.
#2 Regulatory grey areas make it difficult to innovate and implement information sharing initiatives
“Clarity from regulators about [what constitutes] legitimate interest, scope of necessity, definition of anonymization and de-identification...is the condition precedent to innovate.”
Partner & Chair of GDPR Compliance and International Privacy, Fox Rothschild LLP
As in other jurisdictions, the co-existence of European Anti-Money Laundering Directives (AMLD) and the EU privacy regulation – the GDPR – creates conflicting compliance obligations for financial institutions. Collaboration and information sharing remain a grey area, with a number of terms lacking clear definitions, including:
- What is considered a legitimate interest allowing institutions to exchange information?
- Which information can be shared, and under what circumstances?
- What is in the legal scope of necessity?
- Which forms of pseudo-anonymization constitute a sufficient degree of protection and allow for exchange of personal information?
It is time for regulators to provide a clear code of conduct that delineates each term and its application in anti-financial crime processes. Explicit practical guidance and legal certainty will help drive innovation and encourage institutions to explore new modes of collaboration proactively.
National legislators can and must play a crucial role by creating AML frameworks that provide clarity regarding the above points and how GDPR should be enforced in the context of financial crime prevention.
Regulatory collaboration is also important. Inter-governmental bodies such as the FATF and the European Commission are important organizations that can help reduce friction and harmonize heterogeneous AML frameworks, in turn enabling impactful AML collaborations between different jurisdictions.
#3 PETs help minimize compliance risk and are already in use
“Institutions had a privacy-preserving analytical capability at their fingertips, so they were able to negate risks of disclosure and regulatory breaches. PETs like Homomorphic Encryption balance the need to keep data secure while extracting value from it.”
Head of Product Marketing and Strategy, Duality Technologies
In this contradictory and unclear regulatory context, PETs provide institutions a way to move forward. Different technologies enable secure collaborations along the entire financial crime prevention lifecycle and promise to:
- Provide adequate protection for personal data, in compliance with Article 32 of GDPR, during information sharing.
- Overcome challenges in cross-border data transfer in the post-Schrems II era by enabling institutions to share encrypted insights, instead of directly sharing personal data.
- Attain an ethical balance between information sharing and privacy protection.
- Decrease costs: PET-enabled collaboration increases the efficiency and effectiveness of financial crime prevention and compliance programs.
- Accelerate the use of Machine Learning in anti-financial crime programs by deploying methods that enable banks to analyze encrypted data and jointly build detection models.
In summary, PETs are paving the way for increased financial intelligence sharing at a time of growing globalized financial crime.
Our thanks go to our panelists and moderator:
- Nick Maxwell, Head of the Future of Financial Intelligence Sharing (FFIS), RUSI Centre
- Odia Kagan, Partner & Chair of GDPR Compliance and International Privacy, Fox Rothschild LLP
- Anthony Ta, Project Director and Innovation Watch Leader, Société Générale Corporate and Investment Banking (SGCIB)
- Hilko van Roojen, Senior Manager, Deloitte Forensic and Financial Crime
- Ronen Cohen, Head of Product Marketing and Strategy, Duality Technologies