This month, we participated in two roundtable events organized by the Financial Action Task Force (FATF), the global watchdog for money laundering and terrorist financing. FATF member delegations, industry representatives, data protection specialists, and technology experts discussed how regulated entities can responsibly adopt new technologies to improve the outcomes of their AML/CFT processes. An important focus throughout the sessions was the exploration of Privacy-Enhancing Technologies (PETs) that can support financial intelligence sharing and help institutions reconcile AML obligations with privacy compliance. We presented our recommendations on how the financial services industry can move forward and leverage collective analytics to thwart financial crime.
Below are our responses to key questions the FATF raised for discussion during these roundtables.
1. How can emerging technologies contribute to a paradigm shift in AML/CFT?
Today, virtually every regulated entity uses technology in its AML/CFT processes to varying degrees. Interestingly, AML and regtech are utilized almost exclusively internally: financial institutions use the internal data available to them to try to understand their customers, transactions, counterparties, and more. But emerging technologies focused on secure collaboration can help these stakeholders widen their view of risk from an internal one to an industry-wide one, across organizations and borders. Moreover, they can do so without sacrificing privacy, competition, security, and regulatory compliance.
Privacy-enhancing technologies (PETs) can help regulated entities and regulators achieve a holistic view of customers, enabling better personalization, which yields higher customer satisfaction and therefore better compliance. They enable these organizations to become more agile and adaptive to changing risks. They protect their IP and their customers so that they can maintain their competitive edge. Most importantly, they make financial systems safer while also enabling more people, companies, and countries to participate in regulated financial markets.
2. How can regulators drive technology adoption to facilitate information sharing?
Regulated entities often pilot new technologies to ensure they meet legal, scalability and performance requirements, but obstacles occur when it comes to implementing these technologies. Regulators can play an important role in driving adoption through a variety of measures:
- Create feedback loops and incentives: By defining measurable objectives for technology adoption, regulators can help regulated entities understand their progress, for example through feedback on how technology impacts SAR quality and incentives tied to investing in new technology.
- Apply risk reduction measures: When it comes to information sharing, financial institutions can be reluctant to move forward without risk reduction measures such as sandboxes, no-action letters, exemptive relief or safe harbors. This is especially important in instances of cross-border information sharing, where regulatory requirements may differ or even conflict.
In priority areas, FATF and other regulators could consider allowing responsible institutions to freely innovate. This differs from the typical approach which encourages “responsible adoption” of technology; changing the focus of responsibility can help institutions deemed to be reliable to innovate at pace, along with their respective regulators.
- Drive harmonization across regulatory focus areas, as well as across jurisdictions: Currently, institutions are facing heterogeneous and often contradictory compliance requirements. Besides the inherent conflict between data privacy regulation and AML intelligence sharing, disparities in national laws and regulations hinder cross-border collaboration. Today, it is not uncommon for a multinational organization to engage in separate discussions with each set of regulators in the various countries in which it operates. With larger banks, this number can reach well past 100! This prospect alone hinders adoption and investment across jurisdictions.
3. Which areas require more regulatory clarity?
Intelligence sharing today is largely a regulatory grey zone, preventing vital initiatives in the industry. Entities need more clarity and guidance on basic questions like:
- What data can be shared? There are many different types of data used for AML/CFT. Can all of it be shared, or just subsets? Some examples include risk scores on specific entities, network relationships and customer demographics, or transaction information.
- When can data be shared? There are many phases of the AML lifecycle that would benefit from information sharing. Can data be shared for the benefit of all of them, or does it have to correspond to a specific part of the process like training and tuning, customer screening, investigations after a crime is confirmed, or simply confirming suspicions?
- With whom can data be shared? There are many stakeholders in the financial services ecosystem. Can data be shared with all of them? What about other financial institutions? Do those institutions need to be domestic, or can they be in another jurisdiction? What about multinationals seeking to share data internally? How about financial intelligence units and law enforcement?
- How can data be shared? Organizations have many options when it comes to processes, protections, and technologies for data sharing. Which of these are required? Would the use of certain technologies grant an organization safe harbor, or even the ability to share different types of data that they would not be able to share otherwise?
4. Is technology the silver bullet?
No. Technology alone is not a “silver bullet.” It must be deployed in concert with good data governance. Using privacy-enhancing technology can help institutions work within the boundaries of the law, not circumvent it. For any collaboration initiative, participants need to put guardrails in place and define what data will be used, what insights they will allow others to gain from it, under what circumstances it can be shared, and with whom.
5. Which emerging technologies can best facilitate privacy-enhanced intelligence sharing?
Homomorphic Encryption (HE) is a privacy-enhancing technology that facilitates financial intelligence collaboration by enabling organizations to encrypt both data and models and use them for analyses and even training without ever decrypting them.
HE allows data elements to be encrypted and used in a form that does not identify, describe, or relate to people or households. As a result, the encrypted data is not legally considered “personal information” and therefore is outside the scope of the relevant privacy laws. Using HE ensures data processors and collaboration partners are not exposed to any sensitive information. The specific type of HE we use enables organizations to remain compliant with national and supranational privacy requirements, as stipulated by legal opinions and regulatory input to that end.
Notably, these sentiments are also echoed by a number of privacy regulators, like the AEPD in Spain.
Some forms of HE, such as the one used by Duality, are open-source and standardized by the HomomorphicEncryption.Org industry consortium, which is extremely important with regard to engendering trust amongst users, regulators, and other stakeholders and eventually driving adoption.
6. How can regulators develop a roadmap to enabling secure collaboration?
A great place to start would be to identify and agree on priority areas for collaboration, such as customer onboarding or investigations. The next step could then be twofold: first, to give responsible institutions the ability to innovate within these priority areas; and second, in parallel, to create standards around these areas, i.e., regarding the data to be used, analyses to conduct, the legal basis for moving forward, etc.