The role of data sharing in AML & CFT in the era of data leaks

Explosive data leaks and dumps have become the new norm in the world of international finance. After the global fallout of the Panama Papers and the Paradise Papers in recent years, we have witnessed yet another massive data dump in 2020, billed as the “Luanda Leaks.”

Like its predecessors, the trove of data made public by a hacker in Portugal sheds light on how Africa’s richest woman built her business empire in Angola through nepotism, corruption, and possible money laundering.

The leaks reveal how western firms and banks, despite existing KYC norms, were willing to engage with companies owned by Isobel dos Santos. The exposé particularly highlights how professional services firms like KPMG, BCG, and PwC chose to work with dos Santos even as western banks opted to stay away.

Yet again, data leaks like these highlight the multi-faceted nature of international financial crimes. Government agencies alone cannot enforce the rule of law – they need the cooperation of private sector stakeholders, banks, financial service firms, and others.

Is data sharing the need of the hour?

Employee activists, hacktivists, and other whistleblowers serve an important function in the modern financial world, highlighting extreme cases of white-collar crime. But they should not be our primary defense against money laundering and corruption.

Data sharing between stakeholders can lead to better policing of financial networks and early detection of money laundering. And the financial world is waking up to this reality, in the wake of highly damaging scandals, particularly in the EU – in the Dutch and Nordic banking systems – in recent years.

The major agencies like Europol and the Financial Action Task Force (FATF) have been pushing for increased cooperation and collaboration between the public and private sector in recent years in the EU. Even the European Banking Federation endorses this stance.

A system where regulators and private financial institutions work in harmony to prevent crime may see too utopian to some. But there are working examples that the EU can look up to – across the Atlantic in the US, and much closer home, across the Channel in the UK.

What the UK data sharing model is all about

The shock of 9/11 forced the US authorities to provide their AML/CFT regulations with some real “teeth” to combat terrorist funding. Through the draconian Patriot Act, with its amendments to the Banking Secrecy Act (PDF), US banks and financial institutions are required to take considerable steps in KYC, enhanced due diligence, and improved data sharing.

But consumer privacy concerns are a major factor in the EU, unlike in the US where homeland security gets priority. So, the US system where banks and government agencies can freely share customer data may not be feasible in the European policy environment.

This is why the recent UK initiative in public-private financial data sharing, called the Joint Money Laundering Intelligence Taskforce (JMLIT) has caught the attention of regulators in many EU nations.

The JMLIT creates a closed ecosystem overseen by the UK Financial Conduct Authority (FCA), where 40+ banks, the Serious Fraud Office, the non-profit fraud prevention service Cifas, and the British police all collaborate for AML/CFT data sharing.

Why the JMLIT is an improvement on existing AML/CFT systems

The current AML/CFT systems in place encourage banks to flag potential criminal activity through suspicious transaction reports (STRs). According to Europol, only 10% or all STRs are investigated by the police, leading to only 1% prosecution.

With each new banking scandal, the major banks are spending billions to enhance their KYC and STR capabilities. But without close collaboration between law enforcement and the banks, the former will not be able to improve their ability to zero in on reports that actually warrant further action.

This is why the JMLIT is important – it takes AML/CFT beyond a mindset of basic compliance where banks just create hundreds of thousands of low-quality STRs and leave it to the police to figure out. It promotes enhanced intelligence sharing, which will heavily benefit law enforcement agencies in the early detection and effective prosecution of money laundering.

The drawbacks of JMLIT and possible solutions

It is quite clear that the UK system has caught the fancy of agencies. Both the FATF and Europol have championed it as a model worthy of emulation across Europe. The Germans have already started a similar initiative, and the Swedes expected to follow shortly.

But there are concerns whenever there is increased collaboration between the government and powerful private financial institutions like banks. Who will shoulder the majority of the expenses involved in improved compliance and data sharing?

How can regulators bring in stronger laws to prosecute bankers for criminal liability (like in the US) while simultaneously securing their cooperation? These are all policy questions with no easy answers.

But perhaps the biggest issue with initiative like the JMLIT in the EU is privacy. Europe is home to some of the strictest safeguards to individual privacy in the world. The German version of the JMLIT reflects the difficulty in copy-pasting the UK system to the continent – it does not allow customer data sharing, only typologies of criminal financial transaction flows.

If you cannot bulldoze over privacy concerns with laws (like in the US), then the only option is to create some sort of safeguards against misuse or leak of data into the public domain. New technologies like blockchain, which create encrypted data networks that are extremely secured against tampering, might provide an answer.

The concerns about public-private data sharing in the context of AML/CFT are all too real. But there is no doubt that it holds the key to the future of effective enforcement. Technology will play a key role, along with sensible policy-making.