FATF Works to Balance Data Sharing and Privacy

FATF (the Financial Action Task Force) has issued a report: Partnering in the Fight Against Financial Crime – Data Protection, Technology and Private Sector Information Sharing. The report discusses the importance of balancing privacy with the need for financial services providers to share information to help stop the spread of financial crime. John and Elliot discuss the goals of the reported activities and the focus of several of the case studies set out in the report.

FATF Works to Balance Data Sharing and Privacy TRANSCRIPT

Elliot Berman: Hi, John, how are you today?

John Byrne: Hi, Elliot. I'm good. Thanks. How's it going?

Elliot Berman: It's going well. I met some of my colleagues who I'd never met before because they had joined the company since the pandemic. I was in person at the Cleveland office earlier in the week. So that was fun. And now I'm here, with my weekly conversation with you.

And I saw something from FATF that just came out. It's a paper about an initiative they have on data production technology and private sector information sharing. Did you see that announcement?

John Byrne: I did. You know, obviously we've always, as AML practitioners, we've always cared about improving the information sharing landscape and certainly, as we know, way back when with the Patriot Act, which will reference, but also because QuantaVerse being part of our world and the importance in the cyberspace of sharing information. I think this is not just a very timely document, but it's something that I know our community continually asks about. How can we better use the data we have to help each other better prepare for financial crime prevention?

They categorize it FATF can't mandate anything, but they can certainly offer strong recommendations. That can be part of an evaluation process. But also, they have some case studies that give some current examples of information sharing. While again, not perfect could be useful for other jurisdictions that are actively considering one of their recommendations.

And that is to improve private sector information sharing. So again, I think, you know, 20 years ago, with the Patriot act, the information we had at hand was certainly not as robust as it is today. So we're even in a better position as practitioners to share more vital information. And this, like I said, comes at a very important time.

Elliot Berman: Agreed. One of the key premises of this initiative that FATF is involved in is recognizing the challenge but the importance of balancing privacy regimes with information sharing to support anti-money laundering and anti-terrorist financing regimes as well. And the importance of doing both, for strong, stable governments and things like that. So it's a very interesting piece. And you mentioned the case studies. I think it's worthwhile to just spend a couple of minutes.

I know there was an interesting, well, there is one about the US, which really talks about 314B. So I assume you took a look at that?

John Byrne: Right. And as we've talked about before, the AMLA law and certainly recommendations from the community has been the 314B. A good starting point needs to be updated for a variety of reasons.

Some will argue it should be mandatory. I'll leave that to others and debate that, in part, because, in many cases, large banks don't always respond quickly enough. The smaller institutions when they have 314B requests, which is as our listeners know. You know, a stable of, you know, I have some information here. I'm trying to get some more from another institution in the region or another institution that has similar products, that sort of thing.

So, to put that in there as an example is good. And as many others, the other one, though, you and I talked about briefly offline was from the jurisdiction of Estonia, and they called it AML Bridge. And I know that goes a bit further. How do they do that from your perspective?

Elliot Berman: Yeah. So they talk about the fact that they've created a secure digital platform that is provided by an independent third-party organization. And it was participants which appeared to be mostly member banks based on the writeup that appeared in the report. And this is their phrase pseudo-anonymized data so that that's what's exchanged.

So it's principally transaction data with end-to-end encryption. So again, coming back to what I mentioned earlier, part of the whole issue here is how you balance the management of personal private data and being able to not let it get into the wild inappropriately. But also share what needs to be shared so that organizations who are potentially chasing the same set of transactions or same bad actions can do.

And so they've been doing that, and the information is shared in near real-time on a near real-time basis. And again, as I mentioned, the goal is collaborative investigation. So they've had a fair amount of use since March of this year. In a short time, they've had 1200 collaborative private investigations. And, well, I guess that was as of March. And that was from a period of about a year ago. So in a nine-month period, they had 1200 of them, which is, you know, a good start. And this is a test case.

John Byrne: Right, it is. And it's a small jurisdiction.

Obviously, the other thing that probably led to the amazing detail in what's almost a 70-page report is the recognition that, you know, anytime you're collecting and using data, that's gonna include personal data besides the obvious reasons cuz of laws and regulations that any misuse of that data that doesn't relate to someone that's not involved in suspicious activity needs to be avoided and prohibited. So trying to figure that out, you gotta take your data systems and manage them. And as they say, in accordance with applicable rules and you know, so the legal frameworks have to be navigated. So I think that's, again, obvious to us that are practitioners, but it's not always something that gets mentioned.

So I thought that was useful. So they acknowledged that. So that's part of it. And then we've both seen there's a series of recommendations that we would urge people to read just high level. They take a couple of approaches in the recommendations, and they say things like the public sector needs to be part of this.

So whether it's the regulatory or law enforcement side, they use the term utilizing regulatory sandboxes and pilot programs. And I think pilot programs are something that we've seen. In the AMLA laws as well. Let's do something on innovation. Let's do something on sharing, you know, across jurisdictions, that sort of thing.

So I think using pilots makes a lot of sense. So that's one of them one of the recommendations. Are there other recommendations that struck you as important? 

Elliot Berman: Well, I mean, the private sector should consider the application of privacy-enhancing technologies.

Where they're fit for the purpose, take steps toward data preparation pursuing to, you know, pursue data protection by design. The idea that you build into your core systems and the way you handle data, that you're protecting it from day one. It's not painting some protection on it on the way out the door.

And establish early and ongoing engagement with the data privacy protection authorities. And one of the things you and I spoke about also offline, is that at the moment, the bus doesn't have a particularly comprehensive data privacy regime at the national level. Data privacy is tucked into a number of different places, and more and more states in the US are beginning to adopt their own privacy regimes, which isn't a bad thing.

But again, with 50 states, plus the District of Columbia and Puerto Rico, and another protector, it gets pretty complicated to figure out how to navigate. You know, as a business, whether it's a bank, and, you know, there are many banks in the US and other financial service providers that provide services across state lines.

So coordinating with those is a challenge, but hopefully, this will be another prompt to the US to begin to think about how to come up with a national privacy regime.

John Byrne: Yeah. And, at the end, they talk about what they're calling concrete results of public-private partnerships.

There are a few examples in there. I roll my eyes a little bit about the Russia one, but the other ones, UK and Australia, they talk about the ENT exchange. Canada's, project-based partnerships include, or at least the outcomes have, according to court, new typologies and indicators that show what happens when you cooperate with the private sectors, significant increases, and a lot of briefings.

So Fintran their FinCEN is doing a number of briefings to domestic and international audiences. The obvious things in the recommendations, just some of the examples of current partnerships that are working well, is also, I'd say, pretty important reading toward the end of the report.

Elliot Berman: Yeah. I think this report is a worthy look.

I'm a fan of FATF generally. I mean, I think they do interesting things and because they're not a government, but they have government representatives from many participating nations. I think they get the right people in the room and can have a lot of influence and get people thinking about stuff that's really important. Not that they weren't thinking about it before, but with colleagues from around the globe. So we really do get a unified approach because, as you and I have talked about many times, global crime, corruption, fraud, and these are all global things.

There is local stuff, but a lot of these things cross national borders because they're pretty porous. And, it's important to have a group that's helping foster a global view on how to deal with it.

John Byrne: Right. And so the report again, Partnering in the Fight Against Financial Data Protection Technology and Private Sector Information Sharing, is available, of course, on FATF's website, a newly issued report. So we would urge folks to take a look at that.

Elliot Berman: We'll link to the report on the description of this podcast that appears on our website. So final link there too. So, John, I know you've got some interesting things in the pipeline. Any interviews you wanna talk about a couple of those? 

John Byrne: Yeah. So, the interviews that are coming up include one with the Director of the Center for Banking at Marquette university of an interesting partnership that that school has done with a micro finance organization in Central America.

And they talk about how they help local farmers and other small businesses handle sort of, you know, day-to-day banking. So, when we talk about inclusion, I think that's important. Next week we'll have a conversation with an expert in export issues about a recent FinCEN guidance. That's coming up. Also, I'm going to be talking in the next few weeks, I think I've mentioned it before, and he's been on the podcast before, the preeminent expert in the US. And I would argue globally, Stef Cassella on asset forfeiture. And then we have a few other things that I'm working on as well.

Elliot Berman: Yes. And on Thursday, July 28th, will be this month's AML voices webinar. And we're gonna have a really good conversation on what do you really need to know related to KYC? So very practical and a great discussion among experts. So if you'd like to register for that go to our website and you can do that. And we hope that you'll do that. So, John, you have a great weekend, and I will talk to you next week.

John Byrne: Will do take care of yourself, Elliot. See ya.

Elliot Berman: Yep. Bye-bye.