The SWIFT Institute has released new research on the challenges of information statecraft for today’s global financial community. The report, ‘Multinational Banking and Conflicts among US-EU AML/CTF Compliance & Privacy Law: Operational & Political Views in Context,’ focuses on the duality between laws that seek to use data to protect the financial system and laws that seek to protect data privacy. It reveals the many compliance areas that will challenge multinational financial institutions as they integrate privacy into their anti-money laundering (AML) and counter-terrorism finance (CTF) operations over the next two years.
According to the study, the European Union’s Anti-Money Laundering Directive (4AMLD) requires enterprise-wide data protection within AML/CTF operations across a multinational financial institution (MFI), while US law does not, which creates regulatory risk. In the US, data is typically the property of the entity that possesses it, for example a bank, whilst in the EU’s rule-based privacy regime data ownership belongs to the individual as a human right, this can conflict with AML/CTF regulations.
The study’s author, Dr. Michelle Frasher, says, “The US and EU subscribe to Financial Action Task Force (FATF) recommendations, but there are notable differences in implementation. The EU is setting the terms of data protection in AML/CTF compliance, and there are few people with the knowledge and skillsets to communicate across these disciplines. As the EU Member States establish technological and organizational safeguards for AML/CTF data protection within the next two years, officials should engage in cooperative and collaborative dialogues with the financial services to create workable solutions.”
Frasher’s research found that both US and EU law mandates MFIs’ cooperation with national authorities, but EU firms with operations in the US may be at greater risk for data requests from US authorities, which may run afoul of EU privacy expectations as data is shared across the group. MFIs must consider the location of their servers to determine their risk exposures to foreign authority access as well as data breaches.
Furthermore, the US Patriot Act’s mandatory data searches for subjects “reasonably suspected” of money laundering or terrorist financing challenges European data collection, retention, deletion, purpose limitation, or access requirements. Even so, EU Member States and national security intelligence agencies are not covered by EU data protection law.
“With this research, we aimed to present a comparative analysis of US federal and EU-level AML/CTF and data protection laws,” adds Frasher. “Challenges notwithstanding, data privacy programs benefit AML/CTF compliance because they create accountability trails, help financial institutions produce better data to authorities, and lend reputational currency. Despite the regulatory conflicts, the financial services industry has an opportunity to contribute to data privacy/AML/CTF solutions that fit their operations.”
The report concludes that firms can address complex compliance challenges by creating integrated AML/CTF, information technology, and privacy teams, or encourage employees to seek cross-functional training to break down information and education stovepipes inherent in MFI organizational structures.