One of the great problems in financial services is the misuse of data.
As countries around the world pass new data protection laws and enhance enforcement, compliance teams are facing some challenging issues.
One key issue is whether anti-money laundering (AML) and know your customer (KYC) processes provide sufficient justification for processing personal data.
It’s a fruit-of-the-poisoned-tree situation. Institutions acquire information, usually for customer onboarding or AML purposes, and it somehow leaks its way out to the sales team. We’ve now discovered that this asset-rich customer isn’t very leveraged, so we can sell to them. Most of the time the banks get caught, so the temptation continues. And this is, fundamentally, a problem of natural justice. The idea that people are innocent until proven guilty is what gives criminals room to operate, and so there’s a constant battle to decide how far into the lives of the virtuous we’re prepared to intrude in order to catch the sinful.
Pleasing everyone all of the time
There are some big questions to be asked around how it’s possible to keep financial services regulators, data protection regulators and – most importantly – customers happy, how to satisfy US regulators and process data lawfully in the EU or UK and what can be done to improve privacy protection without compromising compliance.
One of the key problems is that there are two bodies of legislation. One body of legislation deals with money laundering, countering the funding of terrorism and preventing fraud. As is common with soft legislation, that body is concerned only with those things while simultaneously being overreaching. This creates an environment where banks, sometimes unjustifiably and sometimes justifiably, feel that anything is justified in pursuit of that end. As a result, they collect a great deal of data and do an enormous amount of processing. They also do a lot of routine surveillance and monitoring, and buy data in from third parties.
These banks have had their knuckles rapped by the financial services regulators for not doing enough AML checking. But the consequence is that they then do too much.
Going above and beyond
The regulations on data minimisation and purpose limitation say that you should collect only the information that is absolutely necessary for the purpose, and that you should strictly limit what you do with that information to the purposes for which it was collected. But banks often go above and beyond what the law asks for. Then the law is rewritten, or the regulator reinterprets the rules, to make necessary what wasn’t previously necessary, because everybody’s doing it.
A good case in point is the retention of passport copies. What the law originally said was that the financial institutions’ authorised officer needed to see identification documentation, verify it and record the fact that they have done so.
Then it became clear that it was quite difficult for banks to demonstrate to regulators that they had done this sufficiently. So they started keeping copies of the passport as evidence of compliance.
Now it’s regulatory guidance to keep copies – which is a potential disaster from a privacy point of view, because if a bank is hacked, the hacker has everything they need to go and steal your identity somewhere else. The fundamental point is that there’s a tension between trying to achieve the potentially virtuous end of limiting money laundering and terror financing, and trying to comply with the equally virtuous end of respecting people’s personal boundaries.