By Alon Kaufman
Financial institutions are investing substantial resources in combating money laundering and other forms of financial crime. Indeed, LexisNexis calculates that the estimated cost of compliance across major global markets has surged to more than $180 billion. Among the largest factors driving the growth of compliance costs are new regulations and privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Banks, which are extremely reliant on the analysis of massive data sets to fight financial crime as required by law, face the delicate task of navigating a complex regulatory landscape with complicated rules on the use, storage and handling of data.
This leads to a difficult compliance dilemma: Which do financial institutions prioritize—compliance with stringent data privacy regulations or with anti-financial crime regulations? To resolve this conflict, financial institutions will need to break out of old paradigms and adopt new, privacy-enhanced information-sharing strategies that enable more efficient financial crime investigations than conventional means—which can yield false positive rates of up to 90 percent.
How financial criminals gained the upper hand
The United Nations reports that up to $2 trillion in funds is laundered through the global financial system every year, associated with a range of illicit activities, including terrorism, drug-trafficking, cybercrime, human-trafficking and more. As a result, governments around the world have implemented a variety of anti-money laundering laws and regulations: from requiring banks and other financial institutions to conduct know-your-customer processes, to monitoring and investigating suspicious transactions, to reporting instances of crime to law enforcement.
Despite the broad nature of financial crime compliance processes and substantial spending combating financial crime—some $1.28 trillion annually—malicious actors appear to have the upper hand, with fraud at major financial institutions up 235 percent annually according to the LexisNexis 2019 True Cost of Fraud Study.
What accounts for the low ROI on anti-crime spending? While financial regulators and experts have been advocating inter-bank information sharing for financial crime compliance for some time, institutions are hampered by a plethora of data privacy, storage and security regulations that, though justified, undermine their ability to collaborate across borders, institutions, branches and sometimes even internal teams.
A bank, for instance, often cannot share information across its own offices located in different countries, due to data localization laws. On the other hand, financial criminals do collaborate across borders and organizations—putting financial institutions and law enforcement at a distinct disadvantage.
Financial regulators and experts like the multilateral Financial Action Task Force endorse “rapid, meaningful and comprehensive sharing of information from a wide variety of sources, across the national and global scale.” What the financial industry needs now is a modernized, viable framework for putting this guidance into action, while still protecting data privacy.
Reaping the benefits of effective cooperation
Better inter-institutional collaboration would significantly enhance critical financial crime compliance processes, including customer onboarding and KYC; transaction monitoring; and investigating suspicious fund transfers.
The often-cumbersome and friction-prone KYC process has spurred more than 10 percent of corporate clients to say they were changing banks. If institutions would be able to collaborate more effectively on analytics, they could obtain information more efficiently, while uncovering risks more comprehensively—without inconveniencing new clients and denting their competitive edge.
Consider politically exposed persons. The classic method of determining whether an individual is a PEP is to consult commercial PEP lists. But regulators have said that this is insufficient as a standalone measure. If financial institutions could share relevant information on PEPs, this would enable faster, more secure verification by eliminating accounts using synthetic identities.
Such cooperation would also reduce the staggering rate of false positives in transaction monitoring—for example, by giving institutions more information about the source of funds, related accounts, and more. And if financial bodies could facilitate smoother collaboration on the investigatory process, they could gather necessary data and evidence more easily, write more robust Suspicious Activity Report narratives and overcome investigative dead ends.
Take for example the case of a financial transaction in a new location not previously linked to an account. Banks should be able to join forces to determine whether the transacting parties might be family members or share a mutual business interest with the account-holder—insights that can significantly cut down on investigatory time and SARs.
Of course, improved information-sharing would also be a boon to regulators, who would benefit from higher-quality SARs, from the ability to conduct investigations more efficiently with more targeted and relevant information and from the ability to share data with regulated institutions in order to encourage even greater efficiency in anti-AML and compliance efforts.
Bridging vital priorities
But with increased information sharing, how do we guarantee compliance with data privacy regulations? In other words, how can institutions share information in a way that does not jeopardize the confidentiality of our most sensitive financial information?
The bottom line: Financial institutions need solutions that will enable both information sharing in a timely manner and data privacy.
Privacy-enhancing technologies make this possible. While a diverse array of solutions and technologies fall under this umbrella, there are a few that are particularly relevant for solving privacy challenges that arise when collaborating on data: Secure multi-party computation, which is valuable for benchmarking between parties, especially when they need an aggregate result from their data analysis; aggregated data analysis in cases where precise individual results aren’t necessary—for instance, with census data; and homomorphic encryption, or HE.
HE enables computation and analysis on encrypted data: a breakthrough capability, as for a long time, only data at rest or in transit could be encrypted—but not data in use. In other words, organizations can analyze data and extract vital insights without having the underlying sensitive information exposed. The United Kingdom’s Financial Conduct Authority has called HE a solution that can allow institutions to share information “without compromising the security or confidentiality of the underlying data.”
What’s more, HE can be used to encrypt both data and models—paving the way for inter-institutional collaboration on building and testing models, monetizing data and analyzing information in countries with data localization requirements—all with compliance, privacy and trust built in.
Interpol has warned that bad actors are exploiting the ongoing COVID-19 crisis to commit even more financial crime, exacerbating current economic volatility. In this climate, financial institutions cannot afford to compromise on anti-crime efforts or privacy protection. Privacy-enhancing technologies bridge these two needs—making our world safer, while keeping our data protected and private.
Alon Kaufman is CEO and co-founder of Duality Technologies, a data science firm focused on secure and privacy-enhanced information sharing for financial crime solutions