The estimated amount of money laundered around the world every year is 2 – 5% of global GDP, or €690 billion – €1.72 trillion, according to the United Nations Office on Drugs and Crime. In order to intercept even a small fraction of these transactions, financial institutions are harnessing more and more data. At the same time, consumers and regulators, especially in Europe, are putting more pressure on businesses to be compliant with data privacy laws. How can the two approaches co-exist? “Data Privacy vs. AML/KYC” is one of the many exciting panel discussions of the virtual Fintech Inn conference taking place on October 21-22.
Back in 2017, Consult Hyperion was forecasting that financial institutions in Europe could face fines totalling €4.7 billion in the first three years under the General Data Protection Regulation (GDPR). Although this grim forecast has proven to be an overestimation, “Finance, Insurance and Consulting” companies have received a sum total of €25.1 million in GDPR fines so far, according to the GDPR Enforcement tracker.
“GDPR is one of the regulations that contradict other regulations. What needs to be done is to clearly define what are the principles of GDPR vis-a-vis other regulations. Once we clearly draft the underlying procedural framework, we need to give very specific guidelines to all obliged entities and the business world,” says Marios M. Skandalis, Director of Compliance at Bank of Cyprus.
Among the areas where clearly drafted procedures are needed, Mr. Skandalis mentions data storage. Although GDPR limits the period for which an entity can hold on to customer data, in some cases (for example, when a customer is involved in a legal dispute), measures should be different.
“We need to clearly identify and understand three areas when data should be stored: when it’s a legal obligation, when it’s in the public interest, or when it’s a legitimate interest of the corporation,” Mr. Skandalis states.
The question of educating the public about the benefits of AML and privacy regulation is seen as important by the panelists.
“Both AML and privacy requirements are a force for good for society, people in general and customers. We need to do a lot of work educating and setting the whole framework of trust, which isn’t the easiest thing to do in these turbulent times,” says Martynas Bieliūnas, Managing Partner of Privacy Partners Group and the panel’s moderator.
According to another participant of the discussion, Faisal Islam, AML officers today have a hard time including the aspect of privacy in the work that they do. In fact, traditionally, an AML officer will rarely have had privacy training, as it’s not part of their learning curriculum. At the same time, most fintechs have their privacy policy limited to the terms and services on their website, and the AML officer is not included in any questions regarding privacy.
“The adversary of an AML officer is an illicit person who is using data they sought without permission or is being deceptive in other ways to layer transactions. To counter their actions, AML officers need as much data as possible themselves, and their work is made significantly better with access to more data. They have to walk a line of ‘I have to do what I have to do within the bounds of what is allowed’, as they do have personal liability for not fulfilling an AML obligation, but no personal liability for crossing the privacy line,” says Faisal Islam, Head of FC/AML at Sentinels.ai, a company providing data-driven transaction monitoring for confident risk decisions.
Identity verification is one of the fields where AML and privacy regulations intersect. It is enhanced by advanced tools such as Facial Recognition and 3D Liveness Detection, which prevents fraudsters from impersonating someone else by using everything from 2D images to life-like silicone masks.
“AML and Privacy regulations for identity verification providers are the main regulations where we, providers, act as experts in the field. Working with highly sensitive data enforces us to follow very strict data security guidelines. To make sure those guidelines are fulfilled, we invest in technology, server architecture, and audited certifications like ISO 27001,” says Domantas Čiuldė, co-founder and CEO of iDenfy, an identity verification provider. “A continuous dialogue between identity verification providers and regulators helps to contain knowledge in the AML field. We ensure that the data given to us is only used for the purpose of combating ML/TF. We help financial institutions (and/or business units) to be sure that their clients are reliable and verified, while complying with the latest AML requirements.”
According to another panelist, Taavi Tamkivi, the future might hold a shift from a focus on fighting fraud based on wrongdoers’ identity to a focus on their actions.
“Currently, actual behavioural monitoring is heavily under-prioritized. If we become better at behaviour detection with AI and other new technologies, the approach will shift from ‘who the person is’ to ‘what the person does’. This ultimately decreases the pressure on privacy data processing and puts more emphasis on more complex AML investigations,” says Taavi Tamkivi, co-founder and CEO of Salv, an Estonian AML platform for enterprises and fintechs.
Join this and other discussions on the hottest fintech trends and challenges during the virtual Fintech Inn 2021 conference. Held on 21-22 October, Fintech Inn 2021 will bring together 250+ enterprises and start-ups, as well as 1000+ investors, policymakers, entrepreneurs and technology leaders from all over the world to exchange knowledge and discuss topics from green finance to startup media. You can get your free ticket to one of the largest industry events now on the myOnvent platform.