Data privacy law needs amendment to combat AML/CTF threats - The International Approach
Data privacy law may need to be amended to allow regulators more leeway so that they can better counter the threats of money laundering and terrorist financing, said a Swedish regulator at the recent Fintech Festival held in Singapore.
Erik Thedéen, director general at Finansinspektionen (Sweden's Financial Authority), told a panel that some of the data privacy legislation in Europe, which had taken a long time to reach its final form, is so strict that it has become an issue for regulators when it comes to combating money laundering and terrorist financing.
"When it [data privacy legislation] was finally ready, it seemed a little bit too strict given the threats we see when it comes to AML [anti-money laundering]. This is a subject which we should have collaborations between banks, regulators and consultants because it is nothing to do with competition or cartel. It is something [for the] public good," he told the conference.
While banks are keen to set standards and best practices for AML, data privacy law has presented some obstacles, Thedéen said.
"This needs to be widely discussed because it was a lagging legislation that was brought about when we had different discussions around terrorist and money laundering," he said.
Restrictions in data and information sharing
Despite the advent of technology, financial institutions continue to face restrictions in data and information sharing between branches across jurisdictions, according to Conan French, fintech advisor at Institute of International Finance (IIF), who moderated the session on the challenges that technology alone cannot solve. Aggregating and sharing data from one institution to another within a single domestic market remained another challenge, he told the conference.
"AML [anti-money laundering] and KYC [know-your-customer] is an area [in which] we have seen amazing events, where technology is used to achieve things for fraud prevention, but today we don't have the data sharing and data structure in place to have the same impact in efficiency and effectiveness," he said.
Lack of data-sharing structure and technology
The lack of data sharing structure and technology is a problem which is particularly challenging for the industry and the public sector to solve, as was evident from the money that financial institutions had spent on AML and KYC, French said. Industry figures showed that banks spent between 20 to 30 percent on AML and KYC compliance, and those figures represented nearly to 23 to 30 percent of banks' net profits.
"… you have that level of resources committed to something [AML and KYC]. On the other side we are seeing estimates of maybe 1 to 5 percent of financial crime being caught with the current system. We think this lays out a pretty strong imperative to do something different," he said.
French said regulatory technology (regtech) was an area where the opportunities for more efficient and effective solutions were clear. He encouraged the industry, policymakers and technology entrepreneurs to come together to address some of the AML and KYC problems so that regulatory supervision and compliance could be made much more efficient, automated and successful.
Data security in Japan
The importance that Japan placed on data security was evident in its introduction of open application planning interface (API) systems for banks, said Motonobu Matsuo, deputy director general, credit and insurance systems at the Financial Services Agency (FSA). The FSA placed great emphasis on striking a balance between innovation and customer production, and in doing so, it prohibited venture companies from getting into the API business, according to Matsuo.
The FSA involved banks, fintech companies and data specialists in setting certain standards to ensure data security.
"… data has to be safe … if one person gets into the security system, the whole system is going to get ruined. We kind of set the standards but we didn't decide on the details but left them to the banks and the fintech companies," he said.
Given that banks have always had high standards on data security, the FSA imposed requirements on fintech companies by requiring them to sign data security contracts with banks, Matsuo said.
"By doing that, data security can be achieved and this will also allow venture companies to get into the API business, he said.