Data privacy law needs amendment to combat AML/CTF threats - The International Approach

29 November 2017 Bachir El Nakib (CAMS)

Recent instances of cyber-attacks targeting third party service providers of government agencies and private sector organisations have coincided with the latest release of the Australian Cyber Security Centre (ACSC)’s 2017 Threat Report.

This report comes as a timely reminder of the ongoing digital threats to organisations, such as those in the financial services sector, especially with the rise of innovation and financial technologies (FinTech) in this market.  ACSC identified over 47,000 cyber incidents over the last year (up 15%) and reported that 7283 of these cyber security incidents affected major Australian businesses.  It estimates that business email compromises alone cost Australian businesses over $20 million.[1]  Many of these breaches involve exploiting security vulnerabilities in the systems of third party contractors.

Indeed, financial institutions are attractive targets for hackers and cyber-criminals because, under Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) laws, which encompass a strict Know Your Customer (KYC) regime, financial institutions are mandated to verify their customers’ identity and keep records of customers and their transactions.[2]  AUSTRAC’s recent high-profile action against a major Australian bank for alleged breaches of AML/CTF laws and KYC requirements demonstrates the strict stance that Australia’s financial intelligence agency adopts towards compliance with these laws.  However, compliance with AML/CTF laws also means that extremely large amounts of personal and financial information are stored on the servers and databases of Australian financial services organisations – ripe for hackers and cyber criminals to target.

It therefore comes as no surprise that the ACSC’s newly released 2017 Threat Report sets out that:

“Cybercrime conducted by criminal and state-sponsored cyber adversaries remains a persistent threat to Australian financial institutions. Criminal groups continue to conduct malicious cyber activity such as deploying malware on a network to steal online banking credentials or conducting large, multi-stage intrusions to facilitate larger scale theft. The global financial system is likely to face challenges from a growing volume of increasingly sophisticated malicious activity.

Foreign state and criminal groups are demonstrating the capabilities and operational tradecraft to conduct major intrusions into financial institutions. The adverse effects of these actions on second parties and on confidence in system security will probably have wide ranging repercussions.”

Despite this, the many recent instances of unauthorised access to and unauthorised disclosure of personal information raise questions about the attitudes of some organisations towards compliance with the APPs (the Australian Privacy Principles). From a public policy perspective, lacklustre approaches to financial data security are highly problematic.  If the market wants to encourage investment, whether that be the simple opening of a bank savings account by retail clients, investments in superannuation funds or through a start-up FinTech platform, investors need to have full confidence in the law, regulators and the financial industry to protect their personal KYC information from misuse, interference and loss.

In February 2017, Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, which amends the Privacy Act.  This legislation, which will come into force in February 2018, requires federal government agencies and private sector organisations with a turnover of more than $3 million to notify the Office of the Australian Information Commissioner and affected individuals of eligible data breaches.  Notifying individuals whose data has been breached gives them the opportunity to take steps to protect themselves from the consequences of the breach.  It is also possible that the public embarrassment, and the reputational and commercial damage associated with public disclosure, will act as incentives for financial service organisations to implement measures to protect their customers’ KYC information, in the interest of avoiding negative publicity.

Where third party contractors are involved, the new legislation potentially allows for notification by either party. This means that the ‘primary data collector’ may be obliged to notify if the contractor has not done so – even if the contractor is at fault for the data breach.  Under this new notification regime, if the parties fail to comply with notification requirements, they could both be liable to material civil penalties.  In addition, while a contractor may be responsible for a data breach and may have an obligation to notify individuals of that breach, your organisation may suffer the ‘reputational hit’ as a result. For this reason, we recommend that service provider agreements contain clear obligations on the service provider to notify the principal, to allow for management of identified issues as well as compliance with the new laws.

With this legal framework in mind, we note that, in some recent cases, victims of cyber attacks have been vulnerable because of their lacklustre cyber security protocols. In one recent instance, it was alleged that the ‘sloppy’ data security protocols of a government’s third party service provider included using generic passwords such as “admin” and “guest” on their public facing webservers.  Although the contracting organisation itself was not at fault in this instance, ultimately, it is still responsible for the setting of standards and accreditation.[3]

This approach can be similarly applied to the financial services sector. From an optics point of view, if a bank’s customer details are collected by and stored with a third party, any data loss by the third party provider will inevitably cause embarrassment and reputational and financial damages to the bank itself.

Thus, financial services organisations, and entities that are subject to the Privacy Act in general, are reminded of the need to ensure that their own data security protocols, and those of their service providers, are adequate and compliant with privacy laws. From a legal point of view, this can be done through adequately drafted cyber security clauses in service agreements and relevant audits.  Agreements that require third party service providers to warrant that they have adequate data protection measures in place to meet privacy laws and standards, coupled with extending liability to service providers for any loss and damage resulting from the service provider’s cyber security lapses, will encourage greater cyber protections in the expanding FinTech world.

It’s also worth remembering that it’s not just compliance with the Privacy Act that matters – your contractor may meet the threshold requirements for Privacy Act compliance and still lose your data.

Data privacy law may need to be amended to allow regulators more leeway so that they can better counter the threats of money laundering and terrorist financing, said a Swedish regulator at the recent Fintech Festival held in Singapore. 

Erik Thedéen, director general at Finansinspektionen (Sweden's Financial Authority), told a panel that some of the data privacy legislation in Europe, which had taken a long time to reach its final form, is so strict that it has become an issue for regulators when it comes to combating money laundering and terrorist financing.

"When it [data privacy legislation] was finally ready, it seemed a little bit too strict given the threats we see when it comes to AML [anti-money laundering]. This is a subject which we should have collaborations between banks, regulators and consultants because it is nothing to do with competition or cartel. It is something [for the] public good," he told the conference. 

While banks are keen to set standards and best practices for AML, data privacy law has presented some obstacles, Thedéen said. 

"This needs to be widely discussed because it was a lagging legislation that was brought about when we had different discussions around terrorist and money laundering," he said.

Restrictions in data and information sharing

Despite the advent of technology, financial institutions continue to face restrictions in data and information sharing between branches across jurisdictions, according to Conan French, fintech advisor at Institute of International Finance (IIF), who moderated the session on the challenges that technology alone cannot solve. Aggregating and sharing data from one institution to another within a single domestic market remained another challenge, he told the conference. 

"AML [anti-money laundering] and KYC [know-your-customer] is an area [in which] we have seen amazing events, where technology is used to achieve things for fraud prevention, but today we don't have the data sharing and data structure in place to have the same impact in efficiency and effectiveness," he said. 

Lack of data-sharing structure and technology

The lack of data sharing structure and technology is a problem which is particularly challenging for the industry and the public sector to solve, as was evident from the money that financial institutions had spent on AML and KYC, French said. Industry figures showed that banks spent between 20 and 30 percent on AML and KYC compliance, and those figures represented nearly 23 to 30 percent of banks' net profits.

"… you have that level of resources committed to something [AML and KYC]. On the other side we are seeing estimates of maybe 1 to 5 percent of financial crime being caught with the current system. We think this lays out a pretty strong imperative to do something different," he said. 

French said regulatory technology (regtech) was an area where the opportunities for more efficient and effective solutions were clear. He encouraged the industry, policymakers and technology entrepreneurs to come together to address some of the AML and KYC problems so that regulatory supervision and compliance could be made much more efficient, automated and successful. 

Data security in Japan

The importance that Japan placed on data security was evident in its introduction of open application programming interface (API) systems for banks, said Motonobu Matsuo, deputy director general, credit and insurance systems at the Financial Services Agency (FSA). The FSA placed great emphasis on striking a balance between innovation and customer protection, and in doing so, it prohibited venture companies from getting into the API business, according to Matsuo.

The FSA involved banks, fintech companies and data specialists in setting certain standards to ensure data security. 

"… data has to be safe … if one person gets into the security system, the whole system is going to get ruined. We kind of set the standards but we didn't decide on the details but left them to the banks and the fintech companies," he said. 

Given that banks have always had high standards on data security, the FSA imposed requirements on fintech companies by requiring them to sign data security contracts with banks, Matsuo said. 

"By doing that, data security can be achieved and this will also allow venture companies to get into the API business," he said.