For the last two decades, financial institutions (FIs) and governments worked on different sides of the spectrum to combat financial crime. Governments imposed rules that sometimes curtailed FIs in the fight of such crimes. Now both parties are looking for ways to work closer together to achieve a more positive outcome for all.
As part of this combined effort, both the government and FIs are harnessing the benefits of modern technology to pre-empt fraudsters from conducting their affairs. This article covers the historic challenges of a disparate approach between government and FIs to combat such crime, as well as the current challenges and the benefits for all of society in a new paradigm that combines cutting- edge technology, such as network analysis.
Financial criminals are smart people. They know how to find their way through the weaknesses of regulation. The main one exploited to date is the relative isolation of FIs when it comes to fighting against financial crime. This is a universal challenge, but in France data privacy has always been a very sensitive topic and the government has been careful to ensure its citizens are protected from having their privacy and data exploited. While this position has been justified—particularly in light of recent revelations around data privacy and social networking platforms, it has had an unintended consequence, which criminals have been able to exploit. Legislation to protect individual rights to privacy also meant that banks could not share information on criminal activity with other banks, and sharing within banks was also very difficult.
An example: a criminal finds a pattern to commit fraud or to launder money, and executes their approach in a bank branch located in Paris. The criminal can then move 500 kilometres away to Lyon and repeat the exact same steps in the exact same banks, cheating the exact same process.
Data Privacy Regulations are structured in such a way that banks are not authorised to share any sensitive or personal information between branches. Even after having successfully established and proven the crime, the branch in Paris would not be able to transfer the information to any other branch. The crime could then be replicated many times in the same bank and the same approach repeated across different FIs. One can imagine the frustration that this caused banks, knowing they are being robbed and having the information within their organisation to prevent it, yet not being able to use those resources in their fight.
Reputational Risk for Government
For years, the French government has considered this to be an issue for FIs—be it the bank or its insurer—rather than the government’s issue, and it did not want to bend the data privacy regulation. FIs were unable to act.
Given the rising international expectations to fight against financial crime, the government understood that there was also a reputational risk for it and that the financial sector may be undermined if it is not able to properly fight against financial crime. Therefore, the impact that FIs felt for years was also a knock on reputational risk for the government.
This is an important paradigm shift—rather than an FI adhering to a government’s direction, both parties now work together for their joint benefit.
Different Levels of Data Sharing
Once the need to extend the possibility of data sharing is agreed upon, the first step to address is to share related information to confirm and prove the financial crime (author, pattern, etc.). Referencing the example at the beginning of the article, when the financial crime is proven in a branch in Paris, the information can then be transferred to the other branches.
While financial crime may still be possible in this case, the overall impact would be severely reduced. Also, authorisation would be given to share information across FIs, which would then allow them to organise themselves in working sessions where they could share the identities, patterns, etc., of the financial crime attempted against them. As a first step, this pushes financial criminals to reinvent their pattern constantly to keep masking its activities. For example, this type of data sharing is conducted by the Insurance Fraud Bureau in the United Kingdom with the Insurance Fraud Register.1
However, this is only a first step in the data sharing process, as this enters into effect only after the first financial crime is conducted. Although it is more efficient, it remains only a very reactive approach. Despite all the FIs being quicker, there is still a time between the proof of a financial crime and the ingestion by all relevant systems.
The next stage of the fight is to prevent the crime from happening through an increase of data sharing before the financial crime happens. One of the most innovative ways to do this is to create a network based on data from the FI. This more effective approach is often referred to as network analysis. In a nutshell, creating a network is creating all links between all entities that are available in the set of data provided by the FI, in order to provide a 360-degree view of the risk. The more data, the more holistic the view of what is happening, and then the more efficient the detection of the risk.
In this example, the financial criminal would go to several branches in a short period of time and provide each one the same details (e.g., mobile phone, email address, physical address). In the silo architecture, no one would have the credentials to be able to compare data and this suspicious behaviour. With a network analysis approach, the connection would be obvious and an investigation could start immediately, before the crime is completed. Ultimately, it could even be possible to reject the onboarding of the prospect.
To date, the network analysis approach has been mostly deployed using the data from a single FI. The next stage is to use data from different FIs. In this model, an independent not-for-profit organisation reconciles of data from all of the FIs, and provides feedback of the financial crime risk to the appropriate FI. There are multiple initiatives on this model. One ran in France in the insurance sector where the government authorised data sharing after two years of intense negotiation to collectively share data from different FIs. More recently, the Dutch Banking Association (Nederlandse Vereniging van Banken or NVB) launched a similar initiative to share data and to make it more difficult for criminals to launder money in the Dutch financial sector.2
A Point Around GDPR Regulation
One question that is commonly asked when talking about data sharing is the EU’s General Data Protection Regulation (GDPR). In order to maximise the strengths of network analysis, it would need to rely on more data sharing, assuming less and less limitations. At first glance this could contradict with GDPR, which poses constraints and rules when it comes to data sharing and processing.
FIs’ concern is justified, as they could be caught in between missing compliance regulation and data privacy regulations that could result in more efficient financial crime fighting.
However, regulators do not want to prevent FIs from their financial crime fighting activities. Looking at article six of GDPR,3 it is clear that data can be processed for compliance with a legal obligation to which the FI is subject (that covers compliance and counterterrorism financing) or for the purpose of the legitimate interests pursued by the controller (which will broadly cover fraud).
After years of financial crime fighting with a scattered response, the government and FIs are now working in partnership. The government is setting up the legal framework to manage data privacy expectations and to accompany FIs in their fight against financial crime, and to deploy ground breaking technology, such as network analytics, on a broader scale. The benefits for the governments, FIs and society in general could be large.
- “About the IFR,”Insurance Fraud Register, https://www.theifr.org.uk/en/about/
- “Dutch banks join forces to combat money laundering,” De Nederlandse Vereniging van Banken, 19 September 2019, https://www.nvb.nl/english/dutch-banks-join-forces-to-combat-money-laundering/
- “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),” Official Journal of the European Union, 27 April 2016, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679. See Article 6: Lawfulness of processing.