Pain Points in AML Intelligence Sharing
It's no surprise that in the current situation the criminals have the upper hand: they can communicate, they can spread their activity across several financial institutions, and they can simply move on to the next financial company when they do get found out. Financial institutions, by contrast, work in silos: they cannot share relevant information on malefactors, they cannot see payment networks beyond their own institution, and they certainly cannot know what kind of payment histories suspicious entities have had before. So what's stopping financial companies from exchanging this information?
1. Privacy. Is unauthorised data sharing between banks legal? The short answer is "no" (the GDPR and, in our case, other relevant laws such as the Bank Secrecy Act make it so). Thank god. We trust our banks with a lot of information in exchange for the bank's services. Questions like "Who are you related to?", "Where did you get that 100,000 USD?" and "Who else owns the company 'ASD private consulting'?" are safely kept within the bank. But what if the answers to those questions reveal possible criminal activity? Can the bank alert other financial institutions that a customer is not to be trusted? Currently, no, unless the other bank specifically asks for this. Fair enough, but could they then upload this information into some database where it could be seen and used when needed? This leads us to the other angle of our challenge.
2. Security. In this day and age, as all financial institutions should know, it's not a question of whether you'll get hacked, but when. A large, specific collection of customer data can't really be stored in a conventional database, no matter how secure its "borders", because a single breach of that perimeter exposes everything inside it. The information in there is considered sensitive by all standards.
3. Auditability. If any kind of customer data (good or bad) is being shared, a lot of flags are raised concerning the access and privacy involved. Not only whether the data sharing is legally valid, but how is the identity of the sharer stored (or, for that matter, protected)? How do we avoid turning this into tipping off or sniffing? If the data is encrypted, who can decrypt it, and why? Something more elaborate than a conventional request/receive logic needs to be implemented.
I’m curious to see if other industry professionals agree with me. What kind of challenges do you see that I haven’t mentioned? Feel free to contact me directly or even better, let’s start a discussion in the comments section, so others can also chip in.
Good stuff, Taavi. We (Acuminor) are actively working on creating a technology platform for public/private partnerships that will allow the industry to share (non-GDPR-sensitive) data on the latest criminal methods and modus to help prevent financial crimes.