2012 could well go down as a turning point for the industry. Billions in fines have raised consciousness of the need for better financial crime processes, systems and controls.
Regulators have found sanctions breaches, anti-money laundering deficiencies and bribery failures – and will likely continue to do so as they examine historical compliance. We need only look at the UK’s thematic reviews over the past two years to see the significant weaknesses that exist in banks’ financial crime systems and controls.
With the EC releasing the fourth Anti-Money Laundering Directive (AMLD IV) by the end of this year, alongside FinCEN’s customer due diligence rule in the US and the IRS’ FATCA, a great number of new rules will arrive in 2013. Their combined impact will create new problems for compliance officers, operations teams and technology organisations across the globe.
For many financial institutions, there will be a multitude of locations and platforms where customer data is stored. With operations dispersed over many businesses and locations, an international bank will likely have undergone a number of mergers and acquisitions resulting in hundreds or thousands of places where information on the customer can be housed, shared and used for a variety of purposes.
The net effect of financial crime rules is that firms must produce information on their customers and their customers’ extended network (e.g., their customers’ own customers) with more accuracy and speed. What’s worse, firms are expected to stay on top of this constantly shifting mass of information and maintain it to a high quality standard.
In addition, these rules require an increasingly extensive view of the firm’s relationships with employees, contractors, suppliers and business partners. How firms upgrade their ability to manage differing data hierarchies and monitoring requirements, beyond what is loosely understood as ‘KYC’ today, will be the order of the day in 2013.
For many firms upgrades will require considerable investment and, whilst there are many commercial solutions available, it is the linkages between them that are proving tricky. If your customer data infrastructure is robust, extending it to meet the new requirements could well be straightforward – but still require significant resource to address millions of records. Gaining a ‘good enough’ holistic view of, not just your customer, but all your relationships, is becoming increasingly difficult.
However, a new drive from the EU’s non-financial regulators will exacerbate firms’ problems in this arena by cutting across many of the imperatives for financial crime. The EU General Data Protection Regulation and Directive were signed into force in January 2012 and contain highly prescriptive and extremely expensive sanctions that reach up to 5% of a firm’s worldwide turnover. The ‘right to be forgotten’ (whereby you can request that all data referring to you be deleted) has even been given the status of a human right.
The biggest impact of the new regulation is the widened scope of what can be considered a ‘data subject’. Any information that can identify a natural person, directly or indirectly, is now considered ‘personal data’. In practice this means phone numbers, email addresses or even entity identifiers (fund managers, for example) may be subject to the new controls.
In a nutshell, 2013 will find solution architects scratching their heads over how to satisfy diametrically opposed demands: how to make customer data processing both more transparent and less transparent at the same time. Neither challenge is cheap but failure to meet both could be quite expensive.
The full impact of these rules has yet to be ascertained, but several consequences are already surfacing. FATCA, the IRS’ tax evasion regulation, has been cited as a key area that may be affected. The transmission of personal data across borders is generally prohibited under the EU regulation unless a number of conditions are met, one of which is informing the data subject of where their data will be sent and for what purpose.
As such, the cross-border reporting requirements of ‘US indicia’ (i.e., whether an account holder is a US citizen or not) embedded into FATCA have been flagged as a problem. For many EU financial institutions, registration under FATCA as a compliant Foreign Financial Institution (FFI) may mean breaking EU law unless they have their data privacy and customer data controls up to scratch.
Anti-fraud is another area where firms rely on the provision of third-party ‘personal data’ from financial intelligence units (FIUs) in order to conduct adequate anti-fraud checks. The restriction on the use of criminal conviction data under the EU regulation is rather a deal breaker when it comes to adequate fraud systems and controls. Overall, when attempting to seize control of your customer data for the vast array of regulatory requirements, these added rules mean that you not only have to know more about your relationships with customers, staff and third parties, but you must also be able to track and monitor that information across a range of situations to ensure that it is ‘safe’. You also need to tell people why you are collecting the information and give them a way to request its removal. No small order for the new Data Protection Officer that is meant to be in place!
However, it looks as if this set of requirements is not yet final. The regulation is facing serious criticism from a number of parties. In the UK, the Treasury Select Committee released a November report highlighting the prescriptive nature of the rules, going so far as to say that European Union lawmakers need to “go back to the drawing board”. The UK Information Commissioner flatly said that the rules “cannot work”. It remains to be seen whether anyone on the Continent takes any notice.
Will the forces of financial crime overcome the desire to protect human rights? It’s too early to say at this juncture. However, it is clear that the battle for data transparency frameworks will feature prominently in your 2013 plans.
- More customer data means an ever-increasing data privacy challenge.
- New technologies will be required for adequate data control.
- Architects will be challenged to balance competing regulatory objectives for transparency.