Authorities and financial institutions (FIs) are highly aware of the challenge of detecting financial crime. Modern criminals are using increasingly more complex structures and are acting across multiple financial institutions and jurisdictions. Parties, such as FIs, FIUs , and law enforcement, operating alone encounter challenges in the identification and tracing of suspicious behavior. Therefore, collaborative information sharing among private organizations (e.g., FIs) and public authorities (e.g., FIUs, law enforcements, and regulators) is needed in order to detect highly networked activities in money laundering, terrorist financing, or consumer fraud (domestic and global).
However, the crucial point in sharing customer and transaction data is the restrictions imposed by data privacy laws. The protection of privacy and the individuals’ right to control their personal information are a core value of modern society, which is why every institute has to ensure that the stored data is kept confidential and secured. The question is, how can we solve the dilemma of analyzing data across multiple participating organizations and protecting it at the same time? One central and promising approach is the so-called privacy-enhancing technology (PET), which aims at enabling participants to analyze and share data without disclosing any sensitive personal information.
Going one step further, one has to ask how the appliance of privacy preserving analytics can be used to tackle financial crime. This question has been observed by the Future of Financial Intelligence Sharing (FFIS) program. In January 2021, the FFIS published an Innovation and Discussion Paper, which analyzes how cryptographic technology can be of use in the detection of financial crime. Having tested 10 different PET providers in a case study, the FFIS delivered insights into the status of development, capabilities, and challenges of this technology.
The tested technologies are based on encryption and allow the requesting party to send a query to a data owner without disclosing it. The execution of the computations takes place in encrypted format and the results will not be decrypted before they are sent back to the requestor’s own trusted environment. Therefore, neither sensitive data is shared with the requestor nor are the sensitive query parameters shared with the data owner. Also, it is important to mention that PET providers use different functionalities and work in different parts of the compliance world. Some of them can work together, others are rather isolated.
Technology Capabilities & Challenges
Privacy-enhancing technology can be used to check external sets of data in order to gain new information about matching customer profiles, transactions, or Suspicious Activity Reports (SARs), and helps to detect discrepancies in the client reference data (e.g., via reports). This can lead to identifying differences in data, setting indicators of discrepancy detection, detecting suspicious behavior, or even generating a set of reference data for the market.
The collaboration in transaction analysis can be useful to analyze the payment behavior and to identify “risky money flows” through different financial institutions while performing computations. Furthermore, the aggregated information can help to detect unusual behavior among different participants. Ideally, this would be used in the future to also collaborate cross-border.
The capabilities of this technology reach up to machine learning on a group wide approach across different countries. Data from subsidiaries of a group in non-domestic countries can be incorporated for a machine learning algorithm without sharing the underlying data. This approach could even be applied within different parties who want to enrich their machine learning capabilities with combined data.
Not only the private sector but also the above-mentioned public entities and public private partnerships (e.g., AFCA in Germany, JMLIT in UK, or APPPI in Austria) can benefit from this new technology. Using a platform to connect databases across a network of financial institutions generates a bird-eye-view and helps to identify suspicious patterns.
All in all, it is easy to see how PETs are offering a great potential in new technology which can help public and private participants to act more efficiently against financial crime. Also, PETs constitute a valuable approach for future collaborations in this fight. That is why FFIS has a point in analyzing this option on a long-term basis as criminal organizations with complex global structures have to be faced with collaborative power to detect suspicious behavior.
Still, there are many obstacles to overcome. The acceptance and the usefulness in the market is depending on many factors. Some of the key challenges are the technical complexity, the data quality, and the interoperability. FIs are already facing challenges in their internal IT infrastructures – it might be even more difficult to harmonize systems across different FIs and to support the exchange of data between private and public sectors. In addition, the costs (e.g., computational, operational, or hardware) can be tremendous, as well.
Even more critical is the legal uncertainty. Due to the high regulatory risk – there is practically no regulatory acknowledgement or guidance – companies are afraid to adopt PETs. This causes a great deal of uncertainty in the market and prevents companies from investing.
It is clear that the development of PETs cannot go without a general standard, a legal framework, and an appropriate governance, preferably transnationally harmonized for private and public collaboration. There is a need for a common regulatory approach, coordination, and guidance since the exchange of data and protection of privacy can no longer be governed separately. We need the authorities and the standard setters (e.g., FATF, Wolfsberg Group, and Egmont Group) to act quickly and to guide the development of the global fight against financial crime into the right direction. With around 10 FFIS in the EU block, the EU might be well equipped with experiences to play a leading role in this discussion. For a global approach, it would also be beneficial to include the US in this discussion and to benefit from the experiences of the US FinCEN Exchange.
Nevertheless, there are already steps taken in the right direction, which provides hope. The president of the Financial Action Task Force (FATF), Dr. Marcus Pleyer, has realized the potential of this new technology and emphasizes the need for collaboration in the public and private sector. At present, the necessity for new AML regulations constitutes a discussing point in European circles. Within the FIUs, information sharing is already common practice (e.g., multi-lateral agreements, and information sharing based on goAML) and the key for an effective detection of financial crime and legal prosecution. For instance, the Egmont Group uses a system – Egmont Secure Web (ESW) – which allows a better and secure communication among FIUs worldwide.
In summary, it can be stated that the necessary technology already exists, it just needs more attention and investment. The journey has just started and the day when PETs will play a key role in the anti-financial crime detection does not seem far away anymore. Let’s hope the regulators and the standard setters take their place quickly to support privacy-enhancing technologies. The framework needs to be created to modernize the financial crime investigations and to keep up with the technological capacities of bad actors.
Let us stay tuned on how to make information exchange easier whilst staying GDPR compliant.
