
The USA PATRIOT Act: How CPOs Can Adopt a Privacy-First Approach To Secure Data Collaboration

For financial institutions, tackling fraud, cybercrimes and money laundering remains among their most challenging tasks. The data they require to succeed exists across multiple owners and jurisdictions, so the ability to share that information is a key requirement. As an example of the scale of the data fragmentation challenge, Ron Shevlin of Cornerstone Advisors recently published a story on disparate data sets in financial services. He found that the average millennial couple might have four checking accounts, and might do business with up to forty different financial providers – and that’s for those of us who aren’t trying to obscure our illicit activities! In this reality, it becomes even more apparent why data collaboration to fight financial crimes is such a challenge, yet absolutely crucial.

Over more than two decades, the USA PATRIOT Act Section 314(b) has gone a long way to address this need, permitting financial institutions to share information with one another. Specifically, the law allows registered financial institutions to work together to identify and report activities that may involve money laundering or terrorist financing activity, including predicate offenses, to the federal government.

While Section 314(b) has been well-received, it remains underutilized. The main barriers to reaching its full potential include resourcing, prioritization, quality, trust, scalability, regulatory clarity, and underlying them all, privacy.

Why are financial institutions still hesitant to share data?

The reality of sharing and interacting with financial data in a timely manner is problematic, given its fragmented nature. As evidenced above, the average financial institution only sees a sliver of its own customers’ financial activity since it is spread out across multiple banks, payment providers, apps, and more. This means that the data needed to tackle these crimes may reside with other organizations, in other countries, or with other teams.

While the legislation grants a safe harbor to share data related to anti-money laundering and combating the financing of terrorism, it does not mandate participation. As such, one challenge is that 314(b) requests are often dealt with manually, which requires adequate resourcing and prioritization. This is often difficult to come by, given the recipient’s own limited time and internal priorities. This highlights the need for appropriate incentives to collaborate and tools to enable efficiency.

Different interpretations of the legislation have also created a gray area around the exchanging of information on predicate offenses. FinCEN interprets 314(b) as allowing information sharing on predicate offenses to money laundering and terrorist financing, such as fraud, cyber crimes and more – but not all financial institutions agree. Further formal legal clarification on precisely what information can be shared and under which circumstances will give financial institutions greater confidence that their activities are well within the letter of the law.

A further concern is what would happen if something went wrong in the sharing of information. In the event of a cyberattack or data breach that leads to exposure of shared data, the fallout in terms of reputational damage and lawsuits could be severe, not to speak of the potential response by any organization named as a money laundering or terrorist financing suspect.

Privacy and security are pillars of the financial system, and the lack of suitable protections has been a barrier to scaling up and automating information sharing under the legislation. Practical solutions are needed to overcome these issues and make the process of participating in 314(b) more seamless and cost-effective in order to increase the law’s effectiveness – as well as address any potential privacy issues which may arise.

Why previous attempts at wider collaboration have failed

Despite these challenges, there have been several efforts to collaborate at scale to prevent financial crimes, including the establishment of utilities and consortia. However, these have typically leant on manual approaches and the sharing of strategies rather than actual data, which only goes so far.

These other attempts have often lacked automation, and their manual nature has made them difficult to scale. The processes required to share data on a one-to-one basis don’t work when it comes to sharing data with an entire network.

Transaction monitoring systems are also in place across the industry, and these go a long way towards helping users understand risk and suspicion. The challenge with these systems is that they rely on data that the firm or jurisdiction already has, and therefore make decisions based on limited information – so they don’t actually address the data sharing and collaboration problem, and often yield huge false positive rates.

A privacy-first approach

If financial institutions could first solve their privacy and security issues, they would also be able to address all of their other key challenges around trust, scalability, regulatory compliance and resourcing.

Solving for privacy helps firms collaborate as a network, at scale – instead of 1:1, which is one of the major contributors to cost. It also opens the door for participants in data collaboration projects to automate processes and create strong governance in order to manage capacity and workflow – known as “Privacy Enhanced Automation”. In fact, the benefits are clear: participants in technology-enabled consortia have reported efficiency gains of between 90% and 99% in AML investigations as a result of better and more timely information sharing, as well as an ability to find more previously-unknown suspects.

All this would increase efficiency and allow financial institutions to prioritize and resource the sharing of data under 314(b) more effectively. It would also help ensure that trust is maintained between all participants as well as between participating institutions and regulators, as all participants can be sure that their data is safe.

Privacy enhancing technologies (PETs) are one approach to address the privacy issue, and firms are adopting them increasingly in the field of financial crime and money laundering. The term covers an array of technologies, including homomorphic encryption, which enables institutions to derive insights from data while still encrypted, and share these insights between parties in zero-trust environments.

When applied properly, PETs can allow institutions that are authorized to share information under 314(b) to do so confidently, with the assurance that information is secure. The data itself remains decentralized, meaning it does not move across parties. Homomorphic encryption also means the firm’s customer relationships are never revealed, and that responses cannot be attributed back to a specific financial institution, thereby preserving competition and customer trust.

PETs are rapidly changing the game in the fight against financial crime. For Chief Privacy Officers, they are becoming an essential tool in the move towards a privacy-first approach, allowing firms to fully leverage Section 314(b) to better protect and serve their customers, mitigate risk and cut costs, and ultimately become business enablers.