For Banks, Data Privacy and Anti-Money Laundering Don’t Have to Be Incompatible

By Rina Shainski, Chairwoman and Co-Founder at Duality Technologies

Every year, terrorists, drug lords, human traffickers, and other assorted criminals launder some $1.6 trillion in illicit funds across the globe. New advances in artificial intelligence and machine learning promise to help banks rapidly identify and thwart illicit transactions – but even as a growing number of institutions implement sophisticated technological solutions, only about 1 percent of laundered funds are seized and frozen. As the International Institute of Finance notes, a major factor hindering banks’ anti-money laundering (AML) efforts is a lack of sufficient information-sharing among institutions to flag suspicious accounts and activities. The problem? The need for more data sharing clashes with the growing movement to enforce stringent data privacy standards. Toughening data privacy standards like the European Union’s General Data Protection Regulation (GDPR) impose strict limits on the processing and sharing of personal information, posing a real barrier to efficient AML and Know Your Customer (KYC) procedures alike.

But while there may indeed be an inherent conflict between AML and data privacy, financial institutions can resolve it using innovative technologies designed to preserve data privacy. Here’s a look at the seemingly challenging landscape confronting financial institutions – and how tech can help.

AML compliance: Big investments, small returns

Why have Big Data solutions become a top priority for institutions looking to ramp up their AML efforts? Primarily because compared to other methods, they offer a much more efficient and effective pathway for preventing financial crimes.

Banks’ investments in KYC and customer due diligence have climbed over the past two decades, but the return on those investments has so far been unsatisfactory. Mandatory KYC procedures were among the provisions contained in the post-9/11 USA PATRIOT Act, with an eye toward choking off terrorists’ financing. KYC requires banks to verify clients’ identities, ensure that they are not engaged in illicit activity, and gauge potential risk factors. Across the Atlantic, the EU’s Fourth Anti-Money Laundering Directive (4MLD) imposes similar standards requiring banks to collect and process client data.

Yet, as long as banks can only analyze their own data, investigators are denied the full picture of potentially suspicious activities. By combining advances in machine learning with privacy-enhanced information sharing across institutions and even national boundaries, financial institutions can be significantly more effective in their increasingly expensive chase after money launderers and financial criminals.

Resolving regulatory conflicts

Fundamentally, anti-money laundering and data privacy are wildly divergent. The former depends on the sharing and analysis of reams of data. The latter calls for minimizing the collection and processing of data.

Certain AML procedures may violate the spirit of data privacy regulations like GDPR, but the conflict could also extend to the letter of the law. 4MLD, for instance, requires institutions to share customer data with foreign regulatory bodies, but GDPR bans data-sharing with third countries. Notably, GDPR provides for data transfers for “important reasons of public interest,” but that standard isn’t clearly defined. Moreover, many banks outsource their KYC procedures to third parties, a process that entails data transfers that may not be GDPR-compliant.

Are global anti-money laundering regulations and growing privacy regulation therefore incompatible? Not necessarily. With Privacy-Enhancing Technologies (PETs) – technologies that protect personally identifying information (PII) throughout the data life cycle – financial institutions can achieve two vital goals: combating money laundering and preserving their clients’ data privacy, all while making their AML compliance efforts far more efficient thanks to information sharing. Solutions using PETs can enable organizations to map PII within their systems, effectively manage data access, and even perform analysis on encrypted sensitive data – thus preventing it from undue exposure.

Accordingly, leading authorities like the UK’s Financial Conduct Authority (FCA) have identified PETs as possible solutions for addressing the inherent conflict between data privacy and AML/KYC regulations, naming technologies like homomorphic encryption and zero-knowledge proofs as enablers of sensitive data processing “without compromising the security or confidentiality of the underlying data.” While these specific use-cases help ensure data privacy while the data is being analyzed, PETs also encompass a much broader range of solutions covering the entire data life cycle.

Applying PETs will enable financial industry players to join forces on business-critical processes, while remaining compliant with data-privacy regulations. When banks deploy homomorphic encryption, for instance, they can analyze encrypted data and safely collaborate with KYC specialists and other financial institutions – running advanced analytics on combined, encrypted data sets while safeguarding clients’ data privacy.

Therein lies the great promise of PETs: These solutions aren’t about finding a compromise between data privacy and AML – they allow financial institutions to have their proverbial cake, and eat it too.