Challenges associated with private entities investigating money laundering — information sharing

Speed read: In this second awareness update, Anita Clifford considers the challenges that could arise as private entities are drawn further into the investigation of money laundering through the new information sharing network.

An emerging priority

The advent of the new information sharing channel indicates that greater private sector involvement in intelligence gathering is an emerging priority for international bodies and national authorities concerned about money laundering.

In May 2016, the NCA launched the Joint Money Laundering Intelligence Taskforce (‘JMILT’), an intelligence sharing pilot which brought together UK enforcement authorities, the British Bankers Association and more than forty major banks. The success of JMILT is expressly referred to in the Explanatory Notes expanding upon the rationale for the new information sharing channel.

Beyond this, at an international level, in June 2016 the Financial Action Task Force (‘FATF’) launched the Consolidated FATF Standards on Information Sharing, amalgamating into one document excerpts of various recommendations and Interpretive Notes made over the years which touch on the subject of information sharing. [1] Although none of the excerpts suggest that countries should develop a comprehensive framework to enable the regulated sector to more easily share information, as the UK has chosen to do, the Consolidated Standards highlight that for some time information sharing within the private sector and between the public and private sectors has been on the policy agenda. The FATF Recommendations, published in 2012, expressly recommend that financial institutions involved in cross-border banking should be able to request customer due diligence (‘CDD’) information from correspondent banks. [2] Recommendation 17 further permits regulated firms to rely on CDD information sourced by other regulated firms. Implicit in both recommendations is the sharing of information by the private sector.

In June 2017, FATF also opened to public consultation its Draft Guidance for Private Sector Information Sharing, highlighting that further private sector involvement in the fight against money laundering is to be expected. Notably, the Draft Guidance refers to information sharing as ‘key’ to promoting financial transparency and protecting the integrity of the financial system. [3] All, according to FATF, stand to benefit from “continuous dialogue between the public and private and private sectors”. [4] The reasons are becoming increasingly familiar. More information being shared means a better level of intelligence ultimately able to be provided to enforcement authorities. For regulated entities, opportunities to confer and access more intelligence about a client or work stream means a better understanding of the attendant risks and, consequently, a better ability to mitigate those risks and navigate the choppy compliance waters.

Against this background, countries other than the UK have also begun to move toward formal AML information sharing frameworks. Australia, for instance, has developed a channel for the sharing of AML information between the private and public sectors. In March 2017, AUSTRAC launched the Fintel Alliance, the world’s first private / public partnership to combat money laundering. Central to its activities is the exchange of ‘near real-time intelligence’ between Australian law enforcement agencies, Australia’s four largest banks as well as other institutional players such as Macquarie Bank, PayPal and Western Union. [5] Telling of its keen interest in further developing private sector information sharing, the NCA is the Fintel Alliance’s first international collaborator. [6]

Some broader considerations

The JMILT pilot, the new sharing framework in POCA and NCA interest in the Australian project suggest that regulated entities will be expected to do more in the fight against money laundering in future. However, if private entities are to be led further into the fold and information channels are to develop between regulated entities and to / from the regulated sector and enforcement authorities, several issues require consideration.

Data protection

At a broader level, an inherent tension exists between expectations that the private sector will share information and various data protection legislative frameworks. In the UK, the new regime deftly skirts around the tension by providing absolute legal cover to regulated entities that disclose information – disclosure restrictions ‘howsoever imposed’ are disapplied. An expectation that regulated entities will share information with each other and with law enforcement, however, seems at odds with the ever-growing protections applicable to the storage and handling of personal data and wider discussion of an evolving right to be forgotten. Notably, the UK’s new information sharing framework in POCA does not contain any reference to the age or type of the information that an entity may now request from another in the regulated sector.

Data protection legislation fundamentally prohibits the processing, transfer or sharing of personal data. Depending on the framework in place in a country, the sharing of personal data may require consent. Breach of the prohibitions by individuals and corporates can attract criminal sanction.

When AML information is shared between regulated entities across borders, such as within a corporate group, data protection inconsistencies can present difficulties. Not all legislative frameworks, for example, contain a ‘law enforcement’ exemption to the prohibition on personal data disclosure as permissive as that in the UK. [7] Similarly, not all such exemptions may be sufficiently wide to encompass the disclosure of AML information to private entities, as opposed to public authorities.

Additionally, there are legislative differences as to when consent to disclose personal data is required as well as how, by whom and in what circumstances it can be given. In a money laundering context, ‘consent to disclose’ is a red herring. Unless a blanket clause permits a regulated entity to disclose personal data to third parties, obtaining the consent of an individual to disclose his or her personal data to another entity about a money laundering suspicion would fall foul of the ‘tipping off’ offence provisions. [8]

Inconsistencies in the level of data protection in a jurisdiction could also mean, for instance, that a UK regulated entity could ultimately be sharing personal data with a private entity abroad that is not subject to equivalently rigorous collection, transfer, storage or sharing requirements or which is situated in a jurisdiction containing more exemptions to data prohibitions. When the European Union (‘EU’) General Data Protection Regulation (‘GDPR’) takes effect on 25 May 2018, EU Member States will have the most comprehensive data protections in the world. This contrasts with the data protections in the United States, which are contained in a mix of sector-specific, State and federal laws, with the latter containing wide permissions for disclosure and no provisions regarding data retention periods. [9]

Operational challenges

Further practical challenges arise if the intelligence channels from and between regulated entities are to widen. It is, to an extent, a case of needing to build from the ground up. In its Draft Guidance, FATF noted that an absence of information sharing processes and policies, different IT tools and data formats as well as lack of knowledge as to the kind of information in the possession of the private sector posed a challenge to efficient public / private sector information sharing. These same issues are just as relevant to calls for information sharing to increase within the private sector. Aside from the practicalities of sharing information that is timely and accessible, careful policies and memoranda of understanding will need to be developed by regulated firms to ensure that confidential information is handled appropriately when it is disseminated, that disclosures are properly logged by both parties and that any information shared is used only for AML purposes, in other words, the purpose for which it was requested. [10] The question also arises whether, if sensitive AML-related information is to be shared between private entities, a degree of independent oversight or accountability is required.

Trust

There is a further tension which is worthy of attention. If in the fight against money laundering regulated entities are expected to perform dual roles – that of an intelligence agency as well as a business – what are the implications for the client relationship and business generally? The UK’s information disclosure regime in sections 339ZB – 339ZG of POCA is voluntary but an individual’s awareness that their personal information could now be shared with other professionals and subsequently with authorities as part of a ‘real time intelligence’ programme erodes client trust. As presently configured, the information sharing provisions in POCA mean that the client would not have the ability to sue for breach of confidence or other disclosure restrictions. In the short term, a focus on preserving client relationships may cause smaller, regulated businesses to refuse requests for information to be disclosed under the new POCA framework. More broadly, a client may become reluctant to provide information, which may affect the type and quality of service that a regulated business provides. Greater formalised cooperation between private sector entities and, perhaps eventually, the private sector and enforcement authorities in countries like the UK and Australia could even propel transactional business elsewhere.

Conclusion

Is it the case that if there is ‘nothing to hide’, data and erosion of trust concerns should not matter? This seems simplistic. Perhaps more to the point is that to effectively combat money launderers the private institutions they use should be drawn further into the intelligence gathering and investigation process. The complex nature of transactions and speed at which they are facilitated is a reason for developing more frameworks to make it easy for regulated entities to share information with each other and with the authorities. There is a line of travel in this direction but the broader issues identified in this piece first merit consideration. Further, as information sharing continues to evolve, it might also be queried what some of the largest private institutions, with a trove of potential intelligence at their fingertips, will expect from enforcement authorities in return.

[1] Financial Action Task Force, ‘Consolidated FATF Standards on Information Sharing’ (2016) available at: http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/Consolidated-FATF-Standards-information-sharing.pdf.

[2] Page 11.

[3] Page 3.

[4] Ibid.

[5] AUSTRAC, ‘About Fintel Alliance’ (2017) available at: http://www.austrac.gov.au/about-us/austrac/fintel-alliance

[6] AUSTRAC, ‘Fintel Alliance: Operations Hub’ (2017) available at: http://www.austrac.gov.au/sites/default/files/fa-announcement-operations-hub-v1.pdf

[7] Section 29 of the Data Protection Act 1998.

[8] In the UK, see section 333 of POCA and Recommendation 21 of the FATF Recommendations which states that “Financial institutions, their directors, officers, and employees should be prohibited from disclosing (‘tipping off’) the fact that a suspicious transaction report (STR) or related information is being filed with the FIU”.

[9] European Parliament Directorate-General for Internal Policies, Policy Department, ‘A Comparison between US and EU Data Protection Legislation for Law Enforcement’ (2015) available at: http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU%282015%29536459_EN.pdf

[10] Page 21.