Multinational Banking and Conflicts among US-EU AML/CTF Compliance & Privacy Law: Operational & Political Views in Context
80 Pages. Posted: 6 Jul 2016
Date Written: July 1, 2016
In Information Statecraft, states employ legal and technological methods to acquire data to map behaviors and expose the illicit economy and networks of political violence. Yet, because financial institutions (FIs) possess that data, governments must depend on their cooperation. Financial data is both commercial and a source of intelligence and is governed by two often opposing legal regimes.
A comparative analysis of US and EU AML/CTF and data protection laws illuminated issues within 19 compliance areas that will challenge multinationals as they integrate privacy into AML/CTF operations. The EU's 4th Anti-Money Laundering Directive (4AMLD) promotes enterprise-wide compliance programs with data protection across the group, whereas US law restricts data due to confidentiality concerns and does not require privacy in compliance programs; this divergence created risks at every point examined in the study. Other areas of high regulatory (and reputational) risk for multinational financial institutions lie in local authority data requests; sensitive data collection and transfers involving politically exposed persons and their families; vendor compliance with the US-EU Privacy Shield; the prohibition on using KYC data for commercial purposes where EU data subjects are concerned; and the practice of profiling and monitoring client relationships using semi-automated and automated software. Profiling deserves special attention since the EU General Data Protection Regulation (GDPR) gives data subjects the right to object to profiling, the right to understand the legal outcomes of computer-aided decision-making, and the right to challenge these decisions (applicable to de-risking), subject to restrictions under Member State law.
Data privacy programs benefit AML/CTF compliance because they create accountability trails, help FIs produce better data for authorities, and lend reputational currency. Despite the regulatory conflicts, the financial services industry has an opportunity to contribute to data privacy/AML/CTF solutions that fit its operations, as the GDPR invites private associations to create codes of conduct. The private sector should develop these codes in tandem and in cooperation with Member State efforts to create the technological and operational data safeguards that will be written in the next two years. Firms should prepare for these changes by conducting data inventories, mapping data flows, creating integrated AML/CTF, information technology, and privacy compliance teams, or incentivizing cross-disciplinary training for their employees so they can implement multidisciplinary and trans-jurisdictional policies and procedures.
Keywords: AML, CTF, Compliance, Regulation, EU, US, Information Statecraft, Data Protection
JEL Classification: G28, H73, K20