Most financial institutions aspire to implement a truly global customer due diligence program that shares and re-uses data, measures and manages risk consistently and drives efficiency of the Group’s AML / KYC practices. However, this approach is at the mercy of in-country rules, which place restrictions on the movement of data and access to that data.
KYC, AML and other regulations, such as BCBS 239, that mandate the collection and sharing of data are often at odds with adherence to local data privacy obligations and potentially interfere with the right to privacy. While most of these regulations concern the actions of legal persons, a sizeable percentage of these - particularly regulations covering surveillance, record keeping and reporting, information exchange, powers of competent authorities and sanctions for violations of applicable rules – require the processing of personal information i.e. data relating either directly or indirectly to identifiable natural persons. This brings the world of regulation into direct conflict with data privacy rules.
Furthermore, the lack of global harmonization of data privacy rules and specific in-country regulations governing data privacy and protection add a most perplexing and complex layer to an already complicated situation.
Different in-country rules and constraints imposed on the collection, storing and sharing of data is creating a regulatory, data and operational headache for most financial institutions.
The phrase caught between a rock and a hard place comes to mind!
While each region has nuances on how data must be safeguarded, which can be quite variable on a cross-jurisdictional comparative basis, certain common themes can be ascertained:
1. Data Residency Requirements
The requirement to keep data within the jurisdiction (in-country) mandates local and foreign companies to process and retain the personal data of data subjects within that country itself. This introduces a complication for global companies operating a shared services model for KYC / AML compliance. Complexity is further added by the fact that where ‘data sovereignty’ dictates that data will be subject to the regulations of that region, additional sovereignty is also applied to politico-economic unions. For example, data pertaining to EU data subjects will also be subjected to EU sovereignty.
2. Countries Offering Comparable Protection Level
Certain countries mandate that in order for data to be transferred outside their borders, the data processor must ensure that the country receiving the transfer offers a comparably adequate level of protection. The European Commission has so far recognized the following countries as providing adequate protection - Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. On 2 February 2016, the European Commission and the United States agreed on a new framework for transatlantic data transfers: the EU-U.S. Privacy Shield. On 29 February 2016, the European Commission published a draft adequacy decision and the relevant commitments by U.S. authorities. European Union Article 29 Working Party (WP 29) has made numerous criticisms of the Framework voicing concerns about the lack of cohesion between the GDPR and EU/US Privacy Shield, the strength and independence of the US ombudsman, as well as lack of surveillance protection for EU citizens. Although these recommendations are not binding, WP 29 is an influential body and it remains unclear whether the final decision will be formally adopted.
3. Personally Identifiable Information (PII)
Sensitive personal data is defined within most local data protection legislation. Personally Identifiable Information can be used on its own or in conjunction with other information to identify, contact or locate a single person, or to identify an individual in context and must be adequately safeguarded to minimize the risk of theft, leakage and abuse. Managing Personally Identifiable Information creates challenges as, typically, only a limited number of users should be able to see the data and its use must be restricted.
4. Protection of Associated Entities
While the contract party can be considered to have provided consent to storage of their data, the same cannot be said for associated parties. Where these Associated Entities are individuals (such as directors, shareholders, beneficial owners), it is important to apply the highest level of protection. Certain jurisdictions provide specific protection for these associated entities and create a need for their existence and relationships to the contracted party to be hidden from general users
5. Contractual Confidential Agreements
In commercial contracts, a clause may be introduced to mandate the need for Non-Disclosure Agreements, which seeks to limit availability of information on a need-to-know basis. With a genesis in contractual law rather than jurisdictional-specific privacy regulations, nevertheless, financial institutions and companies must adhere to these privacy provisions or face a claim for punitive damages.
6. Confidential Deals
A Chinese wall is the ethical barrier between different divisions of a financial (or other) institution to avoid conflict of interest. A Chinese wall is said to exist, for example, between the corporate-advisory area and the brokering department of a financial services firm to separate those giving corporate advice on takeovers from those advising clients about buying shares. To maintain integrity and avoid reputational damage, it is imperative to have adequate technology underpinning this virtual segregation.
In our next blog, I’ll explore ways in which financial institutions can overcome some of these challenges when implementing a global regulatory due diligence compliance program.
Download our whitepaper on KYC vs Data protection:
Download our whitepaper on KYC vs Data protection - the Next Compliance Hurdle, where Laura examines how financial institutions can manage local jurisdictional KYC obligations and deal with complex security and data privacy requirements across jurisdictions. She considers the global and cross- jurisdictional data protection laws (check out the Jurisdictional Use Cases at the end of this document) and how these can be categorized into common themes.