A Call to Action: The Regulator’s Role in Supporting Privacy-Enhancing Technologies for Data-Driven Financial Crime Investigations

A Call to Action: The Regulator’s Role in Supporting Privacy-Enhancing Technologies for Data-Driven Financial Crime Investigations

Combating financial crimes and protecting privacy are equally critical goals in modern society. 

Financial crimes, when left undetected, can legitimize illegal profiting from systems of injustice on a global scale. Disregard for privacy can undermine an individual’s freedom to control how their personal information is used and disseminated. Risky data practices can further expose people to irreversible harms such as social profiling, identity theft, and data breaches.

These goals each safeguard important rights and interests—neither of which should be marginalized for the other. However, with the growing demand for data in anti-money laundering (AML) and anti-terrorist financing initiatives, privacy regulations are often portrayed as an impediment to a higher cause. It’s time we have a conversation about this misperception, and chart a new way forward with regulators on board.


Modernizing Financial Enforcement, Integrating Privacy by Design

Following our contribution to the Future of Financial Intelligence Sharing (FFIS)’s case study paper on cryptographic privacy-enhancing technologies (PETs) in financial services, Inpher advised the HM Treasury with policy recommendations on mobilizing privacy-forward solutions in the global fight against financial crime. HM Treasury is a member of the UK government’s Economic Crime Innovation Working Group, alongside the Financial Conduct Authority and the National Economic Crime Centre.

Inpher is a vocal advocate of privacy-preserving techniques that modernize financial crime investigations without compromising or centralizing financial data. Privacy by design will be essential to developing and facilitating secure and privacy-compliant automation that financial institutions critically need.

Banks and financial regulators are falling behind the technological capacities of bad actors. PETs can enable banks to adopt better adversarial technologies that do not operate at the expense of privacy.

Therefore, we believe it’s unproductive and incorrect to view privacy and financial enforcement as separate or conflicting issues. Rather, they are highly interactive policy objectives that can, and should, be achieved together.


No More Missed Opportunities

Financial crime enforcement and privacy intersect when banks require additional customer and transaction data in order to flag suspicious activities that could signal money laundering, terrorist financing, or consumer fraud.

Modern financial crimes are getting increasingly more complex and global, and thus difficult to detect manually. Banks working alone simply don’t have all the information to detect global financial crimes efficiently or timely enough for regulators to intervene. We highlighted this challenge in our policy brief to the HM Treasury:

The analyst gets a limited snapshot from one bank’s internal financial records, which lack comprehensive network insights that can be derived from collaborative information sharing among banks for anti-money laundering and fraud detection efforts. It is clear that banks need more access to better data, but are demoralized by  privacy regulations and a lack of commercial incentives to collaborate and create an industry consortium against financial crimes.

Access to inter-bank and cross-industry data can offer banks and regulators the opportunity to identify suspicious patterns across a network of financial institutions. These valuable bird’s-eye view insights cannot be extracted from a single source of data.

With limited regulatory vehicles that grant broad data-access across institutions and industries, PETs can unlock critical opportunities for private-public partnerships and AML ecosystems to expedite financial investigation and enforcement.


Need for a Common Regulatory Approach

Privacy and financial enforcement are highly intersectional, but are unfortunately governed separately without regulatory coordination in the UK and the European Union (EU). This regulatory fragmentation has impeded actionable policy discourse on the burgeoning role of privacy-enhancing technologies in financial enforcement.

A clinical separation of these issues denies the reality of an exceedingly data-centric financial services industry—where banks subject to both the General Data Protection Regulation (GDPR) and the 5th Anti-Money Laundering Directive (5AMLD) are challenged by two seemingly contradictory regulatory mandates.

The newly implemented 5AMLD takes a preventative approach to regulatory reporting and due diligence that errs on the side of over-inclusion. This data-maximalist regime encourages, and often requires, the collection, processing, and analysis of large amounts of financial information. The GDPR, on the other hand, strictly requires data transfers to have a lawful basis, and to adhere to fair information principles such as data minimization, purpose specification, and retention limitation.

In 2019, the UK Information Commissioner’s Office (ICO) acknowledged these tensions in response to the HM Treasury’s consultation on the ‘Transposition of the 5th Anti-Money Laundering Directive’:

We have reviewed the consultation paper and identified that the current focus of many of the questions do not specifically require data protection input from this office at this time. However, there are aspects of the proposed changes under 5MLD that may have implications for the privacy of individuals.

Data protection is not, and should not be seen, as a barrier to an effective anti-money laundering and counter-terrorist financing regime. It is possible to introduce the changes required by 5MLD in a way that takes account of data protection legislation. […] A policy approach that considers data protection early in the design process, as required under GDPR, is likely to reduce the risk that concerns will be raised with the ICO in future regarding the lawfulness and fairness of the UK’s anti-money laundering regime.


A Call to Action…

More than a year later, privacy-enhancing technology companies are still praying for a consistent regulatory approach that actively promotes and ingratiates ‘data protection by design’ in the processing of financial information.

In the meantime, these persistent obstacles continue to impede the necessary adoption of PETs in financial services: (1) the lack of commercial trust and market awareness; (2) lack of regulatory guidance; and (3) lack of organizational incentives to invest in PETs to replace legacy systems.

(1)    Regulatory Support: From Demonstration to Deployment of PETs

Cryptographic technologies—secure multi-party computation (MPC) and fully homomorphic encryption (FHE)—can preserve analytical precision and allow secure collaboration across data silos for unprecedented industry-wide information coordination. Inpher is actively engaged in cryptographic privacy safeguards that can be applied (1) bank-to-bank, (2) bank-to-regulator, and (3) regulator-to-regulator to enable knowledge-sharing for AML and fraud detection without exposing the underlying personal information between parties.

In the 2019 Financial Conduct Authority (FCA) Tech Sprint, we leveraged an MPC solution to graph algorithms that detected clusters and substructures of money laundering activity—using decentralized, privacy-preserving computing to identify the source account, intermediaries, and target destination of funds.

Applying rapidly evolving academic research to commercial solutions, we have made multiple order-of-magnitude advancements in the performance of both FHE and MPC without compromising accuracy—and have successfully demonstrated proof of concept to solve real-world privacy and security challenges in banking, compliance, and financial inclusion.

However, despite years of peer-reviewed literature that guarantees the efficacy of our PETs solutions, there is practically no regulatory acknowledgement of FHE and MPC in the best practices published by data protection authorities or financial regulators. Despite our successful AML use case in the FCA Tech Sprint, there is still little regulatory support to greenlight and evangelize PETs as an emerging necessity for financial institutions operating in a legal landscape that requires privacy-by-design.

(2)    Only Regulators Can Clear the Specter of Regulatory Risk

Companies are afraid to adopt PETs because of regulatory risk. This reticence leads to missed collaborative opportunities and the systemic marginalization of privacy in financial services.

  •  Inpher, HM Treasury Economic Crime & Innovation Working Group Consultation

We need data protection authorities to actively engage in policy dialogue with financial regulators to help progress the standardization of PETs with common standards and requirements. Without regulatory blessing, financial institutions will stay inert against privacy innovation due to the potential difficulties of navigating compliance.

These adoption challenges can be alleviated with:

  • stakeholder engagements that bring together PETs companies with industry partners;

  • regulatory clarity on the standards of anonymization under the GDPR and matching it up with the capacities of commercially available PETs in best practice guides; and

  • supporting both regulatory sandboxes and commercial sandboxes (stronger no-action letters) that allow financial institutions to explore privacy innovation with regulatory approval.

With this call to action, Inpher hopes to bring together stakeholders in the financial crime enforcement ecosystem to advocate for privacy-enhancing approaches to AML and fraud detection systems.

If you’re interested in learning more or speaking with the Inpher team, reach out to us today!