Compliance challenge for banks from US/EU law differences
Variations in US and European (EU) law can lead to compliance challenges for the multinational banking community, claims a research paper compiled by the SWIFT Institute.
The conflict centres particularly on anti-money laundering (AML) and counter terrorist finance (CTF) legislation according to the report, entitled ‘Multinational Banking and Conflicts among US-EU AML/CTF Compliance & Privacy Law: Operational & Political Views in Context’.
The study focuses on the duality between laws that seek to use data to protect the financial system and those aiming to protect data privacy.
Its author, Dr Michelle Frasher, says there are many compliance areas that will challenge multinational financial institutions as they integrate privacy into their AML and CTF operations over the next two years.
According to the study, the EU’s AML Directive (4AMLD) requires enterprise-wide data protection within AML/CTF operations across a multinational financial institution (MFI), while US law does not, which creates regulatory risk.
In the US, data is typically the property of the entity that possesses it, for example a bank, whilst in the EU’s rule-based privacy regime data ownership belongs to the individual as a human right; this can conflict with AML/CTF regulations.
“The US and EU subscribe to Financial Action Task Force (FATF) recommendations, but there are notable differences in implementation,” comments Dr Frasher. “The EU is setting the terms of data protection in AML/CTF compliance, and there are few people with the knowledge and skillsets to communicate across these disciplines.
“As the EU member states establish technological and organisational safeguards for AML/CTF data protection within the next two years, officials should engage in cooperative and collaborative dialogues with the financial services to create workable solutions.”
The research also found that both US and EU law mandate MFIs’ cooperation with national authorities; however, EU firms with operations in the US may be at greater risk of data requests from US authorities, which may run afoul of EU privacy expectations as data is shared across the group. MFIs must consider the location of their servers to determine their risk exposure to foreign authority access as well as to data breaches.
Furthermore, the US Patriot Act’s mandatory data searches for subjects “reasonably suspected” of money laundering or terrorist financing challenge European data collection, retention, deletion, purpose limitation and access requirements. At the same time, EU member states and national security intelligence agencies are not covered by EU data protection law.
“With this research, we aimed to present a comparative analysis of US federal and EU-level AML/CTF and data protection laws,” adds Frasher.
“Challenges notwithstanding, data privacy programs benefit AML/CTF compliance because they create accountability trails, help financial institutions produce better data to authorities, and lend reputational currency.
“Despite the regulatory conflicts, the financial services industry has an opportunity to contribute to data privacy/AML/CTF solutions that fit their operations.”
The report concludes that firms can address complex compliance challenges by creating integrated AML/CTF, information technology and privacy teams, or by encouraging employees to seek cross-functional training to break down the information and education ‘stovepipes’ inherent in MFI organisational structures.