19 Challenges between US and EU AML/CTF Compliance and Privacy Laws
About the Research
In August 2016, the SWIFT Institute released a new research report into the challenges of information statecraft for today’s global financial community. The report titled ‘Multinational Banking and Conflicts among US-EU AML/CTF Compliance & Privacy Law: Operational & Political Views in Context,’ focuses on the duality between laws that seek to use data to protect the financial system and laws that seek to protect data privacy. It reveals 19 areas that will challenge multinational financial institutions as they integrate privacy into their anti-money laundering (AML) and counter-terrorism finance (CTF) operations over the next two years.
Severity of risk - from low to high - posed by 19 key compliance areas to multinational financial institutions.
Severity
The severity level of risk for each case is calculated either through conflicts between data privacy and AML/CTF legislation, or where there are noticeable gaps in either US or EU AML or privacy requirements.
- Third Countries with 'Inadequate' AML & Data Protection Programmes (High Severity): Europe's group-wide AML and data protection requirements impact all EU and US firms in some capacity. EU and US banks may engage with high-risk markets, but EU firms must put in place EU AML and data protection policies to satisfy EU regulators; US companies must establish US-level AML programmes while complying with local regulations. The GDPR holds firms accountable for any data transferred to a third country, including onward transfers.
- Cross-Institutional Data-Sharing: PATRIOT 314(b) & 4AMLD (High Severity): 4AMLD specifies data-sharing in the context of CIP and CDD requirements or data-sharing within a group, but it does not include inter-institution AML data-sharing at the EU level. However, USA PATRIOT § 314(b) promotes inter-firm data-sharing of any data "possibly" relating to ML and TF, as long as it does not expose the existence of an SAR or share an SAR. Still, financial institutions are hesitant to use the programme because it was difficult to share underlying data and not expose a possible SAR filing.
- Enterprise (Group)-wide Sharing – SARs & Supporting Data (High Severity): The conflicts between US and EU views on enterprise-wide SAR and underlying data-sharing present one of the greatest obstacles to a cohesive AML compliance strategy. When foreign branches, subsidiaries and affiliates cannot access and share enterprise data, they cannot see client, transactional, or behavioural links across their businesses, which can create repetitive or incomplete reports to national authorities. The report found that both US and EU laws impose legal controls that inhibit data flows.
- Prohibition of AML Data for Commercial Use (High Severity): The EU prohibits the use of AML data for commercial purposes, which presents one of the highest risks to financial institutions since banks usually use such data to improve their services. There is no legal requirement for US financial institutions to separate AML/CTF from commercial data use. US firms operating in the EU or dealing with European clients must monitor employee data access and use.
- Criminal Reporting & Sensitive Data (High Severity): Financial institutions must take note of and monitor the activities of their clientele for criminal offences as identified by national laws for SARs and other reports. 4AMLD narrowly defines predicate offences and the GDPR has special restrictions on the collection and dissemination of criminal data. In contrast, the US has a broader list of criminal activities that may cause MFIs to violate EU proportionality principles and promote function creep. EU MFIs must share information about suspicious activities within the group, and data may reach the US through affiliates and subsidiaries of EU firms. The transfer of this data may violate Member State rules.
- Outsourcing Relationships (High Severity): US and EU financial institutions are accountable for the actions of vendor services, whether or not these services are directly regulated under AML law. 4AMLD allows Member States to authorize outsourcing relationships and makes vendors accountable to data protection law. Vendors that provide open-source KYC data to help financial institutions conduct CDD and EDD measures will face US data privacy challenges, since the EU defines PII as any data that identifies an individual or their behaviours. This contrasts with US law, which utilizes various definitions of PII depending on the data type and use.
- Third Party Reliance for CIP & CDD (High Severity): The US and EU authorize financial institutions to use data from other institutions if they are part of the same group and subject to the same AML rules.
- Beneficial Ownership & Registries (High Severity): Both 4AMLD and US regulation have set a 25% minimum interest to determine a company’s ownership. Listing those with < 25% interest is determined by a financial institution’s risk assessment, which leaves financial institutions open to subjective regulatory measures. Identity validation and status within BO is riskier for US banks, which are not obligated to follow up unless they determine that the client is a risk. Both the US and EU have opted for central registries, but will determine public data access differently.
- Data Transfers to Third Country Authorities (Medium Severity): The Umbrella Agreement covers data transfers between EU-US authorities, but there are broad allowances for transfers and further processing to national security groups. European companies with branches in the US must comply with legal data requests from US authorities, but may not be shielded from EU scrutiny for doing so. Similarly, EU citizens only recently gained redress rights for data held by US authorities, whereas American citizens have always enjoyed these rights in the EU.
- FIU & LEA Data Requests (Medium Severity): The discrepancies among US and EU laws complicate data collection for authorities, and challenge MFIs, which must be aware of what can and cannot be shared depending on the jurisdiction. Again, EU companies are vulnerable to data protection scrutiny when they are in the US, as PATRIOT § 314(a) enables authorities to request lead information on individuals suspected of ML or TF.
- Data Protection (Medium Severity): While there are few legal differences between EU and US RBA strategies, conflicts rise substantially when the EU’s rules-based data protection regime is placed within AML/CTF risk-based operations. EU privacy law is meant to be applied with limited exceptions, which can clash with RBA methods that involve collecting and analysing volumes of personal data to determine risk. The US does not require data protection controls (beyond information security) in AML/CTF compliance, which produced legal and operational conflicts at nearly every point of the study.
- Risk-Based Approach (RBA) (Medium Severity): The US and EU have adopted an RBA within the BSA, the USA PATRIOT Act, and 4AMLD, rather than a rules-based approach, because they believe that financial institutions are best positioned to spot behaviours that contribute to the illicit economy and terrorist activities. RBA aims to help MFIs create more consistent enterprise-wide programmes that reflect operations across lines of business, clients, and geographical locations.
- Politically Exposed Persons (PEP) & Enhanced Due Diligence (EDD) (Medium Severity): FATF standards and national laws require financial institutions to conduct EDD on clients serving in prominent domestic and foreign public roles. PEP definitions change according to the jurisdiction, but typically include PEPs, their immediate families, and close personal and business associates. Probing the personal relationships of PEPs and their families can breach sensitive data categories protected by the GDPR.
- Customer Identification Program (CIP) & Customer Due Diligence (CDD) (Low Severity): The US and EU provide a minimum amount of information that must be collected from a customer, but neither provides financial institutions with standards for how to confirm an individual’s identity. In the EU, these requirements are left up to Member State law, which can leave verification to the financial institution’s discretion. US and EU FIs must notify customers of their AML/CTF data collection obligations. 4AMLD and the GDPR give customers the right to check the accuracy of their account data, contest it, and make corrections to data utilized for commercial relationships, but it is unclear where legislators and regulators would restrict access to data used for AML/CTF, since it could fall under exemptions for national security.
- Financial Institution Data Retention (Low Severity): The EU requires that financial institutions hold data for five years with a possible extension of another five years, but limits retention to a total of ten years with specific safeguards to ensure data security. In the US, financial institution data retention is typically five years but can be extended to six years or longer if requested by the Secretary of the Treasury. These requirements place huge demands on an MFI's technological and staffing resources.
- FIU to FIU SAR Sharing (Low Severity): Just as MFIs are expected to cooperate with LEAs and FIUs, the AML/CTF regime demands that criminal justice and national security communities seek cooperative relationships. The US and EU have established Memoranda of Understanding (MOUs) that outline the nature of FIU to FIU contacts, but they have only recently added data-sharing to the Umbrella Agreement.
- Multinational Financial Institutions Cooperation with Financial Intelligence Units (FIUs) & Law Enforcement Authorities (LEAs) (Low Severity): In Europe, 4AMLD obligates MFIs to respond to LEA and FIU information requests in accordance with national laws. EU law prohibits authorities from directly requesting data from MFIs outside their jurisdictions. Authorities should use official channels when they need information held by a financial institution in another state. However, EU data stored or accessible in the US is subject to acquisition by US authorities via subpoenas. Both US and EU MFIs face legal uncertainties involving national intelligence agencies, as data protection laws do not apply or have limited authority.
- Illicit Economy Threat (Low Severity): The US and EU recognize that the illicit economy and transnational political violence are a threat to their economic well-being and national security, and believe that the FATF Recommendations are central to curbing these dangers within their borders and across the globe.
- FATF Recommendations (Low Severity): The US and EU have committed themselves to the FATF Recommendations, and the application of these guidelines within national laws promotes a high level of congruence across the...
Full version of the report, last updated September 21, 2016.