Customer Due Diligence and Data Protection: Striking a Balance

Identity verification is the starting point for most financial transactions, but making sure a person is who they claim to be — and that they aren’t engaging in criminal activity — has become a complex and costly process in the digital age. A consensus is emerging among financial services providers (FSPs) that pooling resources to tackle customer due diligence (CDD) requirements collaboratively — as some are now doing through know-your-customer (KYC) utilities — can lower compliance costs, improve CDD risk management and, thus, facilitate financial inclusion.

Yet for these collaborative CDD arrangements to work, FSPs, regulators and other parties must be able to exchange customer data in ways that are often prohibited by a complex web of information laws, rules and obligations. Given the pressures being placed on FSPs to meet CDD requirements, what’s needed now is a new information-sharing framework that strikes a balance between the need to share data for CDD purposes and important concerns around individuals’ rights.

The laws, rules and obligations that currently govern information sharing in most countries are wide-ranging, spanning customer-banker confidentiality, public sector secrecy, data protection and anti-money laundering and combatting the financing of terrorism (AML/CFT). Here is a look at the main information-sharing rules FSPs must consider and how these rules can make it more difficult to meet CDD obligations.

Bank confidentiality

The contractual relationship between a banker and a customer typically prohibits the banker from disclosing information about the customer’s affairs and accounts to third parties. However, there are exceptions to this confidentiality obligation. For example, it does not prevent the bank from disclosing a customer’s information if it is required to do so by law. This is precisely what AML/CFT laws do: compel banks to report suspicious transactions and customers to national financial intelligence units (FIUs) without customers' knowledge and consent. However, these laws limit further information sharing. They prohibit FSPs from informing anyone else about reports filed with an FIU, including customers and other FSPs, making it harder for providers to alert others to CDD issues.

Secrecy laws

Secrecy laws are a common governance feature of public sector organizations. They are designed to protect certain classes of information by prohibiting government organizations, employees and contractors from divulging such information. As in the case of customer confidentiality, exceptions do apply. One such exception may be disclosure that necessarily occurs in the performance of another legal duty — e.g., disclosure to an oversight body during a statutory inspection. However, secrecy provisions in AML/CFT laws generally inhibit CDD collaboration by restricting the ability of a country’s FIU to share information with FSPs about specific cases of criminal conduct.

Data protection laws

Data protection laws — sometimes referred to as “information privacy laws” — are designed to give individuals control over how their personal information is collected and processed. They typically involve other rights and obligations, such as a right of access to personal information, the right to correct errors in one’s own data and requirements that personal data be kept accurately and securely. Although data protection laws provide important protections, they generally require FSPs to obtain the consent of customers — including suspected criminals — before sharing their personal information with other FSPs.

Data protection rights, however, are not absolute. They can be trumped by other rights, such as the community’s right to a safe and secure society when supported by national security and law enforcement interests if other compensating protections are put in place. Limitations on data protection may, for example, relate to protecting society against the risks of money laundering and terrorist financing.

New approaches to old barriers

Some types of collaborative CDD, such as commercial KYC utilities, have found ways to share some information, but their effectiveness is hampered by a patchwork of laws and regulations that are not fit for this purpose —  i.e., they have not been designed to support AML/CFT objectives.

Rethinking information sharing to facilitate AML/CFT measures means developing a bespoke legal framework that authorizes the necessary information flows in a way that is consistent with fundamental rights like privacy protection. Such a framework could be supplemented by technical standards and rules that help to operationalize it by encouraging a common digital approach to information sharing.

A new legal framework could:

• Allow FIUs to confidentially share information with one or more FSPs — and FSPs to share information with one another — if it is reasonably believed that such information will be treated securely and confidentially and aid in AML/CFT efforts.
• Allow changes to customer information to be shared for AML/CFT purposes among FSPs that have a customer in common, as long as they have a formal agreement and if the customer is informed and has an opportunity to correct the data or prevent sharing.
• Allow utilities to monitor transactional patterns on behalf of multiple FSPs, possibly even allowing the utility to file reports with FIUs on behalf of the FSPs, subject to appropriate control measures.
• Regulate data standardization to make it easier for one FSP to share data with another.
• Outline the conditions for allowing regulated entities to rely on KYC utilities for CDD purposes, relieving them from liability for errors in KYC utilities’ data where their reliance was reasonable (e.g., there was no reason to doubt the accuracy of the data).

Collaborative CDD, including KYC utilities, can significantly improve the effectiveness and efficiency of AML/CFT. To achieve these benefits, however, we need to improve the current information sharing framework. A new framework, collaboratively designed by all stakeholders, can sensitively align individual rights, the commercial operations of FSPs and national security interests.