Banks use privacy-enhancing tech to tackle money laundering as regulation lags

The emergence of privacy-enhancing technology could fundamentally change the way banks around the world work to detect financial crime, allowing them to exchange data with each other while complying with increasingly stringent data protection regulation. Banks and technology companies now call for a clearer regulatory stance on the use cases.

One key challenge for banks is that they are left to detect financial crime by looking only within their own individual institution, with laws on secrecy and personal integrity limiting the possibilities of sharing intelligence. As a result, highly organized criminal networks can operate unnoticed while financial institutions spend large amounts targeting the low-hanging fruit in the criminal food chain. In an era of rising concerns about the protection of personal data, the uphill battle is only getting steeper.

Luckily for the banks, privacy-enhancing technology could help them overcome this hurdle. The term covers techniques that support information sharing between entities for analytical purposes without requiring them to disclose the underlying and potentially sensitive data. Such technologies include homomorphic encryption, secure multiparty computation and zero-knowledge proofs.

"We believe that the desire for privacy is not a passing trend," said Cécile Bartenieff, COO of Global Banking and Investor Solutions at Société Générale SA, speaking at a Sibos webinar Nov. 10. "We must be ready to operate in a world that prioritizes data security and privacy. And we are definitely convinced that privacy-enhancing technology delivers the technical solution for that."

Bartenieff made the comment as she presented Project Danie, a Europe-based initiative in which three investment banks earlier this year tested a solution that can help them, as part of their know-your-customer efforts, to identify data anomalies against equivalent values submitted by peers without sharing any underlying client data.

The Royal United Services Institute, or RUSI, a U.K.-based think tank on international defense and security, has recently identified nine case studies globally, Danie being one of them, in which privacy-enhancing technology techniques have been trialed by banks for financial crime detection purposes.

Although most are still in a proof-of-concept or pilot stage, the interest in this technology is clearly on the rise. That is especially true in "jurisdictions that have a significant legislative environment for protecting personal privacy," Nick Maxwell, head of RUSI's Future of Financial Intelligence Sharing program and author of the research, told S&P Global Market Intelligence.

Seven of the nine case studies have taken place in Europe and most have been developed since the EU implemented GDPR, a law on data protection and privacy, in 2018.

'Legitimate interests'

Privacy-enhancing technologies are "not silver bullets," but they provide a new opportunity for data exchange to happen in a more targeted and secure way, enabling banks to better meet GDPR requirements around security and principles of data minimization, said Guy Cohen, head of policy at Privitar, a U.K.-based provider of privacy-enhancing technology, also speaking at Sibos on Nov. 10.

Legally speaking, banks can share information for financial crime purposes under GDPR, which allows organizations to process personal data without obtaining consent when necessary for compliance with a legal obligation or the purposes of pursuing "legitimate interests," explained Taavi Tamkivi, CEO of Estonian technology company Salv and a former global lead of compliance at TransferWise.

But a lack of methods to do so securely and in compliance with other GDPR requirements means that banks have so far exchanged information to a very limited extent and typically via means that are slow and not scalable, such as phone calls or emails, Tamkivi said in an interview.

Salv is working with banks such as Swedbank AB (publ) and Skandinaviska Enskilda Banken AB in Estonia to pilot a solution where users can submit information around suspected politically exposed persons, their relatives and close associates, and receive feedback as to whether other banks have characterized the same customer as such. The solution does not reveal the source bank nor that the request has been made.

Transaction monitoring is another area where banks are seeing opportunity for this emerging technology. In a proof of concept in the U.K. last year, three high street banks worked with Deloitte and tech company FutureFlow to map transaction networks and identify potential malicious actors that had deliberately moved funds among multiple banks to avoid detection.

Not only could banks use FutureFlow's platform to analyze accounts that they had already deemed suspicious, but they could also share transactional data at a "pre-suspicion" stage, meaning there was no preconceived suspicion related to the transactions, said Vadim Sobolevski, co-founder of FutureFlow, in an interview. The platform would then highlight accounts that it found to be part of complex, opaque or nontransparent networks and which deserved the banks' attention.

Legal uncertainty

Despite the opportunities, uncertainty around the stance of the regulators and the legal basis for processing the data means banks remain hesitant to jump fully onboard with these technologies and move from testing to implementation.

"[Privacy-enhancing technology] really helps us to prove to the regulators that we are conforming to the GDPR. What we would like to see is the regulators taking a firm stance with organizations and encouraging the adoption of this kind of technology," said Paul Branley, director of strategy, innovation and testing at Lloyds Banking Group PLC, speaking at Sibos Nov. 10. The lender has itself been testing a privacy-enhancing technology solution developed by Duality, a homomorphic encryption company, along with other banks.

"I speak to a lot of people that [say] they haven't had that direction from their regulators that 'yes, if you do it that way, that is fine, we agree, go ahead.' That's something where regulators can really help by giving confidence that, when used in that way, that is a legitimate and well-balanced case," said Cohen of Privitar.

He said there is particular uncertainty around how various, often relatively new, pieces of legislation intersect, be it laws on data protection, data localization, banking secrecy, competition and anti-money-laundering, and as such, joint leadership from financial and data protection regulators is needed.

Tamkivi of Salv also urged regulators to clarify and define more specifically under which conditions banks can exchange information related to financial crime. The company has started testing its technology for politically exposed persons and associates because this is the most straightforward and best defined from a legal perspective, but it has identified another 11 potential use cases for the technology where the legal framework is more unclear, Tamkivi said.

Regulator engagement

In an effort to tackle those regulatory hurdles, banks and technology companies are increasingly working with authorities when building their solutions, with the U.K. highlighted as one country where regulators have taken a somewhat active role in promoting privacy-enhancing technology.

For example, the FCA, the U.K.'s financial regulator, hosted a tech sprint in 2019 focused on the use of privacy-enhancing technology specifically for anti-money-laundering purposes. It was attended by technology companies such as Salv, FutureFlow and Duality, as well as banks including Lloyds, Citigroup Inc., HSBC Holdings PLC, Barclays PLC, Goldman Sachs Group Inc., NatWest Group PLC and Standard Chartered PLC.

FutureFlow was also among the first participants in a sandbox initiative launched by the country's data protection authority, the ICO, in 2019. It resulted in an exit report, released Nov. 5, in which the ICO concluded that "it appears likely" that the data processed by FutureFlow's platform "is processed securely and not in a way which breaches U.K. data protection legislation."

Whether it will be enough reassurance for banks is too early to say. If you ask Sobolevski of FutureFlow, the next step needed for privacy-enhancing technology to take off is really for the financial institutions themselves to show leadership and move toward implementing it. He pointed to Transaction Monitoring Netherlands as a "remarkable" example of an initiative led by banks in the private sector, and which only later gained support from regulators.

Transaction Monitoring Netherlands is a collaboration between five Dutch banks — ING Groep NV, Rabobank, ABN AMRO Bank NV, Triodos Bank NV and Volksbank NV — to build a solution for collective transaction monitoring, formally established in July. Its aim is to identify unusual patterns in payments traffic that individual banks cannot identify.

It has backing from the country's financial intelligence unit and other government entities; the Dutch government has proposed legal amendments that would provide the legal basis for such monitoring.