Navigating the convergence of AML and data privacy

The fight against money laundering and terrorist financing is a justified global priority, prompting increasingly stringent anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. However, these efforts must be carefully balanced against the fundamental rights to privacy and data protection. Recent legislative developments in the United Kingdom, New Zealand, and Australia highlight the challenges of aligning these two critical objectives.

Converging and diverging regulatory frameworks

In general, privacy laws worldwide are being strengthened to better safeguard individuals' personal information. In parallel, AML/CTF rules are tightening, often requiring captured service providers to collect, store, and share more personal data to meet compliance obligations. 

This has led to a convergence of data privacy and AML/CTF frameworks in most countries, but also growing divergence in others, making compliance an intricate endeavour. 

UK bucks the trend

The UK's proposed Data Protection and Digital Information Bill is bucking the trend with controversial reforms which would greatly expand the UK government's ability to monitor the bank accounts and financial data of beneficiaries receiving welfare payments. 

While the government estimates this could save £600 million over 5 years by cracking down on benefit fraud, critics warn it is an overreach that could lead to beneficiaries having other sensitive personal and financial information accessed without proper justification.

Another amendment in the Bill further weakens data subject rights by lowering the standard for data controllers to reject requests for information about the use of their personal data, a significant factor in AML. The change makes it easier for companies to avoid providing transparency to data subjects about how their personal information is being used and processed.

ANZ follow EU

 But as noted, the UK is a rarity. Australia's current Privacy Act Review Report makes a number of recommendations that intersect positively with AML/CTF legislation. 

Norton Rose Fulbright, an Australian law firm and Tranche 2 advocate, goes into great detail to outline which of the proposed reforms are relevant to AML/CTF compliance. The most relevant reforms they identified are:

• Strengthened notice requirements for businesses when collecting and disclosing personal information overseas. In their opinion, this could create tensions with AML/CTF obligations given that many reporting entities maintain offshore hubs to conduct customer due diligence.
• Additional obligations for entities handling employee records. Again, in their view, companies may need to review employee AML/CTF due diligence procedures to check they would continue to comply.
• Steps to limit dealing with personal information that an entity no longer needs to retain. Proposal 21.7 recommends that APP entities establish their own maximum and minimum retention periods for the personal information they hold. This means that AML/CTF entities must balance this against record-keeping requirements such as retaining CDD data for 7 years.

Over in New Zealand, the recent Privacy Amendment Bill proposes amendments with a focus on improving transparency around the collection of personal information and enabling individuals to exercise their privacy rights. While the amendments are not directly written in relation to the AML/CFT Act, there are potential implications and relevance for AML compliance efforts:

• Indirect collection notification (New IPP 3A)
  The key amendment introduces a new notification obligation when agencies collect personal information indirectly (from sources other than the individual). This could be relevant for AML/CFT reporting entities that collect customer information from third-party sources during customer due diligence processes. 
• Exceptions to notification
  The notification requirement has exceptions, including when "compliance would prejudice the security or defence of New Zealand, or the international relations of the Government of New Zealand". This could potentially be relevant for AML/CFT efforts aimed at combating financial crimes linked to national security or international relations.
• Retention periods
  While not directly addressed in the amendments, the explanatory note mentions the need for entities to establish appropriate retention periods for personal information, considering legal obligations. AML/CFT reporting entities have specific record-keeping requirements (e.g. retaining CDD data for 7 years) that may need to be factored into data retention policies.

Overall, the proposed changes in ANZ aim to enhance personal data protection, which could require businesses to carefully review and adjust their AML/CTF data handling practices to remain compliant with both privacy and AML/CTF obligations – while in the UK things look set to become a lot looser.

Common pitfalls and addressing compliance gaps

Regardless of these impending privacy regulatory changes, companies routinely fail to adequately protect personal data or fully meet AML/CTF requirements. The most common factors cited by AML auditors include:

• Lack of robust policies and procedures 
• Insufficient employee training
• Outdated data management systems
• Disregard or a lax approach towards personal information / personally identifying information (PII) by using unsecured emails or leaving documentation on desks 
• Siloed approaches between compliance teams and frontline staff

To bridge these gaps, a proactive, comprehensive strategy is crucial:

• Conduct thorough risk assessments to identify AML/CTF and data privacy vulnerabilities.
• Implement clear policies aligned with both regulatory regimes.
• Provide ongoing training to foster compliance culture.  
• Invest in advanced data management and monitoring technologies.
• Foster cross-functional collaboration between compliance teams and frontline staff.
• Continuously review and update controls as rules evolve.

The rising concern of biometrics 

While those pitfalls and fixes are relatively straightforward, one very obvious and rapidly escalating convergence of AML/CTF and data privacy considerations is the use of biometric identifiers such as facial recognition. Proposed legislative changes in the UK’s Bill and under consideration elsewhere would significantly expand government powers to retain individuals' biometrics indefinitely, even without criminal convictions.

As noted by Bell Gully, another law firm,“The new amendments to the [UK] Bill allow the retention of biometric data by the UK Counter Terrorism Police. Under the proposed new reforms, biometric data of individuals who pose a potential terrorist threat can be retained for as long as an INTERPOL notice is in force. Furthermore, the biometric data of individuals with foreign convictions can be retained by the UK Government indefinitely.”

For AML/CFT compliance, unfettered access to robust biometric databases could revolutionise identity verification and investigations into financial crimes. However, this poses grave privacy risks for customers given biometrics' sensitive, immutable nature and potential for misuse or breaches.

Principles like data minimisation under GDPR in the EU and the relevant Acts in ANZ, demand any personal data collection, including biometrics, be adequate, relevant and limited. Indefinite government biometric retention as proposed in the UK Bill challenges these tenets and could undermine public trust in AML/CFT programmes.

Striking the right balance

As the legislative landscape continually evolves, regulators must carefully balance empowering crucial AML/CTF efforts without compromising customer privacy and civil liberties. Companies will increasingly be faced with navigating this complex intersection through:

• Robust data governance and security controls
• Clear policies governing acceptable PII data use
• Advocating for pragmatic, risk-based regulatory approaches 
• Enabling customer transparency and choice where possible

And legislators will continue to warn and fine companies as their guidance is refined.

Ultimately, combating financial crime hinges on both AML/CTF rigour and fidelity to data privacy principles. While challenging, it can be achieved within companies by investing in people, processes, and technology. Data should flow through standardised systems with automated checks and embedded privacy controls. Regular monitoring and independent audits are key.

At a macro level, collaborative efforts between government, industry and privacy advocates are essential to harmonise these complementary objectives and uphold the integrity of the global financial system while preserving essential human rights.