Infolog has been providing information to numerous government, financial and corporate clients for two decades.
The recent AML/CFT requirements are a relatively new variation of the need for timely, accurate, comprehensive, and economical data to meet business requirements. We have been asked for input on how ‘technological solutions can bring huge benefits to the AML industry, but how they must still be used with caution’. The technology to provide, accumulate, track, and present data is incredibly powerful and pervasive.
AML, CFT, KYC, PEP, CDD, EDD, SOW, SOF, eIDV – more TLAs than the American government!
The AML/CFT requirements are such that they cannot be met without the technology and automation now available, but for a very small sum of money the relevant data is collated and provided to support the AML/CFT processes. Multi-source reports verifying name, date of birth, and address abound. But not all are equal.
Information gathering is undertaken within a legislative framework in which we also need to consider data stewardship, data retention, and data persistence and privacy. Who is to hold the data, for how long? How is access being managed? We also then need to move into the area of consent, and not just consent but ‘informed consent’, freely given, which is a higher standard again, and may be withdrawn at any time. Consider also the access requirements as set by the owners of the data. Government at a very high level has recently taken the approach that their databases are an ‘asset’, an approach I think is appropriate. DIA, NZTA, and Credit Agencies are quite prescriptive in that the data they expose should not be collected in any form to create a new dataset, for example:
Under the Identity Information Confirmation Act 2012, there must be a direct relationship between an Intermediary (Infolog or other approved information supplier) and the Reporting Entity, to use the DIA’s confirmation service. Therefore, those in the middle offering supporting AML services, as an Intermediary, AML agent, or other role, only inherit their authority or rights to access based on the end-users' (Reporting Entities) lawful right. This is a concern of mine as I do see some AML service providers now offering a reduced price as they will first refer queries against their own databases. This is a clear indication that there is both retention and reuse of the data. Some argue they are not reusing the data itself, but rather that it was a ‘pass’, or this detail was ‘confirmed’. This approach is still to be tested, but not one I would advocate.
We also ask: should consent freely given for one transaction transfer to another transaction? Even so, this leads to questions about the ownership of that client data: did I intend to give my ‘informed consent’ for a third party to hold, store, and use my personal details? Was this made clear to me?
With the later tranches of AML reporting entities, we are dealing with organisations who are quite naïve when considering all of the above requirements. However, it is essential that any system design and business process allow for all of the above criteria and events to be managed. We have been meeting these diverse and conflicting needs for 20 years.
To provide a better understanding, the US government’s National Institute of Standards and Technology (NIST) has a very useful new Privacy Framework 1.0 for protecting people’s personal privacy.
This framework may be used when developing new products and services to ensure that they tick all the privacy boxes.
This is a good tool when conducting the privacy impact assessments that regulations like EU data protection rules (GDPR) and the new California Consumer Privacy Act (CCPA) demand. It isn’t a compliance toolkit for meeting the requirements of specific regulations; instead, it’s a voluntary toolkit that you can use to think about your approach to privacy. You can use parts of or all of it - NIST isn’t prescriptive.
As NIST points out, cybersecurity and privacy are connected, but different. Some privacy events aren’t related to cybersecurity incidents, but stem from other issues like over-aggressive data collection, poorly thought-out marketing practices, or procedural or manual mishandling of data.
Visit Infolog for more information.
You can also contact Infolog at +64 9 414 4001 or email them at email@example.com.
Check out our Privacy Trust Marked AMLOnline Portal to see how we have incorporated new technology to assist you with your AML/CFT requirements.