FATF Issues New Report on Data Protection, Technology, and Private Sector Information Sharing

The Financial Action Task Force (FATF) has released a report highlighting how financial institutions (FIs) can responsibly implement information-sharing initiatives among private sector entities. These initiatives are becoming a key frontier in helping regulators and financial institutions better understand and mitigate money laundering and terrorist financing risks more effectively. 

Based on lessons learned by members of the FATF and its Global Network, the report finds that private sector information-sharing measures can be achieved in compliance with data protection and privacy (DPP) rules, subject to key tests and requirements.

The report aligns with the FATF’s wider priority of countering illicit finance related to cyber-enabled crime through data analytics and industry partnerships, as highlighted by its new Singapore Presidency in early July. 

COSMIC platform case study 

The report includes eight case studies where entities have endeavored to balance anti-money laundering, combatting the financing of terrorism, and counter-proliferation financing (AML/CFT/CPF) requirements with DPP rules. Singapore’s COSMIC platform, which will enable banks to share and analyze information on customers and transactions, features as a use case. 

Set to launch in the first half of 2023, COSMIC is owned and operated by the Monetary Authority of Singapore (MAS). Through the platform, FIs will be able to securely share information when “material risk thresholds” are breached, resulting in transactions being “red flagged” to enable easier tracking and faster responses to criminal behavior.

While the Personal Data Protection Act (PDPA) is Singapore’s principal data protection regulation, the PDPA provides a legislative route for “other written law” to prevail over the Act’s requirements. In light of this, MAS is making legislative amendments to the Financial Services and Markets Act to create a regulatory framework for COSMIC that accommodates the sharing of risk information between FIs for AML/CFT/CPF purposes. 

To further ensure the security of the data collected and shared by FIs, COSMIC features a user-authentication mechanism, data encryption, entity resolution, and network-linked analysis.

Recommendations for responsible collaboration

The FATF has also developed recommendations for the public and private sectors to help entities avoid common pitfalls when undertaking information exchange.

For the private sector, the FATF recommends using privacy-enhancing technologies, pursuing data protection at the outset, establishing early and ongoing engagement with data protection authorities, and identifying appropriate metrics to measure success. Its suggestions include:

• Undertaking a Data Protection Impact Assessment to help assess compliance and identify and mitigate risks
• Conducting a Human Rights Impact Assessment to ensure compliance with human rights obligations (including the right to privacy)

For the public sector, the FATF recommends actively facilitating regular dialogue between data protection and AML/CFT/CPF authorities, including:

• Highlighting particular typologies or key data types that would most benefit from information sharing
• Using regulatory sandboxes and pilot programs to test information-sharing initiatives, understand the policy implications, and build trust
• Holding regular forums between AML/CFT/CPF authorities, data protection authorities, and private sector institutions to share experiences, discuss challenges, and develop relationships

Key takeaways

Compliance teams looking to enhance their information exchange procedures should consider the additional resources provided by the FATF, some of which include:

• Guidance related to Stocktake on Data Pooling, Collaborative Analytics, and Data Protection
• Information about Opportunities and Challenges of New Technologies for AML/CFT
• Guidance on Digital Identity 

As the launch date for COSMIC draws closer, compliance staff from all FIs operating in Singapore should ensure they understand how the platform will be used, especially as the initiative is likely to expand to other sectors and focus areas.