public-private information-sharing partnerships:...
TRANSCRIPT
Public-Private Information-Sharing
Partnerships: Effective Tool to Strengthen Fighting
Financial Crime
Jānis Brazovskis, CAMS
2019
2
Table of Contents
1. Introduction ................................................................................................................ 3
2. Public-private information-sharing partnerships ....................................................... 5
3. Examples of U.K., U.S.A., Australia ........................................................................ 7
4. What is needed for sustainable and effective PPP? ................................................. 11
5. Governance and accountability ................................................................................ 13
6. Conclusion ............................................................................................................... 16
References .................................................................................................................... 18
3
1. Introduction
Financial crime is an unprecedented threat to the integrity of the financial
system and a source for systemic risk. Recent cases involving ABLV Bank, Danske
Bank, HSBC, ING, Deutsche Bank, and Pilatus Bank, to name a few, demonstrated that
the anti-money laundering and countering of financial terrorism (AML/CFT) system,
particularly in Europe, lacks robustness and coherence. These recent cases had attracted
special attention even from the European Parliament Special Committee on Financial
Crimes, Tax Evasion and Tax Avoidance. The Committee has particularly deplored the
fact that the systemic shortcomings in AML/CFT enforcement regimes, fueled with
inappropriate supervision in various European countries, has led to the mentioned high-
profile cases.
The Committee has noted with great concern that the proceeds from illicit
activities in the European Union (EU) are estimated to amount to EUR 110 billion per
year, corresponding to 1% of the Union’s total GDP. The Committee also highlighted
that in some EU member states up to 70% of money laundering cases have a cross-
border dimension, and further noted that the scale of money laundering is estimated by
the United Nations organization to be the equivalent to between 2 to 5% of the global
GDP, or around EUR 715 billion to 1.87 trillion a year.
Undoubtedly, the scale of proceeds derived from serious crime, skyrocketing to
a large extent through the financial system, is significant by any measure and of high
risk. As it adversely affects the financial system and every customer, the most feasible
response from financial institutions would be de-risking. However, the International
Monetary Fund (IMF) has concluded that de-risking in correspondent banking
relationships could undermine not only individual customers but could also have an
adverse effect on certain countries’ long-term growth and financial inclusion. The IMF
also stated that remedial actions to resolve de-risking in correspondent banking and all
adverse repercussions of this process will be time consuming and would require
collective action on the part of public and private stakeholders. Measures would include
improved communication between correspondent and respondent banks, and removal
of impediments to information sharing. Thus, information-sharing arrangements, either
statutory or even more importantly voluntary information-sharing partnerships, could
contribute to disruption of financial crime and all kinds of serious crime. Creation of
effective public-private information-sharing partnerships, considering the
overwhelming conviction that they could be one of the most remarkable game changers,
will become one of the topical issues for the coming years in the realm of AML/CFT
compliance and combating financial crime.
The Financial Action Task Force (FATF) and heads of Financial Intelligence
Units (FIU) met in the margins of the FATF plenary and agreed on two reports: one
addressing how large international financial institutions identify a suspicious activity,
and the other describing practical considerations in setting up public-private
partnerships. These reports will be disseminated through the FATF Global Network.1
1 FATF Business Bulletin, November 2018, available from: http://www.fatf-
gafi.org/media/fatf/documents/FATF-Business-Bulletin-November-2018.pdf.
4
While our good colleagues in FIUs will be delivering their considerations, this
white paper presents examples of already operational public-private information-
sharing arrangements and discusses some practical considerations needed for setting up
workable public-private information-sharing partnerships across the globe, their
integration in a cross-border network, as well as the importance of good governance for
the accomplishment of this task.
Pure suspicious transaction report (STR) and suspicious activity report (SAR)
reporting is not bringing reasonable results. Numbers of STRs and SARs are growing
at an 11% pace annually. Eighty to ninety percent of suspicious reporting is of no
immediate value to active law enforcement investigations.2
To wit, Latvia is an example of the underlying evidence for the previous
statement. Lately, Latvia has gone through a tremendous transformation within its
financial sector. According to the Financial and Capital Market Commission of Latvia
(FCMC) (financial regulator in Latvia), in less than in a year, the share of foreign
deposits has been reduced almost by half. In September 2018, this share constituted
20.5% of all deposits; however, in 2017, the share was as high as 39.7%. The FCMC
also reported that not only had the volume of risky deposits decreased, but also the
payment (transactions) scale, in particular in U.S. dollars, had dropped. Since 2015,
payments in U.S. dollars in Latvian banks have declined more than 10 times.3
These developments had been handled by remedial actions in the AML/CFT
field taken by public authorities and financial institutions since 2016, and particularly
have been reinforced by the events described below.
Latvia’s third-largest bank, ABLV Bank, went into controlled liquidation after
the United States (U.S.) Financial Crimes Enforcement Network (FinCEN) decided to
propose a ban on ABLV Bank’s access to the financial system of the United States due
primarily to money laundering concerns. On August 23, 2018, the Committee of
Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of
Terrorism (MONEYVAL) published its Fifth Round Mutual Evaluation Report on
Anti-Money Laundering and Counter-Terrorist Financing Measures of Latvia. The
report called for immediate actions to combat money laundering and terrorist financing
in line with Latvia’s risk profile and, among other priority actions, stated that Latvia
should pursue money laundering as a priority and seek to systematically prosecute a
2 The Role of Financial Information-Sharing Partnerships in the Disruption of Crime, RUSI
Occasional Paper, Nick J Maxwell and David Artingstall, October 2017, available from:
https://rusi.org/sites/default/files/201710_rusi_the_role_of_fisps_in_the_disruption_o
f_crime_maxwwell_artingstall_web_4.2.pdf. 3 Infographics: Transformation of Latvian banking sector Q3 2018, Financial and Capital Market
Commission of Latvia, 6 November 2018, available from: http://www.fktk.lv/en/mediju-
telpa/pazinojumi-masu-informacijas-l/2018/7331-infographics-transformation-of-the-
latvian-banking-sector-q3-2018.html.
5
wider range of money-laundering offences, including third-party and stand-
alone/autonomous money laundering.4
According to the data available in the 2016 report prepared by the Latvian FIU,
15,758 STR and SAR reports were received by the FIU in 2016. In its turn, the FIU
prepared and sent to law enforcement agencies only 231 materials for further
investigation. This fact certainly indicates a lack of efficiency of the present system,
which is merely reporting, and has been recognized as such by MONEYVAL as well.
It is widely recognized that the private sector is an important partner in the fight
against money laundering, terrorist financing, and other serious crimes. The private
sector as a trustful partner is perfectly equipped to provide valuable and useful
information which is relevant and appropriate to law enforcement agencies and other
governmental institutions. Effective and timely information-sharing assists the law
enforcement community to fulfill its tasks better and defend public interests more
effectively. Needless to say, information-sharing partnerships should involve two-way
traffic between the public and private actors. Information-sharing partnerships could be
achieved through an appropriate information sharing mechanism, whereby law
enforcement agencies also share—contrary to the currently dominant model of sheer
obtaining of information—strategic, operational, and specifically targeted information
(data) with obliged financial institutions and eventually designated non-financial
entities.
2. Public-private information-sharing partnerships
As one of the most promising facilities of information sharing, the FATF
Guidance on Private Sector Information Sharing recognizes the already established and
operational public–private information-sharing partnerships in several countries that
have delivered positive results. Within the framework of such information-sharing
partnerships, information is shared and exchanged among law enforcement agencies,
FIUs, private-sector entities, and vetted employees of private entities, and in some
cases, information sharing involves international counterparts as well. Information
sharing usually takes place in a purposefully designed and secure environment. Such
an environment facilitates secure data-acquiring process, operational analysis of the
data obtained, and further research by private entities to fill the potential information
(data) gaps, and to make reporting on suspicious transactions more effective and useful
for further investigations by law enforcement agencies.
The FATF Guidance on Private Sector Information Sharing provides that
within the framework of public-private information-sharing partnerships, the private
sector entities should be involved not only as a source of information (reporting entities)
but also as a recipient and eligible user of sensitive data and intelligence from law
enforcement agencies. This notion requires a significant shift in the prevailing
4 Anti-Money Laundering and Counter-Terrorist Financing Measures, Latvia, Fifth Round Mutual
Evaluation Report, July 2018, Committee of Experts on the Evaluation of Anti-Money Laundering
Measures and the Financing of Terrorism (MONEYVAL), Council of Europe, available from:
http://www.fatf-gafi.org/media/fatf/documents/reports/mer-fsrb/Moneyval-Mutual-Evaluation-Report-
Latvia-2018.pdf.
6
incumbent mindset of the law enforcement community which was used to viewing
private entities as just a source of information and proof providers for decades. An
overwhelming secure environment and a tailor-made conduit of information sharing are
compulsory to enable an information-sharing partnership that succeeds and delivers
tangible, measurable results.
The vital role of public-private information-sharing partnerships in increasing
the efficiency of anti-financial crime systems is recognized and strongly advocated by
prominent and well-recognized private sector professionals, too. Erik Barnett, Regional
Head of Europe for Financial Crime Threat Mitigation at HSBC, stated:
HSBC was a founding member of both the JMLIT and Europol’s Financial
Intelligence Public Private Partnership, and we advocate for these mechanisms
in other parts of the world. The real power we have against financial crime and
transactional criminals is the collective ability to assist one another in a
proportionate and lawful manner to ensure we protect the integrity of the
financial system and better serve our customers and communities.5
The FATF Guidance on Private Sector Information Sharing further concludes
that information-sharing partnerships play an important role not only in the activities
of financial institutions, supervisors, and law enforcement authorities that are directly
aimed to disrupt financial crime, but they enable them to channel limited available
resources more efficiently and to develop innovative methods of combating money
laundering, terrorist financing, and other kinds of serious crime.
Weaknesses and gaps in the information exchange and sharing systems can
cause various severe deficiencies, ultimately make the fight against financial crime
ineffective, and waste large amounts of earmarked resources. For example, the role of
the private sector in detecting and identifying the proceeds of crime is often
significantly reduced by the limited flow of information. In most countries, the obliged
entities are prohibited from sharing customer information and data, not only with one
another but even among the entities that belong to the same financial group. An
unintended and adverse result may occur when one obliged firm decides the risk level
of a particular customer to be unacceptable any longer and chooses termination of the
business relationship, while the client in question may freely open a new account with
another obliged entity that is unaffiliated or, in the worst case, even affiliated with the
original obliged entity. Under these odd circumstances, the financial institution
approached by the particular customer is bound to begin the customer identification
process from the very start, either ignoring or not knowing the information and data
already compiled by the first obliged institution.
For this purpose, the FATF also encourages financial institutions to consider
mutual exchange of information within the framework of private–private information
sharing arrangements. Law enforcement agencies, which in a lawful way through
typologies or specific information on financial crime can provide more information on
trends and typologies of financial crime, should also be involved to the extent
5 “The importance of public-private partnerships,” Erik Barnett, June-August 2018, ACAMS Today,
Vol.17 No. 3.
7
reasonably permissible in information sharing within the framework of private–private
information sharing arrangements.
3. Examples of U.K., U.S.A., Australia
There are good examples of already effective models of different kinds of
operational public-private information-sharing partnerships (PPP) under different
jurisdictions.
Over recent months and years, partnership models that appear to provide for
dynamic information sharing on financial crime risks between public and
private sectors have developed in the U.K., the U.S., Australia, Hong Kong,
Singapore, and Canada. They are constituted and operate in different ways, but
this paper takes the view that they can be classified as a new type of information-
sharing exchange—FISPs. Engagement with these partnerships by regulated
entities has been voluntary and, as such, represents activity beyond the current
minimum regulatory requirements of AML/CFT regimes.6
One of the most well-known mechanisms of already operational public-private
information-sharing partnerships is the Joint Money Laundering Intelligence Taskforce
(JMLIT) in the United Kingdom (U.K.).
The JMLIT is structured into three main units: Operations Group, Experts
Working Groups (includes expert groups in several priority areas), and Alerts Function.
The targets, tasks, and workstreams of the JMLIT are determined and monitored by the
Management Board, led by the U.K. FIU—the National Crime Agency (NCA).
The JMLIT Operations Group encompasses 13 major banks, the NCA and
other law enforcement agencies, the UK Anti-Fraud Office (CIFAS), the U.K. Financial
Conduct Authority, and the HM Revenue and Customs Service (HMRC).
The Operations Group is based on a clear legal framework ensuring the
lawfulness of the information sharing as well as a predefined contractual relationship
on the information sharing among the group members. The legitimate “Channel” or
“Conduit” for the information sharing needed for the lawful JMLIT operation is
provided by Article 7 of the Crime and Courts Act.
This legal provision explicitly provides that a person is allowed to disclose
information to the NCA if this disclosure is necessary for performance of the NCA
duties. The Article also provides that the information obtained by the NCA through
disclosure by private individuals may be used only for execution of the NCA duties.
Legislation states that information is exchanged through the U.K. FIU within the
JMLIT Operations Group. Therefore, the members of the JMLIT Operations Group are
6 The Role of Financial Information-Sharing Partnerships in the Disruption of Crime, by Nick J
Maxwell and David Artingstall, October 2017, RUSI Occasional Paper, available from:
https://rusi.org/sites/default/files/201710_rusi_the_role_of_fisps_in_the_disruption_o
f_crime_maxwwell_artingstall_web_4.2.pdf.
8
deemed to disclose information to the NCA. The Law also stipulates that in accordance
with the provisions of Article 7, information disclosure to the NCA does not constitute
a breach of confidentiality or any other restriction, i.e., privacy or private data
protection (Safe Harbor provision).
Thus, basically the above-mentioned legislation establishes the needed secure
environment to banks, law enforcement agencies, and other members of the JMLIT
Operations Group for information sharing, which is required for more effective
combating financial crime. At the same time, members of the Operations Group are
subject to a clearance check (requirement for appropriate vetting to be allowed to work
with classified information and files) as information, such as on particular cases under
the investigation provided by the law enforcement agencies and proliferated by the
NCA within the Operations Group, may be marked as confidential or secret.
It should be particularly noted that establishing the JMLIT does not repeal or
even affect the statutory duty to file STRs or SARs when an obliged entity detects
suspicious transactions. The new model does not modify the legal procedure, by which
law enforcement agencies request and obtain information (proof of evidence and
documents) from financial institutions or the NCA, nor does it pay attention to the legal
requirements for information sharing within financial groups or among financial
institutions within the private-private information sharing arrangements.
The information disclosure and sharing within the JIMLIT framework must
comply with four conditions:
The first condition requires that both the entity disclosing the information and
the recipient of the disclosed information be obliged entities (to operate in the regulated
business); however, the information exchanged within the framework by the obliged
entities must be obtained while performing legal duties (KYC, CIP, screening, or
monitoring) of the obliged entities.
The second condition is that the information can only be shared if it is requested
by the NCA or the other entity in need of the information. In other words, an obliged
entity is not authorized to share information with other members of the JIMLIT purely
on its own initiative without a prior request from the NCA or the entity requesting the
particular information.
The third condition provides that the NCA should accordingly be notified in
advance on the intended information disclosure. If the disclosure is initiated by the
NCA itself, it is obliged to properly notify the disclosing entity. In case the information
disclosure is requested by an obliged entity, the NCA forwards the requested
information to the entity concerned.
The fourth condition demands full awareness on the part of the obliged entity
that disclosing and sharing the information will be useful or might be useful for
combating financial crime.
The JMLIT Expert Working Groups encompass a wide range of participants.
They include less significant banks, independent researchers, and representatives of
other businesses. The main task of the Expert Working Groups is to identify new threats
9
of financial crime and to develop an appropriate methodology for their timely detection
and identification, and effective prevention of freshly identified threats. The Expert
Working Groups also take part in the elaboration of the JMLIT long-term task
proposals. Meanwhile, the JMLIT Alert Function is designed to alert the broader
financial sector to the risks and typologies of money laundering, terrorist financing, and
other financial crimes.
In its recently published Mutual Evaluation Report of the United Kingdom, the
FATF states:
The U.K. proactively investigates, prosecutes, and convicts a range of TF
activity, in line with its identified risks in this area. A particularly positive
feature of the system is the strong public/private partnership on TF matters. This
is facilitated by the Joint Money Laundering Intelligence Task Force (JMLIT)
which facilitates public/private information sharing including on TF and ML
investigations.7
Along with the JMLIT public–private information sharing framework, the
United Kingdom has been developing private-private information sharing arrangement.
In 2017, Article 11 of the Criminal Finances Act entered into force, which provides for
amendments to the United Kingdom Proceeds of Crime Act. The amendments are
called to establish a platform for information sharing on ML/TF within the regulated
private financial sector. The amendments made a legal foundation for the information
sharing channel among private obliged entities irrespective of their belonging to the
same consolidated financial group.
In the United States, the information exchange between law enforcement
agencies, supervisors, and the private sector fighting money laundering is governed by
Article 314 of the Patriot Act.
Section 314 (a) of the Patriot Act provides for the right of the U.S. law
enforcement agencies of different levels, federal, state, local, as well as foreign (EU),
to approach private financial institutions. The information sharing mechanism is based
on the programs developed by the U.S. Financial Crime Network (FinCEN). The
FinCEN program enables law enforcement authorities to contact more than 16,000
financial institutions. The FinCEN system is based on a legitimate request from the law
enforcement authority (reasonable suspicion of money laundering) for individuals,
companies, or organizations involved in money laundering. Upon receipt of a request
from law enforcement authorities, FinCEN assesses the request and sends it to the
addressees (financial institutions). Upon receipt of the request, financial institutions
examine their information systems and ascertain whether the requested information on
the persons concerned is at their disposal.
The FinCEN program provides investigators the ability to find out about
financial institutions that have information on potential money laundering. Without this
7 Anti-money laundering and counter-terrorist financing measures–United Kingdom, Fourth Round
Mutual Evaluation Report, 2018, FATF, available from: http://www.fatf-
gafi.org/publications/mutualevaluations/documents/mer-united-kingdom-2018.html.
10
system, the potentially useful information could never be revealed. However, it should
be underlined that Article 314 (a) gives the right to request and receive only
confirmation that a particular financial institution has the requested information. In
order to obtain information on persons at the disposal of a financial institution, law
enforcement authorities should undergo the statutory process for obtaining information.
Moreover, FinCEN invites financial institutions to participate at individual
information exchange meetings in discussion of more specific details of individual
cases with a view to improving reporting on suspicious transactions and identifying
typologies of money laundering.
In contrast, Section 314 (b) of the Patriot Act provides for the right of financial
institutions to share information among themselves in order to better identify and report
potential cases of money laundering. Furthermore, Section 314 (b) offers financial
institutions protection from legal liability, civil liability including (Safe Harbor).
However, for financial institutions to be protected from legal liability, they have to meet
certain requirements set for information sharing. For example, financial institutions
must be registered in FinCEN's Secure Information Exchange System (SISS) and,
before sharing information, make sure that the financial institution receiving the
information is registered in the system. Moreover, the exchange of information is only
protected if it is done with the aim of preventing money laundering.
The Australian public-private partnership for information sharing takes place
within the Fintel Alliance which is headed by the Australian FIU of the Australian
Transaction Reports and Analysis Centre (AUSTRAC). The Fintel Alliance consists of
the Operations Hub and the Innovation Hub.
The tasks of the Fintel Alliance's Operations Hub are to analyze and exchange
operational real-time information needed to fight money laundering. The Operations
Hub operates at the AUSTRAC premises and consists of private institutions (major
banks), FIUs, government representatives, and law enforcement agencies working in a
single area of investigations. All members of the Fintel Alliance Operations Hub team
must undergo a security clearance (receive an access permit to secret and confidential
information). In addition, the Fintel Alliance has also developed international
cooperation, e.g., the U.K. NCA is involved in the work of the Fintel Alliance. Members
of the Fintel Alliance Operations Hub work on specific anti-money laundering cases,
such as Panama Papers investigation and the identification of digital money mules.
The Rules for the Exchange of Information within the Fintel Alliance are
governed by the Members Protocol. Given that Australian legislation does not provide
for exchange of information within the private sector, the Members Protocol states that
information obtained within the Fintel Alliance may be disclosed outside the
Operations Hub only upon prior written permission of AUSTRAC as well as when
explicitly provided by law.
On the other hand, the Fintel Alliance Innovation Hub has the task of improving
financial transaction and payment accounting systems along with improving the
regulatory framework for a more effective fight against money laundering.
11
Public-private partnerships have also developed in recent years in Canada,
Hong Kong, and Singapore. In the case of Singapore and Canada, public-private
partnerships take the form of analytical information processing that clarifies the various
typologies of money laundering to be incorporated in the monitoring and screening
systems of financial institutions. Meanwhile, in May 2017, the FMLIT public-private
partnership pilot project, based on the U.K. JMLIT model (on sharing of operational
(individual cases) information), was launched.
International studies reveal that the development of public-private information-
sharing partnership mechanisms is largely linked to the inefficient current system in the
fight against money laundering. So, experience in the United Kingdom, the United
States, Australia, and other countries shows that PPPs significantly improve the
effectiveness of AML/CFT activities, including reporting on suspicious transactions. In
order to be effective in fighting the dynamically developing financial crimes, only
reliance on technical compliance with predefined procedures and official guidelines,
particularly, if these rules are binding solely within single jurisdictional boundaries will
give no results. Countries should therefore improve and revisit their legislation in order
to facilitate removal of outdated regulatory barriers and restrictions, and truly motivate
and proportionally protect the frameworks of effective public-private information-
sharing partnerships not only in their jurisdictions but across the globe.
Examples of the above described countries show that information-sharing
partnerships can be divided into two broad categories: 1) statutorily mandated
information sharing and 2) information sharing in the form of public-private
partnerships, where law enforcement and industry come together to discuss matters
such as certain ML typologies, risks, and best practices in prevention. These
partnerships may be formal and informal, from organized meetings with select bank
members to the informal exchange of information between a wide range of financial
and law enforcement institutions.8
4. What is needed for sustainable and effective PPP?
The tone at the top has proved to be a cornerstone of a successful national
financial information-sharing partnership, just like it is a foundation for an effective
and functional AML/CFT compliance program. High-level support from political and
business stakeholders is one of the key principles of successful financial information-
sharing partnership program.9
As it follows from the examples above, forging of robust AML/CFT-related
information sharing arrangements requires demanding, effortless commitment on both
sides—public authorities and private entities. The founders of the partnerships are to be
free of the burdensome legacy of the past—a legacy that consisted of the long-standing
8 “The Developing Partnership Between Financial Institutions and Law Enforcement,” by Claiborne
(Clay) W. Porter and Robert Dedman, The International Comparative Legal Guide to: Business Crime
2019, 9th edition, Global Legal Group, available from: https://www.navigant.com/-
/media/www/site/insights/gic/2018/iclg-business-crime-2019.pdf. 9 Ibid.
12
legislation which in almost any country was kept as a bulletproof safe box of banking
secrecy for decades, if not for centuries.
For successful public-private information-sharing partnerships, a true and
profound leadership and the tone at the top of all parties are essential. In order to build
leadership, the parties should first come to a consensus on the type of public-private
information-sharing partnership they would like to establish in their jurisdiction: either
a functional one which will promote better understanding of certain typologies to assist
fighting money laundering/terrorist financing (ML/TF), or to establish an operational
arrangement allowing the parties to work together in investigation of individual cases.
This decision, like all decisions in prudent AML/CFT compliance programs, must be
risk-based. Risk assessment should take into account all inherent risks of both parties,
particularly focusing on the privacy policy and data protection issues. If risk assessment
demonstrates too many obstacles for the establishment of operational partnership
(commonly preferred by law enforcement agencies), it is worthwhile to begin with the
functional one. The most important thing is to start with something in order to meet
another important provision for effective PPP—trust. Leadership and trust combined
will ensure that both public and private leaders are committed to make partnership a
success, build confidence in the approach selected by the risk assessment process, share
the same objectives, and last but not least, avoid risks.
Successful public-private partnership requires clear and, as far as possible,
straightforward legislation which enables and facilitates information exchange and
sharing to the extent and level necessary to make an information sharing arrangement
truly operational and effective.
Information sharing should be proportional, lawful, privacy and data protection
compliant. Accomplishment of this task requires that countries generate and encourage
a regular and focused dialog between AML/CFT authorities (FIUs), law enforcement
community, data protection bodies, financial supervisors, and obliged entities involved
in partnerships for facilitating greater policy and regulatory coherence.
This dialog should include the notion that privacy and personal data protection
rules do not exclude or even prohibit clear and proportional safe harbor rules and
public-private information-sharing partnerships.
Countries should advocate and compel AML/CFT authorities, law enforcement
agencies, and private stakeholders to engage with data protection authorities in order to
come up with coherent policy and guidance regarding proportionate and lawful
information sharing for better combating financial crime and protecting overall
financial stability. There should be straightforward understanding among all parties
involved that the obliged firms and all law enforcement bodies act legitimately and in
the interests of general public.
Thus, all parties, including legislators, governments, law enforcement bodies,
regulators, and data protection authorities have a vital role in designing and enshrining
into national legislation comprehensive Safe Harbor arrangements which are truly
operational and effective, and do not contradict the essential human rights on privacy.
13
5. Governance and Accountability
Robust governance and accountability (independent testing) of the public-
private information sharing arrangement along with legislative clarity is at the core of
the process that, at the same time, involves governmental and private entities which
naturally apply different operational protocols. Governance of information (data) flows
and channels, policies, and procedures that ensure proper integration of the obtained
data in internal controls of financial institutions are the main provisions for partnership
to become a success story in enhancement of combating financial crime. For example,
the Fintel Alliance (Australia) published a detailed member protocol covering
objectives, governance, information security, vetting, and dispute resolution
arrangements.
Governance and accountability are fields where the third line of defense plays
a vital role. It is important to remember that auditors should not compromise their
ordinary professional standards and rules while auditing and, consequently, providing
a report and making recommendations on the entity’s involvement and outputs of this
involvement in the public-private information-sharing partnership. Auditors should
audit the public-private information-sharing partnership arrangement following the
very same audit circle as in any other already incumbent process. However, while
setting up an audit program for public-private information-sharing partnership, auditors
are called to onboard all specifics of this brand-new arrangement.
To this end, auditors should first do their homework—familiarize themselves
with public-private partnerships to the best extent possible. It is preferable for auditors
to be aware of the entity’s decision to take part in public-private partnership from the
very inception of this commitment. Since the process requires particular scrutiny of
privacy and data protection as well as vetting of the employees involved and
management of the whole process, auditors at the initial stage of this process could
become the first line of defense. They could reasonably challenge the arrangements and
processes established by the entity for its smooth and unfettered participation in
information-sharing partnership.
Prioritizing and focusing on audit risks of any financial institution’s engagement
(on a voluntary basis in most jurisdictions) in public–private partnerships should be
assessed up front before an institution commits itself to be a part of the arrangement.
Auditors should have a seat at the committee which decides on involvement in
information-sharing partnership.
Auditors should gather their own data necessary for issuance of independent
opinion. In this regard, internal auditors should have the knowledge and ability to
directly access the data they need to support their opinion. Since the tone at the top is
of utmost importance for successful partnership, auditors should emphasize all kinds of
relationships within the organization. There should be a high level of trust between the
management, officers involved in public-private partnership, civil servants, and the
auditors while auditing public-private information sharing arrangements. Public-
private information-sharing partnerships are brand new in the tool kit, which is
dedicated to combat financial crime; so, one should embrace the innovation. Perhaps,
it is most important when auditing truly revolutionary things like public-private
14
partnerships. When auditing public-private information-sharing partnerships, like in
any other audit, auditors need to constantly challenge how they do the audit and why
they do it.10
Auditors should define and document the methodology they will apply in
auditing the institutions’ involvement in public-private information-sharing
partnership. Since involvement in partnership is strictly voluntary, this requires a well-
grounded and risk-based decision of the board (or an equivalent body) of the institution
on its commitment to be a party of the partnership. This decision should be documented
properly. It would be highly unacceptable for a financial institution, which had decided
to enter the information sharing without a proper well-grounded decision, to simply
declare its termination of being a party of the partnership or, in case of operational
partnership, apply the cherry-picking method in participation. Such an approach could
have a severely adverse impact on the institutions’ reputation among members of the
partnership. Thus, auditors should pay specific attention to the institution’s decision to
enter the partnership.
Another important area for internal auditors of public-private information-
sharing partnerships is compliance with privacy rules and lawful sharing of personal
data. In this context, auditors should pay special attention to the institution’s
compliance with the “formal” requirements concerning data protection rules. For
instance, the EU 5th Anti-Money Laundering Directive explicitly states that illicit funds
are moved through different financial institutions to avoid detection and reemphasizes
the importance of information exchange not only among group members, but among
other financial institutions as well, with due regard to data protection rules as set out in
the national law. In this context, the EU General Data Protection Regulation (GDPR)
should be properly considered. The GDPR, amongst other strict requirements,
stipulates that in case of high risk to the rights and freedoms of natural persons, the
financial institution should carry out an impact assessment, the outcome of which is to
be considered to demonstrate the financial institution’s compliance with the
requirements of the GDPR. If the impact assessment reveals the presence of high risk,
which the financial institution cannot mitigate by appropriate measures in terms of
available technology and implementation costs, a consultation with supervisory
authority should take place prior to the data processing (information sharing). Auditors
should not only audit whether the impact assessment has been carried out and its results
properly documented, but also the audit methodology of the impact assessment,
parameters, identified risks, measures applied for mitigation of high risks, and, if
circumstances warrant, the results of consultations with supervisory authorities. Since
at least two supervisory authorities are likely to be involved (prudential and data
protection), the entity should obtain and document the opinion from both.
10 “Auditing in a Frictionless World: Six Tips to Start the Journey," by Jim Pelletier, November 2017,
Internal Auditor, p. 8, available from: https://iaonline.theiia.org/blogs/Jim-
Pelletier/2017/Pages/Auditing-in-a-Frictionless-World-Six-Tips-to-Start-the-Journey.aspx.
15
At all stages, information sharing is primarily about privacy and data protection;
the audit program of an institution’s involvement in public-private partnership should
include, at least, the following:
proper identification of the scope of the audit program, considering regulation of
information sharing in different jurisdictions under which a financial institution
operates;
policies and procedures on the institution’s participation in public-private
information-sharing partnership; decisions of the board (or similar committee) on
entering into public-private partnership;
impact assessment of information sharing, especially its effectiveness in
comparison to the traditional reporting;
specific risks associated with the institutions’ involvement with public-private
partnership, tools to mitigate these risks;
test samples (particularly on vetting of institutional representatives in operational
partnerships, if the institution participates in it);
test results and proper documentation of these results;
auditing of training provided to the employees on public-private information-
sharing partnerships, focusing on the training program correspondence to the risk
(impact) assessment outcomes;
constant, defined monitoring of the whole process and remediation of
deficiencies; and
follow-up of the results. Audit should follow the results and implementation of
the remediation actions and provide constant feedback to the management,
including advice on the best tools for facilitation of the best outcome.
Trust is at the core or heart of any relationship; this is especially true for
partnerships where public and private entities are involved. Trust is defined as “the firm
belief in the reliability, truth, ability, or strength of someone or something.”
Internal auditors speak increasingly of the need to be trusted advisors. [….] the
term advisor encompasses the full spectrum of an internal auditor’s work, from
providing consultation and advice at the request of management to generating
recommendations for corrective actions as the result of an assurance
engagement. In the end, I believe we are advisors in our professional roles every
day.11
The role of the trusted advisor should be particularly re-emphasized and
reconfirmed to AML auditors, once the institution decides to become a party of public-
private partnership.
Ultimate beneficial ownership (UBO) secrecy is one of the impediments to
effectively generating results for information-sharing arrangements, either public-
private or private–private.
11 Trusted Advisors: Key Attributes of Outstanding Internal Auditors, by Richard F. Chambers, 2017,
Internal Audit Foundation, p. 2.
16
For overcoming this barrier, state registers play an important role in information
sharing, and are growing at an unprecedented rate. State registers could become a model
for public–private information-sharing partnership’s prudent governance.
The 5th EU AML/CFT Directive calls for greater transparency in information
available about UBOs of firms. This piece of legislation is strengthening the role of
state registers in information sharing on UBOs and plays a more active role in state
registers regarding validating data stored in their files. Some countries already have
established targeted account registers that are populated with data of UBOs obtained by
financial institutions during KYC/CIP processes. Data in account registers are not
available publicly and are accessible only for law enforcement and some other specially
designated governmental bodies when carrying out their public duties.
On the other hand, company registers hold records of UBOs filed by companies
on their own. Submitting inaccurate information is a criminal offence in some countries.
Information on UBOs held by company registers is available to the general public.
Smooth and effective interaction and cross-reference between these two
databases would be beneficial for further enhancement of verification of customers and
improvement of investigation of financial crime. This would also serve as a trusted and
reliable source of information for public-private partnerships, and as an invaluable
source of information for independent testing of these partnerships and data accuracy
on UBOs obtained by financial institutions when performing KYC and CIP. This is a
way that participation of the financial institution in public-private partnership, along
with its reporting duty to the state registers, could increase the quality of data at the
disposal of the institution and, consequently, improve the quality of independent testing
of many processes and procedures in the financial institution.
6. Conclusion
There are several already operational public-private and private–private
information-sharing partnerships with the same underlying core principles:
Mutual trust and leadership
Legislative certainty and clarity
Prudent and well-structured coordination of actions, either nationally or
internationally
Availability and provision of all necessary resources for all parties involved in
partnerships. (Resources provided to law enforcement agencies should be
commensurate with the scale of financial crime and be proportionate to the
resources provided to the private sector.)
Governance and accountability (Partnerships should be based on robust
governance and accountability protocols and arrangements. This particularly
emphasizes the role of independent testing of the arrangements and need for
protection of privacy and personal data.)
Technology, automation, and analytical resources (This requires an on-going
investment from both parties of the partnership.)
Structured communication, risk-based training, and education as an enabler for
further expansion of public-private information-sharing partnerships
Ongoing dialog between the AML authorities and data protection authorities for
creation of coherent information sharing standards
17
FATF and heads of FIUs of FATF members should consider the following
matters to be included in their guidelines:
Address all aspects of cross-border information sharing between the public and
private sector.
Stress the importance of good governance and accountability of public-private
partnerships in order to avoid any doubt about misuse of personal data or
disruption of privacy by public-private partnerships. To this end, clear
expectations regarding independent testing of these partnerships and minimum
standards of communication about the results and effectiveness of public-
private partnerships should be established.
18
References
Chambers, R. (2018, June 25). Internal auditors can audit anything — but not
everything. Internal Auditor. Retrieved from
https://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Auditors-Can-
Audit-Anything---but-Not-Everything.aspx
Chamber, R. (2018, September 10). Writing an impactful audit report: 6 tips for being
more persuasive. Internal Auditor. Retrieved from
https://iaonline.theiia.org/blogs/chambers/2018/Pages/Writing-an-Impactful-
Audit-Report-6-Tips-for-Being-More-Persuasive.aspx
Chamber, R. (2018, November 5). Five future developments that could elevate
internal audit's stature. Internal Auditor. Retrieved from
https://iaonline.theiia.org/blogs/chambers/2018/Pages/5-Future-
Developments-That-Could-Elevate-Internal-Audits-Stature.aspx
CTITF. (2009, October). CTITF working group report: Tackling the financing of
terrorism, counter-terrorism implementation task force. United Nations.
Retrieved from
https://www.un.org/counterterrorism/ctitf/sites/www.un.org.counterterrorism.c
titf/files/ctitf_financing_eng_final.pdf
Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May
2018 amending Directive (EU) 2015/849 on the prevention of the use of the
financial system for the purposes of money laundering or terrorist financing
and amending Directives 2009/138/EC and 2013/36/EU. (2018, May 18).
Official Journal of the European Union. Retrieved from https://eur-
lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843
FATF. (2018, October). International standards on combating money laundering and
the financing of terrorism & proliferation: The FATF recommendations.
FATF. Retrieved from www.fatf-gafi.org/recommendations.html
FATF. (2017, November). Consolidated FATF standards on information sharing:
Relevant excerpts from the FATF recommendations and interpretive notes.
FATF. Retrieved from http://www.fatf-
gafi.org/publications/fatfrecommendations/documents/consolidated-fatf-
standard-information-sharing.html
FATF. (2017, November). FATF guidance: Private sector information sharing.
FATF. Retrieved from www.fatf-
gafi.org/publications/fatfrecommendations/documents/guidance-information-
sharing.html
FinCEN. (2019, June 18). FinCEN’s section 314(a) fact sheet. U.S. Department of the
Treasury. Retrieved at
https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf
19
FinCEN. (2016, November). FinCEN’s section 314(b) fact sheet. U.S. Department of
the Treasury. Retrieved at
https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf
Frau, G. (2017, October 5). Oversight of cross-border funds distribution: The
assurance and benefits provided by an effective AML and CTF audit.
ACAMS. Retrieved from
http://files.acams.org/pdfs/2017/Oversight_of_Cross-
Border_Funds_Distribution_G.Frau.pdf?_ga=2.14745845.2145140720.15449
70581-764892732.1496774099
Kofod, J. & Niedermayer, L. (2018, November 9). Draft report on financial crimes,
tax evasion and tax avoidance (2018/2121(INI)). Special Committee on
financial crimes, tax evasion and tax avoidance, European Parliament.
Retrieved from
http://www.europarl.europa.eu/cmsdata/156723/TAX3%20Final%20draft%20
report.pdf
Lopez, N. I. (2017, October 5). Anti-money laundering training … One size does not
fit all. ACAMS. Retrieved from http://files.acams.org/pdfs/2017/Anti-
Money_Laundering_Training_N.Lopez.pdf?_ga=2.48439397.2145140720.15
44970581-764892732.1496774099
Maxwell, N. J. & Artingstall, D. (2017, October). Occasional paper: The role of
financial information-sharing partnerships in the disruption of crime. Royal
United Services Institute (RUSI). Retrieved from
https://rusi.org/sites/default/files/201710_rusi_the_role_of_fisps_in_the_disru
ption_of_crime_maxwwell_artingstall_web_4.2.pdf
NCA Joint Money Laundering Intelligence Taskforce (JMLIT). (n.d.). Retrieved from
http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/national-
economic-crime-centre/joint-money-laundering-intelligence-taskforce-jmlit
Office of Inspector General. (2017, September 18). Audit report: Terrorist financing/
money laundering: FinCEN’s 314 information sharing programs are useful
but need FinCEN’s attention. U.S. Department of the Treasury. Retrieved
from https://www.treasury.gov/about/organizational-
structure/ig/Audit%20Reports%20and%20Testimonies/OIG-17-055.pdf
Porter, C. W. & Dedman, R. (2019). The developing partnership between financial
institutions and law enforcement. The International Comparative Legal Guide
to: Business Crime 2019, 9th edition. Global Legal Group. Retrieved from
https://www.navigant.com/-/media/www/site/insights/gic/2018/iclg-business-
crime-2019.pdf
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation). (2016, April 27). Official
20
Journal of the European Union. Retrieved from https://eur-
lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
The Institute of Internal Auditors (IIA). (2018, May). IIA position paper: Internal
auditing’s role in corporate governance. Retrieved from
https://na.theiia.org/about-ia/PublicDocuments/Internal-Auditings-Role-in-
Corporate-Governance.pdf
Wilejto-Rieken, M. (2018, May 17). USA PATRIOT Act, section 314(a) and 314(b)
information sharing: Beneficial and detrimental effects of the act. ACAMS.
Retrieved from
http://files.acams.org/pdfs/2018/USA_Patriot_Act_M_Wilejto-
Rieken.pdf?_ga=2.69471187.2145140720.1544970581-
764892732.1496774099