Public-Private Information-Sharing Partnerships: Effective Tool to Strengthen Fighting Financial Crime

Jānis Brazovskis, CAMS

2019


Table of Contents

1. Introduction
2. Public-private information-sharing partnerships
3. Examples of U.K., U.S.A., Australia
4. What is needed for sustainable and effective PPP?
5. Governance and accountability
6. Conclusion

References


1. Introduction

Financial crime is an unprecedented threat to the integrity of the financial system and a source of systemic risk. Recent cases involving ABLV Bank, Danske Bank, HSBC, ING, Deutsche Bank, and Pilatus Bank, to name a few, demonstrated that the anti-money laundering and countering the financing of terrorism (AML/CFT) system, particularly in Europe, lacks robustness and coherence. These recent cases have attracted special attention even from the European Parliament Special Committee on Financial Crimes, Tax Evasion and Tax Avoidance. The Committee has particularly deplored the fact that the systemic shortcomings in AML/CFT enforcement regimes, fueled by inappropriate supervision in various European countries, have led to the mentioned high-profile cases.

The Committee has noted with great concern that the proceeds from illicit activities in the European Union (EU) are estimated to amount to EUR 110 billion per year, corresponding to 1% of the Union’s total GDP. The Committee also highlighted that in some EU member states up to 70% of money laundering cases have a cross-border dimension, and further noted that the scale of money laundering is estimated by the United Nations organization to be equivalent to between 2 and 5% of global GDP, or around EUR 715 billion to 1.87 trillion a year.

Undoubtedly, the scale of proceeds derived from serious crime, skyrocketing to a large extent through the financial system, is significant by any measure and of high risk. As it adversely affects the financial system and every customer, the most feasible response from financial institutions would be de-risking. However, the International Monetary Fund (IMF) has concluded that de-risking in correspondent banking relationships could undermine not only individual customers but could also have an adverse effect on certain countries’ long-term growth and financial inclusion. The IMF also stated that remedial actions to resolve de-risking in correspondent banking and all adverse repercussions of this process will be time consuming and would require collective action on the part of public and private stakeholders. Measures would include improved communication between correspondent and respondent banks, and removal of impediments to information sharing. Thus, information-sharing arrangements, either statutory or even more importantly voluntary information-sharing partnerships, could contribute to disruption of financial crime and all kinds of serious crime. Creation of effective public-private information-sharing partnerships, considering the overwhelming conviction that they could be one of the most remarkable game changers, will become one of the topical issues for the coming years in the realm of AML/CFT compliance and combating financial crime.

The Financial Action Task Force (FATF) and heads of Financial Intelligence Units (FIUs) met in the margins of the FATF plenary and agreed on two reports: one addressing how large international financial institutions identify a suspicious activity, and the other describing practical considerations in setting up public-private partnerships. These reports will be disseminated through the FATF Global Network.¹

1 FATF Business Bulletin, November 2018, available from: http://www.fatf-gafi.org/media/fatf/documents/FATF-Business-Bulletin-November-2018.pdf.


While our good colleagues in FIUs will be delivering their considerations, this white paper presents examples of already operational public-private information-sharing arrangements and discusses some practical considerations needed for setting up workable public-private information-sharing partnerships across the globe, their integration in a cross-border network, as well as the importance of good governance for the accomplishment of this task.

Pure suspicious transaction report (STR) and suspicious activity report (SAR) reporting is not bringing reasonable results. Numbers of STRs and SARs are growing at an 11% pace annually. Eighty to ninety percent of suspicious reporting is of no immediate value to active law enforcement investigations.²

To wit, Latvia is an example of the underlying evidence for the previous statement. Lately, Latvia has gone through a tremendous transformation within its financial sector. According to the Financial and Capital Market Commission of Latvia (FCMC), the financial regulator in Latvia, in less than a year, the share of foreign deposits has been reduced almost by half. In September 2018, this share constituted 20.5% of all deposits; however, in 2017, the share was as high as 39.7%. The FCMC also reported that not only had the volume of risky deposits decreased, but also the payment (transactions) scale, in particular in U.S. dollars, had dropped. Since 2015, payments in U.S. dollars in Latvian banks have declined more than 10 times.³

These developments had been handled by remedial actions in the AML/CFT field taken by public authorities and financial institutions since 2016, and particularly have been reinforced by the events described below.

Latvia’s third-largest bank, ABLV Bank, went into controlled liquidation after the United States (U.S.) Financial Crimes Enforcement Network (FinCEN) decided to propose a ban on ABLV Bank’s access to the financial system of the United States due primarily to money laundering concerns. On August 23, 2018, the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL) published its Fifth Round Mutual Evaluation Report on Anti-Money Laundering and Counter-Terrorist Financing Measures of Latvia. The report called for immediate actions to combat money laundering and terrorist financing in line with Latvia’s risk profile and, among other priority actions, stated that Latvia should pursue money laundering as a priority and seek to systematically prosecute a wider range of money-laundering offences, including third-party and stand-alone/autonomous money laundering.⁴

2 The Role of Financial Information-Sharing Partnerships in the Disruption of Crime, RUSI Occasional Paper, Nick J Maxwell and David Artingstall, October 2017, available from: https://rusi.org/sites/default/files/201710_rusi_the_role_of_fisps_in_the_disruption_of_crime_maxwwell_artingstall_web_4.2.pdf.

3 Infographics: Transformation of Latvian banking sector Q3 2018, Financial and Capital Market Commission of Latvia, 6 November 2018, available from: http://www.fktk.lv/en/mediju-telpa/pazinojumi-masu-informacijas-l/2018/7331-infographics-transformation-of-the-latvian-banking-sector-q3-2018.html.

According to the data available in the 2016 report prepared by the Latvian FIU, 15,758 STR and SAR reports were received by the FIU in 2016. In its turn, the FIU prepared and sent to law enforcement agencies only 231 materials for further investigation. This fact certainly indicates a lack of efficiency of the present system, which is merely reporting, and has been recognized as such by MONEYVAL as well.

It is widely recognized that the private sector is an important partner in the fight against money laundering, terrorist financing, and other serious crimes. The private sector as a trustful partner is perfectly equipped to provide valuable and useful information which is relevant and appropriate to law enforcement agencies and other governmental institutions. Effective and timely information-sharing assists the law enforcement community to fulfill its tasks better and defend public interests more effectively. Needless to say, information-sharing partnerships should involve two-way traffic between the public and private actors. Information-sharing partnerships could be achieved through an appropriate information sharing mechanism, whereby law enforcement agencies also share—contrary to the currently dominant model of sheer obtaining of information—strategic, operational, and specifically targeted information (data) with obliged financial institutions and eventually designated non-financial entities.

2. Public-private information-sharing partnerships

As one of the most promising facilities of information sharing, the FATF Guidance on Private Sector Information Sharing recognizes the already established and operational public–private information-sharing partnerships in several countries that have delivered positive results. Within the framework of such information-sharing partnerships, information is shared and exchanged among law enforcement agencies, FIUs, private-sector entities, and vetted employees of private entities, and in some cases, information sharing involves international counterparts as well. Information sharing usually takes place in a purposefully designed and secure environment. Such an environment facilitates a secure data-acquiring process, operational analysis of the data obtained, and further research by private entities to fill the potential information (data) gaps, and to make reporting on suspicious transactions more effective and useful for further investigations by law enforcement agencies.

The FATF Guidance on Private Sector Information Sharing provides that within the framework of public-private information-sharing partnerships, the private sector entities should be involved not only as a source of information (reporting entities) but also as a recipient and eligible user of sensitive data and intelligence from law enforcement agencies. This notion requires a significant shift in the prevailing incumbent mindset of the law enforcement community, which for decades was used to viewing private entities as just a source of information and proof providers. An overwhelmingly secure environment and a tailor-made conduit of information sharing are compulsory to enable an information-sharing partnership that succeeds and delivers tangible, measurable results.

4 Anti-Money Laundering and Counter-Terrorist Financing Measures, Latvia, Fifth Round Mutual Evaluation Report, July 2018, Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL), Council of Europe, available from: http://www.fatf-gafi.org/media/fatf/documents/reports/mer-fsrb/Moneyval-Mutual-Evaluation-Report-Latvia-2018.pdf.

The vital role of public-private information-sharing partnerships in increasing the efficiency of anti-financial crime systems is recognized and strongly advocated by prominent and well-recognized private sector professionals, too. Erik Barnett, Regional Head of Europe for Financial Crime Threat Mitigation at HSBC, stated:

HSBC was a founding member of both the JMLIT and Europol’s Financial Intelligence Public Private Partnership, and we advocate for these mechanisms in other parts of the world. The real power we have against financial crime and transactional criminals is the collective ability to assist one another in a proportionate and lawful manner to ensure we protect the integrity of the financial system and better serve our customers and communities.⁵

The FATF Guidance on Private Sector Information Sharing further concludes that information-sharing partnerships play an important role not only in the activities of financial institutions, supervisors, and law enforcement authorities that are directly aimed to disrupt financial crime, but also enable them to channel limited available resources more efficiently and to develop innovative methods of combating money laundering, terrorist financing, and other kinds of serious crime.

Weaknesses and gaps in the information exchange and sharing systems can cause various severe deficiencies, ultimately make the fight against financial crime ineffective, and waste large amounts of earmarked resources. For example, the role of the private sector in detecting and identifying the proceeds of crime is often significantly reduced by the limited flow of information. In most countries, the obliged entities are prohibited from sharing customer information and data, not only with one another but even among the entities that belong to the same financial group. An unintended and adverse result may occur when one obliged firm decides that the risk level of a particular customer is no longer acceptable and chooses termination of the business relationship, while the client in question may freely open a new account with another obliged entity that is unaffiliated or, in the worst case, even affiliated with the original obliged entity. Under these odd circumstances, the financial institution approached by the particular customer is bound to begin the customer identification process from the very start, either ignoring or not knowing the information and data already compiled by the first obliged institution.

For this purpose, the FATF also encourages financial institutions to consider mutual exchange of information within the framework of private–private information sharing arrangements. Law enforcement agencies, which in a lawful way through typologies or specific information on financial crime can provide more information on trends and typologies of financial crime, should also be involved to the extent reasonably permissible in information sharing within the framework of private–private information sharing arrangements.

5 “The importance of public-private partnerships,” Erik Barnett, June-August 2018, ACAMS Today, Vol. 17 No. 3.

3. Examples of U.K., U.S.A., Australia

There are good examples of already effective models of different kinds of operational public-private information-sharing partnerships (PPP) under different jurisdictions.

Over recent months and years, partnership models that appear to provide for dynamic information sharing on financial crime risks between public and private sectors have developed in the U.K., the U.S., Australia, Hong Kong, Singapore, and Canada. They are constituted and operate in different ways, but this paper takes the view that they can be classified as a new type of information-sharing exchange—FISPs. Engagement with these partnerships by regulated entities has been voluntary and, as such, represents activity beyond the current minimum regulatory requirements of AML/CFT regimes.⁶

One of the most well-known mechanisms of already operational public-private information-sharing partnerships is the Joint Money Laundering Intelligence Taskforce (JMLIT) in the United Kingdom (U.K.).

The JMLIT is structured into three main units: Operations Group, Experts Working Groups (includes expert groups in several priority areas), and Alerts Function. The targets, tasks, and workstreams of the JMLIT are determined and monitored by the Management Board, led by the U.K. FIU—the National Crime Agency (NCA).

The JMLIT Operations Group encompasses 13 major banks, the NCA and other law enforcement agencies, the U.K. Anti-Fraud Office (CIFAS), the U.K. Financial Conduct Authority, and the HM Revenue and Customs Service (HMRC).

The Operations Group is based on a clear legal framework ensuring the lawfulness of the information sharing as well as a predefined contractual relationship on the information sharing among the group members. The legitimate “Channel” or “Conduit” for the information sharing needed for the lawful JMLIT operation is provided by Article 7 of the Crime and Courts Act.

This legal provision explicitly provides that a person is allowed to disclose information to the NCA if this disclosure is necessary for performance of the NCA duties. The Article also provides that the information obtained by the NCA through disclosure by private individuals may be used only for execution of the NCA duties. Legislation states that information is exchanged through the U.K. FIU within the JMLIT Operations Group. Therefore, the members of the JMLIT Operations Group are deemed to disclose information to the NCA. The Law also stipulates that in accordance with the provisions of Article 7, information disclosure to the NCA does not constitute a breach of confidentiality or any other restriction, i.e., privacy or private data protection (Safe Harbor provision).

6 The Role of Financial Information-Sharing Partnerships in the Disruption of Crime, by Nick J Maxwell and David Artingstall, October 2017, RUSI Occasional Paper, available from: https://rusi.org/sites/default/files/201710_rusi_the_role_of_fisps_in_the_disruption_of_crime_maxwwell_artingstall_web_4.2.pdf.

Thus, basically the above-mentioned legislation establishes the needed secure environment for banks, law enforcement agencies, and other members of the JMLIT Operations Group for information sharing, which is required for more effectively combating financial crime. At the same time, members of the Operations Group are subject to a clearance check (requirement for appropriate vetting to be allowed to work with classified information and files) as information, such as on particular cases under the investigation provided by the law enforcement agencies and proliferated by the NCA within the Operations Group, may be marked as confidential or secret.

It should be particularly noted that establishing the JMLIT does not repeal or even affect the statutory duty to file STRs or SARs when an obliged entity detects suspicious transactions. The new model does not modify the legal procedure, by which law enforcement agencies request and obtain information (proof of evidence and documents) from financial institutions or the NCA, nor does it pay attention to the legal requirements for information sharing within financial groups or among financial institutions within the private-private information sharing arrangements.

The information disclosure and sharing within the JMLIT framework must comply with four conditions:

The first condition requires that both the entity disclosing the information and the recipient of the disclosed information be obliged entities (operating in the regulated business); however, the information exchanged within the framework by the obliged entities must be obtained while performing legal duties (KYC, CIP, screening, or monitoring) of the obliged entities.

The second condition is that the information can only be shared if it is requested by the NCA or the other entity in need of the information. In other words, an obliged entity is not authorized to share information with other members of the JMLIT purely on its own initiative without a prior request from the NCA or the entity requesting the particular information.

The third condition provides that the NCA should accordingly be notified in advance on the intended information disclosure. If the disclosure is initiated by the NCA itself, it is obliged to properly notify the disclosing entity. In case the information disclosure is requested by an obliged entity, the NCA forwards the requested information to the entity concerned.

The fourth condition demands full awareness on the part of the obliged entity that disclosing and sharing the information will be useful or might be useful for combating financial crime.

The JMLIT Expert Working Groups encompass a wide range of participants. They include less significant banks, independent researchers, and representatives of other businesses. The main task of the Expert Working Groups is to identify new threats of financial crime and to develop an appropriate methodology for their timely detection and identification, and effective prevention of freshly identified threats. The Expert Working Groups also take part in the elaboration of the JMLIT long-term task proposals. Meanwhile, the JMLIT Alert Function is designed to alert the broader financial sector to the risks and typologies of money laundering, terrorist financing, and other financial crimes.

In its recently published Mutual Evaluation Report of the United Kingdom, the FATF states:

The U.K. proactively investigates, prosecutes, and convicts a range of TF activity, in line with its identified risks in this area. A particularly positive feature of the system is the strong public/private partnership on TF matters. This is facilitated by the Joint Money Laundering Intelligence Task Force (JMLIT) which facilitates public/private information sharing including on TF and ML investigations.⁷

Along with the JMLIT public–private information sharing framework, the United Kingdom has been developing a private-private information sharing arrangement. In 2017, Article 11 of the Criminal Finances Act entered into force, which provides for amendments to the United Kingdom Proceeds of Crime Act. The amendments are intended to establish a platform for information sharing on ML/TF within the regulated private financial sector. The amendments made a legal foundation for the information sharing channel among private obliged entities irrespective of their belonging to the same consolidated financial group.

In the United States, the information exchange between law enforcement agencies, supervisors, and the private sector fighting money laundering is governed by Article 314 of the Patriot Act.

Section 314 (a) of the Patriot Act provides for the right of the U.S. law enforcement agencies of different levels, federal, state, local, as well as foreign (EU), to approach private financial institutions. The information sharing mechanism is based on the programs developed by the U.S. Financial Crimes Enforcement Network (FinCEN). The FinCEN program enables law enforcement authorities to contact more than 16,000 financial institutions. The FinCEN system is based on a legitimate request from the law enforcement authority (reasonable suspicion of money laundering) for individuals, companies, or organizations involved in money laundering. Upon receipt of a request from law enforcement authorities, FinCEN assesses the request and sends it to the addressees (financial institutions). Upon receipt of the request, financial institutions examine their information systems and ascertain whether the requested information on the persons concerned is at their disposal.

The FinCEN program provides investigators the ability to find out about financial institutions that have information on potential money laundering. Without this system, the potentially useful information could never be revealed. However, it should be underlined that Article 314 (a) gives the right to request and receive only confirmation that a particular financial institution has the requested information. In order to obtain information on persons at the disposal of a financial institution, law enforcement authorities should undergo the statutory process for obtaining information.

7 Anti-money laundering and counter-terrorist financing measures–United Kingdom, Fourth Round Mutual Evaluation Report, 2018, FATF, available from: http://www.fatf-gafi.org/publications/mutualevaluations/documents/mer-united-kingdom-2018.html.

Moreover, FinCEN invites financial institutions to participate in individual information exchange meetings to discuss more specific details of individual cases with a view to improving reporting on suspicious transactions and identifying typologies of money laundering.

In contrast, Section 314 (b) of the Patriot Act provides for the right of financial institutions to share information among themselves in order to better identify and report potential cases of money laundering. Furthermore, Section 314 (b) offers financial institutions protection from legal liability, including civil liability (Safe Harbor). However, for financial institutions to be protected from legal liability, they have to meet certain requirements set for information sharing. For example, financial institutions must be registered in FinCEN's Secure Information Exchange System (SISS) and, before sharing information, make sure that the financial institution receiving the information is registered in the system. Moreover, the exchange of information is only protected if it is done with the aim of preventing money laundering.

The Australian public-private partnership for information sharing takes place within the Fintel Alliance, which is headed by the Australian FIU, the Australian Transaction Reports and Analysis Centre (AUSTRAC). The Fintel Alliance consists of the Operations Hub and the Innovation Hub.

The tasks of the Fintel Alliance's Operations Hub are to analyze and exchange operational real-time information needed to fight money laundering. The Operations Hub operates at the AUSTRAC premises and consists of private institutions (major banks), FIUs, government representatives, and law enforcement agencies working in a single area of investigations. All members of the Fintel Alliance Operations Hub team must undergo a security clearance (receive an access permit to secret and confidential information). In addition, the Fintel Alliance has also developed international cooperation, e.g., the U.K. NCA is involved in the work of the Fintel Alliance. Members of the Fintel Alliance Operations Hub work on specific anti-money laundering cases, such as the Panama Papers investigation and the identification of digital money mules.

The Rules for the Exchange of Information within the Fintel Alliance are governed by the Members Protocol. Given that Australian legislation does not provide for exchange of information within the private sector, the Members Protocol states that information obtained within the Fintel Alliance may be disclosed outside the Operations Hub only upon prior written permission of AUSTRAC as well as when explicitly provided by law.

On the other hand, the Fintel Alliance Innovation Hub has the task of improving financial transaction and payment accounting systems along with improving the regulatory framework for a more effective fight against money laundering.


Public-private partnerships have also developed in recent years in Canada, Hong Kong, and Singapore. In the case of Singapore and Canada, public-private partnerships take the form of analytical information processing that clarifies the various typologies of money laundering to be incorporated in the monitoring and screening systems of financial institutions. Meanwhile, in May 2017, the FMLIT public-private partnership pilot project, based on the U.K. JMLIT model (on sharing of operational (individual cases) information), was launched.

International studies reveal that the development of public-private information-sharing partnership mechanisms is largely linked to the inefficient current system in the fight against money laundering. So, experience in the United Kingdom, the United States, Australia, and other countries shows that PPPs significantly improve the effectiveness of AML/CFT activities, including reporting on suspicious transactions. In the fight against dynamically developing financial crimes, reliance only on technical compliance with predefined procedures and official guidelines, particularly if these rules are binding solely within single jurisdictional boundaries, will give no results. Countries should therefore improve and revisit their legislation in order to facilitate removal of outdated regulatory barriers and restrictions, and truly motivate and proportionally protect the frameworks of effective public-private information-sharing partnerships not only in their jurisdictions but across the globe.

Examples of the above described countries show that information-sharing partnerships can be divided into two broad categories: 1) statutorily mandated information sharing and 2) information sharing in the form of public-private partnerships, where law enforcement and industry come together to discuss matters such as certain ML typologies, risks, and best practices in prevention. These partnerships may be formal and informal, from organized meetings with select bank members to the informal exchange of information between a wide range of financial and law enforcement institutions.⁸

4. What is needed for sustainable and effective PPP?

The tone at the top has proved to be a cornerstone of a successful national financial information-sharing partnership, just like it is a foundation for an effective and functional AML/CFT compliance program. High-level support from political and business stakeholders is one of the key principles of a successful financial information-sharing partnership program.⁹

As it follows from the examples above, forging of robust AML/CFT-related information sharing arrangements requires demanding, effortless commitment on both sides—public authorities and private entities. The founders of the partnerships are to be free of the burdensome legacy of the past—a legacy that consisted of the long-standing legislation which in almost any country was kept as a bulletproof safe box of banking secrecy for decades, if not for centuries.

8 “The Developing Partnership Between Financial Institutions and Law Enforcement,” by Claiborne (Clay) W. Porter and Robert Dedman, The International Comparative Legal Guide to: Business Crime 2019, 9th edition, Global Legal Group, available from: https://www.navigant.com/-/media/www/site/insights/gic/2018/iclg-business-crime-2019.pdf.

9 Ibid.

For successful public-private information-sharing partnerships, true and profound leadership and the tone at the top of all parties are essential. In order to build leadership, the parties should first come to a consensus on the type of public-private information-sharing partnership they would like to establish in their jurisdiction: either a functional one, which will promote better understanding of certain typologies to assist in fighting money laundering/terrorist financing (ML/TF), or an operational arrangement allowing the parties to work together in the investigation of individual cases. This decision, like all decisions in prudent AML/CFT compliance programs, must be risk-based. The risk assessment should take into account all inherent risks of both parties, focusing particularly on privacy policy and data protection issues. If the risk assessment demonstrates too many obstacles to the establishment of an operational partnership (commonly preferred by law enforcement agencies), it is worthwhile to begin with the functional one. The most important thing is to start with something in order to meet another important provision for effective PPP: trust. Leadership and trust combined will ensure that both public and private leaders are committed to making the partnership a success, build confidence in the approach selected by the risk assessment process, share the same objectives, and, last but not least, avoid risks.

A successful public-private partnership requires clear and, as far as possible, straightforward legislation which enables and facilitates information exchange and sharing to the extent and level necessary to make an information-sharing arrangement truly operational and effective.

Information sharing should be proportional, lawful, and compliant with privacy and data protection rules. Accomplishing this requires that countries generate and encourage a regular and focused dialog between AML/CFT authorities (FIUs), the law enforcement community, data protection bodies, financial supervisors, and obliged entities involved in partnerships, in order to facilitate greater policy and regulatory coherence.

This dialog should include the notion that privacy and personal data protection rules do not exclude or even prohibit clear and proportional safe harbor rules and public-private information-sharing partnerships.

Countries should advocate and compel AML/CFT authorities, law enforcement agencies, and private stakeholders to engage with data protection authorities in order to come up with coherent policy and guidance regarding proportionate and lawful information sharing for better combating financial crime and protecting overall financial stability. There should be a straightforward understanding among all parties involved that the obliged firms and all law enforcement bodies act legitimately and in the interests of the general public.

Thus, all parties, including legislators, governments, law enforcement bodies, regulators, and data protection authorities, have a vital role in designing and enshrining into national legislation comprehensive Safe Harbor arrangements which are truly operational and effective, and do not contradict the essential human rights on privacy.


5. Governance and Accountability

Robust governance and accountability (independent testing) of the public-private information-sharing arrangement, along with legislative clarity, are at the core of a process that involves governmental and private entities which naturally apply different operational protocols. Governance of information (data) flows and channels, and policies and procedures that ensure proper integration of the obtained data into the internal controls of financial institutions, are the main provisions for a partnership to become a success story in strengthening the fight against financial crime. For example, the Fintel Alliance (Australia) published a detailed member protocol covering objectives, governance, information security, vetting, and dispute resolution arrangements.

Governance and accountability are fields where the third line of defense plays a vital role. It is important to remember that auditors should not compromise their ordinary professional standards and rules while auditing and, consequently, reporting and making recommendations on the entity’s involvement in the public-private information-sharing partnership and the outputs of that involvement. Auditors should audit the public-private information-sharing partnership arrangement following the very same audit cycle as for any other existing process. However, while setting up an audit program for a public-private information-sharing partnership, auditors are called on to take on board all the specifics of this brand-new arrangement.

To this end, auditors should first do their homework: familiarize themselves with public-private partnerships to the best extent possible. It is preferable for auditors to be aware of the entity’s decision to take part in a public-private partnership from the very inception of this commitment. Since the process requires particular scrutiny of privacy and data protection, as well as vetting of the employees involved and management of the whole process, auditors at the initial stage of this process could become the first line of defense. They could reasonably challenge the arrangements and processes established by the entity for its smooth and unfettered participation in the information-sharing partnership.

The audit risks of any financial institution’s engagement (on a voluntary basis in most jurisdictions) in public-private partnerships should be prioritized and assessed up front, before the institution commits itself to being a part of the arrangement. Auditors should have a seat on the committee which decides on involvement in an information-sharing partnership.

Auditors should gather their own data necessary for issuing an independent opinion. In this regard, internal auditors should have the knowledge and ability to directly access the data they need to support their opinion. Since the tone at the top is of utmost importance for a successful partnership, auditors should emphasize all kinds of relationships within the organization. There should be a high level of trust between the management, officers involved in the public-private partnership, civil servants, and the auditors while auditing public-private information-sharing arrangements. Public-private information-sharing partnerships are brand new in the tool kit dedicated to combating financial crime, so one should embrace the innovation. Perhaps this is most important when auditing truly revolutionary things like public-private partnerships. When auditing public-private information-sharing partnerships, as in any other audit, auditors need to constantly challenge how they do the audit and why they do it.10

Auditors should define and document the methodology they will apply in auditing the institution’s involvement in a public-private information-sharing partnership. Since involvement in a partnership is strictly voluntary, it requires a well-grounded and risk-based decision of the board (or an equivalent body) of the institution on its commitment to be a party to the partnership. This decision should be documented properly. It would be highly unacceptable for a financial institution that had decided to enter into information sharing without a proper, well-grounded decision to simply declare that it is terminating its participation in the partnership or, in the case of an operational partnership, to cherry-pick when it participates. Such an approach could have a severely adverse impact on the institution’s reputation among members of the partnership. Thus, auditors should pay specific attention to the institution’s decision to enter the partnership.

Another important area for internal auditors of public-private information-sharing partnerships is compliance with privacy rules and lawful sharing of personal data. In this context, auditors should pay special attention to the institution’s compliance with the “formal” requirements concerning data protection rules. For instance, the EU 5th Anti-Money Laundering Directive explicitly states that illicit funds are moved through different financial institutions to avoid detection and reemphasizes the importance of information exchange not only among group members, but among other financial institutions as well, with due regard to data protection rules as set out in the national law. In this context, the EU General Data Protection Regulation (GDPR) should be properly considered. The GDPR, amongst other strict requirements, stipulates that in case of high risk to the rights and freedoms of natural persons, the financial institution should carry out an impact assessment, the outcome of which is to be considered to demonstrate the financial institution’s compliance with the requirements of the GDPR. If the impact assessment reveals the presence of high risk which the financial institution cannot mitigate by appropriate measures in terms of available technology and implementation costs, a consultation with the supervisory authority should take place prior to the data processing (information sharing). Auditors should not only audit whether the impact assessment has been carried out and its results properly documented, but also audit the methodology of the impact assessment, its parameters, the identified risks, the measures applied to mitigate high risks, and, if circumstances warrant, the results of consultations with supervisory authorities. Since at least two supervisory authorities are likely to be involved (prudential and data protection), the entity should obtain and document the opinion from both.

10 “Auditing in a Frictionless World: Six Tips to Start the Journey,” by Jim Pelletier, November 2017, Internal Auditor, p. 8, available from: https://iaonline.theiia.org/blogs/Jim-Pelletier/2017/Pages/Auditing-in-a-Frictionless-World-Six-Tips-to-Start-the-Journey.aspx.


At all stages, information sharing is primarily about privacy and data protection; the audit program of an institution’s involvement in public-private partnership should include, at least, the following:

• proper identification of the scope of the audit program, considering regulation of information sharing in different jurisdictions under which a financial institution operates;

• policies and procedures on the institution’s participation in public-private information-sharing partnership; decisions of the board (or similar committee) on entering into public-private partnership;

• impact assessment of information sharing, especially its effectiveness in comparison to the traditional reporting;

• specific risks associated with the institution’s involvement with public-private partnership, tools to mitigate these risks;

• test samples (particularly on vetting of institutional representatives in operational partnerships, if the institution participates in it);

• test results and proper documentation of these results;

• auditing of training provided to the employees on public-private information-sharing partnerships, focusing on the training program correspondence to the risk (impact) assessment outcomes;

• constant, defined monitoring of the whole process and remediation of deficiencies; and

• follow-up of the results. Audit should follow the results and implementation of the remediation actions and provide constant feedback to the management, including advice on the best tools for facilitation of the best outcome.

Trust is at the core of any relationship; this is especially true for partnerships where public and private entities are involved. Trust is defined as “the firm belief in the reliability, truth, ability, or strength of someone or something.”

“Internal auditors speak increasingly of the need to be trusted advisors. [….] the term advisor encompasses the full spectrum of an internal auditor’s work, from providing consultation and advice at the request of management to generating recommendations for corrective actions as the result of an assurance engagement. In the end, I believe we are advisors in our professional roles every day.”11

The role of the trusted advisor should be particularly re-emphasized and reconfirmed to AML auditors once the institution decides to become a party to a public-private partnership.

Ultimate beneficial ownership (UBO) secrecy is one of the impediments to effectively generating results for information-sharing arrangements, either public-private or private-private.

11 Trusted Advisors: Key Attributes of Outstanding Internal Auditors, by Richard F. Chambers, 2017, Internal Audit Foundation, p. 2.


To overcome this barrier, state registers play an important role in information sharing, and are growing at an unprecedented rate. State registers could become a model for the prudent governance of public-private information-sharing partnerships.

The 5th EU AML/CFT Directive calls for greater transparency in the information available about the UBOs of firms. This piece of legislation strengthens the role of state registers in information sharing on UBOs and gives state registers a more active role in validating the data stored in their files. Some countries have already established targeted account registers that are populated with UBO data obtained by financial institutions during KYC/CIP processes. Data in account registers are not publicly available and are accessible only to law enforcement and some other specially designated governmental bodies when carrying out their public duties.

On the other hand, company registers hold records of UBOs filed by companies on their own. Submitting inaccurate information is a criminal offence in some countries. Information on UBOs held by company registers is available to the general public.

Smooth and effective interaction and cross-referencing between these two databases would be beneficial for further enhancing the verification of customers and improving the investigation of financial crime. It would also serve as a trusted and reliable source of information for public-private partnerships, and as an invaluable source of information for independent testing of these partnerships and of the accuracy of the UBO data obtained by financial institutions when performing KYC and CIP. In this way, a financial institution’s participation in a public-private partnership, along with its reporting duty to the state registers, could increase the quality of the data at the institution’s disposal and, consequently, improve the quality of independent testing of many processes and procedures in the financial institution.

6. Conclusion

There are several already operational public-private and private-private information-sharing partnerships with the same underlying core principles:

• Mutual trust and leadership

• Legislative certainty and clarity

• Prudent and well-structured coordination of actions, either nationally or internationally

• Availability and provision of all necessary resources for all parties involved in partnerships. (Resources provided to law enforcement agencies should be commensurate with the scale of financial crime and be proportionate to the resources provided to the private sector.)

• Governance and accountability (Partnerships should be based on robust governance and accountability protocols and arrangements. This particularly emphasizes the role of independent testing of the arrangements and need for protection of privacy and personal data.)

• Technology, automation, and analytical resources (This requires an on-going investment from both parties of the partnership.)

• Structured communication, risk-based training, and education as an enabler for further expansion of public-private information-sharing partnerships

• Ongoing dialog between the AML authorities and data protection authorities for creation of coherent information sharing standards


FATF and heads of FIUs of FATF members should consider the following matters to be included in their guidelines:

• Address all aspects of cross-border information sharing between the public and private sector.

• Stress the importance of good governance and accountability of public-private partnerships in order to avoid any doubt about misuse of personal data or disruption of privacy by public-private partnerships. To this end, clear expectations regarding independent testing of these partnerships and minimum standards of communication about the results and effectiveness of public-private partnerships should be established.


References

Chambers, R. (2018, June 25). Internal auditors can audit anything — but not everything. Internal Auditor. Retrieved from https://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Auditors-Can-Audit-Anything---but-Not-Everything.aspx

Chambers, R. (2018, September 10). Writing an impactful audit report: 6 tips for being more persuasive. Internal Auditor. Retrieved from https://iaonline.theiia.org/blogs/chambers/2018/Pages/Writing-an-Impactful-Audit-Report-6-Tips-for-Being-More-Persuasive.aspx

Chambers, R. (2018, November 5). Five future developments that could elevate internal audit's stature. Internal Auditor. Retrieved from https://iaonline.theiia.org/blogs/chambers/2018/Pages/5-Future-Developments-That-Could-Elevate-Internal-Audits-Stature.aspx

CTITF. (2009, October). CTITF working group report: Tackling the financing of terrorism, counter-terrorism implementation task force. United Nations. Retrieved from https://www.un.org/counterterrorism/ctitf/sites/www.un.org.counterterrorism.ctitf/files/ctitf_financing_eng_final.pdf

Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU. (2018, May 18). Official Journal of the European Union. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843

FATF. (2018, October). International standards on combating money laundering and the financing of terrorism & proliferation: The FATF recommendations. FATF. Retrieved from www.fatf-gafi.org/recommendations.html

FATF. (2017, November). Consolidated FATF standards on information sharing: Relevant excerpts from the FATF recommendations and interpretive notes. FATF. Retrieved from http://www.fatf-gafi.org/publications/fatfrecommendations/documents/consolidated-fatf-standard-information-sharing.html

FATF. (2017, November). FATF guidance: Private sector information sharing. FATF. Retrieved from www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-information-sharing.html

FinCEN. (2019, June 18). FinCEN’s section 314(a) fact sheet. U.S. Department of the Treasury. Retrieved from https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf


FinCEN. (2016, November). FinCEN’s section 314(b) fact sheet. U.S. Department of the Treasury. Retrieved from https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf

Frau, G. (2017, October 5). Oversight of cross-border funds distribution: The assurance and benefits provided by an effective AML and CTF audit. ACAMS. Retrieved from http://files.acams.org/pdfs/2017/Oversight_of_Cross-Border_Funds_Distribution_G.Frau.pdf?_ga=2.14745845.2145140720.1544970581-764892732.1496774099

Kofod, J. & Niedermayer, L. (2018, November 9). Draft report on financial crimes, tax evasion and tax avoidance (2018/2121(INI)). Special Committee on financial crimes, tax evasion and tax avoidance, European Parliament. Retrieved from http://www.europarl.europa.eu/cmsdata/156723/TAX3%20Final%20draft%20report.pdf

Lopez, N. I. (2017, October 5). Anti-money laundering training … One size does not fit all. ACAMS. Retrieved from http://files.acams.org/pdfs/2017/Anti-Money_Laundering_Training_N.Lopez.pdf?_ga=2.48439397.2145140720.1544970581-764892732.1496774099

Maxwell, N. J. & Artingstall, D. (2017, October). Occasional paper: The role of financial information-sharing partnerships in the disruption of crime. Royal United Services Institute (RUSI). Retrieved from https://rusi.org/sites/default/files/201710_rusi_the_role_of_fisps_in_the_disruption_of_crime_maxwwell_artingstall_web_4.2.pdf

NCA Joint Money Laundering Intelligence Taskforce (JMLIT). (n.d.). Retrieved from http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/national-economic-crime-centre/joint-money-laundering-intelligence-taskforce-jmlit

Office of Inspector General. (2017, September 18). Audit report: Terrorist financing/money laundering: FinCEN’s 314 information sharing programs are useful but need FinCEN’s attention. U.S. Department of the Treasury. Retrieved from https://www.treasury.gov/about/organizational-structure/ig/Audit%20Reports%20and%20Testimonies/OIG-17-055.pdf

Porter, C. W. & Dedman, R. (2019). The developing partnership between financial institutions and law enforcement. The International Comparative Legal Guide to: Business Crime 2019, 9th edition. Global Legal Group. Retrieved from https://www.navigant.com/-/media/www/site/insights/gic/2018/iclg-business-crime-2019.pdf

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (2016, April 27). Official Journal of the European Union. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

The Institute of Internal Auditors (IIA). (2018, May). IIA position paper: Internal auditing’s role in corporate governance. Retrieved from https://na.theiia.org/about-ia/PublicDocuments/Internal-Auditings-Role-in-Corporate-Governance.pdf

Wilejto-Rieken, M. (2018, May 17). USA PATRIOT Act, section 314(a) and 314(b) information sharing: Beneficial and detrimental effects of the act. ACAMS. Retrieved from http://files.acams.org/pdfs/2018/USA_Patriot_Act_M_Wilejto-Rieken.pdf?_ga=2.69471187.2145140720.1544970581-764892732.1496774099