Financial institutions generally are not keen on sharing information about their customers with peers in the industry. Given the threats of customer poaching and cross-sell attempts, aided by the use of emerging technologies, data mining and analytics, most financial institutions look at information sharing with suspicion.
While this temperament is fair in terms of business and competition, there is a flip side to it when seen from the risk management perspective. Banks truly stand to gain from information sharing among industry players, especially in the anti-money laundering compliance domain.
Many leading international banks have had to pay hefty fines for failing to report suspicious activities as a result of deficiencies in their compliance programs. Financial institutions are now over-cautious, and visibly over-loaded, when it comes to filing suspicious activity reports (SARs), due to the fear of being penalized. The number of suspicious activity reports rose from 669,000 in 2013 to almost a million in 2016, according to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN).
While these fines may not necessarily be due to a lack of information on a customer's suspicious activities, more information could have undoubtedly helped avert such scenarios.
The USA PATRIOT Act created measures, some of them voluntary, for financial institutions to share critical information with other industry players and law enforcement agencies. Section 314(b) of the Act permits financial institutions to share information with one another in order to identify and report activities that may involve money laundering or terrorist activity. Shareable information includes details around the proceeds of one or more specified unlawful activities, customer profiles, and information to identify and report activities that may involve terrorist activity or money laundering.
While there has been in-principle alignment on the benefits of information sharing among financial institutions, it is not known whether the option provided has been utilized to the extent for which it was created. A report by FinCEN showed “that only one 314(b) related SAR for every two financial institutions was filed in 2012. In a previous study in 2011, FinCEN had noted that 314(b) participation by smaller FIs was tepid”. Although no public information is available for the subsequent period, there is no known evidence of improvement.
A streamlined process will help industry players in this regard.
To begin with, the objective of the program should only be risk management through collaborative effort. The customer data received during the process should never be misused or cross-utilized for business purposes. While the legislation clearly mentions the purpose, the participating financial institutions should have checks and balances to comply with this fundamental requirement. Since the AML compliance function is typically centralized, data access privileges should be restricted to the central team and supported by data encryption methods.
Currently, the entire process of information sharing is manual. A centralized process, fully or partially automated, akin to a case management solution can be considered through a nodal agency. The channel of information sharing can be digitized and secured through application programming interfaces (APIs). The data can also be saved on the cloud. The recommendation is on similar lines to the centralized e-KYC system set up in some countries (including India).
While the legislation provides immunity, banks are still concerned about sharing customer data made available to them in a fiduciary capacity. Banks’ apprehensions can be put to rest, and the risk of legal battles can be reduced, if customer contracts or the terms and conditions clauses of the offerings include a provision on information sharing by the financial institution as part of risk management programs.
Another critical aspect of information sharing is the ‘absence of recourse’ to the remitter of the information. The receiver of information should complete an independent investigation and decide of its own accord whether it wants to go ahead with SAR filing, and so on. The information received from another financial institution should only be considered as one of the inputs, and any SAR filing decision should be taken after a comprehensive review.
What do you think? Is the industry ready to make judicious use of the information shared? How will the customers react to this change? Please let us know your thoughts in the comments section below.