GDPR; Fraudulent transactions and personal data

Pieter van Hoogstraten
Recently the Dutch Financial Intelligence Unit (FIU) reported a record amount of almost 10 billion euro in discovered fraudulent financial transactions over 2018. Think of the laundering of, often, drug profits and the financing of terrorism. As part of the National Police, the FIU is the independent authority to which financial institutions are required by law to report suspicious transactions. It assesses the transactions brought to its attention by banks and others. Think of the purchase of an expensive apartment with the proceeds of the sale of an ancient sculpture via a bank in Dubai. Or of 100,000 euro paid in small instalments to a banana exporter in South America.
In 2018, out of billions of transactions the FIU sifted out 58 thousand suspicious transactions, with a total value of 9.7 billion euro. In 2017 it flagged 40 thousand transactions with a value of 6.7 billion euro. Europol estimates the total value of such transactions at 200 billion.

Banks, investment funds and other financial institutions are misused by criminal gangs and terrorists. It is well known that the quality of its financial infrastructure attracts criminals to the Netherlands, and that is unlikely to change. Obliged by law, financial institutions must act to prevent money laundering and the financial support of criminal acts and terrorism. They do so by collecting extensive information on their customers in processes like 'know your customer' (KYC) and 'customer due diligence' (CDD), and by monitoring all of their transactions.

KYC is about building an accurate profile of a customer in the context of the requested services. In CDD, customer data are assessed against an array of risks. Directives for such CDDs may add up to 50 pages of text. The ultimate goal is to rule out the risk that a person or institution is involved in serious crime.

Recently, the Netherlands Authority for the Financial Markets (AFM) publicly addressed several Dutch banks for not fulfilling their role as gatekeeper in this matter. ING settled with the Public Prosecutor's Office for a record 775 million euro to avoid prosecution for its failing anti-money-laundering policies. This year Rabobank was fined 1 million euro because it did not get its customer files in order. In March this year, the Dutch Central Bank (DNB) issued a formal instruction, a last warning, to Triodos Bank to remedy the shortcomings in its KYC and CDD. The same applies to the Volksbank, which was also fined for not reporting suspicious transactions.

And just now, ABNAMRO has been publicly notified of shortcomings in its integrity controls over 5 million retail customers. In addition, its risk assessment is not up to par.

Automation is key

For financial institutions, the award-winning Dutch-British fintech Safened verifies the identity of new customers very fast. It allows banks to let customers open a new account on a mobile device within minutes and still comply with KYC regulations. Sales Director Kirk Gunning calls the company "a sort of bouncer to keep out the bad guys." For the check on 5 million files, automation is imperative. All data need to be tested against the European directives on money laundering and terrorist financing, and against the bank's own risk policy framework. With the help of US-based RDC, ABNAMRO checks possible matches against a global blacklist of some ten million people.

All banks use robotic process automation (RPA) for preparatory data processing. Bots collect and process data and link these to transaction records. With artificial intelligence these bots become ever more sophisticated in selecting the few suspicious transactions out of the millions processed every day: the needle in the haystack. After that, the flagged anomalies are processed manually. Every large bank employs hundreds of people dedicated to this laborious work.
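The kind of rule such a bot applies, as an added example that is not from the article and not any bank's or vendor's production logic: a structuring ("smurfing") detector that flags an account whose sub-threshold payments to one counterparty add up to the reporting threshold within a short window, mirroring the banana-exporter case above. The 10,000 euro threshold, the seven-day window, the minimum count and the transactions themselves are all constructed assumptions.

```python
"""Structuring detector over a batch of transactions.

Added illustrative example; the policy parameters and the sample data
below are assumptions, not figures from the article or from any bank.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy parameters.
REPORT_THRESHOLD_EUR = 10_000.0   # single payments at or above this are reported anyway
WINDOW = timedelta(days=7)        # look-back window for split payments
MIN_COUNT = 3                     # at least this many sub-threshold payments in the window

# Constructed sample data: (account, ISO timestamp, amount in euro, counterparty).
SAMPLE_TRANSACTIONS = [
    ("NL01", "2018-03-01T09:00", 9500.0, "BANANA-EXPORT-EC"),
    ("NL01", "2018-03-01T12:15", 40.0, "SUPERMARKET-NL"),
    ("NL01", "2018-03-02T10:30", 9800.0, "BANANA-EXPORT-EC"),
    ("NL01", "2018-03-04T16:05", 9900.0, "BANANA-EXPORT-EC"),
    ("NL01", "2018-03-05T08:50", 55.0, "SUPERMARKET-NL"),
    ("NL01", "2018-03-06T11:40", 9700.0, "BANANA-EXPORT-EC"),
    ("NL02", "2018-01-01T08:00", 2500.0, "LANDLORD-NL"),
    ("NL02", "2018-02-01T08:00", 2500.0, "LANDLORD-NL"),
    ("NL02", "2018-03-01T08:00", 2500.0, "LANDLORD-NL"),
    ("NL03", "2018-03-03T14:00", 15000.0, "ART-DEALER-AE"),
]


def _group(transactions):
    """Group transactions by (account, counterparty), each list sorted by time."""
    groups = defaultdict(list)
    for account, ts, amount, counterparty in transactions:
        groups[(account, counterparty)].append((datetime.fromisoformat(ts), float(amount)))
    for rows in groups.values():
        rows.sort()
    return groups


def detect_structuring(transactions, threshold=REPORT_THRESHOLD_EUR,
                       window=WINDOW, min_count=MIN_COUNT):
    """Return one alert per (account, counterparty) pair whose sub-threshold
    payments inside some sliding window add up to at least the threshold.

    Payments at or above the threshold are skipped on purpose: they are not
    'split' and belong to an ordinary large-transaction rule instead.
    """
    alerts = []
    for (account, counterparty), rows in _group(transactions).items():
        small = [(t, a) for t, a in rows if a < threshold]
        best = None
        for i in range(len(small)):
            total, count = 0.0, 0
            for j in range(i, len(small)):
                if small[j][0] - small[i][0] > window:
                    break
                total += small[j][1]
                count += 1
                if count >= min_count and total >= threshold:
                    # Keep the window with the largest total for this pair.
                    if best is None or total > best["total"]:
                        best = {
                            "account": account,
                            "counterparty": counterparty,
                            "count": count,
                            "total": round(total, 2),
                            "first": small[i][0].isoformat(),
                            "last": small[j][0].isoformat(),
                        }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_TRANSACTIONS):
        print(alert)
```

Run as is, the only alert is account NL01 paying the exporter 38,900 euro in four instalments within six days; the rent payments are too far apart, the supermarket payments too few, and the single 15,000 euro payment is not split at all. In real monitoring such a rule is combined with the KYC profile (expected turnover, line of business), so that a wholesale fruit importer paying an exporter is not an anomaly while a private individual doing the same is.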

Automating controls

On more than one occasion, Frank Elderson, director of supervision at the Dutch Central Bank, has stated that, in spite of the hundreds of millions of euros spent, banks fail to comply. He sees a lack of 'conviction at the top': boardrooms do not regard the gatekeeper task as a key competence of the bank. The heart of the matter may be the tension between commerce and profit on one side and the cost of helping to battle crime on the other.

Fines may pave the way, but appropriate tooling will certainly help to make compliance part of daily management. We suggest automating not only KYC and CDD, but also the control of compliance itself. That brings insight into things like the number of correct KYC files, the omissions and inaccuracies and the remediation they trigger, and the locations or departments where compliance suffers most. Such a high-level dashboard, with the ability to drill down to the source data, can be presented in ServiceNow, in use by most Dutch banks as their enterprise service platform for IT service management. Its powerful modules for Governance, Risk, and Compliance (GRC) offer exactly this opportunity.


Such a control routine puts the level of compliance on the board's agenda. The quality of the customer files, defined in terms of legislation and the bank's own policy statements, becomes visible. And every control cycle feeds the improvement of the quality of the underlying data.

Personal data

GDPR restricts the use of personal data for 'secondary purposes'. Fighting fraud implies the opposite. As an example: a bank noticed suspicious transactions on a specific account. When questioned about the details of the transactions, the customer closed the account. Out of precaution, the bank may also have closed it on its own initiative. In both cases the individual may open an account around the corner and start anew, without any history. For quite some time, banks have pleaded for cooperation in fighting money laundering. And this makes sense: the example shows that two know more than one. And sometimes the combination of separate small pieces of information may lead to the identification of malpractice.

To meet legal requirements, GDPR allows the exchange of personal data. The higher the risk of money laundering, the more data may be exchanged, under certain conditions. In the balance between individual control over personal data and law enforcement, banks will get permission to build a transaction monitor. This helps to screen transactions.
Banks remain responsible for their own supervisory tasks. They still need to define their own risk policies and to weigh these against the individual privacy rights of their clients. It is not a bad idea to have such a policy evaluated by the Dutch Data Protection Authority and other stakeholders. More than ticking boxes, the protection of personal data is a commitment.

Related articles / whitepapers

- ARTICLE 1: GDPR: getting used to the new status quo

- ARTICLE 2: GDPR: fraudulent transactions and personal data [ARTICLE ABOVE]

- ARTICLE 3: GDPR; Profiling and automated decision making

- WHITEPAPER: Improve IT service management with AIOps