Regulations place restrictions on banks and other financial institutions when they share customer data with other institutions in the industry. For example, under the General Data Protection Regulation (GDPR) in Europe, the processing of data should have a clear “lawful basis”. Any violation could attract penalties of up to 20 million Euros, or four percent of a company’s worldwide turnover. However, GDPR clarifies that, for several purposes related to financial crime, legal requirements take precedence.[1]
Similarly, the California Consumer Privacy Act (CCPA) of 2018 requires companies to provide consumers with the ability to access or delete personally identifiable information (PII) or to opt out of relationships without discrimination.[2]
However, outside of regulatory constraints on data sharing, sharing customer data for financial crime management – even within the industry – is challenging. Banks and other financial institutions with a global footprint can only share Know Your Customer (KYC) data across geographies if customer terms and conditions clearly state that such data sharing will occur within the organisations’ legal entities. These provisions are still subject to local data protection laws in some countries. Variations also exist where sharing non-citizens’ data is permitted within the legal entity’s business perimeter.
This complex regulatory environment has compounded the challenge for firms to manage the risk of financial crime by increasing compliance costs incurred through operations built around non-standardised processes. It also increases the risk of losing customers and new business.
To counter this challenge, firms are moving towards collaborative efforts – both across jurisdictions and across organisations – to help manage challenges related to financial crime.
Collaborative approaches, such as those initiated in Europe and the US, allow firms to adopt a joined-up, transparent, cost-effective approach to managing financial crime risk arising from exited customers, by means including:
- Establishing standard information exchange principles and common risk typologies for sharing information on exited customers – for example, customers that are exited from one bank due to non-compliance with risk policy could be acceptable for account opening at another bank. Common minimum terms and definitions of information exchange can help address potential variations in risk appetite.
- Creating harmonised policy standards in consultation with the regulators to strengthen risk management across the industry.
- Creating a standardised target operating model, which a harmonised policy makes feasible, and permitting mutualisation of records by banks. This provides for consistency in delivery and assurance, such as agreement upon and standardisation of the way information about exited customers should be interpreted and used for decision making among participating banks. Ownership, maintenance and governance of the model should also be an important consideration in its setup.
By collaborating and sharing intelligence, learnings and information, banks and other financial services firms can better manage financial crime risks related to exited customers, fostering greater transparency and gaining operational efficiencies.
In the next blog in this series, we will look at the use case for analytics in developing a customer exit data strategy.
1. “Lawful basis for processing,” Information Commissioner’s Office website, Guide to the General Data Protection Regulation. Access at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
2. “The Consumer Right to Privacy Act of 2018 – Version 2,” Office of the Attorney General, California, November 20, 2017. Access at: https://oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf