Information Sharing in the Era of Coronavirus Tracing Apps – A New Context for Fighting Financial Crime?
Coronavirus ‘track and trace’ efforts represent a major escalation in how governments analyse personal data. The financial crime-fighting world should pay attention.
Coronavirus infection tracing apps have brought the formerly obscure and specialist topic of ‘centralised’ versus ‘decentralised’ data analysis into the spotlight, in a way that few could have foreseen. Coronavirus has also led to a rapid escalation of a wider debate across liberal democracies about the legitimacy of state access to citizens’ private data in pursuit of the public good. This context may have implications beyond the immediate focus on public health, to include the field of financial crime detection and prevention.
Over 30 years ago, the international system for tackling money laundering established a centralised data collection model for ‘suspicious’ activity. A fundamental feature of this model is for private sector regulated entities, including financial institutions, to be obliged to identify and report their suspicions to government Financial Intelligence Units (FIUs). However, new analytical technologies and, perhaps, new political realities about the boundaries of privacy, should cause us to think again about how we use financial data to identify financial crime.
This is where the field of privacy enhancing technologies (PETs) comes in. PETs are the subject of the latest Future of Financial Intelligence Sharing (FFIS) study by this author, which considers the rise of 'privacy preserving' decentralised analytical capabilities to tackle financial crime. These cryptographic capabilities allow for the 'use' of data without having 'access' to the data. With PETs, data owners can allow an analyst to process their data for certain functions, without the data owner needing to disclose the underlying data to the analyst.
In the past, it was necessary to decrypt all data and centralise it to conduct analysis. In essence, PETs remove the need to do this. PETs allow for queries to be run on sensitive data, across multiple organisations and even across borders, revealing, for example, macro analysis, population statistics and trend identification, without any underlying sensitive data ever being disclosed or shared through the analytical process.
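To make 'use without access' concrete, the following added example (not taken from the FFIS study or any project named in this commentary) computes a cross-institution total with additive secret sharing, one of several PET techniques; the commentary itself does not single out a technique. The bank names and counts are constructed, and the sketch assumes parties that follow the protocol and do not collude.

```python
import secrets

# Modulus for share arithmetic; it must exceed any possible true total.
P = 2**61 - 1


def split(value, n):
    """Split `value` into n random shares that add up to it modulo P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def secure_sum(private_values):
    """Return (total, published_partials) without pooling any raw value."""
    n = len(private_values)
    # Step 1: every institution splits its own figure locally.
    # dealt[i][j] is the share institution i sends to institution j.
    dealt = [split(v, n) for v in private_values]
    # Step 2: institution j adds up the shares it received and publishes
    # only that partial sum, which is uniformly random on its own.
    partials = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    # Step 3: the analyst adds the published partials to get the total.
    return sum(partials) % P, partials


# Constructed sample: flagged-transaction counts held by three banks.
BANK_COUNTS = {"bank_a": 412, "bank_b": 97, "bank_c": 1530}


def demo_total():
    total, _ = secure_sum(list(BANK_COUNTS.values()))
    return total


if __name__ == "__main__":
    total, partials = secure_sum(list(BANK_COUNTS.values()))
    print("published partial sums:", partials)
    print("network-wide total:", total)
```

The analyst sees only the partial sums and the total. The guarantee weakens if institutions collude: all parties other than one can together recover that one's figure by subtracting their own from the total.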
A year ago, the UK Financial Conduct Authority hosted a week-long Global Anti-Money Laundering and Financial Crime TechSprint which focused on how PETs can facilitate the sharing of information about money laundering and financial crime concerns. This event allowed over 60 organisations to come together and explore ways in which PETs could be applied, using an enormous synthetic construction of two years of financial data.
This work and additional pilots highlighted in the FFIS case study mapping exercise indicate the broad range of potential applications for PETs in the world of financial crime prevention and anti-money laundering.
This field of technology can be, perhaps, difficult to grasp and can seem counterintuitive. PETs can allow data to be made more useable and less accessible at the same time; information sharing can be increased and at the same time privacy guarantees can be strengthened.
Some may view PETs as a 'solution looking for a problem'. The technology seems complicated, and data quality and data interoperability remain key challenges for inter-institutional sharing. Furthermore, data processors (rather than data owners, perhaps) may ask themselves, ‘How can I have comfort in my analytical decisions if I do not have the opportunity to see the raw data myself? Why can I not just receive all the information unencrypted, “in the clear”?’
These concerns may be legitimate and each use-case will need individual consideration.
Implications for Policy-Makers
However, until recently, the level of understanding by policymakers and the public about this type of decentralised approach to analysis has been very limited. Now, widespread discussion of coronavirus tracing apps has encouraged mainstream engagement with the idea of decentralised analysis of large amounts of sensitive data. In this context, there may be an opportunity for a more sophisticated debate about the implications of the technology for the overall reporting system used to tackle financial crime.
Historically, the approach to reporting financial crime, both in the UK and similar countries, has led to massive and ever-increasing amounts of reporting from the private sector being sent to FIUs. The vast majority of that information is not used directly to support law enforcement investigations. FIUs, of course, may be keen to hold on to large inflows of reporting 'just in case' something becomes useful for investigations in the future. And there are, no doubt, individual examples of that scenario occurring. However, perhaps like the ill-fated attempt by the UK’s National Health Service to centralise data required for coronavirus tracing, advances in analytical technology should cause us to think again about whether the overall process for reporting financial crime still makes sense.
Australia is already exploring the potential capabilities of PETs to steer the reporting of financial crime risk. AUSTRAC (Australia’s FIU) is building a platform to run privacy preserving analysis over the Australian retail banking market. The approach will help identify patterns and typologies of crime, and determine how suspicious accounts are linked across multiple financial institutions. The AUSTRAC 'Alerting Project' is designed to achieve these outcomes, without – in itself – revealing any private account or transaction information. Only once a threshold for suspicion has been reached will AUSTRAC then use normal regulatory notices to request the underlying details of the relevant accounts.
The Australian initiative is still in its ‘discovery phase’. Other privacy preserving pilots in the private sector have been completed in the Netherlands and the UK to map transaction flows across retail banks and search for evidence of financial crime across the entire network. The work is still nascent, but progressing apace.
The new German presidency of the Financial Action Task Force – the global standard setter on anti-money laundering – has recently set out digital transformation as its number one priority. At an international level, this may provide an opportune context to reflect on whether a centralised reporting framework of raw information is the most effective, efficient and secure model in the digital era.
The coronavirus pandemic has increased familiarity and general literacy with regard to decentralised analytical tools that rely on personal data, and public debate has developed in relation to the use of this private data to support social benefits. The open question for the financial community – both public and private sectors – is whether efforts to tackle financial crime can build on this opportunity.
Inspired by the ambition (at least) of ‘track and trace’ technology, can the detection of financial crime move to be digital, operate in real-time, and discover threats as they flow across the whole network?
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
WRITTEN BY
Nick J. Maxwell
Associate Fellow; Director, NJM Research Ltd