The UK Data Protection Bill and its Impact on National Security
Lisa Osofsky is EMEA Regional Chair and EMEA Head of Investigations and Dayna Bordin is EMEA Deputy Head of Financial Crime Compliance
The Data Protection Bill (“DPR” or “the Bill”) comes into effect on 25 May 2018 and is intended to incorporate into English law the data protection rights that will be afforded under the EU General Data Protection Regulation (“GDPR”). The UK government claims the GDPR will increase customer confidence in the digital economy but a new set of national data rights and obligations may prove challenging for a government that must focus on national security, particularly the growing threat of terrorism.
The recent shift in terrorist attacks from large scale to ‘lone wolf’ or small group attacks raises a similar question for intelligence agencies and financial institutions alike. How do we identify and prevent attacks that require only ‘micro finance’ levels of funding, where even legitimate items such as a car or a van, knives or household cleaners, are used in devastating and unpredictable assaults?
The current system of data sharing that can be marshalled to flag and identify potential attackers can be assured, from a data protection perspective, if similar standards are maintained across the UK and the rest of the EU, with the UK offering protection that is seen to be equivalent to that in the EU. The small print of the government’s ‘statement of intent’ with regard to the DPR, however, makes clear that there will be provisions for the state to access data. Specifically, the ‘statement’ notes: “Increased cross-border data exchanges are key to tackling the threats posed by terrorism and organised and online crime.” Recent terror attacks, both at home and abroad, demonstrate the need for international cooperation to tackle these threats. Detail on how to marry individuals’ rights to privacy with the state’s need to protect its citizens will become clear only after the final content of the Bill is revealed and, within any new Act, once the Bill has been fully debated in Parliament.
While the government sifts through these and other concerns in the wake of Brexit, in the commercial sphere, financial institutions meanwhile must rethink their own customer screening and transaction monitoring systems in the light of a raft of new anti-money laundering rules and regulations and an increased reputational risk of being associated with terrorist financing.
If data can be stored and shared to help analyse patterns of customer behaviour that help identify transactions leading up to a terrorist act, before that act is perpetrated, then banks can play a significant role in the wider battle against terrorism. The challenge will be in incorporating new restrictions on maintaining and sharing customer data under the GDPR (and the DPR) in a way that enables banks (and mobile phone network providers) to identify early on those customers who may pose a terrorist threat.
The process of intelligence-based analysis and compliance controls will inevitably run up against a host of data protection and privacy issues. The UK is, however, leading the way in information sharing through the Joint Money Laundering Intelligence Taskforce. The JMLIT combines the knowledge sharing of the private and public sector in a more aggressive way than even initiatives underway in the US. However, whereas the sharing of information among the UK government and banks has been widely welcomed, national restraints on sharing across borders can limit effective sharing of customer data, even within a single global institution. Data protection laws may mean major global banks based in the US, UK, France or Germany are unable to see, on a real-time basis, information about a customer or transaction that happens, for example, in Turkey, Somalia, or Egypt or even within other European member states.
On-boarding customers requires vetting before take-on, but anti-money laundering (AML) compliance technology systems frequently analyse completed transactions, and many AML controls deal with the laundering of money obtained from illegal activities already carried out. Some wholesale revisions may be needed to tackle terrorist attacks that have yet to occur. The ability to predict the ‘lone-wolf’ attack under the current AML regime is a high mountain to climb.
Technological Advancements
Advances in compliance screening software mean that, however challenging, it is possible to re-scan retail banking clients even daily. As a result, there is the possibility of scanning all retail customers against known terrorist lists on a regular basis, picking up future terrorists who may ‘sit on’ accounts for many months before the accounts become active – as is potentially the case with student bank accounts opened long ago. However, banks must have the correct names to screen against or else they are working in the dark. If the names of these terrorists are not present on any government sanctions list, it becomes difficult to trace underlying activity.
Risk-based Approach to Monitoring Customers
Assuming it takes time to adopt regular retail client re-screening, significant work will continue to be done by banks to identify the very small number of retail customers who present a terrorist risk. The good news here is that banks’ internal intelligence units have become ‘smarter.’ Complex screening typologies, a method of financial profiling, help detect patterns in customer transactions and focus on the right customer files for in-depth review. Expanding on this success, financial institutions may benefit by broadening their approach to network analysis of transaction series involving numerous customers. Some banks are already ahead of the game, carrying out targeted intelligence-driven data analytics to identify the specific patterns of transactional behaviour consistent with terrorist financing.
New approaches to customer monitoring and repeat due diligence may look to create data points based on the wide array of data currently available. Banks can see the location where transactions occurred and can focus in on areas that border known regions where terrorists operate. Purchases that do not fit with an account’s history—even innocuous purchases such as low-cost camping equipment—can be flagged. Artificial intelligence tools may play a role in analysing this data.
Given the millions of different transactions customers enact each day in just one country for one bank, financial intelligence units will be radically rethinking how they work with a range of new technology. The right tools will allow financial institutions to leverage internal and external ‘big data’ to analyse it for historic patterns and predictive behaviour.
Any new data protection legislation will need to balance the rights of the individual to privacy with the need for the state to offer its citizens safety and security. Retention of data and access to that data will remain a focal area for years to come as that balancing act plays out in the face of the ever-changing nature of terrorist acts and the ways they are financed.