It’s been almost a year since the General Data Protection Regulation (GDPR) came into force. Under this law, companies, including banks, are required to protect their customers’ data. Obviously, banks already had to protect customer confidentiality, but now they also have to ensure that access to customer information is granted to as few people as possible within their organizations.
Companies such as Microsoft are already under investigation, and the Institute for social security (UWV) in the Netherlands risks being held liable for a €150.000 fine if they don’t improve their data security practices before the 31st of October 2019. A study by the Kaspersky Lab found that 31% of data breaches have resulted in employment termination for senior non-IT staff members.
Like the European Union, the United States also seems to be increasing the strictness of data protection standards. On 28 June 2018, California passed the California Consumer Privacy Act (CCPA), a law that’s very similar to GDPR. This legislation will come into effect on the 1st of January 2020, and it’s expected that other states will follow in California’s footsteps.
One of the GDPR’s directives is that data is not to be collected just because it is available: data collection is instead to be kept to a bare minimum. Adhering to this guideline is challenging for compliance departments at banks. In the past, data had been seen as a valuable resource, and the thinking was: the more data, the better. Covert data gathering is also prohibited under the new rule. The complexity of the regulations is often confusing for employees in compliance departments at banks since they’re tasked with collecting data while also adhering to GDPR.
Compliance with regulations preventing financial crime seems to be in conflict with GDPR compliance. Yet failing to comply fully with both of these regulations poses a significant risk for banks. The fines for failing to comply with crime-prevention regulations are significant, but the penalties for GDPR non-compliance aren’t any smaller. To give you an idea: the maximum fine for failing to comply with GDPR is 20 million euros or 4% of a banks’ global annual income, whichever is higher. This same fine is also the penalty for not reporting data breaches to the authorities within the set deadline of 72 hours.
It isn’t a surprise that banks worry about complying with GDPR, particularly since GDPR compliance appears to reduce their ability to prevent fraud and meet data breach reporting requirements.
Anonymization through process automation
One of the GDPR preferred guidelines states that personal information is to be anonymized during data processing. If a bank can prove that an individual’s identity can’t be ascertained from their stored data, that data need not be held to the privacy measures prescribed by GDPR.
In order to assess a security alert, you need to view the data attached to the payment that generated the alert. But there’s no need to have access to information that doesn’t generate any alerts so that data—a significant amount—need not be stored in accordance with the GDPR rules. If you can use machine learning to reduce the number of false positive alerts generated by your system, you can also reduce the amount of data in your system that’s subject to the GDPR regulations.
To understand this in more detail, you need to know how traditional transaction monitoring differs from advanced monitoring. Traditional transaction monitoring is mainly rule-based. This means that an alert is generated whenever a specific payment violates a rule. For example, a rule might identify all payments greater than €250.000. Such payments generate alerts regardless of whether or not they are fraudulent. Alerts generated by an advanced transaction monitoring system, however, are far richer in terms of the information they provide, since the system can take into account factors like an individual client’s behavior and network, amongst other things.
The image below lays out how alerts are anonymously processed. On the left side of the screen, there are four questions. The system automatically determines the answers to these questions for every payment that passes through it. It’s only possible to unlock a client’s identity when the system determines from the ‘what,’ ‘worth,’ ‘when,’ and ‘where’ questions that a payment appears suspicious. In that case, the system generates an alert and once that happens, an authorized compliance officer will investigate the case further and will be given access to relevant private data from the customer involved. This access is granted on a ‘need to know’ basis only. For the vast majority of customers, private data will be shielded from the view of everyone within the organization and the system will automatically process their payments.
Meeting the 72-hour deadline
Not only can advanced transaction monitoring systems anonymize data, but they can also automatically create and maintain an audit trail. Every action taken by the compliance officer investigating an alert is registered within the audit trail. Keeping an audit trail is essential for overall accountability when presenting the results of an investigation and is also required by GDPR regulations.
PWC has identified meeting the 72-hour deadline for reporting a data breach to the authorities as one of banks’ greatest challenges. It requires them to have processes in place and to know exactly where their data is. For most banks, this is a challenge in and of itself. When the system automatically creates an audit trail, meeting that 72-hour deadline becomes a lot easier.
To create the audit trail, seven questions must be answered from the perspective of the researcher or case investigator. Those questions are:
● What was done to arrive at the reasoning behind the case?
● Weight of the sanctioning measures?
● When was the research done?
● Where do the facts used in the case come from?
● Who was involved in the investigation?
● With what (tools?) has the investigation been conducted or completed?
● Why does it explain the probable cause?
The audit trail helps banks defend their position if authorities ask them to explain why a customer’s personal data was accessed. Automatic report creation and the ease of sharing the audit trail make 72 hours far less challenging as a deadline.
Even without GDPR, transaction monitoring remains a challenging issue for banks. In our white paper “The one thing compliance managers can change to save their bank from regulatory fines (even if workload is unmanageable)” we explain how machine learning can help to reduce the number of false positives. Interested in reading more? Get free access to our white paper here.