The Financial Action Task Force (FATF) published a report on the 20th of July sharing experiences and case studies of balancing information sharing with data protection considerations. The report is non-binding – i.e. it does not impose standards on FATF member countries, instead, it provides recommendations for the jurisdictions based on observations and lessons learnt from already implemented information-sharing initiatives.
The report includes a brief summary of AML obligations (directed at the recipients from the Data Protection field) as well as a summary of main Data Protection obligations (directed at those from the AML field). The document provides various case studies of initiatives and projects undertaken so far and directed at AML-focused information sharing with the due consideration of data protection.
The main recommendations resulting from the report are:
- The public sector should consider taking an active facilitation role in private sector information sharing initiatives, for example by updating laws or supervisory instruments as necessary; making use of regulatory sandboxes and pilot programmes; highlighting areas, typologies or data types that would benefit from sharing; identifying a lead agency/contact point to promote collaboration and co-ordination; providing guidance or checklists; building secure platforms for sharing and oversight; and developing projects to harmonise and standardise data.
- The public sector should ensure and promote regular dialogue between DPP and AML/CFT authorities, consistent with the FATF Recommendation 2, as well as internationally, for example by holding regular forums; devising a joint strategy; providing joint guidance or conducting sector-wide engagement; providing assistance to industry initiatives; and conducting joint initiatives, such as regulatory sandboxes or technology sprints.
- The private sector should consider the application of privacy-enhancing technologies where they are fit for purpose; take steps towards data preparation; pursue data protection by design; establish early and ongoing engagement with DPP authorities; develop indicators and metrics to measure success; and adopt measures to prevent de-risking related to information sharing.