SUMMARY
Globally, restrictions on cross-border flows of data aren’t a new concept but have significantly increased in the last decade
The Draft PDP Bill empowers the Central government with the right to classify any data as ‘critical personal data’, which is mandated to be processed within the country
Privacy-enhancing technologies (PETs) have emerged as one of the most effective solutions to this challenge
In the past few decades, the increasingly interconnected nature of the global economy has seen the rise of multinational corporations and brought international regulatory systems into closer interaction with each other. With this increase in global commerce, the world has also witnessed a significant spike in cross-border crimes, prime among which are money laundering and terror financing.
Every year, terrorists, drug scions and other criminals launder between $2-$3 Tn according to estimates by the World Bank. Global regulatory and monitoring organisations have made concerted efforts to limit these cash flows but there is a consensus that a majority of this activity goes undetected.
The Financial Action Task Force (FATF) is an intergovernmental organisation which is one of the leading bodies fighting various kinds of financial crime. Combating the financing of terrorism (CFT) and anti-money laundering (AML) regulation form the core of the FATF mandate. They aim to improve compliance by reviewing member countries and promoting international cooperation between countries and relevant stakeholder institutions.
This is because one of the key factors underpinning the fight against terror financing is the free flow of data within financial institutions which have a presence in multiple countries. Companies that are forced to store data locally are unable to create common databases across locations, severely impeding their ability to analyse data patterns and preempt global criminal activity.
The FATF is scheduled to evaluate India’s AML measures — and the legal framework underlying it — early next year. The last such review was done in 2010 and it is in this context that India’s AML regime will be brought under the scanner. India has traditionally been a nation plagued by rampant money laundering. The Prevention of Money Laundering Act (PMLA) came into force in 2005 and was a major move by the Indian government to clamp down on this issue.
India joined the Financial Action Task Force (FATF) in 2010 and multiple amendments to the PMLA were subsequently put forth in lieu of India’s commitment to following global standards of money laundering legislation. These amendments, along with demonetisation in 2016, curbing tax evasion via the implementation of GST in 2017, and the Fugitive Economic Offenders Act 2018 form a fundamental part of the progress India aims to display to the FATF.
However, these measures were not enough for India to successfully create a secure environment for AML regulations over the past decade. High profile frauds such as the Punjab and PMC Bank cases and money laundering investigations have brought AML regulations within the country under scrutiny. Examining India’s AML measures in isolation is not sufficient, and instead the spotlight must shift towards India’s restrictive data localisation policies.
Globally, restrictions on cross-border flows of data aren’t a new concept, but have significantly increased in the last decade. This is true in the case of India as well, with the PDP Bill and the RBI policies signalling a clear push towards data localisation measures.
For example, the Draft PDP Bill empowers the Central Government with the right to classify any data as ‘critical personal data’, which is mandated to be processed within the country. Similarly, in 2018 the RBI issued a circular mandating all payment system providers to store data locally within the country. These moves have been justified on a variety of grounds, prime among which are law enforcement, national security and personal data protection.
Several opposing views have been put out to this stream of thought and there is a growing consensus that introducing strict data localisation restrictions is antithetical to the goal of enabling regulatory supervision and law enforcement. Limiting information sharing across jurisdictions undermines financial institutions by denying them an integrated source of data from which they would be able to ramp up their monitoring and risk management systems.
Furthermore, we must consider that supervision of global institutions can also be impeded if authorities in the respective jurisdictions are unable to share timely and detailed information between them. A simple example of this would be an increased risk exposure to international clients whose data cannot be aggregated across borders. Even in the case of a domestic client, the assumption that storing data within a national territory makes it safer is highly questionable, especially in the case of financial services which are usually highly integrated into the world economy.
Having said that, some of the aforementioned public policy goals such as protecting citizens personal data are rooted in logic. Privacy-enhancing technologies (PETs) have emerged as one of the most effective solutions to this challenge. These technologies are designed to protect personally identifying information from a data source. Using this, financial institutions can move towards combating money laundering while also preserving a clients’ data privacy.
Solutions using PETs increase the efficiency of AML compliance and information sharing by protecting personal identifying information, managing data transfers and even analysing encrypted data. This has ensured that leading regulatory bodies such as the United Kingdom’s Financial Conduct Authority (FCA) have integrated PETs as a potential solution to address the existing conflict between AML regulations and data privacy.
On the whole, CFT and AML regulation is one of the biggest challenges facing the global financial system. Considering the upcoming FATF review, it is important to take stock of the progress India has made but also chart out the way forward. India’s relatively rigid data localisation policies increase our exposure to financial crime and inadvertently encourage global flows of illicit money to pass through the country.
This has the potential to impact the integrity and stability of our financial system in the long term. The path forward involves implementing data localisation only with specific policy goals in mind, while embracing the importance of bilateral and multilateral data sharing treaties. Considering only 1% of global illicit cash flow is estimated to be captured, it is clear we have a long way to go. However, the free flow of data coupled with increased compliance have the potential to help take a significant step forward in this fight against terrorism financing and global financial crime.
[The article is co-authored by Kazim Rizvi founding director, The Dialogue and Gautam Kathuria, research and engagement associate, The Dialogue]
