Adverse media v privacy

An expert opinion piece from smartKYC CEO, Dermot Corrigan

Financial crime compliance professionals would do well to reflect on the decision last week by the UK’s Supreme Court to unanimously dismiss an appeal by Bloomberg, which had been sued by a businessman for infringement of privacy.

What’s that got to do with us, you might ask? Quite a lot, as it happens.

The businessman, a US citizen who worked for a company operating overseas and was named in court reporting only as ZXC, brought a successful claim against Bloomberg for “misuse of private information”. Bloomberg’s appeal failed on the grounds that “in general, a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation”.

Such privacy law creep, under the noses of parliament, will likely have far-reaching implications for press freedom. Curiously, ZXC’s privacy is being preserved even though he was acting in a professional capacity and carrying out business activities. As Bloomberg’s Editor-in-Chief John Micklethwait observed, the Supreme Court’s ruling implied that “his company’s investors, their customers and the public…had no right to know about the Investigation.”

Bloomberg Opinion

The financial crime perspective

From a financial crime compliance perspective, particularly as it relates to customer due diligence, there are a few considerations.

FATF, the Wolfsberg Group, the FCA, and many other stakeholders have all stressed the importance of adverse media checks, although specifics about how that is defined and what it entails are scarce. In our experience, and consistent with the risk-based approach, financial institutions have chosen a very loose interpretation of adverse. That is why, for example, smartKYC’s software distinguishes between accusations that can be classified as controversies (suggestions, rumours etc.) and those involving a competent authority like a court or a government (legally adverse).

But what now for banks? ‘Adverse archaeology’, researching past misdemeanours using media archives, will still be possible as this new ruling can’t be retrospective. But what is to be expected going forward? How does this impact perpetual KYC aspirations?

Perhaps further guidance is long overdue because there are precedents. My colleagues and I have been aware for some time of legal reporting restrictions in several European jurisdictions. Surnames are partially redacted, “Dermot C” instead of “Dermot Corrigan” for example, but this is not, as some would imagine, a requirement of GDPR. Rather it is newspaper editors calculating that the risk of disclosing an identity is not one worth taking in light of successful challenges based on European Court of Human Rights conventions (Article 8), which pre-date GDPR by many years.

Social media has made the whole situation a lot murkier as blogs and other non-mainstream media sites play by different rules. But while these restrictions are commonplace in Switzerland, the Netherlands and Germany for example, banks have come to smartKYC for a workaround. Articles will often contain more identifying attributes than just a name (age, nationality, gender etc.) and multilingual natural language processing technology can now pick out these attributes in ‘unstructured’ text, match them against the identifiers held on file by the bank and provide a confidence score as to the likelihood that the adverse media reference is about the bank’s client. Of course, we are happy to support them, but do the authorities expect banks to go this far when a surname is absent?

What will it matter that media outlets will no longer report that X “is alleged to be involved in”, “is suspected to have been”, and “is rumoured to have links to”? Privacy champions will claim a victory for personal liberty, but was anyone agonising over the rights of the individual following the disclosure of the names of the suspects in the Sergei Skripal case? After all, we are not talking about salacious gossip about someone’s private life. The allegations against ZXC relate to corruption, a grave offence if international legislation is anything to go by – the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act (UKBA), the Canadian Corruption of Foreign Public Officials Act (CFPOA), France’s Sapin II etc. And besides, this wasn’t idle speculation by Bloomberg: the fact of the matter was that ZXC was under criminal investigation.

A proactive understanding of risk

At smartKYC we distinguish between intrinsic and extrinsic risks as our clients wish to be mindful of ALL the reasons why the client might represent an unacceptable risk, not just at the point of onboarding but for the entirety of the relationship. So, the applicant might not necessarily have committed an offence for there to be reason to be uncomfortable about onboarding them. It is sometimes a nuanced rather than a binary decision to do business with someone and even if that answer is yes, those extrinsic risk factors will often determine the extent of their ongoing risk vigilance.

In a previous life I ran a risk intelligence business that, among other things, predicted terrorist attacks and other politically motivated violence. While many of our rivals were of the “a bomb has gone off, don’t go there” school of ‘intelligence’, we saw it as our job to forecast risk, even though we might not get it right every time. We believed that the value of intelligence is proportionate to its ability to anticipate risk. Are financial crime professionals not in a similar position, to make a call on all factors that might constitute a risk, not just those that are a matter of record?

In conclusion…

This ruling comes as London is once again under the financial crime spotlight. Last week a former Conservative Minister, Lord Faulks, branded the UK a “laughing stock” for its response to economic crime. “Oligarch’s paradise”, “Global hub for money laundering” and “London laundromat” are just some of the headlines from last week’s national media outlets. At a time when technology can extract useful open-source intelligence, not just about adverse media but source of wealth, network risk and much more, this development illustrates that individual privacy and corporate risk diligence is a tricky balance to strike.