Banks Strain to Satisfy Competing AML, Data Protection Rules

WASHINGTON — Banks are grappling with a pair of competing regulatory deadlines that may leave them with intercontinental whiplash over the collection of customers’ personal data.

At the same time that U.S. regulators are pressing banks to comply with an anti-money-laundering rule requiring them to collect more customer information, any bank with European Union customers has just a week to meet a separate EU deadline to ramp up data protection.

“It is like a regulatory nightmare with everything coming out,” said Jennifer Newton, director of risk advisory services at Kaufman Rossin’s Miami office, speaking specifically about the EU mandate. “From a financial perspective, not a lot of them are ready and they either don’t understand the implications or what applies to them based on their customers.”

Since May 11, U.S. banks have already had to comply with pieces of the Financial Crimes Enforcement Network’s Customer Due Diligence rule. The anti-money-laundering requirement, part of regulators’ “know-your-customer” policy, requires banks to obtain customer information to report beneficial owners of business accounts. Banks’ difficulty in complying with the rule led Fincen to delay a controversial component until August.

But by May 25, some U.S. banks also must comply with the EU’s massive General Data Protection Regulation, or GDPR, if they have European account holders. That rule requires banks to adopt measures to better safeguard client information and immediately report data breaches, or they could face hefty fines.

U.S. financial firms are trying to figure out how to have separate and much more stringent data protection standards for their European customers under the GDPR, compared with U.S. standards.

For example, firms must report a data breach within 72 hours of becoming aware of it under the GDPR, but the U.S. currently imposes no similar federal timeline for reporting a breach. However, some states have separate requirements.

Typically, a bank would just implement the most stringent standard across the board to be safe, Newton said. But with GDPR, the timeline for reporting a breach is much shorter than what many U.S. banks have built into their systems. And they will first need to figure out how much of their customer base would fall under the EU requirements.

Compliance with GDPR is made doubly challenging while banks are separately building a system to report the personal information of any beneficial owner with at least a 25% stake in a company opening an account, as required under Fincen’s CDD rule.

Observers said the Fincen rule could potentially trigger requirements under the GDPR.

If one of those beneficial owners is a “European national whose data is subject to GDPR, the fact that the bank is collecting that additional data because of CDD may . . . trigger foreign protection requirements that may not otherwise apply to a data file,” said Oliver Ireland, senior counsel at Morrison & Foerster. “In practice, I don’t know how big that burden is going to be.”

Uncertainty among banks over how to implement the competing rules was the driving force in Fincen’s decision to release a “frequently asked questions” document in April to clear up some of the confusion. Then, on Wednesday, less than a week after the rule took effect, Fincen said it was delaying a portion of the rule — requiring banks to report the beneficial owners of accounts that renew or roll over, like CDs — to Aug. 9.

“During this time, Fincen will determine whether and to what extent additional exceptive relief may be appropriate for such financial products and services that were established before May 11, 2018, but are expected to rollover or renew after such date,” Fincen said in its ruling issued Wednesday.

Fincen has been working on this rule for six years but the additional extension speaks to just how complicated implementing data-related regulations has become despite a universal goal to protect the financial system.

“Although we agree on the importance of this information, there are legitimate concerns about the application of this new rule and the impact it will have on financial institutions,” Rep. Steve Pearce, R.-N.M., chairman of the Terrorism and Illicit Finance subcommittee, said during a hearing on the CDD rule Wednesday. “Adding additional requirements will likely increase this occurrence and cut business off from the financial system.”

Testifying at the hearing, Fincen Director Kenneth A. Blanco argued that the rule would instead amplify a safe financial system rather than causing more de-risking at banks. But he said the agency will monitor the rule’s implementation to watch for such issues.

“What we’re talking about is a financial system that is safe and secure that everybody can benefit from, including the banks … so I know we talk a lot about costs but I can just tell you what we’re asking for is something very simple. I cannot imagine it costing too much,” he said. But “we take de-risking very seriously” and “those are things that we’re going to take a look at and make sure that those things do not happen for the wrong reasons.”