How financial surveillance in the name of counter-terrorism fuels social exclusion

[Photo credit: Images Money]

The global counter-terrorism agenda is driven by a group of powerful governments and industry with a vested political and economic interest in pushing for security solutions that increasingly rely on surveillance technologies at the expenses of human rights.

To facilitate the adoption of these measures, a plethora of bodies, groups and networks of governments and other interested private stakeholders develop norms, standards and ‘good practices’ which often end up becoming hard national laws or binding international obligations.

A welcome analysis of this trend is contained in the report on ‘soft law’ that the UN Special Rapporteur on counter-terrorism and human rights submitted to the UN General Assembly. Her conclusion is that these ‘soft law’ instruments tend to marginalise human rights: “In almost all of these arenas human rights are visibly side-lined or marginal to the norm production phase, as well as in oversight and implementation.” And yet these ‘soft laws’ – often developed by a small number of powerful states – are implemented across the globe, as either ‘hard’ laws and regulations or through “best practices”.

This is evident in one of the focuses of the Special Rapporteur’s analysis: the Financial Action Task Force (FATF). This is the body that sets the standards for counter-terrorism and anti-money-laundering in the financial sector. This is a sector that plays an essential and powerful role in our lives, yet is opaque to most people; add to this the secrecy surrounding financial crime and counter-terrorism, and it becomes particularly impenetrable.

As the Special Rapporteur found:

The FATF’s mandate contains no references to international law, international human rights law or international humanitarian law. However, laws and policies related to the standards set up by the FATF address issues such as criminalizing and prosecuting terrorist financing, targeted financial sanctions, tackling the risk of abuse of the not-for-profit sector for terrorist financing purposes and, thus engage human rights at multiple levels. Their impact is all the more significant as States generally adopt domestic laws and policies that enable them to implement FATF standards, thereby leading to national ‘hardening’ of these otherwise soft law standards. In the Special Rapporteur’s view, human rights implications linked to the development and implementation of these standards require sustained and in-depth attention.

Significantly, the norms set up by FATF are “fast-tracked into binding legal standards”, as illustrated with the adoption of the UN Security Council resolution on terrorism financing (adopted in March 2019.) In the words of the UN Special Rapporteur, the resolution

specifically gold-plates the FATF and its norm production process by urging all States to implement the comprehensive international standards embodied in the revised Forty FATF recommendations on Combating Money Laundering, and the Financing of Terrorism and Proliferation and its interpretive notes. The FATF is an exclusive, non-transparent, State-created forum to which civil society and UN human rights entities have little or no consistent access. It has, in the financing terrorism context, become the short-cut to rule-setting, involving few constraints for States.

What, then, in Privacy International’s view, are the implications of the FATF and it’s impact on privacy? How does this organisation, probably largely unknown to many, have an impact on the rights of individuals and communities, and affect civil society around the world?

Setting the context: surveillance of financial data

Financial data is some of the most sensitive data about people, revealing not only their financial standing but also factors like family interactions, behaviours and habits, and the state of their health, including mental health. While monitoring and regulating financial transactions are important for investigating and preventing terrorist acts and other serious crimes, it is essential that it is done in a way that does not endanger human rights.

Interference with human rights and capabilities of surveillance in this sector are many, but generally fall into the following stages:

• information requirements placed upon individuals and organisations, including identity documentation for opening and using accounts, requirements to explain the reasons of financial transactions (customer due diligence);
• generation of profiles and suspicious transaction reports on individuals' and organisations’ activities based on the characteristics of the transactions;
• sharing of these reports and other financial data with Financial Intelligence Units, who then sometimes share data with law enforcement agencies;
• bulk sharing and access to data by government authorities, such as when the U.S. intelligence services gained access to SWIFT, without any safeguards or when generalised reporting is taking place to tax authorities.

These are often mandatory requirements that are not limited to investigation-led activities. In this sense, financial surveillance is markedly different to other forms of surveillance - where interferences to privacy must be on a case-by-case basis and authorised by an independent competent authority. Financial surveillance actively monitors transactions, generates intelligence on these transactions, shares data based on how the sector identifies 'suspicious activity' as opposed to being led by a law enforcement investigation. Another difference is the key role played by the private sector (including financial institutions, but also involving state agents and other actors).

The practices outlined in this briefing are generally well established and have been in place for over twenty years. The sector is facing changes however, particularly in light of counter-terrorism. These changes are driven by:

• The changing nature of terrorist financing, with the amounts of cash required to conduct terrorist acts now very small;
• The changing nature of data in the financial sector – data for the analysis, scoring and profiling of customers; and how this has led to a RegTech industry using data-driven techniques to meet with compliance;  and
• The changing use of technology to combat financial crime, including technologies like Artificial Intelligence.

Sectoral changes are also occurring with new entrants from the fintech sector as well as major platform companies entering with financial products (e.g. Apple, Google, Samsung, WhatsApp Pay), as well as innovations around blockchain (e.g. bitcoin, and the recently announced Facebook's Libra.)

The key regulatory framework that sets and monitors, but does not necessarily govern, this domain is established by the Financial Action Task Force (the FATF.)

The role of the FATF

The FATF was established in 1989 by the G7, to set standards and promote effective implementation of legal, regulatory, and operational measures for combating money laundering. In 2001 its remit was expanded to cover terrorist financing and other related threats to the integrity of the international financial system.

Though in theory it only sets recommendations, it also has a monitoring function that evaluates countries' performance. Yet the FATF contends that implementation is left to national law and financial institutions. This often means that when concerns are raised, the FATF argues that the concern resides in national implementation and is thus not their domain; yet national implementation is monitored by the FATF.

The consequences of this were highlighted by the Special Rapporteur:

while the standards are not legally binding and can therefore be characterized as ‘soft law’, consequences of non-compliance can be onerous and may negatively impact, among others, the respective country’s access to financial markets, trade, and investment. This puts considerable pressure on jurisdictions to ensure compliance and may incentivize a de-prioritization of human rights considerations.

The FATF's Recommendations have been revised a number of times, often resulting in an expansion of the interferences identified above, including:

• in 2001 it added the targeting of non-profit organisations ('NPOs') as 'particularly vulnerable' to use by terrorists which led to concerns about 'de-risking' by financial institutions;

• in 2003 it added requirements around 'customer due diligence' (CDD) and Financial Intelligence Units (FIUs), which led to concerns around identity requirements, generation of vast data sets of financial transactions, and financial exclusion.

While the Special Rapporteur found that “FATF standards have in general not undergone meaningful human rights scrutiny”, a positive change occurred in 2016, when following campaigns by civil society organisations and concerns expressed by the UN Special Rapporteur, the FATF revisited Recommendation No. 8 covering NPOs. It removed the claim that the NPO sector is “particularly vulnerable” to abuse. Changes were also made into how the FATF evaluates countries' implementation of Recommendation 8 - recognising the “chilling impact that regulations may have and not discouraging legitimate NPO activities”.

The FATF and Identity

The impact of rules surrounding money laundering and terrorist financing extends far beyond the financial sector. In particular, meeting the FATF requirements on customer due diligence is a key driver of government identification systems worldwide. Identity requirements lead to interference with privacy and other human rights, as well as social exclusion. For example Privacy International’s research has revealed how in Chile, the lack of access to a national ID number leads to a high degree of exclusion, including but not limited to financial services. Thus, the impact of the FATF recommendations far extends beyond the financial sphere.

Customer Due Diligence and its implications on privacy

Customer Due Diligence (CDD) is covered under the FATF's Recommendation No. 5. It requires that financial institutions identify the customer and verify that customer’s identity using reliable, independent source documents, data or information.

The institutions must identify the customer's identity using “reliable, independent source documents, data or information […] understand and obtain information on the purpose and intended nature of the business relationship, and conduct ongoing due diligence and scrutinise transactions.”

The problem that often arises is actually that governments go well beyond the FATF requirements. As FATF notes:

Industry feedback highlights a number of practical difficulties regarding identification and verification requirements, most of which arise pursuant to national legislative or regulatory requirements, and not the FATF Recommendations. For instance, in a normal CDD scenario, the FATF Recommendations do not require information to be gathered on matters such as occupation, income or address, which some national AML/CFT regimes mandate, although it may be reasonable in many circumstances to seek some of this information so that effective monitoring for unusual transactions can occur.

Over the years the FATF recognised the need to address financial exclusion. Excluding some actors from using the financial system they govern (e.g. by imposing too rigid frameworks and rules re: identification) risks resulting in those actors using alternative systems.

According to the FATF, they introduced a Risk Based Approach (RBA) to introduce flexibility into an otherwise rigid framework. In 2017, a new guidance articulated CDD requirements to ensure that "financial institutions can effectively identify, verify and monitor their customers and the financial transactions in which they engage, in relation to the money laundering and terrorism financing risks that they pose."

The three core elements of “identification”, “verification” and “monitoring” are intended to reinforce each other, so that the "financial institution builds knowledge of the customer".

Despite the language on RBA and financial inclusion, the FATF strongly insists on government-issued forms of identification, supports privacy invasive biometric identification systems and demands retention of identification documents raising risks of abuses and data breaches.

• Reliance on government-issued identification documentation

The FATF 2017 guidance recognises that “one of the main obstacles to providing appropriate regulated financial services or products to unbanked customers is their lack of reliable identity documentation and data verification." However, the FATF argues against an exemption approach. As such, the revised Recommendation does not modify the basic CDD requirements. Rather they clarify only how the broad RBA principle relates to the implementation of CDD measures.

• Reliance on biometric identification systems

While noting that challenges still remain, including related to the necessary technological infrastructure, the FATF supports the adoption of innovative, technology-based means to verify customer identities, including biometric registries. Of particular concerns, the FATF highlights as positive cases India's eKYC under Aadhaar, Colombia's national fingerprint database, and Pakistan's NADRA and SIM registration system. At least two of these systems have been critically analysed by civil society.

Suspicious transaction reporting

The FATF requires all countries to have legal or regulatory requirements that mandate the reporting of suspicious activities. The FATF Recommendation No 20 requires the reporting of incidents to a country's Financial Intelligence Unit. This requires internal monitoring at financial institutions to identify any unusual behaviour. 

In 2015, the FATF argued that sharing of data is a key way of combating terrorist risks, including by recommending “empowering FIUs and other competent authorities to improve the exchange of financial and other relevant information domestically and internationally in a timely manner. The ability to detect, analyse and share information about financial flows is essential to financial investigations. For terrorist-related cases, governments should be able to obtain relevant information from all sources more rapidly. To achieve this, countries should strengthen inter-agency communication among financial intelligence units, law enforcement and intelligence services; encourage spontaneous exchanges of information among countries.”

Despite the plethora of data required and of reporting, the system is far from effective. 90% of Suspicious Activity Reports (SARs) from the private sector are not relevant to law enforcement investigations. It is estimated that less than 1% of all global illicit financial flows are intercepted. This raises significant doubts as to whether the financial surveillance and reporting currently being supported by the FATF is necessary and proportionate to the achieve the legitimate aim of preventing terrorism financing.

Investigation and surveillance

The FATF Recommendation No 31 envisages wide surveillance powers to competent authorities investigating terrorist financing. Investigators must have access to “all necessary documents and information” related to these types of offenses, and are able to use investigative techniques like “undercover operations, intercepting communications, accessing computer systems and controlled delivery.” Furthermore, investigators can “ask for all relevant information held by the FIU.”

Some of these techniques, notably “accessing computer systems”, are highly intrusive to privacy and may not be justifiable under international human rights law. Government hacking for surveillance has the potential to be far more privacy intrusive than any other surveillance technique, permitting the government to remotely and secretly access our personal devices and the data stored on them as well as to conduct novel forms of real-time surveillance, for example, by turning on microphones, cameras, or GPS-based locator technology. Hacking allows also governments to manipulate data on our devices, including corrupting, planting or deleting data, or recovering data that has been deleted, all while erasing any trace of the intrusion. For that reason the UN Special Rapporteur on freedom of expression observed that hacking constitutes a “new form[ ] of surveillance” as it permits states “to alter – inadvertently or purposefully – the information contained therein,” which “threatens not only the right to privacy [but also] procedural fairness rights with respect to the use of such evidence in legal proceedings.”

There is no accompanying guidance to this recommendation. As a result, the FATF risks condoning surveillance measures which are not compliant with international human rights standards.

New technologies, new industry and new challenges

The FATF is not standing still. They are also actively watching innovations in fintech to ensure that it does not become the new cash.

In 2016 the Executive Secretary of the FATF argued that “the greatest risks of FinTech are often the lack of oversight or governance and the anonymity they can provide, a characteristic they share with cash.” He also noted that changing technology was a risk and opportunity: “In a time when teenagers can create false IDs on their computers in their bedrooms in minutes, the value of customer identification using photo ID cards is becoming increasingly limited. At the same time these teenagers – and many of us – are posting everything about ourselves on the Internet and through a myriad of devices, and are leaving a unique digital footprint. So we now have the possibility to exploit FinTech and RegTech to update and substantially improve customer due diligence.”

This indicates that they believe that additional personal data, beyond government-issued ID, can be used to develop and establish identity for the purpose of customer due diligence.

Privacy International notes that the trend of financial institutions is towards expanding the range of data they collect and analyse for CDD purposes, including to identify terrorist financing. The financial sector relies to a large extent on “open source intelligence” (OSINT) and “social media intelligence” (SOCMINT). Other forms of identification by financial institutions that do not place a reliance of formal identification also results in a great deal of privacy violations, for example by looking at the entire contents of an individual’s phone or their social media accounts. These are approached by the financial sector (as well as law enforcement officials and security agencies) as being unproblematic sources of information for their intelligence activities. They argue that this collection and analysis of data have little impact on people’s privacy as and when it relies “only” on publicly available information. This inaccurate representation fails to account for the intrusive nature of collection, retention, use, and sharing of a person’s personal data obtained from public places and through social media. The European Court on Human Rights has long held that “there is […] a zone of interaction of a person with others, even in a public context, which may fall within the scope of “private life” particularly when this data is systematically or permanently recorded.

The use of vast new data sets, combined with technologies like Artificial Intelligence systems, creates new dangers. As Privacy International has seen with the field of predictive policing, the use of artificial intelligence and algorithms to make decisions on a limited data set can result in deeply prejudicial outcomes. Given the tiny amount of illicit financial flows that are detected, the danger is that using data and analytics in this context may reinforce existing bias in historical data whilst ignoring genuine criminality that doesn’t ‘fit the mould’.

The abuses related the use of regtech solutions have been documented such as those surrounding World-Check.

These trends (and the related abuses) come together to form challenges that will make the guidance of organisations like the FATF more relevant and potentially more dangerous in the future. The way the FATF will seek to intervene and potentially regulated the fintech and regtech sectors must be monitored.

Conclusions

The FATF is sensitive to criticism on privacy issues. The FATF President Roger Wilkins AO in October 2014 delivered a speech about de-risking, celebrating the use of biometrics in developing countries. And criticising the ‘privacy lobby' for being rigid and ideological: “I think the rigid and dogmatic application of so-called ‘privacy principles’ have a lot to answer for.”

Concerns remain around customer due diligence, particularly around identity requirements and suspicious transaction reporting. The systems that the FATF celebrates involve significant interferences with rights, as exemplified in the India's Aadhaar. No identity scheme is truly universal, and it will always lead to some exclusions. Furthermore, given the scope of ID systems, they result in exclusion in areas beyond that of financial services, like health and education.

The Special Rapporteur argues that the FATF risks undermining human rights norms: The “FATF standards have been referenced and endorsed in documents produced by UN entities and organs, most recently - and prominently - by the Security Council. Such endorsement should motivate the FATF to step up measures towards ensuring that its standards are designed and implemented in compliance with norms and standards adopted under the aegis of the UN, including international human rights law. Having UN-endorsed soft law standards fall short of these recognized binding norms would send a dangerous message that risks undermining globally recognized human rights norms.”

The development of ‘soft law’ such as the FATF recommendations in the name of countering terrorism has profound implications to individuals and societies. The fact that these norms are developed by organisation few have heard about, with no meaningful civil society participation and no consideration for human rights protection put into question the legitimacy of these norms. That is why the UN Security Council should not rush to endorse these ‘soft laws’ without assessing their implications for human rights. And it is also why FATF must explicitly include in its mandate the protection of human rights and must review its recommendations to ensure compliance with human rights, particularly in relation to the risks to privacy and to social exclusion.