By Brendan Leddy, Head of Compliance and MLRO, British Arab Commercial Bank.
Brendan, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I have been working in compliance and financial crime roles for nearly 25 years. I started my compliance career in NYC in the 90s (suddenly I feel old!) and moved back to Ireland in 2002 to work for Mellon Bank; I relocated to London 15 years ago and have worked in a number of international banks. I have a BA in English, Sociology and Political Science (National University of Ireland Galway), an LLB in Law (University of Wales) and in 2017 I completed an LLM in International Business Law (University of Liverpool). I am currently Head of Compliance and MLRO for BACB based in the City (the extent of regulatory change means that I am pre-occupied at present with MIFID II, GDPR, PSD2 and 4/5MLD).
We are looking forward to hearing your insight on data protection and privacy at the upcoming Fraud and Financial Crime Summit. Why do you feel this is an important talking point?
Revisions to data protection and privacy are long overdue and the EU’s GDPR is considered by some to be one of the most lobbied pieces of legislation in history! What makes this a key talking point is not just the scale of change that is imminent but the large-scale overhauling of current obligations with respect to the ways in which firms collect, store, process and protect personal data. Banks are custodians of massive amounts of personal data and the importance of data governance will be elevated to the executive level.
Can you provide an update on the new GDPR compliance rules and the importance of implementing this?
There are many sources of information available that explain GDPR but more importantly break the regulation down into small manageable deliverables. In summary:
- Banks should ensure that there is a point person within the bank who will drive the project (appoint a DPO). They will need to be supported by key staff to help cover all training requirements (employees, bank management and the board) in addition to revising all policies and procedures.
- Each department within the bank should be carrying out data audits to determine what personal data they have and how it is being held/stored. The firm should consider a compliance statement that addresses the implications of GDPR to ensure that every employee is aware of their obligations with respect to personal data.
- Many banks by default don’t include the destruction of records – between now and May firms will have the opportunity to undertake data cleansing exercises, that is, delete and destroy data that they are not required to have or hold.
- Documentation reviews should be undertaken, for example, review legal contracts, terms of business etc. Ensure the firm is aware of any outsourcing arrangements that are in place or other vendors that receive your firm’s data. In terms of privacy and consent, firms should ensure that they know what they need data for and what they intend to do with it.
What advice would you give towards gathering data into one place for analysis?
EU data protection requires organisations to take “appropriate security measures to protect personal data.” It is based around eight principles driving the data protection regime that dictate how personal data must be acquired, maintained, updated, stored, protected and disposed of (as provided above).
What challenges are presented with managing data restrictions across borders that institutions should consider?
Right now the EU provides strong protection for personal data. If data belonging to EU businesses or citizens is stored outside the EU, the transfer of that data needs to be secure with data protection requirements at the other end at least as strong as those in the EU. There is an extraterritorial element to the GDPR.
Finally, what challenges do you foresee within the Fraud and Financial Crime landscape over the coming years?
This is an incredibly difficult question to answer in a couple of lines – I completed a dissertation on this very topic, more or less. In short, the challenge will be greater as those who are intent on committing crime continually change their modus operandi and organisations must continue to be vigilant.