EU/US face-off over FISA on the cards
It has been clear for some time now that some of the regulations coming into force around the globe contain contradictions and inconsistencies. A large part of the work done by JWG, Banking Technology’s partner for our regular RegTech coverage, has been in identifying these, working out their impact on systems and processes, and pinning down the issues they throw up.
In general, these are issues of detail and definition (or, rather too often, a lack of definition), and it can be the case that where two requirements are in conflict, satisfying the more onerous of them will satisfy the other by default.
That’s not going to be the case with the conflict between the US Foreign Intelligence Surveillance Act and the European data privacy and data protection proposals.
In a nutshell, the US wants to be able to see all the data there is about everything, and the European Union thinks that there is a human right to privacy – including the “right to be forgotten”, which sounds like a nice idea.
Sidestepping, for the moment, the fact that the rather ugly rationale behind FISA is to give the US government the right to snoop for political purposes, the practical implications are enormous. In order to comply with EU law, data has to be protected, so anything that touches the US would be noncompliant, presumably.
Data protection and security questions around cloud and virtualisation have long been issues for the financial services industry, but they are about to get a whole lot worse.
What about a US bank operating in the EU, storing customer data on its private cloud? Will it have to split the data, somehow? FISA covers non-US citizens and the EU legislation covers non-EU companies.
All of this will require a close look at data structures and data-handling procedures. The potentially good news is that so will most of the other regulations, and there is potential for that fabled thing, a holistic approach to the problem.
The requirements of FATCA, AML and KYC regulation are close enough for this to be a no-brainer, though more than 70% of firms don’t seem to have noticed, preferring to treat FATCA classification as a stand-alone issue.
Perhaps they think they’ve spotted a way to get round the FISA/EU conflict by doing that, but we’re not convinced.