Summary Payment Systems Broadcast #27: Article 75 and Privacy


Guests Nick Maxwell and Ian Wachters recently joined Session 27 of the Payment Systems Broadcast to explore how legal gateways and privacy-enhancing technologies are reshaping the fight against financial crime. 

As financial crime becomes increasingly networked and cross-border, the traditional methods of fighting it are proving alarmingly ineffective. Criminal networks operate globally, yet the institutions chasing them are often forced to monitor risk in isolation. 

A new regulatory landscape in the European Union promises to change this dynamic. Article 75 of the new AML Regulation aims to provide a clear legal gateway for private-to-private information sharing. But this raises a critical question: How can institutions share data meaningfully while preserving privacy, data rights, and institutional risk controls? 

To discuss this challenge, Nick Maxwell, Head of the Future of Financial Intelligence Sharing (FFIS) research program, and Ian Wachters, Commercial Advisor at Roseman Labs, together explored how Article 76 and technologies like Multi-Party Computation (MPC) could finally bridge the gap between privacy and protection. 

The Legacy Problem: Siloed Defenses

The conversation began by diagnosing why the current system fails. According to Maxwell, the global anti-money laundering (AML) framework has its roots in the late 1980s, an era that could not have anticipated the speed and connectivity of modern digital commerce. 

“The financial crime threats are linked across financial institutions and indeed across business sectors and across borders,” Maxwell explained. “If we run analytics in silos, we will have a very, very low efficacy.”

Under the current model, each bank must identify risk independently. If one bank exits a high-risk customer, that customer can often walk down the street and re-enter the financial system at another institution because the risk data does not travel with them. This redundancy is not only ineffective but also costly. 

“It’s inefficient, it’s ineffective, it’s very costly,” Maxwell noted, adding that collaborative analytics is the necessary evolution to address these networked threats. 

Article 75: A Legal Foundation for Collaboration

Article 75 of the new EU AML Regulation is designed to address this by creating a unified rulebook to prevent money laundering across member states. Critically, it provides a specific legal basis for information sharing, addressing the longstanding tension between AML obligations and data privacy laws such as the GDPR. 

“The entire purpose of Article 75 […] was that the information sharing provision would actually provide clarity and harmony with data privacy obligations,” Maxwell said.

However, the shift is not just about compliance. For financial institutions, it represents a significant operational opportunity. Wachters noted that while adoption is voluntary, the business case is clear for different stakeholders within a bank. 

“If you talk to the head of risk, they may say, ‘We will be able to support it to prevent fraudulent transactions earlier,’” Wachters said. “If you speak to the CEO, they will look at it from a cost perspective. By leveraging each other’s data and insights, we can reduce a lot of the effort that each of us is spending.”

Technology as the Enabler: The Role of MPC

While the law now permits sharing, the principal question remains: how do you share sensitive client data without violating privacy? 

This is where Privacy Enhancing Technologies (PETs), and specifically Multi-Party Computation (MPC), come into play. Wachters explained Roseman Labs’ MPC software platform, which enables institutions to jointly analyze data without ever exposing the underlying “raw” information to one another.

“With the technology, you are able to assess a risk […] while not exposing the information,” Wachters explained. 

He described the process using the analogy of encryption and puzzle pieces. Data is encrypted at the source and split into unrecognizable fragments distributed across different servers.

“The data, in fact, doesn’t live anywhere,” Wachters explained. “The data is broken up into pieces that are impossible to recognize […] Even a quantum computer would not be able to turn them into the original numbers.”

This capability transforms the concept of data sharing. Instead of sending spreadsheets of client names, banks can ask the network specific questions, such as “Is my client connected to a known mule network?” and receive a simple “yes” or “no” answer, or a risk score, without ever revealing personal identities.

“Nobody is sharing their client information,” Wachters added, highlighting how this approach aligns with GDPR principles, like data minimization and purpose limitation.

Uncovering Hidden Networks 

The real-world application of this technology is perhaps most potent in detecting “mule networks,” accounts used by criminals to launder stolen funds. These networks often span multiple banks and countries, making them invisible to any single institution. 

Wachters illustrated a use case where banks share attributes behind fraudulent accounts, such as device fingerprints or phone numbers, rather than just account numbers. 

“You will be able to start to see your network, because you will also be able to then see how these accounts are connected […] and monitor those accounts that were set up by the same organizations but have not yet been used,” he said. 

This moves the defense from reactive (closing an account after fraud has occurred) to proactive, identifying the network before the money moves. 
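The fragment-splitting and attribute-sharing ideas described above can be sketched with additive secret sharing, a basic MPC building block. This is an added example, not Roseman Labs' platform or code from the broadcast; the three-server setup, the bucket hashing, the function names and the sample fingerprints are all assumptions, and in this simplified version the servers can see which bucket is queried.

```python
import hashlib
import secrets

P = 2**61 - 1      # prime modulus; every share is an element of Z_P
N_SERVERS = 3      # assumed number of non-colluding compute servers
BUCKETS = 2**14    # length of each bank's indicator vector (assumed)

def bucket(fingerprint: str) -> int:
    """Map an attribute (e.g. a device fingerprint) to a vector position."""
    digest = hashlib.sha256(fingerprint.encode()).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS

def share(value: int) -> list[int]:
    """Split value into N_SERVERS random shares that sum to value mod P."""
    parts = [secrets.randbelow(P) for _ in range(N_SERVERS - 1)]
    parts.append((value - sum(parts)) % P)
    return parts

def share_flagged_set(flagged: set[str]) -> list[list[int]]:
    """Return one share vector per server for a bank's 0/1 indicator vector."""
    indicator = [0] * BUCKETS
    for fp in flagged:
        indicator[bucket(fp)] = 1
    per_entry = [share(bit) for bit in indicator]
    return [[entry[s] for entry in per_entry] for s in range(N_SERVERS)]

def server_aggregate(vectors_from_banks: list[list[int]]) -> list[int]:
    """A server adds the share vectors it holds; it never sees plaintext."""
    return [sum(col) % P for col in zip(*vectors_from_banks)]

def query(server_totals: list[list[int]], fingerprint: str) -> int:
    """Reconstruct only the number of banks that flagged this attribute."""
    b = bucket(fingerprint)
    return sum(totals[b] for totals in server_totals) % P

def run_demo() -> dict[str, int]:
    # Constructed sample data: flagged device fingerprints at three banks.
    banks = [{"dev-a1", "dev-b2"}, {"dev-b2", "dev-c3"}, {"dev-b2"}]
    shared = [share_flagged_set(f) for f in banks]
    totals = [server_aggregate([bank[s] for bank in shared])
              for s in range(N_SERVERS)]
    return {fp: query(totals, fp) for fp in ("dev-b2", "dev-a1", "dev-zz")}

if __name__ == "__main__":
    print(run_demo())
```

Each server's view is a vector of uniformly random field elements, so a single server learns nothing about any bank's list. Two different attributes that hash to the same bucket would be counted together, which is why a real deployment would not rely on a small bucket space.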

The Road Ahead: 2030 and Beyond

Despite the promise of Article 75 and MPC, challenges remain, particularly regarding cross-border interoperability and standardization. Maxwell pointed out that while the EU is harmonizing its rules, the global landscape is still fragmented. 

“We don’t use the same language around the world for thinking about scams and fraud,” Maxwell cautioned, noting the gap between “verbal taxonomy and technical taxonomy.”

However, looking toward 2030, both guests see a future where fraud prevention is integral to payment system design, rather than an afterthought. 

Maxwell envisions an ecosystem where “instantaneous alerting” and “very rapid law enforcement communication” act to restrain funds before they are lost. 

As the European Union moves toward this integrated future, Article 75 serves as the critical first step, turning the act of sharing intelligence from a legal risk into a powerful operational reality. 


Watch or Listen to Payment Systems Broadcast #27:

Article 75 and Privacy - The future of Cross-border Data Sharing

With:

Nick Maxwell (FFIS)

Ian Wachters (Roseman Labs)
