“We Didn’t Start the Fire” is a column in collaboration with Foreign Policy for America’s NextGen network, a premier group of next generation foreign policy leaders committed to principled American engagement in the world. This column elevates the voices of diverse young leaders as they establish themselves as authorities in their areas of expertise and expose readers to new ideas and priorities. Here you can read about emergent perspectives, policies, risks, and opportunities that will shape the future of US foreign policy.
For decades, governments worldwide have struggled to strike the right balance between privacy and security. Technological advances have made this balance increasingly delicate, especially in the financial sector, where vast amounts of data are stored and often reported to the government. The now decades-old anti-money laundering regime was not designed with big data, algorithms, or artificial intelligence (AI) in mind.
Many would like more privacy protections than the data-driven financial system currently provides. According to the Federal Deposit Insurance Corporation, one-third of unbanked households who want a bank account chose to remain unbanked due to privacy concerns. As technological capabilities mature, it’s time to reevaluate and reassert consumers’ privacy rights.
HOW PRIVACY IS VIOLATED
Banking data has long been considered intimate, as illustrated by a 1979 Maryland Special Appeals court decision that stated, “If it is true that a man is known by the company he keeps, then his soul is almost laid bare to the examiner of his checking account.” Just one year before the Maryland decision, Congress codified a right to financial privacy through the Right to Financial Privacy Act. However, the act narrowly defines financial privacy and does not protect consumers from the types of suspicious activity reports mandated by federal regulators. In the era of big data, algorithms, and AI, the examiner is more akin to a psychic or a mind reader.
Even disaggregated data from just one vendor can be incredibly powerful. For example, there is the now famous 2012 story of a data scientist and statistician at Target who created a program capable of accurately predicting whether a customer was pregnant based on their purchases. The most dramatic detail of the Target example is that the program reportedly knew a teenage girl was pregnant and sent advertisements for maternity clothing and nursery furniture to her parent’s home address. This type of analysis is possible thanks to the power of record digitization, advanced computing, algorithms, and ridiculously cheap data storage rates.
Detailed record-keeping is integral to banking. After all, banks can’t operate without knowing whose money must go where. Further, to comply with anti-money laundering laws like the Bank Secrecy Act, banks must keep various details that allow them to create customer profiles capable of detecting abnormal behavior. The details included in a customer profile vary by institution but usually consist of geographic location, account volume, and the types and destinations of transactions. These details could allow the right law enforcement officer to determine an individual’s religion, political leanings, or possibly even their dating history or sexual activity with reasonable accuracy. Unlike those who choose to live without smartphones or other modern conveniences due to privacy concerns, bank customers find it nearly impossible to control or opt out of the level of detail banks require.
Opting out of the banking system entirely is possible but challenging, and it comes with steep costs, whether in check cashing fees or time spent paying bills in cash. Even so, those who opt out are still subject to government surveillance, because identical anti-money laundering measures, like the customer profiles mentioned above, also apply to businesses like Western Union and payday lenders, which often cater to the unbanked.
The data revolution’s impact on anti-money laundering measures is readily observable. Since 2014, the number of Suspicious Activity Reports (SARs) — reports filed by financial institutions like banks, securities firms, and even casinos about transactions they believe could be illegal activity — filed annually rose from 1.6 million to over 3.6 million in 2022, which is a 125% increase in less than a decade. Increasingly, banks use rules-based algorithms to sift through transaction data to detect and report anomalous behavior. While the name “suspicious activity reports” may conjure up images of duffel bags full of cash, in reality, the threshold necessary to trigger a SAR is simply a private employee’s gut feeling or an algorithm’s red flag. Regulators and the regulated alike have noted that this results in a “better safe than sorry,” over-inclusive approach to reporting suspicious activity.
Most importantly, though, this information is accessible by law enforcement without a search warrant or a subpoena. Therefore, the larger the number of SARs filed, paired with the powerful insight big data provides into someone’s life, the greater the ability of law enforcement to access vast swathes of intimate data without any protection from unreasonable search or seizure.
A CALL FOR REFORM
The rebuttal, heard countless times, that those who aren’t doing anything illegal have nothing to hide is flawed. SAR data includes plenty of activity that is suspicious enough to trigger a SAR but is not necessarily unlawful, such as someone depositing an abnormally large sum of money after winning the lottery. Such activity still deserves a level of privacy impossible to achieve today. Thousands of federal, state, and local law enforcement personnel can access SAR data. One should be wary of the government’s warrantless access to the treasure trove of personal information sucked up by this data vacuum and occasionally flagged by unaccountable algorithms. This level of government surveillance demands closer scrutiny and oversight.
States always walk a tightrope between privacy and security. Doing so requires constant recalibration in light of new technologies and threats. Big data allows law enforcement to access growing quantities of intimate data without the constitutional protections most Americans consider reasonable. In light of this, governments worldwide should re-evaluate their anti-money laundering measures to protect public safety and individual privacy in the 21st century.
One feasible option for anti-money laundering reform that protects consumer privacy and sustains law enforcement capabilities would be maintaining existing data collection practices but mandating search warrants. Such reform has a remarkably recent and analogous precedent; in 2018, the US Supreme Court ruled that law enforcement must obtain a search warrant before accessing location information stored by cellphone providers. The landmark ruling exemplifies governments revising privacy protections in light of technological advances.