In the fight against financial crime, collaboration is key — and now it’s finally possible. In this blogpost, Nick Goodall shares how Article 75 of the new EU AML Regulation, combined with Roseman Labs’ encrypted computing technology, makes interbank collaboration both legal and privacy-preserving. Discover how the newly launched solution Qorum enables shared investigations, secure data use, and joint SAR filings — without ever sharing raw data.
header image of blogposts titled "if criminals work ttogether, why don't why?" shown are many people that built the roof of a house together.

If criminals work together, why don’t we?

Seems obvious right? But why is it that the underground financial network is operating like a dark timeline silicon valley with tech startups and “angel” investors, and all AML investigators can do to work together is pick up the phone and wait on a hotline? Well it’s complicated and mostly about data privacy, but we’ll get to that.

For now, let’s imagine a new world. A world where the odds aren’t stacked against us and Banks can work together to stop criminals running roughshod over their institutions.  Where stolen money doesn’t just vanish into the ether when it leaves an account. 

Well, that world is much closer than you might think.

a hidden criminal network is unveiled through Qorum

The enabler.

New European AML Regulation (AMLR) was passed last year and comes into effect in 2027. Article 75 of that regulation is the thing that’s getting us excited: because it’s about sharing data between Banks

Here are the key takeaways of Article 75:

  • Data sharing partnerships between Banks or public authorities are now enshrined in regulation
  • Data can be shared for high-risk customers, or for determining whether a customer is high risk
  • Data can be shared for the purpose of fulfilling obligations to SAR filing and customer due diligence, where strictly necessary
  • All data sharing must stay compliant with GDPR
 

Of course, some questions remain: “strictly necessary” – what is that all about? “High risk customer” – how are we supposed to agree on this, when Banks set risk on internal factors?

And then there’s the really big one: how do we make sure we are compliant with GDPR?

 

 

The challenge.

As promised earlier, we are getting to this: Data privacy.

Getting GDPR compliance right is really hard. Particularly in an environment of significant public scrutiny where the wrong choice can mean that an innocent person can be blacklisted from the financial system, or worse, the police can come knocking round their door like they’re Walter White.

One approach is to use a neutral data trustee.  But then you have to give someone else special privilege with your data. So, you probably want a data trustee that’s publicly owned, like the example of EuroDat in Germany. But they’re not so common and tend to favour a transaction model where you can’t pool data for ongoing analysis.  Not to mention challenges around entity resolution with fuzzy matching criteria, such as names and addresses.

So, what’s the answer? How can we make sure that consumers’ rights are protected and, as the GDPR would put it, that data sharing is proportionate, minimal, and purpose bound?

dashboard of qorum application by spotixx for working together across banks.

The solution.

Encrypted Computing, that’s how  – specifically Multi Process Computation for the nerds out there. What on earth is that I hear you asking? Don’t worry, I didn’t know either until about a year ago when I was introduced to an exciting new company called Roseman Labs. 

You see, encrypted computing is pretty special. It means that data is encrypted at all times, even when it’s being used. This means:

  • There’s no need for a data trustee, it’s all just software!
  • Nobody, not even a computer, can see the underlying data unless through the use of highly specific authorized functions. That’s the so called “purpose binding” part of GDPR.
  • Insights can be extracted from the data without ever seeing the data itself. That’s the so called “data minimization” part of GDPR.
  • The data is scrambled and distributed to multiple different servers so it is completely hack proof and can’t be decrypted even by a quantum computer. This may seem over the top, but people are already stealing encrypted data now so that they can decrypt it in the future when quantum computers become available!

Let’s take an example. I want to know if my customer has some dodgy connections to accounts at other Banks but I don’t want to reveal any information about those accounts before I have a real suspicion. No problem. Without ever decrypting the data we can still tell you:

  • How many high risk connections your customer has,
  • Whether any SARs were filed by those connections,
  • How many times the same or similar name, address or phone number has been used to open accounts at other banks and whether they have been rated high risk or have any alerts attached to them,
  • Whether your customer is part of a known AML pattern, like a circular payment or a movement of funds to a high risk jurisdiction.
  • The list goes on and on…

    • We can even build a visual network out of the connections that investigators can explore. Still not enough to file a SAR; no problem. Now you have a clear justification that revealing more data is strictly necessary and proportional to the risk, so we can selectively display just what you need to complete your investigation, including PII. We call this the tollgate approach. If the risk is justified, we open the tollgate to the next level of data sharing.

    Suffice it to say this is a dream come true for data protection authorities. The Roseman Labs platform was built specifically for complying with GDPR, and hey! if it’s good enough for the Dutch National Cyber Security Centre, it’s good enough for us, right?

    So where are we going with all this?

     

    The innovation.

    Collaborative Investigations. Investigators at different banks and payment providers working together on the same criminal networks and reporting them together to the FIU.

    We believe in it so much we went ahead and built a product for it. It’s called Qorum, and it’s just the start. Here’s how it works:

    1. Qorum finds the networks by connecting alerts at different banks via shared transactions or identities, with attributes like names, addresses and phone numbers.
    2. Qorum scores the networks based on risk and how exposed your customers are to them.
    3. Qorum visualises the networks with detailed UIs built just for investigators.
    4. You work together in a secure workspace where investigators can chat, share insights, and upload documents.
    5. You file together attaching the same network identifier to the SAR so that the FIU can easily match them together.

     

    If you want to learn more about Qorum and encrypted computing, join us on June 24th for a webinar with Roseman Labs.  

     

    What’s next?

    We’re tackling fraud, that’s what. Watch this space for the launch of QorumFraud, more than just a fraud database: A new way to block payments, reveal mule networks, and freeze accounts before they can be used.

    Author:
    Nick Goodall, Head of Product

    Ready to join the collaborative fight against money laundering? Where do you see the biggest challenges and opportunities?  Let’s connect and discuss together!

    Read more.

    This website only uses technically necessary cookies and does not track or store any additional data. nice! But we still have to let you know, so here we are 🍪

    Close this Pop-up