National Australia Bank's Paul Jevtovic: Public-private partnerships key to data privacy In brief“People want things faster, seamless, safer, and I think we’re at that point where we need to understand what are we prepared to forego that was traditionally captured under the privacy regimes that we operate under for some of those increased services.”“We’ve got to trust each other. Government agencies have to increase their level of trust of the private sector. The private sector has to earn that trust, and you earn it by the way you protect the information, the way you collaborate without compromise.”“We need to get the balance right and I think ongoing engagement between the public and private sector, giving the individuals a voice that we actually listen to, that’s the combination that we need to get right and it’s always going to be a balance.”In this interview:1:20 – Balancing data privacy and AML requirements2:41 – Cross-border data transfers3:53 – Creating a data privacy culture5:20 – The challenges with AI7:48 – Private-public cooperation10:10 – The next five years of privacy risks Topics Cybersecurity and Privacy Artificial Intelligence Read transcript + Joe Kornik:Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we’re joined by Paul Jevtovic, the Chief Financial Crime Risk Officer and Executive, Group MLRO, at National Australia Bank. Paul has enjoyed a long career serving Australia in national and international law enforcement, national intelligence, anticorruption and as CEO of AUSTRAC, as well as Regional Money Laundering Reporting Officer and Head of Financial Crime at HSBC. Paul will be speaking with my Protiviti colleague, Managing Director Adam Johnston. Adam, I’ll turn it over to you to begin.Adam Johnston:Thanks, Joe, and welcome, Paul. Paul, first, thanks so much for taking time out of your busy schedule to speak with us today. It’s great to have you.Paul Jevtovic:Thanks, Adam. Great to be here. Appreciate the invitation.Adam Johnston:Now, I know privacy is a topic you care deeply about, particularly given your experience across governments, law enforcement, as a former financial crime regulator and most recently, a banking and financial services executive across Asia Pacific. So, to start us off, can you describe the key challenges we face in balancing data privacy regulations and AML requirements?Paul Jevtovic:Yes. Look, it is something that is dear to my heart because I think it is both a significant challenge, but equally, a great opportunity. I think we’re at a bit of a crossroads where we are confronted with outdated privacy laws and I think that there’s probably less debate about that now and greater recognition, coupled with shifting community expectations. There is a reconciliation needed between community expectations around the kind of banking services. People want things faster, seamless, safer, and I think we’re at that point where we need to understand what are we prepared to forego that was traditionally captured under the privacy regimes that we operate under for some of those increased services. So, I think that’s the kind of landscape in which we’re trying to navigate a way forward.Adam Johnston:Yes, I know. Absolutely. How about the challenges associated with cross-border data transfers, given the varying international privacy laws?Paul Jevtovic:In Australia, for example, there’s quite a diverse range of thinking on the issue of privacy and you can imagine then if you transpose that into a global setting where there is a lack of consistency amongst jurisdictions. There are very different cultural expectations around privacy and so trying to reconcile that in a global context is a significant challenge. We need to be thinking about what are those fundamental principles upon which, from a global standards perspective, we can agree and we’ve proven that we can do that in ways. If you think about financial crime, we have the Financial Action Task Force, which nearly every country in the world has embraced and fundamentally, they’re setting global principles and global standards for everyone to follow. So, it can be done and I think that’s where we’re at on the privacy venue as well.Adam Johnston:Yes. No, fantastic. What about from an employee perspective? How do you educate employees about navigating the complexities of diligent AML practices with the safeguarding of individual rights and personal information?Paul Jevtovic:Yes. In our bank, for example, we culturally were driven by customer obsession and that fundamentally means that no matter where you work in the bank, we put our customer first, whether that’s in the quality of services, the way we engage them, keeping them safe. So, that customer obsession is critical and it’s something that 38,000 people in my organisation have buy-in because our CEO has set a very clear expectation around that. People really have bought into it and rightly so, given what our banking industry is all about. The other way is to ensure that we help educate our people and train our people. I know that our organisation has robust mandatory training around our privacy laws and around some of the challenges of navigating those laws, whilst delivering a service and keeping our customers safe.Adam Johnston:Yes, absolutely. How concerned are you that AI will be used to steal or even create identities, making KYC that much more difficult within organisations?Paul Jevtovic:Yes. Look, AI is a dual-edged sword. There is no question that it’s going to entities presenting opportunities for us to protect our customers safer, more efficiently. Technology and the maximisation of data, which really is what AI is at its core, is a real opportunity that we should embrace. However, for all the opportunities it presents, it is also a tool for organised crime and they have already embraced it and are compromising individuals and organisations.Adam Johnston:Paul, what are your thoughts, in your current role and as a former regulator, on how or even whether AI and LLMs can be developed without compromising customer privacy? Will use of technologies that anonymise and pseudonymise customer data undermine the effectiveness of these models?Paul Jevtovic:The issue is going to be, how do we ensure anonymisation so that we can maximise LLMs in using case studies, et cetera, the sharing of data within a large multi-jurisdictional organisation and then the sharing of data more broadly between organisations. Why is that important? The reality is that no one organisation, whether it be government or private sector, is going to be able to defend itself, its customers against serious and organised crime. I’ve been on the public record saying that I think the greatest nemesis of organised crime is a unified public and private sector working in harmony. I think LLMs are a great opportunity, but again, it’s going to be the ability to anonymise and protect the privacy aspect of the data that each of our organisations deal with.Adam Johnston:Yes, and Paul, just given your experience as well, maybe, what are your views on that cooperation between private and public sector and is it advancing? Is it keeping pace?Paul Jevtovic:Yes. Look, I think it is advancing and is it advancing fast enough? From a personal perspective, no. I would like to see it accelerated for the reasons I’ve mentioned. I believe it is a differentiator for how we fight crime globally. I don’t think it was ever anticipated by the criminals that governments and the private sector would work hand in hand, together, and I think that’s been exploited for a very, very long time. We’ve seen just in some of the evolution of the last, let’s say, decade of public-private partnerships, how powerful we can be. We’re only at the tip of the iceberg, I think, of realising our true capabilities when we work as one. If I was to point at a very good example, is the way governments and the private sector have come together around tackling cyber. There is a very good example. If I think back to tragedies like 9/11 where the war against terror unified both public and private. I’d like us to stop waiting for catastrophes, to come together and actually realise the opportunities that exist, but things have got to continue to evolve. For example, we’ve got to trust each other. Government agencies have to increase their level of trust of the private sector. The private sector has to earn that trust and you earn it by the way you protect the information, the way you collaborate without compromise. So, I think we have made progress. We’re not making it fast enough and I think there’s a lot more that we can do.Adam Johnston:Yes, great insights. I’m contemplating, is it even realistic to think that financial institutions can protect customer privacy anymore just given the pace of hackers and criminals, which are often first to adopt the new technologies and different methods, and so as you allude, that partnership and cooperation is critical for both to keep pace. Does the financial services industry do enough to inform customers about their privacy rights, how their data is used? Is there more financial services industry should be doing or even regulators, for that matter, to inform customers on how their data is being used?Paul Jevtovic:Yes. Look, I think from my own organisation, it is a priority and it is something we’re very conscious of, but I think—look, scams have highlighted just how critical and how education, it’s got to be limitless because the risk—and again, staying with scams for a minute, the typologies around the type of scams criminals are committing are evolving. You and I are going to finish this interview and there will be new scam typologies that didn’t exist before we started. There’s the reality of our environment and so that education process must be constant. It must continually evolve and so I think again, it goes to my earlier point about a shared responsibility. I think, as an organisation, we have the responsibility to help our customers understand that risk and that should be regularly available information on our products and services, which I know are a priority for our business colleagues.Adam Johnston:Yes, fantastic. Paul, looking out three to five years, what is your view on privacy risk for financial institutions? What will they be facing? What’s your advice to institutions that are committed to being best in class in managing these risks?Paul Jevtovic:Yes. Look, in our organisation and in previous organisations I’ve been involved with, and particularly in the last, let’s say, 12 to 15 years where data became such a critical commodity in business, in the way we fight crime, I think the role of customer advocates and privacy advocates, data advocates within organisations need to have an appropriate voice to ensure that we are conscious in all the decisions we make around those issues, around privacy, around data ethics, et cetera. I think there needs to be an ongoing education around the ethical use of data, whether that be through a privacy lens, is the use consistent with the reasons for which an individual provided the data in the first place? So, there needs to be that constant consciousness, if you like, around the ethics around how we use data. Again, I would say the third pillar for me is education and training. This is a space that I think organisations need to continue to invest in from an education perspective.Adam Johnston:Look, Paul, thank you so much. Very valuable insights and we’ll obviously be keeping an eye on the future of privacy. Any final comments before we hand back over to Joe?Paul Jevtovic:Now, look, Adam, thank you. Thanks, Protiviti, for providing a platform to share some of those thoughts. I would just say that we shouldn’t be afraid of some of the challenges. They can sound daunting. Privacy has been a taboo subject in many jurisdictions for a very long time. I think the more we talk about it, the less taboo it will become and we just need to have eyes wide open. I think we’ve worked very hard around protecting privacy for decades. I would hate to see the baby out with the bath water here. We need to get the balance right and I think ongoing engagement between the public and private sector, giving the individuals a voice that we actually listen to, that’s the combination that we need to get right and it’s always going to be a balance. Let’s not be mistaken. The threat of serious and organised crime is not diminishing. They are embracing technology faster, arguably, than legitimate industries and organisations. So, we’ve got to respond to that, and I would like to see that response in the shape of greater unification of the public and private sectors.Adam Johnston:Fantastic. Paul, look, thanks again. Thanks so much for your time and with that, we’ll hand back over to Joe.Joe Kornik:Thanks, Adam, and thanks, Paul. Thank you for listening to the VISION by Protiviti interview. On behalf of Adam Johnston and Paul Jevtovic, I’m Joe Kornik. We’ll see you next time.