Global Healthcare Insurance Provider Balances Data Privacy Requirements with Centralized Oversight for Utmost Effectiveness in Regulatory Compliance
Challenge: Local Data Privacy Laws Preventing Centralized Operation
A global healthcare insurance provider sought to put in place an AML compliance program that would support both their U.S. headquarters and their regional offices in 10+ countries worldwide. Strict data privacy laws in certain non-U.S. countries, especially in Asia, prevented them from developing a fully centralized program that would ensure consistent processes and results at all of their locations.
Solution: Develop a Hybrid Approach to Fulfill Local and International Requirements
The provider knew that they had to meet the local data privacy regulations that prohibit data from leaving the countries where many of their offices are located. Yet they also needed to satisfy the company's desire for a more centralized compliance program that, in total, would process over 30 million customer and vendor records every day. To resolve this challenge, the provider decided to implement a hybrid approach to data processing and decision-making. First, a centralized server in a secure cloud was put in place to handle most countries' data processing needs, while the countries with strict data privacy laws were given their own on-premise solutions in accordance with each country's regulations. To better cater to local regulatory requirements, each country was allowed to screen against the sanctions and PEP lists relevant to its own regulations in addition to the core watch lists. Further, customized matching rules were developed to accommodate name structures that differ culturally by country, e.g., Thai and Chinese. Finally, a consistent approach to training and reporting was adopted for better central oversight and efficiency.
Result: Consistent Approach that Accounts for Local Regulations and Knowledge
This hybrid approach enabled the insurance provider to achieve better centralized oversight of their compliance operations where regulations permitted, while also allowing them to adhere to local regulations and to leverage local knowledge for exception reviews and decision-making. This ultimately maximized the effectiveness of their compliance program.