information sharing, 13 min read

Edgars Pastars on How Compliance Teams Can Work Better With Legal | Follow the Money #6

Jacob Story
Jacob Story
Head of Marketing

Most compliance teams have a legal problem — but not a legal issue. A communication one. The question “can we do this?” almost always comes back as “it depends” — and nothing moves.

In this episode of Follow the Money, host Dr Nicola Harding speaks with Edgars Pastars — partner at COBALT, one of the Baltic region’s leading law firms, and adviser to Finance Latvia. Edgars sits at a rare intersection: he is a lawyer who holds both CAMS and CGSS certifications, which means he understands both sides of the table.

He has also put that into practice at market scale, helping build the legal infrastructure behind Latvia’s intelligence sharing programme — part of the country’s broader journey from near-FATF greylisting in 2020 to a confirmed highly effective rating in 2026. He also chairs the ACAMS Baltic chapter board and lectures at Riga Graduate School of Law.

The internal conversation and the external transformation, it turns out, are the same conversation at different scales.

Dr Nicola Harding: A compliance officer calls their legal team and says “can we do this?” — and the answer comes back: “it depends,” or “probably not.” The compliance person is stuck. They either don’t move, or they move without the legal cover that’s so important. You’ve articulated this as the difference between two questions: “is it mandatory?” and “is it allowed?” It feels like a subtle distinction, but I suspect it changes everything about how those conversations actually work. Can you explain it in practice?

Edgars Pastars: The main mistake that AML professionals — or business people — are making with lawyers is they’re just throwing some vague question over the wall and they expect legal to provide all the answers and give their sign-off. It doesn’t happen like this.

From a compliance perspective, their mission is to fight financial crime. They think: if we’re doing the right thing, then everything we use to achieve this goal is legal and proportionate. But it’s not always the case. AML teams are mostly interested in the idea that the more information we can have, the better — but that’s not always the most compliant answer.

From a legal perspective, lawyers think differently. They sometimes stick to an approach I’d call “lawful but awful.” Their mission is to protect the institution — to stop it from abusing the legal framework, from breaching the law, and then being held liable for that breach.

Both of them have their own legitimate missions. You need to find common ground. And one of those ways is to start the conversation with the legal department and explain: what risks are we addressing here? Why is this reasonable? What is the necessity? What information are we gathering and what will we achieve by it?

Everything still depends on the text of the law — and I’d say the vibe the lawyer can feel in the boardroom. It’s important that business people set the tone at the top. Then the lawyer can decide: this is serious, the organisation would like to move to information sharing, or some other arrangement to help address money laundering risks.

Start the conversation by engaging them in solving the problem. Like a little kid — you give them a toy and they’re trying to figure out how it works. With lawyers, you can’t just say “can we do this?” That’s not the right way to approach it.

Dr Nicola Harding: If the compliance officer makes their case and legal still won’t give permission — is that the end of the conversation? How do you bring them on board?

Edgars Pastars: It depends what type of lawyer you’re addressing. If it’s a data protection lawyer, you need to understand how their mind works — it’s structured around data protection law, GDPR in Europe, for example. You need to present your case in the light of the mindset of the lawyer you’re talking to. A civil law lawyer is one approach; a criminal or defence lawyer is a different one entirely.

But first, you need to start with the problem and solve it together — rather than prepare the whole solution and then say “take it or leave it.”

We had a recent example when we set up information sharing on fraud. There was quite a vague sentence in the law, but it was still there — and that made the lawyers happy, but not happy enough. In order to convince them, we started thinking about risk mitigating measures. We said: okay, the information could be shared — but how can we reduce the amount we share? For how long are we keeping or processing the data?

“If you start talking about risk mitigating measures, you’ve started to engage the lawyer in the conversation. It’s like showing a bone to a dog.” — Edgars Pastars, Partner, COBALT

Start with the pain moments, the trigger points. That’s how to start a conversation — not by starting an inter-department fight.

Scaling the conversation: getting competing banks to share data

Dr Nicola Harding: You’ve done this not just within one institution but across several competing banks — getting them to sit down and agree to share data under a legal framework that didn’t fully exist. How do you even open that conversation to a bank’s board or their compliance leadership?

Edgars Pastars: First you need to find common ground — or I would say common pain — for all the banks involved. Sometimes negotiating something between banks is like forming a coalition government in the parliament. But all of them are lacking something. They’re always lacking information. So if they see benefit to it, it opens the door for conversation.

But that’s not enough. Banks are different — and one of the things that makes them different is their size. A bigger bank may feel like it’s losing competitive advantage by sharing information. So all of them must benefit somehow. And they must also contribute. What you share is what you get. If one bank is sharing and the other is just receiving, that’s not a partnership — it’s a one-way street.

Most compliance officers sitting in a bank can convince their boards by saying: we will need less money to mitigate those risks. We will have better information, so we are less exposed to financial crime. We can fight crime more efficiently. And it means for you — the board — that the probability of being fined and having our reputation damaged is way lower if we have this additional tool.

For example, if one customer is offboarded in one bank due to serious, grounded suspicions of money laundering — and then this customer immediately moves to another bank — or it’s a money mule who was caught red-handed in one bank and then moves to another. If you don’t have a warning system, you are not protected from those risks. Most likely you will catch them, but only after they have done their dirty work. And this creates exposure for you.

“Information sharing is like buying a radar — once you have it, you can’t live without it.” — Edgars Pastars, Partner, COBALT

Fragmentation: the vulnerability criminals rely on

Dr Nicola Harding: In financial services, we don’t always think of the threat as external — as one that cuts across all our competitors. It’s one of the genuinely unique propositions within the commercial world: we’re all centred around the same adversary rather than each other as competitors.

Edgars Pastars: The criminal world is exploiting one vulnerability we all have as financial institutions, and this vulnerability is fragmentation.

As we work in silos — our organisations are separate and not sharing information, either typologies or even real names, operational data — they are getting the benefit of that. It’s for the benefit of the criminals for us to be less equipped and fragmented in our approach to tackle financial crime.

How Latvia built its intelligence sharing infrastructure

Dr Nicola Harding: Latvia was on the verge of FATF greylisting in 2020. What changed on the ground, and how instrumental were these projects in creating a new compliance environment?

Edgars Pastars: First of all, we need to talk about several types of information sharing — and you constantly need to improve all of those solutions. They’re not static. You can’t just say “all done, we can move on.”

Back in 2018, when we had issues with almost being greylisted for non-compliance with FATF standards in terms of efficiency — we had laws and regulations which were mostly compliant, but the efficiency was poor. So we started discussing how to improve efficiency. Efficiency means that banks can spot suspicious transactions, they can report them, those reports are actionable, and the police can investigate and then freeze and seize those illicit assets.

Then our colleagues from the UK’s National Crime Agency helped us with some advice on public-private partnerships — how the banks and the police could meet on some safe ground, a safe space, and discuss things. Discussions which are not strictly allowed by banking secrecy, but which could lead to evidence obtained in due process.

We came up with this public-private partnership model, which is super effective. It was not common for any continental law country to have such an approach back then. It really helped banks to talk with the police. For example, if the police are monitoring one client, the bank can meet with the police or the financial intelligence unit at their office and say: what should we do, how do we do the monitoring? Then the police can ask: what data do you have? The bank says: we have this data, but you need to request it. And now the police can request that data more precisely — targeting what they actually need, not just what they think the bank could have.

Afterwards, we understood that public-private partnership is not the only thing we need. We already had some private-to-private information sharing on offboarded or rejected customers. And then we understood that we need a structured approach. We can’t just share lists of people without ensuring that the data is protected, and that this right is not abused by banks.

So we ensured that the sharing is structured. We have clear rules on what we can and cannot share — for example, a bank’s risk appetite for rejecting a customer cannot be shared. Only significant and appropriate data is shared, and it is deleted after a set period of time. You can’t keep it forever, because sharing this data could facilitate financial exclusion. You need to be accurate when you share something.

That’s why we chose Salv’s platform. How we can share in a safe way, with structure. But of course, the structure was set up by us — what is shared, what can be shared, what is definitely prohibited from sharing, and how to ensure quality and data consistency. Because you can’t just say “Edgars was rejected and most likely he was a money mule.” It doesn’t work like that. You need to provide structured data so you can analyse it and have it in good quality. It’s not about whether you can or cannot share. It’s about ensuring that the data is kept in good quality and that the right of sharing is not abused.

What intelligence sharing looks like operationally

Dr Nicola Harding: What does the compliance benefit actually look like for any bank participating? What do they get that they wouldn’t get from their own data alone?

Edgars Pastars: They’re joining a collective effort of figuring out who the bad actors are in the system — not only for money laundering, but for sanctions evasion, terrorism financing, and fraud.

If you want to fight fraud, which is a hot topic right now, you can’t actually do that without sharing information across the whole fraud chain — mule accounts, device identifiers. If one bank notices that money is flowing to a mule account in another country, if that bank immediately warns others, the other banks can stop money flows to that specific account. For five hours, for a day — it’s enough to protect hundreds of victims who are being targeted by scammers right now. Otherwise, those banks couldn’t stop the money. Most likely they’d use algorithms to analyse transactions, but more people would have been harmed.

When it comes to AML, you need to set clear criteria. Risk appetite cannot be part of the equation. You need clear rules: if you have grounded suspicions of money laundering activity, you share those risk indicators. But the other bank is not entitled to fully rely on this information — it’s just a risk indicator. It means: maybe accept the client, but do enhanced due diligence on specific transactions. Be more vigilant. You see risk patterns, you see those risk pockets. You might have spotted them eventually on your own — but maybe after one or two weeks, maybe a month. Here, you can spot the risk faster and know what to target.

The role of regulators

Dr Nicola Harding: What was the role of the regulators in all of this — were they for it, against it, partners?

Edgars Pastars: When we first presented the public-private partnership idea, eight or nine years ago, not all institutions understood what it actually meant. We needed to do some convincing — but at some point they got excited about the results this information sharing could bring.

When it comes to private-to-private information sharing, there was a sort of supervisory expectation that this sharing should take place — it wasn’t out of the blue. Those rules had been included in the law for about fifteen years, but with a different mindset back then. We saw that we could utilise those old norms and improve them.

I’d say policymakers and supervisors were helpful. And in our case, a key factor was that the people at the data protection authority were quite familiar with anti-money laundering. That’s not the most common background for data protection officials — but because of their previous work, it was easier to explain what financial crime prevention is and why information sharing helps.

But the one thing you must not forget is competition. Sharing information between competitors can create a breach of competition law. There must be assurances that competition law is followed — for example, what kind of information is shared must not create any sort of agreement to specifically service or not service segments of clients, or to use the data for commercial purposes. That’s something you need to keep in mind when setting up information sharing arrangements.

Why having CAMS and CGSS as a lawyer changes everything

Dr Nicola Harding: You hold both CAMS and CGSS certifications, which most lawyers do not. Why does that combination matter for projects like this?

Edgars Pastars: My background is policy. I came from the public sector, doing quite a lot of policy work — not just focusing on how something is written in the law, strictly sticking to the letter of it.

Lawyers focus on compliance with the law. It’s mostly black and white — compliant or not. There might be some interpretation, you can argue in a courtroom, but then the court decides, not you. Here you need to make a decision yourself. In order to make risk-based decisions and understand how risk is governed, what approach you should take, what the best practices are — I decided to go for those certifications.

They were useful to give structure to what you know. It’s like a bookshelf. You’re obtaining the bookshelf, and then you are ordering and putting your books there.

Also, the clients of any law firm don’t just expect legal advice. They expect that you understand risk — because business is based on risk, on how you take it, share it, manage it. If you don’t understand that mindset, you are not able to set up any compliance approach. A rules-based approach imposed by lawyers who are not sophisticated enough creates the risk of over-compliance — focusing on ticking boxes rather than going after the actual risk, where your efforts actually matter.

Advice for markets starting from scratch

Dr Nicola Harding: Do you have any advice for anyone trying to implement a similar project in their country?

Edgars Pastars: Learn from others. Don’t hesitate to reach out. Read RUSI — the think tank in Britain — their work is great, and they actually helped us. We could present that it’s not just our crazy idea, but that other countries are doing this and reputable think tanks are writing about it.

Start with mapping your needs and bring your authorities on board — but don’t go to them only with a problem. You need to show the risk, the mitigating measures, what you will do to address it. Don’t just show what you will gain. Show also what you will do to reduce the risks.

You need people who are leaders in their industry and who can advocate for this. Mostly, information sharing fails because of phobias — people are scared that privacy will somehow be abused. Come up with a plan for how you will address that. There are plenty of ways. Think thoroughly through all the possible objections and address them.

Now, with the AML regulation coming into force, go for the maximum you can right now. During negotiations, you will most likely be asked to remove some of your ideas — so start ambitious.

And you need a partner from a technological point of view. We made this mistake in the past: you only talk about sharing, but the key part is technology. What will you use for the sharing? How will you measure the success of the data you shared and used? How will you ensure that this data is safe?

You can’t just exchange emails or use a WhatsApp group. That’s not sharing — it’s something that is most likely illegal, because you’re not protecting the data. Try to find what your peers have done in other countries. And have a partner with you who can provide those services — regardless of what kind of sharing you are doing, whether privacy-enhancing technologies or operational data, you need someone who knows it.

Dr Nicola Harding: What strikes me most about Edgars and his work is that he sits inside two conversations that most people treat as entirely separate. The first is internal: how do compliance officers and their lawyers actually collaborate? The second is external: how do you move an entire market and build the legal infrastructure that makes transformation possible?

But they’re not separate at all. They’re the same conversation. The market only transforms when the internal conversation changes. When legal stops asking “is it mandatory?” and starts asking “how is it allowed?” — that’s when you get the permission structures that let institutions collaborate at scale.

Get clear on what you actually need. Brief your lawyer with the mandate, not a question. And understand that “we can’t” is often code for “I don’t have permission to say yes yet.” Your job is to give them that permission.

×
ISO/IEC 27001 logo
Aicpa logo
GDPR compliant logo
OWASP logo

We build security to our products and organisation from the start. We use security best practices (incl. ISO 27001, CIS etc.) to ensure that our security management system meets the highest standards.

Salv has an ISO/IEC 27001: 2022 certificate, as well as ISAE 3000 compliant SOC 2 Type 2 report.