Circular Image

F.S. Gürses

info

Please Note

5 records found

Master thesis (2025) - A.V. Kerkhoven, J.A. Annema, F.S. Gürses
Context and Problem Statement As financial crime grows more complex, governments have tightened Anti-Money Laundering (AML) regulations, with banks serving as the first line of defense. The Know Your Customer (KYC) process, used to identify and monitor clients, is central to this effort. To keep up with the resource intensive process, banks are beginning to turn to machine learning (ML), hoping to improve detection while lowering costs. However, this shift raises new concerns: opaque algorithms may introduce bias, reduce transparency, and unintentionally exclude vulnerable groups from the financial system. In the Netherlands, recent reports have shown how well-intentioned AML measures can lead to discriminatory practices. As the EU prepares to implement the new AML Regulation (AMLR) in 2027, which will further tighten compliance. While policy and technical discourse continues, there is little understanding of how these changes affect society as a whole. Research Gap and Question The literature showes that while AML policies and the integration of ML have been widely studied from regulatory, technical, and institutional perspectives, their broader societal effects remain underexplored. Most research focuses on costs and benefits for banks and governments, mostly neglecting the indirect impact on society. This thesis addresses that gap by systematically analyzing how ML integration into KYC processes shifts the societal costs and benefits of AML compliance. While most evaluations of ML in finance focus on technical or regulatory performance, this research applied a qualitative Social Cost-Benefit Analysis (SCBA) to examine broader social consequences such as exclusion, inequality, and institutional trust. By analyzing current practices and exploring how ML changes these dynamics, the study contributes to a more balanced understanding of innovation in financial compliance. The main research question was therefore formulated as follows: “How does the implementation of machine learning in the KYC process alter the relevant social costs and benefits of the current KYC process under AML regulation?” Methodology This thesis applies a qualitative SCBA framework (Romijn and Renes, 2013) to explore the societal effects of AML regulation through the KYC process, with a specific focus on the impact of ML. The research followed the first five SCBA steps as outlined in Dutch policy guidelines (Romijn and Renes, 2013), including problem definition, establishing a baseline, defining the policy alternative, identifying social effects, and identifying costs. The social effects and costs were not quantified in this research due to the qualitative nature of the identified effects. Due to data limitations the final three SCBA steps were excluded. Primary data was collected through 9 semi-structured interviews with experts from the corporate sector, academia, and human rights advocacy. Interviewees were selected based on their expertise in AML, KYC, and/or ML, and their ability to reflect on broader societal implications. A preliminary KYC process diagram and stimulus texts based on literature were used to structure and enrich the interviews. Interview data was analyzed using thematic analysis in ATLAS.ti, following the six-step method of Willig and Rogers (2017). Emerging codes were grouped into themes and translated into nine key social effects, e.g. inequality, crime reduction, and consumer surplus. These effects were then visualized in a conceptual model showing their interrelations and the impact of ML. Triangulation with existing literature was used to enhance validity. Key Insights The following key findings highlight the most important insights regarding the social costs and benefits of the KYC process and the impact of machine learning within AML compliance. • The KYC Process Has Dual Social Impacts ii iii This thesis examined the social costs and benefits of KYC processes under European AML regulation. Using thematic analysis of expert interviews, the study identified a wide range of interconnected social effects. The candidate positive effects include reduced crime and improved government financial health. Identified potential negative effects include increased administrative burdens on consumers, reduced economic participation, and rising inequality. • Machine Learning Amplifies Both Benefits and Harms The introduction of ML into the KYC process intensifies many of these effects. For the benefits, ML can improves the detection of financial crime and may enhance the efficiency of public enforcement and private compliance. The identified harms that ML can raise were opportunity costs due to legal uncertainty, introduces privacy risks, and may increase stress among consumers. • The KYC Process can Intensify Social Harm and Unequal Burden Distribution A central finding is that society bears the weight of the costs, even though financial institutions and governments control the design and implementation of AML systems. ML expands the surveillance function of banks, blurring the line between private and public roles and potentially reducing accountability. Vulnerable groups can be disproportionately affected through exclusion, algorithmic bias, and stress. This points to a structural imbalance in who benefits from technological innovation and who suffers from its unintended consequences. Conclusions This thesis explored how machine learning reshapes the social costs and benefits of KYC processes under AML regulation. Based on expert interviews and qualitative SCBA, the study found that ML amplifies both the benefits, such as improved crime detection, and the risks, including legal uncertainty, exclusion, and inequality. The effects are interconnected, with societal consequences often falling disproportionately on the public. By framing KYC as a socio-technical system, this research highlights the need for ethical oversight and systems thinking. ML introduces not just technological change; it also creates a responsibility to ensure that its effects are fair and beneficial to society as a whole. Actionable Recommendations This study highlights the need for a more balanced and accountable approach to integrating machine learning in AML compliance. Policymakers should move beyond a narrow enforcement focus by embedding social impact assessments into AML policy design and collaborating with academic experts. Regulation must ensure that ML systems are not only legally compliant but also socially fair and explainable. Financial institutions must take responsibility for the real-world effects of ML in KYC, prioritizing explainability, bias mitigation, and transparent vendor oversight. Close engagement with regulators and researchers is key to setting fair and practical standards. Finally, society, though not directly involved in implementation, bears many of the negative impacts. Public awareness, advocacy, and particip ...

Addressing vulnerabilities and challenges in Machine Learning practice

Master thesis (2022) - A.E. Wolters, Marijn Janssen, R.I.J. Dobbe, F.S. Gürses, Nick Jetten
There is a need for a more comprehensive sociotechnical systems view on ML. Such a view looks at the development and use of an ML system in practice as being a sociotechnical ML system: "a system consisting of technical artefacts, human agents and institutions, in which a machine-based subsystem influences its real or virtual environment by automating, supporting or augmenting decision-making". This research takes on this view to design a sociotechnical guide for ML practice, centring the specication of sociotechnical ML systems. Taking on the guidelines contributes to a safe and effective development and use of ML systems. ...
Email communication is a crucial part of the daily processes of enterprises. Organizations can opt for traditional infrastructure on-premise or use cloud-based email services provided by (foreign) cloud service providers. In Europe in particular, organizations from crucial sectors have been adopting cloudbasedemail services. The level of cloud adoption can vary strongly within these sectors. Nevertheless, this trend towards the use of cloud-based email services brings societal implications for the sovereignty of European data. Email services hosted with foreign cloud service providers can be susceptible to surveillance by foreign governments and intelligence agencies, which violates privacy of European individuals. The attack space further includes invasion with political and monetary incentives that may also impact security, as data is hosted with cloud service providers who might have weak security protocols. We measured the level of cloud adoption for seven crucial sectors in Europe: executive governments, healthcare, SME’s, higher educational institutes, NGO’s and financial services. We have conducted a DNS analysis on MX records from a Farsight (SIE) dataset to measure the prevalence of cloud service providers. The results revealed the prevalence of extremely dominant cloud service providers, Microsoft and Google in Europe. The dominant position obtained by these providers means that two aspects in governance of this socio-technical system in Europe must be attended to if Europe wants to regain control over their data and infrastructures: (1) European regulation focus needs to shift and (2) awareness must be raised at managerial level in enterprises. ...

Analysing the use of UWB in mobile phones from a multi-actor perspective, magnifying privacy concerns and formulating guidelines

Ultra-Wideband (UWB) technology became unregulated within the EU in 2007. Most recently, it was integrated into mobile phones in 2019, notably Apply and Samsung adding it to all their newer models. While UWB is characterised as a radio technology with any signal above 500 MHz, it operates within the 6-9 GHz
range in mobile phones. This allows for fast data rate, low power secure
communication, multipath facilities and accurate localization. While the integration of UWB is mostly advantageous to users and innovators, its ability of accurate localisation may lead to severe privacy concerns

The aim of the thesis is to understand the privacy concerns of UWB’s integration into mobile phones by answering the main research question: how do experts and users perceive privacy concerns of UWB usage in mobile phones; and how can they be mitigated? It was subsequently broken down into three sub-research
questions: 1. What are the possible applications of UWB in mobile phones? Phones have other incumbent radio technology embedded such as Bluetooth (BLE) and Wi-Fi, however it seems like UWB is being integrated to serve additional purposes. The answer to this question seeks to understand from gray and research literature how UWB can be used in mobile phones and what advantage it gives over incumbent technology. Research shows UWB gives phones the ability for indoor navigation, gesture-based control, foot traffic analysis for smart retail, teleconference systems, proximity-based localization, key-less entry among others.

This leads to research question 2. What are the potential privacy concerns associated with UWB? The incorporation of new technology capable of accurate localization leads to privacy concerns. All privacy issues were categorised on the basis of three paradigms: social, surveillance and institutional mentioned in Gurses and Diaz, 2013. This was initially done by interviewing experts from the three groups of privacy experts, policy regulators and technology experts. Analysis of their answers showed that UWB privacy concerns seem relatively similar to BLE and Wi-Fi localization, albeit with higher granularity. UWB allows mobile phones companies, third parties and governments track people accurately indoors, push advertisements depending on location, obtain relative relationships between people based on distance leaving people with no place to hide. Subsequently, user interviews were carried out to see if they could identify the same concerns of UWB. Results showed that that from the data of users interviewed, all of them believed that accurate data
localization of people is crossing a line that users cannot push back on. A majority of them saw most of the same privacy issues as the experts showing that, as people get more adept with technology they understand
how it can affect their privacy. A common question that was asked across all the interviews was how can we protect our privacy in the face of such penetrating innovation as time lapses.

Which is the final sub-research question: 3. What are technical and societal approaches to address privacy concerns? Experts provided solutions that were more industry oriented which included decoupling UWBfrom other location-based services, provision of opt-out settings on a more prominent basis, reworking license agreements, industry wide discussion and self-regulation in terms of privacy. However, users gave answers that were more user-centric and gave more control to the common public. This included users neggotiating their own privacy agreements, compensation models for loss of privacy, a more holistic regulation process and finally, trying to break the control of big tech companies. This shows that users and experts have very similar understanding of privacy issues but very different views on how privacy should be protected. Perhaps, it may be time for regulators to pay heed to user suggestions. These suggestions were then compared with privacy mitigation strategies mentioned in literature. Notably, the most overarching concept that needs to be incorporated is the concept of Privacy-by-design which can then be broken down into technical and societal strategies. Technical approaches included concepts such as obfuscation, k-anonymiser, differential privacy, dummy localization and access control mechanisms. All the technical strategies seemingly had the same issue of requiring third-party applications to function. Sophisticated security measures and privacy statements would then be needed to ensure these companies do not choose monetary gain over user privacy. Societal approaches included concepts of data-for-all, technical regulatory bodies and finally, breaking up of big tech companies. As time passes and innovations become more pervasive, it may be too late to incorporate privacy protection actively. The time to protect privacy is now. ...

A Statistical Disclosure Control Tool for Microdata Sets

Master thesis (2020) - A. Rawat, M.F.W.H.A. Janssen, F.S. Gürses, M.S. Bargh
Governments across the world looking to implement Open Government Data (OGD) initiatives undergo many problems. One such problem is the risk to privacy from opening data sets as most of the data is at a microdata level which corresponds to specific individuals. A solution to such a predicament is the application of Statistical Disclosure Control (SDC) techniques on microdata. SDC methods anonymize microdata that reduces the risk of disclosure while also maintaining the value of the data. SDC methods can be applied by using software tools, however, these tools are designed from the perspective of experts or for the purpose of demonstration. Moreover, ongoing research has led to the slow progress in not only the development of these tools, but also their adoption. Resulting in limited support material and even smaller user base. As a consequence, individuals or organizations looking to adopt these tools to satisfy their data privacy objectives cannot use them. Out of many SDC tools, ARX is a stable application that equips its users with an arsenal of techniques to anonymize microdata sets. It also undergoes regular updates, thus keeping pace with the current developments in the field of SDC techniques. Despite this, ARX is not widely used due to its perceived complexity. This thesis addresses the problem of the complexity that is associated with ARX which makes it difficult to adopt them to anonymize their data sets. The thesis provides a solution to this problem by developing a prototype tool which reduces the complexity of SDC techniques through a simplified, user-friendly approach to data anonymization. The thesis does not aim to enhance privacy methods or improve the functionalities of already existing tools by proposing a replacement. The thesis tries to bridge the gap which implicitly occurs when privacy tools are designed from the perspective of experts. It is understood that the protection of private data should only be handled by experts. However, to build that expertise, people have to be introduced to simpler tools without being overwhelmed by the complexity that is immanent with concepts of SDC. ...