As recent substantial fines incurred by traditional banks demonstrate, the financial crime compliance (FCC) system in banking is relatively weak and in need of major improvement.
The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation. To find out more, visit the ICA website.
While new FinTech solutions may be deployed to solve some of these issues, the advancement and proliferation of FinTech has itself introduced new FCC risks and concerns, associated in particular with the adoption and transformation of new FinTech, the move to digitalization, and the entry of new neobanks and virtual banks (VBs) into the banking ecosystem. This article proposes some measures to be considered in response to this.
1. Digitalization and modularization: FCC risks ownership, oversight, and the evolution of the 3LOD
Digitalization and open application programming interfaces will lead to the modularization of core functions in the business and operating model of the bank, some of which can be outsourced. How would this affect the three lines of defense (3LOD) model within the firm? Does it introduce the risk that risks are identified and managed in a modular (i.e. siloed) manner? Take, for example, a bank that decides to outsource its online sales function to a third-party service provider. Can the bank shift the first line FCC risk ownership to the third party? Can it fully automate any line of defense (e.g. detective or preventive controls), or would we expect a third party to have and implement a separate full 3LOD altogether?
2. FCC risk assessment and mitigating systems and controls
The emphasis on digitalization will lead to greater focus on the integrity and design of systems and controls. This will require closer attention to be placed on understanding the bank’s underlying business and operating model; the nature of the provisioning of financial products and services; the nature and volume of transactions; the systems and platforms used; as well as customer, merchandiser, and supplier relationships in the identification of FCC risks.
Before implementing new or developing FinTech, banks and financial institutions (FIs) should heed the standards of the Financial Action Task Force (FATF) and the standards, regulations, and guidelines of various international standard-setters and regulators on compliance risk management. Examples include the U.S. NIST Cybersecurity Risk Management Framework and the FATF guidelines on virtual assets.
3. New FCC and compliance competencies and skillsets
FinTech introduces new conditions and requirements that are beyond the current competencies and skillset of most compliance and FCC professionals. The old approach of “throwing bodies” (headcount) at a compliance problem or issue will not work in this digital era, in which FinTech will be used to solve not only existing/old FCC problems, but also new, more complex and risky problems created by digitalization.
There is an urgent requirement to upskill and retool existing compliance and FCC professionals in areas such as data analytics and the use of visualization tools; in the exercise of professional judgment in an era of machine learning and artificial intelligence (AI); and in the management of real-time transfers and payments across multiple channels and over wider geographical spread. It is interesting to note some leading regulators and their industry/educational bodies—for example, the Institute of Banking and Finance Singapore and the Monetary Authority of Singapore and the U.K. Chartered Banker Institute—are already looking to support the industry workforce to upskill for the digital era.
4. Digital identity and e-KYC utility
A digital identity is a core enabler for the ongoing uptake of digital services, facilitating both convenience and security for users. Recent trends and developments in biometrics and behavioral analytics enable the management and authentication of users’ identity, which is critical for digital banking, transfers, and payments.
It is suggested that the financial services industry should work collaboratively on a public-private partnership basis to drive a broad consortium of banks, payments providers and operators, innovation hubs, and regulators to create and develop standardized know your customer (KYC) information and datasets, and to further promote a standardized e-KYC approach. The aim of this endeavor should be the creation of a global standard that meets the needs of all stakeholders.
5. Financial crime information sharing
Improved detection, prevention, and prosecution of financial crime would be enabled by enhanced information sharing on known and suspected financial crime across the industry, with regulators and law enforcement and across borders.
6. Machine learning, AI, and behavioral analytics
Machine learning, AI, and behavioral analytics—from either specialized third-party technologies, VBs, or banks themselves—are currently viewed as the industry’s “best kept secret,” offering a competitive advantage in FCC. Nevertheless, it is envisaged that the various members of the banking ecosystem could collaborate to create a network of trusted data sources, shared behavior models, and broadcast events. A drive to further develop the case for standards and best practices is also highly encouraged as this will provide greater assurance to the regulators, investors, and consumers.
An agile mindset
The intersection of new FinTech and FCC presents extremely dynamic terrain. As FinTech continues to improve—and at times to disrupt the way in which consumers and businesses participate in the financial services industry—a host of thorny FCC challenges emerge for regulators, banks, and FIs. These include how to define the FCC risks at play; if, how, and to what extent a new FinTech service or innovation falls within the scope of existing regulations; and, for banks, FIs, and other institutions that partner with FinTech startups, how to ensure compliance with rules on third-party risk.
Because FinTech poses unique FCC and regulatory risks, both FinTech companies and those that use FinTech must be prepared for these challenges. Startups pride themselves on being nimble, but they are obligated to understand the financial crime implications of their technology and the regulatory environment in which they operate. To the extent they are engineering their own forms of FinTech or partnering with startups or others, banks, FIs, neobanks and VBs, and other institutions must tread responsibly in embracing financial innovation.
FCC and compliance officers will need to understand existing approaches to FCC will be challenged, and they must embrace a more agile mindset to better understand the FCC risks arising from different possible business and operating strategy and models in their FCC risks assessments. Upskilling will be necessary to enable compliance officers to thrive in this new environment.
Thomas Wan is course director at International Compliance Training Academy. The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.