Risk Based Approach

Case Study: Digitisation Support

Designing Financial Crime Compliance Programme for Africa-Focused Digital Product

A case study of how FINTRAIL helped an international banking group launch a new digital product, by designing an innovative, tech-focused financial crime compliance programme.

See how FINTRAIL designed bespoke policies and procedures, processes for customer onboarding and ongoing monitoring, to ensure full regulatory compliance, effective risk mitigation, and great customer experience.

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

When you should carry out ongoing Due Diligence and how to remediate gaps

The FINTRAIL and Jumio teams have been discussing why regulated businesses are expected to perform ongoing Due Diligence on clients, why it is important to remediate gaps identified, and the approach businesses should consider when performing this remediation.

In this report you will find examples of the different scenarios when you should consider refreshing your Due Diligence. It also highlights why it is important to remediate gaps and how you should seek to operationalise this process.

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

FinTech Approaches to Sanction Regimes

Announcing Expert Working Groups and Topic 1: Sanctions compliance

The FFE have kicked off a series of topical roundtable discussions among industry leaders, with the aim of connecting senior decision makers to discuss their own internal approaches to common challenges. These Expert Working Groups are under Chatham House Rule, with FINTRAIL acting as secretariat to facilitate discussion amongst experts. Thanks to RDC and RUSI, too, for providing expert insights alongside our FinTech experts.

Our first Expert Working Group focused on FinTech approaches to sanctions regimes, and gathered 18 sanctions experts from 8 different FinTech industries. After just two in-depth sessions, we were able to glean insight on best practices that we hope you find useful when benchmarking your own approach. 

As a sneak peek into some of those insights:

  • Around 30% of the FinTechs we spoke with have a sanctions-specific risk assessment to support their risk-based approach, with several more working to create one.

  • Unanimously, Expert Working Group participants are typically using conservative (or even very conservative) fuzzy matching thresholds ranging from 70%-85%, especially compared to industry averages closer to 85%-92%.  

  • C-Suite and board members are increasingly expected to have sight of the Sanctions program and/or Sanctions-specific policies, vs. just the broader Compliance or Anti-Money Laundering program.

Check out the full report for more, and reach out to us at ffe_admin@fintrail.co.uk to share any insights of your own. And be sure to stay tuned for further Expert Working Group insights!

ON DEMAND: FINTRAIL- Elliptic Cryptoasset Compliance Virtual Bootcamp

***NOW AVAILABLE ON DEMAND***

For financial crime compliance professionals, cryptoassets are one of the hottest topics around. With regulators and global watchdogs like the Financial Action Task Force zeroing in on cryptoassets, any compliance team that isn’t educated on cryptoassets has a major blind spot. 

Cryptoassets are no longer a fringe financial technology: cryptoassets have a total market value of more than $250 million; bitcoin is among the top ten currencies globally in terms of the overall value of banknotes and coins in circulation; and over $500 billion flows between the banking sector and cryptoasset businesses annually. Cryptoassets are now a feature of the financial landscape. This exciting technology presents both compliance challenges and business opportunities for teams not only at cryptoasset businesses, but also for banks and FinTechs who can no longer ignore this burgeoning asset class.  

That’s why we’re partnering with the team at Elliptic to launch our first ever cryptoasset compliance virtual bootcamp. Originally launched on 30 June 2020, this online bootcamp is one we’ve designed to assist banks, FinTechs, and cryptoasset firms alike in identifying strategies for managing financial crime risks in this new phase of cryptoassets. We’ve launched this initiative to help compliance teams in their journey, and to educate and ensure the wider regulated sector understands the cryptoasset industry, how it may affect their business, and how best to practically address the risks while harnessing new opportunities. The bootcamp focuses on how your business can apply an effective risk based approach towards cryptoassets. This ensures the highest risks to your business are the focus of your compliance efforts, with less impactful risks sitting lower down the priority list. 

Led by FINTRAIL’s Danielle Jukes and Elliptic’s David Carlisle, and featuring guest speakers from around the financial crime compliance space, this complementary virtual bootcamp will include three engaging sessions across June and July. Each session will focus on the key pillars that we see as vital to a strong cryptoasset financial crime risk management framework. Content for the sessions will include: 

SESSION 1: CRYPTOASSET RISKS . . . WHAT’S YOUR APPETITE? 

Effective risk management starts by defining your risk appetite. If you are a cryptoasset business, have you articulated to your staff which risks you’re willing to accept? For example, are there certain countries that present especially high cryptoasset risks and with which you won’t do business? And if you are a FinTech or bank, have you clearly defined what degree of interaction your business will or won’t have with cryptoassets, and do your staff understand how to ensure adherence to that risk appetite? Until you’ve defined your risk appetite, you can’t expect your compliance team to develop an effective response. In this session, we’ll provide you with a conceptual framework for defining your cryptoasset risk appetite and using that foundation for effective risk management.

  • Key takeaways: an understanding of how you can develop a risk appetite statement on crypto, and how it can affect your business, relevant examples of statements related to cryptoassets.

SESSION 2: ASSESSING AND GETTING TO GRIPS WITH THE FINCRIME RISKS:

Cryptoassets present specific financial crime risks and feature heavily in some typologies more than others. Understanding these risks and executing a crypto-specific risk assessment is critical to managing risk exposure, whether your platform offers cryptoasset services directly or not. If you are a cryptoasset business, do you understand which fincrime typologies present the highest risks to your platform? Do you offer privacy coins or other services that may present an elevated risk to your profile? If you are a FinTech or bank, while you may not offer cryptoasset services, do you understand crypto-specific typologies that may expose your business to indirect cryptoasset risks that are sometimes very difficult to detect? This session will equip you with the know-how you require to conduct an effective cryptoasset risk assessment for your business. 

  • Key takeaways: an understanding of different types financial crime risks, how they present themselves within cryptoassets, and how your business can assess these risks.

SESSION 3: SYSTEMS AND CONTROLS - MANAGING YOUR CRYPTOASSET RISKS IN PRACTICE 

Managing cryptoasset risks requires access to systems and controls that can detect and protect against bespoke risks. Your compliance team should be working to solve the following questions:.

  • For cryptoasset businesses, do you have access to these bespoke cryptoasset monitoring tools tools, and are they configured appropriately to your business needs? 

  • For banks and fintechs, are you able to detect and assess risks related to counterparties who may be dealing in cryptoassets? Solutions exist that can enable you to do so, but they require expertise your business may not possess. 

  • Filing SARs and undertaking reporting obligations related to cryptoassets can present specific challenges. Are you equipped to navigate these challenges? 

  • Key takeaways: an understanding of what systems and controls are out there, and how they can fit into your wider anti-financial crime framework.

This bootcamp will help your compliance team work through these and other questions, and in doing so, will empower you to execute on a vital component of your financial crime risk management framework. If these three pillars are executed effectively, then your compliance team can confidently tackle the risks associated with cryptoassets. 

You don’t want to miss out on this opportunity to learn from FINTRAIL and Elliptic’s experts in cryptoasset compliance.

How to conduct Customer Risk Profiling in the Gaming Industry

Regulations and Guidance

As part of the regulated sector within the UK, those in the gambling sector classified as remote or non-remote operators, are required to meet their obligations within the Money Laundering Regulations 2017. One of these requirements is to assess the level of risk a client may represent to the business and apply appropriate due diligence to match that risk. 

The Gambling Commission, in its industry guidance for the prevention of money laundering and combating the financing of terrorism under section 6.2, also highlights the need for operators to perform risk profiling against its customers.  

Paragraph 6.2 from the Gambling Commission’s industry guidance for the prevention of money laundering and combating the financing of terrorism.

What does this mean practically?

Having a clear understanding of the inherent financial crime risk within the business is important. This is likely to be already done through a risk assessment process but when thinking about financial crime in the gambling sector the most prevalent risks are probably fraud or traditional money laundering. 

An example could look like:

A table of financial crime inherent risk ratings with levels for the gambling industry

Once the inherent financial crime risk is understood, it allows for better context of what risks the operator may be exposed to and subsequently what needs to be considered when assessing the risk of the customer. 

Consideration can then be made on the data points used which would initially be obtained through the registration process and any due diligence information collected. Whilst data points like country are still important, given that the key financial crime risk may be fraud, operators may wish to consider additional data points such as the email address, phone number or device to be included.

Now the data points have been established, in line with the inherent financial crime risks, an operator can consider how the scoring itself will work. Whilst you may think a complex risk profiling model is best, that may not be the case as it needs to be scalable, easily modifiable and explainable to the regulators.

Finally once the scoring is complete, ensuring you map the output to your due diligence process is the final step. This will enable an operator to offer a lower friction process for lower risk customers whilst still being able to identify higher risk customers allowing the application of enhanced due diligence. 

Dynamic Model

The profiling of an operator’s customers shouldn’t stop at onboarding though. In order to operate an effective customer risk profiling model which meets the regulatory requirements, mitigates the risk of financial crime and protects customers from harm from a responsible gambling perspective, operators should ensure it is dynamic. This means that rather than just using the data collected at onboarding to assess the customers risk, operators should use data collected from how the customer interacts with the product and also any additional due diligence obtained.  

Responsible Gambling

It is no surprise that some of the more recent fines coming from the Gambling Commission relate to operators failure to protect its customers from a responsible gambling perspective alongside failures to have appropriate controls to guard against money laundering.

In May the Gambling Commission published tighter measures to be implemented by operators, as part of their COVID-19 response, to protect their customers during lockdown. These measures include various points on assessing their clients:

  • Review thresholds and triggers for new customers to reflect the operator’s lack of knowledge of that individual’s play and spend patterns

  • Conduct affordability assessments for individuals picked up by existing or new thresholds and triggers which indicate consumers experiencing harm - limiting or blocking further play until those checks have been concluded and supporting evidence obtained, and;

  • Implement processes that ensure the continual monitoring of their customer base – identifying patterns of play, spend or behaviours have changed in recent weeks.

Responsible gambling has strong links to financial crime with various cases documented being linked to those who were using stolen funds to spend. This means that responsible gambling is an important risk factor to be included within any operator's customer risk profiling model alongside the traditional financial crime risks mentioned above. Data points for consideration could be methods of payment, deposits and behavioural patterns.

If operator’s continue to ineffectively implement custom risk assessment models, and choose to not include a responsible gambling aspect, we can only expect more fines to be issued in the near future for both responsible gambling and money laundering failures.


How to approach creating a new customer risk assessment model

Here are FINTRAIL and TruNarrative’s key takeaways when considering a customer risk profiling model:

  • Understand the inherent risk your customers represent to the business

  • Ensure you select the correct data points unique to your clients and product offering

  • Make sure the risk profiling is dynamic and doesn’t just stop once the customer is onboarded

  • Consider the inclusion of responsible gambling within your customer risk profiling 

  • Marry your due diligence process to your customer risk profiling

  • Take into consideration how you would implement your model using technology providers like TruNarrative to ensure if a players risk or behaviour changes, you get an instant alert and action

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

This article is also available via TruNarrative’s website.

How to use Compliance as an enabler in Digital Transformation

Digital transformation for onboarding is a hot topic at the moment, given that much of the world is currently living their life from their sofas and managing their day-to-day financial needs from home. Having worked on transformation projects before with traditional FI’s, alongside assisting various FinTechs in the creation of new digital offerings, we at FINTRAIL thought it would be a good opportunity to move the spotlight onto compliance, and fly the financial crime flag by discussing some of the common misconceptions.

 

Front end change is just the tip of the iceberg

The ‘tip of the iceberg’ cliche has never been more appropriate when it comes to describing common misconceptions towards digital transformation. The main message is that a good user experience isn’t solely dependent on a minimal field registration journey, and that there are other components that need to be considered which the customer can’t see. Getting these components implemented effectively are equally as important and the focal point is our good friend - ‘a risk-based approach’. Having a robust risk-based approach can be the key for a slick user experience and dictate your approach to CDD, custom screening and risk management, enabling you to target your controls on your highest risk areas.

Image of front end change is the tip of the iceberg. Registration depicted above water, while the rest of the compliance processes depicted underwater as the main body of the iceberg

Less is more

It would be logical to assume that the less information you collect from your customer the better, and that allowing a customer to sign up by just inserting an email and password will drive your Trustpilot reviews through the roof. Ignoring the fact that this probably doesn’t actually meet your ID&V requirements, we would like to suggest that less isn’t always more. By creating a shortened registration process you may well get more sign ups, but if you subsequently need to perform downstream due diligence to address gaps, you could be creating a poor user experience further down the line, perhaps even in a critical situation when dealing with a vulnerable customer whose account has been frozen and they need urgent access to funds.  We don’t necessarily mean your registration process should be 100 fields deep across 10 pages but there is certainly a happy medium. 


Business enabling Anti-Financial Crime (AFC)

A common misconception is that financial crime compliance can be the blocker when it comes to innovation in these projects. It probably comes as no surprise that we at FINTRAIL would offer a healthy challenge to those naysayers. 

So, you are 6 months into your digital transformation project, it’s all on JIRA (other platforms are available) or you have a lovely Gantt chart. You have lined up all your sprints and it suddenly occurs to you that you should speak to your compliance team. After 45 minutes debriefing your compliance team, they have a bunch of questions and recommendations before you can move the project forward, resulting in you putting a big red “Stuck” against it. While you may have translated this into a no, these recommendations do not necessarily mean no, and even if it is a no, is that really surprising considering you have only introduced them as stakeholders so late on? Obviously we are focusing on the negatives here to emphasise our point and the above is certainly not a reflection on most businesses’ these days.

Some of the most successful projects we have been part of are the ones where AFC stakeholders have been included as part of the journey rather than just at sign off. There is a new breed of financial crime professionals who want to be viewed as business enablers and able to offer a great user experience as much as the next product owner.

A RACI (responsible, accountable, consulted, informed) matrix is often used in project delivery to divvy up people’s roles. With that in mind your approach may have been previously to assign compliance a consulted duty, but we would encourage you to increase their involvement in order to reduce blockers downstream and increase compliant innovation.

RACI project management chart with Compliance/financial crime function moved from consulted to responsible/accountable

Being a Compliance Champion

Equally it is not just the business that needs to take ownership of transformation, it can also be the fincrime function itself. Embracing change has never been more important in a digital enabled world and as fincrime professionals we should be just as excited by these new developments. Whether it is the implementation of a new due diligence process or screening programme, don’t be afraid to rip up the policy and start again. There is no reason why the financial crime team cannot be the driver for change.

Build, Buy or Both?

Like the ‘tip of the iceberg’, ‘build or buy’ is also becoming a bit of a cliche. What we do know is that you will likely need to partner with some technology providers in order to achieve your future state goals. Equally, even if you partner with someone, there will be an element of building that goes hand in hand. There are a variety of great providers available with a range of capabilities but we would like to reposition the ‘build or buy’ question. No single provider will solve all of your needs, and equally, to build everything in house isn’t logical when there are specialist systems available. This potentially means that the ‘build or buy’ question is a goose chase and in fact an amalgamation of the two is the best approach to adopt. 

Takeaways

Here are our top takeaways to be a compliance champion when it comes to digital transformation:

  • User experience does not stop on the physical registration page; it continues throughout the customer lifecycle

  • Less is not always more when it comes to identification programmes

  • Treat your compliance/ fincrime team as business enablers, engaging them in discussions earlier

  • Answer your build, buy or both question

  • A risk-based approach marries itself perfectly with transformation projects

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch at: contact@fintrail.co.uk

FINTRAIL- Elliptic Cryptoasset Compliance Virtual Bootcamp

For financial crime compliance professionals, cryptoassets are one of the hottest topics around. With regulators and global watchdogs like the Financial Action Task Force zeroing in on cryptoassets, any compliance team that isn’t educated on cryptoassets has a major blind spot. 

Cryptoassets are no longer a fringe financial technology: cryptoassets have a total market value of more than $250 million; bitcoin is among the top ten currencies globally in terms of the overall value of banknotes and coins in circulation; and over $500 billion flows between the banking sector and cryptoasset businesses annually. Cryptoassets are now a feature of the financial landscape. This exciting technology presents both compliance challenges and business opportunities for teams not only at cryptoasset businesses, but also for banks and FinTechs who can no longer ignore this burgeoning asset class.  

That’s why we’re partnering with the team at Elliptic to launch our first ever cryptoasset compliance virtual bootcamp. Launching on June 30, this online bootcamp is one we’ve designed to assist banks, FinTechs, and cryptoasset firms alike in identifying strategies for managing financial crime risks in this new phase of cryptoassets. We’ve launched this initiative to help compliance teams in their journey, and to educate and ensure the wider regulated sector understands the cryptoasset industry, how it may affect their business, and how best to practically address the risks while harnessing new opportunities. The bootcamp focuses on how your business can apply an effective risk based approach towards cryptoassets. This ensures the highest risks to your business are the focus of your compliance efforts, with less impactful risks sitting lower down the priority list. 

Led by FINTRAIL’s Danielle Jukes and Elliptic’s David Carlisle, and featuring guest speakers from around the financial crime compliance space, this complementary virtual bootcamp will include three engaging sessions across June and July. Each session will focus on the key pillars that we see as vital to a strong cryptoasset financial crime risk management framework. Content for the sessions will include: 

Session 1: Cryptoasset risks . . . What’s your appetite? 

Effective risk management starts by defining your risk appetite. If you are a cryptoasset business, have you articulated to your staff which risks you’re willing to accept? For example, are there certain countries that present especially high cryptoasset risks and with which you won’t do business? And if you are a FinTech or bank, have you clearly defined what degree of interaction your business will or won’t have with cryptoassets, and do your staff understand how to ensure adherence to that risk appetite? Until you’ve defined your risk appetite, you can’t expect your compliance team to develop an effective response. In this session, we’ll provide you with a conceptual framework for defining your cryptoasset risk appetite and using that foundation for effective risk management.

  • Key takeaways: an understanding of how you can develop a risk appetite statement on crypto, and how it can affect your business, relevant examples of statements related to cryptoassets.

Session 2: Assessing and Getting to Grips with the FinCrime Risks:

Cryptoassets present specific financial crime risks and feature heavily in some typologies more than others. Understanding these risks and executing a crypto-specific risk assessment is critical to managing risk exposure, whether your platform offers cryptoasset services directly or not. If you are a cryptoasset business, do you understand which fincrime typologies present the highest risks to your platform? Do you offer privacy coins or other services that may present an elevated risk to your profile? If you are a FinTech or bank, while you may not offer cryptoasset services, do you understand crypto-specific typologies that may expose your business to indirect cryptoasset risks that are sometimes very difficult to detect? This session will equip you with the know-how you require to conduct an effective cryptoasset risk assessment for your business. 

  • Key takeaways: an understanding of different types financial crime risks, how they present themselves within cryptoassets, and how your business can assess these risks.

Session 3: Systems and Controls - Managing Your Cryptoasset Risks in Practice 

Managing cryptoasset risks requires access to systems and controls that can detect and protect against bespoke risks. Your compliance team should be working to solve the following questions:.

  • For cryptoasset businesses, do you have access to these bespoke cryptoasset monitoring tools tools, and are they configured appropriately to your business needs? 

  • For banks and fintechs, are you able to detect and assess risks related to counterparties who may be dealing in cryptoassets? Solutions exist that can enable you to do so, but they require expertise your business may not possess. 

  • Filing SARs and undertaking reporting obligations related to cryptoassets can present specific challenges. Are you equipped to navigate these challenges? 

  • Key takeaways: an understanding of what systems and controls are out there, and how they can fit into your wider anti-financial crime framework.

This bootcamp will help your compliance team work through these and other questions, and in doing so, will empower you to execute on a vital component of your financial crime risk management framework. If these three pillars are executed effectively, then your compliance team can confidently tackle the risks associated with cryptoassets. 

You don’t want to miss out on this opportunity to learn from FINTRAIL and Elliptic’s experts in cryptoasset compliance. You will also be awarded a certificate of attendance after attending all three sessions. 

Remote Delivery: NuBank Financial Crime Compliance Project

In the current climate the notion of ‘working from home’ has become the new norm. This means that some businesses have had to rapidly adapt how they work, how they deliver their products and services to their clients, and how they remain top of their game. Whilst FINTRAIL do have physical offices in London, Singapore, the US, we operate flexible working for our employees, and have also conducted fully remote projects in the past. We feel that these projects and our working set up has allowed us to quickly adapt to this new normal and we thought we would share some of our insights with the wider community. 

One of our most recent fully remote projects involved working with NuBank on a Financial Crime Compliance project. NuBank is a Latin American neobank and they have one of the largest customer bases in the region and sector, and in January 2020 confirmed they hit the 20 million customer target. NuBank was a completely new client for FINTRAIL, and also one of our largest projects where there would be no face-to-face, or in person element at all.

The project spanned three jurisdictions; Brazil, Mexico, and the UK. This involved assessing, and analysing regulation from Brazil and Mexico, as well as scheduling calls to accommodate for two quite different time zones! After the project had been completed, we had a feedback session with NuBank to discuss what worked, and maybe what didn’t, when conducting a remote project. NuBank was very pleased with our work. They commented that we were aligned with them as a business, and the project results were above and beyond what was expected. We are confident that our work can be delivered in a fully remote nature, and this project only helped to solidify that confidence.

Infographic highlighting the key takeaways from the NuBank remote project and what the client liked.

Key learnings:

  • Get the basics right. This may sound simple, but the client should be clear on the project timelines and deliverables. Having this understanding at the start and throughout helps to ease both sides of any unnecessary stress, and improves time management and control of the project. When a project involves no face-to-face aspect, all communication becomes much more scheduled, and therefore understanding the scope and nature of the project is key. This extends to us as FINTRAIL too, we always ensure that we understand a company and its products to the best of our ability when conducting a project.

  • Communicate, communicate, communicate (with the relevant people). Ensuring that the correct people are involved in the conversation is very important, especially during a remote project. With often already packed diaries, no one wants to sit on a video call that they cannot contribute to, or that they are not needed for.  By inviting the correct and relevant stakeholders only to meetings where they are needed prevents video call fatigue within the project, helping for each conversation to be meaningful and for people to remain engaged. 

  • Leverage technology.  Tools such as Slack can really help with interim communication between larger video meetings. Slack allowed for timely access to key pieces of information, and to lay the groundwork for more in depth meetings. It was also crucial to have this kind of communication due to multiple time zones. Emails felt a bit stiff and formal, and could get lost in a pile, whereas the Slack messages could be picked up whenever suited, and answered quickly and easily.

Get in Touch

If you are interested in speaking to the FINTRAIL team about the topics discussed here or how we are working remotely with clients globally today on all aspects of their financial crime programme, please feel free to get in touch with one of our team or at contact@fintrail.co.uk.

FINTRAIL joins Tide on the Jumio Webinar: Covid-19 Anti Financial Crime Best Practices

Gemma Rogers, Co Founder at FINTRAIL joined Rebecca Marriott and Matthew Tataryn of Tide and Sam Duggan of Jumio for a live panel discussion moderated by Claire Galbois-Alcaix. In the webinar they cover:

  • The financial crime impact COVID-19 has had on financial services providers

  • The main financial crime threat factors that businesses are having to adjust to

  • How the FCA's latest recommendations can help businesses in the short term

FINTRAIL on the Sibylline Podcast: No Lockdown Here – Covid & Financial Crime

FINTRAIL’s APAC MD, Payal Patel, joins Sibylline COO Tamara Makarenko and Samantha Sheen for a conversation about the impact COVID is having on financial crime.

Their discussion covers why financial crime is ‘surviving’ lockdown, new financial crime trends, the regulatory response, and how companies can safeguard themselves. The podcast ultimately outlines a few ‘Golden Rules’ of how we can build our resilience to this unfolding financial crime environment.

FINTRAIL on the Captivated Audience - Season 1, Episode 26

In this episode, FINTRAIL’s James Nurse, joins hosts Sam Sheen and Marie Lundberg on the Captivated Audience podcast.

In this episode James offers insights from recent FINTRAIL papers on Social Media and Financial Crime, and the iterative risk approach to pre and post pandemic working for FinTech.