eKYC

A Year in Review: Financial Crime in the Middle East and Africa in 2020

2020 has clearly been a year like no other. Both businesses and criminals have had to adapt to the abrupt and far-reaching impacts of the COVID-19 pandemic. This has drastically accelerated the shift away from cash to digital payments, and encouraged both governments and global actors such as the Financial Action Task Force (FATF) to promote a shift towards digitisation. The pandemic also provided ample opportunities for criminals to devise new schemes and take advantage of a rapidly changing, uncertain environment. Many financial institutions in the Middle East, particularly the Gulf Cooperation Council (GCC), struggled with sluggish performance, but most still planned to grow their compliance teams and increase compliance spend over the course of the year, with a focus on technology.

Below are some of the key financial crime stories and trends from the year across the MEA region:

Fraud and COVID-19

COVID-19 has created opportunities for organised criminals and fraudsters across the globe, and MEA is no exception.  The region has traditionally been dominated by cash payments, but the pandemic accelerated a huge shift to digital transactions (e.g. a PwC survey shows 53% of Middle East respondents making purchases online).  This change, coupled with public anxiety which left people vulnerable to scams, led to a massive increase in fraud including phishing, online shopping fraud, impersonation fraud, and fake charitable appeals. The UAE, for instance, saw a 250% increase last year in cyberattacks, including phishing and ransomware incidents.

Financial institutions need to respond by re-examining their fraud controls, conducting risk assessments to capture the latest threats, and educating their customers on new risks and typologies.  Informal collaboration or industry groups such as the regional charters of the FinTech FinCrime Exchange can be invaluable here.

Spotlight on digital onboarding and eKYC

Regulators in the Middle East and Africa were already moving towards greater digitisation and use of technology to fight financial crime, and this trend has only been accelerated by the COVID-19 pandemic. In April 2020 the Arab Monetary Fund published a report on ‘Digital Identity and e-KYC Guidelines for the Arab Countries’ to further the debate on adopting digital onboarding tools. Within the Middle East, the UAE and Bahrain have been the national frontrunners. Bahrain launched an eKYC project mandated by the Central Bank of Bahrain in 2019 to facilitate KYC data sharing amongst participating financial institutions, and the project has continued to develop over the course of 2020; the UAE introduced its own eKYC platform, which went live in July last year.

As more and more firms look to digitise their compliance processes against this backdrop of growing official support, care must be taken to select technological solutions which allow firms to reduce any potential risk exposure, and to ensure that their use and integration are properly assessed and re-evaluated on an ongoing basis.

FATF Mutual Evaluation Report on the UAE

One major regional news story in 2020 was the publication of FATF’s critical Mutual Evaluation Report on the UAE’s money laundering and terrorist financing controls.  FATF stated the UAE needed to make “fundamental and major improvements” to its AML/CTF systems, and placed it under a year-long observation to ensure that it is properly implementing its recently adopted laws.

The UAE faced other criticism last year. It was the only GCC state included in a list of 82 major money laundering jurisdictions identified by the US State Department in March. A report from the Carnegie Endowment in July on financial crime in Dubai highlighted a number of risk areas and stated that “Dubai’s prosperity is a steady stream of illicit proceeds borne from corruption and crime.” The investigative and policy organisation The Sentry issued a report in November on how Dubai has become the main destination for illicit gold from Africa.

While the UAE government works to meet FATF requirements over the next 12 months, individual financial institutions need to ensure they have up-to-date risk assessments that reflect the financial crime threats relating to the country highlighted by these external sources, and then align their procedures and controls to address and mitigate the risks.

MEA regulators start to warm up to cryptocurrencies

The growth of cryptocurrency remained relatively low-scale but continued to show promise across both Africa and the Middle East.  Commentators believe the growing level of interest in Africa in particular, and compelling crypto use cases (the instability of fiat currencies and high remittance fees) will force regulators’ hands and encourage the issue of crypto-specific regulations in the near future.  2020 saw the issue of new regulations in Nigeria, South Africa and the UAE, with other jurisdictions such as Kenya and potentially Saudi Arabia likely to follow soon.  The UAE and Bahrain (which issued crypto regulations in early 2019) have both granted licenses to crypto exchanges under the relevant regulations, and currently have a number of crypto companies in their sandbox programmes.

The growing adoption and acceptance of cryptocurrencies in the MEA region will not only require crypto firms themselves to establish robust compliance programmes, but also other companies with potential exposure to them, such as conventional banks.  Crypto is perceived to be a high-risk sector but this does not mean it should be off-limits, and with greater knowledge and training on the associated risks and necessary controls, an increasing number of financial institutions are likely to engage with it in the coming years.

Slow steps towards greater transparency and access to data

Finally, 2020 has seen some positive developments relating to one of the region’s key issues in financial crime compliance, namely transparency and accessibility of data.  A small number of governments have made moves to align themselves with international standards, such as the UAE, Egypt and Kenya, which all introduced new requirements in 2020 for companies to declare their ultimate beneficial owners.  The onus is now on industry bodies to lobby to make all this information public, and on financial institutions to work out how best to integrate these new sources of information into their onboarding, customer risk assessment, and ongoing due diligence processes. Once again, technology is likely to play an increasing role here.

FINTRAIL in 2020

2020 was a key year for FINTRAIL’s coverage of the Middle East and Africa, with the appointment of Maya Braine as managing director, allowing for dedicated coverage and enhancing our understanding and expertise.  We completed several exciting projects with a focus on the region, including an ongoing assignment to provide training to compliance teams across Kenya, Nigeria and South Africa, and the launch of a digital product focusing on the African diaspora.  We also became a Venture Acceleration Partner  of Bahrain FinTech Bay, one of the world’s leading FinTech hubs.  We have ambitious plans for the region in 2021, so watch this space!

If you would like to contact us about any of the topics raised in this article, or about your financial crime compliance needs in the MEA region, please contact maya.braine@fintrail.co.uk. FINTRAIL can assist with performing risk assessments, providing training, implementing RegTech solutions, composing policies and procedures, and designing and reviewing FinCrime controls. For more details on our services, please visit our website.

COVID-19 and the rush to Digital Onboarding

By Jessica Cath (Senior Consultant, FINTRAIL)

In July 2020, FINTRAIL wrote about the hot topic of digital onboarding and how to use Compliance as an enabler to necessary digital transformation.  With much of the world living life from their sofas and managing their day-to-day financial needs from home, COVID-19 had kickstarted a rush for digital onboarding. 

Three months later, as we settle into the new normal, we have an opportunity to reflect on the potential risks of implementing new technologies in challenging circumstances, as well as the opportunity to refine the digital journey going forward.

Successful digital implementation in the long term depends on fully understanding the technology and the associated risks – and how these risks fit within your risk assessment and existing control frameworks.

FIRST IMPRESSIONS MATTER

A streamlined onboarding process is vital for both customers and firms. 

Onboarding is the first opportunity to showcase quality relationship management, build trust with new customers, and demonstrate both efficiency and technological prowess. Onboarding is also expensive and scattered with regulatory requirements, so it is vital for firms to get it right first time and in a short timeframe. 

Digital onboarding can offer solutions. Replacing or refining traditional and often paper-based onboarding channels can speed up the process, improve user experience, reduce costs and - if implemented correctly - enhance compliance with regulatory requirements.

COVID-19 AS AN ACCELERATOR

The arrival of COVID-19 meant that digital onboarding capabilities became a matter of priority. Lockdown measures restricted face-to-face interactions and any paper-based onboarding was effectively halted.

Today, despite the relaxation of restrictions, we still see fewer customers at physical locations and fewer face-to-face interactions. 

We have also seen more customers proactively choosing to use digital channels. Digital experiences during lockdown have increased confidence in technology channels and most customers now expect fast, seamless and digital onboarding.

THE RISK OF RUSHING

Despite the many benefits of digital onboarding, adopting new technology in haste can expose the firm to risks.

Given the challenging circumstances of remote operations and the need to adopt technology at speed, these risks are heightened.

Network and data risks 

Risks to data and network security are particularly high. The pressure to maintain business continuity during COVID-19 may mean that compromises were made. New technology may have been implemented with quick-fix workarounds that fall outside fundamental security principles. With limited time for comprehensive proof-of-concept testing or for building systems that are secure by design, new technology or its integration may have vulnerabilities and leave the firm exposed.

Financial crime risk 

Risk of exposure to financial crime is also high. COVID-19 has proven to be a fertile ground for fraud and cyber-enabled crime. Confusion, misinformation and fear make customers and firms more vulnerable to fraudsters. Any new onboarding technology must be properly configured to the firm’s specific client base in order to effectively mitigate new fraud risks. 

TIPS FOR SUCCESSFUL DIGITAL IMPLEMENTATION

To overcome these challenges, there are several considerations and top tips for successful digital implementation. Ideally these steps would be taken prior to implementation but also offer areas for reflection and refinement if the digital solution is already in place.

1. Understand the technology you are implementing

Fully understand the technology, data flows, security, configurations and the third-party provider themselves. 

The technology should be assessed and reviewed before implementation, with careful consideration given to secure, seamless integration. If workarounds are implemented to enable integration, these should be properly documented with appropriate debate, governance and oversight. Any workaround should also be reviewed periodically and re-assessed with a view to achieving a more permanent solution.

The third-party provider should also be assessed and subject to checks and screening in line with internal policy requirements. These checks should be documented with appropriate sign-off. If any of these checks were fast tracked during the lockdown period, now is the time to review and verify.

2. Ensure the technology fits within your risk appetite 

To ensure long-term success (not just to meet the needs of COVID-19 lockdown), the technology should fit within the firm’s existing risk appetite and wider technology strategy.

Despite the unprecedented circumstances, the Financial Conduct Authority (‘FCA’) made it clear that firms should not deviate from their established risk appetite. In their May 2020 publication on financial crime systems and controls, the FCA stated ‘firms should not seek to address operational issues by changing their risk appetite’. The functionality within any new onboarding solution should be reviewed in line with risk appetite, and any risk decisioning should be documented with appropriate governance and oversight.

Any new digital solutions should also map against the firm’s digital journey in the long-term, instead of being implemented as a quick-fix solution. If there are discrepancies, these should be documented and addressed in the next iteration of the strategy to ensure alignment.

3. Update risk assessments and controls 

Similarly, risk assessments and control frameworks should be updated to reflect the use of new technology. 

Enterprise-wide risk assessments should be reviewed in light of COVID-19 and changing risk scenarios, as well as the implementation of digital solutions. New onboarding solutions may address some of the risk scenarios created by COVID-19 but can also create new risks that may need to be mitigated through other control measures.

For instance, new controls may need to be added to test the platform itself. As part of a digital onboarding solution, a new screening tool may have been integrated for faster sanctions, PEPs and adverse media screening of new customers. The firm must periodically test the screening platform – to verify the outputs and ensure it continues to work as expected, in line with parameters set by the firm’s risk appetite.

4. Ensure proper integration with infrastructure and process

Finally, to get the best out of new digital solutions in the long term, ensure they are fully integrated with both current infrastructure and streamlined processes.

Fully streamlined integration with existing infrastructure often requires comprehensive proof-of-concept testing. With limited time for testing during the COVID-19 lockdown period, there may now be opportunities for refinement – both from an operational and security standpoint.

Firms should also take time to review operational processes sitting alongside the use of onboarding technology, to prevent duplication of process steps or error. New digital onboarding solutions offer opportunities for speed and efficiency, but only if old processes are adjusted and refined.

KEY TAKEAWAYS

  • Digital onboarding solutions can benefit user experience, process streamlining and regulatory compliance, but can also expose the firm to further risks

  • Successful implementation depends on fully understanding new technology and the associated risks - and how these sit within established risk appetite

  • Existing risk assessments, control frameworks and processes should be updated to reflect the implementation of new digital solutions

  • If any technology was implemented in haste for COVID-19 lockdown, now is the time to review and close any gaps!


If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch at: contact@fintrail.co.uk

When you should carry out ongoing Due Diligence and how to remediate gaps

The FINTRAIL and Jumio teams have been discussing why regulated businesses are expected to perform ongoing Due Diligence on clients, why it is important to remediate gaps identified, and the approach businesses should consider when performing this remediation.

In this report you will find examples of the different scenarios when you should consider refreshing your Due Diligence. It also highlights why it is important to remediate gaps and how you should seek to operationalise this process.


On Demand Webinar: How to Implement eKYC & Keep Online Customers Safe

The recent shift towards digitisation has pushed businesses to review their KYC processes, and implement new strategies to protect their customers online.

In this on-demand webinar, Robert Evans, FINTRAIL co-founder, and Claire Galbois-Alcaix at Jumio will discuss:

- The impact of digitisation on businesses and their customers
- The latest risks and compliance challenges
- How to implement a successful eKYC
- Tech innovations that help organisations keep their customers engaged
- Changes to the regulatory landscape and the future of eKYC

As people spend more time online, they leave a digital trail of information that can be used against them if put in the wrong hands. The convergence of online and offline has opened up entire new pathways for fraudsters, money launderers, and identity thieves to assume another person’s identity.

KYC (Know Your Customer) refers to the process of verifying the identity of your customers, either before or during the time when they start doing business with your organisation. With eKYC, businesses are able to perform identity verification and due diligence electronically, but must ensure they have the correct end-to-end identity verification strategies in place.

Rob and Claire will share tips and best practices organisations can follow to simplify their eKYC.