Partners Against Crime: FinTech-Banking Partnerships in the GCC

With particular thanks to Banque Saudi Fransi, First Abu Dhabi Bank, Jingle Pay, Rise, Xpence, and Ziina.

Although the FinTech sector in the GCC has developed significantly in recent years, it is still relatively underdeveloped in global terms and has huge potential for future growth.  One major obstacle often cited by FinTech start-ups is the difficulty of establishing partnerships with incumbent banks.  These are essential since FinTechs generally operate under a bank’s licence rather than obtain their own, and rely on the banks’ payment rails.


However, banks in the GCC are often reluctant to onboard FinTech partners, for both commercial and compliance reasons.  Many are creating their own digital product offerings and see FinTechs as competition.  However, another major issue is the banks’ worry around the financial crime risks posed by customer-facing FinTechs.  In a region already recognised by external parties as high-risk, and facing numerous financial crime threats from money laundering and terrorist financing to sanctions evasion, many banks are reluctant to take on new high-risk business and consider FinTechs to be outside their risk appetite.  


While financial crime considerations are clearly relevant in every region, an additional complication in the GCC is the fact regional banks are concerned about their correspondent banking partnerships, which enable them to transact in foreign currencies.  Widespread derisking has caused many global banks to cut ties with their Middle Eastern counterparts, meaning regional banks can’t endanger their remaining partnerships by taking on new business their partners will deem high-risk.  Effectively, regional banks can’t define their own risk appetite and have to follow that of their international partners.


As well as correspondent banking partners, regional banks must also satisfy increasingly strict local regulators.  The introduction of more rigorous regulations and enforcement by GCC regulators to meet international expectations has resulted in significant de-risking within the GCC itself, with banks terminating relationships rather than accepting and managing the associated risks.  In this environment, signing up new, high-risk FinTech businesses is a tough sell.


However, there are clearly major benefits for both banks and FinTech start-ups to successfully form partnerships with the right counterparts.  The key is for the banks to be comfortable with the FinTechs’ compliance frameworks and controls, and to be able to convince their correspondent partners and local regulators that they have suitable systems in place for assessing and managing the risks associated with these partnerships.  


So in practical terms, what do regional banks and FinTechs need to do?  FINTRAIL has looked in a previous blog at FinTech-bank partnerships in the US, and some key ways the two parties can ensure a successful partnership by aligning risk appetites, expectations, and operating practices.  Many of the key takeaways, such as the need for clear roles and responsibilities, a documented escalation process, and regular communication, are clearly of global relevance and just as important for GCC firms as those elsewhere in the world.  


In addition, to address the specific challenges in the GCC, regional banks should ensure they can demonstrate the following:

  1. A clearly defined risk appetite for FinTech partnerships and the type of business and levels of associated risks the bank is happy to accept

  2. Tailored onboarding and customer risk assessment processes for FinTechs, to ensure the bank fully understands the risks of each relationship and manages them accordingly, with the appropriate level of due diligence

  3. Special due diligence controls designed for FinTechs, such as nuanced AML questionnaires, onsite visits, and bespoke transaction monitoring, to give the bank insight into its partner’s compliance controls and activity


Regional banks should also seek to educate their correspondent partners on the local regulatory environment, such as FinTech licensing requirements and local KYC regulations, to help them better understand the true nature of the underlying customers.  This could help dispel misconceptions about the level of risk posed.


Ultimately, there is no doubting the potential of the FinTech sector in the GCC, and the opportunity for all parties to benefit.  Regional banks recognise that FinTechs are shaking up the industry and forcing innovation in terms of product offerings and customer service.  Digitising their own offerings will only go so far towards meeting this challenge, and partnering with the right start-ups will offer them the chance to benefit themselves from this innovation.  Especially given the current economic situation in the region, the prospect of new revenue streams is not easy to dismiss.  Banks who can think creatively about how to manage the compliance risks associated with FinTech partnerships and can demonstrate a rigorous programme to their own internal stakeholders and to external partners stand to make tremendous gains.


FINTRAIL has experience working on both sides of the table helping FinTechs and their partner banks manage financial crime risks. We can assist by helping banks determine their risk appetite and design robust onboarding and ongoing monitoring programmes for FinTech partners, and by performing assessments of FinTechs’ financial crime exposure and compliance programmes and controls.

If you’d like to learn more, please contact Maya Braine, MD for Middle East and Africa, or email us at: contact@fintrail.co.uk.

FINTRAIL Monthly REG-CAP Oct 2020

FINTRAIL is producing a monthly regulatory summary of any FinCrime changes that may be occurring in Europe and beyond.

This one pager will cover:

  1. Key updates from global and local regulators

  2. Key updates from industry guidelines

  3. Additional insights identified from financial intelligence units

October 2020

In October’s issue, we cover FATF’s response to Weapons of Mass Destruction proliferation financing.


Other highlights include the INTERPOL-EUROPOL 8th cybercrime conference and the removal of Sudan from the US sanctions list.

What other regulations changes caught your eye in October?

If you are interested in speaking to the FINTRAIL team about any of the items in the REG-CAP, have any ideas for inclusion or want to discuss any other financial crime topic please get in touch at: contact@fintrail.co.uk

Case Study: Digitisation Support

Designing Financial Crime Compliance Programme for Africa-Focused Digital Product

A case study of how FINTRAIL helped an international banking group launch a new digital product, by designing an innovative, tech-focused financial crime compliance programme.

See how FINTRAIL designed bespoke policies and procedures, processes for customer onboarding and ongoing monitoring, to ensure full regulatory compliance, effective risk mitigation, and great customer experience.

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

COVID-19 and the rush to Digital Onboarding

By Jessica Cath (Senior Consultant, FINTRAIL)

In July 2020, FINTRAIL wrote about the hot topic of digital onboarding and how to use Compliance as an enabler to necessary digital transformation.  With much of the world living life from their sofas and managing their day-to-day financial needs from home, COVID-19 had kickstarted a rush for digital onboarding. 

Three months later, as we settle into the new normal, we have an opportunity to reflect on the potential risks of implementing new technologies in challenging circumstances, as well as the opportunity to refine the digital journey going forward.

Successful digital implementation in the long term depends on fully understanding the technology and the associated risks – and how these risks fit within your risk assessment and existing control frameworks.

FIRST IMPRESSIONS MATTER

A streamlined onboarding process is vital for both customers and firms. 

Onboarding is the first opportunity to showcase quality relationship management, build trust with new customers, and demonstrate both efficiency and technological prowess. Onboarding is also expensive and scattered with regulatory requirements, so it is vital for firms to get it right first time and in a short timeframe. 

Digital onboarding can offer solutions. Replacing or refining traditional and often paper-based onboarding channels can speed up the process, improve user experience, reduce costs and - if implemented correctly - enhance compliance with regulatory requirements.

COVID-19 AS AN ACCELERATOR

The arrival of COVID-19 meant that digital onboarding capabilities became a matter of priority. Lock down measures restricted face-to-face interactions and any paper-based onboarding was effectively halted. 

Today, despite the relaxation of restrictions, we still see fewer customers at physical locations and fewer face-to-face interactions. 

We have also seen more customers proactively choosing to use digital channels. Digital experiences during lock down have increased confidence in technology channels and most customers now expect fast, seamless and digital onboarding.

THE RISK OF RUSHING

Despite many benefits of digital onboarding, rushing into new technology can expose the firm to risks – particularly if new technology is implemented in haste.

Given the challenging circumstances of remote operations and the need to adopt technology at speed, these risks are heightened.

Network and data risks 

Risks to data and network security are particularly high. The pressure to maintain business continuity during COVID-19 may mean that compromises were made. New technology may have been implemented with quick-fix workarounds outside of the fundamental security principles. With limited time for comprehensive proof-of-concept testing or securing systems-by-design, new technology or its integration may have vulnerabilities and leave the firm exposed.

Financial crime risk 

Risk of exposure to financial crime is also high. COVID-19 has proven to be a fertile ground for fraud and cyber-enabled crime. Confusion, misinformation and fear make customers and firms more vulnerable to fraudsters. Any new onboarding technology must be properly configured to the firm’s specific client base in order to effectively mitigate new fraud risks. 

TIPS FOR SUCCESSFUL DIGITAL IMPLEMENTATION

To overcome these challenges, there are several considerations and top tips for successful digital implementation. Ideally these steps would be taken prior to implementation but also offer areas for reflection and refinement if the digital solution is already in place.

1. Understand the technology you are implementing

Fully understand the technology, data flows, security, configurations and the third-party provider themselves. 

The technology should be assessed and reviewed before implementation, with careful consideration given to secure, seamless integration. If workarounds are implemented to enable integration, these should be properly documented with appropriate debate, governance and oversight. Any workaround should also be reviewed periodically and re-assessed with a view to achieving a more permanent solution.

The third-party provider should also be assessed and subject to checks and screening in line with internal policy requirements. These checks should be documented with appropriate sign-off. If any of these checks were fast tracked during the lockdown period, now is the time to review and verify.

2. Ensure the technology fits within your risk appetite 

To ensure long-term success (not just to meet the needs of COVID-19 lock down), the technology should fit within the firm’s existing risk appetite and wider technology strategy. 

Despite the unprecedented circumstances, the Financial Conduct Authority (‘FCA’) made it clear that firms should not divert from established risk appetite. In their May 2020 publication on financial crime systems and controls, the FCA stated ‘firms should not seek to address operational issues by changing their risk appetite’. The functionality within any new onboarding solution should be reviewed in line with risk appetite, and any risk decisioning should be documented with appropriate governance and oversight. 

Any new digital solutions should also map against the firm’s digital journey in the long-term, instead of being implemented as a quick-fix solution. If there are discrepancies, these should be documented and addressed in the next iteration of the strategy to ensure alignment.

3. Update risk assessments and controls 

Similarly, risk assessments and control frameworks should be updated to reflect the use of new technology. 

Enterprise-wide risk assessments should be reviewed in light of COVID-19 and changing risk scenarios, as well as the implementation of digital solutions. New onboarding solutions may address some of the risk scenarios created by COVID-19 but can also create new risks that may need to be mitigated through other control measures.

For instance, new controls may need to be added to test the platform itself. As part of a digital onboarding solution, a new screening tool may have been integrated for faster sanctions, PEPs and adverse media screening of new customers. The firm must periodically test the screening platform – to verify the outputs and ensure it continues to work as expected, in line with parameters set by the firm’s risk appetite.

4. Ensure proper integration with infrastructure and process

Finally, to get the best out of new digital solutions in the long term, ensure it is fully integrated with both current infrastructure and streamlined processes.

Fully streamlined integration with existing infrastructure often requires comprehensive proof-of-concept testing. With limited time for testing during the COVID-19 lock down period, there may now be opportunities for refinement – both from an operational and security standpoint.

Firms should also take time to review operational processes sitting alongside the use of onboarding technology, to prevent duplication of process steps or error. New digital onboarding solutions offer opportunities for speed and efficiency, but only if old processes are adjusted and refined.

KEY TAKEAWAYS

  • Digital onboarding solutions can benefit user experience, process streamlining and regulatory compliance, but can also expose the firm to further risks

  • Successful implementation depends on fully understanding new technology and the associated risks - and how these sit within established risk appetite

  • Existing risk assessments, control frameworks and processes should be updated to reflect the implementation of new digital solutions

  • If any technology was implemented in haste for COVID-19 lockdown, now is the time to review and close any gaps!


If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch at: contact@fintrail.co.uk

When you should carry out ongoing Due Diligence and how to remediate gaps

The FINTRAIL and Jumio teams have been discussing why regulated businesses are expected to perform ongoing Due Diligence on clients, why it is important to remediate gaps identified, and the approach businesses should consider when performing this remediation.

In this report you will find examples of the different scenarios when you should consider refreshing your Due Diligence. It also highlights why it is important to remediate gaps and how you should seek to operationalise this process.

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

FINTRAIL Monthly REG-CAP Sep 2020

FINTRAIL is producing a monthly regulatory summary of any FinCrime changes that may be occurring in Europe and beyond.

This one pager will cover:

  1. Key updates from global and local regulators

  2. Key updates from industry guidelines

  3. Additional insights identified from financial intelligence units

September 2020

In September’s issue we cover FATF’s report identifying red flag indicators of money laundering and terrorist financing through the use of virtual assets.


Other highlights include new UK sanctions issued against Alexander Lukashenko and his associates following election rigging in Belarus, and some interesting new insights from Companies House on additional controls being brought in to help fight fraud and money laundering.

What other regulations changes caught your eye in September?

If you are interested in speaking to the FINTRAIL team about any of the items in the REG-CAP, have any ideas for inclusion or want to discuss any other financial crime topic please get in touch at: contact@fintrail.co.uk

FinTech Approaches to Sanction Regimes

Announcing Expert Working Groups and Topic 1: Sanctions compliance

The FFE have kicked off a series of topical roundtable discussions among industry leaders, with the aim of connecting senior decision makers to discuss their own internal approaches to common challenges. These Expert Working Groups are under Chatham House Rule, with FINTRAIL acting as secretariat to facilitate discussion amongst experts. Thanks to RDC and RUSI, too, for providing expert insights alongside our FinTech experts.

Our first Expert Working Group focused on FinTech approaches to sanctions regimes, and gathered 18 sanctions experts from 8 different FinTech industries. After just two in-depth sessions, we were able to glean insight on best practices that we hope you find useful when benchmarking your own approach. 

As a sneak peek into some of those insights:

  • Around 30% of the FinTechs we spoke with have a sanctions-specific risk assessment to support their risk-based approach, with several more working to create one.

  • Unanimously, Expert Working Group participants are typically using conservative (or even very conservative) fuzzy matching thresholds ranging from 70%-85%, especially compared to industry averages closer to 85%-92%.  

  • C-Suite and board members are increasingly expected to have sight of the Sanctions program and/or Sanctions-specific policies, vs. just the broader Compliance or Anti-Money Laundering program.

Check out the full report for more, and reach out to us at ffe_admin@fintrail.co.uk to share any insights of your own. And be sure to stay tuned for further Expert Working Group insights!

ON DEMAND: ComplyAdvantage Webinar - The Rise of Money Muling

*** Now available on demand ***

ComplyAdvantage Webinar banner: The Rise of Money Muling, with Charles Delingpole Founder and CEO of ComplyAdvantage, Gemma Rogers, Co-FOunder at FINTRAIL, Tom Keatinge, Director, Centre for Financial Crime and Security Studies (CFCS) at The Royal U…

Due to rapidly changing global circumstances, high unemployment and uncertainty surrounded the future, money muling is tragically on the rise.

It is a crime that often disproportionately affects the most vulnerable and financially illiterate. Criminals involved in money muling often survive by tricking ‘clean’ individuals with no criminal history but who is ultimately responsible for educating and helping to prevent this insidious form of money laundering: individuals, banks, governments, regulators, social media platforms?

Join our expert panel including:

  • Charles Delingpole, Founder & CEO, ComplyAdvantage

  • Gemma Rogers, Co-Founder, FINTRAIL

  • Tom Keatinge, Director, Centre for Financial Crime & Security Studies, RUSI

  • Adam Hadley, Director, Tech Against Terrorism

In this thought-provoking webinar, the panel will be exploring:

  • The role that social media platforms play in recruitment, advertisement, and propagation

  • Why this issue deserves urgent and serious attention now

  • What the financial services sector and the regulator is and should be doing to stop money muling

FINTRAIL Monthly REG-CAP Aug 2020

FINTRAIL is producing a monthly regulatory summary of any FinCrime changes that may be occurring in Europe and beyond.

This one pager will cover:

  1. Key updates from global and local regulators

  2. Key updates from industry guidelines

  3. Additional insights identified from financial intelligence units

If you are interested in speaking to the FINTRAIL team about any of the items in the REG-CAP, have any ideas for inclusion or want to discuss any other financial crime topic please get in touch at: contact@fintrail.co.uk

ON DEMAND: FINTRAIL- Elliptic Cryptoasset Compliance Virtual Bootcamp

***NOW AVAILABLE ON DEMAND***

For financial crime compliance professionals, cryptoassets are one of the hottest topics around. With regulators and global watchdogs like the Financial Action Task Force zeroing in on cryptoassets, any compliance team that isn’t educated on cryptoassets has a major blind spot. 

Cryptoassets are no longer a fringe financial technology: cryptoassets have a total market value of more than $250 million; bitcoin is among the top ten currencies globally in terms of the overall value of banknotes and coins in circulation; and over $500 billion flows between the banking sector and cryptoasset businesses annually. Cryptoassets are now a feature of the financial landscape. This exciting technology presents both compliance challenges and business opportunities for teams not only at cryptoasset businesses, but also for banks and FinTechs who can no longer ignore this burgeoning asset class.  

That’s why we’re partnering with the team at Elliptic to launch our first ever cryptoasset compliance virtual bootcamp. Originally launched on 30 June 2020, this online bootcamp is one we’ve designed to assist banks, FinTechs, and cryptoasset firms alike in identifying strategies for managing financial crime risks in this new phase of cryptoassets. We’ve launched this initiative to help compliance teams in their journey, and to educate and ensure the wider regulated sector understands the cryptoasset industry, how it may affect their business, and how best to practically address the risks while harnessing new opportunities. The bootcamp focuses on how your business can apply an effective risk based approach towards cryptoassets. This ensures the highest risks to your business are the focus of your compliance efforts, with less impactful risks sitting lower down the priority list. 

Led by FINTRAIL’s Danielle Jukes and Elliptic’s David Carlisle, and featuring guest speakers from around the financial crime compliance space, this complementary virtual bootcamp will include three engaging sessions across June and July. Each session will focus on the key pillars that we see as vital to a strong cryptoasset financial crime risk management framework. Content for the sessions will include: 

SESSION 1: CRYPTOASSET RISKS . . . WHAT’S YOUR APPETITE? 

Effective risk management starts by defining your risk appetite. If you are a cryptoasset business, have you articulated to your staff which risks you’re willing to accept? For example, are there certain countries that present especially high cryptoasset risks and with which you won’t do business? And if you are a FinTech or bank, have you clearly defined what degree of interaction your business will or won’t have with cryptoassets, and do your staff understand how to ensure adherence to that risk appetite? Until you’ve defined your risk appetite, you can’t expect your compliance team to develop an effective response. In this session, we’ll provide you with a conceptual framework for defining your cryptoasset risk appetite and using that foundation for effective risk management.

  • Key takeaways: an understanding of how you can develop a risk appetite statement on crypto, and how it can affect your business, relevant examples of statements related to cryptoassets.

SESSION 2: ASSESSING AND GETTING TO GRIPS WITH THE FINCRIME RISKS:

Cryptoassets present specific financial crime risks and feature heavily in some typologies more than others. Understanding these risks and executing a crypto-specific risk assessment is critical to managing risk exposure, whether your platform offers cryptoasset services directly or not. If you are a cryptoasset business, do you understand which fincrime typologies present the highest risks to your platform? Do you offer privacy coins or other services that may present an elevated risk to your profile? If you are a FinTech or bank, while you may not offer cryptoasset services, do you understand crypto-specific typologies that may expose your business to indirect cryptoasset risks that are sometimes very difficult to detect? This session will equip you with the know-how you require to conduct an effective cryptoasset risk assessment for your business. 

  • Key takeaways: an understanding of different types financial crime risks, how they present themselves within cryptoassets, and how your business can assess these risks.

SESSION 3: SYSTEMS AND CONTROLS - MANAGING YOUR CRYPTOASSET RISKS IN PRACTICE 

Managing cryptoasset risks requires access to systems and controls that can detect and protect against bespoke risks. Your compliance team should be working to solve the following questions:.

  • For cryptoasset businesses, do you have access to these bespoke cryptoasset monitoring tools tools, and are they configured appropriately to your business needs? 

  • For banks and fintechs, are you able to detect and assess risks related to counterparties who may be dealing in cryptoassets? Solutions exist that can enable you to do so, but they require expertise your business may not possess. 

  • Filing SARs and undertaking reporting obligations related to cryptoassets can present specific challenges. Are you equipped to navigate these challenges? 

  • Key takeaways: an understanding of what systems and controls are out there, and how they can fit into your wider anti-financial crime framework.

This bootcamp will help your compliance team work through these and other questions, and in doing so, will empower you to execute on a vital component of your financial crime risk management framework. If these three pillars are executed effectively, then your compliance team can confidently tackle the risks associated with cryptoassets. 

You don’t want to miss out on this opportunity to learn from FINTRAIL and Elliptic’s experts in cryptoasset compliance.

How to conduct Customer Risk Profiling in the Gaming Industry

Regulations and Guidance

As part of the regulated sector within the UK, those in the gambling sector classified as remote or non-remote operators, are required to meet their obligations within the Money Laundering Regulations 2017. One of these requirements is to assess the level of risk a client may represent to the business and apply appropriate due diligence to match that risk. 

The Gambling Commission, in its industry guidance for the prevention of money laundering and combating the financing of terrorism under section 6.2, also highlights the need for operators to perform risk profiling against its customers.  

Paragraph 6.2 from the Gambling Commission’s industry guidance for the prevention of money laundering and combating the financing of terrorism.

What does this mean practically?

Having a clear understanding of the inherent financial crime risk within the business is important. This is likely to be already done through a risk assessment process but when thinking about financial crime in the gambling sector the most prevalent risks are probably fraud or traditional money laundering. 

An example could look like:

A table of financial crime inherent risk ratings with levels for the gambling industry

Once the inherent financial crime risk is understood, it allows for better context of what risks the operator may be exposed to and subsequently what needs to be considered when assessing the risk of the customer. 

Consideration can then be made on the data points used which would initially be obtained through the registration process and any due diligence information collected. Whilst data points like country are still important, given that the key financial crime risk may be fraud, operators may wish to consider additional data points such as the email address, phone number or device to be included.

Now the data points have been established, in line with the inherent financial crime risks, an operator can consider how the scoring itself will work. Whilst you may think a complex risk profiling model is best, that may not be the case as it needs to be scalable, easily modifiable and explainable to the regulators.

Finally once the scoring is complete, ensuring you map the output to your due diligence process is the final step. This will enable an operator to offer a lower friction process for lower risk customers whilst still being able to identify higher risk customers allowing the application of enhanced due diligence. 

Dynamic Model

The profiling of an operator’s customers shouldn’t stop at onboarding though. In order to operate an effective customer risk profiling model which meets the regulatory requirements, mitigates the risk of financial crime and protects customers from harm from a responsible gambling perspective, operators should ensure it is dynamic. This means that rather than just using the data collected at onboarding to assess the customers risk, operators should use data collected from how the customer interacts with the product and also any additional due diligence obtained.  

Responsible Gambling

It is no surprise that some of the more recent fines coming from the Gambling Commission relate to operators failure to protect its customers from a responsible gambling perspective alongside failures to have appropriate controls to guard against money laundering.

In May the Gambling Commission published tighter measures to be implemented by operators, as part of their COVID-19 response, to protect their customers during lockdown. These measures include various points on assessing their clients:

  • Review thresholds and triggers for new customers to reflect the operator’s lack of knowledge of that individual’s play and spend patterns

  • Conduct affordability assessments for individuals picked up by existing or new thresholds and triggers which indicate consumers experiencing harm - limiting or blocking further play until those checks have been concluded and supporting evidence obtained, and;

  • Implement processes that ensure the continual monitoring of their customer base – identifying patterns of play, spend or behaviours have changed in recent weeks.

Responsible gambling has strong links to financial crime with various cases documented being linked to those who were using stolen funds to spend. This means that responsible gambling is an important risk factor to be included within any operator's customer risk profiling model alongside the traditional financial crime risks mentioned above. Data points for consideration could be methods of payment, deposits and behavioural patterns.

If operator’s continue to ineffectively implement custom risk assessment models, and choose to not include a responsible gambling aspect, we can only expect more fines to be issued in the near future for both responsible gambling and money laundering failures.


How to approach creating a new customer risk assessment model

Here are FINTRAIL and TruNarrative’s key takeaways when considering a customer risk profiling model:

  • Understand the inherent risk your customers represent to the business

  • Ensure you select the correct data points unique to your clients and product offering

  • Make sure the risk profiling is dynamic and doesn’t just stop once the customer is onboarded

  • Consider the inclusion of responsible gambling within your customer risk profiling 

  • Marry your due diligence process to your customer risk profiling

  • Take into consideration how you would implement your model using technology providers like TruNarrative to ensure if a players risk or behaviour changes, you get an instant alert and action

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch with the team at: contact@fintrail.co.uk

This article is also available via TruNarrative’s website.

How to use Compliance as an enabler in Digital Transformation

Digital transformation for onboarding is a hot topic at the moment, given that much of the world is currently living their life from their sofas and managing their day-to-day financial needs from home. Having worked on transformation projects before with traditional FI’s, alongside assisting various FinTechs in the creation of new digital offerings, we at FINTRAIL thought it would be a good opportunity to move the spotlight onto compliance, and fly the financial crime flag by discussing some of the common misconceptions.

 

Front end change is just the tip of the iceberg

The ‘tip of the iceberg’ cliche has never been more appropriate when it comes to describing common misconceptions towards digital transformation. The main message is that a good user experience isn’t solely dependent on a minimal field registration journey, and that there are other components that need to be considered which the customer can’t see. Getting these components implemented effectively are equally as important and the focal point is our good friend - ‘a risk-based approach’. Having a robust risk-based approach can be the key for a slick user experience and dictate your approach to CDD, custom screening and risk management, enabling you to target your controls on your highest risk areas.

Image of front end change is the tip of the iceberg. Registration depicted above water, while the rest of the compliance processes depicted underwater as the main body of the iceberg

Less is more

It would be logical to assume that the less information you collect from your customer the better, and that allowing a customer to sign up by just inserting an email and password will drive your Trustpilot reviews through the roof. Ignoring the fact that this probably doesn’t actually meet your ID&V requirements, we would like to suggest that less isn’t always more. By creating a shortened registration process you may well get more sign ups, but if you subsequently need to perform downstream due diligence to address gaps, you could be creating a poor user experience further down the line, perhaps even in a critical situation when dealing with a vulnerable customer whose account has been frozen and they need urgent access to funds.  We don’t necessarily mean your registration process should be 100 fields deep across 10 pages but there is certainly a happy medium. 


Business enabling Anti-Financial Crime (AFC)

A common misconception is that financial crime compliance can be the blocker when it comes to innovation in these projects. It probably comes as no surprise that we at FINTRAIL would offer a healthy challenge to those naysayers. 

So, you are 6 months into your digital transformation project, it’s all on JIRA (other platforms are available) or you have a lovely Gantt chart. You have lined up all your sprints and it suddenly occurs to you that you should speak to your compliance team. After 45 minutes debriefing your compliance team, they have a bunch of questions and recommendations before you can move the project forward, resulting in you putting a big red “Stuck” against it. While you may have translated this into a no, these recommendations do not necessarily mean no, and even if it is a no, is that really surprising considering you have only introduced them as stakeholders so late on? Obviously we are focusing on the negatives here to emphasise our point and the above is certainly not a reflection on most businesses’ these days.

Some of the most successful projects we have been part of are the ones where AFC stakeholders have been included as part of the journey rather than just at sign off. There is a new breed of financial crime professionals who want to be viewed as business enablers and able to offer a great user experience as much as the next product owner.

A RACI (responsible, accountable, consulted, informed) matrix is often used in project delivery to divvy up people’s roles. With that in mind your approach may have been previously to assign compliance a consulted duty, but we would encourage you to increase their involvement in order to reduce blockers downstream and increase compliant innovation.

RACI project management chart with Compliance/financial crime function moved from consulted to responsible/accountable

Being a Compliance Champion

Equally it is not just the business that needs to take ownership of transformation, it can also be the fincrime function itself. Embracing change has never been more important in a digital enabled world and as fincrime professionals we should be just as excited by these new developments. Whether it is the implementation of a new due diligence process or screening programme, don’t be afraid to rip up the policy and start again. There is no reason why the financial crime team cannot be the driver for change.

Build, Buy or Both?

Like the ‘tip of the iceberg’, ‘build or buy’ is also becoming a bit of a cliche. What we do know is that you will likely need to partner with some technology providers in order to achieve your future state goals. Equally, even if you partner with someone, there will be an element of building that goes hand in hand. There are a variety of great providers available with a range of capabilities but we would like to reposition the ‘build or buy’ question. No single provider will solve all of your needs, and equally, to build everything in house isn’t logical when there are specialist systems available. This potentially means that the ‘build or buy’ question is a goose chase and in fact an amalgamation of the two is the best approach to adopt. 

Takeaways

Here are our top takeaways to be a compliance champion when it comes to digital transformation:

  • User experience does not stop on the physical registration page; it continues throughout the customer lifecycle

  • Less is not always more when it comes to identification programmes

  • Treat your compliance/ fincrime team as business enablers, engaging them in discussions earlier

  • Answer your build, buy or both question

  • A risk-based approach marries itself perfectly with transformation projects

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic please get in touch at: contact@fintrail.co.uk

Partners Against Crime: Building Strong Partnerships on the AML Frontlines

It is safe to say that the US FinTech market has hit its stride. Global FinTech funding soared past $34 billion last year, and the US makes up around half of the global FinTech market. More and more consumers are turning to FinTech products to transform the way they manage their finances, paychecks, loans and insurance. With COVID-19 keeping us all socially distanced for the time being, the move toward digital finance is only going to pick up more steam. 


But the FinTech sector isn’t built on standalone infrastructure. As Banks attempt to stay on the forefront of innovation and as FinTechs seek the regulatory and compliance infrastructure they require, FinTech/Bank partnerships have become the new normal. This has been particularly important for the growing internationalization of FinTechs - as successful European FinTechs seek to cross the pond, having a legacy partner helps them gain a foothold.


These partnerships can take a variety of different forms - though for the sake of this piece, we’re going to focus on community banks that handle the banking back end of FinTech products, such as holding FinTech customer deposits and ensuring they are FDIC-insured or offering for benefit of (FBO) accounts to FinTech MSBs. As part of these relationships, FinTechs end up not directly regulated, and it’s up to the partner to ensure the FinTech remains compliant with BSA regulations. This means that banks have to be careful to select the right possible FinTech partners, and the same goes for FinTechs! Wirecard’s recent collapse, which has sent FinTechs all over the world scrambling for new partners, particularly highlights the level of overall due diligence and care that is needed when forming and sustaining a banking partner relationship.


What Happens When It Doesn’t Work Out?

We’ve seen first hand how FinTechs and their partners are pushing forward to innovate not just on customer-driven financial services, but also on financial crime prevention. However, the risks of getting partnerships wrong still need to be taken seriously and inform a firm’s approach to stakeholder management. 


So what does it look like when things go wrong? 

For some FinTechs, it means not getting very far. US partner banks tend to have steep compliance requirements and expectations - that means being able to demonstrate your BSA/AML compliance capability up front through risk assessments, policies and procedures, training, and effective control integration. Partner banks like Cross River weed out the majority of prospective FinTech partners due to the amount of compliance required. For FinTechs, failing to get a partner bank relationship set up can mean the difference between a successful funding round and going back to the drawing board. For European FinTechs and other international players with their eyes set on the US market, failing to obtain a banking partner due to compliance reasons could potentially shut off millions of new customers and dramatically set back scaling plans. 


A few bad actors could also risk the current environment of strong partnerships. Across-the-board de-risking of correspondent banking illustrates what can happen when the difficulties managing AML/CTF controls within a partner relationship cannot be prudently resolved.


The picture isn’t great for partner institutions either. Building out relationships with the FinTech sector is becoming a profitable lifeline for institutions looking for ways to innovate and reach new client segments outside of their traditional stomping grounds; turning off the taps can obviously have an impact. And on the compliance side, as FinCEN expects financial institutions to ensure the compliance of their FinTech partners, failure to do so could risk steep fines and penalties. 


In fact, one of the most frustrating obstacles to successful partner bank/FinTech relationships can be the current regulatory landscape, according to Robin Garrison, VP of Compliance at MainStreet Bank, who presented on making the most of partner bank relationships at the FinTech FinCrime Exchange (FFE). Certain regulators can hold traditional and sometimes out-of-date perspectives on risk and financial crime - and the absence of a unified approach between different US regulators (the Office of the Comptroller of Currency (OCC), for instance, has been much more proactive in supporting FinTech innovation than some of their counterparts), can only add complication. To really get the regulator onboard, Robin added, it’s important for FinTechs and their partner banks to work together to ensure appropriate testing has been done to evidence to the regulator that any financial crime risks are being appropriately mitigated.


Even if a FinTech and partnering bank do succeed in getting a relationship off the ground, poor relationship management can hinder positive efforts to prevent financial crime. High volumes of manual work, a lack of knowledge on how the other party is operating, and long delays in communication can mean that even if a partnership looks successful on the outside, it may still be struggling with balancing financial crime compliance and customer experience. 

How Do You Make It Work?

Looking at the risks involved with setting up a successful partnership, it’s no wonder that it can be difficult for a startup to break into the FinTech space or for a legacy institution to take the leap into a new relationship in a digital world. But there are plenty of examples of where partnerships have taken off. What are they getting right? 


1. They set a strong foundation. 

This is something that features in all of the industry reading on how to make the most of a partner bank relationship. And that really is relevant here too! If you don’t have a strong, open, and transparent partnership in other parts of the business - such as making sure your financials are sorted and growth strategies are aligned - then it’s going to be difficult to build a relationship that allows you to successfully fight financial crime. In fact the best approach to building a positive relationship is to ensure that BSA/AML compliance isn’t segregated. From day one, compliance should be considered as an integral building block in wider relationship management efforts. This will ensure it doesn’t come back to bite once the relationship progresses on the commercial side.


Strong, positive foundations also go beyond shared values. Robin left FFE members with an important message about selecting the best banking partner. “Don’t go with the first partner bank willing to accept you. It can be very difficult to ensure that your data can be fed into and processed by your partner bank, so think about how well your technical systems will integrate when picking your banking partner.” Without aligned systems, anti-financial crime processes become a greater operational burden, and it becomes far more difficult for the partner bank to have the information they need in order to conduct robust assurance on the activity of their FinTech partners.


2. They establish clear roles and responsibilities.

Establishing clear roles and responsibilities is important for any business relationship, but it’s especially important from a financial crime perspective. When laying out the contractual arrangement, FinTechs and partner banks should try to agree up front and in writing who will be responsible for which part of the BSA/AML control framework and who the key points of contact are. 


For example, does the partner bank need to review all KYC files on a FinTech’s new customers before they onboard, or will the partner bank perform assurance on the KYC process through periodic (e.g. quarterly) spot checks? If the FinTech is managing KYC, who should they talk to about trialling a new ID verification provider? Who will be responsible for OFAC screening at onboarding, throughout the business relationship, and for customer screening? To what extent should the FinTech establish their own transaction monitoring tool? Or will they be able to rely on the TM system offered by the partner bank?


There may be circumstances where the partner bank and FinTech relationship is so intertwined that setting rigidly defined roles and responsibilities just isn’t feasible. Anthony Jerkovic, Head of Data & Risk at Bank Novo, explained that, in Bank Novo’s partner banking relationship, roles and responsibilities often require a certain level of flexibility in order to effectively address the dynamic problems faced day-to-day. “If everyone touches a case, it is hard to precisely draw the lines of responsibility. Instead, we focus on close communication and working together and try to see them as an extension of our own team.”


If partnering firms aren’t able to develop a close working relationship or meaningfully outline roles and responsibilities, problems will inevitably arise. At best, it may take longer for both parties to process financial crime-related tasks, such as the investigation of unusual or suspicious activity, but at worst, serious financial crime cases could go undetected, as no one was formally designated as being responsible for identifying red flags.



3. They have a clear escalation process.

As part of laying out a clear delineation of roles and responsibilities, partner banks and FinTechs should also work together to establish clear escalation paths. The goal is to determine when the hand off happens and how. A lot of this will come down to the partner bank’s risk appetite, as they are the ones ultimately liable for any financial crime activity that occurs. But depending on the relationship, there may be certain activities that the FinTech can respond to without immediately escalating to their partner bank.


For example, one partner bank may be comfortable with a FinTech making a decision on whether to accept a customer with an adverse media finding against them, while another partner bank may require all adverse media hits to be escalated to their compliance team for review. 


Let’s look at another example, which illustrates how escalation and communication paths work both ways. For instance, if a FinTech is doing their own customer screening, they may be expected to escalate all confirmed PEPs to the partner bank for approval prior to the start of any business relationship but only do so after clearing the alert and requesting necessary due diligence documents on source of wealth and source of funds. By contrast, if the partner bank does the customer screening, they may have to reach out to the FinTech to communicate with the customer to obtain EDD documentation.


Without getting the escalation process right, FinTechs and partner banks will run into the same problems as with roles and responsibilities - difficulty maintaining BSA/AML compliance and operating effectively. 

4. They regularly communicate on all things fincrime. 

The whole goal of outlining roles and responsibilities as well as escalation paths is to ensure that communication on financial crime issues remains robust throughout the partnership. This is especially important when both parties are closely involved in day to day financial crime operations. Without close communication, unusual customer activity can’t be investigated quickly, leaving funds suspended in a way that can damage a customer’s experience if they’re innocent. Given how quickly funds can move in and out of a FinTech account, without close cooperation, a partnership may fail to stop significant volumes being laundered through an account. 


Samuel Peters, BSA Manager at Middlesex Federal, Bank Novo’s partner bank, highlighted that “especially when dealing with those in traditional banking, communication is key.” Depending on the nature of the relationship, frequent and regular touchpoints may be needed, even multiple times per week. Though, Samuel also flagged that it was important to ensure that both FinTechs and their partner banks understood that there would always be some level of risk involved in the arrangement. “Traditional banks and FinTechs are going to have different risk appetites; regular and open communication is the best way to help close the gap.”


Of course, there are also regulatory expectations with regards to reporting. Partner banks are currently expected to file a suspicious activity report (“SAR”) within 30 days of the initial detection of the suspicious activity, provided there’s a suspect. This means that the FinTech has to move quickly to escalate any unusual activity and work closely to support any investigation from the partner bank in order to meet the deadline. 


Even in cases where FinTechs are given a good degree of autonomy, they should still work closely with their partner bank to ensure that both remain on the same page in terms of risk appetite. This means keeping the partner bank up to date on any new product developments, target customer segments, and geographic expansion plans, as all of these would impact the FinTech’s financial crime risk profile. 


What Next?

FinTech relationships with partner banks aren’t going away and do come with their share of risks. But through successful stakeholder management efforts taken with a fincrime focus, both parties can work together to stop criminals exploiting the US financial ecosystem.

We have experience working on both sides of the table to help FinTechs and their partner banks manage financial crime risks. If you’d like to discuss this more, please contact our US team or email us at: contact@fintrail.co.uk

The Payment Services Act - A unique risk based approach to regulation or an overly complicated set of standards?

In January 2020 the anticipated Payments Services Act (‘PSA’) came into force in Singapore. According to the Monetary Authority of Singapore (‘MAS’) the act is:

 

“A forward looking and flexible framework for the regulation of payment systems and payment service providers in Singapore. It provides for regulatory certainty and consumer safeguards, while encouraging innovation and growth of payment services and FinTech.”

 

In this paper we look to understand:

  • the genesis of the PSA

  • what approach has been taken to licensing new payment methods

  • what are the differences to the approach taken in Europe, and

  • whether the implementation of the PSA in Singapore will succeed in promoting innovation

Why Virtual Asset Service Providers in South Korea Must Act Now

South Korea remains the third-largest market for virtual currency, behind the United States and Japan. During the Bitcoin bull run of 2017, an estimated 1 in 3 office workers owned cryptocurrencies.

This crypto gold rush existed alongside limited regulatory oversight which created a fertile breeding ground for exploitation. This is evidenced through numerous controversies including  exit scams, exchange hacks, price manipulation, and fake trading volume. Data from the Korean Ministry of Justice indicates that South Koreans lost $2.7 billion USD in cryptocurrency scams between July 2017 and June 2019. The ministry also said it has indicted and detained 132 individuals accused of cryptocurrency fraud and indicted another 288 individuals without detaining them.

In March this year,  South Korea’s National Assembly passed an important new legislative amendment to their Financial Information Act that effectively legitimizes virtual asset ownership and trading and aligning the country requirements with international anti-money laundering and counter-terrorism funding (AML/CFT) standards. All Korean Virtual Asset Service Providers (‘VASPs’) must be fully compliant with the Act no later than September 2021.

Whilst formally bringing crypto exchanges into the regulatory fold, these requirements are not without their challenges. All Korean exchanges are now legally required to establish a verified real-name individual account with an authorized Korean bank. The exchange’s designated individual account holder will be responsible for withdrawing and depositing fiat currency between the exchange and the bank by way of a single bank account. South Korea introduced the real-name verification system in January 2018. Although not a requirement, crypto exchanges were encouraged to partner with approved banks to use the system. However, so far, only the largest exchanges — Bithumb, Upbit, Coinone, and Korbit — have been able to use this system, as banks have been reluctant to provide this service to small and medium-sized exchanges.  Under the new Act the VASP  is required to report their business and real-name bank account before September 2021, or else potentially face a 5-year prison sentence or 50 million Korean Won fine.

In addition, each Korean VASP must apply for an Information Security Management System (ISMS) certificate from the Korea Internet & Security Agency (KISA) in order to do business. To receive ISMS certification, they’ll need to implement new AML/KYC measures such as Recommendation 16 travel rule which requires VASPs to exchange customers’ personally identifiable information.

As crypto exchanges look to build / enhance their AML programme to meet regulatory requirements and also  secure banking partnerships, what should they be focusing on?

  • Know Your Customer:

    • This goes beyond simply to collation of ID documents - which is just one piece ( arguably the easiest piece) of the puzzle. 

    • Think about proportionality. Perhaps you do not need to collect ID when your customer registers, but only when they start actively trading. The amount of KYC you collect can be tailored to your clients activity and wallet caps included to limit exposure. 

    • VASPs may also consider using some more enhanced data points to better understand their customer such 

  • Transaction monitoring:

    • Whilst companies are able to apply a risk based approach to the collection of documentation at onboarding, the key to understanding your customers behaviour is to have robust monitoring in place. 

    • The monitoring of both fiat transactions, and the crypto transactions is very important. A customer's transaction profile should be considered by looking at both of these elements. 

    • An increasingly popular request from banks is that they require a look back on the VASPs transactions over a set period of time. This usually forms a report, and is facilitated by the bank by either asking the VASP directly, or requesting this information through a third party blockchain analysis provider. 

  • Governance:

    • The usual governance applies, however this should also be extended to include an audit and regular reviews of the crypto transaction monitoring systems, as well as a review of the crypto-assets themselves that the VASPs are listing. 

  • Sanctions:

    • OFAC have now started including cryptocurrency addresses as part of their sanctions regime. This is an extremely important area to focus on, and something that is vital for your transaction monitoring. When liaising with vendors for blockchain analysis, a key question should be around how they deal with sanctioned addresses, and how often those lists are updated. 

The newly passed law forces any non-compliant VASPs to either quickly reform their AML/KYC programme or cease their operations. While a handful of the biggest Korean exchanges already comply with most of these measures, there is a real chance that many of the other VASPs that have not adequately considered AML protocols as they have built and scaled, will struggle to implement these new regulations.  Some may even be forced to cease operations all together. 

FINTRAIL are currently working with crypto exchanges globally to build, scale and test their AML and CTF programmes  to not only meet regulatory requirements, but also to secure banking partnerships and help them proactively manage their financial crime risks, thereby helping to strengthen the AML health and wellbeing of the sector.

If you are interested in speaking to the FINTRAIL team about the issues discussed in this article or any other financial crime topic please get in touch via contact@fintrail.co.uk.

FINTRAIL- Elliptic Cryptoasset Compliance Virtual Bootcamp

For financial crime compliance professionals, cryptoassets are one of the hottest topics around. With regulators and global watchdogs like the Financial Action Task Force zeroing in on cryptoassets, any compliance team that isn’t educated on cryptoassets has a major blind spot. 

Cryptoassets are no longer a fringe financial technology: cryptoassets have a total market value of more than $250 million; bitcoin is among the top ten currencies globally in terms of the overall value of banknotes and coins in circulation; and over $500 billion flows between the banking sector and cryptoasset businesses annually. Cryptoassets are now a feature of the financial landscape. This exciting technology presents both compliance challenges and business opportunities for teams not only at cryptoasset businesses, but also for banks and FinTechs who can no longer ignore this burgeoning asset class.  

That’s why we’re partnering with the team at Elliptic to launch our first ever cryptoasset compliance virtual bootcamp. Launching on June 30, this online bootcamp is one we’ve designed to assist banks, FinTechs, and cryptoasset firms alike in identifying strategies for managing financial crime risks in this new phase of cryptoassets. We’ve launched this initiative to help compliance teams in their journey, and to educate and ensure the wider regulated sector understands the cryptoasset industry, how it may affect their business, and how best to practically address the risks while harnessing new opportunities. The bootcamp focuses on how your business can apply an effective risk based approach towards cryptoassets. This ensures the highest risks to your business are the focus of your compliance efforts, with less impactful risks sitting lower down the priority list. 

Led by FINTRAIL’s Danielle Jukes and Elliptic’s David Carlisle, and featuring guest speakers from around the financial crime compliance space, this complementary virtual bootcamp will include three engaging sessions across June and July. Each session will focus on the key pillars that we see as vital to a strong cryptoasset financial crime risk management framework. Content for the sessions will include: 

Session 1: Cryptoasset risks . . . What’s your appetite? 

Effective risk management starts by defining your risk appetite. If you are a cryptoasset business, have you articulated to your staff which risks you’re willing to accept? For example, are there certain countries that present especially high cryptoasset risks and with which you won’t do business? And if you are a FinTech or bank, have you clearly defined what degree of interaction your business will or won’t have with cryptoassets, and do your staff understand how to ensure adherence to that risk appetite? Until you’ve defined your risk appetite, you can’t expect your compliance team to develop an effective response. In this session, we’ll provide you with a conceptual framework for defining your cryptoasset risk appetite and using that foundation for effective risk management.

  • Key takeaways: an understanding of how you can develop a risk appetite statement on crypto, and how it can affect your business, relevant examples of statements related to cryptoassets.

Session 2: Assessing and Getting to Grips with the FinCrime Risks:

Cryptoassets present specific financial crime risks and feature heavily in some typologies more than others. Understanding these risks and executing a crypto-specific risk assessment is critical to managing risk exposure, whether your platform offers cryptoasset services directly or not. If you are a cryptoasset business, do you understand which fincrime typologies present the highest risks to your platform? Do you offer privacy coins or other services that may present an elevated risk to your profile? If you are a FinTech or bank, while you may not offer cryptoasset services, do you understand crypto-specific typologies that may expose your business to indirect cryptoasset risks that are sometimes very difficult to detect? This session will equip you with the know-how you require to conduct an effective cryptoasset risk assessment for your business. 

  • Key takeaways: an understanding of different types financial crime risks, how they present themselves within cryptoassets, and how your business can assess these risks.

Session 3: Systems and Controls - Managing Your Cryptoasset Risks in Practice 

Managing cryptoasset risks requires access to systems and controls that can detect and protect against bespoke risks. Your compliance team should be working to solve the following questions:.

  • For cryptoasset businesses, do you have access to these bespoke cryptoasset monitoring tools tools, and are they configured appropriately to your business needs? 

  • For banks and fintechs, are you able to detect and assess risks related to counterparties who may be dealing in cryptoassets? Solutions exist that can enable you to do so, but they require expertise your business may not possess. 

  • Filing SARs and undertaking reporting obligations related to cryptoassets can present specific challenges. Are you equipped to navigate these challenges? 

  • Key takeaways: an understanding of what systems and controls are out there, and how they can fit into your wider anti-financial crime framework.

This bootcamp will help your compliance team work through these and other questions, and in doing so, will empower you to execute on a vital component of your financial crime risk management framework. If these three pillars are executed effectively, then your compliance team can confidently tackle the risks associated with cryptoassets. 

You don’t want to miss out on this opportunity to learn from FINTRAIL and Elliptic’s experts in cryptoasset compliance. You will also be awarded a certificate of attendance after attending all three sessions. 

Active Anti-Racism in Anti-Financial Crime: Our Next Steps for Combatting Discrimination

At FINTRAIL, our US and global teams have been closely watching the swell of protests unfolding in response to the shocking deaths of George Floyd and Breonna Taylor - the latest victims of ongoing and unjustifiable police brutality against black people. However, racism isn’t just the existence of bad actors engaging in criminal acts of violence; police brutality emerges from systematic and deep-rooted racism that has infected justice systems in the US and around the world for centuries. And unfortunately, the anti-financial crime sector, integral for feeding information on suspected money launderers and terrorist financiers to police, has been complicit in this institutional racism. At FINTRAIL, we are constantly working to do more to promote diversity within our ranks and to support and learn from black voices. But we can do more as a firm to not just avoid racism but actively reject it, particularly through our work supporting anti-financial crime teams. Together, as consultants and as community leaders in the FinTech FinCrime Exchange (FFE), we can help make meaningful change to improve the treatment of black customers and to hold ourselves accountable when we get it wrong. 

  1. We promise to help champion and support non-white perspectives within our own team and the teams we work with. Implicit biases exist not only in day-to-day anti-financial crime activity, but also in senior level decision-making. People can unfortunately be prone to ignoring or undermining opinions given by black people in the room - and this is even more so the case for black women. In the worst cases - the room may be entirely white, eliminating the chance for non-white voices and perspectives to influence decisions on financial crime. How else can we be held accountable and understand the impact of our processes and decisions across all areas of financial crime risk management without ensuring black people are involved in the work and have the space to make constructive challenges? Thus, as FINTRAIL, we will make sure that we use our privilege to ensure there is always diversity in the room and that we listen to any and all challenges to our approach, especially from black people.

  2. We promise to work with clients to take extreme caution in the consideration of demographic factors when evaluating customer risk.  Firms building out their customer risk assessment (CRA) models may choose to include demographic factors, including nationality. While under very specific circumstances, demographics may be strongly correlated with risk (e.g. cheaply purchased nationalities), we will not advise or support the inclusion of demographic risk factors into a CRA methodology in a way that could unfairly lead to the application of enhanced due diligence (EDD) measures to a customer solely based on their racial, ethnic or socioeconomic background. In practice, this means strongly questioning whether such a factor is necessary in a CRA model in the first place and, if included, ensuring that only specific risks to the business are targeted and that there is no undue bias in the weighting of such a risk factor.

  3. We promise to be aware of racial biases that may exist within ourselves and our clients when it comes to clearing and investigating screening or monitoring alerts. Even when demographic factors have not been included in the calculation of a customer’s risk, racial biases can still cloud our judgment when evaluating one customer’s financial activity versus another’s. It is well documented that people are prone to more negative perceptions of those with darker skin, often without even realizing they are doing it. This can have dangerous effects for a customer, leading to their account being frozen or offboarded and their activity being reported to police. To help mitigate implicit and explicit bias in alert clearing, we will seek to support internal and external anti-racism bias training in the context of alert clearance and will push for the provision of clear decision trees to help analysts more objectively work through potential suspicious activity.

  4. We promise to do more to recognise and help mitigate the racial biases that can exist within European and American identity verification RegTech platforms. Within the US and Europe, we are really lucky to have a variety of robust identity verification tools to suggest to our clients that help automate the onboarding process. Innovative solutions allow for FinTechs to match customer selfies, live selfies or videos to a verified ID document - allowing them to onboard the customer within only a couple minutes. However, some solutions can struggle with non-white faces as their facial recognition technology hasn’t been adequately trained in correctly matching non-white faces to IDs. This can lead to serious negative consequences - non-white victims of identity fraud may have their documents stolen and used to open financial accounts without being spotted, or alternatively, genuine customers may be routed through a laborious manual review process simply because they aren’t white. We will work closely with FinTechs and RegTechs in the community to identify practical solutions to ensure that identity verification tools can more effectively verify non-white customers.

  5. We promise to take more initiative to build out innovative onboarding solutions for non-standard non-face-to-face situations. Under some circumstances, customers may not have the typical documentation needed to onboard - they may not have a passport or driving licence, or they may have recently moved country and have no address history. The good news is that more and more regulators expect financial institutions to have onboarding processes in place for customers who may be unable to provide traditional documentation - though some regulators go farther than others in their guidance. The bad news is that, in the absence of meaningful guidance, firms may end up with extremely manual onboarding processes, which require robust sensitivity training for front-line staff and which can delay financial access for those most in need of it. Some firms may even inadvertently avoid establishing a written approach to non-standard identity verification cases. We will do more to work with clients to help them establish more innovative approaches to non-standard onboarding and ensure that the approach is well-documented and that necessary training has been given to the front-line.

By working with the community on these practical steps, we hope to help inspire greater change within anti-financial crime best practice. No one should have a worse banking experience or be treated as a criminal solely based on the color of their skin, and we are committed to actively fighting for an actively anti-racist approach to financial crime.

On Demand Webinar: How to Implement eKYC & Keep Online Customers Safe

The recent shift towards digitisation has pushed businesses to review their KYC processes, and implement new strategies to protect their customers online.

In this on demand webinar, Robert Evans Fintrail co-founder and Claire Galbois-Alcaix at Jumio will discuss:

- The impact of digitisation on businesses and their customers
- The latest risks and compliance challenges
- How to implement a successful eKYC
- Tech innovations that help organisations keep their customers engaged
- Changes to the regulatory landscape and the future of eKYC

As people spend more time online, they leave a digital trail of information that can be used against them if put in the wrong hands. The convergence of online and offline has opened up entire new pathways for fraudsters, money launderers, and identity thieves to assume another person’s identity.

KYC (Know Your Customer) refers to the process of verifying the identity of your customers, either before or during the time when they start doing business with your organisation. With eKYC, businesses are able to perform identity verification and due diligence electronically, but must ensure they have the correct end-to-end identity verification strategies in place.

Rob and Claire will share tips and best practices organisations can follow to simplify their eKYC.

Islamic FinTech and Financial Crime: A different risk profile?

With particular thanks to insha, Kestrl, MyAhmed and Niyah.

Just like every other sector of the global financial industry, Islamic finance is increasingly going digital.  There is a growing number of start-ups positioning themselves to benefit from the rapid global development of the FinTech market, coupled with the booming growth of Islamic finance.  Islamic finance is sometimes considered a niche area, but this ignores the actual size of the sector, with a consumer base of 1.8 billion Muslims globally and an estimated market value of $2.5 trillion in 2018, forecast to grow 40% by 2024.  These start-ups sit at the convergence of these two growth areas, and believe that young Muslims in particular will be drawn to products designed to facilitate integrating their faith and ethics with all aspects of their daily life, plus the ease and superior design features of a digital product.  

Most growth in Islamic finance in recent years has been rooted in traditional banking services, but change and dynamism in the sector is translating more and more into digital offerings and FinTech startups.  In 2019 there were an estimated 93 Islamic FinTech startups globally, including challenger banks for retail and SMEs (e.g. Kestrl, MyAhmed and Niyah in the UK and insha in Germany) as well as wealth management (e.g. US-based Wahed Invest), crowdfunding (e.g. Ethis Ventures in Malaysia and Indonesia) and crypto (e.g. Dubai-based trading platform Huulk).  P2P finance and InsureTech are cited as top sectors for growth in 2020.  Existing Islamic banks have also jumped on the digital bandwagon, especially in the Gulf, such as Bahrain Islamic Bank which launched the first fully-fledged Islamic digital bank in 2019.  The largest market for Islamic FinTech startups is Indonesia, followed by the US, the UAE and the UK. 

It’s interesting to note that many shariah-compliant FinTechs are keen to reach out to potential customers beyond the Muslim population in recognition of many people’s dislike and distrust of conventional financial services and desire for a more ethical, partnership-based approach.  To this end, many Europe-based FinTechs in particular notably focus on the ethical dimensions of their product rather than just guaranteeing shariah-compliance, and market themselves as ‘ethical’ or ‘values driven’ rather than explicitly as Islamic, halal or sharia-compliant.  This is also reportedly popular with Muslim customers, especially the young, who are more interested in services that focus on ethical considerations rather than “tick-box” shariah compliance.

Islamic Finance and FinCrime 

Islamic and conventional finance most obviously differ in terms of the products offered and the target client base.  But what of the risks they face, specifically financial crime?  Are there certain financial crime risks which Islamic finance institutions are more exposed to, or conversely where the specificities of Islamic finance help protect them?  And are there particular things Islamic FinTechs should be thinking about as they design and build their financial crime programmes?

This piece isn’t going to get into the complexities of Islamic finance and how transactions are structured.  However, there are a couple of key concepts that are useful to set out here.  Firstly, Islamic finance prohibits earning or paying interest, with a focus instead of profit (and risk) sharing.  This results in a model where banks and their customers act as ‘partners’, which differs from the usual client relationship.  Islamic finance also prohibits business in sectors considered forbidden or haram, such as alcohol, gambling, pork or adult entertainment.  And finally, Islamic finance does not condone excessive uncertainty or speculation.

On an academic level, relatively little attention has been paid to financial crime risks in relation to Islamic finance and there have been few, if any, studies on relevant money laundering/terrorist financing methods and trends.  International standards for AML/CTF regimes (such as those issued by FATF) make no provisions for Islamic finance, and are adopted wholesale even by countries with sizeable Islamic finance sectors without any adjustments.  The papers which have been published (e.g. by ACAMS) tend to conclude there’s no evidence the ML/TF risks in Islamic finance are different from those in conventional finance, or that it faces unique typologies or methods.  If anything, they conclude certain features of Islamic finance are likely to lower the ML/TF risks, such as the ‘partnership’ relationship between the financial institution and the borrower/lender, and the fact transactions are structured around the purchase/sale of underlying assets, which ties them to real-world valuations and makes it harder to disguise illicit flows.  

FinCrime for Islamic Fintechs

So what does this mean for Islamic FinTechs in particular?  Given the relatively scant attention paid to the topic by regulators and external bodies, and the prevailing tendency of conventional Islamic banks to treat financial crime the same way as everyone else, it is hardly surprising we’ve yet to see Islamic FinTechs formulate a specific approach to financial crime.  And nor is it clear that they need one, given the current state of the market and the product types that most existing Islamic FinTechs offer.  Where the academic studies do identify differences between conventional and Islamic finance, it is generally in relation to complex products such as trade finance and investment banking.  These are areas which have yet to be targeted by Islamic FinTechs, which so far are mostly focused on P2P lending / crowdfunding and retail banking.  In these areas, it is hard to see many ways in which the shariah-compliant aspects of the products could affect the AML/CTF risks.  The one concrete example is almost a coincidental positive for Islamic finance - several of the sectors considered prohibited are also ones recognised as high risk for financial crime, such as gambling, adult entertainment and arms/defence.  However the lack of any other discernible differences is borne out by a number of Islamic FinTech start-ups consulted by FINTRAIL, who confirmed that they don’t approach financial crime risk differently to their conventional counterparts and aren’t aware of any nuances or differences in the risks they face.  For instance, one European challenger bank confirmed it uses a banking-as-a-platform provider to manage compliance, meaning it is comfortable using an off-the-shelf solution designed initially for non-Islamic institutions.  

So, looking at the products and business models of Islamic FinTechs on paper indicates no real distinction.  However there is one real-world factor which does make a difference - customer base.  One standout issue is the provision of services to mosques and religious charities, which collect huge amounts of zakat donations, and can find conventional financial institutions reluctant to deal with them (and often Islamic institutions too).  Charities, especially religious charities, are recognised as a high risk sector for AML/CTF risks, and coupled with payment corridors to high-risk countries where Islamic charities are likely to operate, places them outside of risk appetite for many conventional banks.  Specialist Islamic FinTechs may be more prepared to find ways to mitigate the risks and serve these clients, as part of their ethical mission.  

In Europe, concentration risk and the makeup of the target client base may also pose particular challenges (but also opportunities) for Islamic FinTechs.  Their customers will be particularly homogenous, which may make them more vulnerable if a fraudster can work out a successful way to target this group.  This would involve knowing how to mimic real customers’ identities and activities, as well as frauds designed to exploit religious sentiment, e.g. by using fake charity appeals during Ramadan.  Beyond fraud, while many customers will be UK/EEA nationals, those who are foreign nationals are more likely to come from countries deemed high risk for ML/TF, and popular payment corridors for cross-border payments are also likely to involve such countries.  This will all result in a high level of declined applications, high-risk clients, and transaction monitoring alerts, especially if companies use generic risk appetites and customer risk assessments or off-the-shelf monitoring solutions, or outsource their compliance programmes to banking-as-a-platform companies.  

Conventional indicators and methodologies may thus not enable Islamic FinTechs to assess their client bases intelligently, and to work out if there are ways to mitigate any inherent  risks in line with their own risk appetites.  If they choose to accept these risks, they’ll need to ensure they can identify the most high-risk activity on their books, and dedicate their attention and resources appropriately.  And if done right, they are uniquely well-placed to do so - they can use their greater familiarity with these client groups and any existing data to benchmark usual, unconcerning behaviour vs. activity they deem suspicious.  For instance, huge cash deposits from a mosque during the last ten days of Ramadan would be immediately understood and contextualised.  And while a conventional retail bank may see all payments marked as ‘zakat’ as high risk, an Islamic FinTech can use their richer datasets and contextual understanding to refine their monitoring systems and investigate hits to identify the most high-risk of these payments, to make sure they are allocating their time and resources effectively. In doing so, they have the potential to play a positive social role by ensuring inclusion - enabling fair and affordable access to financial services to those frequently excluded or disadvantaged by conventional financial institutions.

So to summarise, the distinctive financial crime concerns of Islamic FinTechs lie not in the theoretical nature of how they operate or the mechanics of their product offering, but in the real-life nature of their client bases.  This idea is not unique to Islamic entities; in the increasingly crowded FinTech sphere, more and more firms are seeking a niche and are catering to specific client groups that pose a heightened financial crime risk on paper, such as expatriates sending remittances to specific high-risk countries, or sectors such as gambling or crypto that struggle to open accounts with conventional banks.  The lesson for all these companies is that, while they must recognise the inherent risks posed by their client bases, they can and should tailor their financial crime programmes to adopt a risk-based approach, identify their own top risks, and allocate their resources appropriately.

If you are interested in speaking to the FINTRAIL team about this or any other financial crime topic, or any other elements of building or refining a customised financial crime programme, please get in touch with contact@fintrail.co.uk or maya.braine@fintrail.co.uk

There is also further guidance available on the FINTRAIL website, including on defining a risk appetite, using data to drive a financial crime programme, and promoting financial inclusion.

Remote Delivery: NuBank Financial Crime Compliance Project

In the current climate the notion of ‘working from home’ has become the new norm. This means that some businesses have had to rapidly adapt how they work, how they deliver their products and services to their clients, and how they remain top of their game. Whilst FINTRAIL do have physical offices in London, Singapore, the US, we operate flexible working for our employees, and have also conducted fully remote projects in the past. We feel that these projects and our working set up has allowed us to quickly adapt to this new normal and we thought we would share some of our insights with the wider community. 

One of our most recent fully remote projects involved working with NuBank on a Financial Crime Compliance project. NuBank is a Latin American neobank and they have one of the largest customer bases in the region and sector, and in January 2020 confirmed they hit the 20 million customer target. NuBank was a completely new client for FINTRAIL, and also one of our largest projects where there would be no face-to-face, or in person element at all.

The project spanned three jurisdictions; Brazil, Mexico, and the UK. This involved assessing, and analysing regulation from Brazil and Mexico, as well as scheduling calls to accommodate for two quite different time zones! After the project had been completed, we had a feedback session with NuBank to discuss what worked, and maybe what didn’t, when conducting a remote project. NuBank was very pleased with our work. They commented that we were aligned with them as a business, and the project results were above and beyond what was expected. We are confident that our work can be delivered in a fully remote nature, and this project only helped to solidify that confidence.

Infographic highlighting the key takeaways from the NuBank remote project and what the client liked.

Key learnings:

  • Get the basics right. This may sound simple, but the client should be clear on the project timelines and deliverables. Having this understanding at the start and throughout helps to ease both sides of any unnecessary stress, and improves time management and control of the project. When a project involves no face-to-face aspect, all communication becomes much more scheduled, and therefore understanding the scope and nature of the project is key. This extends to us as FINTRAIL too, we always ensure that we understand a company and its products to the best of our ability when conducting a project.

  • Communicate, communicate, communicate (with the relevant people). Ensuring that the correct people are involved in the conversation is very important, especially during a remote project. With often already packed diaries, no one wants to sit on a video call that they cannot contribute to, or that they are not needed for.  By inviting the correct and relevant stakeholders only to meetings where they are needed prevents video call fatigue within the project, helping for each conversation to be meaningful and for people to remain engaged. 

  • Leverage technology.  Tools such as Slack can really help with interim communication between larger video meetings. Slack allowed for timely access to key pieces of information, and to lay the groundwork for more in depth meetings. It was also crucial to have this kind of communication due to multiple time zones. Emails felt a bit stiff and formal, and could get lost in a pile, whereas the Slack messages could be picked up whenever suited, and answered quickly and easily.

Get in Touch

If you are interested in speaking to the FINTRAIL team about the topics discussed here or how we are working remotely with clients globally today on all aspects of their financial crime programme, please feel free to get in touch with one of our team or at contact@fintrail.co.uk.