Speaking in front of experts in their field and alongside distinguished panelists, as I did yesterday, can be a daunting thought; however, my feeling on completing the panel discussion was that there is so much still to learn, create and harmonise within the field of risk and compliance.
As the CEO of a RegTech startup, I certainly feel that the potential impact of RegTech on industry is only beginning to be felt. As technology continues to progress while requirements for regulation become more stringent, regulatory technology will play a major part in assisting financial services and other regulated sectors in meeting their risk and compliance requirements.
The Thomson Reuters Risk & Compliance Summit 2017 was an excellent conference, and it was thoroughly enjoyable to hear the views of so many experts, as well as make new connections and catch up with some old ones. Thanks to Steve Pulley for the invitation to take part on the panel. Steve is a recognised leader in the risk and compliance industry and one of the few making a significant impact. It was an honour to be among other panel members Colin Hall (Credit Suisse), Suzanne Hammond (Thomson Reuters) and Christian Hunt (UBS), whose experience and expertise shed enormous light on the challenges that the industry is facing.
Here, for clarity, I would like to offer some depth and breadth to some of the points I made yesterday:
We understand that for the customers we work with, there are very real and developing challenges and requirements that need to be met. We understand that in the UK, 2017 sees the single largest overhaul of money laundering regulations in a decade. The biggest challenge is the very clear focus today on a Risk Based Approach to Money Laundering & Terrorism Financing risks. The draft MLR 2017 regulations and revised JMLSG Guidance reflect the fact that one size does not fit all, and firms must be prepared for this. Each firm must conduct, document and maintain its own risk assessment and in turn develop, document and maintain its own risk based approach policies and procedures which reflect the risks identified within the firm’s risk assessment. For some sectors, this is par for the course, albeit with changes to some of the rules; however, for other sectors, e.g. legal and professional services, this is largely a new model of working.
In 2017, we are well aware how imperative it is to work with high quality data. From experience, however, I can say that knowing that fact and realising it are not always the same thing. Regulated firms need high quality, diverse data from multiple sources – internal and external – to assist compliance with regulations.
Today, there is no magic data management bullet to solve this problem. Modern approaches to Master Data Management within institutions are a step in the right direction, but the challenge is always going to be the quality of reliable third party data sources to augment these internal approaches.
Traditionally, this has been achieved by customised data set integration by in-house development teams. This is a risky and expensive approach. That’s why the emergence of solutions with pre-built integrations with global trusted sources of data and intelligence is taking place. Modern SaaS applications allow a single integration – based on a single data model – to be ingested into core systems. This cuts costs, removes data quality issues and gives compliance professionals access to the highest quality, trusted data available, not just the small sub-set their in-house technology team managed to build in the last quarter.
The FCA and PRA have already introduced a range of policy changes (the Senior Managers Regime) that aimed to increase individual accountability. The rules make it easier for firms and regulators to be clear about where responsibility lies. Clear individual accountability should focus minds, drive up standards, and make firms easier to run and supervise. And if things go wrong, it will allow senior managers to be held to account where they are at fault for misconduct that falls within their area of responsibility.
When the regime went live, most senior managers felt comfortable that they understood their responsibilities and were taking reasonable steps to discharge them. As issues have occurred however, they have thought about how external observers, including Regulators, might perceive the actions they have taken. Were the actions reasonable? Did they support the desired outcomes in a proportionate way? Would they stand up to scrutiny? Some have concluded that perhaps they do indeed need to do more.
This has resulted in work being carried out to ensure senior managers’ responsibilities are properly allocated and understood in firms, while there have also been changes at Board level. The FCA recognises that culture change takes time and there is still more to do, though as evidence of firms taking their responsibilities more seriously has filtered through, it illustrates that firms are making progress in adopting a culture of individual accountability.
Firms need to find ways to embrace new innovations and implement them into their culture and systems in order to mitigate the effects of the new regulations. There are three key facets that can help accomplish this: the first is to create a culture of compliance; the second is to recognise the potential benefits offered by FinTech and RegTech companies; and the third – and perhaps biggest hindrance – is solving the disconnect that currently exists between an aspiration to use new technology and the legacy systems and workloads of employees currently occupied with delivering core services.
The standards that have given us MLR 2017 are set by the Financial Action Task Force (FATF). FATF maintains a set of recommendations aimed at assisting its member countries to understand, assess and design laws to combat the global and national threat of money laundering and terrorist financing. FATF works with its member countries to conduct regular National Risk Assessments as part of an ongoing cycle of assessment, recommendations, implementation, and further assessment.
This ongoing cycle of assessment is now embedded within UK law, under the (soon to be in force) MLR 2017. The UK, Supervisory bodies, and regulated firms need to conduct regular risk assessments. In turn, these risk assessments at a national level are used to inform future changes to the money laundering regime. As a result, there is a feedback loop built-in to the national approach to AML/CTF laws, and they will continually change at a national, global and resultant firm level.
Moreover, on March 15, HM Treasury announced its plans to create a new UK watchdog, the “Office for Professional Body Anti-Money Laundering Supervision” (OPBAS) which aims to harmonise supervision over the accountancy and legal sectors. OPBAS will operate under the auspices of the Financial Conduct Authority and will be in operation by the start of 2018. The creation of OPBAS will mean increased scrutiny of professional AML supervisory bodies and ultimately a tightening of the compliance standards that law firms and accountancy firms are expected to adhere to.
The changes as recommended by FATF have necessarily meant compliance officers becoming more proactive by identifying the need to periodically evaluate their existing compliance frameworks, keeping staff trained and up to date with the latest regulatory developments and increasingly investing in technology to leverage the capabilities of automation and reduce the administrative burden of compliance teams. While it can be argued that they were once removed from business units, they are now viewed as being far more ingrained.
The work carried out by compliance officers can be, as we have discussed, greatly assisted by the use of technology. The maturing and commoditisation of computing power as a service, i.e. cloud computing, allows vendors to enter the compliance market at a lower price point and with a quicker time to deploy changes to software. This agility is vital in a space where the rules of the game, legislation and criminals, are changing constantly.
Complex, tightly integrated solutions at a low technical level within institutions are not transparent as to their operation; e.g. a mainframe application integrating with an on-premises deployment is expensive, opaque and costly to change. This results in compliance being at the mercy of technology or developers to uncover rules and conditions for processing data and making decisions. Modern SaaS applications put the user first by definition. The user controls the operation and understands rule sets and how decisions are made, allowing for an agile and swift response to queries.
This then leads us on to the question of how automation of the process can allow us to ever really know our customers. The answer is by using the right combination of data, at the right time for each type of customer, collating it and creating a dynamic profile for that customer, one that lives through the life of your business relationship. This always has to be tied back to risk policy, which is focused on the risk associated with particular types of customers, jurisdictions, industries and products.
From a customer or client perspective, the big challenge for RegTech firms will be to illustrate that the customer is always adhering to policy in a manner that is provable.
The second big challenge we face is that for years there has been too much tolerance of poor standards of risk within organisations. Many are highly dominated by a culture of “that’s the way we do things here”. These low standards are a surefire way of ensuring that something will go wrong. An effective solution to this could be a culture of challenge to all significant decisions, ensuring employees constantly ask “can this be improved upon?”
It was a superb platform at the Thomson Reuters Risk & Compliance Summit to discuss some of these issues with industry experts and those from other fields alike.
Here, I have tried to offer a little context to some of the points I made yesterday about how the compliance field is a constantly evolving and shifting platform on which Compliance Professionals must always consider what is likely to happen in the future as well as what has already happened. The growth in external vendors, such as Encompass, who can support compliance teams has also transformed the way that compliance is executed.
Wayne co-founded encompass in Sydney and took the product to the Australian market in 2012. Since then, as CEO he has led the international expansion of the company, including the UK launch in 2015 and recognition as one of the UK’s most influential RegTech firms. Prior to encompass Wayne was co-founder and CEO of Software Associates, until the company’s successful exit to a Hong Kong listed Company.