How should fintech stay compliant? What are the challenges and opportunities? How high is the compliance threshold? Oftentimes, while building fintech products, entrepreneurs tend to focus on the business and overlook regulations.
The digital-first nature of today’s financial and banking services and the exponential growth of fintech companies require a shift in the compliance culture from a top-down approach to a new mindset that is spread across the whole organization. As part of the Visa Innovation Program, launched earlier this year to help fintech startups reach pilots with financial corporations, Eleven Ventures teamed up with the European Compliance Center and the Bulgarian Fintech Association to outline the regulatory risks and opportunities for fintech companies in Europe.
Basically, there are six regulations that financial sector disruptors should keep an eye on (see the graph below). But there’s a whole ocean of details within those frameworks that new players in the financial sector shouldn’t overlook. We reached out to Elina Karpacheva, PhD, a lawyer and academic researcher, to give us the context and outline some best practices and lessons learned. Karpacheva is the founder of the European Compliance Center – an international network of compliance experts in the CEE region and the first NGO in Bulgaria with a specific focus on corporate compliance – and also the Bulgarian Editor in Chief of the Risk & Compliance Platform Europe.
How great is the risk of financial crime, such as money laundering, to FinTech companies? Which recent trends are shaping the financial crime landscape?
FinTech makes access to finance fast, easy and accessible, which is of great benefit to individuals, households and businesses. But the same factors make these companies attractive targets for criminals. The increased speed of initiating transactions, the borderless movement of money flows, and anonymity may be exploited for ill-gotten gains. There are also concerns about the risks introduced by the new untested business models and the high degree of automation in FinTech products and services. From this angle, FinTech companies have an enormous responsibility towards society to prevent fraudulent behaviour. Governments around the world have started recognizing the risks associated with technologically enabled financial innovation. In effect, we see an increased level of regulation, with enforcement against FinTech being one of the priorities.
Why is financial crime compliance important for FinTech businesses? At which stage do financial crime risks become material to FinTechs?
Businesses are subject to ever stricter and more complex regulatory requirements on how to behave. Cases of non-compliance not only bring severe penalties to corporates and individuals but, most importantly, negatively affect the most valuable asset of every organisation – reputation. Ultimately, customers need to trust financial firms. Bad behaviour by one player affects trust in the whole industry.
FinTech founders must take compliance risks into account from the very outset of their business activity. Setting the right controls and procedures during upscaling is far too late. Focusing on superior customer experience is surely a good thing, but resources and people should be devoted to AML/financial crime prevention. While such focus is difficult, companies that effectively adapt their internal systems will be the ones that are successful in the long term.
What is the biggest challenge for Fintechs when it comes to financial crime prevention?
The biggest challenge is the lack of understanding and training in financial crime across the organisation. Usually, the focus of the entrepreneurs is on the business side and regulatory demands are overlooked. Another challenge is building an experienced compliance team. Attracting people with the right skills might be difficult, especially in the crypto industry, where “old-fashioned” compliance professionals might not be the best match. Last, but not least, many companies are struggling to keep up with the sophisticated and changing legal and regulatory regime. Compliance NGOs, such as the European Compliance Center, can help FinTech companies deal with the challenges and meet the compliance requirements in the most effective way.
What can be done?
FinTech founders must set the right tone from the top and a culture of compliance from the early stage of the business. Early risk assessment of the product/business model will prove beneficial in the longer term and save unnecessary struggles with regulators. Start-ups must devote resources to building effective internal systems for detection, prevention and response. This, however, can be done in a smart and cost-effective way. The future of FinTech compliance is in using technology and minimizing manual processes and human input. In this area, start-ups can avoid the mistakes of traditional financial institutions, being agile, flexible and without path-dependent systems to deal with.
How do banks view the financial crime risks inherent to the FinTech industry?
It is beneficial for the whole financial industry if banks act more as friends than as rivals. The Open banking requirement is an opportunity. Established financial institutions have a long history of compliance expertise in what might go wrong. They can provide valuable know-how and help innovative FinTechs keep up with the compliance standard via partnerships and common projects. The key compliance principles are the same for both parties: know your risks, know your product, know your customer. However, banks tend to engage in de-risking, especially when it comes to virtual currency operators.
In your experience what are the main types of financial crime that organizations are encountering? Can you provide examples?
Money laundering and terrorist financing are the most prominent ones, but FinTechs might be subject to a broader set of financial crimes, depending on their business activities, such as fraud and dishonesty, cybercrime, market manipulation, tax evasion, bribery and corruption. There are serious risks that come with the onboarding process. The electronic-only relationship with the client brings the threat of identity theft. A criminal might open many accounts under false identities and use them for laundering the proceeds of crime. Or, without a proper screening tool, a FinTech company might find itself in violation of the Office of Foreign Assets Control and the US Department of the Treasury sanction lists. “Mule accounts” and the use of foreign students to launder money in retail banking are a consideration as well.
Which international best practices/standards do you endorse in the area of financial crime prevention?
Effective financial crime prevention is based on recognized international standards. Compliance only with national legal provisions is not enough. The Financial Action Task Force (FATF), as a “policy-making intragovernmental body”, promotes regulatory and operational measures for combating money laundering, terrorist financing and other related threats. Thus, every FinTech should be familiar with the FATF Guidelines. European Supervisory authorities also issue Guidelines in the area. Regulatory initiatives, guidance, and decisions by enforcement authorities, such as FinCEN or BaFin, are also a useful source of standards and best practices.
What are the AML/financial crime controls that every FinTech must employ?
Implementation of effective procedures and controls starts with proper risk assessment. The basis is customer onboarding – every FinTech must implement a KYC process for identification and verification of clients and business partners (including beneficial owners) through analysis of different informational sources (both public and private) in different languages. Then, every firm must conduct ongoing real-time transaction monitoring, blocking and reporting of suspicious behavior. That means scrutinising transactions to ensure that they are consistent with what the firm knows about the customer, and taking due diligence measures to ensure that the firm’s knowledge about the business relationship remains current.
What can we learn from the recent bank AML scandals?
Bank AML scandals have shown what might go wrong even in organizations that already have expertise in financial crime detection and prevention. ING Bank was fined $900 million because it failed to properly examine and verify the ultimate beneficial owners of client accounts. UBS was fined $15 million for failing to identify and monitor suspicious high-risk client transactions. The Danske Bank case showed total disregard of AML and financial crime risks by the senior management. US Bancorp was fined $600 million because it failed to adopt automation solutions.
How can new technology help to address shortcomings in financial crime prevention?
As part of the ongoing movement to prevent financial crime, an entirely new industry has sprung up. RegTech is born from the combination of enhanced technology and the need of financial institutions to stay compliant with the regulation. RegTech provides solutions for customer onboarding, transaction monitoring, and for sharing customer-related documents. Artificial intelligence and machine-learning applications are also coming to help. They ensure quick discovery of trends, anomalies and suspicious individuals/transactions. Some solutions apply Neuro-Linguistic Programming for the process of enhanced due diligence and adverse media search. Some AI solutions are even flagging whether the applicant is lying, thereby speeding up the process of identity verification. However, companies must be cautious. Buying technology does not automatically mean effective compliance. The RegTech solutions must be customized in accordance with the FinTech’s product, delivery channels and clients. The human factor remains indispensable.
Do you see data sharing between Fintechs, and between banks and FinTechs, in the future?
Data-sharing is the future of financial crime prevention. The private sector has an important role in financial crime prevention – to actively share data between industry players and with FIUs and supervisors. The public sector is lagging behind when it comes to data sharing and adoption of new technologies. For example, the Financial Conduct Authority (FCA) organizes AML & Financial Crime TechSprints where participants come together to develop solutions for codifying topologies of crime which can be shared and readily implemented by others, or for reviewing financial transactions stored in databases within institutions to identify anomalous patterns and suspicious behavior without compromising data privacy legislation.