How CCOs Can Skill Up for an Unpredictable Future
This September, the International Netherlands Group (ING), the largest bank in the Netherlands, was fined €775 million (approx. $900 million) for compliance failures that allowed a handful of companies to allegedly launder hundreds of millions of dollars. According to Bloomberg, the compliance failures were, essentially, lapses in the bank’s Customer Due Diligence (CDD) operation, despite the fact that the bank had increased its investment in this area — including tripling its headcount towards improving its Know Your Customer (KYC) and transaction monitoring capabilities.
Incidentally, Accenture released its annual Compliance Risk Study for Financial Services only a few months before ING made headlines in financial and business dailies across Europe. In light of the fines levied on ING, the report’s central theme seems almost prescient: even as they face mounting pressure from the rapid pace of regulatory change and disruptive technologies, compliance departments can no longer just rely on adding headcount — because hiring more people does not, in and of itself, lead to desirable business outcomes.
Accenture’s 2018 report takes a behind-the-scenes look at the challenges and obstacles faced by over 150 chief compliance officers (CCOs) in the financial services sector. For your consideration, we have condensed the report down to its major takeaways; for context, we have added relevant examples for each of these takeaways.
Here are the major takeaways from the report:
Hiring alone is not the answer; compliance officers need to skill up
Compliance spending is slated to increase, and more than 50 percent of departmental expenditure will be on technology. Over the next three years, compliance departments will move “towards deploying technology rather than people to fulfill its mandate.”
To what extent technology will bring compliance closer to fulfilling its mandate, however, is another question. In order to effectively deploy the vast suite of tech solutions at their disposal, compliance professionals need to be re-trained. To quote the Dutch prosecuting agency that charged ING (in our previous example), the bank’s compliance staff was “inadequately trained”, and the system to monitor transactions was set up in such a way that only a “limited number of money laundering signals were generated”.
Compliance officers need to develop a fuller understanding of the risk ecosystem
Compliance officers’ engagement with technology needs to extend beyond just the automation of manual processes; compliance professionals need to proactively engage with the full spectrum of risks posed by emerging technologies such as virtual currencies, quantum computing, etc.
These risks do not apply to traditional financial institutions alone: even alternative financial services remain susceptible to such risks. For example, as cyber security researchers recently demonstrated, one-time passwords (one of the most crucial components in multi-factor authentication) can easily be intercepted by exploiting a major security flaw in Signalling System No. 7 (SS7), the signalling protocol used in major telecom networks around the world. In this case, the researchers used the one-time password to prove that they could easily pilfer funds from an unsuspecting user’s bitcoin wallet.
Compliance officers will increasingly rely on RegTech to match the sophistication of bad actors
One of the most exploited gaps in transaction monitoring systems is that their “detective capabilities” are limited. For too long, bad actors have been exploiting such weaknesses.
As an example, let’s consider eCommerce, where money launderers can often find free rein. Given how anyone, from any part of the world, can set up an online store in a matter of minutes, it is becoming increasingly common to see fake merchants setting up online businesses as a front for money laundering.
In such cases, their modus operandi is based on a sophisticated understanding of how transaction monitoring works, and, indeed, how its two crucial shortcomings can work to their advantage. They know that these systems look for illicit transactions, and that they can detect fraud only after the fact (that is, after the fraud has been committed).
Knowing this, they adopt subtler means of diverting funds, such as small changes in invoices, double invoicing, or carousel transactions, to fly under the radar of monitoring systems. More often than not, by the time the monitoring system raises red flags and investigations ensue, the fraudsters have already cleaned their ill-gotten proceeds, and moved on.
In contrast, RegTech solutions will enable a more proactive and preventative approach to tackling fraud. For example, identity verification and authentication systems can be deployed during the merchant onboarding process itself so that bad actors can be nipped in the bud.
“Exogenous shocks” to the industry will call for more resilience
In the last ten years alone, the landscape of financial services has been subject to rapid and dramatic change, with multiple “exogenous shocks” such as the rise of cryptocurrencies and open banking, to name a few. The advent of such disruptive technologies has brought with it the enactment of far-reaching regulatory changes.
Consider the EU’s Second Payment Services Directive (PSD2), or open banking, which is poised to be a paradigm shift in the arena of financial services. The directive, among other things, calls for incumbent financial institutions (FIs) to share their customers’ transaction data with third-party services such as fintech startups and payment providers, provided the customer consents to such data sharing. Concerns around the security of this data will have important ramifications for compliance departments, and will call for greater resilience amongst compliance professionals as they navigate a climate of great uncertainty.