The more things change, the more they stay the same. In 2019, there have been numerous developments in RegTech, but the trends and conclusions are the same as they were last year; there are more regulatory requirements, there’s more need for technological and organizational harmonization, and it’s imperative to ensure that processes are sufficiently quick and reliable, while maintaining compliance.
Big problems on a little planet
For those involved in combatting money laundering, the scope is daunting. Some estimates put the sum of money laundered at $2 trillion annually. Even more staggering, only 1 percent of all the illicit funds are caught. By any measure, the effectiveness of Anti-Money Laundering (AML) as a whole is lacking, and therefore regulators will continue to tighten controls, close loopholes and demand more oversight.
It’s no wonder then that the costs and complexity of compliance in 2019 continue to increase. There are now 220 regulatory alerts per day, with no signs of decreasing. Fortunately, investments in RegTech are starting to bear fruit and, as LexisNexis® states in their 2019 True Cost of AML Compliance Study, “improve compliance processes and reduce the need for bringing on more resources (while keeping those you have) — thus ‘future proofing’ against significant cost increases over the long term.”
For all the good that technology can do, there’s unfortunately a corresponding ability to do wrong. This year saw the scaling up of so-called deep fakes, fake content that is almost indistinguishable from the real thing. Fake news affects the social discourse and even elections, so as the AI, bots and other tools continue to grow in scope, society needs the tools and legal power to better control their impact. In that regard, Canada passed laws regarding political advertising to hold large internet companies more responsible for the content on their platforms.
Regulation reveal parties
As always, a wide array of new regulations came into effect in 2019. Numerous other regulations were passed, although for many of these, actual compliance is not until 2020 or later. But weary compliance officers would rather get in front of changes as soon as practicable . Considering that, in many cases, the rules that came into effect in 2018 were still not properly dealt with, it all makes for a full plate of need-to-dos.
Some of the regulations requiring consideration in 2019:
European regulators continue to lead the charge for tighter regulations as they pass additional AML requirements. During 2019, compliance was focused on 5AMLD, which comes into force on January 10, 2020. However, 6AMLD is not far behind, due to be transposed into member states’ national laws by December 2020. Beyond these directives, various regulatory updates and rulings make it apparent that the EU is doubling down on its AML efforts and will increase scrutiny on all financial institutions (FIs), and it’s vital that compliance programs be especially robust.
The requirement for proper identity verification (IDV) now covers more industry sectors and types of non-person entities. For example, crypto exchanges and crypto wallet providers will be considered “obliged entities” and require the same ID procedures as financial institutions. Collecting beneficial ownership information of trusts and similar legal arrangements and performing due diligence is another stipulation requiring effective IDV.
Another focus of EU compliance teams in 2019 was Strong Customer Authentication (SCA). The SCA establishes online payment authentication requirements and is designed to reduce fraud and enable better security. As part of the EU’s Revised Payment Services Directive (PSD2), the SCA requirement was a cause of much confusion, consternation and even panic. The rollout was originally set for an effective date of September 14, 2019, but the concerted pushback from the payments industry had regulators reconsidering. In an October 16 Opinion, the European Banking Authority (EBA) “recommended” a consistent deadline throughout the EU/EEA of December 31, 2020.
While the General Data Protection Regulation (GDPR) came into effect in 2018, this was the year that started to demonstrate the real effect of the far-reaching privacy law. In early 2019, Google was fined €50 million by France’s data protection watchdog for “infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” Many other investigations into some of the world’s largest companies are underway, and numerous smaller fines have been issued. However, with one study suggesting that approximately 60 percent of companies that have obligations under the GDPR don’t have an effective subject access request (SAR) response, it’s clear that significant work for compliance remains.
The ongoing drama of Brexit continues in the UK. With a Parliamentary election on December 12, perhaps more clarity will come soon. Or, perhaps not.
As the ultimate outcome will have widespread effects on numerous compliance matters, many compliance teams were preparing for a worst-case Hard Brexit scenario, but concerns remain. As Bank of England BOE Governor Mark Carney stated, “There has been progress in preparedness and that reduces the level of the economic shock … To be absolutely clear, we still expect that there would be a material economic shock. Half of the businesses are straight up reporting to us that they’re not prepared for a no-deal Brexit.”
To help ensure a smoother transition to Brexit, it’s crucial to carefully consider how sensitive data, including identity information, is handled. Although the UK has high data privacy standards through adherence to GDPR, free flow of data with the EU would rely on an adequacy decision, which has no definitive timeline or outcome.
The UK gaming sector (gambling) was tasked with rescoping their existing identity and age verification practices due to a change implemented by the UK Gambling Commission. The Gambling Commission’s rules, which came into effect on May 7, were created in order to ensure that operators verify the age and identity of players quickly and robustly, and they apply to all remote betting and gaming operators, as well as a portion of remote lotteries.
The U.S. also saw major changes in the gaming sector, as numerous states passed laws legalizing sports betting. This was an outcome of a May 2018 U.S. Supreme Court ruling reversing the ban on sports betting. At last count, only eight states don’t have any legislation in place, pending or in progress. The industry was busy investigating new opportunities, creating compliance programs and starting up new operations. For any online operations, ensuring proper age verification, geolocation (within state boundaries) and AML processes for player funds is fundamental to avoid issues with regulators.
While only applicable to California, the upcoming (January 1, 2020) California Consumer Privacy Act (CCPA) could have wide-ranging effects on organizations as to how they collect, store, share and manage personal information. As opposed to having one set of processes that apply only to Californians, many organizations will consolidate their U.S. privacy and data handling compliance procedures. There are literally hundreds of different data/privacy/cybersecurity state laws in the works, with privacy laws passing in two states, Nevada and Maine.
Amendments to the Canadian Know Your Customer/Anti-Money Laundering (KYC AML) regulations — the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) — were registered on June 25, 2019. The latest PCMLTFA amendments will hopefully help Canadian KYC AML requirements overcome deficiencies, fight money laundering and offer more clarity for compliance professionals.
While most amendments will not come into force until June 1, 2020, the definition of acceptable documents to ascertain identification has been changed from “original, valid and current” to “authentic, valid and current.” Allowing “authentic” documents enables the use of ID document verification as a fully legal process to help establish identity. Previously, the use of scanned/photocopied ID documents was explicitly prohibited.
Trulioo scaling up
Trulioo had an amazing year in 2019. We added 11 countries to our GlobalGateway Electronic Identity Verification product, continuing in our mission to verify all people on the planet and help provide all citizens with access to financial services, including the unbanked and underserved groups:
- Bahrain, Georgia, Iceland and Qatar
We introduced a new technological capability, EmbedID. A front-end tool, EmbedID enables businesses to query the Trulioo GlobalGateway API and instantly verify customers in multiple markets by embedding a snippet of code in their website, particularly the sign-up or registration form. EmbedID is an extension of our endeavor to make identity verification instant, simple and unwaveringly reliable for today’s digital and borderless economy.
Trulioo announced two major business development achievements. Trulioo raised $70M from Goldman Sachs, Citi, Santander and Amex, including funding from new and previous investors. We also partnered with Refinitiv to fight financial crime and champion financial inclusion. We opened a second office location in Vancouver to accommodate our growth, and we have plans to expand our presence across the globe in 2020.
Trulioo continues to be a market leader in the identity verification space. Our premier identity verification solution, GlobalGateway, won the 2019 Card-Not-Present (CNP) Award in the “Best Identity Verification and Authentication Solution” category. GlobalGateway was also ranked No. 1 in the Verification Tools/Identity Checks category in the 2019 RegTech Supplier Performance Report — for the fourth year in a row!
Focusing on the customer
In the end, the technology and processes are all to serve one person — the person who is in the midst of a purchasing decision. When a prospect is on a website or an app, and at the tipping point of buying a service or product, the experience needs to be relatively quick and seamless. All the hard work in developing the product and building a brand comes down to that click.
Behind the scenes, there need to be compliance and security measures to deliver the necessary trust. Business considerations and objectives must be met. But it is the buyer who has the final say; as we start to say goodbye to 2019 and the decade, focusing on the customer is requirement number one.