The Nordic region has experienced well publicised challenges in financial crime compliance (FCC) lately, and with both the domestic and global regulator crackdown on dirty money, banks, payments organisations, and financial institutions need a giant leap forward in their systems and processes modernisation if they are to outpace increasing risk.
At our event ‘Road to Perpetual Client Risk Assessment (pCRA)’ in Stockholm, hosted by The British Embassy, we brought together experts in realising modernisation in financial crime compliance. Sujata Dasgupta, Global Head of Financial Crime Advisory at Tata Consultancy Services and Sabina Ausfelt, Global Senior Director of Compliance & MLRO at Juni.
Both panellists brought forth their first-hand experiences in taking the many small steps of change in Anti-Money Laundering (AML) teams that combine into a giant transformation leap. As financial crime (fincrime) experts, we know that achieving tangible results can be the hardest part in compliance programmes as you enact step-change across core AML activities.
Read the panel insights below.
The biggest challenges for FCC professionals right now
Despite leading the world in many financial services and payments innovations, the Nordic region is lagging behind the criminals when it comes to combatting the fincrime that rides the coattails of righteous innovation. High-profile failings have brought renewed regulatory scrutiny domestically, with pan-European and global regulatory expectations also coming to bear on compliance teams in the region.
The pace of innovation generally in financial services creates resourcing and prioritisation challenges, as well as introduces new threat vectors and risk profiles. Open banking initiatives have been successful in creating customer choice, but opening up the ecosystem also means lots of participants with immature AML and compliance programmes and processes. These weak links in the chain create additional challenges for established players who are already wrestling with legacy systems that can no longer meet requirements. An added layer of complexity for the Nordic region is the high rate of adoption of digital, alternative, and real-time payments which create new channels and typologies to grapple. But fincrime innovation must happen in parallel with fintech growth.
Starting your transformation – banking versus payments
The starting point on this transformation journey for a large bank with established AML and FCC teams is very different from a fintech startup.
It’s not easy for a fintech from a resources perspective, and the fast-paced environment they operate within. The lack of end-to-end harmonisation globally means that fintechs who passport their license into new markets need to obey all the specific domestic regulations of that country, even if they don’t have an in-market expert. For example, this could be specific monitoring thresholds by volume, but the key is to build processes that can easily implement various directives.
Regulation by region
The approach to regulation varies also by the approach to collaboration. Regulators in the United Kingdom and Singapore are very collaborative with their financial institutions and applications to the market. It really highlights the importance of an open and proactive dialogue between us, the fincrime professionals, and the regulators set apart from investigations.
It is promising to see the Nordics beginning to apply this collaborative model to its own regulatory approach. But open dialogue also means within a financial institution's internal teams too.
Building the business case for AML modernisation
With the tightening of regulations and new requirements comes more costs, and compliance teams must get the wider business on board with their plans. The second line needs to be mindful of costs and work with the first line to create optimal solutions that support the organisation and provide value-based services to customers.
Balancing the costs of new technology within the entire business case means expressing how a holistic view of financial crime risk can secure new products and new markets. It’s a crucial part of the business case, because there is no margin in compliance. The cost of non-compliance for a new product launch is total failure, and the wider business needs to be cognizant of this strict liability.
To ensure that compliance is considered a crucial part of the business case, compliance representatives must be engaged in stakeholder groups for new products and new Go-to-Market plans.
Design and build processes that are not only valuable for compliance, but also create added value times three for the first line of defence and business. Often a fintech will consider this the last step, because the thinking is that processes need to exist first in order to monitor them. But teams should aim to build second line processes in an automated manner that makes it easier for the first line to be compliant. Then they can focus their energies on the low-hanging fruits and have more in-depth efforts in these areas.
We are increasingly seeing regulators specify the need for wider stakeholder engagement on risk assessments, indicating its importance in a holistic approach to risk. Risk controls need to be more aligned with product management; not just as a formal exercise in compliance, but as a part of the living process of product development. This reduces the risk of delays in product launches. But it does require all functions to try and work agile, like product teams, including legal teams. Risk assessments are often produced in waterfall which creates a disconnect. But all teams need the right information at the right time to complete their risk based assessment. Risk assessments must also be broken into iterations to align with the rapidly evolving product definition and ensure compliance in the end product, especially given the highly regulated nature of financial services products.
Perpetual Client Risk Assessment
The way that financial crime occurs has evolved has created the need for continuous risk assessments. Perpetual Know Your Customer (pKYC) emerged against a similar backdrop, and now forward-thinking financial institutions are building towards Perpetual Client Risk Assessment (pCRA). Financial crime does not always occur at the point of onboarding, and a more comprehensive understanding of a client’s financial behaviours and business activities is necessary to meet compliance requirements. Historically, this would be conducted periodically, likely every one to five years. But not every organisation was even meeting this standard. This created vulnerabilities in the financial ecosystem.
In the Nordic region, the cultural norms of our social fabric also created a trust loophole. We are known as an honest society where we trust the word of others, and this was exploited in the Baltics scandal. Our region became caught in the crossfire. pCRA is about ensuring there is no loophole to exploit, and we can trust the client risk assessment because it is real-time. The dynamic nature of financial services demands real-time everything; when the transaction clearance window is just ten seconds, then the relevant data about the customer, beneficiary, transaction etc. all need to be available and applicable in that same window. We are now in an era of managing risk in a real-time way.
Steps to pCRA: data + cloud
For most organisations there is significant work to be done to deliver pCRA. And it often starts with simplification to get the basics right. Many financial institutions have a data challenge: either too much of it, incomplete data, unstructured, or in need of cleansing. But understanding the minimum viable data needed for financial crime compliance can help untangle the data web and release the potential for AML insights. And it’s not all about Artificial Intelligence (AI); the right rules are the foundation of a successful client risk assessment - they must align with the organisation’s risk appetite as well as regulatory requirements. Then AI can be used to recommend new rules and uplift performance. But the basis of all FCC must be strong understanding of the customer.
The shift to the cloud is a natural catalyst for many financial institutions when it comes to AML modernisation. As organisations look to drive new value and efficiencies in their cloud roll-out, they seek new innovations that unlock this rather than recreating their current processes in the new deployment. Transaction monitoring systems are often heavy, legacy, on-premise systems for which the time to value can be long. Shifting to pCRA meets the brief: its foundation is next generation client screening and a robust client risk assessment approach, that can combine to deliver pCRA. But equally, client screening and client risk assessment solutions can be deployed natively in the cloud without the need for large 'rip and replace' projects. The time to value is shortened and the Return on Investment is realised.
The benefits of pCRA
In the future, when the industry has made the leap forward in AML modernisation, and pCRA is the accepted standard, we can expect benefits at the financial institution, customer, and societal levels.
Fewer false positives thanks to more current data means less customer outreach and the resulting friction. Investigations will be concluded much faster driving operational efficiencies, so the cost of compliance will come down. Organisations will be able to further invest in customer experience.
As we have seen from Finansinspektionen, the Swedish financial services regulator, there is an increasing mandate to switch focus to the why, not the how. This means keeping the bigger goal, of fighting financial crime, front and centre in our plans and processes.
There is clearly a desire amongst us to be more effective in our fight against financial crime. And with the right approach to modernisation and the right next gen solutions, we can drive a real change in our organisations and a change in the Nordic’s reputation for cracking down on financial crime.
Navigating regional jurisdictions accurately is crucial in financial crime compliance. As AI continues to evolve and play an increasingly significant role in AML, policymakers should stay informed about the latest technological advancements and adjust their regulatory frameworks to tackle money laundering and other financial crimes effectively.
Find out more: Regulating AI in AML under different jurisdictions