My ‘The Future of Compliance’ interview with Compliance expert Malcolm Wright appeared in the latest edition of InCOMPLIANCE, the International Compliance Association’s bi-monthly magazine for compliance professionals globally. Reproduced with permission.
Shanty Elena van de Sande (SV): In which ways have new technologies changed the modus operandi of financial criminals?
Malcolm Wright (MW): As technology becomes cheaper, smarter and more accessible, today’s criminals have grown far more sophisticated. Advanced technologies and data analysis allow criminal groups to identify weak points, for example detecting organizations with lower anti-money laundering (AML) controls or uncovering which jurisdictions are easiest to penetrate. Moreover, it is now possible to source fake documents for KYC or to buy lists of stolen personal data as easily as performing an internet search. Automation allows large-scale operations – such as hacking sites to steal data or to process stolen credit card data – to be run with minimal effort. Technologies also allow criminals to mask their location, appearing to be in one place when they’re actually in another.
SV: How does the compliance industry benefit from advanced technologies?
MW: To be honest, the industry has been slow to respond to this shift. This is not helped by organizations using older technology and distributed data sets that frequently contain disconnected, outdated, or incomplete information. Data privacy also poses a challenge. Good data governance is important, but it creates an asymmetric battle against criminals who don’t follow the rules. However, things are changing. We are starting to see the successful introduction of technologies such as machine learning and artificial intelligence (AI) link analysis to pull together disparate data sources, content tagging and extraction, and smart automation of previously manual tasks. This, in turn, is allowing real-time detection and analysis of suspicious activity. Governments are also starting to adapt to this new reality with both improved datasets and public / private intelligence sharing initiatives such as the Joint Money Laundering Intelligence Taskforce (JMLIT) in the UK.
SV: What measures should firms and governments take in order to get the most out of advanced technologies?
MW: Governments need to support technology initiatives to accelerate public and private research and development, and to provide safe environments such as sandboxes. Work also needs to continue on public / private data sharing initiatives to advance and automate the activity detection process across organizations. Meanwhile, companies need to ensure that their internal cultures are geared towards “the three Ts” of change – Technology, Typology, and Traction. For technology, they need to ensure they have budgets to rapidly upgrade legacy systems and undertake data quality and security projects. But, above all, they need well-trained personnel with the right skills to understand the emerging threats through new typologies. For example, training an analyst in cash laundering detection is still important, but with digital money mules and merchant transaction laundering on the rise, analysts must also be qualified to understand these new patterns. Most important of all, however, is traction. Criminals are rapidly exploiting advances in technology and the response to this must be immediate. For example, no sooner is Bitcoin exploited than it is replaced with Monero as the virtual currency of choice.
SV: The payment landscape is rapidly evolving, with the introduction of new rules and regulations. Could you explain the impact of this on compliance?
MW: Everyone is more than aware of the challenges of new regulation in an ever more complex global environment. From the Fourth and Fifth Money Laundering Directives, to the General Data Protection Regulation (GDPR), to the second Payment Services Directive (PSD2), to the New York Department of Financial Services Final rule – all have had an impact on existing KYC processes. But the traditional banking industry is fragmenting as new ways to send value from one country to another are developed. You are no longer bound by high street banks utilizing SWIFT, but can now choose from numerous channels and FinTechs providing interbank FX rates. Then there is the issue of virtual currency. These new e-payment methods require fast detection of suspicious transactions and stringent risk management protocols.
SV: How do recent technological and regulatory changes affect the cost of compliance?
MW: The cost of compliance was recently estimated at around US$8bn annually and growing. At some point this will become unsustainable. Against these challenges we also see a shift in customer behavior. Digital transactions are replacing cash. In Sweden, just 2% of transactions are made in cash. A future generation will regard cash as an out-dated payment method. Exciting new e-payment methods trigger higher transaction volumes with lower average values, driving an acceleration in large data volumes but also triggering more false positives on traditional transaction monitoring systems.
SV: RegTech is a rapidly-expanding area. Could you explain what RegTech currently encompasses?
MW: There are a number of different strands to RegTech, some of which include automation of manual processes such as KYC document collection and verification, big data analytics, cognitive computing (such as AI), distributed ledgers, application programming interfaces (APIs) that allow different systems to connect to one another, and – apparently at the top of the agenda for 2018 – digital identity, or figuring out how to verify that someone is who they say they are, particularly in a non face-to-face relationship.
SV: Are there risks attached to cognitive computing or machine learning?
MW: A self-learning system is a utopian concept and seems to be highly efficient and ultimately cost effective. However, there are risks involved – and not just the Skynet / Terminator kind – when technology is allowed to make independent compliance decisions. The question arises whether we should allow machines to make future “decisions” based on what machines “learned” from their own previous actions. In regulatory compliance, where a human is personally responsible for compliance decisions, the level of reliance on a machine’s actions needs to be evaluated very carefully in order to mitigate risk.
SV: Blockchain was a buzzword in 2017. How does this innovative technology relate to RegTech?
MW: The distributed ledger – or Blockchain – we’ve heard so much about is still nascent but offers real promise. Within the RegTech space I see it largely as a mechanism to guarantee data lineage, ensuring that data is untampered from its source, with full visibility on changes available. This offers greatest value in KYC ID verification processes, as well as protecting payment processing, where we have seen problems in the past.
SV: Our digital world is increasingly built on enhanced platforms and open APIs. How do these developments affect your industry?
MW: It seems everyone has a platform or an API, and with good reason. We are moving towards a world of collaboration and partnership. Driven by a new paradigm of customer experience, the necessity for RegTech firms to collaborate or partner is becoming crucial to deliver the end-to-end solutions businesses need. Complex regulatory requirements mean that a “one-size-fits-all” solution often doesn’t work, and being able to collaborate in new plug-n-play ways ensures the customer meets its regulatory compliance goals.
SV: What do you see as the main challenges within the RegTech space?
MW: I have called them “The Three Ps”: Privacy, Profiling and Perception. Privacy is taking front and center stage at the moment, notably with the introduction of the GDPR. We are seeing a march towards data privacy retrenchment at a jurisdictional level: firms not even being able to share information within firms. Some of this is with good reason. However, when looking at advanced technologies to fight financial crime, conflicts may arise between the technological possibilities and the privacy realities. Customer profiling is another concern. Again, GDPR is clear in this respect about automated decisions based on profiling. There has to be a level of human intervention in the decision-making process, and technologies that might appear to profile customers should be reviewed carefully from both a compliance and a legal perspective. Finally, one of the biggest areas of concern I see emerging is when a RegTech firm doesn’t have in-house compliance subject matter expertise and sells its solution to compliance professionals with little or no technical expertise. The consequences could be disastrous. Imagine: a RegTech firm states that its AI system reduces transaction false positives by an average of 40%. The compliance professional takes it at face value that the system works. But, behind the scenes, the system is learning like a naughty child and over time false negatives sneak in. The compliance professional now has a false perception that the system is watertight. Due diligence is key, along with a shared understanding of compliance and technology. It is therefore crucial for RegTech firms to have compliance experts on board, and for compliance professionals to skill themselves on the latest technological advances along with their limitations.
SV: How do you see the role of compliance officers developing?
MW: The first big shift will be a move away from manual data collection towards data analysis. As automated data collection, digital identity verification solutions, and self-serve customer portals remove manual effort from AML processes, the human effort will move further up the value chain. The role will become much more focussed around data interpretation – making sense of the information gathered, or being able to pull analytical reporting in order to determine whether a customer and/or transactions are suspicious. With the ability to gather and connect multiple data sources, roles will develop in a more holistic direction, connecting facts and behaviour into one model. This will require a broader skill set from the role in order to understand the full breadth of data presented, and to work across multiple disciplines through the decision-making process. Ultimately, of course, this will lead to better outcomes including better SAR filing and thus more value for law enforcement in pursuing bad actors.
SV: Does this mean a shift from the compliance officer’s role as a “rule-keeper” towards a role that enables and protects corporate values?
MW: Compliance has sometimes been called the “Business Prevention Unit”, but this perception is changing. We see a shift in awareness. Senior managers are personally accountable and are forced to act responsibly. This is in part because of regulation and in part due to increased pressure from customers who use social media to push organisations to act responsibly. Companies prefer to avoid reputational damage for obvious reasons. As a consequence, the role of compliance is extending and becoming part of a company’s business strategy. Compliance officers help firms in defining how to operate ethically and responsibly. I believe the next couple of years will be a watershed moment of monumental change in our industry. For compliance officers the need to ensure they have appropriate skills and training should start now. This can be formal courses, workshops and seminars, but can equally be through a daily dip into reading relevant content on LinkedIn. If anything, it should be a mix of all of them because one thing is for sure – hoping the job will remain the same is not an option.