Last week, the Financial Times reported that Revolut, a leading European fintech firm, may have “turned off” its transaction monitoring solution. According to the unnamed whistleblower, the system may have been erroneously disabled during a system upgrade. The news about Revolut (who also has a banking license in Lithuania), while surprising, is likely a harbinger for things to come for a fintech sector that is finally growing up. In the end, fintech firms have the same obligations as the banks they seek to disrupt in protecting the international financial system from exploitation by rogue regimes and corrupt individuals and businesses.
In fact, a financial institution’s approach to monitoring, an obligation under the Bank Secrecy Act for example, is often the first place (or one of the very first) that a regulator inspects during a review. Failure to maintain an effective monitoring solution can be extremely costly. For example, just this year, U.S. Bank agreed to a $600+ million settlement with federal regulators for manipulating their transaction monitoring solution by placing a cap on the number of alerts generated.
It can be argued that fintech firms – particularly challenger banks, payment companies, wealth management funds and real estate investment platforms – are the very ones most susceptible to targeting by threats ranging from petty criminals to large, transcontinental criminal organizations which may include terrorist organizations. Severe enforcement action against one of the pre-runners to the fintech boom, Liberty Reserve, demonstrates all too clearly the cost of growth at the expense of good controls. After all, it is no secret that criminals seek out firms who are experiencing rapid client growth, nascent systems and a desire to meet investor expectations, all factors requiring continuous and proactive management. Our recent blog post, for example, highlights a common theme surrounding “deep fakes” that comes directly from a challenger bank we are familiar with.
So, what does this all mean?
It means that fintech firms, the banks who “loan their licenses” to them, the lawyers who advise on compliance and their investors should frankly be asking more questions. And soon. Below we outline some areas to focus on to ensure that your firm (or your investment) remain ahead of the pack in what is certainly the beginning of a robust round of regulatory inquiry.
Some Essential Steps for Safeguarding Your Organization (or Investment)
2) A number of regulatory fines have stemmed from a legacy of “poor culture” within in an organization. The largest sanction and fraud-related fines have almost invariably described a culture of greed, corner-cutting and flouting of the rules. Reporting to the board on compliance culture is critical and can be demonstrated by things like staff churn, whistleblowing reports, alert volume, transaction exceptions and surveys.
3) Test your compliance program regularly. There is a role for internal audit and there is also an important role for independent testing. Going beyond “tick box” reviews is imperative to find and stay ahead of risk.
4) Tune your system and work to improve client data. A system – no matter how good and how much AI you have (or think you have) behind it – is only as good as the data you maintain on your customers and the lists you use for screening.
5) Be proactive on financial crime compliance and document it. How often does the compliance committee meet (assuming there is one)? What do they discuss? Do they consider new products and emerging geopolitical trends that may impact the business (e.g., Venezuela)? They should. And it should be documented.
6) Perform financial crime risk assessments. Where are vulnerabilities? Are you over exposed to a particular client type, jurisdiction or product? How does the company ensure that those risks are well managed and properly resourced to offset the identified inherent risk?
7) Get rated. A rating is an efficient, powerful and independent way to demonstrate to the board, investors and regulators that you take financial crime compliance seriously. Financial institutions, NBFIs and private equity firms across more than ten markets can’t be wrong in getting Sigma Ratings themselves.
Traditional financial institutions, banks and fintech disruptors – all of whom we support and encourage – can benefit from a more active approach. Of course, there are limitations, but done well, compliance should be seen as an investment versus a cost. An investment in ensuring regulatory compliance, as well as protecting shareholder value and ultimately, the international financial system.
Stuart Jones, Jr. is the Chief Executive Officer and Founder of Sigma Ratings, the world’s first AI-driven rating agency for financial crime compliance. Prior to Sigma Ratings, Stuart served as a senior U.S. Treasury official and as a principal at EY. Sigma Ratings is based in New York and operates in the Americas, Europe, Africa, Southeast Asia and the Middle East.