Best practice in regulatory risk management & compliance

The fines are hefty, the damage to reputations can be painful, but still FinTechs don't always take an integrated, risk-based approach to compliance. Here we explore some ideas for best practice...

Jul 27, 2021

What are Regulatory Compliance & Risk Management?

Regulatory risk is generally defined as the risk of having a 'licence to operate' withdrawn by a regulator or having conditions applied (retrospectively or prospectively) that adversely impact the economic value of an enterprise.

It is essential that regulated businesses have a plan in place to steer operations away from compliance breaches. Having a plan is what Regulatory Compliance and Risk Management is all about, i.e. firms managing the level of risk in their business so that they meet legal requirements, don't incur fines and (worst of all) don't lose a licence.

Regulatory risk is obviously taken seriously by FinTechs and it's top of the agenda for any MLRO or head of compliance, but there are still plenty of companies that don't have an integrated approach to managing compliance.

How bad are the penalties for non-compliance in financial services?

Financial penalties for non-compliance with regulation can be severe in the financial services sector. Fines vary widely depending on the country of operation, but in the financial year 2019/2020, the UK Financial Conduct Authority (FCA) issued £224.4m in fines.

Financial crime isn't a localised problem though - it's a global issue and crosses borders without compunction. It is also getting more sophisticated with every day that passes. Regulators are clamping down hard on firms that don't tackle compliance issues robustly, because weak compliance puts customers at risk and allows criminals to commit fraud or launder money.

With a quick Google search, it's easy to find the latest corporation that failed in its approach to risk management, as well as those that simply didn't have a good enough process in place to protect them from breaches and the subsequent reputational fallout.

Financial penalties are one thing, but the backlash and scrutiny that come after a "slap on the wrist" from a regulator are another. In fact, this is a core element of the FCA's aggressive credible deterrence strategy, which sees publicity and the media as legitimate tools for enforcement.

In recent times, public discrediting has become more prevalent, such that reputational harm can no longer be contained in the country where the breach happened, as the FCA and international regulators such as the Swiss Financial Market Supervisory Authority and the Department of Justice, along with the US Securities and Exchange Commission, are showing increasing co-operation and co-ordination on these issues. Paying a fine is quick and painful, but reputational damage can be a headache that doesn't go away so easily.

What does best practice look like?

RegTech to the rescue

Working with the right RegTech solutions can drastically reduce the risk of non-compliance in financial services, and it provides a robust framework to manage everyday risks.

Financial services is riddled with complex processes and technical solutions that can often require expensive engineering resource to maintain. A SaaS RegTech solution can be embedded in an existing tech stack and be fully interoperable, without the need for additional engineering support to make it run.

“If you are a human, you might have to look at samples of all the events that have occurred to monitor compliance. However, if you have a machine doing the monitoring, it ought to be looking at 100 per cent of events,” says Michael Grecoff, chief executive of regtech firm Bay Street Technologies.

Building 3 lines of defence

A "three lines of defence" model is a tried and tested approach to risk management; it works in AML compliance, for example. The model helps firms establish a risk framework to operate in, supports compliance in day-to-day operation, and enables ongoing review and remediation.

Line one starts with managers and staff who are responsible for risk management as part of their accountability for meeting compliance objectives.

The second line is the process level, driven by documentation and automation tools, and it underpins line one. The two work in tandem, with the first line leveraging the second to uphold compliance.

Line three audits the process, using data to make informed decisions about what has happened and what needs to be improved or reported. It's a necessary step to ensure the efficiency of lines one and two and to make improvements to the process where necessary.

Good data governance

A good risk management process will evolve and change as new audits reveal where enhancements can be made. Critical to this is the data that underpins decisions. Having clear data and dashboards for reporting is the difference between a decision made on a hunch and a well-informed decision.

Good data governance is a critical part of how a modern-day company needs to operate. Regulators pay close attention to how businesses hold and use data as part of daily operations, so the misuse of data can cause real headaches.

A good RegTech provider takes data governance seriously, so always look out for certifications such as ISO 27001, the international standard for information security management, and SOC 2, a US-focused equivalent.

How PassFort uses 3 lines of defence

The PassFort platform was built around a three lines of defence model to execute effective customer due diligence and ongoing risk monitoring.

Compliance managers or MLROs define a risk model for their organisation. The policy outlines what constitutes a low, medium or high risk customer profile based on risk appetite. A risk profile is then created for each new applicant based on an automated workflow of KYC and AML checks orchestrated through the solution.

  • Line one, operated through the compliance team, uses logic-based automation to achieve straight-through processing (STP). The majority of applications will go through due diligence automatically if they are defined as low-risk; onboarding teams are brought in to interact with customers to manage exceptions. Staff may need to make a judgement call or carry out online document collection, for instance.
  • Line two is where escalations and exceptions happen. Collaborating with their teams in an online portal, compliance managers, MLROs or financial crime managers deal with enhanced due diligence and high-risk cases. Using their experience and specialist skills, managers can handle more complex scenarios and may off-board or reject applications.
  • Line three includes audit, risk and reporting, which is where policy reporting, risk management and remediation happen. The dedicated risk and/or audit function makes decisions, reviews compliance processes and owns relationships with regulators.
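As an added illustration (not PassFort's code and not part of the original article), the Python sketch below models the three lines described above: a policy of hypothetical thresholds set by the MLRO, line-one automated scoring that routes low-risk applicants straight through and hands exceptions to onboarding staff, line-two escalation of high-risk and sanctions-flagged cases for enhanced due diligence, and a line-three hash-chained audit log that feeds a decision report. Every applicant, country code, check result and score weight is constructed for the example.

```python
"""Three lines of defence for customer onboarding (added example, constructed data)."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import json


class Tier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class Policy:
    """Risk appetite defined by the compliance manager / MLRO (hypothetical values)."""
    medium_threshold: int = 30                    # score >= this is medium risk
    high_threshold: int = 60                      # score >= this is high risk
    high_risk_countries: frozenset = frozenset({"XX"})  # constructed placeholder code
    large_volume: int = 50_000                    # expected monthly volume considered large


@dataclass(frozen=True)
class Applicant:
    """Results of the automated KYC/AML checks for one applicant (constructed)."""
    applicant_id: str
    country: str
    pep: bool              # politically exposed person screening hit
    sanctions_match: bool  # sanctions list screening hit
    id_verified: bool      # identity document verification passed
    expected_monthly_volume: int


def score_applicant(app: Applicant, policy: Policy) -> tuple[int, list[str]]:
    """Line one, automated: combine check outputs into a score plus human-readable reasons."""
    points, reasons = 0, []
    if app.country in policy.high_risk_countries:
        points += 40; reasons.append("high-risk jurisdiction")
    if app.pep:
        points += 35; reasons.append("PEP match")
    if app.expected_monthly_volume >= policy.large_volume:
        points += 20; reasons.append("large expected volume")
    if not app.id_verified:
        points += 15; reasons.append("identity not verified")
    return points, reasons


def tier_for(points: int, policy: Policy) -> Tier:
    if points >= policy.high_threshold:
        return Tier.HIGH
    if points >= policy.medium_threshold:
        return Tier.MEDIUM
    return Tier.LOW


def route(app: Applicant, policy: Policy) -> dict:
    """Decide STP (line one), manual review (line-one exception) or EDD escalation (line two)."""
    points, reasons = score_applicant(app, policy)
    tier = tier_for(points, policy)
    if app.sanctions_match:
        tier = Tier.HIGH  # blocking finding: never straight-through, whatever the score
        reasons.append("sanctions match")
    if tier is Tier.HIGH:
        decision = "escalate_edd"    # specialists perform enhanced due diligence
    elif tier is Tier.MEDIUM or not app.id_verified:
        decision = "manual_review"   # onboarding staff make a judgement call / collect documents
    else:
        decision = "stp"             # straight-through processing
    return {"applicant_id": app.applicant_id, "score": points,
            "tier": tier.value, "decision": decision, "reasons": reasons}


class AuditLog:
    """Line three: append-only, hash-chained record of every decision for audit and reporting."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, decision: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = json.dumps(decision, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev"] != prev:
                return False
            if hashlib.sha256((prev + rec["body"]).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def report(self) -> dict[str, int]:
        """Counts per routing decision, the kind of figure a reporting dashboard would show."""
        counts: dict[str, int] = {}
        for rec in self.records:
            decision = json.loads(rec["body"])["decision"]
            counts[decision] = counts.get(decision, 0) + 1
        return counts


SAMPLE_APPLICANTS = [  # constructed inputs
    Applicant("A-001", "GB", pep=False, sanctions_match=False, id_verified=True, expected_monthly_volume=2_000),
    Applicant("A-002", "GB", pep=False, sanctions_match=False, id_verified=False, expected_monthly_volume=2_000),
    Applicant("A-003", "GB", pep=True, sanctions_match=False, id_verified=True, expected_monthly_volume=60_000),
    Applicant("A-004", "XX", pep=True, sanctions_match=False, id_verified=True, expected_monthly_volume=1_000),
    Applicant("A-005", "GB", pep=False, sanctions_match=True, id_verified=True, expected_monthly_volume=1_000),
]


def run_onboarding(applicants: list[Applicant], policy: Policy = Policy()) -> AuditLog:
    log = AuditLog()
    for app in applicants:
        log.append(route(app, policy))
    return log


if __name__ == "__main__":
    log = run_onboarding(SAMPLE_APPLICANTS)
    for rec in log.records:
        print(rec["body"])
    print("chain intact:", log.verify(), "report:", log.report())
```

The separation mirrors the article's model: the thresholds live in `Policy` and are owned by the second line, `route` is the first line's automation with a hard rule that a sanctions hit can never be processed straight through, and `AuditLog.verify` lets the third line prove that no decision record was altered after the fact before it reports on the process.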

Get in touch

To discuss how PassFort could help you achieve best practice in regulatory compliance for AML and KYC, please get in touch. Financial institutions around the world trust PassFort to help them:

  • automate compliance processes
  • orchestrate data checks
  • support manual intervention
  • report on performance

Email the team anytime to arrange a chat about your risk management and compliance processes and how we can support best practice through our RegTech solutions!
