FinTech solutions for regulatory compliance – beware of the risks
In order to remain compliant with an ever-growing regulatory landscape, a growing number of financial institutions in the Middle East are turning to fintech solutions. While such solutions can come with substantial benefits, they also carry a number of inherent risks, write Muthmainur Rahman and Jonny Davies from Ankura.
The UAE is the Middle East’s leading financial center and a global hub for trade, particularly in gold and precious metals. This large presence within the global financial system makes it a target for financial crime, particularly as a transit point for illicit funds.
In the last few years, as part of efforts to further combat this threat, the UAE government has made considerable progress in aligning with global standards on Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF), in large part by improving the robustness of the country’s legislative framework.
Improving compliance programs
With the government’s increased focus on AML and CTF compliance, financial institutions must ensure that they are continually developing and improving their compliance programs. One of the most effective ways to do so is through leveraging the strengths of modern technology disciplines such as advanced analytics and artificial intelligence.
There is a multitude of compliance-related areas in which fintech solutions can improve efficiency and outcomes. Examples include:
Advanced transaction monitoring and network analysis
Traditional transaction monitoring systems use a set of static rules to identify money laundering behavior. The challenge with this approach is that complex money laundering patterns may be missed, and that a high number of false positive alerts may be produced, which can strain the compliance team’s resources.
Advanced transaction monitoring systems use artificial intelligence, machine learning, and network analysis to uncover and identify complex patterns in both transactions and customer relationships that would otherwise be difficult for human analysts to detect. In addition, advanced monitoring systems produce fewer false positive alerts and can give a risk rating to the alerts generated, enabling compliance professionals to review the most pressing cases first.
Automated customizable sanctions screening
Automated sanctions screening applications allow organizations to screen their customer base and transactions in real time against relevant sanctions lists. This allows compliance professionals to review the alerts generated for possible sanctions hits rather than spend valuable time manually checking each name against each of the chosen sanctions lists.
These automated applications also allow for the underlying algorithms and threshold of similarity to be configured in order to match an organization's risk appetite and reduce the number of false positive alerts produced.
Streamlined customer due diligence
Traditionally, customer due diligence has been a time-intensive process; the adoption of new technology can significantly reduce the time it takes. Advanced analytical applications have been developed to streamline the various phases that make up customer due diligence, from ID verification and negative news screening to checking entity connections, allowing compliance professionals’ time to be better spent elsewhere in the organization.
When implemented correctly, modern fintech solutions form an integral part of an effective and efficient compliance program. In the light of clear benefits to adopting advanced technical solutions to combat financial crime and enhanced regulatory scrutiny in this area, financial institutions (including those in the UAE) are increasingly turning to third-party fintech vendors to build their internal monitoring systems.
In the past, it may have been possible for these systems to be built in-house. However, that is no longer the case given the need for specialists in areas such as machine learning and advanced analytics as well as the AML/CTF expertise from compliance professionals.
Third-party tools – mitigate the risks
Whilst third-party applications can undoubtedly assist financial institutions to implement robust compliance programs, there is a risk of costly issues arising if utilized incorrectly, particularly if the vendor and financial institution have failed to communicate effectively.
Across the world, there are numerous examples of violations by financial institutions due to misunderstandings of the scope of utilized solutions supplied by vendors or miscommunication between the parties as to what the solution implemented by the vendor needs to achieve.
Risk between vendor and financial institution needs to be managed in all phases of the software lifecycle. Relevant considerations for both parties include:
Implementation
Has the application been installed properly? Is the system performing exactly as expected? Has the brief given to the vendor been completely fulfilled by the application installed?
The risk of inadequate implementation can be managed by having the financial institution provide a comprehensive brief, so that the vendor has all relevant knowledge (including an understanding of how the institution operates) in order to develop and implement software that is tailored to meet the institution’s specific needs.
Once implementation is complete, a full audit of the application should be carried out by the institution in conjunction with the vendor in order to identify any issues.
Updates
Are updates vetted before they are applied? Do the updates change the scope of the application?
As above, communication between the organization and vendor is essential. The impact of updates should be fully understood and agreed by both the compliance and IT departments before being applied and the impact confirmed once applied.
Settings
Has the financial institution been made aware of the impact of changing the application’s settings?
Many applications, such as automated sanctions screening applications, have settings that can be changed in order to reduce the number of alerts produced. Institutions should ensure that they are aware of and understand the impact of changing such settings. For example, increasing the ‘similarity’ threshold in a sanctions screening application has the impact of reducing the number of alerts produced.
However, the downside of doing so is a risk that true positive matches may be missed if the threshold is set too high. The decision to change the settings of a sanctions screening application is dependent on a number of factors including the organization's risk appetite and the specific circumstances under which the sanctions lists are to be screened. Any decision must therefore be assessed in the light of these factors.
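The threshold trade-off described above can be measured before a setting is changed. The following is an added example, not code from the article or from any vendor product: it assumes a normalized edit-distance similarity score (real products use their own matching algorithms), and every name and the ground-truth labels are constructed for illustration.

```python
import re

# Constructed sample data: fictional names, not taken from any real sanctions list.
SANCTIONS_LIST = ["Alexei Vostrikov", "Northgate Trading LLC"]
# (customer name, is_true_match): ground truth an analyst would have confirmed.
CUSTOMERS = [
    ("Alexei Vostrikov", True),          # exact match
    ("Aleksey Vostrikov", True),         # transliteration variant
    ("Northgate Trading L.L.C.", True),  # punctuation variant
    ("Alex Vostrikin", False),           # different person, similar name
    ("Maria Lindqvist", False),          # unrelated
]

def normalize(name):
    """Lowercase, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Score in [0, 1]; 1.0 means identical after normalization (assumed metric)."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b)) or 1
    return 1 - edit_distance(a, b) / longest

def screen(threshold):
    """Alert statistics for one threshold setting over the sample customers."""
    alerts = [(name, truth) for name, truth in CUSTOMERS
              if max(similarity(name, entry) for entry in SANCTIONS_LIST) >= threshold]
    alerted = {name for name, _ in alerts}
    return {
        "alerts": len(alerts),
        "false_positives": sum(not truth for _, truth in alerts),
        "missed": [name for name, truth in CUSTOMERS if truth and name not in alerted],
    }

if __name__ == "__main__":
    for t in (0.70, 0.80, 0.90):
        print(t, screen(t))
```

On this sample, moving from 0.70 to 0.80 removes the false positive without losing a true match, while 0.90 silently drops the transliteration variant. The same sweep run against a labelled set of an institution's own historical alerts gives compliance and IT a concrete basis for agreeing a setting.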
The examples listed above are just a few of a multitude of scenarios where vendor-supplied software can expose a financial institution to risk. Lapses or oversights in software can often lead to financial institutions paying a heavy price, from purchasing additional/replacement software to, in a worst-case scenario, facing enforcement action from regulators as a result of compliance failures arising from improper use of software.
An independent view
One avenue to mitigate the risks outlined above is to engage with independent experts on a regular basis who are experienced in interrogating and assessing the adequacy of compliance applications from an impartial perspective. These experts can identify and advise upon gaps in the functionality of the application and suggest means of improving or adapting the application to suit the individual institution’s specific needs and circumstances.
Utilizing external experts mitigates issues likely to arise if conducting a review in-house, such as bias, the available bandwidth of staff and a lack of specific skills and experience.
In short, when utilized correctly, vendor solutions can improve the ability of financial institutions to fight financial crime in an effective and efficient manner. However, financial institutions should not be oblivious to the inherent risks that present themselves when relying upon vendor solutions. It is imperative that thorough risk assessments and performance testing are conducted throughout the lifetime of using the technology, ideally by an independent expert.
About the authors: Muthmainur Rahman is a Senior Managing Director at Ankura in Dubai, where Jonny Davies is a Senior Associate.