The Evolution Of Compliance And How To Future-proof It

Every compliance expert who was asked "Where do you see compliance five years from now" in 2015 probably got it wrong. Over the past five years, financial institutions across the globe have made considerable progress in building compliance capabilities. However, the progress has not been uniform. Most of them are still not fully compliant and are still struggling with significant deficiencies, especially with technology and data architecture.

Let's look at how compliance in financial services looked five years ago and what has changed. Based on my experience with PayPal, Amazon, and FinTech startups I worked with - compliance tasks, customer onboarding, document reviews were mostly manual, even within companies with great engineering resources. Back then, the main concern and focus were on fraud prevention, cybersecurity, and protecting customers from their careless online behavior, such as using the same weak password across different platforms.

The most significant changes in financial services compliance I've observed between 2015 and 2020 happened in the following areas:

• Customer onboarding automation. By introducing automated document authenticity checks, facial recognition checks, and quicker, more accurate sanctions scanning, it has become possible to register, review, and approve customers within a few minutes.

• Blockchain tracing tools and risk-rating of wallets did not exist five years ago. Crypto was not mainstream yet.

• The perception that human checks and human controls are always needed has shifted. Even banks realized that growing a compliance team and having more compliance reviews and committees does not solve their problems.

• 2-factor authentication has become a norm in Europe, but not in other parts of the world.

• News and adverse media scanning and access to curated news feeds are now used more frequently.

• Progressive companies are relying more and more on social media and other public online sources to assess customers.

• Compliance and risk officers within larger institutions have received more formal powers, more resources, bigger budgets to do their job. Frictions, conflicts, and miscommunications between compliance and business have increased.

• Many banks have become much more conservative and refused to open accounts to FinTech or e-commerce companies due to lower risk appetite. This process has been labeled as "de-risking".

I don't think the global pandemic has accelerated compliance automation or brought some fundamental changes to it. Yes, for traditional companies, working from home, making decisions on Zoom, hiring and firing people remotely was a new experience. But I believe this experience does not address the root cause of the main problems I see in compliance.

Main compliance issues in the financial industry

In my opinion, the financial industry currently has three main compliance pain points: understanding and prioritizing the risks, onboarding of corporate customers, and using technology.

When you ask financial institutions about their risks, their compliance team usually produces a list of 200-300 possible risks. They would rate about half of those as high or extremely high. They document all the risks, describe what may happen and submit these long lists to auditors, regulators, and the board. They assume they are doing a thorough job. In my view, they are doing a total disservice because these long lists are not actionable.

If the compliance or risk team identified 100 high and extremely high risks within a business that exist at any given time, it can't focus on any of them. At the same time, the company keeps functioning, nobody goes to jail, customers are being served, so it creates an impression that all those risks are hypothetical.

Why is this happening? Because people don't want to pick only three risks out of 100. They are afraid to make a mistake and to be blamed for consequences. Strangely enough, listing all 100 risks and doing nothing about them feels safer. It creates a false sense of security since "everyone was aware and warned".

Furthermore, compliance teams often inflate risks deliberately because they expect management to be more accountable and dedicate more resources to compliance if more risks are rated high. In my experience, this strategy never works.

Let's look at how this inflated perception of risks materializes in decisions in onboarding corporate customers by large financial institutions and startups.

On average, onboarding and approving of a corporate customer with a financial service takes several months. Based on my observations, only about 20% of the initial applications will provide all the required information. Imagine how much time and resources are wasted due to the "what if" and "just in case" approach.

Another big issue and friction point within many entities that I observe is an internal decision on how much they can trust the technology and how much they can automate.

For example, within fraud detection or facial recognition space, most decisions are already automated. But with more complex analysis of industry risks, corporate structures or sources of funds, compliance people are still not comfortable to rely on technology. For some reason, they believe that assembling compliance and risk committees is a more reliable strategy.

How to future-proof compliance

Compliance is a support function, so to survive and evolve, it must support organizational goals and help solve problems.

Profitability and scale are currently the main challenges within the financial services industry. It means that compliance needs to adapt, evolve, and contribute to these ultimate goals. Whoever figures out how to scale compliance and make it more efficient and cheaper will have a tremendous competitive advantage.

The only way to prepare compliance for the future is to bring more objectivity and pragmatism into risk assessment processes and automate as many human decisions as possible using machine learning, artificial intelligence, and other technological solutions.