How To Achieve Compliance In an Ever-Changing World?

How Big Data And Industry Trends Impact The Compliance Profession

All businesses must be compliant with some kind of Government regulation. In certain industries, regulation is more complex and thus compliance becomes more complex. For example, financial services and the food industry. How can companies remain compliant, how is compliance evolving, and what is the role of Big Data in this domain?

On Thursday 14 February 2019 I spoke about this topic in an interview of New Business Radio, the digital radio station of the website Financials van Morgen (Finance of Tomorrow; in Dutch). Following up on this radio interview, in today’s blog I’ll elaborate on this topic. For the sake of discussion, I focus on compliance primarily in financial services, however as will become evident in the discussion, the same thoughts are applicable also in other domains. My interview is available as a podcast (in Dutch).

What Is Compliance?

Compliance is the process of adhering to all relevant regulations, and ensuring the ability to demonstrate being compliant (this is not a formal definition). Compliance – as a business area – exists since Government regulation has been introduced. Wherever Government regulates an area, companies that operate in this area need to ensure compliance with the regulations. A simple example is that companies (operating in certain countries) are required to write their VAT number on any invoice that they issue. More complex regulations concern safety and security risks (e.g. food safety) or to tax and auditing regulations.

Preventing Money Laundering And Terrorist Financing

In recent years, within Financial Services there has been a strong focus on compliance with AML (Anti-Money Laundering) regulations, driven by an increasing globally-orchestrated effort to fight the financing of terrorism and organized crime. In its core, this area of compliance requires financial service providers (so-called “obliged entities”) to perform a Customer Due Diligence process, and to report certain “suspicious” (or: “unusual”) cases to the Government. This is well-described in the diagram below (source: European Commission website). The European Commission explains on its website why such regulation is necessary: “Fighting money laundering and terrorist financing contributes to global security, integrity of the financial system and sustainable growth. Laws to combat money laundering and the financing of terrorism are designed to prevent the financial market from being misused for these purposes.”

Trend Impacting Compliance: More Extensive Regulation

As with other regulations, also Anti Money Laundering (AML) regulation is being updated regularly to reflect new insights and changes in the environment. The trend is that regulation only gets more extensive and more complex; not simpler (just like the business environment and the sophistication of terror groups and organized crime). For example, the 5^th AML Directive of the EU now covers exchange platforms for virtual currencies, providers of electronic wallets, rental brokers, freeports and art dealers. Yes, you understood this correctly: an art dealer will be subject to the same AML regulations as large banks. Also in other areas, the European Union introduces new legislation. For example, the latest EU Conflict Minerals regulation imposes supply chain due diligence obligations on EU importers of 3TG minerals if the minerals originate (even potentially) from conflict-affected and high-risk areas. To conclude: the trend is clear, companies have ever-increasing due diligence responsibilities.

Trend Impacting Compliance: The Responsibility Of The Service Provider

Another interesting development is the responsibility that the regulator assigns to a service provider. Thus not knowing that you facilitate wrongdoing does not relieve you from responsibility for the wrongdoing, because you’re expected to ensure that you do not facilitate wrongdoing. A recent example is ING, a large Dutch bank, who agreed to pay 775 million Euro to settle charges for violations of the AML regulations. According to the Dutch prosecutor, the bank did not prevent that bank accounts of ING customers in the Netherlands were used for the laundering of hundreds of millions of Euros. A similar approach is taken by the regulator also in other areas of compliance. In 2017, the Dutch airline KLM had to pay “for having co-committed the intentional transport of military goods without the required transit license”. Although the airline was merely a transporter of the cargo and not its supplier, and although it is the agent (freight forwarder) who typically obtains such a transit license, as a service provider the airline had the responsibility to verify the content of the shipment and to ensure that the shipment does not violate regulations (in this case: a special permit was required). The court ruling used the word “intentional”, which I interpret as reflecting that not making sufficient effort to prevent a violation is equal to an intentional violation.

Trend Impacting Compliance: Compliance Gets Global

Globalization is not new, but have you considered what globalization entails, from a compliance perspective? For example, if a company operates in the U.S., it is subject to U.S. regulations. Nowadays when companies buy other companies and create complex corporate structures, it is enough that one entity in the family tree does business in the U.S., and the corporation already falls under U.S. law. Similarly, many companies set up entities in Luxembourg, Ireland or in The Netherlands for tax reasons; consequently, they are subject to EU regulations, i.e. they need to be compliant with EU law. Take the example of VimpelCom (current name: VEON). The Russian-owned company agreed to pay 835 million USD to settle U.S. and Dutch charges that it paid massive bribes to enter the Uzbekistan telecommunications market. Because VimpelCom stocks are traded in the U.S. (NASDAQ), the company falls under U.S. anti-bribery laws, which were violated in Uzbekistan. Similarly, due to the company’s headquarters in The Netherlands, it was subject to Dutch and EU anti-bribery regulations. In this case there was not necessarily any wrongdoing in the U.S. or in The Netherlands, but the company was still subject to regulations of these jurisdictions. To conclude: compliance is as global as a company’s operations.

KYC: It’s Not Easy To Know Your Customer

KYC – Know Your Customer – is a process of a company verifying the identity of its clients and assessing potential risks of illegal intentions for the business relationship. A thorough KYC process is part of the due diligence that companies are required to perform. However, it’s easier said than done. Criminals and terrorists excel in hiding their illegal activities, and thus just verifying the details that your client (or: supplier) has given you is not enough, because they wouldn’t reveal incriminating details. Instead, they would use shell companies, or complex structures that aim to hide who is the real person (or entity) behind a business transaction. Another complexity is the constant change in business operations: what if your client gave you yesterday’s details, but tomorrow the company will have a new owner who appears on a sanctions list? Even if you did a thorough check upon onboarding the client, by the time that you provide the service, the company may be on a sanctions list. The business environment is under constant change. For example, in the U.S. alone, every 60 minutes 159 businesses open their doors, 182 CEO or business owner changes occur, and 360 businesses have suits, lien or judgment filed against them (source: Dun & Bradstreet).

The Tough Challenge of a Compliance Team

In sum, ensuring compliance is an ever more complex task, from the regulation perspective (increased regulation), due to the global nature of doing business (regulations in other countries are applicable to your business) and from the business environment perspective (the magnitude of change in company information is too massive for most companies to follow). At the same time, more and more responsibility is placed on the service provider (e.g. bank, art dealer or logistics service provider; and the same applies to any service provider). So how can you remain compliant with the need for a thorough KYC process?

Experience From Other Industries

Client contact moments are critical to a service experience. And yet, eCommerce companies typically do not have their own parcel delivery service. Instead, they use an existing courier service to deliver their package to their clients. Why? Because they realize that parcel delivery is not their core business, and they are not likely to excel in doing it, and even more: doing profitably. Therefore, they use an external service provider, and in fact they outsource the delivery task. However, outsourcing the task does not relieve them from the end-responsibility for the delivery. Rather, eCommerce companies remain end-to-end responsible for the full service of their client: if there is a problem with the delivery, the client turns to the eCommerce website who is the vendor.

Three Components In Compliance

The same logic holds also for financial service providers or other companies that are required to perform a thorough KYC process and Customer Due Diligence process for compliance with Government regulations. The compliance task can be de-composed into four components:

Know Your Customer (KYC): understanding who your customer really is.
Screening your customer once you know who the customer is, you screen the customer against all potential relevant risks
Risk assessment: The results of the screening are assessed, to decide whether a significant problem has been found (red light), or whether no problem has been found (green light), or whether a more thorough assessment is required (amber light) in order to classify the case as red light or green light. Red light cases would typically be refused, or reported to the relevant authorities (depending on the risk and the applicable regulations). For green light cases we can continue the business transactions.
An ongoing data analytics process to understand what is “usual”, and what is “unusual”.

KYC Requires Data

In order to perform KYC, you need access to extensive data about businesses (assuming you’re in the B2B business; if you’re in the B2C business, you need data about individuals). As discussed above, it is not feasible for most companies to keep track of the ever-changing business environment, and therefore understanding who your client actually is should rely on external data. Namely, if you cannot excel is maintaining an up-to-date database on all the companies, use the services of a company whose core business this is.

External Data At Your Service

With this external data you establish:

What are the true (official) name and address of your client?
What does your client company actually do? (e.g. if your client’s business with you does not fit their declared activities, this should raise a red flag)
Does your client belong to a larger corporate structure (e.g. does it have a parent company? A daughter company?). If so, who are these other companies in the same family tree? Note that the corporate structure can extend beyond country boundaries, and therefore even if all your clients are local, you need access to global data.
Who are the beneficiary owners of your client (similarly: who are the beneficiary owners of your client’s full family tree)?
What is the identity of key directors within your client organization? Who are key directors within their parent company? Do they hold roles in other companies too? If so, are these companies legitimate?

Screening Requires Data

This enriched understanding of who your Customer (i.e. with answers to the above questions) serves as input for the screening. In the screening process you verify whether there is any information that links your client – enriched with information about beneficial owners, directors, corporate structures and other relevant business links) appears on any black lists, sanctions lists, or any other relevant list. It is up to you how much you extend this screening, depending on your risk appetite. For example, you can decide to screen the company also against involvement in environmental issues and child labor / modern slavery, or screen the directors against involvement in sex offences. Such enhanced screening is often driven by a CSR (corporate social responsibility) policy or by the wish to mitigate brand damage, and not by regulations. Yet the two come together because both external regulations and internal policies are reasons for screening your business partners.

Data-Driven Risk Assessment

Screening your business relations is an important aspect of making an effort (as the law requires) to detect and prevent cases where your business relations are using you to cover illegal activities. But what if this is a “first time criminal”, i.e. there is no known connection to any known criminal or terrorist, or even to a party that is somehow affiliated with a criminal or a terrorist? Such an entity will not appear on any “black list”. Yet, service providers have the obligation to make an effort to detect unusual behavior of their business relations, which may indicate illegal activities. But what is “unusual”? There’s no clear-cut answer. Neither is it possible to define what is unusual, because “usual” keep evolving, as the business environment changes. And therefore the only way to find “unusual” cases is to have a continuous data analytics effort to define what is usual, and what is not. By examining large datasets of historic data, analysts and supporting software tools detect patterns of normal behavior, as well as patterns of illegal activity. Once you know these patterns, you can compare every single transaction to the pattern, to establish a level of risk. Because the business environment keeps changing, these patterns and rules need to be re-evaluated and adapted on a continuous basis.

Data Analytics Within Financial Institutions

Therefore, analytics skills become a core competency for organizations that want to detect and prevent risks in financial transactions. This is not new to large banks though. Large financial institutions have been among the most IT-savvy organizations for many years, and many of them have large IT departments. The same data analytics skills used for creating risk models for financial investments can also be deployed for detecting fraud, money laundering or other illegal activities. Why is this reasoning important? Because it highlights the conclusion that the Compliance practice requires not only Compliance officers, but also Data analysts and analytics experts as a core skillset.

To Outsource, Or Not To Outsource; This Is The Question

Given that KYC and screening both require extensive data, and that this is not the core business of most companies, best practice is to use external data for this purpose. Two common models exist: either a financial service provider performs the whole end-to-end process by itself, using external data; or a financial service provider outsources the process to a third party that has this data and the ability to perform the KYC & screening. Yet also in the latter case it is the financial service provider that remains responsible for the process, and it is the financial service provider who will in most cases do the actual risk assessment based on the results of the KYC and screening using external data. Why? First, because it’s the financial service provider that knows best what its own risk appetite is. And second, because it’s the financial service provider who remains responsible towards the regulator. It is possible to outsource the whole process (including the risk assessment and decisions about risky cases), but even then the financial service provider remains the responsible party towards the regulator. Just like the buyer who orders a package from an eCommerce vendor will hold the eCommerce website responsible if the courier service fails to deliver the package.

Compliance Is A Never-Ending Journey

Catching the “bad guys” and finding the “unusual transactions” is a never-ending undertaking because the business environment keeps changing. If a bank detects attempts to launder money in one area, the criminals will shift their operations to another area. This is no different than any other area of law enforcement, where police, tax agencies, Customs agencies, border agencies and other law enforcement agencies deal daily with the challenge of “finding the needle in the haystack”. We’re not dealing here with a well-defined problem that has a well-defined solution which can be procured as an “off the shelf” product.

Capacity Building

Instead, the approach is to build a capability within organizations, where:

Smart and curious people;
Have access to rich internal data (your data about your clients); and
Have access to rich external data (about your business relations, about other entities and their behavior; about known offenders); and
Use data analytics tools to detect patterns of “good behavior” (i.e. low risk) as well as patterns of “bad behavior” (i.e. high risk); and
Based on the identified patterns, software tools screen transactions in real-time, and pro-actively send alerts to Compliance analysts when potentially high-risk cases are detected

These people, and this process will combine the rigor of data analysis (the “science”) with the creativity of exploring hidden patterns (the “magic”). The combination of science and magic is a key to success.

Why Define Patterns of “Good Behavior”

If we are trying to detect illegal activities, why spend resources on understanding “good behavior”, i.e. behavior that we consider to be legitimate, and very low risk of illegal activity? The answer is simple: efficiency. We consider that most financial transactions are legitimate. Thus if we’re able to to define that these cases are “low risk” (in an automated way), we will not spend any resources on investigating them. We call this “de-risking”.

Businesses Can Learn From Governments

Compliance and fighting fraud go hand in hand, and show great similarities to many areas of law enforcement. Government agencies have a long history of detecting and preventing fraud and other forms of illegal activity. Nowadays, businesses are more and more required to develop similar skills. Thus, experience in implementing such capabilities at Government agencies become highly relevant for Financial institutions. In my own experience – having worked with law enforcement agencies for many years – financial institutions are very well positioned to succeed, because they already are very data- and IT-savvy organizations.

Beyond Compliance: Brand Protection

Digitization is a driver for risk-asymmetry. Information explosion, and even more importantly the ability to easily distribute information to large audiences, created a reality where brands become vulnerable. Negative press or bad customer experience are quickly shared on social media and distributed worldwide. Consequently, brands can be more vulnerable than in the past. Negative press can easily result in loss of share value. Consequently, more and more brands are currently becoming more aware of potential damage to their reputation. As a means to prevent such damage, they perform voluntary Due Diligence checks to their business relations, in a manner that is very similar to checks that regulators impose on financial institutions. Such checks can relate to the business relations’ involvement in environmental crimes, child labor, financial crimes, or even sex offenses of directors within the company. These are different types of risks (compared to AML regulations), but the approach to tackling them is the same.

Where To Start?

Do you recognize these challenges within your own organization, and do you wish to brainstorm about our experiences and about best practices for implementing such capabilities? Get in touch today.

Science And Magic: How To Achieve Compliance In an Ever-Changing World?