The reasons why 21st Century compliance is still broken
By Joanna Jenkins, Compliance Product Manager at Railsbank
Here’s the thing: compliance is well and truly broken.
This is not an opinion which always wins me friends, especially in some of the more traditional banking circles, but for the Fintech community, it’s an opinion which resonates.
I’m going to take you through my arguments and then tell you what we do at Railsbank to cope with this industry-wide problem.
First up is the fact that compliance is typically run by non-digitally native management. A management that was usually born before the digital age, and one that instinctively mistrusts the advances made. They do not always embrace the speed of digital change and almost play a defensive game, one that often pushes back against what’s being developed by the FinTech companies. However, we must be cognisant of also capturing the vast amounts of real-world compliance experience of the existing management.
Now, it’s easy to ridicule this, but consider that the mindset of compliance departments is one of preserving the status quo, of keeping the systems well-oiled and working. They are focussed on keeping the wheels on and spinning, rather than worrying about new wheels and what’s around the corner. So when we criticise compliance, let’s not forget we are criticising something that reflects the system as a whole, and reflects to some degree all of us in the industry.
They are just doing what we’ve asked of them for years and as the system’s sentinels, they are focussed on protect and preserve. The fact that we now need change, that we now need something which matches what is being achieved in other parts of the sector, is a responsibility that rests on all our shoulders, not just the teams sat in the compliance departments. It’s up to all of us to step up to the plate.
Another reason why it is broken is of course that compliance has been slapped on existing processes, squeezed into old IT systems which were never designed with compliance in mind. It’s like building an engine and forgetting the management system. It can work, but not as smoothly as it would with all the widgets and gizmos that enable a smooth power curve.
After the event
And, compliance is usually an ‘after the event’ audit activity which statistically means it will always miss things – if you think about it, it’s inevitable.
But, here’s a radical thought, let’s make compliance a ‘before the event’ audit activity. Whoa!
And let’s not forget the role of lawyers within all this. The area of compliance often crosses over to the legal department, so you also have another set of professionals who have opinions and control of a process that is already slow and lumbering.
Okay, so that’s what’s wrong with the system, but how can we put things right?
And what does Railsbank put in place to elevate compliance up another level, to one where it takes centre stage, and is not left as a bit-part player?
Data at core
Bear in mind that at Railsbank, data is at the very core of what we do. We are a banking and compliance platform that connects together a global network of partner banks with companies who want API access to global banking. Therefore, we see compliance as a problem solved by data science. The answer lies within the data.
There are five core parts to our approach to compliance.
First, we embed our compliance manual into the core Railsbank banking platform. Note the word ‘embed.’ I use that word deliberately, because with us, compliance is not the final part of the jigsaw which we try to squeeze in at the end. It’s right there bang in the middle, right at the start, and it fits snugly with the other pieces.
Second, every transaction is run against the AML and CFT Compliance Manual, which means that all on-boarding and future transactional events are baked-in from day one. This means you are not pushing the problem down the road to be picked up at a later date. Furthermore, KYC is a continual process and not a one-time event revisited every year.
Third, our compliance is based upon a customer’s defined real-time risk assessment. Not an assessment of a vague date in the past, or a projected assessment sometime in the future. But, it’s a ‘real-time’ assessment which carries with it all the advantages you can think of, including cross-referencing with other databases, country risk, nature of business, value chain location and length of establishment. The key here is that dynamic risk assessment allows you to accelerate decision making and suspicious activity reporting, enhancing accuracy in detecting fraudulent behaviour.
Fourth, our system can respond to changes to regulations instantly, and likewise it can also instantly respond to new sanctions. We will also be adding functionality to back-test historical transactions. This is crucially important, especially when regulators like to bring in new rules and sometimes ask for them to be applied retrospectively.
Finally, it’s important to realise that data in the Railsbank platform can be rolled back to ANY point in time. This is fantastic for forensics as all data, including changes, is captured along a timeline. This also helps us hook into machine learning to look for patterns based on revealing timelines.
So, compliance does not have to be a part which gets stuck on at the end. We for one have proven that it can be integral and it can be fully exploited by the platform right from the start. All it needs is a determination to make it a central component of your strategy. At the end of the day, that shouldn’t be seen as mission impossible.