As the world of financial services becomes increasingly digital, cyber criminals are raising their game. But could digitalisation of risk and compliance be the game-changer – as firms turn to tech to protect their businesses?
One of the headline stories of the pandemic period has been the role that technology has played as a huge enabler for consumers – ensuring they can continue to buy, sell and invest during periods of limited movement.
But the pandemic hasn’t been the sole driver of technology’s advance – from internet banking to money transfers and playing global stock markets, technology has for a long time been driving consumer convenience, so all financial services can be accessed by the touch of a screen or click of a mouse.
But there is a trade-off. Alongside the rise of technology, criminals have been working to exploit technology – and the entry points it creates – to devastating effect.
According to a recent research paper from the House of Commons, Economic crime in the UK: A multi-billion pound problem, it is impossible to estimate the precise scale of economic crime in the UK. But it likely runs to tens or even hundreds of billions of pounds per year.
The grim reality is that financial crime remains one of the key risks faced by both the financial services sector and society. So, is enough being invested in detection, prevention and deterrence capabilities?
Martin Keelagher, Chief Executive Officer of Agile Automations, says it is hard to specify the amount of investment required by firms, but they must be alert to the complex nature of fraudsters’ ever-evolving activities.
“It is a difficult sum to quantify,” he says. “But what I would say is that the level of prevention undertaken by an organisation, or indeed individual, should be both prudent and appropriate to the level of sophistication of the adversary.”
As the incidents and sophistication of financial crime continue to escalate, Keelagher says governance and risk are perhaps the fastest growing areas within regulated services in the past decade.
“The reality is that we will need to continue to invest in this essential area to keep pace with the criminals that continue to adapt their own processes and methods.”
Tech leads the way
The financial services sector is having to invest vast amounts of time and money to combat criminal activity and reduce risk. For most, that means an increased focus on digitisation in the risk and compliance process.
Lindsay Fox, Managing Director, Platinum Compliance in Guernsey, says technology is not just a nice-to-have; it’s an essential game-changer.
“One of the key areas of focus for risk and compliance functions now is ensuring sufficient evidence is held,” Fox says. “By using manual systems to undertake such functions, there is a risk that data will easily be deleted or lost for good.
“For example, Excel spreadsheets are commonly used to undertake compliance monitoring programmes, which do not tend to provide an effective audit trail. Where technology is involved, this normally includes a full audit trail to provide an efficient record of changes.”
Stuart Esslemont, Global Head of Compliance at Zedra, agrees that digitising compliance, either via bots or artificial intelligence (AI), is crucial for financial services companies.
There is resistance from some companies to digitise, he says – because they don’t understand or trust the software being offered – but on the whole, most firms are well down the track in terms of investment and implementation.
Technology is clearly growing in importance as a means of enhancing compliance. But Malin Nilsson, Managing Director of Kroll’s compliance and regulation division, says that to effectively gauge whether digitisation will be a game-changer for risk and compliance, we need to take a step back and ask why regulatory failure occurs in firms in the first place.
“Regulatory failure can typically be divided into two broad themes: cultural issues such as governance or risk awareness; and systems and procedural issues such as inadequate processes, non-adherence to such procedures, inadequate data and over-reliance on poor systems,” she says.
“In our view, digitisation can assist with both of these – but care should be taken in viewing digitisation as the panacea to all regulatory woes.”
She adds: “Can the client lifecycle be digitised and automated? Yes, of course it can. However, technology cannot create proper regulatory outcomes without proper adoption by the business.
“Firms need to demonstrate to their regulators that there is embedding of compliance requirements in the technology solutions developed and a culture of compliance when using those solutions.
“This means compliance must be involved in the technology development process to ensure it is compliant with regulatory requirements and also includes controls to help ensure that their requirements are met.”
Benefits of consistency
Keelagher believes the benefits of digitisation are increasingly valued by businesses. “Automation has a huge role to play in enhancing risk, governance and compliance,” he says.
“The ability to have a robotic workforce, strolling and analysing data 24 hours a day, every day, with the same consistency of approach and with human error removed, is incredibly powerful, and something we are continuing to see demand for.”
A robotic workforce performs at the same level on a Monday morning at 9am as it does on a Friday at 5pm, he says – without mistakes and ambiguity.
“This is also incredibly important from a regulator aspect, as they can take comfort that a consistency of approach is maintained throughout,” Keelagher adds. “Quality of training or indeed CPD doesn’t come into it.
“In addition, it allows you to unleash the true potential of your workforce. Rather than having your risk and governance teams scanning data for anomalies, a bot is able to send them a simplified exception report to work through, making far better use of their time and skills and freeing them up to concentrate on cases that really require their knowledge and skills.”
Despite the benefits of automation and digitalisation, Fox believes that caution should be exercised around just how ‘automated’ systems become – they should never fully replace human intervention.
“The human element ensures a risk-based approach is taken along with the skills, knowledge and experience of the individual,” she says.
“There is also a risk that fully automated technology will not quite deliver on expectations, so users must be cognisant of realistic targets.”
No two businesses or clients are the same, Fox stresses, and they shouldn’t be treated as such. “Systems with a bespoke offering are key to providing the right requirements,” she says.
“With the added pressure of personal liability through holding prescribed positions, coupled with the need to engage and build strong relationships with the board of directors and ensure effective governance, face-to-face meetings will continue to play an important part, too.”
Developing good relationships with regulators in different jurisdictions is also important, according to Esslemont at Zedra. “There are different regulatory expectations in different jurisdictions,” he says. “It might be lighter touch in the UK but different in Jersey, Guernsey or Malta.
“Recently, we had to swiftly turn around a huge data request from the regulator in Malta. It was quite a challenge and digitisation was key to us being able to fulfil the request.”
Challenges of complexity
Digitising compliance and regtech ultimately needs individuals who understand both the expectations of a regulator as well as technical expertise to translate the process into an automated one. That brings its own challenges.
Fox says it is of utmost importance not to reduce regulatory standards that are set by the regulator.
However, one of the main challenges with technology is that it can be far too complex and uses algorithms that aren’t fully understood by the user.
“Individuals in the governance, risk and compliance arena have different skill sets – and their knowledge, skills and experience are of utmost importance when automating a process,” she says.
“Where systems are too structured and where they are not adaptable to the client, they can cause errors that are not always identified.
She continues: “Imagine having to implement a manual monitoring programme just to monitor the technology itself, to ensure that it does what it is supposed to. That completely defeats the object of a platform.”
Neil Goradia, Managing Director at Kroll’s data insights and forensics division, echoes the point around skill sets. “The alignment of appropriate stakeholders – compliance, technology, operations – with senior-management buy-in is key.
“Such functions need to work together as a team, striving for a common goal. And firms should remember that digitisation is a means to an end – it does not replace individuals’ responsibilities. Rather, it should complement and support them.”