Francesco Fulcoli, now the chief compliance officer at the digital remittance service TransferGo, spent years working in the private banking industry in a compliance capacity. In this article he shares his experience and views with Compliance Matters.
Fulcoli has been based in London for a long time and remains there today during lockdown. The article is in the form of a question-and-answer session. In it, Fulcoli argues that compliance officers should be involved at every step of the product governance process, or the provision of a service. He extols the efficacy of the ‘three lines of defence,’ which compartmentalises organisations’ efforts between customer-facing people, compliance and risk management and audit. He indicates the right things to do when a governmental agency breathes down the neck of a financial institution to target a suspect. He also argues that HNW people are worried about their privacy in the face of know-your-customer controls and that the only way around this is through good customer relations.
Q: What are the main compliance-related challenges of private banking?
A: The private banking world has many compliance-related challenges. I personally believe that the most relevant one is the way in which private banks have structured the hierarchies in their compliance and AML departments that handle reporting and control. The policy of working behind a Chinese wall and not getting involved in the real life of the customer, or in products and operations, is not working any more. Compliance cannot be a hard stop or a bottleneck; compliance must have a liquid form that surrounds the product and the needs of the customer. Compliance must be involved in every step of the financial environment, end to end, to make sure that the right decision is made before the release of a product. Otherwise, the bank is likely to be sorry later on and have to do endless remediation work every time. Approval, escalation and hierarchy must be faster and more dynamic.
Q: What are the best ways in which private banks should cope with these challenges?
A: We should be honest and brave enough to change our approaches and modernise the compliance and AML environment – and not only in terms of technology but in terms of frameworks and people as well. We ought to streamline banks' hierarchies and processes and give more ownership and responsibility to people who actually have good ideas and want to go that extra mile to impose real changes rather than keep the status quo with people who dwell in the past and feel comfortable nowhere else.
Q: How do compliance officers make mistakes when trying to cope with these challenges?
A: Obviously it is not possible to make the right decision without knowing how the product works in reality. A compliance officer should not make decisions that he bases on his own knowledge of the regulations without knowing how the product in question is built and how the same regulations actually apply to it in real life. If the compliance officer is, instead, involved end-to-end in the building of the service or product, he ought to know what is best in terms of regulation and compliance simply because he knows the product. He will then know how best to protect the company and the client.
Q: How would you deal with the age-old problem of somebody at the top of the organisation asking you, as the compliance officer, to overlook something for the sake of a prize client?
A: This is one of the problems that actually do stem from the old-school structure that I have described above. In an ideal world, AML and compliance in general should be completely untied from any situation of this kind, but of course it can and does happen. Compliance and AML officers must treat all customers in the same way and whatever they decide must be accepted. At TransferGo we have implemented the "three lines of defence," so there is always an ops function and a control function. We work with a cross-functional model, so this is proof that actually this approach works.
Q: What do you think of the role of whistleblowing in compliance?
A: It is definitely something helpful and useful and I hope it will grow more important at all financial institutions, but unfortunately there is still little protection for those brave enough to blow the whistle.
Q: Are private banks constantly frustrated with the regulatory situation in countries from which their clients come?
A: Yes, 100%! In a modern and inter-connected world where people travel widely and are world citizens, it's very difficult. The financial environment should offer services to everyone, should be accessible by everyone without discrimination, easy to understand and multicultural. Coming from a difficult region doesn't make someone difficult, so the risk-based approach that we apply at the know-your-customer or KYC stage cannot be granted as a milestone for that particular customer. It must be something that changes according to the behaviour of the customer. Risks lie in the transactions as well as in the KYC process.
Q: At private banks, are the MLROs usually operating under the compliance directors, or is there some other structure?
A: It depends on how big the environment is and how the financial institution applies the three lines of defence. Personally I think that the AML and MLRO structure should be untied from everything else and have the right level of autonomy and control. Private banking often creates bottlenecks using micromanagement and sometimes it's difficult for the MLRO to have the freedom to do his job with ease. I have seen MLROs reporting to heads of legal! You can easily understand that this is something that cannot work! I would say that the best structure in the financial environment is to have a compliance officer and an AML officer, both with the right amounts of knowledge to build the technology that they need and not only to provide advice when required. In this modern world, we cannot pretend only to understand the regulatory rules without knowing how to apply them to the technology, to services and to products. To do otherwise is completely unacceptable.
Q: What are the main AML compliance challenges of payment systems such as SWIFT and others?
A: In an interconnected world where one HNW person might have homes all over the globe, the main challenge is how to control this flow and how to do live transaction monitoring. Not all the financial institutions today are able to perform a live TM because their systems are monolithic and obsolete and the volume is too high. This is the reason why I started to implement machine learning and AI in the transaction monitoring processes that we are using at TransferGo. The project I am working on with the blessing of the board aims to understand the real risks that pertain to this-or-that specific transaction and to predict what happens next from the behaviour of the customer. The real challenge is prevention.
We cannot pretend to assign a specific risk to a customer and review it only if there is a material change in the information of the customer himself, or during the post-transaction-monitoring stage – at that point it is already too late. With this approach we will be able to stop the transaction upfront and change the risk profile of the customer dynamically and in accordance with his behaviour. This will give us control of the full flow of information and will tell us when something risky is happening – either in real time or near enough.
Q: If the National Crime Agency or Federal Bureau of Investigation or somebody else of that stripe comes to you (without a court order) and says "this man is dirty, keep an eye on him," are you obliged to do that?
A: We always co-operate with law enforcement and, thank God, they help us. Obviously without a deferred prosecution agreement (DPA) or production order, we don't share any information related to our customer, but if somehow we acquire information regarding a specific entity or person that requires our attention, it is our duty to keep an eye on it/him while avoiding any kind of tipping off.
Q: Does that happen often?
A: Luckily not often, but after a request from the law enforcers we always place the account under monitoring.
Q: What recent problems have you noticed banks (or your organisation) having with the USA PATRIOT Act?
A: Definitely it was a good decision at that time after 9/11, even if many think that it violated the constitution, but after 20 years it is time to do more and modernise the US Government's approach. The world is evolving and so the legislation should do the same. It should take account of how crime has changed over the years.
Q: What do you think of the new Anti-Money-Laundering Act which Trump vetoed but Congress then un-vetoed?
A: I think that it will come in anyway with Biden. The Congress decided only that the new administration should approve new measures, but we all definitely hope to see something new there very soon to supplement the USA PATRIOT Act – and not only the part proposed by Trump.
Q: What are the latest KYC-related 'giveaways' that have surfaced in the last year or two that suggest that people are dodgy?
A: The KYC process can hardly tell if someone is dodgy. This is why we are working with AI and machine learning to assess the risks inherent in behaviour as well. KYC is a good starting point if you want to assess the overall risk and calibrate your bank's risk appetite, but it will never tell you with 100% security that a specific person is a real fraudster or whether it's just a feeling. It's his behaviour that gives you reasonable grounds and material proof that something dodgy is happening. TransferGo is moving in that direction, with very good results I have to say. Obviously on the KYB (know-your-business) side it's a bit different. Despite the fact that we apply the same technology, it's easier to spot a clearly dodgy situation upfront with shared addresses, shell companies, not clear core business and so on.
Q: What is your trickiest KYC-related problem at the moment and why?
A: I think HNW people are very worried about their privacy and if they don't fully trust your brand or product, they are hardly keen to share information, regardless of the level of protection that you can give them. Despite having the best product and the best level of protection, they always believe that someone may steal their data somehow and sometimes they just prefer to not actually use the product rather than to give you an ID, for example. The best way to solve this issue, I have to say, is through customer support. The bank's agents must make the client comfortable and help him to realise that he is actually in good hands.
Q: How can cloud computing help KYC?
A: The easiest way would be to have an electronic ID that can be used by all the financial institutions around the world, so that the customer can verify himself once and use the same key to access many services without providing the same information or passport every time. The industry is moving in that direction but it is very hard without involvement from the governments. I think that in the next five years some good solutions will come out – here at TransferGo we have already tested something similar but we need to do further research.
* Francesco Fulcoli can be reached at email@example.com