New Technologies: FATF Recommendation 15

As we work from home during the second Guernsey lockdown, many of us have been listening to webinars whilst typing away on our laptops. Occasionally, a topic captures the attention and the eyes shift from the screen as the words from the wise speaker resonate. Tuesday was one such day for me during the panel discussion at the AML & FinCrime Tech Forum hosted by RegTech Analyst and FinTech Global.

The comment – or rather a question – which helped me choose the subject for this blog was “can you explain to the regulator how your new tech works?” As the take-up of RegTech and FinTech increases at speed, this question highlights the need for the finance sector not only to embrace the new ways of working but to understand them too.

The FATF Recommendation which covers this topic is, of course, “Recommendation 15: New technologies”. It sets out the need for businesses to identify and assess the ML and FT risks that may arise with the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products. It also refers specifically to how countries should regulate virtual assets service providers for AML/CFT purposes.

The Interpretative Note concentrates on just this last aspect in some detail. The Guernsey National Risk Assessment 2019 (NRA), in paragraphs 3.81 to 3.86 for money laundering risks and 6.54 to 6.57 for terrorist financing risks, also focuses on this one aspect of the Recommendation by covering “transaction and exchange of virtual assets, initial coin offerings and e-money”. There is also a great deal of public discussion on the risks of virtual assets, including guidance from the FATF.

However, there is surprisingly little public commentary on the use of new technology by firms in the finance sector specifically referencing the Recommendation 15 requirements. Certainly there is nothing in the NRA about RegTech or FinTech and their risks when used by the finance industry. Perhaps this is because the requirements are a common-sense statement of what a firm should do when purchasing new technology for its own use? I think not.

The Recommendation requires financial institutions to undertake a risk assessment “prior to the launch of the new products, business practices or the use of new or developing technologies.” In November 2015, the GFSC added the Annex entitled “Using Technology for CDD Purposes”, introducing the concept of a “Technology Risk Evaluation”. A firm was required to identify and assess risks – and not just money laundering and financing of terrorism risks – when it utilised an electronic method or system in its due diligence process.

Whilst the 2019 Handbook does not replicate the need for an “evaluation” as such, it does, instead, require the business risk assessments to include an assessment of identified risks arising from the technology’s use or adoption. The Handbook also expands the type of technology that needs to be assessed but reduces the risks that must, as a minimum, be covered to those from money laundering and financing of terrorism.

What it does not do is repeat the useful observation which was included in its 2015 preamble to the introduction to the Annex. The GFSC said “Each annex encompasses new rules stipulating that a firm must understand this technology if it is to use it.” And this is the aspect the speaker on the panel sought to highlight. As with outsourcing, a firm must have the ability in-house to explain to the regulator what the new tech does, how it does it and how it complies with the regulatory requirements. 

Whilst a piece of tech cannot solve every problem faced by a firm, it does allow staff to concentrate on more complex and unusual issues whilst the tech deals with the mundane. However, to reap these benefits, a firm should ensure that it understands not only the tech’s risks but also its own risks and risk appetite, and that the tech can support that risk appetite. One such risk, which is obvious but may not be at the top of the list, is the red flags, as these will have been set by the provider of the tech. As they may not include the red flags that the firm has itself highlighted in its business risk assessments, they will need to be updated.

To benefit from the advancements in tech, lack of understanding should not be a barrier to its take-up. Nor should the regulator. In Guernsey, we are very lucky to have a regulator who is pro-active in contributing to this space and long may that last. But, for firms to fully appreciate how the compliance function can use the firm’s data and information to maximise productivity, a thorough understanding of the legal and regulatory obligations and how the tech works is an in-house must.

If anyone has any questions on a particular Recommendation or is looking for compliance support – please do get in touch.

In the meantime, keep well – keep safe.
