Written by International Compliance Association on Thursday May 27, 2021
The 2021 edition of the BIG Compliance Festival, the biggest event for compliance professionals globally, attracted over 650 participants from 82 countries worldwide. Attendees enjoyed an array of insightful presentations on a variety of topics. Below we present a summary of some of the event’s highlights and key takeaways from the discussions that took place.
John Flint, former Group Chief Executive, HSBC, delivered the keynote address on day one, challenging attendees to think about how they can maintain the relevance of the compliance function in today’s rapidly changing world. He described the evolution of compliance in two stages. For the first 20 years of his career all large organisations had a compliance function, but compliance was modestly resourced; it didn’t have a seat at the table and was an advisory function with “no teeth”. Over the last ten years that has changed, the first catalyst being the tragic events of September 11. Flint said he believed the world of financial crime risk compliance today has its roots in the work that was done in the US post 9/11, with the US setting the agenda, and the rest of the world catching up. The second catalyst was the global financial crisis of 2008 which reshaped the world of prudential compliance and launched the world of conduct risk compliance.
Three more catalysts for change that are coming up include the transition from an old industrial analogue economy into a new digital economy; ongoing tensions between the two economies and the transition to a low carbon future. He advised compliance leaders to learn from the past but also find the confidence to look into the future. ‘Always try to create the link between the rules and the human impact. As soon as you can do so, you can engage with people’s heads and hearts. Use stories to try to illustrate what you do and to elevate the message,’ he concluded.
Day one of the festival continued with an engaging session on Artificial Intelligence (AI) and ethics led by Janet Adams, Chief Operating Officer, SingularityNET. Many commentators are predicting that we are on the brink of a convergence of major super-technologies. But what is different about this industrial revolution is that all these technological advances are converging at an unprecedented pace. The two supertechnology trends driving this advancement are AI and blockchain/cryptocurrenecies, according to Adams.
The cryptocurrency market has expanded to over $2 trillion this year from $380 billion coming into 2021. There has been a massive increase in individual and institutional investment into crypto. The time is now for compliance professionals to enhance their knowledge and skills in the digital currencies space, said Adams. ‘How can a firm or senior manager be accountable for something that they can’t explain? Explainability and accountability are inextricably [connected],’ she concluded.
It has been argued that “data is the new oil” and the potential for harnessing data in the fight against financial crime is increasingly well understood. However, a recent poll by consulting firm McKinsey&Co. found that fewer than 50% of those polled had a data strategy in place. So, why have a data strategy, Patrick Lord, Commercial Director, Diligencia, and one of the panellists on the third session of the day. The huge availability of data represents an astonishing opportunity for organisations today, especially when you combine it with the technology and AI. It is therefore perhaps surprising that many organisations regard data as a liability. Developing a data strategy will empower organisations to change that, take control of their data and make it work for them as an organisation.
Another panellist Araliya Sammé, Head of Financial Crime, Featurespace, raised the importance of collaboration and the need to establish the question that organisations are seeking to solve. ‘There is almost a pressure and expectation to start utilising data immediately. A data strategy is about how to scope that data and then utilise it,’ added Luma Zitani FICA, Senior Manager, Accenture, and a member of the panel. Sammé went on to highlight the importance of understanding the data: ‘Where there is a data dictionary, and teams have worked with data owners that can make a huge difference on your timelines to get the benefits that you are looking for.’
The current speed of technological change is challenging the ability of both regulators and businesses to keep pace with emerging risks associated with the use (and abuse) of new innovations. In the last session of the day, Christian Broere, Sales Director, EMEA, Wolters Kluwer; Alecia Edwards-Graham, MICA, Group Manager, Risk and Compliance Proven Management Limited; Steve Strickland, FICA, Regional Head, FC operations and Intelligence, Deutsche Bank; Peter Smith, Head of Policy and Strategy, DFSA; and Maria Lukashova, FICA, Controls and Compliance Lead, MS UK, Microsoft, discussed the practical compliance implications of implementing new technologies, platforms and products, and the challenges of managing technological risk.
A poll addressed to the festival audience asked participants to share what they are most concerned about falling behind in. More than (57%) said understanding the technology is their top concern, while a third (32%) said they are most concerned with the criminals (fraudsters and cyber criminals). 9% of respondents said they were most concerned about understanding their own business, and just 2% were worried about new entrants.
Smith remarked: ‘We are living in a digital age where advances in technology are reported as almost a daily occurrence. Yet many of us work in organisations where the deployment of new systems and technology is often implemented via ‘multi-year’ programmes.’
To be able to manage risk within the business and stay ahead on the evolution of technology, Lukashova said compliance professionals must:
Neil Isherwood, Risk and Compliance Specialist, Dunn & Bradstreet, discussed emerging trends in CDD like perpetual KYC and people and network resolution. For most institutions periodic reviews can be a laborious process – the time taken to keep reviewing the higher risk clients means that things start to back up. The problem with periodic reviews, however, is that it both “overdoes it and underdoes it”. According to Isherwood, perpetual KYC takes a different approach. The main outcomes of this approach being that you are “right-sizing” your programme and you can spend the most time on the cases that change and have most risk. Secondly, and most importantly, there are advantages to having data feeds alerting you. Otherwise, a client centric periodic review can miss some issues coming in. ‘If we want high levels of automation then effectively the policy needs to be digitised into a work system or layer. Barriers to [perpetual KYC] can be around beneficial ownership, but there are innovations in this area that can be used. Think about how this can be monitored right at the start and rethink parts that are overly manual,’ he advised.
Panelists at this session included:
Brommer kicked off the session by highlighting the challenges related to outsourcing. Businesses are increasingly moving certain services outside of their organisation with a view to better manage their expenses, but it’s important to note that this comes with a number of risks. When either outsourcing or offshoring to a subsidiary, Brommer said he prefers to engage as early as possible with the relevant risk stewards.
Grech shared her experience form the gaming industry, where she said most outsourcing functions are permissible, in some functions they are not. Companies in the gaming sector are required to have a rigorous process in place. The responsibility still lies with the operator, which means they ned to make sure that the outsourcing partner they are choosing is a reputable one.
Gupta raised the question of data quality and sharing regulations which can vary significantly from jurisdiction to jurisdiction. He gave Turkey as an example of a jurisdiction where rules can be quite restrictive. When a company is outsourcing or offshoring certain functions, compliance officers need to retain strong oversight of the activities and what is being outsourced.
Panellists at this session included:
Thematic sanctions are designed to target individuals and entities. They are a lot less cumbersome than the country sanctions that we have traditionally seen so regulators [can apply them more quickly]. It requires organisations to have really robust upstream risk control processes. As sanctions evolve the onus is on compliance professionals to educate their organisations, so that they can effectively adopt a risk-based approach, Purdie said.
Duchiron’s remarks echoed the sentiment. At UK Finance, we are encouraging and promoting training wherever possible, to promote the importance of having a culture of training within organisations, and sharing of good practice between banks. There is a gap of knowledge between government and how compliance in financial institutions actually works, as well as how implementing sanctions affects financial services, she concluded.
Bill Browder, founder & CEO, Hermitage Capital Management, provided some fascinating insights into the world famous Magnitsky case:
‘I was really irritated at the amount of money that was being stolen from the companies that I was investing in. We were airing the dirty laundry of oligarchs. They expelled me from the country.
‘Sergei Magnitsky discovered that when our documents had been seized by the police (including stamps, seals and certificates for our holding companies) they were handed to a group of criminals who re-registered our companies through ID theft and went to the tax authorities with those stolen companies and applied for a $230 million illegal tax refund which was approved and paid out the next day with no questions asked. This was the largest tax refund in the history of Russia. We thought this must be a rogue operation because Putin surely couldn’t have authorised his officials to steal money from his own government.
‘Sergei Magnitsky was killed in 2009. I made a vow to him, his family, and myself that I would use all the time, resources, and energy I have to go after the people who killed him and achieve justice.
‘Since then 31 countries have passed a Magnitsky Act. We are well on our way to having a global Magnitsky Act.
‘I’m not a human rights activist. I’m not a lawyer. I’m a hedge fund manager. I worked in the world of money and I understood how valuable money was to the bad guys; that they are willing to do anything for their money.
‘What can a compliance officer do? Kick out these bad clients before they are exposed.’
Panellists at this session included:
Terrorism and terrorist financing risks have evolved over the last years, although risk per se is difficult to quantify. In the last five years there have certainly been a decline in terrorist deaths, but if you had to focus on risk, it looms large over all of us, said Sane.
Institutions can often mix up AML and CFT without understanding the finer difference. A terrorist financier can be completely innocent, with no knowledge that the money he/she is donating is going to a terrorist organisation. You require totally different skillsets to combat TF and ML.
‘[To increase CFT awareness across organisations, we] need first to ensure that the ATF squads in the organisation operate in a sterile environment and do not mix up with other functions. Secondly, they need to have regular interaction with law enforcement authorities and keep fully abreast of typologies. There then needs to be a structured proactive engagement between these units and the first line of defence in banks. The knowledge transfer from these squads to the 1LOD at regular intervals is key,’ Sane remarked.
Faudemer added to this: ‘For the larger organisations like banks you can afford the luxury of a terrorism squad. For the smaller institutions it is very challenging. I have noticed an increase in the amount of publicly available info that you can tap into to improve your knowledge. I reinforce Nitin’s comment about engagement with law enforcement.
‘It is so important to have someone in your organisation that lives and breathes this subject, and keeps on top of it. And you need to give them time to upskill and develop their knowledge.’
Dearnley started her presentation by highlighting that the world is not currently winning in the fight against human trafficking because the risk to the trafficker is too low. Business has the power to change this faster than anything else in the world. It’s also important to inoculate our communities so that human traffickers cannot operate, she said.
McGrath added: ‘There is a need for a new understanding of how trafficking interacts with business and society. We need financial institutions to share the results of their investigative activities, when it’s safe to do so. We need to understand the patterns.
‘There are vulnerable people across the world who are subject to trafficking for all kinds of exploitation. You need to go on a journey to learn more about how the issue of trafficking and exploitation actually interacts with your sector, where you need to look more closely, and what sort of patterns you need to look for in transactions.’
The topic of cybersecurity is becoming increasingly relevant to compliance professionals. To provide more insight into the geopolitics of cybersecurity Misha Glenny, Journalist, delivered a presentation in the last session for the day. ‘On one level cybersecurity is about technology, but above all else, cybersecurity is about people,’ he said. ‘From the very beginning the free market and capitalism in Europe was entwined with organised crime. To this day 85% of company breaches are the result of successful phishing attacks. That’s why communication within companies is so important.’ he added.
According to Glenny, to ordinary people most [cybersecurity related] concepts are entirely meaningless. Until you get ordinary people understanding what their role is in a well-designed digital hygiene strategy in a company, cybersecurity breaches gaps in knowledge and compliance will persist. Above all, boards need to start listening to enable further progress on cybersecurity, she concluded.
Hayley Barnard, Managing Director, MIX Diversity Developers, discussed the role of diversity and inclusion in addressing unconscious bias in compliance. ‘There is a real value in diversity of thought and perspective. If we can build inclusion, we can take our individual differences and help that drive excellence in compliance’, Barnard said. Companies that improve their inclusion see greater engagement, better retention, and happier staff.
Addressing unconscious bias requires two approaches: personal actions, and team and organisational actions. It is so important in compliance to get a handle on groupthink. To do so Barnard suggested taking turns to lead the meeting to [counter] leadership bias. Listening is hugely important – ‘We should all seek to be interested before being interesting.’
Paul Eccleson, Governance Risk and Compliance Consultant, Gail Bragg Consulting, discussed the challenges arising from the pandemic on compliance over the last 15 months. ‘To get the speed back into the business, companies have had to remove the normal checks and balances that would have slowed things down. For example, the application for Bounceback (BBL) loan scheme is very superficial. There are no checks, balances, or audit. The impact of that, the government is estimating, is that there will be a minimum of £16 billion of fraud associated with that scheme. This is a direct consequence of not doing due diligence in the way that you normally would,’ Eccleson said.
Working from home as a result of the pandemic has led to about 65-70% of noticed rule breaches going unreported. The reason employees most often do not intervene is that they think someone else will. If something wrong has happened to a customer or in the supply chain and you feel psychologically distant from that, you are less likely to do anything, Eccleson said.
Having the right organizational culture is important. Contrary to what many believe, what sets the cultural tone is the local team that they feel they have an affinity with, and the leader of that team. ‘It doesn’t matter what it says in your compliance policy, if your first line team does not have a leader that buys into that then it doesn’t matter. So, focus on those first line team leaders. Get the message out to them,’ Eccleson said.
Panellists at this session included:
Courage and empathy are key skills for the modern compliance professional which can help them do their job better, panellists agreed. ‘It’s about listening to our people and customers, making bold decisions, and building ethical organisations. Now more than ever before, as leaders we need to be empathetic and to listen,’ said Asare-Archer.
Muir agreed: ‘As a woman who has grown up in financial services, being courageous and empathetic has been part of the journey, to ensure that our voices are heard. Courage is important when it comes to leadership. When growing an organisation, we have had to have tough conversations, particularly as a values-led organisation.’
At the onset of the coronavirus pandemic, leaders were challenged to address challenges related to their business and employees that they’d never anticipated before. ‘Leaders either step forward or step back. I made a conscious decision to step forward. I started to ask my colleagues how they feel. I personally was able to develop skills I didn’t know existed in me,’ Asare-Archer said.
Van den Berg added: ‘One beautiful thing to come out of the pandemic is that we have broken down barriers and become human to each other. Acknowledging your weaknesses is your biggest strength. People around you want to see that you are relatable and that you are facing your own struggles.
‘Not everybody is going to come back the same way you left them. The biggest thing is that we don’t just rush back in and start doing things the way we used to.’
Speaker: Chris Hill, Financial Crime Director and MLRO, Tesco
There is an increasing focus on an outcomes-based approach (OBA) in the UK, which Hill said he believes will follow in other jurisdictions. However, there is as yet no clarity about an OBA, how to implement it, and how it will be regulated.
‘It is important as practitioners that we align our approach with the thinking of the regulators,’ he said.
So, what do we mean by an OBA?
The best way to understand this is to look at the way regulation typically evolves. It normally starts with a rules-based approach – effectively a prescriptive tick box approach. Over time it evolves into a principles-based model. Finally, it moves into an outcomes-based approach. This is basically saying: “Have you defined appropriate outcomes for your FC controls? Is it achieving the outcome that the regulator would expect?”
Why adopt an OBA?
There are real benefits for regulators, the industry and society from moving to an OBA. OBA could either make FC compliance simpler to operate, more effective, or give firms a new defence against non-compliance. If not done properly it could introduce new levels of complexity.
Panellists at this session included:
Key session takeaways:
‘There is a real focus on reporting. In order for us to have credibility and have capital in this space, it has to be controls driven. We need the reporting and claims to be accurate and valid. Controls with purpose as the underlying driver,’
Beth Haddock, Managing Partner, Warburton Advisers
‘Controls are really important, but it is really important that the company has a clear purpose, that is clearly connected to the company’s strategy. But purpose is not enough. It needs to have controls and reporting requirements.’
Pam Shearing, Managing Partner, Fulcrum
‘Business is now seeing a focus on people, planet and profit. Any commercial enterprise is now focused on sustainability. Setting out the policy around ESG is one strategy to achieve that. What is your policy around sustainable investing? How is that implemented in practice?’
Leonie Kelly, Director, Head of ESG and Impact Advisory, Ogier
‘We need to understand what are the kinds of investments that are needed and how can the organisation play a role. It’s about repositioning the organisation in terms of the contributions you can make.
‘Understand your future customers and what their concerns are around sustainability. Understand the reputational impacts of responding well or not responding well in this space. More and more questions are going to be asked not only by investors but by the public.’
Justin Smith, Head of Business Development Unit, WWF South Africa
Key session takeaways:
‘The concept has been around for a very long time as best business practice for coordinating risk management in the organisation. Given the theoretical simplicity, why does it get such a lukewarm response from risk practitioners? Rather than supporting the right risk culture, does the 3LOD actually get in the way?
‘I don’t think the model is something that non-risk and compliance people can [get a handle on]. I’ve been in so many meetings in which there are arguments about whether the second line should pay for a system that monitors the risks that the first line are facing. For me, the question is, does having a 3LOD really help firms to manage risk better than not having it, or having something different?’
Donna Turner, MICA Senior Consultant, Risk Shapes
‘Siloes is where we see problems. The overall objective of the organisation is to provide the right controls to manage risk properly. I see a lot of organisations putting responsibility back to the front line and ensuring a culture of risk awareness. How do you get better collaboration? Organisations look to technology to help facilitate it.’
Robert Luu, Director, Solution Strategy and Customer Success, Galvanize
‘[Think about] the three “E’s” – Education, Empowerment, and Enablement. People must understand WHY you want them to do this. It is not just to be audit ready or to be compliant and keep regulators happy. It’s to understand why you are in the field you are in to play (i.e., the impact of financial crime). If they understand the “why” and you enable them through the proper design and controls, you have empowered them to be the first line.’
Catherine Vaughan, FICA, Partner, Financial Crime Leader, EY
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.
Help and support
Alternatively contact us on: +44(0)121 362 7534 / email@example.com (Course information)
or +44(0)121 362 7533 / firstname.lastname@example.org (Enrolled learners)
or +44(0)121 362 7747 / email@example.com (Membership)
or +44 (0) 121 362 7503 / firstname.lastname@example.org (End Point Assessment)