Banks and other financial services have been buckling under the increasing compliance burden for years. But now there is a genius automated system that helps keep them whiter than white. Aqubix Director Kristoff Zammit Ciantar explains.
The best inventions are always deceptively simple; the ones that have everyone muttering ‘why didn’t I think of that?’ under their breath.
Aqubix’s KYC Portal (KYCP) is one such – and it’s riding the crest of a wave as a result. This automated compliance monitoring and anti-money laundering (AML) service was launched last November to a rapturous reception from both overworked compliance officers and institutions buckling under the strain of the cost and risk associated with ever-changing regulatory requirements; regulations that they’re finding it increasingly hard to keep pace with.
There have been some high-profile cases recently that have highlighted the flaws and vulnerability in complex manual compliance processes, including Deutsche Bank’s $630 million anti-money laundering fine and HSBC’s Moroccan drug lords scandal.
As the challenges around AML increase, PricewaterhouseCoopers has predicted that the global cost of complying will shoot to more than $8 billion this year.
“The biggest challenge at the moment across not just the financial industry, but any organisation that has to conduct compliance and anti-money-laundering (AML) due diligence, is ever-increasing regulation,” says Aqubix director, Kristoff Zammit Ciantar. “I read some research recently that suggested the work companies have to do to keep in line with regulatory requirements is increasing by 18 per cent every year. And at the moment, the processes for all this work are manual, done by human beings.
“Companies have to have compliance officers to process all the applications, all the forms and all the documents, and assess risk. This means the process also depends on the human bias of the compliance officer him or herself – resulting in instances of money laundering not being spotted.”
According to Zammit Ciantar, the majority of fines are as a result of organisations failing to identify suspicious behaviour and act on it in time. And the biggest risk of all is existing customer monitoring.
“When we asked companies at Finovate 2017 – including big-name banks from the Netherlands, UK and US – if they are compliant in terms of past vetted subjects, the answer was a resounding ‘no’,” says Zammit Ciantar. “This is clearly a major industry issue. Organisations are so focussed on meeting increasing requirements surrounding the onboarding of new customers that legacy risk issues are on the back burner.
“Yet regulations state that companies have to ensure all the past vetted subjects sitting in their database remain constantly compliant. They have to do ongoing reviews to ensure there are no expired documents and undertake constant screening checks. Yet almost no one that we’ve met so far is compliant on that, because the reality is it’s impossible to keep up with the past vetted subjects as well as onboarding new customers.”
Entering the time warp
The revised Payment Services Directive (PSD2) and ever-more-stringent General Data Protection Regulation (GDPR) are placing additional pressure on already strung-out compliance teams, too.
The more regulators try to standardise processes like these, the more work it creates for compliance officers. Without an automated system to fall back on, the only way they can keep pace is to throw in more resources, but this in turn adds to the potential for error and fraud.
“For example, a friend of mine is the chief financial officer of a hotel business, and even hotels have to conduct compliance. He told me about someone from one of the big banks calling to ask about a transaction that took place in 2013, two years after the event,” continues Zammit Ciantar.
“He couldn’t believe it. This kind of thing happens not because banks’ systems are slow, but because when they identify a possible anomaly a team then needs to work on it. But they are so focussed on onboarding new clients, they can’t get to it quickly enough. This is a typical example of why companies are being fined.”
This is where Zammit Ciantar believes the Aqubix system can help.
“When we created it, we analysed the requirements of banks, and one of the biggest challenges was that, even across the same industry, each organisation operates according to its own risk appetite, and regulations are open to a degree of interpretation,” says Zammit Ciantar.
“For example, without naming names, it has become almost impossible to open a bank account with one of the biggest banks because they ask you for everything and will reject you if your application shows even the slightest element of risk. But then if you go to one of the smaller banks with a higher risk appetite, you’ll open an account easier and faster.
“This meant that one of our biggest challenges was to create a system that allows the client to configure it to their own jurisdiction and unique risk appetite.”
Paradoxically, it is difficult to achieve a harmonious approach when regulations prohibit organisations from sharing customer information. KYCP has to work within these complex layers, to enable banks to both ensure compliance and understand their customers better.
“I think that’s one of the bestselling features of our product. The system is firstly configured by each client to reflect all the regulations they want to handle, both at jurisdiction level, industry level and in keeping with their internal risk appetite. They can then tweak this information as regulations change and new ones emerge,” says Zammit Ciantar.
Back to the future
By far the Aqubix programme’s biggest selling point, though, is the ability to look backwards as well as forwards, dramatically reducing firms’ risk of exposure.
“Our system automatically goes through all of a company’s past vetted subjects and updates the risk assessment for each subject, based on the latest regulation – something which is virtually impossible to do manually,” explains Zammit Ciantar.
“And if re-screening someone against the updated regulations results in them going from, say, green to amber, the system will flag this up as something the physical team needs to act on straightaway.”
So how does this highly sophisticated tool score an individual’s risk level?
“The system comes as a shell. There is no scoring in it, there are no predefined rules. We built it this way so that we could tailor it across different industries and because we understood that firms work very differently from each other, even within the letter of the regulation.
“We created what we’re calling a risk scoring engine, which allows the client to input all the risk they currently check for. It then scores customers against an automated version of the risk registers currently used in organisations. Risk registers are the constantly updated checklists, usually in printed format, like Excel, that are used by most compliance officers to vet customer applications. They use these to check which boxes a person ticked in their application and come up with a score.
“Our system allows any client to input that risk register using our scoring engine, and then automatically calculates the level of risk, across all the subjects – new and past – instantly.”
As well as helping to protect banks from risk, it saves them a mind-boggling amount of time.
“Recently, I was approached by a representative of a major bank, who asked me how much time it could save her compliance team. I asked her how many of the cases her compliance team currently look at are green, and her answer was 60 per cent. So, my answer to her was ‘that’s 60 per cent automatically saved by the system, because once you input the risk register, populating its fields as you go along, it automatically highlights these as green – things you don’t even need to look at’.
“So, as well as relieving the workload of the compliance team, our system enables them to focus more on the ones that are a problem, rather than the ones who are green.”
Aqubix already has an impressive list of takers of its technology across sectors including banking, insurance, gaming, law and even real estate. Initial installation takes around two weeks, followed by an extended period of between two and three months to upload a company’s information.
“We start by sending new customers a list of all the things they need to collect together. This is a lengthy process because most of their existing information will be on Excel spreadsheets, or printed forms. Some data will be sitting in document management systems,” explains Zammit Ciantar.
“We then show them how it all needs to be inputted and configured. This process, if a company puts someone full-time on it, inputting eight hours a day, will take a maximum of two weeks. Most companies can only give it a few hours a week and so it typically takes longer. However, they’re taking advantage of this analysis period to fix any existing gaps and make sure they are catering for all regulatory requirements, so that when they input their information into KYCP, it’s all sorted once and for all.
“It’s therefore a relatively small amount of short term pain, for huge longer term gain.”
Astounded by the level of interest the product is attracting, Malta-based Aqubix is starting to roll it out, faster than planned, to other EU countries this year… to the sound of a million sighs of relief from compliance officers everywhere.