This is a transcript of the podcast episode ComplyAdvantage’s Alia Mahmud on why compliance needs technology to scale between GRIP Senior Reporter Carmen Cracknell and Regulatory Affairs Practice Lead Alia Mahmud.
[INTRO]
Carmen Cracknell: So today I’m joined by Alia Mahmud. She’s a regulatory affairs practice lead at ComplyAdvantage, a leader in the regulatory tech space providing a range of services to help firms comply with sanctions, AML, CTF, and other regulations. She is a lawyer and qualified risk and compliance professional with over 12 years’ experience advising on legal risk, compliance and business governance for financial institutions and fintechs. She’s worked for major names in the industry including HSBC, Qatar National Bank and Revolut, among others. Very interesting to read over your state of financial crime report for this year so let’s delve straight into that. I’d be really interested to know what you have seen as the major changes over the past 12 months in comparison to your last report. You know it’s been nearly an exact year since the Ukraine invasion so how did your findings differ?
Alia Mahmud: So our findings really talk about how the industry and also compliance professionals within the industry have faced a lot of challenges and pains with the evolving sanctions regime, different sanctions requirements related to Ukraine and Russia and how different organizations in different geographical areas are responding to those sanctions threats and are then being agile enough to adapt their sanction screening processes and other transaction monitoring and customer screening processes to be able to identify not just sanctioned individuals but also close associates of those who are sanctioned or even sanctioned individuals that are beneficial owners of property or entities that that business is dealing with.
The rise and the kind of advancement of technology is something that we saw last year so the introduction of virtual assets, the kind of regulatory changes around virtual assets but what we’re now seeing is a greater need for organizations to have regulatory and industry body guidelines around that and it is something that governments and regulators are taking note of. So for example in the EU the European Union is going to pass a bill in May around the digital euro and they have expressly talked about the fact that for that digital euro to be legal tender there would need to be anti-money laundering and CTF (counter-terrorist financing) controls around that and how it operates but one of the main pain points that we did see in the survey that we issued and it went to 800 C-suite executives was that the biggest pain point is around cyber security and that makes absolute sense when you think about how open finance, open banking is evolving, the use of decentralized finance. It’s super critical with ransomware attacks and all these other kind of attacks on virtual assets that we saw with the use of DeadBolt last year that cyber security takes focus amongst organizations not only in terms of their own cyber security defences but also when you think of open banking and open finance it’s the sharing of customer personal data and financial data with multiple parties.
So you really need to be aware of well, who are you partnering with, what third party banks will have access to your customer’s information and actually what cyber security controls do they have on their end to keep your customer’s data secure and it was around I think 56% of respondents said cyber security was a pain point. Another area that was quite surprising was when we asked for the first time ever a very direct question whether decentralized finance is being used for extremist financing and 87% of respondents said that they have seen that happen and 31% said that that is going to increase significantly and those statistics are very scary because it’s recognizing the fact that not only terrorist but extremist organizations are going to exploit decentralized finance which actually offers us a lot of benefits and a lot of ease in our day-to-day kind of financial management and the way we manage our money to carry out their own criminal agendas.
Carmen Cracknell: Really interesting and so much there to expand on. How are companies handling this kind of the knowledge that they do need to ramp up things and that what I think quite a few of them quite a high percentage of respondents said they didn’t feel they were doing enough. Is it just a question of hiring more compliance professionals? What are companies actively doing?
Alia Mahmud: So 67% of our respondents did say that they’re looking to increase the hiring and their compliance functions and I think a lot of organizations are now recognizing the need for a strong compliance function but also the value that that adds within the organization when it comes to scaling and growing and also entering new markets because without that compliance function and the collaboration between your compliance professionals and your product, your data, your security teams, you’re never going to know for sure whether your procedures and your processes align to what the regulators expect but whether they’re actually effective enough to mitigate the risks that that company is being exposed to depending on what services they offer. So hiring is definitely going to boom going forward. We’ve already seen that in our global survey and in addition to that we’re seeing how the economic downturn is putting a lot of pressure on organizations because they don’t have a lot of liquid capital to spend to then hire talent. They need to offer competitive salaries in order to retain that talent so it’s not just about bringing in the right people with the right skill set. It’s about keeping them within that organization for the long term and things that organizations have been doing that I’ve seen and that they can do more of is being more creative and strategic with regards to how they go about recruiting. So for example, you know, a decade ago when I started off in compliance, the main skill sets you needed was that subject matter expertise and that technical knowledge about compliance but things have vastly changed even in myself like when I think back to where I started and where I am now, I’ve had to develop the ability to be agile, to be assertive, but also be collaborative and draw people in and have them, you know, follow that compliance agenda of wanting to create a strong compliance culture. 
But I also now need to have technical skills and analytical skills to deal with all of the data that is coming through that helps us identify and mitigate the risks that we’re facing and also know how to use all the regulatory technology that’s out there because you really need technology in order to scale and machine learning and artificial intelligence were concepts that were, you know, kind of a utopic vision, you know, a decade ago, which is now the reality. So in order to be creative and strategic, companies can look at a wider range of talent pools. It’s not just financial services that they necessarily need to look into. They can recruit talent from different backgrounds in different industries who can learn about the subject matter and build on that technical knowledge. They also need to have a really strong employee value proposition. What about that company makes it unique for a compliance person? It’s not necessarily going to be the fantastic products you offer or how many customers love you or how many customers you have. It’s going to be that compliance culture that you’ve built and embedded internally. So compliance people and professionals, they want to see that the company is not only doing the right thing, but they’re talking about doing the right thing and they want to do the right thing. And that’s how you draw people in. And then to retain them, you really need to have that competitive salary so that they want to join you, especially if you’re a fintech or a startup that’s just come into the market. The risk there is that, well, compliance people don’t know if it’s going to be a long time stint. Let’s be honest, not all startups make it. Some don’t. So again, you really need to be able to draw them in with that value proposition and a competitive salary.
Carmen Cracknell: Yeah. And I have heard people in the industry who’ve been around for longer than me talk about a real scarcity of talent. Do you think we’ll see a lot of people switching sort of more generalist lawyers and tech people to compliance because of this huge demand?
Alia Mahmud: Absolutely. Absolutely. You know, I’ll tell you a little personal story of mine. My parents, when they moved to the UK as immigrants, they were professionals. So my dad was an engineer and my mom’s a doctor. And when we were growing up, they kept telling us, you need to work in a profession which is always going to be there. There’s always going to be a job. And traditionally, that was accountants, lawyers, doctors, nurses, teachers. And I now tell them it’s actually compliance. It’s your engineers that are actually moving into compliance and your lawyers that are moving into the compliance field. So absolutely, I think looking at those talent pools is a great way to draw people in. But again, those individuals need to have the ability to be agile, to adapt to the evolving regulatory changes, to be able to take a process that works today and change it to work for the upcoming regulation for tomorrow and ensuring that that process is efficient and can be scaled. And then they do need those technical skills. They also need the ability to translate regulations into clear language for your product teams, for your engineers and techies to understand how to build that and translate that into real world products.
Carmen Cracknell: And is it, do you think, is it more tech or politics that’s kind of, let’s say, can’t find the word, driving this demand? Is it the pace of change in technology or is it all the political instability that we’re seeing? Is it a combination of both or is it something else?
Alia Mahmud: I’d say it’s a combination of both. I think from the political standpoint, that political conflicts, new sanctions being implemented, that all translates to new regulatory requirements and the evolving regulatory landscape. And it’s the same for technology. As technology advances in the payments and finance industry, not only will regulatory technology advance in order to help control those risks, but also regulations are going to start coming in to actually regulate the technology that’s being used to identify and mitigate all of these risks. So I feel like it’s a bit of both.
From our global survey, an interesting statistic, which actually surprised me, was we asked the C-suite executives what one area of compliance would be at risk during an audit. And 47% said it would be their knowledge of regulations and kind of their regulatory acumen. And I found that surprising because if you look at the vast array of regulations, aside from financial crime, you’re looking at things like data protection, consumer protection, how we treat vulnerable customers, all these other types of regulations that just add on top of your financial crime. And the more global you are as an organization, the more jurisdictions that you have to satisfy, the more regulators you need to keep comfortable.
Carmen Cracknell: Do you think the regulatory bodies, FINRA and the FCA, etc., they’re constantly publishing these huge, massive documents and I think people get lost in them. Do you think they could be simplifying it and sort of narrowing it down to make it just easier for people to, like you say, fill in those gaps that they have in their compliance knowledge?
Alia Mahmud: I think, especially in jurisdictions like Europe and the US, where you have federal and state regulations, it is really important that they align what they require in the different areas so that people can just, like you say, be able to translate those requirements into their actual policies and procedures. Europe are thinking about the single rule book, which actually would be fantastic because it’s an EU directive at the European Parliament level, which then countries have to transpose into local law. So why not just have a single rule book? And if you think about the impact that this will have or the benefits this will have in day-to-day life of compliance professionals, it means that their horizon scanning processes and regulatory mapping processes can be made a whole lot easier. It also removes the risk of actually not meeting a specific country’s requirements, which is all part of EU, or for example, not meeting a state’s requirements when you’re in the US.
Carmen Cracknell: And just like sticking on the topic of sort of the pace of change in tech, I was really interested to read in your report about the metaverse and financial crime. How do you think increasing use of the metaverse is going to impact compliance and regulation?
Alia Mahmud: I am so excited about the metaverse personally, and it’s inevitable that as more and more companies and individuals move into the metaverse, criminals are going to follow. Current statistics, current forecasts show that 25% of the population will be spending at least an hour in the metaverse every day in the next three years. So when I look at that figure in conjunction with the increase in revenue that e-commerce is expected to generate around the region of 8.1 trillion, and then what the UN have stated is the amount of money lost to financial crimes in the region of 5 trillion, that really worries me. Because although the metaverse is opening up opportunities for legitimate businesses in order to sell goods and services in this virtual world, it’s also allowing criminals to also permeate this virtual world to do exactly what they’re doing in the real world, but using virtual assets to launder funds, commit fraud, and do all other sorts of financial crimes. So for example, one of the typologies for laundering money is to buy really expensive real estate and have that money sit there for a bit before you layer and integrate it. They can do that with virtual real estate, and we’ve already seen virtual real estate being sold. Similarly, with high-end fashion and designer goods, virtual watches, virtual supercars, where are the lines? Where will it stop? It’s a world of opportunities for criminals.
Carmen Cracknell: Do you think the regulators are doing enough to kind of anticipate this and preempt what might happen?
Alia Mahmud: I think they’re doing the best that they can. The World Economic Forum is working with Interpol and other technology companies because they want to be ahead of the financial crime that they know is coming. But in addition to that, you hear the European Union talking about regulating or how virtual worlds would be regulated. But I think the traction will build and the push will come when we see central banks start to issue central bank digital currencies and then inject those into virtual worlds because then they’ll have their own kind of personal agenda to make sure that this is regulated. So essentially, virtual worlds need a regulatory regime for them, similar to how in the real world we have regulatory regimes. But it’s a question of when will that happen and will it happen quick enough to prevent an onset of financial crisis?
Carmen Cracknell: Yeah, I was going to ask about CBDCs. So we all know kind of the risks of crypto and the exchanges and all the stuff that’s happened recently, especially. What are the compliance risks with CBDCs? Are there any? How is that? How do you?
Alia Mahmud: They will be essentially the same as crypto assets, but without the high volatility because digital currencies will be pegged to the fiat currency. So we’re not going to see that much volatility when it comes to potential investment activities with these digital currencies. But the risks of digital currencies being misused by criminals, being, what would the word be? Well, criminals hacking or getting access to other people’s accounts, which has digital assets from central banks, those risks will be the same.
Carmen Cracknell: How can organizations stay compliant with the fintech and crypto spaces? Obviously, those are two quite different but converging industries with those constantly evolving and all these scandals coming up. Yeah, how can firms stay compliant?
Alia Mahmud: So the most important thing for firms to understand is what are those regulations? What is required from us and what changes are on the horizon? And they can respond to that by having really effective horizon scanning and regulatory mapping processes. Now, horizon scanning is essentially where you will scan global jurisdictions for changes to existing regulations and then upcoming laws. And regulatory mapping is where you’ll take specific requirements that apply to your business and map it back to your actual policy documents and procedural documents to make sure you’ve covered everything. And if done manually, it’s a really time consuming process. So I’d always recommend that where possible, organizations automate these processes, use technology to do so. Another way that organizations can respond specifically to the crypto space and kind of virtual assets is to re-look at how they do business wide risk assessments. Now, a business wide risk assessment is essentially done on an annual basis to meet the minimum standards required by regulators. And it’s where you look across your organization, at your customers, at your products. So over here, it would be like the crypto products that they’re offering, jurisdictions they operate in and the delivery channels they use. So for crypto, again, it’s like the blockchain decentralized finance methods and assess how many risks have arisen and what risks might arise. When you’re doing that on an annual basis, you’re always on a back foot because you’re reacting to risks that have already happened and have already arisen. So I think that needs to be more dynamic in nature as and when new jurisdictions are entered into, new products offered, new customer types onboarded. Companies need to re-look at their business wide risk assessments and on an ongoing basis keep updating it because that’s the only way they’re going to identify kind of risk hotspots for them. 
If it’s crypto, they’ll be able to see that it’s very specific and specific jurisdictions they’re seeing these risks come about. And then they can be very strategic in terms of how much compliance resources needed to mitigate that risk or again, what kind of technology would be needed to improve processes that might be not that efficient.
Carmen Cracknell: And what in your view are the main challenges of open banking and open finance?
Alia Mahmud: There are a few challenges of open banking and open finance. Top of the list for me would be data protection and cybersecurity. Because when you allow customers to open their financial world to you, you need to make sure that when you’re sharing that information with third parties and other banking partners, it’s secure. And it’s not secure from the basis of what that third party deems to be adequate, but that data is being protected and secure from what your standards are as a company. So performing effective third party due diligence is very important. Ensuring that the data privacy and the data protection procedures that are in place within your own organization and third parties that you work with are up to a very good standard. Checking security certificates that they have, ensuring that within apps or any other applications that are being used, there’s security protocols that have been built in. Another challenge with open banking and open finance is around the interoperability because you’re essentially sharing data with multiple parties, but that data needs to be in a standard format for those parties to use. And I mean, organizations are helped a lot by the regulations in the open finance and open banking space because they’re quite stringent in terms of requirements there. Another challenge is around consumer protection. So that’s something that we’re already seeing in the UK. The FCA is very much, you know, keyed in on with the consumer duty coming. And in addition to that, it’s how do you protect consumers who are using open banking and open finance from becoming victims of fraud or any other hacking attempts? And how do you keep them safe from financial crime whilst they’re using this?
Carmen Cracknell: Crowdfunding and extremism. Is that a new thing? Has it kind of boomed in the last year? And how can companies stay vigilant about that?
Alia Mahmud: It’s not a new thing, but I think it’s something that is now coming to the surface and there’s more visibility on how extremists can use crowdfunding platforms to not only promote propaganda, but also raise funds for extremist activities under the guise of legitimate projects and campaigns. So if you provide access to a bank account for someone, which is essentially what you get as a user when you sign up to a crowdfunding platform, you have access to funds that are being submitted by donors who you do not know who they are because you’re not screening those donors. So you don’t know if a donor is on a sanctions list, if they’re on a watch list or a terrorist list, as you would do a typical bank account that you open. Without those financial crime controls, crowdfunding is open to be exploited, but there are now regulations in that space and requirements around effective anti-money laundering controls, identification and verification of customers, for example. And there’s a whole lot of work that crowdfunding platform providers are doing, specifically in Europe, because of the advent of a new regulation in that space for crowdfunding service providers. And it seems like there is quite a lot of overhaul of AML regulations, especially coming up in Europe.
Carmen Cracknell: Do you think that is going to help combat this issue?
Alia Mahmud: It definitely will, because although you think companies should do it until you’re told to do it, you won’t do it. So having regulations actually arms compliance teams when they do suggest these types of financial crime controls to senior executives in the business. It’s, “Hey, we’re not telling you to do it. The regulator is telling us to do it.” And if it’s a new piece of regulation, it’s because regulators are identifying risks in that area. And there are risks that not only do you have a moral imperative to mitigate, but also you’ve got customers to protect in the process.
Carmen Cracknell: And environmental crime, that came up as well quite a bit as something that’s become more of an issue in the past year. Could you just talk a bit more about what that is and how firms can deal with it?
Alia Mahmud: Yeah. So wildlife trafficking, typologies around wildlife trafficking vary. Environmental crimes actually vary. So within environmental crimes, you have wildlife trafficking, you have illegal foresting, you have trafficking of endangered species. Those are financial crimes that we are losing a lot of revenue, but is generating a lot of revenue for criminals. And we’re seeing an increase in it, especially when it comes to companies being under pressure for ESG, environmental, social governance, responsibility, because it’s giving rise to a lot of carbon offsetting projects, other types of environmental projects. They’d even expand into the crowdfunding space where I could set up a project saying I’m going to plant trees in a rainforest. Who actually knows if I’m doing it? Who’s checking that these trees are actually being planted? So whilst the crime itself is continuing to happen and it will continue to happen, we’re also seeing other typologies crop up where actual really positive regulatory agendas such as ESG are being misused.
Carmen Cracknell: And on the topic of ESG, it certainly has its critics and a lot of people who say it’s not working, it’s greenwashing, and people saying that maybe the acronyms should be divided because these are three very different issues. What do you think about that?
Alia Mahmud: I agree. I think the governance is kind of the umbrella for everything. If you don’t have strong governance, it doesn’t matter how ethical you want to be, how good you want to be in terms of protecting the society and the environment. Without the governance, nothing’s going to happen. So I’d say governance is the overarching requirement and kind of the focal point and beneath that should come the E and S factors. For those who haven’t read our state of financial crime report, do give it a read because it has some really interesting statistics and also information in terms of what the year ahead is going to look like that can really help compliance professionals strategize their compliance program for the year.
Carmen Cracknell: Lastly, my final question, can regulation ever keep up with tech? That is a question that I keep wondering about.
Alia Mahmud: It is a great question. Personally, I don’t think it can. I don’t think it can because technology is just advancing at rocket speed. There’s not a lot of kind of red tape or governance you need to go through to get technology out there or come up with new payment methods. Whereas there’s a lot of politics around regulations. What kind of regulations should we put out there? How would that impact other countries’ regulations? How would that impact other regulatory regimes? There’s a lot of talk when it comes to change of regulations as there should be because they have such an impact. But I think regulators sometimes tend to see how the technology plays out, how it works, and they also need to understand it. Because again, we need to remember regulators are not tech experts. They’re experts in their own field and they also need to come to grasp with how technology is actually working in order to understand what are the risks in that technology and actually what are the requirements that organizations need to embed in order to mitigate those risks. And it would be quite reckless for it to be the other way around for regulators, for regulations to come out before the technology. Because until you know the technology, you can’t regulate it.
Carmen Cracknell: How much do you think the industry going forward will rely on AI and machines rather than humans and lawyers to do the work?
Alia Mahmud: For financial crime controls, AI machine learning are critical. They’re critical to automate very simple filtering processes and kind of triage processes. But when it comes to the actual investigations that go into, for example, investigating a suspicious activity alert or a screening alert that I don’t see AI doing, and I don’t even think regulators would want AI to do that because it has an impact on an actual individual at the end of the day, it’s a customer.
And we’ve actually seen machine learning kind of exclude certain groups of customers because of the way algorithms have been set up, specifically when it comes to customer screening and specific types of names, which always trigger alerts and those customers then end up being excluded from the financial sector. What I do think would help or not necessarily help, but what will never change is the need to have that human lens on a specific risk, on identifying what those risks are, and then putting in place processes and procedures. Now, some of those processes can be automated through machine learning and AI, but it’s never going to take you all the way. So I think lawyers and compliance professionals are safe.
Carmen Cracknell: They’re safe for now.
Alia Mahmud: Yeah, they’re safe.
Carmen Cracknell: Even 10, 20 years down the line, you don’t think that’ll change?
Alia Mahmud: I don’t think it’ll change. I believe certain functions like customer support can definitely be replaced by AI, such as like ChatGPT. If you ask it loads of questions, it comes out with great answers and you could actually train it.
Carmen Cracknell: Scary.
Alia Mahmud: Yeah, it is. It’s scary. And then other certain initial filtering triage processes that are just very manual and time consuming and are not worth the time of an analyst to do. Those will be taken over by machines and AI. And then again, when it comes to screening and improving the quality of your screening results to reduce that noise of false positives, that again is where machine learning and AI needs to step in to help organizations deal with the large volumes of alerts that they’re seeing so that they can actually focus on the risk and the suspicious activity as opposed to just going through a whole bunch of false positive alerts.
Carmen Cracknell: It was great to talk to you. Thank you for coming in and hopefully we’ll have you back on another occasion to talk more about things.
Alia Mahmud: Thank you for having me Carmen. This was fantastic.
Carmen Cracknell: Thank you.
Alia Mahmud: Thank you.