Speed read: 2020 has barely started, and it is already proving to be the year of RegTech as Regulatory bodies increase their push for comprehensive technology solutions to Anti-Money Laundering and Counter Terrorist Financing. The 5th Anti-Money Laundering and Counter Terrorist Financing Directive (AMLD) heightened the responsibility for reporting and preventing AML and CTF, as well as escalating the penalties for failing to meet the new criteria. The new demands require vigilance, transparency, open communication and strict data protection. The UK’s answer to the Directive, HM Treasury’s Transposition of the Fifth Money Laundering Directive Consultation Paper, demands more from UK financial institutions. Obliged entities must incorporate and invest in RegTech that goes beyond the necessary levels of KYC and CDD that worked in the past.
The 5AMLD’s approach to RegTech
The 5th Directive bolstered requirements such as Enhanced Customer Due Diligence (ECDD) and data sharing across the Member States to assist with investigations. However, these changes are impossible without significant developments in the way regulatory information is processed, investigated, shared and stored. Obliged entities may struggle to have the technological framework to facilitate the standards enforced. Many bodies have a diverse range of technology in use but might not seamlessly communicate or work with other bodies within the United Kingdom and abroad. The Institute of International Finance stated,
“the requirements imposed on FI’s IT infrastructures are not necessarily consistent or compatible across regulations. Definitions, granularity requirements, formats, and the like vary from regulation to regulation, even within the same jurisdiction.”
The Directive, however, demands “unfettered access to information” especially between obliged entities and their regulators and encourages data sharing between financial institutions. The Directive makes mention of a centralised, automated mechanism, which would provide a challenge to financial institutions already struggling to find secure ways to handle their customer’s data.
The FCA’s reaction to RegTech
As a regulator, the FCA appears ready for the new wave of technology and has spent the last few years supporting new advancements. The FCA is leading by example by piloting their Digital Regulatory Reporting (DRR) which recently provided feedback on its second phase of the programme. Successful implementation of the DRR would digitalise and streamline the regulatory reporting process. Moreover, it has partnered with international regulatory bodies to create Global Financial Innovation Network and supported RegTech start-ups through its TechSprints and Sandboxes. The FCA’s commitment is positive for RegTech’s next wave, 3.0, as a forward-thinking regulatory body is what it needs to continue to grow. It also sends a strong message to obliged entities in the UK that a failure to not incorporating RegTech into their AML and CTF is not only out of touch but also a potential liability.
Fortunately, much of the technology needed to bring obliged entities into focus are currently available. Start-ups such as ClauseMatch, a product of Barclays Bank PLC and Techstar’s Accelerator program, have emerged to assist financial institutions with meeting their regulatory requirements. Reportedly, Airbnb has obtained a patent for a technology that screens the online profiles of users to determine who is desirable or involved in illegal activity (after acquiring start-up Trooly in 2017 which focused on this exact concept). The use of such technology through Airbnb, and the UK start-up Onifdo, show how easy KYC and customer onboarding could with the help of AI, biometrics and adverse media searching. Under the 4th Money Laundering Directive, KYCC was brought into the forefront and strengthened by the transparency offered through blockchain transactions. Machine learning could clear up some of the false reports for Suspicious Activity Reporting. Down the line, digital identities will become a mainstay in the financial and regulatory sectors, due to their ability to protect data by keeping confidential information out of a centralised storage database. However, the jump to digital identities would require a full clearance over current data protection regulations, which the Directive itself is unclear on how it will manage. While there is mention of using personal data and information in the 5AMLD it is limited at this stage to ‘the minimum data necessary for the carrying out of AML/CFT investigations should be held in centralised, automated mechanisms for bank and payment accounts, such as registers or data retrieval systems.’ The Directive then leaves the implementation of what data is needed and how long retrieval would last, open for the Member States to implement. RegTech is a viable option to enforce and organise GDPR compliance but still must develop around the regulations within it.
The Impact on Smaller Obliged Entities
For smaller organisations, the rush to incorporate RegTech might not seem possible due to the cost of technology. However, with large institutions investing in the technology, large firms such as KPMG suspect the cost of the technology will reduce over time. Further, with the FCA’s Sandboxes and other start-up havens offering support to start-ups, the savings incurred by the firms might trickle down to consumers. Finally, as argued by Patrick Conroy in the Financial Times Advisor, the overall savings to small businesses both in fines to regulators and reputational damage might be worth the costs of the technology. RegTech such as would help small operations by enabling them to meet regulatory requirements in less time and with far less risk.
The technology is there for the implementation and Regulators, and legislative bodies have taken notice. The EU Parliament, in its 6th Directive, expressly mentioned the importance of having technology in place to meet the threshold for AML and CTF compliance. While the use of RegTech for AML and CTF procedures has not been made mandatory, the 5AMLD does not shy away from giving examples on implementation. Specifically, when it comes to customer onboarding, the 5AMLD amended Article 13 and in Article 1 mentions obtaining CDD “identifying the customer and verifying the customer’s identity based on documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means.” Expecting obliged entities, especially larger operations, to use electronic ID for CDD is not an unrealistic expectation, as the digital bank and Fintech unicorn, Monzo, has incorporated electronic ID as a mandatory step in its account opening procedures. It requires new account openers to provide a photo ID (such as a passport) and a ‘selfie video’ of the person. Of course, move to electronic ID carries with it heightened threats to data security and costs to obliged entities, which might be the reason both the EU and the UK have not opted not to make the procedure mandatory.
To keep up with the current and future demands of regulators, organisations will have to do more than pay policy lip service to RegTech, and fully commit to involving it in their firms.