Digital banking is evolving from being simply online bank-account management to encompass offering a variety of financial products and services. Multi-national banking operations now must expend significant resources to maintain compliance with the regulations in many jurisdictions.
Mistakes that create a compliance failure can be extremely costly with record fines being imposed on many major banks for illegal practices, money laundering, and other regulatory violations.
Digital Banking Compliance
Digital banking compliance has the added risk exposure of needing to maintain strict compliance in multiple countries for cross-border transactions along with the increased risk of losses due to cyber-attacks and fraud.
The key compliance issues facing the banking industry, as reported by McKinsey, include:
- More Active Compliance Department — There is a change in the role of the compliance department from being in solely an advisory position to now taking on an active role to directly participate in risk management.
- Focus on Residual Risk — Instead of monitoring and documenting all risks and all controls, there is more focus on the management of residual risk by using breakpoints in the critical processes. This helps to ensure that any material risk is noticed. The goal is to have the breakpoints trigger a response that is risk-based with enough oversight and remediation efforts made before a problem gets out of control.
- Integration: The governance of risk management with regulations is achieved by a risk management framework that is fully integrated to work with a bank’s operational-risk protocols and procedures.
Bank fraud remains a major concern for banking compliance and risk management. The numbers are staggering. In the United States, bank fraud exceeds $2.2 billion per year and is increasing.
KPMG Global Bank Fraud Survey (2019) reports that the types of fraud are:
- Credit and Debit Card Fraud — Bank card fraud accounts for 53% of the total, which is about $1.3 billion annually in America. Another $17 billion in fraud attempts are blocked each year.
- Social Engineering Fraud — The FBI reports that business email spoofing of American companies resulted in $12 billion in losses from 2013 to 2018, which averages to over $2 billion per year.
- Scams — There were 152,595 scams reported by victims from July 2015 to April 2019. There are romance scams, lottery scams, tax payment scams, and “too good to be true” financial scams. Banks are often blamed for the losses from these scams even though the account holders are the ones usually making the mistake of giving account information to criminals. Elderly people are targeted frequently. Push payment scams are used to gain a customer’s trust, then access personal information, and then take over their bank accounts.
- Cyber and Online Fraud — Identity theft continues to be a major problem with billions of users’ account information breached by hacking attacks. Some of the biggest breaches in the past decade were Yahoo (3.5 billion accounts), Marriott Hotel (500 million records), Adult Friend Finder (412 million accounts), eBay (148 million accounts), Equifax (148 million people), Target (110 million people), and Facebook (50 million accounts).
Compliance with regulatory issues related to fraud are serious concerns and whether a bank, a merchant, or a customer is responsible can become a matter of significant dispute and this matter settled differently depending on the laws of a specific location that has jurisdiction.
Money laundering compliance failures caused banks to pay many billions of dollars in fines. HSBC ($1.9 billion), Standard Chartered Bank ($1.1 billion fine), Deutsche Bank ($12.5 billion in fines since 2000), and UBS ($5.1 billion fine) are just some banks fined huge amounts.
Banks are required to file suspicious activity reports with various government organizations that monitor financial crimes like FinCEN in the United States and other regulatory bodies in the EU and the UK, which passed the Sanction and Anti-Money Laundering Act in 2018.
‘Know Your Customer’ Rules
Digital banking has more money laundering risk because of the opportunity for banking transactions to occur without ever having seen the person who owns or controls the account. Billions of dollars move through the international banking system in a day.
The real ownership of an account and the source of funds can be hidden from the bank. False identification documents and shell corporations are frequently used to open bank accounts for illicit transactions.
When banks fail to file suspicious activity reports and fail to take appropriate actions to stop money laundering, they are subject to severe prosecution and enormous fines This is why banks are spending billions of dollars to try to stay in compliance with anti-money-laundering regulations. Digital banking further complicates this issue.
Banks typically have many cross-border issues. Even if there are no branches in a country, the use of a bank card by a customer, to buy something or get cash from an ATM, can trigger local compliance issues. The biggest challenge is the massive amount of complex regulations that continually change. Thomas Reuters reports that there were more than 56,000 regulatory changes in 2017 related to banking.
Compliance with regulations is made more challenging with the innovations happening in digital banking. It makes it more difficult when regulations have not yet caught up with the technological advancements in mobile apps, trading systems, cryptocurrencies, advisory systems, and digital assets.
Many times, the technology runs ahead of the regulations, such as the use of encryption for the messaging system called WhatsApp that is now owned by Facebook. When laws come into being that regulates an innovation, it may be a long time after some service is already in use by millions and quite popular.
An example of these challenges is the recently passed Australian data encryption law. The law requires online companies that use encryption to have a “back-door” key to give the Australian government access.
This means if Facebook wants to be available to Australians, it must break its product WhatsApp to create a way for the Australian government to be able to read everyone’s encrypted messages. That destroys one of WhatsApp’s main features. This is extremely difficult for Facebook to do. It would cost a fortune and Facebook could lose millions of customers for WhatsApp in the rest of the world.
The new Australian regulations are severe for any company doing business in Australia. The definition of what it means to do business in Australia is very broad. Outsourcing work to companies that have some workers in Australia may be enough to trigger the need for compliance with Australian law. What will companies like Facebook do in response to this new Australian encryption law? That remains to be seen.
Open-Banking is a tremendous innovation. However, it is also creating significant risk, new challenges, and in some countries increased compliance issues where Open-Banking is a regulatory requirement. Open-Banking is a system for banks to give third parties access to customer data. It started in the UK and now it is becoming the standard in Australia, Canada, Hong Kong, Japan, Israel, Mexico New Zealand, and Singapore.
The challenge for Open-Banking is the reliance on third-party controls. However, Open-Banking is meant to create a more accurate and detailed master customer database across all banking and fintech systems to help prevent and detect fraud and to make it easier to recover losses.
Another major legislative and regulatory change is the General Data Protection Regulation (GDPR) that is now the part of the compliance requirements for doing business in or with European Union nations and their populace.
GDPR rules, which have been in effect since 2018, influences digital banking in five important ways, which are:
- Improved Standards and Consumer Confidence — GDPR improved the already high standards of how European institutions handle personal, confidential, financial information. This increased consumer confidence in these institutions.
- GDPR and Open-Banking — GDPR works well with the implementation of the EU version of the Open-Banking system. Open-Banking allows third-party companies to gain access to banking information along with customer control over who gets to use their information.
- GDPR Stimulates Innovation — The data security and privacy controls, which are the standards across Europe, allow bold innovations that see this as a strategic advantage rather than a regulatory hindrance. European consumers now can share their financial banking information with other non-traditional fintech companies that offer innovative products and services.
- Increased Ethical Standards are Good for Business — Banking customers, especially millennials, now can consider corporate ethics when making a purchase decision or choosing fintech services. Companies that embrace the GDPR standards and publish their ethical standards are discovering powerful marketing niches of extremely loyal customers.
- Improved Cyber Security — GDPR improved the compliance requirements for banks that experience a data breach with stronger and definitive procedures to follow for handling a breach and notifying customers about it. GDPR combined with Open-Banking increase the ability for fintech institutions to detect fraud and reduce the risk of data breaches.
Digital Transformation and Blockchain
Digital banking is undergoing a continual digital transformation that may see even further disruption by innovation with blockchain technology and the applications using blockchain technology created by fintech companies.
Blockchain technology is disruptive in digital banking and fintech because it can securely archive a ledger of any digital asset of value. It could be any type of financial transaction, legal documents, contracts, investment records, and so on.
Digital banking needs a robust compliance framework to operate safely and effectively. A regulatory compliance framework is a set of policy guidelines for the structured ways that a company or organization keeps its processes in alignment with laws, regulations, and standards that are required for banking according to the locations where the bank has operations. With digital banking, the range of locations can extend globally.
The compliance framework is driven by the business strategy of the organization that is then guided by the ongoing changes in regulations and monitored for compliance with said regulations.
Digital banking is using artificial intelligence for many purposes and there are software applications that help find compliance problems. The most challenging problem is that there may not be any regulations for a certain type of innovation and the regulations are suddenly applied, or worse, applied retroactively.
C-level compliance officers need to be proactive in making investments in systems that regularly update compliance rules and monitor activities for violations according to risk-based, AI-driven data analytics.