Let's dig in...
When asked why anyone would want to take on such a big responsibility as being the Head of a financial crime unit where one must manage big measures of risk, Nic responded that he enjoys the concept of a risk discipline. He explains that it is live 24/7 and changes regularly, which also means it requires the deployment of a lot of technology, tools, techniques, and data management in order to provide risk management from a proper risk-based approach. This is a vast improvement from the old systems which may have involved scenarios where organisations would have been considered compliant by simply ticking all the boxes, and yet fail to eliminate the actual risk.
Although our function sits in compliance, it is not about complying to a set of rules and regulations as the objective, it's actually by looking at how we can understand, quantify, and mitigate the risks that we're facing in the firm, and mitigate them to a level that's acceptable, but also doing it in a way that we will comply.
Absa Head of Financial Crime
Understand, Quantify, and Mitigate.
Nic goes on to say that there is no perfection when it comes to risk and that it is a messy business that needs to be managed to the best of one's ability. It's easy for someone to question the obvious five years later with the benefit of hindsight, but one needs to have a thick skin and be able to move fast in this business.
Continuing the topic of a risk-based approach, Nic talked about the struggles of getting organisations to adapt to this new method and abandon their legacy mindset since it is an ongoing battle to root out unnecessary processes and procedures from the traditional systems. Organisations used to have numerous touchpoints whereas the new approach can scale it down by as much as 70% - and yet many of these unnecessary touchpoints are still left in place because of tradition.
Colin asked Nic if he ever gets the feeling that sometimes he might be burdened by the level of regulatory control that he is trying to put in place compared to some of the FinTechs that are out there. Nic acknowledged that the playing field isn't level - and the problem is that the peripheral players also want access to the banking system, but they don't have to comply with the same requirements. He then suggests that the idea of a 'same risk, same rules' principal is needed - which is again mentioned later in the session when talking about the crypto players.
Continuing the discussion with the devastation caused by state capture in South Africa and how a lot of that money has been going through the banking system, the question was asked about how that was allowed to happen and what needs to change. According to Nic, the banks have fulfilled their role in reporting suspicious activity, the real question should rather be how this was disseminated and acted upon. He pointed out that the banks were also the first to exit their services from these criminals and their associated companies, which then kicked off a much broader level of awareness.
The topic from the previous Game Changers session on Self-Sovereign Identity (SSI) was also briefly discussed - where it was mentioned how it could revolutionise the industry in the future by removing friction for customers and reduce risk for financial institutions since the current forms of physical identification such as ID books or cards are subject to significant amounts of fraud.
It's good that we're going to see some logical practices coming into the domain and discipline of financial crime and risk management. One of our passions and purposes at Sybrin is to contribute to financial inclusion across the continent - and we're looking for ways to make it easier, cheaper, and safer.
Sybrin Group CEO
Here are some of the questions from the audience that were discussed during the session:
Do you agree that there are aspects that are rules-based, and that high risk requires more intensive due diligence?
Absolutely, the additional requirement to perform enhanced due diligence on higher risk is actually a risk-based approach, it should allow us to spend more time on the high-risk aspects and less time on the low-risk aspects - which enables you to apply your resources to the priority areas.
Do you see the SA government helping to make access to trust information easier? In relation to Ultimate Beneficial Ownership (UBO), do you see this changing regulation? How do you think this will impact your practices and procedures?
For large banks that are linked to the international financial community, we have to provide a level of control, governance, and a risk profile on an international level, not just to the local regulators. It is a requirement in the new act for all banks to provide UBOs. SA is currently lacking in its recording of UBOs and needs to implement a register.
What's your take on using AI? Do you have the datasets out there to go and train your models? How do you remove the bias and understand whether it's working?
We have to be specific and focused on how we deploy AI, the deployments that we've done aren't necessarily models that just run on datasets - or self-learning and unsupervised. We also have to provide a level of transparency so that what we put into that model is a reflection and a depiction of the decisions our analysts would have made. We do significantly high-quality assurance on the outputs of that. There is also a full audit trail, so you can see exactly how every decision was made.