Last month, Protiviti sponsored and participated as a panelist at the 11th Annual APAC ACAMS Conference, which took place on April 8-9 in Singapore. Carol Beaumier is a Senior Managing Director with Protiviti. She oversees the Protiviti Asia-Pacific Financial Services practice, and attended the conference along with Nigel Robinson, Managing Director and Singapore Country Market Lead, and Ronita Dutta, Director in Protiviti’s Singapore Internal Audit practice. Following the conference, the three of them sat down to discuss some of the key takeaways from the conference and share important insights from the activities of financial institutions and regulatory bodies in the APAC region. We present this conversation below, along with a full transcript.
APAC ACAMS Podcast transcript
April 25, 2019 at 8:00 AM
Carol Beaumier: Hello. This is Carol Beaumier, Senior Managing Director of Protiviti and leader of our Asia-Pac Financial Services Practice. Today I’m joined by Nigel Robinson, Managing Director and Country Market Leader for our Singapore office, and Ronita Dutta, a Director in our Risk and Compliance Practice, also out of our Singapore office. Recently, Protiviti was a sponsor of the 11th Annual ACAMS APAC Conference, which was attended by more than 600 people from across the region. Today, we’re going to discuss some of our key takeaways from that conference and how we think these may impact the organizations with which we work. Welcome, Nigel and Ronita.
Nigel Robinson and Ronita Dutta: Thank you, Carol.
Carol Beaumier: All right, Ronita. The first question I have is for you. Assistant Managing Director Ho Shin of the Monetary Authority of Singapore set the stage for the conference by discussing the four pillars on which the Monetary Authority anchors its activities. Clearly, Singapore is a very important financial services market. For the benefit of any financial institution that operates in Singapore, Ronita, can you explain the four pillars and some of the current MAS initiatives under those pillars?
Ronita Dutta: Sure, Carol. Yes, indeed, there are four elements in the MAS’ AML and CFT framework, Anti-Money Laundering and Countering the Financing of Terrorism framework. These are progressive regulation, intensive supervision, rigorous enforcement, and effective partnership. Let me take a moment to cover each of these in a little bit more detail. I’ll start with progressive regulation. The MAS recently passed the Payment Services Act, or PS Act, which looks to enlarge the scope of payment activities covered under MAS’ AML and CFT regulation by providing a risk-sensitive and forward-looking framework for the regulation of money laundering and terrorist financing within the payment ecosystem. The PS Act will also introduce a regulatory framework for digital payment token services. These two initiatives will allow legitimate and well-run payment services entities to innovate and grow. Essentially, the objective is to allow the flourishing of the payment services sector.
The next pillar I’d like to cover is intensive supervision. The MAS conducted targeted supervision of financial institutions in key money laundering and terrorist financing risk areas over the past two years. Thematic inspections looked at the effectiveness of combating proliferation financing, transaction monitoring, and detecting the abuse of legal persons, amongst other areas. Going forward, combating proliferation financing will remain a priority risk for Singapore because, as you may be aware from the press, sanctions evasion methods continue to rise in sophistication and complexity and financial institutions must evolve their detection capabilities in tandem.
Next stop is rigorous enforcement. Like any other regulator, an effective regulatory and supervision regime needs to have effective and rigorous enforcement. The recently published inaugural enforcement report outlines MAS’ enforcement priorities to keep the financial system clean and trusted. You may want to have a look at that report if you haven’t done so already.
Finally, the fourth pillar is effective partnership. The AML CFT Industry Partnership, or ACIP as it’s called, is a private/public partnership that was established about two years ago now. The purpose of the partnership is to bring together the financial sector, regulators, law enforcement agencies and other government entities to collaborate in identifying, assessing and mitigating key risks in money laundering and terrorist financing that Singapore faces. It seems to have established itself as an effective platform for open discussion between the industry, law enforcement agencies and the regulator. They share typologies, risk areas and possible solutions. After that, the insights from these discussions are shared with the broader industry and based on feedback so far, it’s working really well. The ACIP has issued two best practice papers for this purpose – one about a year ago which looked at trade-based money laundering and the misuse of company structures, and the second towards the end of last year, and that looks at encouraging greater adoption of data analytics and higher use of analytics in private/public sector collaboration. That about summarizes the four pillars.
Carol Beaumier: Thanks, Ronita. That was a very helpful overview. Nigel, let’s move beyond Singapore into the region more broadly. A number of Asian countries have recently or are about to undergo Financial Action Task Force mutual evaluation reviews. There was a very interesting panel I thought at the conference with representatives from Japan, Macao, the Philippines and Taiwan who talked about their country’s experiences in preparing for these onsite reviews. I wonder what your key takeaways were from this discussion.
Nigel Robinson: Hi Carol, a great question. Thank you for having me on your podcast. It was very interesting to hear from the representatives in other APAC regions that were also subject to Financial Action Task Force evaluations recently. To understand some of the collaborative efforts between the regulators and financial institutions in these regions, some key takeaways and common themes I’ve identified: The regulators performed thematic reviews of financial institutions successfully affecting the business of the AML compliance program and identify systematic risks. They also reached out to foreign competent authorities to share and exchange supervisory views, organized regular industry briefings. The regulators also performed mock evaluations to prepare for the FATF evaluations. Guidance papers issued by industry associations help banks benchmark against industry best practice and improve existing controls.
Carol Beaumier: Follow-up question, Nigel. What advice would you have for a financial institution that expects to be interviewed as part of the onsite mutual evaluation review?
Nigel Robinson: Well, first and foremost, it’s important to start with a solid foundation. Financial institutions should have a well-calibrated risk governance framework in place and adopt a risk-based approach in mitigating AML and CFT risks. Following on from that, the financial institutions’ risk assessment methodology should take the national risk assessment report into consideration. The methodology for the risk assessment should include both quantitative and qualitative factors. Once these are set, the effectiveness of the AML program and the model to use should be tested by an independent third party. Finally, I would focus on communication. One, communication internally: Senior management should be made aware of the key risks, control gaps and remediation efforts, and a clear trend of compliance culture should be set at the very top. Two, communication externally: regulators should be notified on a timely basis about the deficiencies and key risks that a financial institution may be exposed to.
Carol Beaumier: Thanks. I think a really important point here that you’ve emphasized is this really is a collaborative effort between regulators and the industry where both the technical compliance and the measures of effectiveness of the compliance are equally important, so definitely an interesting time for a number of countries within the region. Let’s switch gears a little bit, Ronita. There was a lot of discussion at the conference about trade-based money laundering. Why is this such a hot topic for the region, first of all? What can or should financial institutions be doing to address the risks of their trade activities?
Ronita Dutta: Trade-based money laundering does seem to be on everyone’s radar, which actually is not that surprising considering the sheer scale of trade activity in APAC, especially in Singapore and Hong Kong, and the high TBML risks associated with that. To address such risks and build a resilient TBML program around that, I think some of the key considerations that financial institutions need to put in place would be primarily to take an integrated approach between the compliance function and the trade operations function. An FI’s AML program needs to incorporate trade aspects such as the information on customer trade profiles, for example, the location and profile of counterparties, the nature of goods traded, countries involved. TBML risk assessment is another very important consideration. The risk assessments need to identify various trade products offered by the bank as well as the controls to identify and mitigate those risks. As always, policies and procedures play an important role, so well-documented P&Ps related to trade-based money laundering red flags, typologies, and escalation channels would be very helpful to the team. Training, again, is a must. Comprehensive training which includes case studies, relevant red flags, and typologies based on the products and services offered by that FI would again be very helpful for the staff. Last but not least, independent testing of those controls to validate that they are actually operating effectively. All the usual components of a robust control framework.
Carol Beaumier: Thanks, Ronita. I think a couple of other takeaways that I had from the trade-based discussions were around being aware of front companies that may be parts of larger networks, so being able to do link analysis to identify those relationships. I also thought it was really interesting to hear some of the speakers talk about geolocation software that actually can be used to track vessel routing. There are some interesting tools out there I think that the industry can avail itself to help in managing its trade risks.
Not surprisingly since we were in Singapore which is known for its FinTech/RegTech activity, we heard a lot about the use of technology but also about the risks that are posed by new technologies. I have a two-part question here. What did you hear about some of the improvements that are being made to transaction monitoring using technology and data analytics, and then focusing on the new technologies, what recommendations did you hear or what recommendations have come from our own work about how financial institutions can effectively manage the risks posed by artificial intelligence, robotics, and other innovative RegTech solutions? Ronita, again, I’ll turn to you for this.
Ronita Dutta: Sure, Carol. Let me address each of those individually then. If we start off with improvements to transaction monitoring, data analytics as well as new technologies such as artificial intelligence and machine learning have helped in significantly reducing false positives, improving alert quality, developing typology-driven scenarios, and identifying hidden links that may be difficult or even impossible to identify from legacy systems. Here are just some of the ways in which these technologies can be used in transaction monitoring. Link analysis, which you mentioned earlier, is used to identify suspicious relationships and detect hidden connections. Using action-centric detection rules and models based on access rather than transaction is a new way to reduce false positives as well. The focus here is on identifying crime groups and how they collaborate in networks. Finally, combined detection strategies have been implemented in some banks in the region. This involves statistical models, patent-based intelligence rules, and advanced machine learning algorithms to generate useful alerts. It’s quite exciting stuff, I’d say, and much more to come.
For your second question which is around managing the risks of AI and robotics, I think it’s important to remember some key considerations. First and foremost is around culture and leadership. AI efforts are led by senior technical and technological executives in most companies. However, many experts believe that it should be the domain of the CEO or the business side head to ensure AI applications are tied closely to specific business outcomes. The second point is around ensuring the validation of AI programs. AI programs need to be implemented with a proper end-to-end validation program. Deepening the understanding across the enterprise and eliminating the fear of the unknown to improve proper communication and transparency is important for the success of any such program, and then building a structure that brings IT and business together is also key to the success because personalities tend to be different. They tend to work in silos, and really there is quite a bit of a cultural difference required to get teams to work together in this new era of technological advancement. Then it comes to the question of talent and whether to develop that in-house or partner with a number of third-parties, which brings its own risks, and of course ensuring senior executives understand how these sophisticated technologies work to some extent or understand some of the risks that they bring is very important. We’ve seen from several financial crises in the past how important it is for any black box models or technologies to be understood. I think that sums up the two aspects of your question.
Nigel Robinson: I was going to add, Ronita, and I think you’ve covered a lot of really good points there. Singapore is a good example. In the last three years, I’ve seen the explosion of activity in the space, even with the MAS providing funding for initiatives to allow, first, FIs to do a number of different things. You could see that whether it’s in banking or insurance or another space, that there’s a lot of activity. That’s really changed in the last years as I said. The talent issue is a huge one. The government here has established a need and a plan to grow a digital talent pool of the country to help service all the stuff that’s going on. Again, a lot of the banks are piloting various solutions. The cycles are long but I think they’re finding that it is extremely helpful to the business and to fight financial crime generally. Back to you, Carol.
Carol Beaumier: Thanks, both of you, for your comments. I think definitely this is a large-scale transformation for the industry that really will require new talents or retooling of existing talents. It would be exciting to see how it develops.
Nigel, at the conference, you were on a panel that discussed lessons learned from recent enforcement actions. What do you think the key takeaways from that discussion were?
Nigel Robinson: The panel said – we had a lot of views and the themes seemed to echo over the last few years that the ACAMS event has taken place. I guess there are five plus consistent themes, one around sound governance structure, which is always a key backbone to any organization on taking financial crime responsibilities. This should be backed by a strong and consistent message from the top emphasizing corporate values and culture. Individual accountability across the board with clear indication of roles and responsibilities is a must.
Last but not least, a robust trade lines defense model, one that aligns process and effectiveness between business and operations, compliance and all of that. Without these three, you will not get control effectiveness. I think I just want to add one more observation. There was a question I asked to the audience around learnings, and consistently scored high was that learnings weren’t really conducted for all the lapses or issues that were identified, which was quite astounding. I think if you have a large issue that consistently arises again and again, you need to take action. I think that was one of the things that really stuck out to me that seemed to be an ongoing set of challenges to various FIs but not really tackling the root causes of it. If you were to invest the money spent on fines on actually resolving the problem, you might actually cause and create a longer-term remedy.
Carol Beaumier: Maybe picking up a little bit on the discussion we had earlier around technology and innovation, I think there’s a general consensus that the AML compliance officer of the future will need to have different skills and experiences than maybe has been the case historically. Nigel, what do you think will be necessary for an AML compliance officer to be successful in the future? A follow-up to that, what steps do you think financial institutions need to take to prepare their personnel broadly for the future?
Nigel Robinson: Yes, another great question, Carol. What’s the role of a compliance officer? In the old days, it was half hidden in the back room a little bit and they would come out when there were issues surfacing. But now, every month, there is something in the press, and compliance is critical to the business function. I’ve seen compliance roles change significantly since I’ve been in Singapore, and I’m sure the same is true elsewhere. The compliance role, and again, different levels, morphing rapidly due to a number of factors. We’ve got a changing regulatory environment, emergence of new technologies, and the constant work on large data sets to identify patterns and typologies which were previously unknown. Harking back to the technology solutions, this is where the compliance officer’s role will really be supported and changed. Going forward, the role is going to become more and more data-orientated. Again, we’ve got more systems being engaged and placed online, and you really do need to mine that data to identify the issues at hand. The compliance role also requires to be able to interpolate regulations and understand how that technology works and needs to be used. It’s very important, again, that organizations look after their compliance officers in that function, to build up the competencies within those teams. It may include things like special training on data mining analytics, taking the step and being bold to look at new technologies and see how that may change the existing function, looking at a training that supports that, and a continuous improvement mindset, I think going back to the earlier observation on learnings and acting upon them. That’s very important. The role of a compliance officer will change, but it needs to change quicker than financial crime actors are able to adapt to. Again, I mentioned Singapore’s initiatives.
They’ve worked with a number of cross-country, cross-market initiatives to support compliance operations and to share learnings across the industry, which I think is great and that will continue. A compliance officer is in high demand. There’s a lot of turnover between the various institutions as compliance officer skills are unmet to meet new demands and aspirations for each institution concerned.
Carol Beaumier: Yes. I think as you mentioned before, some of the training, the training around technology and data analytics really will have to be rolled out broadly through organizations, not just obviously for compliance. Our whole world is changing pretty dramatically.
Nigel Robinson: I think one element that is missed out for this is the change challenge. What we are asking for is a compliance function to fundamentally look at the way they do business today, and to change it whilst they’re trying to keep the business-as-usual activities going, which is no mean feat. It also may be to take some efficiency changes which may require a reduction in head count, a change in process and technology, which obviously comes with its own change pain, but I would say to any institution out there that it’s worth doing. The benefits, the savings, the effectiveness, and more importantly, reducing the risk of compliance failure is increased. That surely must pay something worth pursuing.
Carol Beaumier: Absolutely. Nigel, I’m going to give you the last word. If I were to ask you for the top five priorities that financial institutions in the region should be focusing on based on what we heard at the conference, what would you say?
Nigel Robinson: Okay. Well, it’s a broad subject and many areas need to be addressed but I would say probably just to narrow it down to five, it would be one, closer collaboration with regulators and other financial institutions so really private/public partnerships; two, leverage technology capabilities, so data analytics, machine learning, artificial intelligence to optimize existing screening and monitoring capabilities; three, adopt a risk-based approach supported by data, and a number of clients here are not necessarily comfortable with doing that, but again, it’s a trend that is increasing; four, raise customer awareness on financial institutions’ sanctions obligations; and finally, ensure accountability for banking executives to ensure individuals are held responsible for any misdoings.
Carol Beaumier: If I were going to summarize what I just heard you say, I would say, “Innovate responsibly.” Would that be an accurate representation?
Nigel Robinson: Innovate responsibly but actively.
Carol Beaumier: Perfect. Ronita and Nigel, I want to thank you both for joining me today to discuss these key takeaways from the ACAMS Conference, and I would encourage anyone who would like to hear more about how we can work together to address some of these issues to email either Ronita or Nigel.