Compliance
Developments In Private Bank RegTech – Views From The Experts
Regulatory technology – software that a private bank has to use in order to produce information and analyse it at the behest of regulators – is evolving by leaps and bounds. It not only results in disclosures to wealthy customers on which the regulators insist – especially when they are enforcing such legislation as the European Union's second Markets in Financial Instruments Directive or MiFID II – but it is also a valuable generator of other information that those customers would like to use when deciding how to manage their investments. In this article we speak to Tom Pfister, the managing director of compliance, 'regulatory' and reporting at Confluence, the compliance software vendor which gives advice regularly at meetings with the US Securities and Exchange Commission, about the interplay between those two use cases, among other things.
Advances on all fronts
Pfister began with a look at the disparity between the disclosures of data that private banking customers obtain as opposed to those that others obtain.
"There have been plenty of advancements in technology. Both law and regulation are getting conquered by technology and the advance in technology is trickling into the wealth management space. It's a very competitive environment. Wealth management firms are not as technically-minded as firms in investment disclosure or [commercial or investment] banking or fund management. However, data-centric information [data stored independently of a bank's applications, which allows the bank to upgrade it without slow and costly data migration] is coming.
"If you have a wealth management account, what you get in the way of service is nothing like the exposure that an institutional investor gets to the data and its attributes. There's not a lot you can gather, [whereas] if you are an institutional investor, you can demand transparency of your portfolios, information about the frequency of various things that you can expect and analytics against [i.e. number-crunching analyses of] those portfolios. You can demand information about your liquidity risk. You can demand information about any sort of transaction-based risk."
WealthBriefing asked whether private investors wanted those disclosures also.
"Yes. The lack of that is driving change in the wealth management space. The technology is there already. Investors are demanding it – they know that it is the kind of information that they want – so RegTech in the wealth management space is playing catch-up for that reason.
"The data that you gather through RegTech and the data that you gather from the customer are from the same data sets. They're not exactly one and the same, but they largely are.
"There are wealth managers that are exploiting ways to disclose other information and other levels of data. It's decision-making data. These investments you have are impacting your risk in certain ways and you have to look at it. MiFID says that this must happen, but it's not really being done. We see wealth managers coming in [to Confluence in its capacity as a RegTech vendor] and asking us to let them look at investment performance. They want to use RegTech to let clients know that this is what is happening, that this is contributing (or not) to their investment chances. People [i.e. wealthy investors] are coming into their offices and saying 'I know that it [the necessary IT] exists’.”
RegTech = DataTech?
WealthBriefing asked Pfister what he thought of a new phenomenon – DataTech – and its relationship with RegTech.
Regulatory information is another term for information that a regulator obliges this-or-that firm to send to the regulator, or to the customer, or to the public, or to all three. DataTech, according to Onaudience.com, is a market sector that develops technological products that use Big Data analysis, artificial intelligence and machine-learning algorithms to improve various market sectors, such as digital marketing or business analysis.
"They're one and the same thing, in all honesty. Requests from regulators for regulatory information and data that regulators ask for are not individual system queries. They are not just from the accounting software...they come from a number of different systems that are needed to answer the regulatory ask [i.e. answer the regulator's questions]. I don't think there's a soft wall between the two. You need a robust infrastructure.
"The key thing is open architecture. Applications [must be] able to interact and speak to one another to make these questions easier to answer. If you are a private bank, you have siloed applications. Going between them is very difficult. You need something that lets them speak to each other. You may have to build something much 'lighter' to let them answer the question. 'Lighter' means cheaper, not as robust.
"If a regulator says 'give me your data and put it in XML format,' you've got two options. [XML or Extensible Mark-up Language is a simple text-based format for representing structured information.] If your systems are already connected and you can produce a quality data set, you buy a workflow-and-XML-generator piece of software. You can either build or buy that. That is on the lighter side.
"If you have systems that are in silos and don't talk all that well to one another, then you – and these things can coexist at the same time – you need software that amalgamates the information and then you need your XML on top of that."
The crossover with SupTech
WealthBriefing asked Pfister about SupTech or supervisory technology – a term with which he was not familiar.
SupTech allows regulators to monitor the activities of businesses. The Bank for International Settlements, the "central bankers' bank," defines it as the use of innovative technology by supervisory agencies to support supervision. It helps regulators to digitise reporting and regulatory processes.
Pfister commented: "There are regulators that are – it's not happened yet...the UK's Financial Conduct Authority (FCA) attempted this but it has not gone anywhere as far as I know – they said they are thinking of demanding formulated data sets of all firms. They want to say: 'put your data in a queriable set and I will query what I want to query.' Then the regulator can self-serve. We're talking about SupTech a little bit. But just as technology is enabling asset managers and clients to access regulation, the regulator is upping their game to do systemic risk analysis faster and look at it faster. The regulator is now asking itself: 'how can I get access to find the data I need to ask the questions that I might want to ask tomorrow?' They want to see a super-set of regulation without needing the right regulations. If they have subsequent questions, they can then ask [probe] that data themselves without auditing the firm and having to send it a letter first. That goes back to systems having to interact together."
When regulators dabble in a bank’s systems
A few financial firms on both sides of the Atlantic began giving their regulators direct, if partial, access to their own systems, the better to hand them the information that they wanted quickly, in the days before Covid-19. WealthBriefing asked Pfister whether this was still the case.
"To local regulators yes, to cross-jurisdictional regulators no. They've been doing it for years, but people do not want to talk about that. No bank wants to talk about any time when a regulator has asked it a clarifying question. The reputational consequence of saying that is [to imply] that something is amiss.
"The regulators are getting better at cross-questioning. No regulator has a single query. There are dozens, if not hundreds, of submissions that go through.
"They are getting better at looking across all these submissions. They often say 'hey, you said x over here but you said y over there...why the disparity? I expected blah blah.' [They are now] better at rationalising the total data that they get from the company. Is it creating risk to the investor/the capital markets/cross-border transfers? That's the thing that the regulators are working on right now with technology."
Whom to put in charge?
Pfister had wise words for any private bank that is looking for someone to head up its RegTech initiatives.
"The expectation is that you need in-house or serviced regulatory expertise to understand what you're being asked. The worst thing in the world is to take somebody who already has a job at your private bank and put him in charge. I'd rather not comment on whether banks actually do that.
"The second thing that they can do is to find tech vendors or create internal teams who can imbue their expertise into fulfilling their investments. It's a low-risk investment to have a team that's looking for regulatory change – it's easy. You're not going to negatively impact alpha [i.e. the return that a tracker fund might achieve above the benchmark/index that it is tracking]."
Pfister had not heard of the term "horizon scanning," which Cube Financial, the software vendor, defines as "the means of looking to the future to ascertain what challenges it might hold" in regulation. This, however, was the process to which he was referring. He commented further.
"Stabilising yourself for regulatory change is far easier if you have a professional team. Then the second thing that you would imbue in your design of your systems is investing in applications and investing in [bits of] that open architecture that are easily exportable or queriable or interactive with other applications, which means that the regulator's question comes from 10 systems, not one. So if you have 10 systems that talk to each other, it's far easier than if you have one."
WealthBriefing asked Pfister whether it was the eternal lot of private banks to have 60 to 70 systems that cannot talk to each other and therefore require software to bridge the gap, in both their compliance efforts and their other endeavours. This was certainly the case 20 years ago and nothing seems to have changed.
On the whole, Pfister agreed.
"That's a good question. [Banks have inherited this problem from the past.] You don't see pop-up private banks! They often do have 60 to 70 systems that are mired in the past. It's hard to do an overhaul."
He added that banks are also creating new stand-alone systems all the time because "you're still going to get new products, new investors. It's a trajectory, not an end state."
The Venn Diagram
When RegTech works well, one set of records goes one way – to the regulator – and another goes the other way – to the client. Most of the information in them is typically the same. Pfister was adamant that the bank in question should not be two-faced enough (or disorganised enough) to send off sets of data that contradict one another.
"They should not disagree. You should not keep two books of records. There are regulations [here he meant packets of regulatory information] that are 90 per cent [going to] the public and 10 per cent going to private individuals. There are regulations that are vice versa. The regulator often asks for a list of investors who own this-or-that product, but you wouldn't want to tell their names to other investors. You [also] wouldn't want to tell the investors the name of whoever owns most of this-or-that product. Many regulators recognise this. Many regulations are already split up between what goes to the public and what goes to the regulator. The latest ESG [environmental/social/governance-related] proposal in the UK – the SDR one – requires consumer-facing reports and regulator-facing reports."
'SDR' is the FCA's shorthand for sustainability disclosure requirements.
Green flags and happy customers
One large subset of FinTech is FinCrimeTech, or financial crime technology. This includes software that supports the statutory "know your customer" rules which the British Joint Money Laundering Steering Group and the US Financial Crimes Enforcement Network help to impose on financial institutions. Between 150 and 200 software vendors operate in this area and their customers are also calling for access to information that they find commercially useful. This is the province of Dermot Corrigan, the CEO of SmartKYC, who spoke to WealthBriefing recently.
"What we're hearing from customers, on a positive note, is that knowing your customer as best you can is actually a good thing – not just in terms of whether there are any red flags, but also whether there are any green flags. Can commercial opportunities arise as a consequence of knowing some of this stuff, of knowing who's in that person's network? They certainly can. If you're targeting that potential customer over there and your software establishes the fact that he has a relationship with one of your happy clients over here, you call the happy client first for an introduction.
"This idea of relationship intelligence, I think, is becoming increasingly effective for banks. We've got 'use cases' where it's actually the relationship manager who is using SmartKYC, not the compliance people, because 'source of wealth' and some of this other contextual intelligence, as we call it, can be used to good effect. Lifestyle, hobbies, interests, back-story, origin of wealth, the extent of his wealth, the assets that he may have, such as luxury goods or collectables, relationships that he has – perhaps with his family, perhaps through company directorships, shares that he holds and business associates – can all be used to pulling effect. So knowing your customer isn't the exclusive preserve of compliance, because back in the day it was what we were all told to do in sales. It all has an influence on risk but it's also useful in developing business.
"We've got two or three clients now who have spotted this and said 'ah, actually I'd like to use that – this can give me the advantage that I need,' and I don't think it's because they feel they need to offset the compliance cost."
Adverse media
The Financial Action Task Force's famous '40 recommendations' do not explicitly refer to negative news searches, but in 2014 that international body issued some guidelines for a risk-based approach to money laundering in the banking sector. It said that Enhanced Due Diligence or EDD – which occurs at the onboarding stage at private banks – entails "verifiable adverse media searches to inform the individual customer risk assessment." Of course, banks and other financial institutions have been searching for 'bad press' about their prospects at least since the passage of the US Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001, which coined the term EDD. When this author asked the US Treasury at the time how EDD regarding customers should work, the official helpfully replied: “Look ‘em up on Google.” Things have come a very long way since then.
In recent years, AML software companies have been looking for more and more adverse information that has nothing to do with money laundering. This, too, has led private banks to ask for such peripheral information in growing numbers, as Corrigan explained.
“What is 'adverse'? The term has moved 'way beyond what it was two decades ago. It's gone from evidence of financial criminality into toxic association, ESG, reputational trouble and lesser offences for non-financial-crime things.
"One of the things we do is called Toxic Associations. This came from private banks. The private banks we work with all had this idea – hey, can your software watch to see whether the person we deal with, or might be dealing with, is associated with any of these things? So what they've got is this list of verboten subjects or people that they don't want to have any dealings with.
"Kanye West was offboarded by JPMorgan. Did he commit a financial crime? No, he didn't. It was to do with his views, which are objectionable, but the law doesn't require you to offboard someone for that. It shows how reputation has bled into the KYC decisions that banks make and will increasingly do so."
Horizon scanning...but for AML-related risks
RegTech "scans the horizon" (see above) for AML risks as well as for fresh rules in the making. Increasingly, according to Corrigan, it does so at the behest of the banks themselves.
"The evolution that is coming from the private banks is this idea of 'we have to have our eyes always open.' In the past, the regulators said 'do your KYC better while onboarding.' You said: all right, tick. Then they said 'you've got to do it more periodically at intervals, just to make sure that nothing's happened.' And now there is this idea of risk vigilance – permanent vigilance. It's watching the world for these risks as they emerge. We are launching a tool called smartEYE exactly to that end. It enables you to watch mainly your very high risk, so that you can respond immediately to a risk event happening, whether that's reported in the Dutch media, on a Malaysian blog or via Baidu in China [a search engine, not to be confused with BeiDou, the Chinese version of GPS]. That's the degree of sophistication that the compliance world has reached."
* Dermot Corrigan can be reached at dermot.corrigan@smartkyc.com