Volume 6 (2022-23)

Each volume of Journal of Financial Compliance consists of four 100-page issues published in both print and online. 

The articles and case studies confirmed for Volume 6 are listed below:

Volume 6 Number 4

  • Editorial
    Mario DiFiore, PhD, Editor, Journal of Financial Compliance
  • Practice papers
    Challenges of sanctions lists screening and the impact of sanctions triggered by conflict zones
    Szilvia Andriasik, Senior Compliance Manager, Bilfinger

    This paper emphasises the importance of sanctions policy and the role of different sanctions regimes triggered by various conflict zones today and in past decades. Based on examples of sanctions against Iraq, the Russian Federation and Venezuela, it highlights the difference between traditional embargo-style sanctions and recently introduced sectoral sanctions specifically targeting specific economic sectors. The paper also discusses coordination efforts between different sanctions regimes towards a global sanctions policy through the experience of the sanctions against the Russian Federation, as well as a new human rights sanctions regime. On the other hand, different political considerations can also lead to a clash of sanctions regimes. The paper discusses the impact of divergent international relations with Iran on sanctions when the United States withdrew from the Iran nuclear deal in 2018, reinstating secondary sanctions against Iran and causing legal and economic challenges for companies within the European Union (EU). Based on the recent preliminary ruling of the Court of Justice of the EU in the Bank Melli v Telekom Deutschland GmbH case, the paper points out the main considerations regarding the blocking statute activated by the EU in order to protect enterprises within the EU from the extraterritorial effect of foreign sanctions laws. In addition, the paper features the possible criminal as well as civil law liability for sanctions violations in different jurisdictions, highlighting some examples such as sanctions law offences by BNP Paribas. In the light of the possible penalties and financial losses caused for companies, the paper sets out a comprehensive decision matrix for experts and decision makers who want to evaluate whether another entity is sanctioned or has sanctioned ownership in a certain jurisdiction. Finally, it elaborates which technical add-on features a sanctions list screening software should possess in order to detect and manage sanctioned entities.
    Keywords: sanctions; extraterritoriality; Consolidated Financial Sanctions (CFSP) list; UK sanction list; Office of Foreign Assets Control (OFAC); sanctions diplomacy

  • Driving a strong risk culture and managing conduct risk
    Cara Williams, Principal, Risk Management & Regulatory Compliance, Spinnaker Consulting Group

    It has been over seven years since the Financial Conduct Authority (FCA) first introduced their 5 Conduct Questions Programme as part of their strategy for supervising banks. Other regulatory bodies have subsequently voiced their expectations regarding conduct risk. While there certainly appears to be much higher awareness of conduct risk within the industry in recent years, the true understanding of and skills to identify this risk type have room to grow. The ability to adequately factor for conduct risk throughout the risk management life cycle is more crucial than ever, given the game-changing years just experienced. This paper explores ways in which banks can foster consistency and awareness to promote a risk-aware culture and mitigate conduct risk.
    Keywords: culture; conduct risk; risk management; governance; operational risk

  • Designing technology systems to detect and prevent financial crime
    Jas Randhawa, Managing Partner, StrategyBRIX and Suraj Swaminathan, Compliance Technology Professional

    Almost all early-stage financial services businesses are motivated to have a comprehensive compliance programme. However, they often need help knowing where to begin. There is much literature on enhancing existing compliance programmes and specific topics such as know your customer or transaction monitoring systems (TMS). This paper delves into the critical components required to build a functioning compliance programme and the fundamental building blocks that will set up a FinTech for long-term success. This paper is comprehensive enough to allow any company focused on financial services to pick and apply key concepts explained in the paper to build a compliance programme. At the same time, it is specific enough to help explain each component in detail so that companies can use this as a guiding principle to set up a compliance programme.
    Keywords: AML; KYC; transaction monitoring; compliance technology; machine learning; FinTech

  • Economic sanctions on the rise: The ever-increasing importance of sanctions screening in a compliance programme
    Amir Fadavi, Senior Director, K2 Integrity

    With the ever-increasing use of economic sanctions by multiple governments across the world, sanctions compliance has become a complex topic that requires the use of tools and technologies in assisting an organisation to stay compliant. Sanctions screening is one such tool. The question of whether to screen or not cannot be answered in a vacuum and it has not been specifically prescribed by sanctions laws. As such, this paper suggests a system (a three-step approach) for organisations to tackle the questions of sanctions screening. This paper offers some fundamental sanctions-related information and then delves into the details of screening. It introduces a three-step approach in which the first question is whether sanctions screening is the right control for an organisation or not. Then, in the second step, it talks about the specifics of sanctions screening systems and technical factors to consider. In the last step, it covers the actions that should be done when a screening system detects a potential sanction hit. After reading this paper, in addition to being introduced to the three-step approach, the reader will be informed about several technical aspects of screening, the role of sanctions risk assessments and how the output of sanctions screening can improve the quality of an organisation's sanctions compliance programme.
    Keywords: screening; risk assessment; sanctions list; tuning and threshold; OFAC; block or reject; data quality

  • Operation Spring: How Swedish authorities took out Sweden’s biggest narco bank
    Magnus Sohlén, Head of Unit, Action Groups, Section, Investigations Division, Stockholm Region, Swedish Police Authority

    This paper is a case study of a multi-agency investigation of a currency exchange office that served as a bank for organised crime. The paper describes how the investigation was carried out, with inter-agency cooperation being a key factor in its success. The purpose of the paper is to inspire other law enforcement agencies to initiate this type of investigation, as exchange offices and hawala brokers act as facilitators for organised crime to transfer their criminal profits into new crimes, making it extremely important to combat them. The paper also highlights the need for supervisory authorities to be more effective in controlling these types of business activities as it is naïve to think that only criminal investigations will stop them. To achieve this, new legislation and better cooperation between authorities are needed.
    Keywords: organised crime; hawala; money laundering; Sweden; the Financial Supervisory Authority

  • The ongoing challenge of conduct risk management
    Rocky Hirst, Head of Commercial Bank Compliance for Europe, Middle East and Africa (EMEA), Citibank

    This paper begins by discussing the foundations for conduct risk regulation, particularly in the UK and the challenges the financial sector has faced in implementing these requirements internally. There follows a discussion on typical conduct-related breaches seen in the commercial banking sector and the challenges of ensuring appropriate mitigation for such breaches. Hybrid/remote working since the COVID-19 pandemic has required a keener focus by banks on managing additional and exacerbated conduct risks, and in considering various theories of ethical decision making, parallels can be drawn with the difficulties relating to more contemporary, wider socio-political issues. However, there are practical steps that firms and employees can take to ensure decision making in this area continues to operate effectively, even in times where there seems to be little consensus of what is in fact the right decision to make.
    Keywords: conduct; ethics; breach; framework; misconduct; mitigation

  • Understanding the human factor in financial crime compliance
    Gizem Tansu, Global AML and Sanctions Manager, Worldline

    Financial crime compliance (FCC) is a complex and multifaceted field that requires a thorough understanding of various risks, including those related to human behaviour. In risk management, it is common to assume that the human factor is a source of risk without fully understanding the root causes or finding solutions that are widely understood. This paper aims to shed light on the concept of human risk in FCC by examining both the compliance perspective and the cognitive psychology of human behaviour. Numerous examples are provided to illustrate different types of risks, which are categorised as errors or violations based on various factors such as knowledge and skills. By analysing the psychological factors that contribute to human risk, the paper seeks to provide a more comprehensive understanding of this important issue and suggests ways to mitigate it, focusing on the role of compliance culture, identifying red flags and providing a formula for reducing or eliminating human risk. Given the increasing pressure on financial institutions to comply with complex regulations and prevent financial crime, it is crucial to consider the human factor and its impact on FCC. By understanding the underlying causes of human risk, financial institutions can take steps to mitigate this risk and better protect themselves and their customers.
    Keywords: financial crime compliance; risk management; human risk; cognitive psychology; compliance culture; robust compliance programme; feedback culture

  • Strengthening US financial institutions’ sanctions compliance through better data and continuous monitoring
    Jim Dinkins, President, Thomson Reuters Special Services

    The Russian invasion of Ukraine in February 2022, and the subsequent slew of sanctions imposed by the United States (USA), European Union (EU) and other lawmaking bodies, illustrated current challenges in financial institutions' sanctions compliance programmes. These challenges evolve as economies continue to become more intertwined and sanctions continue to be imposed at a global scale. New sanctions regimes, evolving regulations, increased transactional volumes and rapidly changing geopolitical situations create a complex regulating environment to operate in and comply with. The challenges of this complex regulating environment fall into three broad categories: the global reach of sanctions when large multi-state bodies like the EU or United Nations (UN) impose them and when the target is a large economy with vital economic relationships with many other countries; the timing of various sanctions (eg when the EU imposes sanctions, then an individual European country imposes separate sanctions and then various countries begin adding individuals or entities ad hoc to their sanctions); and identity resolution in terms of the sanctioned entities and individuals. These challenges are a major complication for financial institutions since getting compliance wrong could lead to heavy fines and even criminal prosecution. This paper will illustrate the global issues with sanctions programmes that were acutely revealed when governments enacted large and unprecedented sanctions on the 11th largest economy in the world, how the current approach to sanctions compliance is inadequate to address such a complex and ever-changing sanctions environment, and, finally, how to strengthen sanctions compliance and manage risk with better data, proactive network building, continuous monitoring and adverse media screening.
    Keywords: global sanctions; Russia sanctions; banking; compliance; adverse media screening; data

Volume 6 Number 3

  • Editorial
    Mario DiFiore, PhD, Editor, Journal of Financial Compliance
  • Practice papers
    China’s cross-border data sharing requirements: Compliance challenges for global institutions
    Eugenie Shen, Managing Director, Head of Asset Management Group, Asia Securities Industry & Financial Markets Association (ASIFMA) and Alex Roberts, Counsel, Linklaters

    To protect public and societal interest, ensure network security and safeguard national security, China has passed a series of data security and data protection laws in the past few years which, due to the cross-border data transfer or sharing restrictions under these laws, pose particular challenges for global institutions, especially financial institutions, which need information from their subsidiaries or counterparts in China. This paper summarises the three principal laws that govern the collection, storage, transfer and use of data within China and what global institutions with connections to China need to know.
    Keywords: data security; data privacy; data transfer; personal information; Cyberspace Administration of China (CAC); China Securities and Regulatory Commission (CSRC)

  • ESG ratings: How to undertake a proactive review to minimise any hidden fraud and corruption and improve a company’s governance rating
    Duncan Smith, Deputy Head of Investigations, European Investment Bank

    This paper describes a framework used by the European Investment Bank (EIB) — that would be transferable to interested compliance and investigation teams of corporate entities — to undertake proactive fraud reviews. These processes (at EIB known as Proactive Integrity Reviews but by other names at other multilateral development banks (MDBs), such as Detailed Implementation Reviews at World Bank) assess the weaknesses and gaps that may have been (or in the future could be) exploited by fraudsters. A key part of the review is to make remedial recommendations that, if implemented, would minimise fraud and corruption in corporate supply chains and other key processes. Conducting such reviews can be time consuming and costly but, when undertaken in high-risk processes where there is no actual allegation of fraud or corruption having occurred, can identify a number of fraud risks. Among the benefits of these reviews are (i) maintaining (or even improving) the company's environmental, social and governance (ESG) rating and share price; (ii) minimising fraud and corruption risk; and (iii) limiting the danger of: (a) related and potentially expensive litigation; (b) significant negative publicity; and/or (c) a law enforcement agency's criminal investigation and prosecution.
    Keywords: proactive reviews; weaknesses; fraud; corruption; detection

  • It’s not the algorithm, it’s the ethics
    Gary M. Shiffman, Giant Oak, Consilient and Christopher Wall

    Machine learning and artificial intelligence (ML/AI) technologies have transformed nearly every industry, helping to realise unprecedented efficiency and effectiveness in a variety of tasks once thought the exclusive domain of humans. The financial compliance industry, however, lags its peers in adopting ML/AI tools in spite of it being readily available and promising to reduce costs for financial institutions. This paper argues that the reason for delay in adoption is not ignorance of the technology but the lack of a moral consensus around its use in financial compliance. The ethics and morality behind the adoption of ML/AI tools and why compliance professionals are discouraged from adopting it in their compliance programmes are explored. The paper introduces the trolley car problem and how this explains the lack of a moral consensus of the use of ML/AI in compliance. It then explores why, even though machines today can pass the Turing test, machines are not capable of making moral judgments, meaning humans remain responsible for the actions taken by ML/AI. This creates an unprecedented burden about making moral decisions without any real benefit to compliance officials who want to do good. The argument is that if regulators change the incentive structure away from conformity to saving lives, and making this the moral regime guiding the use of ML/AI, technology adoption would increase and allow the compliance industry to change the world for the better.
    Keywords: machine learning; artificial intelligence; ethics; moral philosophy; Turing test; financial compliance

  • The synergy between the UK senior manager regime area of ‘reasonable steps’ and diversity and inclusion
    Ramita Dhillon, Head of Compliance, British Arab Commercial Bank

    Regulators were somewhat late to the game when identifying the true value of diversity, especially given the global nature of financial services. Only in the past few years have they managed to focus on the benefits of diversity and inclusion in all its forms and at every level of an organisation. The paper aims to offer some insight into the diversity and inclusion journey that both the financial industry and the regulator have been on, and continue to be on. This has accelerated during the past few years and is driven by an overwhelming need to raise standards within the industry, but also to provide insights into the positive benefits of diversity by allowing the breadth of experience, knowledge and insights to thrive in an effective, all-encompassing and forward-looking business strategy.
    Keywords: senior managers regime; diversity; inclusion; reasonable steps; healthy corporate culture; good conduct; accountability; fitness and propriety; governance; risk management

  • Getting controls under control
    Jamila Piracci, Senior Advisor and Christopher Beckmann, Senior Analyst, Patomak Global Partners

    Organisational decision making related to compliance programmes often centres around the costs of compliance. Instead, compliance leaders within organisations should reframe the discussion around value. This paper discusses mechanisms to measure and capture the value of compliance through a tailored set of controls. It seeks to define compliance controls, discuss the consequences of ineffective controls, and describe examples of effective controls related to staffing, testing and technology, which can guide compliance leaders in updating their compliance programmes. Further, the paper proposes the development of a return-on-investment metric for compliance controls and considers how this may materialise in practice.
    Keywords: controls; processes; ROI; swap dealers; reputation; effectiveness

  • Potential applications of emerging technologies to anti-money laundering compliance programmes
    Barrie VanBrackle, Partner, Parag Patel, Partner and Victor Razon, Associate, Latham & Watkins

    The potential applications of emerging technologies to anti-money laundering (AML) compliance programmes present a variety of benefits and challenges to financial institutions. Recently, technologies such as machine learning and natural language processing, biometrics, geolocation, and blockchain and smart contracts have shown tremendous potential to bolster the AML compliance efforts of financial institutions. However, the use of these technologies in AML compliance programmes of financial institutions presents a number of challenges. This paper discusses these emerging technologies, the potential applications of such technologies to AML compliance programmes of financial institutions, and the associated benefits and challenges of these potential applications. This discussion is particularly important given increased regulatory scrutiny of financial institutions and their AML efforts in recent years.
    Keywords: anti-money laundering; blockchain; artificial intelligence; biometrics; geolocation

  • Keys to a successful compliance testing programme
    Ellen Rose, Managing Director, Treliant

    Building a successful compliance testing programme is a crucial component of a financial institution's risk management programme. Regulatory requirements and industry best practices dictate that the three lines of defence model be built and implemented to manage risk through policies, processes, procedures, systems, testing and documentation. This paper will explore the fundamentals of each of the lines of defence, testing within the lines of defence, and foundational elements that assist in developing, implementing and improving a compliance testing programme. It is important to note that testing should be conducted in all three lines of defence including, but not limited to, peer reviews, quality control, quality assurance, business risk and controls testing, compliance testing, transaction testing and testing by internal audit. The best way to be assured as to whether controls are working is through testing. Testing across the three lines of defence should be developed and implemented in accordance with the size and complexity of each financial institution. Testing should be risk-based and result in reporting and action performed by the institution. There is little point in testing if results are not acted upon.
    Keywords: test; testing; defence; risk; control; monitor; monitoring; RCSA; quality

  • Action–reaction: US financial regulation meets ESG considerations
    Jeffrey P. Naimon, Partner, Caroline M. Stapleton, Senior Counsel and Benjamin M. Litchfield, Associate, Buckley

    In this paper recent legislative trends in the United States in response to environmental, social and governance (ESG) measures adopted by financial institutions are discussed. The paper explores new sources of potential compliance risk associated with states enacting and enforcing so-called anti-ESG laws, which are designed to protect firms such as fossil fuel companies and gun manufacturers from the expected detrimental impact of socially responsible banking and investment policies. It refers to existing anti-discrimination compliance paradigms to provide insights regarding how financial institutions may minimise the compliance risk associated with these anti-ESG measures.
    Keywords: environment; social; governance; ESG; banks; anti-discrimination

  • Navigating state data privacy laws: A guide for SEC-registered investment advisers
    William Nelson, Associate General Counsel, Investment Adviser Association

    This paper focuses on prominent issues surrounding state data privacy laws, specifically looking at the California Consumer Privacy Act (CCPA), which was amended and expanded by the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA). Due to the lack of a comprehensive federal privacy law, state data privacy laws have recently raised several issues for Securities and Exchange Commission (SEC)-registered investment advisers as they try to navigate through new markets and new industry practices. As such, this paper addresses the similarities and differences between the CPRA, CPA and VCDPA. The paper also provides compliance guidance for investment advisers to address the varying obligations under these laws.
    Keywords: SEC; investment adviser; compliance; data privacy

Volume 6 Number 2

  • Editorial
    Mario J. DiFiore, Editor, Journal of Financial Compliance
  • Practice papers
    AI model risk: What the current model risk management framework can teach us about managing the risks of AI models
    Catarina Souza, Head of Model Development and Review Division, Bank of England

    The rapid adoption of Artificial Intelligence (AI) among financial institutions in recent years creates several opportunities, but also presents significant risks that require adequate risk management. Despite advances in recent years, AI regulation remains fragmented. This creates a challenge for financial institutions when looking for guidance on how to address the emerging risks presented by the use of AI. Given the complexity and speed of revision, AI models tend to propagate and amplify existing model risk. This grants them the potential to be more harmful, and raises important model ethics concerns. This paper discusses how the existing model risk management framework can offer important lessons for financial institutions on how to tackle these emerging risks. Additionally, the paper explores possible enhancements to the model risk management framework in order to address the unique challenges posed by AI models. These include adapting governance and policies, including model ethics considerations; enhancing model risk identification and classification; and updating model life cycles, with an emphasis on data management, model development, validation and monitoring. While the author agrees that AI risks are diverse in nature, the focus of the paper is on the risks derived from the use and development of AI models.
    Keywords: model risk; SR 11-7; artificial intelligence (AI); machine learning (ML); model risk management; model life cycle; model ethics

  • Combatting market abuse within algorithmic trading in the financial and physical markets
    Jerry De Leeuw, CEO, Entrima

    The objective of this paper is to provide an overview of the challenges regarding algorithmic trading for traders, trading venues and regulators. The complexity of algorithmic trading is set out, as well as the implications for markets. The paper gives insight into the uncertainty arising from this complexity, and sets out what compliance measures are useful and what a governance framework should look like when considering algorithmic trading. It also provides details of the types of market manipulation that relate to algorithmic trading, what can be done against it and to what extent these measures and controls work.
    Keywords: algorithmic trading; market manipulation; pre-trade and post-trade controls; kill switch; order-to-trade ratio; direct electronic access; governance framework

  • Application of the Certified Persons Regime: Evolving best practice and potential pitfalls
    Louise Gowland, Head of UK Legal Entity Compliance Oversight, Senior Vice President, Northern Trust

    The primary impetus for the birth of the Senior Managers and Certification Regime (SMCR) was to improve accountability throughout financial services following the 2013 Parliamentary Commission on Banking Standards report, ‘Changing Banking for Good’. A particular focus of the regime has been on those performing senior manager functions (SMF), which are subject to a statutory ‘duty of responsibility’. Under this statute, SMF role holders can be held personally accountable if it is proved that they did not take ‘reasonable steps’ to prevent or stop a breach occurring within their area of responsibility. Throughout the consultation of the regime, the regulators made it clear that firms were not required to necessarily change how they organised themselves, did business or, indeed, hire additional staff as a result; they intended a clarification and reinforcement of governance structures of in-scope firms. Prescribed Responsibility (b) outlined in SYSC 24.2.6(2)R denotes ‘Responsibility for the firm's performance of its obligation under the certification regime’. This prescribed responsibility is demonstrative of the regulator's view of how a firm is structured and organised being the responsibility of a senior manager within the in-scope legal entity. This paper considers the best practice approaches taken to meet the certification requirements of the regime, some of the key challenges and potential pitfalls firms face in this regard and reflects on what could be considered best practice.
    Keywords: fitness and propriety; accountability; responsibility; methodology; technology

  • UK MiFIR transaction reporting: Fundamental, crucial, a common good — but typically wrong
    Charlotte Longman, Director, ACA Group

    The FCA repeatedly states that complete and accurate data is crucial to transaction reporting. Errors across multiple reports could not only lead to undetected market abuse, but pose significant financial, reputational and compliance risk for firms. Research and analysis conducted by ACA Group has identified persistent and significant problems in submitted transaction reports, including more than six million transaction reporting errors, and that 97 per cent of reports under MiFIR/EMIR contain inaccuracies. Furthermore, analysis suggests that many investment firms are not performing adequate reviews of the quality of submissions. Findings indicate that firms' processes here remain underdeveloped or are otherwise hindered by a misplaced confidence. Such errors and inaccuracies undermine the FCA's ability to identify market abuse and, thereby, erode the regulator's ability to meet its statutory objective to protect and enhance the integrity of the UK financial system. It is clear that significant errors are still being made four years after implementation. The FCA has hinted it will be combating persistent reporting failings, so it is becoming a question of ‘when’ and not ‘if’ we start hearing about firms being fined or censured. This paper seeks to highlight some of the root causes for those errors and suggests best practices for firms to adopt to begin to prevent and/or remedy mistakes.
    Keywords: MiFID/MiFIR; transaction reporting; FCA reporting; reporting errors; data quality; regulatory technology; monitoring and review

  • The use of RegTech in fighting financial crime
    Igor Sumkovski, Senior Manager, Sanctions Policy & Complex Advisory, Legal & Regulatory, Santander

    The fast pace of technological change and the ever-evolving regulatory landscape create a unique environment in which the financial institutions (FIs) are expected to perform at their maximum while remaining compliant with complex regulations. The compliance complexity ultimately results in higher costs for FIs and banks specifically, as this often means increased numbers of compliance staff and investing in new technologies. However, while investing in a sophisticated RegTech solution may seem a viable option for addressing the complex compliance requirements, in practice the situation is much more complicated. Implementing the latest RegTech solution in a traditional bank, particularly in one with a history of mergers and acquisitions where the legacy systems may still be in use, and where the data is held on different and sometimes incompatible platforms, is a good example of the complexities that arise in the decision-making process. This paper focuses on the practical challenges faced by a traditional bank when considering the implementation of a RegTech solution and also explores how RegTechs and banks can work together in order to overcome these challenges by better understanding each other's perspectives.
    Keywords: financial crime; AML; sanctions; compliance; screening; RegTech; machine learning; AI

  • Pan-European regimes: A pathway to mitigate lack of trust and complexity in insurance
    Ana Teresa Moutinho, Head, Supervisory Processes Department and Andres Lehtmets, Expert, InsurTech, European Insurance and Occupational Pensions Authority

    Over past years the insurance market has pursued a consistent and integrated approach in order to address well-known problems such as the overall complexity of insurance products, the lack of consumer confidence and, consequently, the detachment from, and reduced feeling of loyalty towards, insurers. Regulators across different sectors globally are turning to increasingly innovative approaches to disclosure and have placed greater focus on regulating product design. Yet, in the area of EU insurance services regulation, these approaches have not been implemented effectively. Most insurance products remain highly complex for average EU consumers. Hence, it is time to reflect the digital zeitgeist in EU disclosure and distribution rules, and to achieve the maximum level of consumer protection and facilitate the single market in the digital world. Consumer-centric product design, digital distribution and disclosures will help meet consumers' expectations, facilitate understanding of the financial market and support a sufficiently high and consistent level of consumer protection throughout Europe. A regulatory Pan-European regime has the potential to cut through regulatory challenges and build trust in cross-border financial services, contributing to the Capital Market Union objectives. It facilitates the use of digitalisation and provides a strong basis for supervision, which will foster trust and confidence in European citizens. European coordination will allow the EU to compete at international level, and enable European consumers to reap the benefits of the single market.
    Keywords: insurance; InsurTech; disclosures; consumer protection; supervision; financial regulation; digitalisation

  • Does decentralised finance equal deregulated finance?
    Daniel J. Davis, Partner, Financial Markets and Funds and Sheehan H. Band, Associate — Financial Markets Litigation & Enforcement, Katten Muchin Rosenman

    DeFi is a fast-growing sector of the blockchain ecosystem. In this paper, readers are introduced to key concepts in DeFi, including use cases for the technology, differences between permissionless and permissioned DeFi, and the respective advantages of participating in DeFi vs. CeFi platforms. Unlike CeFi, in which a central platform or party acts as an intermediary to facilitate crypto asset transactions, DeFi protocols and platforms rely on self-executing smart contracts to perform their functions and do not custody their users' assets. Accordingly, there are open questions as to how DeFi can be regulated. Indeed, some declare that DeFi should not be regulated. This paper analyses the key arguments in favour of and against regulation of DeFi in the context of the recent crypto asset market instability, including a breakdown of various theories of liability under which regulators seek to identify bad actors and penalise harmful activity. It then synthesises recent statements and enforcement activity by US regulators, including the Commodity Futures Trading Commission, Securities and Exchange Commission, Department of Justice, Financial Crimes Enforcement Network and legislative activity, including President Biden's recent executive order, and the Lummis–Gillibrand Responsive Financial Innovation Act. To date, US lawmakers and regulators have viewed the label ‘decentralised’ with scepticism, applying a functional analysis to identify participants exerting various degrees of control over DeFi protocols in order to enforce regulations.
    Keywords: DeFi; blockchain; crypto; regulation; SEC; CFTC

  • International regulatory and oversight trends in financial consumer protection: What can be gleaned from the UK, Portuguese, Irish and Canadian experiences?
    Lucie Tedesco, Strategic Advisor & Counsel, Financial Services, McCarthy Tétrault

    Political and economic events with global ramifications continue to afflict new regulatory regimes. These regimes are being developed to address events such as COVID-19 and climate change, and developments in areas such as diversity and inclusion, cybersecurity, ESG (Environmental, Social, and Governance), cryptocurrency, etc. These developments have forced organisations and regulators alike, including financial sector regulators, to assess their impact on the way regulators perform their work. This paper describes some of the trends related to financial conduct oversight that have emerged recently in the UK, Portugal, Ireland and Canada and how conduct authorities in these countries have responded to address these trends. It endeavours to shine a light on initiatives that have been taken by some regulators to advance conduct oversight and the protection of consumers in their respective countries. It is meant to sensitise and inform jurisdictions (whose conduct frameworks may not be as developed as those studied for this paper) to the progress that is being made in the area of conduct policy and supervision. It is hoped that it could also serve as a potential preparatory tool for compliance practitioners whose conduct authorities may be contemplating similar changes to their frameworks.
    Keywords: conduct oversight; conduct regulation; conduct compliance; regulatory trends; regulatory compliance

  • Book review
    Trading at the Speed of Light: How Ultrafast Algorithms Are Transforming Financial Markets
    Reviewed by Alexander Culley, CEO and Founder, C&G Regulatory Solutions

Volume 6 Number 1

  • Editorial
    Mario J. DiFiore, Editor, Journal of Financial Compliance
  • Practice papers
    Managing trade and communications surveillance in the new world of work
    Yasmine Li, Head of EMEA Surveillance, Global Head of Commodities Surveillance, Macquarie Group

    The COVID-19 pandemic has introduced changes in technology and the working environment which have ultimately changed the risk profile and risk manifestation within financial organisations. Alongside the ever-increasing conduct-focused regulations globally, surveillance has never been so important. As a control, surveillance frameworks and programmes must adapt to stay effective and relevant to the changing times. This paper describes the challenges and steps that can be taken to uplift surveillance practices in response to regulatory scrutiny, technology advancements and culture shifts as firms embrace hybrid and remote working set-ups.
    Keywords: artificial intelligence; AI; human trafficking; model risk management; compliance

  • Perpetual know your customer: A new approach to addressing customer due diligence
    Henry Balani, Head of Industry & Regulatory Affairs, Encompass Corporation UK

    Perpetual Know Your Customer (pKYC) represents a new and alternative approach to the traditional customer due diligence process currently practised at many regulated financial institutions (FIs) today. FIs adopt a periodic approach in identifying anti-money laundering risks within their customer base as part of a government regulated compliance process. Conventional KYC processes can be ineffective and costly in managing compliance risks, with cumbersome and complex customer onboarding processes. Increasingly, FIs see value in adopting pKYC approaches either alongside or as a replacement for their current processes. This article describes pKYC and how it differs from traditional KYC processes; the benefits and challenges to adopting pKYC; and the right use cases within an FI. pKYC is a continual approach to customer due diligence, potentially replacing traditional forms of customer onboarding. This alternative approach, while it increases operational costs within an FI, does provide benefits in terms of reduced compliance risk exposure. This reduced exposure is achieved as a result of adapting continual review processes leveraging current customer and external reference data during the review process. This article finds that not all FIs can necessarily benefit from pKYC despite the inherent advantages. FIs need to consider their current KYC process that would be appropriate for their line of business. Lines of business that have high risk portfolios and volumes are typically the best candidates for adopting pKYC, compared to FIs that have relatively static and smaller customer bases. The article also provides the reader with a framework for understanding pKYC in the context of adopting such an approach in their FIs so as to make a more informed decision.
    Keywords: surveillance; trade reconstructions; hybrid working; market abuse; conduct rules

  • Can implementing classic management theories in the KYC process help achieve high regulatory compliance?
    Sabina Ausfelt, Head of Financial Crime Prevention, JAK Medlemsbank

    Banks and other financial institutions (FIs) today face completely different challenges than they did 20 years ago. Since the Fourth Money Laundering Directive (EU 2015/849) came into force in 2014, the aim was to counter money laundering and terrorist financing. FIs have had to change their priorities and spend large sums on regulatory compliance in this area. The legal requirements found in national legislations across the EU, which are based on the implementation of the EU Money Laundering Directive and associated regulations, are one of the FIs' biggest challenges today. The ‘know your customer’ (KYC) process is a costly and complicated process that includes administration and alternating contacts with the customer. The process places high demands on regulatory compliance as the KYC process is governed by national legislation, directives, and regulations. The requirement for a risk-based and holistic view on the money laundering and terrorist financing (ML/TF) risks also requires that the process adapts to the outside world. This is difficult for the middle and larger financial institutions to comply with without automation. Despite the complexity of the process, the literature review conducted by the author shows that the main research focus is on technology, cost efficiency and customer satisfaction. Only a few raise the issue from a compliance perspective, and even fewer highlight both technology and compliance in the same research. With research focused on developing strategies for enhanced customer satisfaction and cost and time efficiency, what strategies are there to succeed in implementing a KYC process with all attributes above at the same time as it is fully compliant with regulations, ie risk-based and holistic?
    By applying and implementing classic management theories into the anti-money laundering regulatory control environment, the author believes that it is possible to have a KYC process that is cost and time effective, has a high level of customer satisfaction, and at the same time is highly compliant with AML/CTF regulations.
    Keywords: KYC process; organisational learning; compliance; anti-money laundering; financial institution; AML/CTF

  • Preventing and addressing AML/CFT risks of digital finance: The European regulatory and supervisory perspective
    Joana Neto, AML/CFT Data Specialist, European Banking Authority (EBA)

    Digital finance is not a new phenomenon, yet the impact of new technologies in the financial services industry has escalated over the past years. Despite bringing disruption of products and services on both front and back end, its opportunities involve inherent risks. The ones of money laundering and terrorist financing require special attention as they can have an impact on the integrity and stability of the financial markets. This paper focuses on the interlinks between these two worlds from a regulatory and supervisory perspective, based on the recent work developed by the European Banking Authority — that currently holds the statutory objective to prevent the use of the EU's financial system for money laundering and terrorist financing (ML/TF) purposes. For that purpose, this paper analyses: the main opportunities and challenges; the causes of the identified challenges; the role of regulation and supervision in the fight against the ML/TF risks that arise from these emergent business models, services and products, in the European market; and the future of digitalisation.
    Keywords: AML/CFT; money laundering; terrorist financing; digital finance; platformisation; regulation; supervision

  • How can misconduct behaviours and abuse of position be better identified, and what are the drivers for committing fraud and theft?
    Tracey Carpenter, Insider Threat Manager, Cifas

    This paper explains the threats that the COVID-19 pandemic poses to the security of organisations from an insider threat perspective, as well as summarising some of the drivers of dishonesty and discovering how employees may be presented with the opportunity to commit fraud and theft, have an underlying motivation or be in a position to rationalise their behaviour. The paper also examines how the insider threat has evolved over time, focusing on how attitudes, greed and technology have enabled employees to defraud their employers. It also looks at how blurred lines and white lies can lead to fraudulent behaviour, as well as recommendations on how to keep your company safe from insider threats.
    Keywords: Taxonomy; compliance risk; stakeholders; strategy; objectives; value

  • New AML regulation: From ‘virtual currency’ to ‘crypto assets’ — differentiation from tokenised financial instruments and potential concerns over the perceived end of pseudonymity in the crypto sector
    Stefan Tomanek, Legal Expert and Ralph Rirsch, Team Lead, Austrian Financial Market Authority

    In adopting new regulatory measures, the EU is increasing its efforts to prevent money laundering and terrorist financing. Aside from a uniform and EU-wide ban on cash transactions over €10,000 and the establishment of a common European anti-money laundering (AML) authority, the new rules specifically tackle the growing crypto economy. While existing AML regulations already cover various business activities related to crypto-assets such as Bitcoin & Co., there is still considerable leeway for interpretation and uncertainty. The currently applicable definition of ‘virtual currencies’ and demarcation issues to financial instruments subject to stricter regulatory regimes are prominent examples of this. As an answer to these issues the new term ‘crypto-asset’, introduced by the upcoming crypto regulation MiCAR, is going to be consistently used in the new anti-money laundering regulation as well as MiCAR, promising more legal clarity for the future. Meanwhile, headlines about the alleged end of ‘(pseudo)anonymity of crypto-assets’ due to the new AML rules are already appearing on the European media landscape. This paper provides an overview of the potential implications of these new regulations for businesses, investors and users, as well as seeking to alleviate some of the fears of the market.
    Keywords: employee fraud; insider threat; working from home; hybrid working

  • Data risks and security in the financial sector: Adapting to a new environment
    Claudia Guagliano, Head of Innovation, Products and Technology Unit, Risk Analysis and Economics Department, and Alexander Harris, Senior Risk Analysis Officer, European Securities and Markets Authority

    Huge increases in data generation and storage volumes in recent years, coupled with technological innovations, are changing the nature of data risks in the financial sector. Several factors determine the nature of data risks: (a) the way technology is used; (b) the profile of financial sector entities and their interconnections; (c) the cyberthreat landscape; and (d) awareness and practices among legitimate users of data. How these factors are evolving in an increasingly complex digital environment is described. To manage the changing data risk profile, the EU regulatory framework is adapting. Key regulatory developments in the financial sector include the Digital Operational Resilience Act (DORA) proposal and the recent advice from the European Supervisory Authorities in relation to digital finance. More broadly, the Digital Services Act and the Digital Markets Act aim to create a safer digital space for EU citizens.
    Keywords: cybersecurity; data security; digital finance; operational risk

  • The regulatory leap into big data and machine learning: Practical advice for compliance officers
    Bo Howell, Cofounder and CEO, Joot

    The domain of big data encompasses several buzzwords, including artificial intelligence, machine learning, emerging technologies and big data itself. Across industries, new technology generates both fascination and fear, but factors that drive innovation vary widely from industry to industry. The financial services industry is characterised by an ambivalence toward innovative technology, with many financial services firms embracing it and many more regulatory compliance professionals resisting it. This paper is divided into two parts: Part 1 describes the state of regulatory technology in financial services and Part 2 offers practical advice for compliance officers seeking to implement innovative technology projects at their firms, particularly using machine learning applications. The paper concludes with suggestions for future research and practice.
    Keywords: big data; data analytics; artificial intelligence; machine learning; RegTech; Securities and Exchange Commission (SEC); small and middle-sized businesses (SMBs)

  • The effect of organisational leaders on employee voice and employee silence
    Manon de Zwart-van der Ham and Marjo van den Broek

    Employee silence has been identified as a contributor to a host of detrimental outcomes for an organisation. Employee voice is seen to contribute to an organisation's effectiveness, eg by making better decisions possible. Four main drivers play a role in a decision to speak up or stay silent. They play a role in speaking up both inside and outside the organisation. These drivers are attitude, capability, safety and social cues. Factors that play a role are role modelling, trust, the feeling ‘it is easy’ and ‘it must be worth it’. Organisational leaders play a critical role in improving the culture to speak up and increasing the number of employees who speak up. Getting employees to speak up is important for every company, whether to make the right decisions, take a stance on societal issues or to detect misconduct. This research reveals that more needs to be done than just provide reporting channels and communicate where to find the information. The recommendation is that companies work on all four drivers to battle employee silence in an organisation.
    Keywords: employee voice; employee silence; leadership; diversity of thought; speak up; culture

  • Adopting RegTech: A practical guide
    Harpreet Singh, Global Lead, Post-Trade Solutions, BCM, Luxoft Financial Services

    As the regulatory burden increased over the last decade, financial institutions aimed to consolidate their regulatory solution to improve efficiency and enhance compliance. RegTech grew as a segment with multiple vendors, financial institutions and regulators all working together to find solutions that would enable adherence to the rules. Newer technologies such as cloud, artificial intelligence (AI) and data analytics began to dominate, with further innovations making regulatory systems more foolproof. Underpinning these advancements is the ability of the RegTech system to improve data management. In return, data quality enhancements provide reliable AI and more trustworthy RegTech systems. This paper analyses insights from global regulators on RegTech and underlying technologies, and provides practical guidance for implementation.
    Keywords: RegTech; SupTech; cloud; artificial intelligence (AI); banking and capital markets; digital technology; regulatory systems; regulation; compliance; data quality; financial services; DaaS; IaaS; PaaS; SaaS