Skip to main content
Category

Blog

Mar 25
Love0

What makes a good RegTech partner: fit and scalability

By Blog

Finding the right RegTech partner can be difficult. So we sat down with an industry expert to get his take on how he evaluates vendors.

As an expert in regulatory change management, Vincent Schultinge has seen the evolution and impact of regulation on financial firms firsthand. So, naturally, he has also been drawn to the niche industry that emerged to try to solve these RCM challenges—RegTech. 

Now, in his current role as a senior RegTech consultant at ING, he is responsible for defining, developing and implementing RegTech innovation throughout the ING organization. During his sit-down with Ascent, Vincent shares:

  • His perspective on what makes a good RegTech partner
  • What methodology ING follows when looking to implement a RegTech partner
  • How making machine readable regulation will open doors for the future of RegTech

Editor’s note: This interview has been lightly edited for clarity.

Using RegTech Maturity as an Evaluation Benchmark

To Vincent, managing regulation is a task that’s too fluid and too risky to put into the hands of new-to-the-market solutions. Here’s how he considers the maturity of RegTech.

When assessing a RegTech provider, you want to make sure it fits your business’s demands. I have a firm belief that we should strive for market standard solutions. Therefore I look to see whether a RegTech has the potential to become a market standard for their solution or offering. Once we have measurable results from a Proof of Concept (PoC), then we can decide if a RegTech is suitable for our purpose or not.

The way we assess RegTechs differs from the way we look at other vendors. Due to constant regulatory oversight as a bank, we have less freedom to experiment. For many business cases we will look for parties that are more mature and that have, for example, delivered the equivalent product to our peers or are engaging in sandboxes with regulators.

 

Being Able to Audit RegTech’s Black Box

Vincent believes that “auditability” is a key factor that firms should also consider when determining whether or not to work with a RegTech provider.

Providers should always be able to explain and demonstrate how their machine learning works. For risk and compliance teams, auditability of machine learning is absolutely key. If you can’t audit a technology solution properly, especially a machine learning solution, it becomes Pandora’s box. Not to mention that regulators won’t accept anything less than full transparency.

 

Aligning Around a RegTech Provider

At ING, Vincent’s team relies on what they call “PACE” methodology when considering what RegTech solution to implement.

Whatever methodology you are using to implement RegTech, you have to be consistent, thorough, and constantly verify that you are doing the right thing. 

At ING, we use our in-house PACE methodology for the delivery of innovation. This applies to our delivery of RegTech as well. With PACE, we combine Design Thinking, Lean Startup and Agile Scrum into a single process. PACE consists of five stages being: discover, problem fit, solution fit, market fit and scaling. 

For us this works really well and we gained a lot of traction with this in the organization. On top of PACE methodology at the whole of ING we practice an agile way of working. This helps accelerate the way we set up PoCs as well as other partnerships. 

 

Unlocking the Value of RegTech

For RegTech to truly be effective, Vincent has learned that it’s important to first have a culture of innovation prior to implementing a solution.

It is essential that you have business owners with the right mandate and budget who are convinced by the usage of technology. Business and innovation teams have to be able to establish the demand and create strong use cases for the application of RegTech. Teams should collaborate in such a way that the business demand and the premise of the solutions are a true match. This will help with validating and demonstrating the benefit of using certain RegTech solutions along the way. Regardless of the size of the firm, you need the right innovative culture and the right appetite from business owners; otherwise, it just won’t work.

 

Using RegTech to Manage Pandemic Woes

According to Vincent, the pandemic has only amplified the need for RegTech.

Regulatory changes keep coming, especially considering that people are working remote and are having to align virtually due to the pandemic. Regulators demand that banks remain in control. So, firms need to be able to monitor upcoming changes in the regulatory landscape by scanning the regulatory horizon as well as assessing obligations and potential risks. This is where having proper tooling in place for horizon scanning and risk assessment will definitely help firms to maintain control in these difficult times.

 

Pioneering the Next Frontier of RegTech

What’s next for RegTech? Vincent believes that making regulation machine readable will open incredible opportunities for financial firms to unlock the true potential of RegTech.

In order for RegTech to play an even bigger role in the industry, we first need to look into a few things— machine readable regulations, data and format standardization, and global harmonization of regulations. If regulations, updates and guidelines become machine readable and ingestible globally, it will become easier for firms to demonstrate compliance and adhere to rules and guidelines more efficiently. It will open a whole range of possibilities for the adoption of RegTech within financial institutions.

The same applies to data and format standardization. If we can agree on common data and format standards, adherence to regulations becomes more efficient. With the financial system being a truly global system nowadays, it allows institutions to act across jurisdictions in a safer and more compliant manner. Together, with harmonizing regulations globally, this could translate into a much broader usage of RegTech within the financial system. This end goal is something that I believe will contribute to the overall safety and stability within the financial industry.

ING is a global bank that aims to empower people to stay a step ahead in life and in business. Visit ING’s website. 

For more content like this, subscribe to our email updates.

Subscribe


Mar 24
Love0

Press Release | Ascent’s AI Supports Global Financial Regulations

By Blog

Ascent’s solution ensures global financial firms can comply better and more cost-effectively in light of increasing regulatory burden.

Chicago IL (March 24, 2021) — Ascent announced today that its AI-driven platform is now capable of supporting financial regulators around the world, providing a clear path for businesses trying to make sense of complex regulation.

“Ascent is a technology company that has productized regulatory knowledge. That means that customers don’t have to keep paying more for service engagements, because ultimately Ascent delivers regulatory knowledge as a product.” —Brian Clark, President and Founder

Ascent generates a complete set of obligations targeted to each customer, which automatically stays up-to-date with changing regulation. Ascent’s obligations are both targeted to the customer and granular i.e. the individual requirements imposed on the firm, not an entire rule or large block of text that must be further analyzed by compliance personnel. Ascent’s offering of targeted regulatory knowledge is unique in the market and is a groundbreaking new way for firms to keep up with regulation without increasing costs. 

“Ascent is a technology company that has productized regulatory knowledge,” said Brian Clark, President and Founder. “That means that customers don’t have to keep paying more for service engagements, because ultimately Ascent delivers regulatory knowledge as a product. Once a regulator is in our system, obligations can be accurately mapped to any customer within minutes.”

Ascent has no implementation fees, no hidden API or user fees, and no service costs. Unlike legacy compliance system implementations or more traditional service engagements, customers can get up and running on the Ascent platform within days. Customers can access their obligations directly on Ascent’s cloud-based platform or connect it to downstream workflows or internal documentation in a GRC or other compliance management system via API. 

“Business leaders have realized that compliance is a necessary cost to lowering their risk,” said CEO Jon Leitner. “But if approached properly with the right technology, they now are beginning to understand that they can lower their cost and risk at the same time, which is a significant competitive advantage.”

Ascent’s targeted regulatory knowledge is flexible and can be leveraged by customers in a number of ways including creating and maintaining an always-current obligations register or rule inventory, automating regulatory change management, evidencing compliance to the Board or regulators, remediation, and more. Now with the capability to support global regulators at the product level, Ascent helps financial institutions reduce their regulatory and reputational risks while lowering their overall cost to comply. 

For press or media inquiries, please email press@ascentregtech.com.  

 

Interested in learning more? Contact us to request a demo or talk to our Sales team.

 

Subscribe below to get helpful articles and thought leadership that helps you stay at the forefront of compliance and technology.

Subscribe



Mar 11
Love0

Solution Highlight: Traceability of Obligations in Ascent

By Blog

Can you trace your regulatory obligations back to their source? Here we explain how Ascent helps you do exactly that.

Ascent offers targeted regulatory knowledge — in other words, the granular obligations that are relevant for your firm so you know exactly what you need to do to stay in compliance.

READ MORE: What are granular regulatory obligations?

 

As important as it is to have your granular obligations (i.e. the individual actions imposed on your business) in hand, it’s just as important to be able to trace every obligation back to its source. Traceability (or lineage) of your obligations ensures you have complete visibility into the exact rules and regulations your obligations originated from, allowing you to report on your compliance program with confidence.

It all starts with the regulatory texts themselves.

As part of our process, Ascent ingests complete regulatory texts and makes them easy to find, search, and consume — right in Ascent’s Rule Inventory. Having the regulatory texts themselves centralized on Ascent makes it possible to easily trace back where your obligations came from. 

Next, Ascent maps regulations to your firm.

When you get set up on Ascent, you answer a number of questions about your business — for example, what type of financial firm you are, where you operate, and what products or services you offer.

Based on your responses, Ascent automatically identifies which specific rules (or sections of a regulation) contain an obligation that is relevant to your business. You can then review the pertinent sections and confirm they are accurate.

Go to your obligations.

Ascent then generates the specific obligations that your firm needs to comply with. Your obligations are provided in an easy-to-read digital register, each displayed with a breadcrumb trail that shows clearly how the obligation can be traced back to a specific rule or section. Clicking on any parts of the breadcrumb trail will take you straight to that part of the regulatory text housed in Ascent’s Rule Library.

Never a black box.

Not only do regulators expect firms to know their regulatory obligations, they also expect firms to be able to demonstrate clear understanding of how those obligations were derived. 

Ascent..

  • Houses full regulatory texts for simpler, more centralized research
  • Uses AI-driven technology to map granular obligations to your firm
  • Provides a breadcrumb trail with every obligation so you understand exactly where your obligations came from

Interested in learning more? Contact us to request a demo or talk to our Sales team.

 

Subscribe below to get helpful articles and thought leadership that helps you stay at the forefront of compliance and technology.

Subscribe



Feb 16
Love0

Suspicious Activity Reports [Part 1/2]: Big Leaks, Tighter Controls

By Blog, Featured

SARs have been in the media a lot recently, dragging these reports into the limelight. Here we discuss how financial firms are expected to respond.

Suspicious Activity Reports (SARs) are undoubtedly the most sacrosanct of all anti-money laundering (AML) work product. Beyond confidential, these reports cannot be disclosed even at grand jury proceedings. Years ago the Financial Crimes Enforcement Network (“FinCEN”) issued a set of final rules on SAR confidentiality, expanding that secrecy from the SAR itself to disclosing the underlying transactions behind the report. By extension this rule has been further interpreted to include the rationale for filing, as well as any discussions on whether or not to file a SAR at all. Still, despite this secrecy, SARs have been referenced in the media a lot in the past few years, bringing the reports begrudgingly into the limelight. 

READ MORE: A New Dawn for AML Compliance + 7 Questions You Should be Asking

 

A Slow Crescendo: SARs in the Limelight

In 2008, there was a reference to a now-former state politician’s implication in a prostitution ring. At the heart of one article was the mention of how investigators were clued into the politician’s alleged misconduct thanks to a SAR filed by the bank where the politician went, trying to send unusual round-dollar transactions to the ring’s operator. Years later, the public was likely unaware of another “leak” event.

This leak was brought to light by an investigator at a bank who had actually reached out to the subject of a SAR to solicit a bribe in exchange for information on the case. It wasn’t until years later that SARs not only reemerged, but they did so with a bang. A major publication had been given in-depth details of SARs filed from multiple banks in regards to Michael Cohen, and his reported misuse of a shell company, as well as Paul Manafort, and a foreign agent named Maria Butina. The SARs were reportedly leaked from within the Treasury, and several guilty pleas have since been proffered.

Thankfully for both global and financial institutions, there were no indications that any banks had done anything unsound to cause or exacerbate the leak. Still, the articles and related activity should serve as a trigger event for financial institutions to review their SAR-related procedures to reinforce a framework of confidentiality. 

SAR Trigger Events: Financial Firms Expected to Respond

In part 2 of this article, we will talk about some of the institutional concerns regarding the “FinCEN Files”exposé from September 2020. Even though the majority of the recent SAR leak events have been sourced in the public sector, they should serve as a major trigger event for financial institutions to review their own policies and procedures regarding SAR confidentiality. 

Employees with any exposure to or knowledge of any area of AML compliance should be acutely aware that they should:

1) Never disclose the existence of (or contemplation of filing of) a SAR,

2) Immediately report any suspected breaches of SAR confidentiality.

In addition, when considering IT or information security testing, financial services firms should consider whether there are controls in place to limit access to case management tools, investigators’ case journals, and supporting documents.

These controls should focus both on internal privacy (i.e., need to know access only) and data tagging (i.e. confidential, classified, etc. for all SAR materials), as well as outward screening tools to ensure that SAR-sensitive documents are not sent out of the bank by email, external drive, or other file transfer methods.

Similarly, all SAR filing staff should have enhanced procedures and likely training to reiterate the need to store SAR-sensitive documents and communications in those secure platforms.

While financial services firms cannot anticipate all misconduct related to SAR leaks, it is guaranteed that they will need to demonstrate to their regulators that they have taken these recent leak events under consideration, and confirmed that all of their identifiable leaks have been plugged. This process starts by first identifying what your regulatory obligations are in regards to SARs and other FinCEN rules.

READ MORE: Broker-Dealer automates SEC, FINRA, and NFA obligations with Ascent

 

Know Your FinCEN Obligations

When it comes to identifying your requirements and obligations for FinCEN and other regulators, automation can create massive efficiencies. 

The process of collecting regulatory updates across multiple sources is time-consuming and at high risk for gaps. Conducting impact analysis to determine which of those updates are actually applicable to your firm adds another layer of manual work and complexity. 

Ascent is a regulatory knowledge automation solution that generates your firm’s obligations keeps them updated as rules change. Ascent helps compliance teams zero in on the regulatory information that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the organization.

INFOGRAPHIC: Regulatory Knowledge Automation, Explained

 

For more on regulatory knowledge automation and how it can play a role in your compliance framework, check out this blog. To stay up to date on all things compliance and technology, subscribe to our email series Cliff Notes below.

 

Subscribe



Feb 09
Love0

To Outsource or Not to Outsource Compliance?

By Blog

For years, the basic underlying approach to compliance has been to avoid a one-size-fits-all approach, tailoring controls and resources to your company’s own, unique risk profile.

In 2020, a few pieces of crucial guidance that didn’t just hint at, but flat out clarified regulatory expectations were:

»  The updated FFIEC BSA/AML Exam Manual

»  The re-issuance of the Evaluation of Corporate Compliance Programs, a piece of guidance that was reissued for the third time in four years, giving observers an idea of the weight of its implications

What these pieces of guidance don’t promote or rule out is the use of staff augmentation, consultants, and other support services to outsource compliance responsibilities.

With the ebb and flow of challenges in the past year, these guidances can be useful to firms trying to look for cost-savings while not increasing their compliance risk. 

Answering the Outsourcing Question

The biggest questions that should be answered by Chief Compliance and Risk Officers are:

What’s the highest risk area (i.e., in need of the most attention the most quickly) that cannot be supported by the current infrastructure (e.g., a new team would need to be built, taking 12-18 months to get off the ground)?

Those high-risk areas — whether it’s a system that needs to be onboarded and implemented, a BAU process that the company doesn’t have capacity for in-house, or a specific project (e.g., a look-back that leads to a policy/procedure refresh) — these are the areas that can potentially be outsourced. 

How Far Can You Go?

Undoubtedly, the safest area of compliance to outsource is training, with a wealth of service providers out there to build an LMS, create content, and even provide the training.

But moving into deeper compliance waters, how far out can a company go? 

The reality is that there are no limits to what can be outsourced for the FFIEC Manual and other sources of guidance. While the Manual and the DOJ’s guidance talk about “appropriate resources”, neither say it has to be internal resources per se, rather enough resources to ensure that a company’s risk stays in line with its RAS or other parameters.

Can you outsource the function of board-level oversight?  No, probably not.

But it’s likely that you can outsource all of the other levels leading up to that level. For example, the customer onboarding process for banks is ripe for managed services, whether its Customer or Enhanced Due Diligence. Transaction Monitoring and SAR filing are routinely supported through staff augmentation, whether in the short term for projects such as look-backs or the long term.

The reality is that there is no shortage of firms that will provide independent testing or model validation. It’s all, relatively speaking, safe to rely on outside sources up to a certain limit.

Checks and Balances

The limit of any involvement of managed services, projects, or other outsourced services is the amount, depth, and quality of the oversight provided by the hosting firm. What regulators look for is that the outsourcing that’s being done is rooted in the company’s risk assessment, and that—while the service provider may have some autonomy—there is sufficient oversight by the company.  

»  For example, can independent testing be outsourced on a needs basis? Yes. 

»  Should it be outsourced in whole, and in perpetuity? No. 

»  Should the managed services/outsourced services adhere to the hosting firm’s policies and procedures? Absolutely.  

»  Should there be internally-driven QA over the methodology used? Always.  

From the Regulator’s POV

To be quite frank, regulators have never specifically called out a company for the use of managed services. It has always been more about the underlying issues that caused firms to use outsourced companies in the first place that have raised any concerns versus the methodologies used by the outsourced companies to solve the issues.

In reality, most regulators understand the need to outsource, and are somewhere between sympathetic and encouraging when it comes to outsourcing. What they look for, and what financial firms should be looking for, is balance.

Are you outsourcing certain areas of compliance, so that that function, business, etc. can be sustainable going forward? If the answer is yes, it’s likely that you’re on the right path.

When it comes to outsourcing, the industry is seeing that balance and sustainability take time, and that relying on the bench strength of managed services is not only viable, but seems to be the way forward.

READ MORE: What Recent OCC Enforcements Signal for Firms

 

First, Know Your Obligations

As you consider whether or not to outsource parts of your compliance program, it’s important to remember that your regulatory obligations are the first and most fundamental step in determining what your compliance framework should be. As a regulatory knowledge solution, Ascent is a powerful tool for both in-house compliance teams and third-party legal advisors and consultants. 

By providing a constantly-updating register of obligations targeted to your firm, Ascent serves as the single source of regulatory truth for all parties involved in your compliance program, ensuring that everyone is on the same page, working off the same data. 

INFOGRAPHIC: Regulatory Knowledge Automation, Explained

 

To see a demo of our AI-driven regulatory technology, contact us. To stay up to date on all things compliance and technology, subscribe to our email series Cliff Notes below.

 

Subscribe



Feb 01
Love0

A New Dawn for AML Compliance + 7 Questions You Should be Asking

By Blog, Featured

To those in the anti-money laundering practice, Nina Simone’s memorable singing that it’s a “new dawn” and “a new day” may be best suited to the recently-passed Anti-Money Laundering Act (AMLA) of 2020. Passed as part of a broader National Defense Authorization Act (NDAA), the AMLA is likely the most sweeping financial crime-related law update in the U.S. since the USA PATRIOT Act almost two decades ago.

There are, of course, some appropriately-hyped provisions within the AMLA, as well as a few that are related to it, that bear a little bit more attention from compliance practitioners. 

WATCH: [Compliance Over Coffee] Preparing for the Next Wave of U.S. Regulatory Changes 

There’s Risk, then there’s Risk

The AMLA is clearly written, with no in-between-the-lines review needed. As a result, the Secretary of the Treasury will review components of current BSA/AML requirements to see where “adjustments” are necessary. From there, a report that will effectively de-prioritize what the AMLA calls “noncomplex” reporting will be issued, perhaps such as Suspicious Activity Reports (SARs) that deal with run-of-the-mill structuring. 

SARs as a Strategic Priority

The big shift with the AMLA is that there will be yet another report on “strategic priorities,” meaning that SAR reporting is going back to its roots as an information gathering tool for law enforcement and intelligence agencies. Still, what the AMLA hasn’t clarified is whether financial institutions will be able to forgo the “simple” SARs to focus on the more “valuable” SARs, or whether banks will be on double duty to report both. Risk assessments will be put in the same boat as SARs; having to review for those strategic priorities while still looking for the risks unique to their bank’s profile.  

READ MORE: How Bad is PPP Fraud in Financial Services?

 

Anonymously Speaking

Maybe the most lauded of the AMLA’s provisions is the Corporate Transparency Act (CTA), which doesn’t criminalize or ban shell companies as a structure, but requires that most incorporated entities fall in line with beneficial ownership requirements. The biggest change is that the CTA requires FIs to collect historical information that was exempt from the 2018 regulation’s requirements. FinCEN will then create a registry, with certain exceptions, and will allow FIs to scrub KYC data for their due diligence processes against that list. The mechanics of the list, collection, and verification process aren’t known, meaning that FIs will have to continue to take a risk-based approach to business types. 

READ MORE: SEC Priorities and a Changing of the Guard in 2021

 

Corruption in Politics and Art

What should get special attention, tying into the NDAA, is the emphasis on the risk related to corrupt political leaders (see the “Kleptocracy Asset Recovery Reward Act”) as well as arts and antiquities dealers. The NDAA goes further here by expanding the foreign bank account records held by a U.S. affiliate, such as KYC information, making those records fair game for subpoena.  

READ MORE: What Recent OCC Enforcements Signal for Firms

 

7 Questions You Should be Asking

While we wait for the underlying regulations from the AMLA, a few lingering questions remain. First of all, where the AMLA references the intention to streamline and automate, will firms be held accountable if they don’t find ways to do so? Not very likely.  

However, as FIs are required to automate more processes and reporting, will there be a risk of over-automation while regulators challenge the insufficiency of a BSA/AML compliance program’s human touch?  

There is still time before the one-year window for the Treasury to issue supporting regulations kicks in. In the meantime, here are a few questions that FIs should be asking:

1. Are we asking enough questions? Or, minimally, are we asking the right questions for LLP/LLC-type customers? Are we prepared to retroactively work towards data collection beyond the 2018 Customer Due Diligence (CDD) rule’s requirements?

2. What are we doing in terms of Politically Exposed Persons screening? Are we looking for stolen government funds? 

3. How will we risk-rate art/antiquity dealers going forward?

4. What’s the status and strength of our risk assessment process? Have we kicked the tires on the methodology recently? Will we be ready when new priorities emerge? Or will we be behind and at risk of missing critical requirements ?

5. Are our SARs “highly” useful to law enforcement? Or do we need to reinvent our processes with a closer eye on crime and intelligence?

6. If we are going to revamp our SAR processes, what are the best ways to make sure that second-line testing and audit are on board?

7. What should we automate? Where can we innovate? What processes are the most vulnerable to regulatory gaps?

Automate Regulatory Knowledge for AML Compliance

When it comes to identifying your requirements and obligations for AMLA and other regulations, automation can be especially helpful. 

The process of collecting regulatory updates across multiple sources is time-consuming—and it’s only step one of a multi-step process. The next step of determining which updates will actually impact your firm is even more of a challenge.

Ascent is a regulatory knowledge solution, which automatically surfaces the right information and pinpoints your firm’s obligations. Ascent helps compliance teams zero in on the regulation that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the firm.

INFOGRAPHIC: Regulatory Knowledge Automation, Explained