Podcast - Unlearning to run a success FCC program at a Fintech
Protiviti’s Greater China risk and compliance lead Josh Heiliczer delves into why Tencent’s Group Head of Sanctions and International Anti-Money Laundering, Henry Chan, transitioned from a career in Corporate Banking to Compliance and how the tech giant manage financial crime risks.
Hi, how are you doing? Good day, this is Josh Heiliczer. I’m the managing director here at Protiviti in Hong Kong, in Greater China. I lead the risk and compliance practice over here, and I’m glad to have you on my podcast again. I have Henry Chan over here from Tencent. He is the global head of sanctions and anti-money laundering controls over at Tencent, and I really appreciate him joining us today. Thank you.
Okay. So, in terms of my career journey, I spent the first 10 years of my career as a corporate banker at HSBC before I made the transition into financial crime compliance. So, I found my experience has a lot of impacts for me as a compliance specialist because I could really analyse each circumstance from both sides of the coin. So, I’m able to picture how every recommendations the FCC department makes will impact the business as well as the customer. So, with that mindset, I was able to build very good working relationships with the business stakeholders, and that’s one of the top assets that any FCC practitioner could have. Not on the line, HSBC has been an amazing platform for me to hone my skillsets as a FCC specialist. I was given the opportunity to lead the monitoring and testing division, and I also lead the AML functions for the bank in Hong Kong. So, for those roles, I oversee the role of the good financial crime global standards, the large-scale FCC remediation exercises, the revamp of the TM investigations and STR processes, and also to set the golden standards for FCC testing across the APEC region. So, in 2019, I left HSBC to join Tencent and became the group head of sanctions and international AML. Overseeing the FCC matters for Tencent across all the international businesses, and that includes both the FinTech as well as the non-financial internet-based businesses in over 50 countries. So far, it has been a wonderful, yet challenging journey as the company is aggressively expanding more and more into the international markets through the globalisation of this very strong existing [Audio Gap]
Yes. I get that question a lot from both my team members and people I’ve spoken to, and people I work with. Of course, when I started my career, I did not plan to spend, say, 10 years in corporate banking and then switch on to FCC. When I started banking, FCC did not even exist. So, I think I’ve had that transition at one point, when I had this project where I was sent to New York, in fact, as a corporate banker to work on the designing of the STR investigation process for our corporate banking relationships. So, at the point, I thought, “Okay, people I worked with were really good compliance specialists; they’re lawyers, they’re accountants, they’re auditors.” But one thing I realised; they had no clue about the business itself. So, I saw there’s actually a lot of value that someone coming from business with the experience of the customers and the products to work in the compliance space. So, that’s where I drew my interest and thought, “Okay, I think I have leverage going into compliance and do a really good job there.” So, that’s where it triggered my transition thought.
Look, it’s definitely something that broadens your mindset when you’re looking at compliance issues and risks, particularly if you understand how the business works, you understand what’s normal activity and what’s not normal activity, how you really get in contact with a client as opposed to sending them an email that ends up in their spam folder. So, those are really key, I think. So, now, you’re working with global remit around virtual payment channels and WeChat Pay; how many people are using that internationally; it’s an amazing product for gaming. How do you go about understanding the risks for all of the areas that you’re operating in from gaming to virtual payment channels and all the different jurisdictions you’re operating in?
Yes, that’s a very big question. It’s something that I need to tackle on a daily basis right now, and sometimes it keeps me awake at night. Well, on the surface, it’s really daunting to imagine how any team could go about understanding and localising the financial crime risk associated with over 50 countries. Without revealing any trade secrets, of course, I could share with everyone the approach that I’ve taken in managing the financial crime risk of this massive portfolio. So, at the group level, I maintain a set of AML inspection standards that will be used as guiding principle to all the group activities globally. The standards are fairly universal and based on rules and regulations standards across major jurisdictions such as China, Hong Kong, EU, America, etcetera, etcetera. So, on top of that, we also have a methodology on how to risk rates all the 250 plus countries in the world. So, that gives us a good idea on where we need to avoid doing businesses with from a risk management standpoint. In terms of the countries that we have business exposures in, I would broadly categorise them into three buckets, each with a unique approach to risk management. So, the first bucket is markets where we have an actual presence in. So, it could mean that we have a physical office on the ground, financial licenses acquired, or material business operations in the local markets. So for these markets, I would have actual compliance officers on the ground to support the AML activities. These would be individuals who have good knowledge of the local risk and good relationship with the local regulators. So, we are constantly on top of the landscape. A second type of market we have is where we have indirect business participations in, and we do not have an actual office or financial licenses locally. So, for example, in some markets where we have standards or payment services to the local markets, but we rely on local third-party institutions to facilitate transactions. While our exposure to these markets is indirect, we still need to manage the financial crime exposures through understanding and managing our local institutional partners. So, we have a set of stringent standards for the selection of these local institutional partners, as well as a robust systematic approach to continuously monitor their activities to ensure that the risk that we’re exposed to do not exceed our [appetite] in each of these markets. The third and final type of market that we have exposure in is those that we don’t have any local participations in. As an internet company, it’s inevitable that our customers and end users are located all over the world. So, for these markets we have to – first and foremost, I’m sure that users from comprehensive sanctioned countries are not allowed access to our products and services. This is technically achieved through IP blocking technologies. On the other hand, we also need to have monitoring controls in place to detect irregular activities coming from pockets of IPs or countries where we think we’re in suspicion. So, in conclusion, above all these measures and controls in place, it is critical that we have good understanding of the risk profiles of our products, sufficient transparency to our customer’s profiles, awareness of the latest financial crime pathologies, and then distilling all of those into appropriate controls.
Okay. Let me address the second part of the question first. I think it’s an important learning point I had and actually something I could share with everyone. Making the transition from a traditional bank to an internet company, although doing seemingly the same job in compliance, financial crime compliance in specific. I think coming into Tencent, I had this mindset being a lifetime banker, I thought, “Okay, things should happen just like how the bank should. Oh, we should have this control in place. We should have this policy in place. Oh, things don’t work like that from the bank.” I used to say that a lot in meetings. “Oh, things at HSBC works this way.” But then I realised the longer I spent in this company, the more I realised that they're actually a completely different organisation. One thing that I have to do and consciously remind myself is I have to unlearn everything that I’ve learnt in HSBC. [Laughter] Once you get through that point, you unlearnt everything, then it’s distills down to your understanding of risk. The true nature of risk doesn’t change wherever you go. Which organisation, financial, law financial, banks, internet company, any corporate; risk is risk. Once you have that appreciation, understanding, and the skillset to analyse risk, that is actually universal, and it’s applicable in any place you go to. So, I went through that process of unlearning, and then realise I still have the skillset with me, and then learnt the entire new process again with that skillset in mind.
Right. Right. So, yes, it would be a major flaw if you try to run or manage a financial crime programme of, say, a virtual bank or a non-bank institution, just like if you were running it as a bank, especially a very large and traditional one.
That took me a while to get adapted to, and it’s one major learning for anyone who’s going to make these types of transitions.
Thank you, Josh. [Music]