Podcast - Unlearning to run a success FCC program at a Fintech

Podcast - Unlearning to run a success FCC program at a Fintech
Protiviti Risk & Compliance Podcast

 

Protiviti’s Greater China risk and compliance lead Josh Heiliczer delves into why Tencent’s Group Head of Sanctions and International Anti-Money Laundering, Henry Chan, transitioned from a career in Corporate Banking to Compliance and how the tech giant manage financial crime risks.

Protiviti Podcast Transcript Transcript

Josh

Hi, how are you doing? Good day, this is Josh Heiliczer. I’m the managing director here at Protiviti in Hong Kong, in Greater China. I lead the risk and compliance practice over here, and I’m glad to have you on my podcast again. I have Henry Chan over here from Tencent. He is the global head of sanctions and anti-money laundering controls over at Tencent, and I really appreciate him joining us today. Thank you.

Henry Chan
Henry
Thank you for having me in this podcast. It’s my privilege to be speaking here.
Josh
Excellent, Henry. Great to see you. So, we have a lot of compliance professionals listening to the podcast. Would you be able to discuss your current journey going from particularly HSBC in the banking world to Tencent, which is clearly - that has payment operations, not a bank?
Henry Chan
Henry

Okay. So, in terms of my career journey, I spent the first 10 years of my career as a corporate banker at HSBC before I made the transition into financial crime compliance. So, I found my experience has a lot of impacts for me as a compliance specialist because I could really analyse each circumstance from both sides of the coin. So, I’m able to picture how every recommendations the FCC department makes will impact the business as well as the customer. So, with that mindset, I was able to build very good working relationships with the business stakeholders, and that’s one of the top assets that any FCC practitioner could have. Not on the line, HSBC has been an amazing platform for me to hone my skillsets as a FCC specialist. I was given the opportunity to lead the monitoring and testing division, and I also lead the AML functions for the bank in Hong Kong. So, for those roles, I oversee the role of the good financial crime global standards, the large-scale FCC remediation exercises, the revamp of the TM investigations and STR processes, and also to set the golden standards for FCC testing across the APEC region. So, in 2019, I left HSBC to join Tencent and became the group head of sanctions and international AML. Overseeing the FCC matters for Tencent across all the international businesses, and that includes both the FinTech as well as the non-financial internet-based businesses in over 50 countries. So far, it has been a wonderful, yet challenging journey as the company is aggressively expanding more and more into the international markets through the globalisation of this very strong existing [Audio Gap]

Josh
You make a really good point. A really interesting point for people in our podcast of your career journey – how do you go from being a corporate banker to working in the AML space? When you started out as a corporate banker, I’m sure you didn’t say, “Wow, I’m going to compliance at some point in time.” I know when I was starting out, a lot of the bankers used to view the compliance department and financial crime as the business prevention union.
Henry Chan
Henry

Yes. I get that question a lot from both my team members and people I’ve spoken to, and people I work with. Of course, when I started my career, I did not plan to spend, say, 10 years in corporate banking and then switch on to FCC. When I started banking, FCC did not even exist. So, I think I’ve had that transition at one point, when I had this project where I was sent to New York, in fact, as a corporate banker to work on the designing of the STR investigation process for our corporate banking relationships. So, at the point, I thought, “Okay, people I worked with were really good compliance specialists; they’re lawyers, they’re accountants, they’re auditors.” But one thing I realised; they had no clue about the business itself. So, I saw there’s actually a lot of value that someone coming from business with the experience of the customers and the products to work in the compliance space. So, that’s where I drew my interest and thought, “Okay, I think I have leverage going into compliance and do a really good job there.” So, that’s where it triggered my transition thought.

Josh

Look, it’s definitely something that broadens your mindset when you’re looking at compliance issues and risks, particularly if you understand how the business works, you understand what’s normal activity and what’s not normal activity, how you really get in contact with a client as opposed to sending them an email that ends up in their spam folder. So, those are really key, I think. So, now, you’re working with global remit around virtual payment channels and WeChat Pay; how many people are using that internationally; it’s an amazing product for gaming. How do you go about understanding the risks for all of the areas that you’re operating in from gaming to virtual payment channels and all the different jurisdictions you’re operating in?

Henry Chan
Henry

Yes, that’s a very big question. It’s something that I need to tackle on a daily basis right now, and sometimes it keeps me awake at night. Well, on the surface, it’s really daunting to imagine how any team could go about understanding and localising the financial crime risk associated with over 50 countries. Without revealing any trade secrets, of course, I could share with everyone the approach that I’ve taken in managing the financial crime risk of this massive portfolio. So, at the group level, I maintain a set of AML inspection standards that will be used as guiding principle to all the group activities globally. The standards are fairly universal and based on rules and regulations standards across major jurisdictions such as China, Hong Kong, EU, America, etcetera, etcetera. So, on top of that, we also have a methodology on how to risk rates all the 250 plus countries in the world. So, that gives us a good idea on where we need to avoid doing businesses with from a risk management standpoint. In terms of the countries that we have business exposures in, I would broadly categorise them into three buckets, each with a unique approach to risk management. So, the first bucket is markets where we have an actual presence in. So, it could mean that we have a physical office on the ground, financial licenses acquired, or material business operations in the local markets. So for these markets, I would have actual compliance officers on the ground to support the AML activities. These would be individuals who have good knowledge of the local risk and good relationship with the local regulators. So, we are constantly on top of the landscape. A second type of market we have is where we have indirect business participations in, and we do not have an actual office or financial licenses locally. So, for example, in some markets where we have standards or payment services to the local markets, but we rely on local third-party institutions to facilitate transactions. While our exposure to these markets is indirect, we still need to manage the financial crime exposures through understanding and managing our local institutional partners. So, we have a set of stringent standards for the selection of these local institutional partners, as well as a robust systematic approach to continuously monitor their activities to ensure that the risk that we’re exposed to do not exceed our [appetite] in each of these markets. The third and final type of market that we have exposure in is those that we don’t have any local participations in. As an internet company, it’s inevitable that our customers and end users are located all over the world. So, for these markets we have to – first and foremost, I’m sure that users from comprehensive sanctioned countries are not allowed access to our products and services. This is technically achieved through IP blocking technologies. On the other hand, we also need to have monitoring controls in place to detect irregular activities coming from pockets of IPs or countries where we think we’re in suspicion. So, in conclusion, above all these measures and controls in place, it is critical that we have good understanding of the risk profiles of our products, sufficient transparency to our customer’s profiles, awareness of the latest financial crime pathologies, and then distilling all of those into appropriate controls.

Josh
Yes. Look, it’s a vast new universe clearly from the time you got into banking to now working at a company like Tencent. It’s clearly a completely different type of offering, risk profile in countries that you’re operating in links back in to maybe your experience in HSBC as well where you ran the monitoring and testing programme over there. How do you run a good monitoring and testing programme, and how does that change now, maybe that you’re at a place that is operating in so many different markets?
Henry Chan
Henry

Okay. Let me address the second part of the question first. I think it’s an important learning point I had and actually something I could share with everyone. Making the transition from a traditional bank to an internet company, although doing seemingly the same job in compliance, financial crime compliance in specific. I think coming into Tencent, I had this mindset being a lifetime banker, I thought, “Okay, things should happen just like how the bank should. Oh, we should have this control in place. We should have this policy in place. Oh, things don’t work like that from the bank.” I used to say that a lot in meetings. “Oh, things at HSBC works this way.” But then I realised the longer I spent in this company, the more I realised that they're actually a completely different organisation. One thing that I have to do and consciously remind myself is I have to unlearn everything that I’ve learnt in HSBC. [Laughter] Once you get through that point, you unlearnt everything, then it’s distills down to your understanding of risk. The true nature of risk doesn’t change wherever you go. Which organisation, financial, law financial, banks, internet company, any corporate; risk is risk. Once you have that appreciation, understanding, and the skillset to analyse risk, that is actually universal, and it’s applicable in any place you go to. So, I went through that process of unlearning, and then realise I still have the skillset with me, and then learnt the entire new process again with that skillset in mind.

Josh
It’s really interesting you mentioned the unlearning point because you look at a lot of the ways that traditional financial institutions are now trying to set up virtual banks, digital banks, whether it’s HSBC, or now Standard Chartered or any other virtual banks in Hong Kong. A lot of times, you see them trying to separate from the rest of the bank because they don’t want to have that legacy of knowledge around how the bank was operating. It’s interesting to hear you say how that extends to financial crime risk, sanctions risks, a number of different risks because you’re right; you got to spot the risk, obviously. That issue spotting, that risk assessment, that knowledge is always going to be key. However, it’s going to take a different form at an internet company, a FinTech, or a gaming company as well.
Henry Chan
Henry

Right. Right. So, yes, it would be a major flaw if you try to run or manage a financial crime programme of, say, a virtual bank or a non-bank institution, just like if you were running it as a bank, especially a very large and traditional one.

Josh

Sure.

Henry Chan
Henry

That took me a while to get adapted to, and it’s one major learning for anyone who’s going to make these types of transitions.

Josh
Yes, that’s great. Henry, I really appreciate your time. It’s been really great catching up with you. Thank you for joining us here on the risk and compliance podcast of Protiviti. This is Josh Heiliczer, and I hope you will be with us next time as well.
Henry Chan
Henry

Thank you, Josh. [Music]

 

Ready to work with us?

Josh Heiliczer
Joshua Heiliczer
Managing Director
+852 2238 0400
Linked