Article by Perry Huijgen, Protiviti, Business & Risk Management
Regulatory initiatives around open banking (PSD2) have opened up a whole new playing field for financial technology companies (fintechs). The possibilities for innovation around payments are countless: direct payments processing from platforms or applications, split payment technology, data analytics on aggregated bank accounts or enhanced credit risk modelling. However, as promising as it all may sound, you should keep in mind that there are no easy shortcuts to open banking glory.
As open banking allows organisations to be ‘in the money flow’, it presents fintechs with an array of regulatory requirements related to anti-money laundering (AML) and combating the financing of terrorism (CFT). Together with our technology partner BusinessForensics, Protiviti has helped fintechs overcome these challenges by implementing transaction monitoring and customer due diligence solutions.
In this blog post, we share what we have learned about how fintechs can overcome the challenges of becoming PSD2 compliant.
Are we even making money?
Many fintechs underestimate the actual cost of being PSD2 compliant. Especially with high-volume, low-margin business models, the cost of compliance can easily cannibalise your profitability. Moreover, many technology and data companies providing solutions in this space are used to dealing with larger financial institutions with deeper pockets. In other words, don’t be surprised if the standard list prices for transaction monitoring or customer due diligence solutions equal your first funding round.
In practice, fintech companies start exploring possible solutions for customer due diligence or transaction monitoring during or after the PSD2 application process with the regulator. However, it is recommended to bring the discovery of possible solutions in this space forward to the inception phase, to ensure the validity of your business case. In this process, external experts can help you to:
- Identify and select relevant and cost-efficient solutions and technology.
- Validate the assumptions in your business case.
Defeat the Paper Tiger
During the PSD2 application process there is a lot of focus on performing risk assessments and creating or updating policies and procedures. Having the right documentation in place is critical if you want to obtain the PSD2 licence. However, it is even more important to actually implement the policies and procedures in daily operations if your organisation wants to keep its licence in good standing. This is exactly the area where many fintechs struggle. Policies and procedures are often too generic, which makes it hard to understand what needs to be implemented. In other cases, we see that fintechs adopt standard configuration templates designed by technology companies, resulting in a mismatch between the policy and their daily operation. In the worst cases, policies are in place but in practice nothing is implemented at all.
To overcome the risk of creating a paper tiger, the following is key when developing policies:
- Write policies from a practical point of view as much as possible. This may include adding practical guidance on the types of screenings, customer risk assessment methodology, relevant data points and types of monitoring scenarios.
- Ensure that your policies are written by someone who not only understands the regulatory and business context, but also the implications for successful technical implementation.
Defeating the paper tiger is also a particular strength of the Protiviti — BusinessForensics partnership. By leveraging Protiviti’s expertise in risk management and BusinessForensics’ expertise in digital risk analysis technology, we can help fintechs:
- Identify the desired level of maturity of financial economic crime prevention within your organisation.
- Create policies, procedures and controls in line with the desired level of maturity.
- Implement and automate policies, procedures and controls into the BusinessForensics software.
- Embed policies and procedures into your organisation’s daily operations.
Bursting the Fintech Bubble
Ask a typical fintech employee what they find energising in their field of work and don’t be surprised by the answers: developing cool stuff, working on the go-live of the launching customer or growing the business by searching for partnerships in the market. Ask the same fintech employee if their heart beats faster when working on regulatory compliance related projects and you can expect a less enthusiastic reaction. Still, there are many fintech companies that decide to develop their customer due diligence or transaction monitoring solutions in-house. And why wouldn’t they? Many fintechs have highly skilled developers working for them.
However, in practice we see that the in-house development of regulatory compliance solutions doesn’t always work out for the best. Fintech companies are quite dynamic, especially in the early stages, and their goals and even entire business models can change overnight. Combined with the ever-present work pressure, this fluidity often results in regulatory compliance projects being delayed or postponed. Also, consider the human factor: people tend to prioritise work that is considered an ‘energy gain’ over work that is considered an ‘energy drain’. Given these challenges, fintechs should consider engaging external experts to work on regulatory compliance projects. These experts can help fintechs:
- Free up internal resources.
- Break through the fintech boundaries by sharing best practices.
- Expand their network and create new partnerships as consultancies often have deeper roots in the market.
How Protiviti Can Help
Want to know more about this topic or learn how Protiviti can help your organisation overcome regulatory compliance challenges? Please contact Perry Huijgen.