How Financial Institutions Deal With Compliance in a Post-Covid World
Changes brought on by the COVID-19 pandemic have made the already complex world of compliance even more challenging, Leslie Bailey, vice president of Financial Crime Compliance for LexisNexis Risk Solutions, said.
Ms. Bailey said the COVID-19 pandemic accelerated digital adoption, as traditional business and commercial environments were quickly disrupted. But it also raised compliance costs in Canada and the United States by 33 per cent to $42 billion.
“What we found was compliance departments had to pivot as workforces shifted,” Ms. Bailey said.
When people interact with their financial institutions in person, verification processes, for example, are straightforward. Then the personal and business banking that had been done in person immediately shifted online, at the same time as financial institutions were tasked with administering PPP loans and other aid. Customers, especially those not prepared with their own cloud systems or with remote employees, faced challenges as their work became more complex.
Compliance practices are complex at the best of times, but as employees shifted to remote work they became more challenging. Companies had to establish systems which accommodated staff in dozens of locations, while maintaining the same security. Not everyone was up to the task and more gaps opened up.
These new environments and their impact on KYC, sanctions screening and even onboarding have changed how companies look at their risk exposure, Ms. Bailey explained. They want to deliver a more real-time response.
“Where we think about customer due diligence and compliance tools, we think about how to leverage them to be more strategic across verticals,” Ms. Bailey explained. “We want to break down silos by leveraging tools.”
That more holistic approach is needed as the environment converges into a blend of compliance tasks, fraud prevention and financial crime, Ms. Bailey said. Compliance teams must also monitor cybersecurity practices, which must constantly adjust to changing criminal behavior. Teamwork is key.
“To the extent organizations create a framework where verticals can collaborate and share information regularly in a more structured environment and deliver results, those are the institutions that will prevail in a time like this,” Ms. Bailey said.
LexisNexis Risk Solutions proactively worked with clients early in the pandemic in anticipation of PPP rollouts, Ms. Bailey said. Some financial institutions had the goal of converting PPP applicants who were regular customers into clients, but that had to be done delicately as people were in need. Institutions needed the proper tools and controls to interact with them in the right way, as fraudsters are lurking.
“Criminals see this as an opportunity to execute fraud and they look for an institution’s vulnerabilities,” Ms. Bailey said. “We have to work proactively to have the tools in place. Risk detection models and advanced analytics go a long way and most institutions have the resources to pivot that way. But when you’re looking at enhanced due diligence they only go so far. You have to make sure you layer on capabilities beyond the surface level.”
Imagine a college student with a limited credit history opens an account at a financial institution. Someone steals their credentials to either access that account or open multiple accounts with a non-digital device. The person opening the new accounts is not associated with the original individual. Those are red flags, Ms. Bailey said, as are discrepancies in where they are accessing accounts from and where they hope to move the money to.
There were plenty of gaps companies had to watch for as they quickly switched to remote environments, Ms. Bailey said. That included the potential for fraudsters to take information from an employee who, in a pinch, used a personal device that was not linked to the company security system. In some systems, that would allow someone to enter a company’s system and move about untracked.
Companies address this in several ways, she explained. Some limit employees to conducting company business on a single device with the proper security. Many are re-evaluating their risk exposure with a granularity that hasn’t been used before. Internal audits have become more preventative in nature as companies proactively try to identify risks to the system.
Does everyone need the level of access they currently have?
How much time are employees spending on the system and why?
Are they taking their mandatory vacation time?
These are all questions being asked, Ms. Bailey said.