The Fintech Week Lithuania spoke to Federica Taccogna, a Senior Managing Director at FTI Consulting about compliance, money laundering and current risks in the financial ecosystem. Federica leads a team of regulatory compliance; financial crime and analytics experts who conduct investigations on behalf of regulators (including the UK FCA, the Malta Financial Services Authority and the Malta FIAU) into complex financial crime schemes. She and her team are experts in illicit use of shell companies, complex ownership structures, cryptocurrencies, hacking incidents, ransom ware scams, identity theft schemes, bribery and corruption. She also advises firms in developing Anti Money Laundering and Counter Terrorism Financing controls. She has led regulatory and criminal investigations involving a wide range of jurisdictions, including Lithuania, Estonia, Latvia, Malta, Cyprus, United Kingdom, the U.S, Sweden, Italy, Libya, Hong Kong, the BVI, Panama, Bermuda and Curacao. Ms Taccogna is a strategic advisor on financial crime to the Malta Financial Services Authority and Malta Financial Intelligence Analysis Unit.
What is your view about how the economy is affected by the Covid- 19 crisis?
- I think that the economy has suffered and will continue to suffer in the foreseeable future. The recovery will be slow and there will be a longer run to rebuild to where we were. My worry is that when the clean economies started to be troubled, the darker economies flourish much more. All the people that are unemployed, businesses that are distresses will need funding, borrowing- all of the sudden they will be redirected to darker economies that are fuelled by organised crime. I fear that not only we are going to face few months or years of economic uncertainty, but we will also face a new wave of financial crime.
So you see an increase in shady economy, shady lending? The businesses are suffering right now, and although the governments and the EU have announced about various programmes, perhaps many will not be able to qualify
- Yes the businesses become more vulnerable, and this is how the financial crime thrives- on the weaker elements of the society. For instance, in Italy betting shops and supermarkets are amongst the primary conduits for financial crime. The Italian government has spent a lot of time and effort to clean the sector, to make sure that the betting shops are licensed and that supermarkets do not have any mafia infiltration. However now that these shops and supermarkets had to be closed for some time, they will be more in need of support once again much more vulnerable for the mafia.
You have mentioned Italy- it is often on everyone’s mind when speaking about the mafia, but do you notice the same trends in other countries across Europe- UK, Germany?
- Absolutely, these trends are everywhere. If you look at the biggest scandals that happened in recent times (Danske, Swedbank), you can see that the the UK was amongst the main points of failure. Many of the shell companies that were used to launder the illicit funds concerned were Scottish Limited Partnerships. This shows that the smaller jurisdictions are not the only weak link in the chain- the larger jurisdictions are equally responsible.
So, we could say that in light of economic downturn, countries, businesses and people are more likely to engage in illicit activities to prop up the property market or the financial market?
- Yes, for instance, the gambling industry might want to regain the income lost during the lockdown. Also, the cryptocurrencies: now, I am not against the cryptocurrencies, I think they are good thing if well controlled and well managed.
- Fraudsters and criminals in general taking advance of increased fear, uncertainty and changed or weakened control environments. All features of a pandemic and the economic downturn that naturally ensues. And they strike in those areas that are already more vulnerable and higher risk, such as gambling or cryptocurrencies.
- On the topic of cryptocurrencies specifically, the greater risk in relation to them is the unevenness of global regulatory regimes around them, and the lack of familiarity that users and the industry (including regulators and enforcement agencies) have with them, not the ‘currencies’ or the technology on their own. For example, the lack of awareness on a consumer’s part may mean that he might fail to identify that a cryptoexchange is a fraudulent one and lose his funds in it. Or, a legitimate cryptoexchange may put in place weak AML controls (for example, due diligence) and become exploited by criminals (we have seen this happen already extensively!). And regulators who are not familiar with the technology and the operations of a cryptobusiness might not spot critical flaws in their control frameworks when supervising them.
Do you think that better clarity and information would help?
- People tend to think that, because they include the word ‘crypto’, cryptocurrencies are somehow hidden, mysterious or anonymous (which is a problem from a financial crime point of view) but this is not the case.
- One of the biggest problems is that regulators around the world take rather divergent approaches as to how they regulated them. And criminals take advantage of this by ‘setting up shop’ in jurisdictions that have a more favourable regime or a weaker approach to supervision (this is known as regulatory arbitrage).
- Similary, when I speak to individuals who own or work at cryptobusiess, I find it that sometimes, they do not understand how their businesses could be exploited from a financial crime point of view.
- For example, a cryptoexchange that does not conduct robust due diligence on their clients runs an incredibly high risk that individuals associated with organised crime will use it to transform cash into cryptocurrencies. In a world in which with cryptocurrencies it is possible to buy virtually everything (including luxury properties in London), that exposes the entire financial services to a huge risk. Many believe that conducting robust due diligence means seeing a passport and a copy of a bill and it absolutely it does not mean that!
- So yes, to answer your question, greater clarity and information would greatly benefit the industry as whole.
But there are cryptocurrency exchanges that verify the identity and go through verification checks; do you think that this is a more secure way then?
- Some cryptoexchanges do conduct robust due diligence, verification and ongoing monitoring. They are not the problem. Those who don’t, or those who are maliciously set up by criminals as vehicles for financial crime are.
- And returing to the point of uneven regulation this often happens because of the unevenness of regulatory approach globally.
What jurisdictions would you identify as risky ones for crypto? In Europe, for instance, we do have AMLD5 and it has pretty advanced requirements such as transaction reporting, etc.
- In Europe, with AMLD5 the regulatory and legislative framework is robust enough. The challenge is the implementation at country level. Specifically, the challenge that regulators have supervising the industry. And the challenge is, arguably, greater for smaller jurisdictions that have access to a more limited resources pool.
Therefore, do you see that Europe and the U.S. are moving towards a good direction; perhaps we need more education, more resources and attention dedicated to this topic, to increasing knowledge about compliance and regulation, which is so important?
- Developing knowledge is absolutely critical. And it is extremely important that businesses understand that being compliant is not the job of the Compliance function, it is a responsibility that everyone who works in a regulated industry (such as financial services) has.
- In the UK and other jurisdictions we have a regulatory concept called the ‘the lines of defence’.
- The first line of defence its business, the second line is compliance and the third line is audit. That means that the job of being compliant is not just for the compliance function. The first people that have to be compliant are the business.
- When I conduct reviews or investigations on behaf of regulator,s I am interested in how the business understands and deals with the risks. I expect to see, for example, that they are themselves involved in the KYC process.
- So certainly, there is a need for education. Part of it can happen through coureses – such as those that ACAMS provide – but also there is a need to learn and apply the theory in practice, on the job, every day. The business needs to become involved in managing compliance.
What do you see as differences among the risks that banks and Fintechs face- or there are no differences
- There is a difference in risk profile. The smaller outfits have the potential to be less compliant: they tend to have fewer resources and budgets and might underinvest in compliance . Nevertheless, financial technologies create plenty of opportunities for the Fintech companies. And they are leaner. If you want to implement a new process in a big bank- it takes time, they need to change many legacy systems. A new startup does not have all these things, therefore, there is an opportunity. A clever thing is to think about compliance as you build the firm, not to add it on top once you have built it. Also, the regulators have to look at the fintech industry critically and differentiate between good guys and bad guys.
Let’s go back to the cryptocurrencies. I have a question- lets say a cryptocurrency firm is based in a reputable, European jurisdiction, all the processes are compliant, the on boarding is good, there is on boarding process description, everything is done by the book etcetera. What is the problem then for the banks to open bank accounts for such businesses?
- Unfortunately we have to go back to the topic of knowledge. Banks often feel that they do not understand the world of cryptocurrencies. In other words, they might not be able to evaluate whether a firm is good or bad, high risk or low risk. As a result, they consider everything in their space outside their risk appetite.
You said that you have been in Lithuania, what is your impression about Lithuania’s fintech ecosystem?
- If I had to compare the fintech environment of that to other countries, I would say that it is more real; it has a lot of substance behind it. What the fintechs and startups are doing in Lithuania has a lot of weight to them. It is also a pleasure to work with them, because they are genuinely trying to innovate. Those who are trying to apply innovative thinking process to the world of compliance are succeeding. I can see a lot of potential
Do you see that there is a big gap in the market, an opportunity to provide compliance optimization products, to help with optimisation of processes?
- Absolutely, I think also that banks can learn from fintechs. They could apply same thought processes, and technologies as fintechs are applying.
- I think the biggest challenge is with regulators the fintech markets need to be nurtured and regulated. At times regulators don’t want to intervene in the market, because they think they would scare investment away. But if they don’t intervene, they would attract a lot of bad actors and suffer reputational damage. So regulators need to intervene in a meaningful, but not to scare away- like they do with cryptocurrencies and then everyone runs away- they need to take bad actors out and leave the good people in. but to do that they need skills, people and to understand industry.
So you think even a department could be expanded, people working doubled or tripled and crucial attention should be paid?
- I agree because the last thing we want is to let it grow exponentially and then there is a scandal of some sort and the entire market has to take a hit. Because reputation works this way- the negative reputation goes across. Better to invest in this before- educating people and dedicating resources.
Perhaps, it is time to put the necessary regulations not only on paper, but to change the whole mind-set and approach towards it?
- Yes, and I fang that a lot of jurisdictions are now changing this from compliance approach. Compliance was very much paper based exercise just ticking a box, but now a lot of firms are trying to adjust their compliance processes and this is where I think the fintech can be better because they are leaner. When you look at firms that are built in this way, then you can see that it is so much safer to operate.
Do you have some examples of companies that you are impressed of with regards to their attitude towards compliance?
- I was impressed by Swedbank- its CEO have made a statement a few days ago, saying that the company has made a mistake and now want to become a standard for others how to operate in compliant way. It is an extremely good example to show honesty and admit that there was a problem, and we will fix it. Trying to hide things does not pay off in the long run
These days, it is not enough for compliance officers to know the law, you have to know technology, even understand some of the cryptography.
- Oh yes. Some companies they see compliance officers as a cost to the business. But actually the job of being a compliance officer is a very interesting one, and you have to understand the business, technology, and the law. Perhaps some people don’t go into this job because they don’t want to be feeling as a cost, but it is a very interesting and important job.