Bitesize Payments

Compliance, KYC, and All That Stuff

Paul Thomalla Season 1 Episode 29

Welcome back to Bite-Size Payments, where we dive into their history, how they work, and, of course, who does what.  
 
Today, we’re tackling compliance—yes, that lovely, complex topic that often seems like it gets in the way. But it’s essential, and we’ll explain why. Yes, it’s complex, but it’s also the backbone of a secure financial system. 

Today, I am joined by the rock star that is Susan Hall to walk you through it...
 
Here we go…  
 
 

Payments Industry Insights

History of Payments

Payment System Explained

Corporate Payments Strategy

Payment Regulations Impact

ISO20022 Standard

Digital Payments Evolution

CBDC Advancements

Cryptocurrency in Payments

Financial Technology Education


SPEAKER_01:

Welcome back to Bite Size Payments, where we delve into their history, how they work, and of course, who does what. Today, we're going to be tackling compliance. And yes, it's a tough subject. Yes, it's complex. And it can be lovely too. Well, that's a bit harsh. But it is something that is really important in our industry. It is essential, and we'll explain why. Yes, it is complex, but it is the backbone of a secure financial system, both in-country and, of course, internationally. So, here we go. Hold on to your hats. You'll understand why KYC is important after this. Today, I'm joined by my good friend, Susan, who was here to discuss cross-border payments just in the last episode. So welcome back, Susan.

SPEAKER_00:

Good to be back. Thanks for the invite.

SPEAKER_01:

You're more than welcome. Now, compliance may sound dull, and it is a little bit, but it is unfortunately one of the most crucial aspects of banking. So what exactly is compliance? It refers to adhering to laws, regulations, and standards to ensure financial institutions operate safely, ethically, and transparently. It's a safeguard, frankly, against illegal activities like money laundering, fraud, terrorism financing, while protecting consumers with fair practices. Now, Susan, you have some context here too, don't you?

SPEAKER_00:

I certainly do. I took a sidestep out of the payments industry after many years working for banks in the international payments space, where this is obviously a thing. I went to work for an ESG ratings company. Really interesting work, really a whole new field. But they just did not get payments, which for somebody with a payments background is... really odd. After all, you know, making sure that your customer is going to pay you is an important thing. I kept having to explain why KYC really was a thing, something that people had to pay attention to. After a while, I realized I just had to get back to working with people who understood that. So here I am.

SPEAKER_01:

Well, I'm glad you're here. I have to say, KYC is one of those things that you end up talking about a lot. I, not that long ago, moved houses, I think I mentioned to you. And I had so many estate agents and lawyers telling me they need to do the KYC, need to do the KYC, oh, need to do my KYC. And it's quite frustrating because they sit behind their processes in some cases. But the truth of the matter is, it is important. So let's have a little bit of a quick history. Compliance requirements really date back to the 70s, with the US Banking Secrecy Act targeting money laundering. Fast forward to 1989, the Financial Action Task Force, FATF, established global standards. Post 9/11, the US Patriot Act expanded compliance to include anti-terrorism measures. Today, compliance spans multiple areas like KYC, AML, sanctions checking and anti-terrorism measures, with technology playing a huge part in trying to get this under control.

SPEAKER_00:

So let's look at the four pillars of compliance. Number one, know your customer, or if you're in the banking world, I hear my colleagues saying, know your bank. That's verifying the customer's identity and assessing the risks, which includes customer due diligence. And we'll come back later to the difference between those two. There's anti-money laundering, AML, which identifies and prevents illicit money flows. There's sanctions checking, which is ensuring banks don't work with blacklisted individuals or entities. And there's anti-terrorism measures, ATM, which disrupts terrorist financing networks. Compliance is more than just a regulatory requirement. It's a safeguard for the integrity of the financial system. Without these measures, the risk of criminal activity influencing trading and the financial sector would grow exponentially, jeopardising trust, stability and security. Every year, financial institutions face billions in fines for noncompliance, a clear reminder of the stakes involved. But it's not just about penalties. Compliance also fosters trust and accountability, ensuring the financial system works for everybody. And let me just put a few big numbers on that. We'll talk about the more detailed numbers later. But $4.6 billion of global penalties for AML-related fines, and enforcement actions related to transaction monitoring showed a year-on-year 100% increase in the number of penalties, which exceeded $3.3 billion. It's not chump change that we're talking about.

SPEAKER_01:

No, it certainly isn't. But let's now pivot away and try and get into a little bit more and understand a little bit more about what is being done by compliance teams to make sure that our financial systems are secure. Oh, spoiler alert, watch out for the acronyms. Let's start by exploring the challenges banks face in staying compliant. Regulations are constantly changing with governments and regulatory bodies updating rules to keep pace with evolving threats. For banks, this means adapting to a growing web of requirements from KYC and AML and sanctions checking and, of course, anti-terrorism protocols. But there's a lot here, isn't there, Susan?

SPEAKER_00:

There certainly is. So let's break it down a little bit further. So KYC is the cornerstone of compliance. So when you go to open an account, the bank will verify your identity, relevant for both consumers and for companies and indeed payment service providers or banks. Many countries legally require specific industries, such as cryptocurrency exchanges or gambling companies, to meet certain additional KYC compliance standards because it is known that those industries may be a little bit... more likely to be involved in those areas. The ultimate aim is reducing fraud and financial crime. So CDD, customer due diligence, is the companion to KYC. While KYC happens when the account is set up or at regular intervals thereafter, CDD covers the continuous monitoring of the customer's interactions in order to assess the customer's risk. A risk profile for each customer, with identity verification, transaction records and wealth sources, can be created. These checks are ongoing and may occur at any time during the transaction process. There are, of course, different levels of CDD. You've got the simplified due diligence, which applies to those considered to be low risk, for example, a public authority. Standard due diligence for those who don't fall under the simplified. It's aimed at giving a level of confidence that you know who your customer is and that your product or services aren't being used as a tool to launder money or any other criminal activity. This includes collection and verification of basic customer information, such as full name and address. And then we have enhanced due diligence, which is applied to high-risk transactions and individuals. And under this includes the high-risk individuals known as the PEPs, the politically exposed persons. Checks would include additional identity documentation, such as location, occupation, type of transactions, etc., conduct, expected patterns of activity in terms of transaction type, value, frequency, expected methods of payments. So you get the idea: get a full rounded picture of what this person or this company is about in the payments world. It's worth adding, of course, this isn't something that just banks have to do. Businesses need to do this as well. Hence my conversation with my old ESG colleagues about KYC and CDD being a thing. Businesses can be exposed to fraud and fines for noncompliance. So of all of the penalties in this area, 80% were banks, but logically 20% were non-banks getting fined for offending here. It should also be mentioned that a person or company can change their status over time.

SPEAKER_01:

Okay, so let's talk a little about anti-money laundering. And of course, that's been in the press not so long ago for geopolitical reasons, but effectively, AML goes hand in hand with KYC. This involves monitoring transactions, identifying suspicious patterns, and reporting them to authorities. Criminals constantly adapt their methods, using everything from shell companies to cryptocurrencies to move illicit funds. For banks, the challenges lie in spotting these activities without disrupting the legitimate transactions.

SPEAKER_00:

That's a big issue. And that last point about without disrupting legitimate transactions is a really important one. But let's start at the beginning. AML and sanctions, they're not the same thing, even though people talk about them in the same sentence. A bit like people talk about clearing and settlement without realising they're actually two separate things. Always good to get a bit of payments back in here.

SPEAKER_01:

Good stuff. Exactly right.

SPEAKER_00:

Sanctions compliance focuses on enforcing economic and trade restrictions imposed by governments or international organizations on specific targets, such as terrorists, human rights violators, or rogue states. It requires adherence to multiple and unfortunately often conflicting regimes, such as the United Nations or OFAC, the Office of Foreign Assets Control in the US. Banks must screen their customers and transactions against these lists to ensure they're not facilitating prohibited activities. The process is complex. Sanctions lists are updated frequently. The sanctions lists may not be aligned when they're being updated, as we've seen in recent years. And missing even a single match can lead to hefty fines and reputational damage. On the flip side, as we just touched on earlier, overzealous screening can block legitimate transactions, causing friction with customers, and can inadvertently cause real harm to people or to companies. AML, anti-money laundering, focuses on detecting and preventing the movement of illicit funds derived from criminal activities, such as drug trafficking, fraud, or tax evasion. It requires implementing a risk-based approach to customer due diligence, transaction monitoring, and record keeping. There are also reporting obligations, such as suspicious activity reports, SARs, or Foreign Account Tax Compliance Act, FATCA, reports.

SPEAKER_01:

Unfortunately, a lot of this stuff is in three-letter and now five-letter acronyms. But it is really important stuff. And while we can't get too carried away, one of the things we do have to say is that it is a balancing act between doing the right thing and doing the right thing. And a lot of this work is finely balanced for the banks and the people that are doing it on their behalf. But banks play a critical role in identifying and freezing funds linked to terrorist networks. This requires global collaboration, as money can cross borders in seconds. Transaction screening, checking whether a customer or transactions are linked to blacklisted individuals or entities, is another key element. But it's easier said than done. Errors can lead to blocked legitimate transactions, or worse, missed threats.

SPEAKER_00:

Indeed. And let's not forget the role of technology in this. Artificial intelligence and machine learning are transforming compliance. These tools analyze vast amounts of data to detect patterns humans might miss. But technology isn't a magic bullet. It must be paired with human expertise to ensure accuracy and fairness. After all, AI is also being used by bad actors. So we're in the odd situation of AI fighting AI. I wonder who's going to win.

SPEAKER_01:

I think that's an excellent, excellent point. AI is fighting AI. I hear too much of people, of institutions saying, oh, we're going to use AI to fix this. And it's like, yeah, well, you're not alone, unfortunately. There will be the bad actors, as you say. They've got AI too.

SPEAKER_00:

They will be ahead of the game, so yes.

SPEAKER_01:

I think that's exactly right. So let's bridge now to who does what in this area. So who is doing what here? Well, as ever, governments and their regulators, national authorities like the Financial Conduct Authority, FCA in the UK, the Securities and Exchange Commission, SEC in the US, the European Central Bank, the ECB, define the what that banks must adhere to. But who defines the rules? Well, external authorities. Government and regulators like the Financial Conduct Authority, the FCA, the SEC or the central banks generate the legal framework. International bodies like FATF set global anti-money laundering standards, while the Basel Committee focuses on banking risk management. The EU issues directives like GDPR and AMLD. Industry groups, organisations like SWIFT or ISDA, develop standards for security, financial messaging and derivatives compromising.

SPEAKER_00:

We've had three-letter acronyms and five-letter acronyms and now we're going for the four-letter. On FATF, it's worth mentioning a report has just been published for final consultation with the aim of being put into the FATF plenary in June 2025. The special recommendation 16, which looks at wire transfers, was originally planned to be updated, just taking into account ISO 20022. But they quickly realized there'd been an enormous drift since the last changes, which has made it a far bigger process. There's payment types that didn't really even exist when the last revisions were done. So the intention is to ensure a level playing field between different payment types. But for those who are in this area, you've got some fun coming up once that document is published and you need to start actioning it.

SPEAKER_01:

Okay, so who implements these rules? Well, inside of the banks, we have a compliance team. We have many compliance teams in reality. They translate the regulations into policies and ensure the bank adheres to them. We have legal teams, and they interpret the law and guide how, in fact, they are applied. Then we have risk management teams. They assess and mitigate compliance risk by embedding controls into their organization. And of course, we have technology teams. They develop tools for transaction monitoring, sanctions screening, and reporting. There's another section here, which is, frankly, who manages and oversees all this compliance? Well, we have compliant... no, we don't. We have compliance officers responsible for monitoring and adhering to these internal policies and external regulation. They, as you might expect, conduct audits and report breaches. Then we have operations teams. These handle the day-to-day compliance tasks like onboarding customers and monitoring activities. And we have the internal audit teams independently reviewing compliance systems to identify gaps. Of course, we have senior management and their boards leading the compliance culture and ensuring adequate resources are allocated to compliance functions. And that shouldn't be underestimated. This is a huge deal for the senior management of any major institution. By defining and implementing and managing these layers of compliance, banks maintain trust, mitigate risk, and avoid penalties. Let's not forget, we've seen recently that when this doesn't go well, it makes a big spell. It makes a big smell, I'm afraid. And there is a lot of tainting that goes around when mistakes are made.

SPEAKER_00:

Indeed. Before we go on to what's next in compliance, let's put some facts and figures out there against this big smell. So in the first half of 2024 alone, global financial regulators levied 263 billion worth of fines for non-compliance with AML, including KYC, SARs, the reporting, and transaction monitoring violations. So let's just name a few names who have offended in this space. And apologies to anybody who might be working for these companies. I'm sure you've now got your house in order. So Deutsche Bank, 186 million fine due to inadequate AML controls. Despite receiving warnings from the regulators, they hadn't taken steps to address the problems. Starling Bank in the UK, fined by the UK Financial Conduct Authority, 29 million sterling for inadequate crime controls. Digital asset platforms in the UK were fined 762.9 million in 2024. The biggie, of course, is TD Bank, which was fined $3 billion by US regulators for AML failures. This was made up of a 1.7 billion criminal fine and 1.3 billion civil fines. And to quote the Attorney General, if the business case for compliance wasn't clear before, it should be now. Price Waterhouse in the UK fined 15 million sterling for failing to report to regulators their belief that a customer might be involved in fraudulent activity. An Australian gambling and entertainment company ordered to pay 70 million for allowing high-risk customers to use its casinos to obscure their source of funds and for failing to apply risk-based controls to customers. The problem, if we can call it that, is often that these failures happen over a long period. In the case of TD Bank, it was over a decade that they'd failed to update their money laundering compliance program. In 2021, a TD Bank employee took advantage of this to facilitate the laundering of narcotic proceeds on a large scale in exchange for bribes. I'm not sure if he's the one, or he, she, they is the one, who actually got the bribe in prepaid cards, but there were a number who did get that as a bribe. TD Bank knew this type of activity wasn't subject to appropriate controls and failed to mitigate the risk. They failed to do their reporting. Up to 1.5 billion worth of SARs weren't submitted but should have been. I think the TD case gives, it's maybe the extreme, but it gives you a good feel for what damage can be done by a failure to do what is necessary in this space.

SPEAKER_01:

I think that's right. And there may be many things that banks don't want to be in the news for, but this is, I think, very much at the top of the don't-do list. But as you've mentioned, these things do happen. But it's not an area that stays still, like all of payments. It moves forward, and frankly it moves forward extraordinarily rapidly. As the point you were making before, Susan, the bad guys, you know, get their AI and they go after different things, and they're, you know, very clever, if that's the right way to put it. So what's next in compliance? As financial crime becomes much more sophisticated, the future of compliance lies in innovation and being able to adapt. We don't necessarily like to think about it in those positive descriptions, but that's the truth of the matter. They do think about innovation and they do try and adapt. We have a whole new world. We have RegTech, regulation technology. We have AI, we have blockchain, we have advanced analytics to streamline compliance processes, reduce costs, enhance accuracy, etc. We now have such things as biometric verification that can speed up the KYC process. Blockchain. And, you know, we've heard a lot about blockchain, but it has its place here. In compliance, its transparency and immutability make it a promising tool for transaction tracking and ensuring data integrity. Environmental, social and governance, as you were talking about before, the ESG compliance: regulators are increasingly focusing on sustainability, adding a new dimension to compliance frameworks. For banks and for fintechs, the focus should be on investing to be scalable, enhancing customer experience and fostering collaboration with regulators to stay ahead and, perhaps more importantly, stay out of the news.

SPEAKER_00:

It used to be a test for a bank I worked for: would what has happened play well on the front page of the local press or the national press, the down-market version? On the ESG, by the way, apparently the number of fines in that area is also growing immeasurably because of the failure to do the reporting. But in general, this is an area, the financial crime area, where many companies, including Mastercard, who I now work for, are focusing their attention, using cutting-edge data science techniques to trace potentially fraudulent transaction patterns across a payments network, as well as providing proactive alerts to banks about suspicious accounts. So there are things happening out there. We just have to hope that we in the payments world can run faster than the criminals can.

SPEAKER_01:

Yeah. Look... As you know, I've been putting off doing this podcast for quite some time because it's quite hard to do it justice. And I think you've laid it out extraordinarily well, Susan. It is a detailed area. It is a complex area and moves very, very rapidly. Are there any final comments you want to leave us with on this important area?

SPEAKER_00:

I would just say next time your bank or the company you work for tells you you need to do your compliance mandatory training, pay more attention to it. It is critical for the future of your company and also for your wellbeing to avoid being hit by any kind of fraud.

SPEAKER_01:

Yeah. I think every time you get asked for your KYC credentials, it's a bit galling, but hopefully we've identified some of the reasons why it's really important. And as ever, Susan, thank you so very much for your help and guidance walking us through this, frankly, complex area, but a critical area. Thanks so much.

SPEAKER_00:

Happy to be here.

SPEAKER_01:

Well, there you go. Everything you wanted to know about three-letter acronyms, four-letter acronyms, and in some cases, five-letter acronyms around compliance. We talk quite glibly about KYC, AML, sanctions checking, etc. But actually, when you get down to it, it's a very, very complex subject. It moves extraordinarily quickly. And I've been putting off doing this podcast because I think it's a tough one to try and get into. And frankly, a tough one to make interesting. I hope, however, that we have gone through enough of the detail to get you up to speed. Super thanks to Susan for all the heavy lifting she's done in getting this topic across to you. As ever, if it's interesting, please let me know. Tell a friend. And if you've got any insight that you want me to work on, please drop me an email at bitesizepayments at gmail.com. Cheers for now. Bye.