FinTech Compliance Solutions in the UAE. Revolutionary or risky?

The UAE is the Middle East’s leading financial center and a global hub for trade, particularly in gold and precious metals. This large presence in the global financial system makes it a target for financial crime, especially as a transit point for illicit funds. Over the past few years, as part of efforts to further combat this threat, the UAE government has made significant progress in aligning with global Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) standards, largely by improving the robustness of the country’s legislation. The government issued Federal Decree Law No. 20 of 2018, designed to improve the UAE’s effectiveness in identifying and preventing money laundering and terrorist financing, established an executive office to oversee the implementation of the UAE’s national AML/CTF strategy, and established courts which specialize in money laundering crimes [1]. With more than AED 41 million ($11 million) in fines issued by the UAE’s AML Task Force in the first six months of 2022, the UAE is taking significant steps through both legislation and enforcement to combat financial crime [2].

Improve compliance programs

With the government’s increased focus on AML/CTF compliance, financial institutions must ensure that they continuously develop and improve their compliance programs. One of the most effective ways to do that is to leverage the strengths of modern technology disciplines such as advanced analytics and artificial intelligence. There are a number of compliance-related areas where fintech solutions can improve efficiency and results. Examples are:

  • Advanced transaction monitoring and network analysis. Traditional transaction monitoring systems use a set of static rules to identify money laundering behavior. The challenge with this approach is that complex money laundering patterns can be missed and a high number of false positives are produced which can strain the compliance team’s resources. Advanced transaction monitoring systems use artificial intelligence, machine learning and network analytics to uncover and identify complex patterns in both transactions and customer relationships that would otherwise be difficult for human analysts to detect. In addition, advanced monitoring systems produce fewer false positive alerts and can provide a risk rating to the alerts generated, allowing professionals to review the most urgent cases first.
  • Automated customizable sanctions screening. Automated sanctions screening applications allow organizations to screen their customer base and transactions in real time against relevant sanctions lists. This allows compliance professionals to review the alerts generated for potential sanctions hits rather than spending valuable time manually checking each name against each of the selected sanctions lists. These automated applications also make it possible to configure the underlying algorithms and similarity threshold to match an organization’s risk appetite and reduce the number of false positive alerts produced.
  • Streamlined customer due diligence. Traditionally, customer due diligence is a time-consuming process, and the introduction of new technology can significantly reduce the time it takes. Advanced analytics applications are designed to streamline the various phases that make up customer due diligence, from ID verification and negative news screening to checking device connections, so compliance professionals’ time can be better spent elsewhere in the organization.

When properly implemented, modern fintech solutions form an integral part of an effective compliance program. In light of the clear benefits of adopting advanced technical solutions to combat financial crime and improved regulatory control in this area, financial institutions (including those in the UAE) are increasingly turning to third-party fintech providers to build their internal monitoring systems. In the past, it may have been possible for these systems to be built in-house. However, that is no longer the case given the need for specialists in areas such as machine learning and advanced analytics as well as the AML/CTF expertise of compliance professionals.

Third Party Tools – Reduce Risk

While third-party applications can undoubtedly help financial institutions implement robust compliance programs, there is a risk that costly problems can arise if used incorrectly, especially if the provider and financial institution have failed to communicate effectively.

A recent example is the finding of violations against MidFirst Bank by the US Treasury Department’s Office of Foreign Assets Control (OFAC) [3]. The violations identified by OFAC ultimately stemmed from miscommunication between MidFirst and a vendor that provided its sanctions screening software. On September 21, 2020, OFAC designated two individuals as subject to US sanctions by including them on OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List). The software used by MidFirst failed to raise an alert that these individuals were in the bank’s existing customer base. As a result, MidFirst processed 34 transactions totaling more than $600,000 on behalf of these individuals before the accounts were blocked, 14 days after the individuals were added to the SDN List. These individuals were not flagged earlier because MidFirst misunderstood the scope of the contract it had with its supplier. MidFirst mistakenly believed that the provider would screen its entire customer base daily for changes to the SDN List. In fact, the supplier was contracted to carry out daily screenings only for new customers and existing customers with updated personal information. The decisive factor was that the supplier was only contracted to screen the entire customer base once a month. This misunderstanding left a gap in the bank’s compliance procedures: an account for a sanctioned customer could be maintained for up to 30 days before being flagged as part of the monthly customer base screening.

This is one example of many breaches by financial institutions around the world caused by misunderstandings about the scope of the solutions provided by suppliers, or by miscommunication between the parties about what the solution implemented by the supplier must achieve. Risk between supplier and financial institution must be managed in all phases of the software life cycle. Relevant considerations for both parties include:

Implementation. Has the application been installed correctly? Does the system work exactly as expected? Has the assignment given to the supplier been fully fulfilled by the application installed?

  • The risk of inadequate implementation can be managed by ensuring that the financial institution provides a comprehensive overview to ensure that the supplier has all the relevant knowledge (including an understanding of how the institution operates) to develop and implement software that is tailored to meet the institution’s specific needs. Once the implementation is complete, a full audit of the application should be performed by the institution in collaboration with the provider to identify any issues.

Updates. Are updates checked before they are deployed? Do the updates change the scope of the application?

  • As above, communication between the organization and the supplier is important. The impact of updates should be fully understood and accepted by both the compliance and IT departments before they are deployed, and the impact confirmed once deployed.

Settings. Has the financial institution been made aware of the impact of changing the application’s settings?

  • Many applications, such as applications for automated sanction checks, have settings that can be changed to reduce the number of alerts produced. Institutions should ensure that they are aware of and understand the impact of changing such settings. For example, increasing the threshold for ‘similarity’ in an application for sanctions control will reduce the number of alerts produced. But the downside of doing so is a risk that true positive matches may be missed if the threshold is set too high. The decision to change the settings for a sanction screening application depends on a number of factors, including the organization’s risk appetite and the specific circumstances under which the sanctions lists will be examined. Any decision must therefore be assessed in the light of these factors.
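The trade-off described in the Settings point can be measured before a threshold change is approved. The following is an added example, not code from any screening vendor: it assumes a normalized edit-distance score as the similarity measure, and the names, ground-truth labels and thresholds are constructed for illustration.

```python
import re

# Constructed sample data: fictional names, not taken from any real sanctions list.
SANCTIONS_LIST = ["Ivan Petrovich Sokolov", "Maria Delgado Ruiz"]
# (customer name, is this really the listed person?) Ground truth is assumed.
CUSTOMERS = [
    ("Maria Delgado Ruiz", True),       # exact match
    ("Ivan Petrovitch Sokolov", True),  # transliteration variant of a listed name
    ("Mario Delgado Cruz", False),      # different person with a similar name
    ("Ahmed Al Farsi", False),          # unrelated customer
]

def normalize(name):
    """Upper-case and collapse whitespace so formatting does not affect the score."""
    return re.sub(r"\s+", " ", name.strip().upper())

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Score in [0, 1]: 1.0 is identical after normalization."""
    a, b = normalize(a), normalize(b)
    return 1 - levenshtein(a, b) / (max(len(a), len(b)) or 1)

def screen(threshold):
    """Return customers whose best score against the list meets the threshold."""
    return [name for name, _ in CUSTOMERS
            if max(similarity(name, s) for s in SANCTIONS_LIST) >= threshold]

def threshold_report(thresholds):
    """Per threshold: (threshold, alerts, false positives, missed true matches)."""
    rows = []
    for t in thresholds:
        alerts = set(screen(t))
        false_pos = sum(1 for n, real in CUSTOMERS if n in alerts and not real)
        missed = sum(1 for n, real in CUSTOMERS if real and n not in alerts)
        rows.append((t, len(alerts), false_pos, missed))
    return rows

if __name__ == "__main__":
    for row in threshold_report([0.80, 0.90, 0.97]):
        print("threshold=%.2f alerts=%d false_pos=%d missed_true=%d" % row)
```

Running the same report against a labelled test set before and after a settings change gives compliance and IT a shared record of which true matches a stricter threshold would no longer surface.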

The examples above are just a few of a number of scenarios where vendor-supplied software can expose a financial institution to risk. Omissions or oversights in software can often result in financial institutions paying a high price, ranging from purchasing additional or replacement software to, in the worst-case scenario, being subject to enforcement by regulators as a result of compliance failures resulting from misuse of software.

One way to mitigate the risks outlined above is to engage with independent experts on a regular basis who are experienced in interrogating and assessing the suitability of compliance applications from an impartial perspective. These experts can identify and advise on shortcomings in the functionality of the application and suggest ways to improve or adapt the application to suit the individual institution’s specific needs and circumstances. Using external experts reduces problems likely to arise if you conduct a review in-house, such as bias, available staff bandwidth, and lack of specific skills and experience.

In short, when used correctly, vendor solutions can improve financial institutions’ ability to effectively and efficiently combat financial crime. However, financial institutions must be aware of the inherent risks that arise when they rely on vendor solutions. It is essential that thorough risk assessments and performance testing are carried out throughout the life cycle of the technology, ideally by an independent expert.
