Sybrins Game Changers - The Future Of Financial Crime - Absa's Head Of Financial Crime Nic Swingler

Colin Iles: It's great to see. So I'm just going to jump straight in and actually do it a bit oddly, compared to how other people run these things. We'll do an intro for you. But I don't want to start with that. I want to start with a bigger question: not who is Nic Swingler, but what is financial crime? Because I need to frame that for the next question, which is going to become clear why in a minute.

Nic Swingler: I guess I have to frame it properly for you. I think in the general sense, Colin. So financial crime is when a crime has been committed. And that could be any particular thing. So it could be bribery, corruption, it could be the proceeds of illegal activity, and then using the financial system to basically move, keep, launder, etc. the proceeds of crime. So crimes are committed, there are many of them that are committed; when the proceeds of crime flow through or enter the financial services industry, that's when we need to, or there's an expectation that we would be able to, pick that up, track that, report that, and that us as a firm, we will take whatever measures we can to mitigate our risk and exposure to those types of activities.

Colin Iles: Okay, so basically, you know, in simplified terms, it could be anything, you know, as long as there's crime, which could be anything, and there's a financial aspect to it, whether it's the crime itself or moving the benefits that they've received from the crime, it's going to touch the Financial Crime Unit in Absa and all the other banks, not just Absa, obviously, yeah. So my second question is why on earth would you want to go and become the Head of Financial Crime for any organization, because it feels like you've got this much risk to try to manage across thousands, hundreds of thousands of people around the world who are committing crimes. And it almost feels as a starting point, it's virtually impossible to capture all these people, you're heading towards a situation where at some point, someone's going to turn around and say the financial crime unit have not done what they should be doing. Why on earth did you get into this?

Nic Swingler: It is a good question. And I'm not crazy. The reason why I got in is because, yes, there's a lot of downside risk here. We will never be claiming that we can reduce the risk to zero for the firm, we can never deliver something that will say that crime will never enter into the firm or will catch it. So we have to basically do the things that we can do to optimize the impact we can have either in detecting and reporting or disrupting this activity. Why I entered into it personally is that I enjoy the concept of a risk discipline. So this is alive 24/7. This happens every day around us. It changes regularly, so we have to stay up to speed with that, and then also the aspects of risk management in this specific discipline require the deployment of a lot of technology and tools and techniques, the use of data, etc., to actually provide the risk management tool. So although our function sits in compliance, it is not about complying to a set of rules and regulations as the objective, it's actually by looking at how we can understand, quantify and mitigate the risks that we're facing in the firm, and mitigating to a level that's acceptable, but doing it in a way that we will comply. So that for me was the move away from the old style, tick 10 boxes, and we've done because we comply with the act. And that's a guaranteed recipe for failure in terms of our risk that we're taking in the firm, so the transformation of that into something that is a real risk management capability. And yes, risk comes with judgmental conclusions or subjectivity. And we do make mistakes, but we learn from that. And in the world of risk, there is no real nirvana or perfection. It's a messy business, and we need to get through that as best we can. So those are the things that personally appeal to me. Yes, we still get many questions about why did you not see this? Or why didn't you pick up this? Five years later, someone has the benefit of hindsight, and it looks so obvious, but five years ago, we've made it look that obvious to us. So yes, you have to have a thick skin and be able to move fast in this business.

Colin Iles: Okay, so huge scale in terms of the size of the problem that you're trying to go and resolve. You're telling us you're not crazy for moving into this, it's actually an interesting area, especially as it's moved from kind of ticky box exercises to a risk based approach. We want to go into that in a bit in terms of where that's taken the future of managing financial crime and preventing financial crime. What did you do before you went into it? Just the last part of the backdrop, because I think that's also important, that the experiences that you had prior to that, I think, were really good grounds for you to actually get the appreciation of financial crime before moving into it, because it touched many of the roles you had beforehand.

Nic Swingler: Correct. So I was the chief operating officer for the corporate investment bank, and that did actually expose me to the technology that we had in that system. And in that business, the type of transactions, the business, that exposed me to the aspects of data. So there was a lot of operational and technology experience, a lot of product understanding; those things are a lot more beneficial and critical to succeeding in the space than having a degree in law, for example. The other bit that I'm saying, am I crazy, but this never was part of my career planning. And so it came as quite a surprise when I was approached to see if I wanted to do this job. But as we got into the discussion, the things that appealed to me were exactly those ones, that I can actually leverage off my technology, operational, product experience as the chief operating officer for the corporate investment bank, and then basically apply that, or those principles, and apply those skills to rebuild a function that is very different to what it was five years ago.

Colin Iles: So can you give people an idea about just how much you actually have to cover? I think a simple way to introduce it is just going through some of the acronyms that exist. You know, we've got ABC, KYC, EDD, overseen and reporting into the, you know, the FCA with AML. And we've got PIP and PEP, and STR, and I'm probably missing out on a huge number. So why don't we go into every single one of those, but can you give people an idea about just how expansive it is across the bank in terms of trying to deal with financial crimes, such as every single person basically?

Nic Swingler: Correct. Absolutely. And there are many acronyms, and actually, they sometimes baffle me as well, but they're expansive. This is basically across all our locations, all our products, all our customers. So every transaction that comes through the bank needs to be understood and looked at, on many angles, and then from a behavioral point of view, from actual transaction points of view. So yes, it is very expansive in that sense. And then also, if you look at the expectation of the supervisors and the regulators, there are numerous acts and requirements that we have to meet, as you said. We've got suspicious transaction reporting, we've got the Financial Intelligence Center Act in South Africa, we've got the equivalent of that in all the other jurisdictions that we operate within. So then, if you layer on top of that, we have basically our executive committee and our board, where the appetite for certain risks are not there or with appetite for certain levels of risk are just basically much lower. So there's a big angle of reputational risk linked to financial crime risk appetite as well. So you've got those three aspects playing in terms of: I need to comply with a lot of requirements and legislation, I need to comply with ensuring that we deliver the appropriate risk appetite and residual risk for the firm. And then we have to cover everything that we do within the firm. So those three axes probably working, but the way to do that is to unpack them, understand the threats and the risks in the first instance. And then we will build that in a way that we meet the expectations of both our exco and our board and our regulators and supervisors.

Colin Iles: Alright, so if we think about that as a starting point, just a couple of years ago, perhaps, and in many ways, perhaps it's still, you know, prevalent in a lot of organizations, I've always seen the risk management framework being rather procedural, rather ticky box, you know, so if you take KYC as an example, there's lots of questions and thoughts, you could look at it, but actually, it's rather formulaic: if he falls into this category, then you have to do this, if it's that category, we have to review it, you know, in 12 months' time, if it's coming from this jurisdiction, it's on this list for sanctions, then we just don't touch that entity or that particular person. Can you give us a sense of how that's changing, because you keep talking about this risk based approach. And everything I ever saw was extremely procedural, very black and white and binary. And the approach to go and deal with it.

Nic Swingler: That, you understand correctly, is probably one of the biggest challenges. You can change everything to a risk based approach. But what happens in a large firm is that when you execute and operate, people want to know, what should I do, and the more you get into the detail, the more it is, show me the 10 steps before I onboard a customer, which pieces of paper or which data points do I have to collect; the person then runs a process and executes. That's a natural kind of tendency of how these things are run. The challenge there is to get people to understand what they are doing. A very good example would be companies, for example, are coming to South African banks and asking them for foreign currency accounts. But the companies are not based in South Africa, and they haven't got any business yet. So then they will have reasons as to why they try and explain why they should be banked here. But from an onboarding point of view, if that team is collecting the company reg number, the address, the directors, the whatever, you screen and test all of those things, that is all fine, that no one's asking the question as to what business does this company have in South Africa? And why should we, therefore, bank them in South Africa? So that ability to understand what we're doing versus trying to break things up into a process is a real challenge. So what we do is, we start off with the risk in the trades. And then we try and put in place approaches and standards in terms of how to do that, but not trying to dictate that it's this or this or that. So if I have to identify a client, we have to identify the client. Now, I can do that through an identity card, or I can do that through your fingerprint and then send it to Home Affairs and get confirmation. But there are options of doing that, as opposed to you must only do 1, 2, 3, 4, 5. But it's an ongoing battle, Colin. And I can't say that the whole firm has now flicked from a process driven to a risk management. And also, in certain areas where you do detail execution, you want people to follow a certain level of quality. So there is some form of process, but it's ensuring that it is not driven to the point where we forget about what are we doing? What are the real questions around risk, etc., that we have to ask?

Colin Iles: Yeah, I mean, how much progress you make. And I was thinking, though, a lot of the questions that were coming through didn't make much sense to me. I mean, one of the ones just practically that everyone on the call will be used to is, when they've been KYC'd, and they're asked questions, you know, can you prove your home address, your residential address? I never fully understand what the point of that from a risk management perspective is. But is it useful? Or is it just one of those legacy form based approaches which you just have to comply?

Nic Swingler: That's a very good example. And that one actually stemmed from the previous act that the Financial Intelligence Center had out there, where the act was quite prescriptive, and it said, you will collect ID documents, proof of address and whatever, so that when the FIC Act was changed and amended, probably about, we effected maybe about three years ago, that requirement has been removed, because it is a very prescriptive requirement. So the banks now don't have to collect proof of address. And many of the banks don't do that anymore, because we couldn't understand the link between Colin's risk if he lives in Johannesburg versus Nic's risk if he lives in Bloem, or Durban or wherever it may be. So, yes, there may be some aspects of client service you would want to derive off the location. And there could be some aspects of crime hotspots that happen in certain areas, but because Colin lives in Joburg because it means a criminal and we can't bring the two together. So address actually isn't a prerequisite for onboarding a large portion of the customers. Where it may come in is if you're a politically exposed person. And the address is helpful to understand where the person is based, understand associates and close connections and relationships and stuff. But that is a very good example of something that in the prescriptive rule was there and had to be done. But now we have the option not to do it. And we have, and so have many of the other banks, moved away from that being a requirement for onboarding.

Colin Iles: That bodes well, that you're getting support for making these changes. Do you - what's the psychology here? I always found that if there is something in place as a procedure in a large organization, it is incredibly hard to get people to buy into, remove that procedure or that particular control. They will - their natural tendency is to say, no, it must be there for a reason, I can't think of it but someone thought about this before me, therefore, we're going to keep it. So as you're going to this risk based approach and stopping some of these more procedural controls, are you finding it difficult to get the organization to go with you?

Nic Swingler: Oh massively, and I think it's an ongoing battle that every organization, especially the larger ones, will fight for the foreseeable future. And probably for a long time after that. There are many examples. When we were sort of looking, for example, at our business banking customer base, there were probably 50 prescriptive fields that had to be collected. And it made the customer experience quite horrible. When we went through why that has been done, many of the comments coming back: yeah, but this is all for audit point from five years ago, or I don't know, but we just do it in this way. So the set of data fields that were required, we reduced that by probably 70%, in terms of none of them are financial requirements, you somehow have built things into your system that is just left over time, to your point that the next person who takes on the job just does it because the previous person did it. So it's that battle of pushing hard to say, why are you doing it, and we don't have a problem driving for that. Because ultimately, the sweet spot is being able to get the things we need to manage the customer in terms of the risk they pose, but also to service the customer. And lastly, to provide a customer experience that is acceptable or enjoyable, maybe as an aspiration for the customer. So we have to get that right. And it's not just a financial crime request. It's actually a combination of those together. But yes, it's an ongoing battle to root out those procedures and processes that don't add any value, but have found a way to live just over the years of them being

Colin Iles: And are we actually seeing much financial crime in South Africa or across Africa? Because if I was using, for example, the amount of fines that have been pushed out globally as a benchmark, there's very few that seem to have been pushed out to the financial sector in South Africa. But you know, we think Goldman Sachs, 5 billion for their 1MDB, you know, saga; Wells Fargo, 3 billion; JP Morgan, 1 billion; Westpac, 1 billion; Citi. You can just basically say any fine now, particularly for the US banks, if it's not a billion or more, the regulator isn't doing their job, but we've not seen those types of pressures from the regulator, or at least I haven't seen that type of pressure from the regulators in South Africa. Is that because we don't have a huge amount of financial crime?

Nic Swingler: And there is not, so you're right and center, we haven't seen across the continent the magnitude of fines that have been issued, especially by the US, and then followed probably by the UK and Europe. But it doesn't mean that there isn't financial crime. So we absolutely have significant amounts of financial crime across the continent, in South Africa. We can talk about the recent aspects of state capture, we can talk about whether it's wildlife trafficking or secret smuggling; there are many crimes being committed which find their way into the financial services industry. The reason why the fines are there could be because the banks have discharged their obligation, so that will be picking it up and reporting that. And the reason why you may not see that in the public is because those reports are consumed by the authorities and the public sector institutions, law enforcement, etc., to then act upon. We aren't seeing significant action, and that's the conclusion of a recent FATF mutual evaluation that was finalized probably two months ago on South Africa, where we do have deficiencies in our end to end chain of fighting financial crime. Having said that, I can't think that the banks are perfect. I mean, I've done, I sit in this spot for one of the large banks, we always are looking to improve, and we always have to change and do things better. And the key things for that I would watch out for is, do I pass the reasonable person test in terms of did I apply my mind? Did I do what can be expected of me? Those are, I think, the benchmarks for being fined. I think some of the fines that were dished out in the respective activity in South America, for example, there were some explicit circumvention of rules, etc., by some of the banks that were fined. We haven't seen that in South Africa. But there is a valid question mark around: are the banks as effective as they can be? And it's for each of us to basically become better and make sure that we are as effective as we should be. Maybe the last point on that is, in the absence of anything being done, the bank is sitting with a risk, so I can see that Colin Iles is definitely a problem for us, and he continues to behave inappropriately. I have reported Colin Iles many times through a suspicious transaction report, this is not real, Colin, this is -

Colin Iles: I am just sitting there thinking this feels very realistic, I'm just going on down, they've caught me.

Nic Swingler: But we say that nothing happens in terms of any action against Colin; at the end of the day, as a bank, we're gonna have to make a decision. Here's the reputational risk for the bank of continuing with Colin, more significant or larger than exiting Colin, and then at that point, you may find that the banks will choose to exit risk that they can't mitigate, or reduce, or there's no action around the activity they see. And that's where you see bank exits as a kind of like a, not a last step. But we have to mitigate the risk. And that is one of the magic things that are available.

Colin Iles: That's quite interesting, because you go from a form based approach to risk based approach. And now you end up in a very, very human sort of discussion, it's a very emotional discussion where the facts kind of start to fall away, and it becomes, you know, I'll just use an example. Let's talk about politically exposed people. So there's an onboarding process, they're a significant player, you'd love to have their account, they have multiple business interests, which if you look after them, both personally, you're hoping to pick up the business and the corporate side of pieces that they're doing. They are politically exposed, you do want that account, you're now running it through the structures to assess what reputational risk you could be taking. That must be really hard to keep the balance, because often when you get to those senior levels of leadership in the banks, they are working in the politically exposed realms themselves. They know those people and actually sometimes they are politically exposed, just as the individuals who are monitoring what's happening. So how do you sort of deal with these, to try to make sure that you get the correct arguments and emotions in the discussions for what is a very grey discussion?

Nic Swingler: The what we do in the best way to go off it is to do as much as you can recall, enhanced due diligence. So gather as many data points and facts on the person or the entity, or whatever you're looking at, so that you're best able to understand the risk. And also you have some way of quantifying that. You're trying to move away from emotional discussion. There they are. I mean, if you talk about a politically exposed person, we have an approach to them in terms of risk identification, quantification, acceptance of that risk. There is nothing wrong with banking an exposed person; there's a problem if that person starts to misbehave. But that's the same problem as banking Colin Iles. And there's nothing wrong in banking you. But if you start to misbehave, then I should be able to pick that up and your risk profile has then significantly changed. If I have a politically exposed person that wants to onboard with me, and they already are misbehaving based upon the data points I'm collecting, then the risk that they pose to the firm will really be significantly elevated. And those are decisions that have to be made. But with assessing risk, I think the best way is to not leave it to any major decision or a judgmental decision only, but during the enhanced due diligence, collating as much as possible to understand what it is, and then make a better informed decision.

Colin Iles: Oh, Greg, are you there?

Greg McCormick: Yeah, I'm here. Can you hear me?

Colin Iles: Yeah, we can hear it loud and clear. So UBO’s is ultimate beneficial ownership? I'm excited about this on the Panama Papers. Shoot, you're on? Greg McCormick,: Yeah, I actually made a slight typo there. I meant to say, with the release of the paradise papers

recently, and in the Panama Papers before and obviously all the other dumps of information on hidden corporate entities, hidden money. It seems there really is a lot of inner inner energy around the concept of resolving ultimate beneficial owner. I'm sure you're more than aware that FinCEN is as is earmarked about half a billion dollars to create an assistant to help that with that in the US because they were pretty embarrassed, embarrassed by the stuff in the in the last drop of information. So what I'm curious about is, is a couple of things. Do you see the SA government helping to make access to like trust information easier? Because trust information is very difficult to get it's not timely at all. It's pretty opaque, as well as like shareholdership on corporations, I mean, we can find out who the directors are pretty easily and stuff like that. And then these are all kind of put together. And then in relationship to the UDO side of things. Do you see

all of this changing regulation in the area or the region? And then finally, how does all that do? How do you think it's going to impact your practices and procedures related to that? So yeah, sorry, sorry, it was fairly complicated. Colin Iles: Yeah, yeah. Go, go. Go Nic Swingler: Thanks, Gregor, those are all very good questions. So and maybe a bit of background, when I talk about the legislation, what we find in Africa, and SA specifically, that the large banks that have a footprint outside of the base country, and are linked into the international financial community, we have to provide a level of control and governance and therefore a risk profile join international providers that are acceptable. So we were part of boxes in the past that we were operating as a, all at the same level that any national bank would be operating at. Since the sell down Barclays, we spent a lot of time with, for example, our dollar tiers is our hard currency clearing banks to take through what we do, and how we actually meet the expectations of the international financial industry. And not just the local

reg requirements. Absolutely. In the US. The drive is there. And we've been unpacking UBO without clearing banks for a long time to take them through how we go about doing that the levels we go down to it is now in the new act requirement that all banks have to do a ultimate beneficial ownership, analysis up to the warm body. So the concept is there and that that concept is good. Like I said, we've been doing it probably for the last

10 years, we really have struggled by being initially the only bank out there asking companies all these questions and trust where the beneficiaries don't want to know us to know who they are, but you just can't bank companies or entities if you don't understand that. So that's the first point. The second one is the the FATF mission evaluation report that's come out and that I refer to earlier has been quite explicit that the country is lacking in its It's recording of beneficial ownership. And it needs to implement some form of a register, with allotted as a bank for that, because we've been driving for that for quite a while, the register doesn't solve everything for us. And we still have to go through the work and unpack it. But it provides a credible, timely source of information that we can tap into to understand shareholding all through up until we get to the actual warm body. So that is one of the key recommendations and needs to be

significantly advanced, if not kind of live by 18 months from now. So we really had some discussions with the regulator around that as a banking industry and we have committed that we will we will continue to, to help and drive that with them. So I would expect some form of register to to be in place. The trust is very interesting, because the we don't share or we don't retain our information in South Africa, in the same registry. So you've got to a company registry, but the trust deeds are all in the Masters office and in the different courts. So and that was a discussion, we had a differential con symposium about two weeks ago, if you want that someone has to go 2 levels in the basement, get some file, get some document, it's a real problem. So there's also a

commitment to see how best to store those records, for consumption by the appropriate institutions, etc. Going forward. So I would hope that as a country, we are significantly advanced in this within the next 12 to 18 months, it is a requirement for the banks to do appropriate and beneficial ownership analysis, it is critical for us to be able to to rely on a credible source. So hopefully the register will be

something that that we can get pretty soon. Hopefully that answers the question. Thanks. Colin Iles: Thanks, Nick. I want to take a slight pivot, but it's not totally because you sort of mentioned it again, as a theme, you are spending a lot of time in terms of UVO trying to implement processes where you're looking for that warm body, you know, quite progressive in that area, as opposed to some of the procedures that other organizations have been doing and it makes absolute sense. Do you get the feeling sometimes that you are burdened by the level of regulatory control that you're trying to put in place compared to some of the fintechs particularly that are out there, this is something that Jamie Dimon, you know, said Was it last year and actually had it written in there, JP Morgan's annual results, they have a uncompetitive- they have a competitive disadvantage compared to the FinTechs because of the regulatory burden that they're having to try to apply. And also their own internal risk perceptions about what they're trying to do. Because any

FinTech can come along basically sets up an online onboarding process. And wam bam, there you go. You've got your account. It happened in five minutes. But he's implying they've got very few controls in place. Do you? Do you believe that's a little

bit true? Nic Swingler: It's not in respect, if UBO do, but but it absolutely is, I think that the playing field isn't level, which always creates a problem. And the problem he creates for for ourselves is that those FinTechs, or whichever peripheral players that they are, they want to also access the banking system, but they're doing it in a way that they haven't got a banking license, so they don't have to comply with the requirements that we have. So there's a point where the, the two don't connect nicely, if it gives something to me, that's of equivalent quality, then I can plug it in, and we can play and we all at the same at the same level. But if you're plugging in something that is of a significantly inferior quality, it becomes a real challenge for us. And it's not that the banks don't want to play in that space. It's not that the banks don't want to provide services. It's more a

question of how fast can the regulation catch up to ensure and this is a concept that is, is also using that will spread forum and discussions amongst the larger banks is same risk, same rules. If that principle can apply, then I think everyone can play because if you are posing in whichever business you are, if you're a FinTech, if you are a capture virtual, virtual asset provider, etc. If it's the same risks, it should abide by the same rules. What we're finding is the rules are well established and defined for the risk in for that specific risk in the banking industry, but that same risk that operates elsewhere, the rules aren't defined for it. So how quickly we get the same risk, same rules principle from a regulation and from a supervision point of view, to be to be applied, but I absolutely agree that there is a disadvantage. It doesn't mean that, that everything we do in the regulations we have are inappropriate. But a lot of that's actually very

appropriate. And it provides the appropriate risk mitigations to make sure that we don't actually become a systemic problem for the country or that we have an issue in terms of customers, etc. But the same rules shouldn't apply to the players who pose the same risk. And we don't see that yet. And it's not

difficult, not as fast as, as we would like to see that. Colin Iles: Yeah, I get the feeling. It's really difficult though, because all those different sectors have got different regulators. So if I'm the GSE, if I'm a TelCo if I'm an insurance provider, if I'm a bank, if I'm a FinTech, not even using, not without, you know, not using a banking license and underwritten by a particular bank, it feels like it's always it goes to go and get multiple different regulators to actually come together to go and get this same risk, same approach model in place. Nic Swingler: Correct. And I think that also what's happening

with some of those companies that don't fall into the space of only a single regulator, but at the moment, they are still regulated by a single regulator. So if you look at the TelCos, many of them want to be banks. But okay, this is quite a different approach to to apply for banking license. But if you remain as a telco under your telco regulation, but you are doing things that look like a bank, those are the aspects that we when when do you flick over and when should you then start to say, Okay, well, the things I'm doing just on plain voice and data on a on a mobile device, they are actually peripheral services, which are looking like and have the risks of something that is more banking, or whatever it may be that the services that those guys offer, Colin Iles: when we look at the criminals, and think back to what you said earlier, I mean, state capture has obviously been a massive thing in South Africa, without question, a lot of that money has been going through the South African banking system.

And I'm sure there's lots of analysis on that now, what's your assessment of how that was able to happen, you know, at the different points on the process, whether it's onboarding the companies, you know, lending to those specific companies, going and dealing with the specific transactions that they're passing through often cross border to their colleagues, let's call them colleagues, you know, but that's we're talking really billions of rand, that they've managed to maneuver through the financial system. What's your take on how this has occurred? And what needs to change? If anything?

Nic Swingler: It's again, a very good question. So I can't speak for the industry, but the depth of our bank and if you look at some of the stuff we're doing across the Banking Association, the banks have fulfilled a role in terms of reporting suspicious activity, there are thousands of reports that get submitted, how they were then disseminated and acted upon is a different question. We had to the factor of evaluation and through the Zondo Commission, quite a few questions asked across the end to end. So with all of this, why didn't nothing else happen? We can't deny the fact that there was a lot of maybe the word capture of other institutions as well, which stopped the issue or the flow of things in terms of getting to a conclusion, some conviction, some aspects of closure on that. So definitely that is an issue, because if it doesn't happen, it's difficult for the banks to kind of again, mitigate some of the rest, what you did see is that the banks were the first ones to start to exit some of the customers we think created a big problem because they were, and it's on record and public record that we were actually the first bank to exit the group tiers and the protected companies quickly followed by some of the other banks, which then kicked off a much broader level of awareness. But if I look back again, on some of the things, maybe five, seven years ago, with hindsight, yeah, we could have done more. The question is, did we pass a reasonable person test? That's probably the one I, it's difficult to answer. I think the banks all fold and discharge their reporting obligations, as far as they are aware. How much more? It is a fair question. Yes, a lot of the money did flow to the banking system. And maybe the last comment is, it's very difficult or not very difficult, is more difficult to pick up bribery and corruption on the transaction, the transaction could look like a purely commercial transaction, the fact that someone is paying 500 rand for a widget as opposed to 50 cents. You can't really see from the transaction in terms of the company's paying a supplier so there's a little kind of the second layer or another step you have to take before you can uncover that. So, and the banks aren't able to call for some of those contracts, etc, and shouldn't be, because that's not the business of a bank. But it's a little bit more obscure in terms of finding it. But that doesn't mean that we shouldn't be top of our game in picking it up.

Colin Iles: Would it help me if the banks were able to collaborate with each other more to go and deal with these issues, I feel sorry for the decision makers in a certain way, we're dealing with this client, we're not 100% comfortable with them. But we're kind of on our own, we can talk amongst ourselves. And there's a lot of pressure to maintain that because of the margin and the P&L that it brings in, I always feel that there's a need for a bit more independence there where you can actually go and share information with other banks, regulators, independent third parties, I don't know what you're going to construct it as, so that you're able to go and add that one plus one. Yeah, we've also got the same concerns. We're seeing these types of transactions, which when we combine that with what you're seeing, there's something that's really going on here that we should be concerned about, when you're focused narrowly like that you can't do that, is there talk about trying to work more collectively, as an industry,

Nic Swingler: You're spot on center, there's so much more benefits and a significant increase in effectiveness that we can achieve. If we start to collaborate, that to your point, at the moment, I'm seeing my slice of the pie. So I see the wedge, most criminals, and you can probably put all of them in there. And especially the entities, they are multi bank, and they know that the benefit of multi banking is that they can split their business into components that is very difficult for anyone to put together. So if I have a portion of something, I can't see the bigger picture. Collaboration at the moment, works on a couple of angles. So it's private, private. So that will be the banks amongst themselves. We have just kicked off in South Africa. Now, a workgroup that will analyze whether we have impediments to share information across the banks, and that will include ourselves though I the banking industry, it will include the Information Regulator, the FIC, etc, etc. So everyone just looking at what are the impediments? And therefore, what do we have to change? Do we have to make an amendment to a certain act or a law to allow and provide for that? What are the safeguards? How can we do that in a way that's acceptable? So that is a

Nic Swingler: It can be just a painting so there are exemptions. So if you do something in the pursuit or fighting financial crime, then having a level of privacy shouldn't be afforded to a person. So I don't think POPI is trying to, to provide I'm not the lawyer, I was the chief operating officers, I should be careful for getting a legal opinion. But my belief is that we actually can do some things and we shouldn't interpret POPI as trying to provide the criminals with a safeguard or with privacy of all the information. So that will be unpacked in terms of the private private, what you see globally, you see the MAS, the Monetary Authority of Singapore, they are driving from the regulator side, banks do share information, they have gone live with that. You've seen in the Dutch in the Netherlands, they have got a private initiative, but it's supported by the public sector, where the banks will start sharing and the UK are talking about the assembler regulation being amended, able, enabling the banks to be able to share information, and then for the bank to share data and also to mine the data in a consolidated fashion as opposed to in a wedge or a slicer that. So I think we will definitely move into that space. I know that there's a massive benefit from that in terms of being a lot more effective. So you find more, you find things you probably would have maybe found much later, you can find them early, early detection, those things are all beneficial. The second aspect is the private public sharing. So that's the sharing from the banks through to the FIC through to law enforcement through to national prosecuting authority. In South Africa, we launched SAMLIT, which is this South African Anti-Money Laundering Task Force, integrated task force, where we working together with the FIC. We have target operating groups, we have expert working groups, that's where we unpack in a safe environment, a lot of aspects that allow us to share information specifically on a topic or target with the authorities. So that has actually led to a significant improvement in the effectiveness across the Internet chain. There is more to be done, but both on public public and public private, those are two key enablers for us to be able to stand any chance of being better at the game. And I think it's been recognized across the country and definitely across the globe, it's already in place in terms of sharing their specific pieces of legislation, for example, in the US as well, that enables that already. So I would expect us to follow that we are pushing hard as the bank, so we will do whatever we can to be able to be more effective.

Colin Iles: So we got looking forward, you know, some progression then. So we've got regulators who I think, are deservedly recognized globally as being good regulators, proactive, not necessarily the fastest, but their regulators would like to see, you know, more progression, but they're backing a risk based approach. You know, for example, we've got a collaboration starting across banks and other institutions and bars are trying to go and create frameworks for information sharing and partnering so that you can see the whole picture.

So these are two great starting points. You're hopeful you're there's not necessarily a benefit for banking, but you're hoping you'll see the framework starting to level same risks, same approach. Over time, let's see whether I'm less convinced that we're going to see that one happening particularly quickly. But you know, we'll see. Okay, so we're off to a good starting point. But now we've got this huge influx of new technologies, which is starting to change the game, both for financial services and for the criminals alike. And I wanted to go through three of them to understand how you see these playing out over the next couple of years. The first was sovereign identity that was top of mind for me, after chatting with one of your ex colleagues actually, Andy Baker about sovereign identity, it feels like something which could be revolutionising how people are going to be actually dealing with financial institutions.

Nic Swingler: Absolutely, the days of presenting a certificate, green ID book, or currently ID card, those things are subjected to a significant amount of fraud or the ability for them to be used to, and reproduce in a way that someone getting that or receiving that other branch can quite easily be confused or conned into accepting it. So back to the user document is a piece of paper, tick the box, on we go, we have to get you something that is probably more credible, the experience from the customer side is much better. We can I mean, the next step up from there would be the banks are able to ping the Home Affairs database, which has the unique names, surname and ID number and biometrics of the fingerprint. And for the more recent was also the photos of individuals. So that is at least a step up. So from my point of view, from a quality aspect, I would much rather prefer that than someone presenting a physical document or record. And also, the experience on the customer side is so much more rich, because the customer can walk in with nothing. And we're able they can say I'm coming out and they'll say, Okay, I hear you coming out, stick your fingerprint down there. Now say yep, I can see that you are Colin Iles. So those are, the more we move to that kind of it's a finite way of being able to determine who the person is, we have to we can't not verify a person's identity otherwise, we start off with something that is impossible to control so

Colin Iles: That it feels like a really interesting one, Nic, because, you know, self sovereign ID, I've got my app and, you know, I'm onboarded by you guys. That gives me a certain quality of credentials in terms of the persona that you know, the relationship I have with Bank A, now I go along to ensure or I go along to the I don't know, get a driving license or join a club, they're able to access it if we permission to go and see Yes, he has, you know, gone through a series of you know, approvals, this bank has got a relationship with him, we've got therefore a bit more certainty that this is the right person to go and deal with. Now, I can go and allow that information to be shared from my app, it seems to be going in a direction where you know, we're going to one plus one is three and the environment is just a lot easier, both from a removing friction, but also reducing risk for multiple organizations dealing with individuals and companies.

Nic Swingler: Absolutely. They're the only thing you want. Sovereign ID it's kind of similar to facial recognition is the confidence level you want to attach to that. So but it's not from a principle, the concept point of view, I think you can depending on how it's been rolled out, you can get your level of confidence that I can say that is Colin Iles because of the way that it's constructed and presented. So there shouldn't be from a principle point of view the challenge for an institution to move through that it will just be the quality of what degree of confidence can I put into that specific representation, the same way that at the moment, the quality of the Department of Home Affairs is deemed to be adequate and sufficient and appropriate, we just have to get that sovereign ID to have a level of quality, that's acceptable, because then the reuse is just multiplied. If the quality is there, the person can do anything with it. And I think that should be the idea. If the quality level, then that there will be a problem across the board.

Colin Iles: Then the next one I was interested in is crypto. Actually, the next two is crypto and AI. Obviously, we want to find out about that. But I want to do crypto first, because in some ways AI might be a shorter conversation. I'm imagining to go like this. Are you doing a lot with AI? Or are you trying to do a lot with AI? Yes. Can you see massive advantages? Yes. Is everyone else? It's almost like, you know, unless we enter the specifics, crypto, I'm more confused about I can't work out if this is a net benefit. For the banks in terms of financial crime, it's a kind of, it's not really helpful, because it's actually benefiting the criminals. You know, you're set. I don't know what's happening in the world of crypto both in terms of the technology and the currencies in terms of financial crime.

Nic Swingler: Crypto's interesting. I revert back to same risk, same rules. So they are significantly similar risks in that, but the rules are not level at all. And I think we see this across the globe, there are a lot of regulators who are unhappy and who are firming up regulation and raising the ball talking about registration, there's a discussion is that I think around whether the crypto providers should be listed as regulated by the FIC, it'll probably go in that direction. The providers actually wanted to go there, because if everyone plays by the same rules, then it's fine. The other comedies, the same way. A credit card doesn't misbehave, is the person who uses the card who misbehaves. A crypto asset doesn't misbehave, it's how it actually is used. It is also a how you're able to do to kind of in the first instant purchase, that's a where did the money come from? There are various aspects within the broader crypto markets are environment that don't deliver the quality. And if the quality isn't there, at the point when it is on the way in is very difficult for the bank to be able to lift the quality, I can't lift the quality of a transaction that's being done with no controls, because it's not my customer, I can't see that, don't have access to that. So sometimes the banks are left in very difficult situation where the risk is just too significant. So what do you then do, and I can't mitigate it.

Because that I mean, we have examples of fraud being committed within another accounting app. So the money goes into crypto exchange goes into probably two or three currencies, off it goes, it's gone within 20 minutes on a Sunday evening. And if you unpack that, the customer at that specific crypto provider was onboarded, but it was with two IDs of two deceased individuals. So it's very difficult for the banks to actually operate an environment unless the controls are lifted. So that's the actual players now the players, for people who want to buy and sell crypto all our customers. And they are free to do that as long as they comply with the rules and the laws of the country. So there's no issue with customers trading or buying or selling crypto investing in crypto, some of the crypto providers depending on the risks they pose to us, we may or may not want to do business with them, or the risk profile needs to be of the right appetite for us to be able to accept that we will capture go it's still I mean the technology of the blockchain and many, many banks, including ourselves are looking at can you use that technology to actually maybe a very fun to authenticate other aspects of your processing environment, etc. So that is sound but we will the currency elements of the crypto discussion go? I guess we'll have to wait and see.

Colin Iles: But I think Marius is going to come back and join, we've got about five minutes left and I want to take Kirsty's question actually in terms of AI, so perhaps I was a bit flippant saying of course you're going to go and do AI, I think Kirsty is, she's correcting me, which is good. Okay, it's not so obvious that AI is going to be beneficial for banks potentially. Do you have the datasets actually out there to go and train your models? If you do put the models in the place? How are you going to go and remove you know, the bias and actually see, understand whether it's working because then you don't understand what's happening in the model. So perhaps it is a little bit more complex. What's your take on there using AI in the real world make?

Nic Swingler: Did it make you feel better? I think both you and Kirsty are all right. Absolutely, we are using it. But there's not a silver bullet in that. And we have to be focused and specific around how we deploy them. The deployments that we've done on necessarily models that basically this run on the terrace at night and they self learning. And off they go, we have to provide a level of transparency and the level of what we put into that model is actually a reflection or depiction of the decisions that our analyst would have made, we do significantly high quality assurance on the output of that. What I do like about it is there is a full audit trail. So every decision, you can see exactly how it was made, which is a thing that the regulators will require. We engage very closely with our regulators around the components, we have applied artificial intelligence. And we haven't gone like I said for unsupervised models that just run, we can play around with that. But they don't form part of the call, once we are happy with something, it's been tested, it's been run in parallel, we've done the QA, we will bring some of that into live production, and we have elements of an AI sitting in live production, but it is definitely is being done. It definitely is useful. It's a critical element of being able to be better at risk management. But to Kirsty's challenge. Absolutely. It's not something where I can take it off the shelf and say, now I can sit back because the AI basically is running my function. But we won't be there for my lifetime. Work lifetime. That is

Colin Iles: We let's see. Let's see, you're still young Marius.

Marius Mare: Thank you. Thank you, Colin. Nic, from us from Sybrin, and thank you very much for spending your valuable time with us and our listeners today. I hope that it was valuable to all of you. For me, certainly, you know, thank you very much for the very practical approach. You know, in terms of financial crime and risk management, it's good to see that, you know, that we're going to see some good logical practices coming into the domain and into the discipline. You know, I think one of our, you know, one of our passions and purposes in cyber, and is also to make a contribution to financial inclusion across the continent. You know, I mean, obviously, as we know, it's a big issue. And I think it's not just about financial inclusion, but it's also about how do we make it easier, cheaper, and safer, you know, for our people as they get taken up into the financial services world. So and that's a key thing. And then maybe just also calling for, for everyone that mess the dog on H. Ns, SSI, self sovereign identity, go and follow that on the link. I do think, as we spoke about these things tie in together. You know, I mean, obviously, identity of people as a key component of financial inclusion, and digitization of processes as we move forward. So, thank you, gentlemen, for your L column. Good to see you again. We'll see you again in January. So follow us, see what that's going to be all about. I don't think we finalized that topic yet, Colin.

Colin Iles: No. If anyone's got a topic, you know, obviously, email back, you can email to the mailer that you'll have received, you can put it on the chat now before we kill the call or, you know, or look up Sybrin or myself on the internet, Colin Iles, easy to find, lots of ways to message and just tell us what you'd like to hear about. So I'm fascinated about, you know, the future and how technology is changing in financial services and industries in general. So we've got the right partner who was Sybrin who are operating at the forefront of this space. So if you want it to be discussed, we'll organize it. Just let us know what the topic should be.

Marius Mare: Yeah, great. And then just finally, from the Sybrin family to all of you, have a good festive season. Stay safe. You know, take a good break and happy holidays, and we'll see you in the new year.

Colin Iles: See you in the new year. Nic, thank you very much again, Marius, thank you and thank you. We'll see you again January.

2021-12-01
