The FinCrime Files – Q&A with Renata Hoes, Chief Compliance Officer at MFEX Luxembourg
Hi Renata, can you describe your role and a little of your career background?
Currently the Chief Compliance Officer, MLRO and Data Protection Officer at MFEX Luxembourg, I have had a very successful career in the investment sector in numerous senior positions working for MFEX Luxembourg S.A., Generali Investments Luxembourg S.A., PwC and Schroders. I am currently the Head of the Global Crisis Committee for MFEX.
Prior to my transition to the Fund sector, I gained +12 years’ experience in the cross-border unit-linked life insurance industry during which time I worked at Lombard International Assurance and Zurich Insurance to set up and develop the Compliance Departments in Luxembourg.
I hold an MBA from Boston University, and I am the President of the Luxembourg Chapter of the Association of Certified Fraud Examiners. I am also a member of various working groups of ALFI and ALCO.
What do you consider to be your top 3 challenges in fighting financial crime today?
There are a number of factors which are coming together to make the fight against financial crime a major and costly challenge.
First, regulators around the world are all trying to solve similar issues. However, they all tackle them in different ways, with different rules. This means that, for global entities such as MFEX with operations in multiple jurisdictions, we have to determine which rules apply to each transaction.
As an example, for sanctions screening, each jurisdiction issues its own lists of sanctioned entities, so checking each transaction in real time to ensure sanctions controls are being properly followed requires several different black lists to be maintained, updated and used. Fortunately, we have access to systems such as World Check and Dow Jones to take away some of the burden for us by having all lists from all jurisdictions in one system to screen our client names against. However, in our business, we can’t simply place full reliance on systems alone (we no longer do compliance in a ‘tick the box’ approach). We have to be pragmatic and assess the different cases depending on the initial risk assessment.
Secondly, most financial institutions are addressing the issue of cyber-crime, of which we have seen a significant increase in fraud during Covid-19. Financial institutions need to introduce much stronger cyber protection both externally as well as internally. When we can demonstrate strong security and cyber protection as a company, client loyalty can increase, and market perception improves. Recent research has shown that protection of client assets is amongst the highest priority issues for clients when selecting a financial provider.
Thirdly, a key question to ask yourself is how do we fight against terrorist funding and prevent money laundering? One answer to this is to begin breaking down the operational silos. Bringing together all alerts from across the company, receiving KPIs from all external and internal players and putting that into one single system can help us spot non-compliance and stop suspicious activity. This will allow us to see patterns emerge and help prevent potential additional fraud. In addition, financial crime now includes financial fraud, money laundering and bribery, as well as a lot of new cybercrimes, which are even more difficult to monitor and prevent.
The threat has become so diversified that it is impossible for compliance departments operating in silos to effectively manage it.
Mitigating and responding to these new types of crimes will continue to be a problem, as predicting threats and new patterns is very challenging.
The key message here is that Compliance needs to step out of their silos and begin communicating with legal, operations and their company’s sales team, whether through meetings, or by clearly understanding your business model. Having a strong internal relationship with your operational and sales team is critical. This does not mean we are stepping out of our “2nd line of defence” role, we are merely putting on our compliance advisory hat and assisting our colleagues to do what is best for the company.
What are the most frustrating things you have to do in terms of dealing with due diligence data, such as manual searching, paper trails, or waiting for customers?
At MFEX, we work mainly with institutional clients and have automated tools which have decreased the need for manual research (although this is still done for verification and extra due diligence), and all our data, including our compliance assessment, is included within our on-line Global Fund Watch (‘GFW’) system, which has eliminated a lot of the paper trails.
It is obvious that the workload related to due diligence of counterparties must decrease. The same questionnaires are being sent between the parties in many e-mails which can take months to complete, we need to wait for answers, some questions are never answered, etc. This is a big issue in the financial industry where we all need to carry out due diligence on 3rd parties we work with which is extremely time consuming.
You recently featured in an article in the Journal of Financial Compliance where you talk about ‘the three lines of defence model’ – can you briefly summarise a little about this?
I wrote an article with my co-author, Karin Gehlert, “The evolving role of compliance – enforcing your three lines of defence”, which was published in the Journal of Financial Compliance at the beginning of 2020.
This paper describes the Three Lines of Defence Model within organisations in connection with the Danske Bank scandal and outlines key principles that can serve as the basis to strengthen the compliance environment and culture within organisations to prevent major scandals.
Despite the increasing legal and regulatory requirements for financial institutions within the European Union, scandals surrounding compliance and corporate governance failures are continuously being revealed. Apart from significant fines and monetary losses as well as reputational damage for the concerned organisations, such scandals lead to pressure on legislators and international (supervisory) bodies to again further increase regulatory requirements.
The main principles of the article come back to the previous questions, which all lead to better internal communication and getting out of the silos that we are in. The key takeaway from this paper is that although the rules are complex they must be known. Policies and procedures must be read as a starting point. Maximise the knowledge of all parties and the scope of the internal relationships. Strengthen relationships between compliance and the business and gather important information.
No automated monitoring tool or system is intended to replace staff intuition, experience and the need to remain vigilant. Boosting the compliance culture in the company and leading by example is key.
What are the challenges faced in the funds industry that are different from say, retail banking sector in terms of AML / KYC / CDD?
Let’s first look at the similarities – customer risk-rating models are one tool used by financial institutions to detect money laundering. The models deployed by most institutions today are based on an assessment of risk factors such as, for the retail banking sector, the customer’s occupation, salary, and the banking products used and for the fund industry, whether the distributor is regulated, what policies they have in place and how they carry out the screening of their retail client.
The information is collected when an account is opened, but it is infrequently updated. These inputs, along with the weighting each is given, are used to calculate a risk-rating score. But the scores are notoriously inaccurate, not only failing to detect some high-risk customers, but often misclassifying thousands of low-risk customers as high risk. This forces institutions to review vast numbers of cases unnecessarily and dilutes the effectiveness of anti-money laundering (AML) efforts as resources are concentrated in the wrong place.
Most AML models in both retail banking and the Fund industry are overly complex. The factors used to measure customer risk have evolved and multiplied in response to regulatory requirements and perceptions of customer risk but still are not comprehensive.
Models often contain risk factors that fail to distinguish between high- and low-risk countries, for example. In addition, methodologies for assessing risk vary by line of business and model.
Different risk factors might be used for different customer segments, and even when the same factor is used it is often in name only. A web of legacy and overlapping factors can make it difficult to ensure that important rules are effectively implemented. A person exposed to political risk might slip through screening processes if different business units use different checklists, for example.
Instead, we need to examine our AML programs holistically, first aligning all models to a consistent set of risk factors, then determining the specific inputs that are relevant for each line of business (here is the difference between the Fund industry and Retail Banking). The approach not only identifies risk more effectively but does so more efficiently, as different businesses can share the investments needed to develop tools, approaches, standards, and data pipelines.
How has the current pandemic situation affected your day-to-day role?
Whilst the world is in an uncertain place, one thing is sure and that is that MFEX, along with all other financial companies, is required to remain compliant with the laws and regulations we fall under. Compliance doesn’t disappear, and the control functions need to be involved closely with the business during these times.
Let’s talk about some of the compliance issues I’ve seen over the past months.
1. Policies and procedures
The majority of a company’s policies, and in particular procedures, are geared towards the company’s operating in its “business as usual” way. In times of crisis, some of these policies and procedures will need to be reviewed or temporarily amended to cater for the circumstances.
For MFEX, our key policies lie in operations and being able to carry out subscriptions and redemptions for our clients. Processing our client’s orders has always been done “promptly” to meet the cutoff date of the fund. We can’t forget our important KYC policies to ensure appropriate due diligence is carried out on our clients.
2. An overload on certain teams
With the crisis, we’ve had to consider whether existing timescales can be met given that this is a crucial part of our business. During our Crisis Meetings, we identified teams with similar knowledge in other jurisdictions who could provide support if one of our key operations staff got sick. Whilst undoubtedly some areas will be quiet in a lockdown situation, other areas will remain very busy and there is a risk that capacity could be reached. Taking on too much work can lead to issues for our employees in dealing with their caseload, to stress, and thereafter potentially, mistakes.
Another struggle we have faced is signatures and we made a significant decision in a very short time to onboard an eSignature tool, a way to sign documents electronically. This was crucial as our senior management was spread globally.
4. Data Protection and Breach Reporting
MFEX, like all major companies, has GDPR-compliant policies in place.
For example, we need to consider what happens to confidential paper that is printed by employees working from home. It is worth reminding your staff of the importance of these confidentiality policies, in particular that they should not send emails to personal email addresses or keep confidential information on their personal phones.
Supervision encompasses a number of different activities, some of which usually take place face to face. Obviously, supervision must happen and must be effective. With everyone working from home, there is limited supervision and a number of risks could arise which companies need to consider.
I’m not speaking about supervision in a formal manner, where you have weekly meetings with your line manager or departmental meetings.
I’m talking about informal supervision: overhearing a call that someone is struggling with, or someone popping over to your desk with a quick question on a topic they’re not sure about. We shouldn’t underestimate the impact of being able to stop by someone’s desk to provide support or check a piece of work in reducing the number of mistakes that would otherwise occur in a company. In the current lockdown, this has no longer been possible. MFEX has considered how to replicate this type of support with other communication strategies and we are making a lot of use of our instant messaging tool to provide the same instant access to supervisors and team colleagues.
Each team at MFEX has come up with different solutions that work for them – some use our chat application, others have morning and evening conference calls to see if there are any issues upcoming or if there were issues faced during the day. MFEX has a very flat and open communication style which has worked extremely well for us during this time of crisis.
Finally, where do you find inspiration? What podcasts, books, social influencers, events etc do you follow or recommend to our audience?
I get my inspiration from two main sources:
1. Learning through trainings and conferences. I try to attend as many conferences as I can, which have been on-line over the past months. Whether these are directly linked to my function or on topics such as cybercrime, IT security or project management, there is always something to learn. During the confinement, I took two on-line courses at Yale and the London Business School and just completed a mini-MBA at the Luxembourg Business School on Crisis Management. I strongly believe that you can’t get enough training, you will always walk away with a few new ideas.
2. I have a strong network in Luxembourg which is both formal, through the Association of Certified Fraud Examiners in Luxembourg (for which I am currently serving as President), the Association of Compliance Officers or the Association of Luxembourg Fund Industry.
In addition, with my informal network made up of ex-colleagues or people I have known for years in the industry, we tend to pick up the phone to discuss a case (on a no name basis of course), an issue we are facing or just to discuss how to deal with a new regulation.