Transcription:
Howard Fields (00:09):
As they mentioned, my name is Howard Fields. I'm Chief Compliance Officer for MasterCard. To my right I have Rachel Hynes and Deborah Connor, introduce yourself.
Rachel Hynes (00:18):
Sure. Thanks Howard. Hi, my name is Rachel Hynes. I'm a Managing Director with KPMG's Consulting advisory practice in the FS Risk, Regulatory and Compliance space.
Deborah Connor (00:29):
Hi, good afternoon. I'm Deborah Connor. I'm a Partner with Morrison Forster in their Washington DC office. I've been in private practice for about a year and a half. Before that I spent 25 years with the Department of Justice, most recently as the chief of the money laundering and asset recovery section where we did a lot of B-S-A-M-L enforcement. Nice to be with you all.
Howard Fields (00:51):
Great. So we're going to jump right into this. As the last panel said, we're closing out. This is an exciting time in payments. I think from a compliance perspective, it's interesting being on the compliance side and often getting the compliance as a barrier. I think it's the exact opposite. Compliance is the enabler for the business if used appropriately. So for everyone who stayed, you're going to hear all the secrets for those that left, hopefully their competitors and we'll do better than them going forward. So we're going to talk through the complex relationship between rigorous compliance standards and business expansion. We're going to talk about the CALVIS for compliance being a catalyst for innovation as well, and we'll explore some of the technology use cases to help this relationship go along. And with that, we're just going to dive right in. Rachel, I'll start with you just with what are you seeing in the industry now that increases the criticality of compliance and how it's used?
Rachel Hynes (01:52):
I think specifically given the events from the past year or so, we've seen a resurgence from regulators going back to things like heightened standards, enhanced prudential standards, and resetting the table back from the foundational basics of getting your risk compliance control frameworks in place so that you have a strong foundation to build upon. The regulators are looking for it, your banking partners are expecting it, and we're seeing a rising of the ties as your peers get more compliant, get more foundational elements under their belts from risk control frameworks. So right now it's really critical to get those elements in place because of the expectation is increasing as are the fines and as are the findings. And in order to grow and be successful, you have to have all of those components in place in order to really get the rails in line to get the railroad moving.
Howard Fields (02:41):
Deb, can you build off that as well?
Deborah Connor (02:43):
Sure. I think 2023, the financial regulators came out with guidance on third party risk management of third party relationships. And also we saw through that year several consent decrees and orders with the regulators including the FDIC and the OCC related to some banks who got in trouble with some of their FinTech partnerships and their management of that risk. And I think what the regulators were saying and trying to understand is getting their arms around this fast-growing technology. What it says for all of us in this business is if you're working well, business and compliance together, hopefully you can build in all of those controls before you get to a point that you have one of the regulators sitting in your space, which if you look at some of those consent decrees, you'll see that there's some fairly onerous requirements including in one that the FDIC required that the bank come back to the FDIC for approvals for any further third party relationships with FinTech. So the hope is through seminars like this that you start to build conversation and find ways to build in that safety and risk control before you get to the far end of those regulatory enforcement actions.
Howard Fields (04:03):
So going back to, we talked about expectations and you both were really focusing on the regulatory environment and law enforcement environment. What about the expectation of partners and customers on compliance? It's something that I've seen in my own role. I've seen customers proactively digging into compliance programs to decide whether or not they want to do business. Are you seeing something similar?
Rachel Hynes (04:27):
Yeah, absolutely. I think what something we're advising all of our clients on, particularly in the payment space is put your customer first. They're building the trust and the reliance and trust in you as an institution. So you have to be able to give them that back and they know where to dig, they know what to look for. They know what a DDoS attack means now. And so they understand that if you don't have the right infrastructure in place to get back to an operational resilience kind of an atmosphere where we are making sure the customer is first getting the payments back in their hands, how do you stand the business back up very, very quickly? I think we're seeing a lot of that flight back and forth between companies. And so it certainly is changing the conversation to be not just regulatory in nature and not just bank partner in nature, but how do you make sure that your client base feels safe given the events that's happened, particularly in the past year that you were mentioning. These things are public and so folks are very aware of the repercussions of not getting it right.
Deborah Connor (05:22):
Yeah, we've seen clients have come in, customers actually have come in and said, now we're thinking about partnering. You kick the tires on their AML program, their BSA program, their compliance program. Will you go with us arm in arm to talk about looking at this program to see if this is a business opportunity we want to engage in? Certainly it happens when folks are looking at deals, when they're thinking about mergers and acquisitions, when they're thinking about long-term partnerships asking us to look and think about how their compliance program measures up to the expectations that have been fairly clearly articulated by the regulators over the last several years. There's certainly roadmaps for what you might be asking about and what you look for when you're thinking about these partnerships.
Howard Fields (06:10):
So now go back to the whole theme of this compliance as a business enabler. Some of the things that we do at MasterCard, there's products that we offer that my compliance team has actually brought to the table. We've actually brought some m and a activity to the table as well. We proactively engage and we're involved in product development. Do either of you have examples that you could share of how compliance enabled some type of business initiative, something new or just growing something?
Rachel Hynes (06:43):
You can take this one first. I should. I'm jumping in every time.
Deborah Connor (06:46):
No, that's fine. So we have seen compliance come in and working with their business partners on new products and thinking about a launch and an announcement about a new product launch. And they're coming in together as partners in the project to understand what the bells and whistles are of this project, this new payment plan, this program, and where the guardrails should be. And you don't just see the business professionals in first. You see them with their compliance professionals coming together on a product launch or thinking about what do we need to build in to the documentation to our master service agreement, to the other portions of the product so that together they both have a stake in the success of the product and the work. And obviously if compliance is in with the business professionals from the beginning, selfishly it may alleviate some of the larger problems on the backend if you stop and see around corners before you've actually launched the product.
Rachel Hynes (07:50):
I would echo that I think we all know success and growth is a matter of balancing risk and reward. And so being able to take the right kind of risks and move in the right direction and know what those risks that are that you're taking and how they aggregate up to the top of the company so you can directionally change that takes compliance to be able to see across the institution that takes your risk management team to know what's going on and where all the different components lie. And so having that partnership and being able to innovate together allows not only the products and services you mentioned but also growth into new jurisdictions. It allows for you to feel comfort that you are meeting the regulatory requirements and some of these more strict environments and that you can do so successfully. So a lot of times when we work with clients in the advisory space, we'll do a pilot in a more difficult jurisdiction, for instance of a control framework, launch a new product just as a test and see how it reacts, whether it's to the customer base or the regulatory environment.
(08:44):
Take that back, think about how to innovate and move on, and then we can move together as a group. You mentioned everyone is in it together and I think that's really true that your risk and compliance team wins when the company wins. Everybody's growing together and there's this kind of old adage of risk and compliance maybe being that the bootstraps, the seatbelt, but if you don't have a seatbelt, you can't drive the car, so we have to do it together. You want to go faster, you got to have better brake, and if you want to go faster, you got to have a five point harness, not just a two point. So it moves in the right direction I think together and innovation is something that we should all be doing together.
Howard Fields (09:18):
So diving deeper on that jurisdiction, when we're preparing for this panel, we were talking through how businesses, especially in the FinTech and payment, as they try to grow into different areas, they pick and choose their markets based on the level of regulatory framework, what they might need from a compliance infrastructure. You mentioned that that's limiting. Can you talk through a little more detail? How is that limiting for a business? How does that by not embracing compliance, they're not enabling their own growth and how they can foster or going forward?
Rachel Hynes (09:50):
Sure. I mean the long of it is you're going to get fined, you're going to get stopped. Your clients are not going to trust you, they're not going to believe you. And so you have to be meeting the expectations of that area. And there's a competitive landscape happening there too. You might be new on the scene in a new jurisdiction, and so you want to make sure that you're getting competitive advantage and building those relationships with your local regulators for instance, so that you're able to maneuver the right way. And that takes education of your institution. It takes education with your second line risk and compliance partners and education of the first line business folks as well to understand what they're up against and what the expectations are in this new jurisdiction. I think someone asked a question about training earlier, and yes, there's training at the top of the house, but even within a specific jurisdiction there may be new things you've never heard of before and never seen before. And so it does take that compliance team and your legal team and your risk team to think about what are the avenues that we can be successful here? And then once you learn that, how can we cascade those best practices down to other elements within your institution as well.
Howard Fields (10:56):
Deb, do you have any examples of where the lack of compliance had an adverse impact or is it something you talked to more?
Deborah Connor (11:07):
Yeah, so as we're dealing with this kind of global approach and the different ways that you might try to arbitrage regulations, what happens if you are engaged in that or your product folks think, Hey, here's a jurisdiction where if I'm sure I'm limited here, I function well under this regulatory regime, but where we found you run into problems is if you don't well understand your product or your compliance folks don't. Well understand where you've positioned yourself and you find that in fact, you may think you are outside of the United States operating in one jurisdiction, but you have a fair amount of US users. And there have been some recent enforcement activity involving money services businesses who think that they were operating completely outside of the United States when in fact there was a healthy number of US users, which then brings you right back into the US regulatory framework and the A ML and BSA requirements for that. So I think those are the kinds of examples where you get a product or you get a geographic location where you think you are safe, but you may not understand if you don't, well understand where your data sits, who your users are, or in a regime where perhaps the KYC is less, you could find yourself subject to a completely different regulatory framework that you didn't even know you were part of.
Rachel Hynes (12:41):
I love that you mentioned that it's not just environments where it's more strict, it can also be something where it's more lax, and so you expect the boot shops to be there and they're not, or you expect that it's just a very different environment in either direction. It's a really good point.
Howard Fields (12:56):
What's interesting when you look at the payment space and to grow, you have to be global, right? You really need that aspect. And over time you see different industries, different jurisdictions are putting more enforcement cases on various fintech's. Right now we're seeing quite a bit coming out of Europe, but there have been some avoid names, but there's been some recent very large companies, whether they're crypto related or not, that it's because of a lack of view on compliance that has taken them down and it's this ongoing investment of compliance is a difficult task. So what advice or what are your thoughts on how can compliance officers or how can people on the business side build their relationship, strengthen their relationship before something goes wrong? What needs to take place? What advice would you give your clients on building those internal relationships?
Rachel Hynes (13:56):
I think it's a great question. So a lot about what we've been talking about so far. When you think about risk and compliance, you're talking about specific laws, rules and regs in meeting those, but there's also these larger programs of conduct and culture that is exactly where I think this is the conversation is building an environment told from the top appropriate conduct and culture is the relationship in advance between all of your lines of defense. It's your first line business, it's your second line risk and controls, it's your third line internal audit all working together to protect the firm, protect the client, protect the environment if you'll, and so I really think it's a moment where we can all come together and work as a team to maneuver in the right path.
Deborah Connor (14:41):
Yeah, I absolutely agree. I think you have to in the way that you worry about relationships. Fintech's too with banks or others, you have to worry about your internal relationship. And I know everyone has a lot of work on their plate. We all have busy days, we all have what's right in front of us. Where we saw, where I saw companies get in trouble is when you do really have siloed, you have a siloed situation inside institutions. And I would encourage clients to find ways to build partnerships. I know there's been conversations today about what do we do in a hybrid work environment? How are we building teams, how are we mentoring people? It's the same for business and compliance. What are the little things we can do in terms of ensuring that we're together, even if it's where you're physically located in an office, if you have a monthly meeting and more than one time you choose to bring your compliance partner along or your business partner along, or you have small strategic relationships and that this tone that we all work together is set at the highest levels. Folks in an organization have to see that this is valued by the individuals who have the real decision making capability because everyone is, I know there were discussions this morning about how will I get ahead? What do I want to do in my organization? How can I add value? Who's paying attention to that? I think in fostering these kinds of relationships, you can guarantee lots of success for everyone in the organization and these partnerships will really pay off in terms of business opportunity and development.
Rachel Hynes (16:16):
And maybe just to build on that a little bit on the tactical side about building those relationships because that is so valuable, have the outreach early and often get to know who your partners are so that you've already built that relationship and when you need them, they know who you are, they're going to answer your calls, they're going to do it in a nice way, it's a relationship. And so I think certainly in my business as well as banking and payments in everywhere, the role of that team is to enable you to do your job and do it well and let the business grow or let the business innovate. So I think making sure you have those outreach moments early and often, like I said, really gives you the foresight and builds that relationship. So when you need them, they're there. For me in particular, it's also a little bit about greasing the wheels with my risk and compliance team. So I do a lot of contract negotiation and I've got my risk team on speed dial, and so I need something done quickly. They know who I am and they're ready for me. I'm going to also know who my business is. And so we're able to talk more quickly through things. And that comes back to the product and services. If you are a risk and compliance team is aware of what you do, typically what you're looking for, that you've got your controls in place, that you're thinking about things appropriately, it really helps out in your own personal space and your own innovation techniques, whatever that means.
Howard Fields (17:36):
I think for me, I've been doing compliance for two decades, a little over two decades now. And I knew early on that relationships were very important. So for me, me, it's proactively engaging with the business team where I am now at my level, I get involved with as many business meetings I could possibly, even if compliance isn't on the calendar, I just want to be there in the room. So I'm just part of the team because often I think these compliance issues will kind of seep in through a meeting, and if you are there, you have your seat at the table, you are able to address it. But it also requires, I think both business teams and compliance teams have to want these relationships. There's often, I've come across a lot of compliance folks that are, they think they're police officers and it's just speed traps and arresting and stopping. And it can't be that. It has to be this open dialogue when things are good on both sides. But on the business side, being open to engaging people, having a compliance team at the seat at the table and continuing to engage even when there's not a problem is very important.
Rachel Hynes (18:53):
Maybe thinking about, one of the questions you asked earlier about was an adverse business impact. And I think one of the things that we're seeing a lot comes back to the heightened standards and these regulatory reviews that are coming in. We're seeing a lot of horizontal examinations being done looking at issue management in particular and self-identified issues and how that tracks from the moment of identification all the way through to remediation on the back end. And so having the foresight, I suppose, to know when to raise the issue and know when to call your relationship person to say, Hey, this has happened. Is this the correct severity bucket to risk rate this activity? Not only does that help you make sure that you're doing your job more easily, you probably save yourself some time down the road with compliance. And then when not it picks it up.
(19:39):
But also it allows our compliance service professionals to look left and right and understand if this issue is specific or something that's more pervasive across the function, across the actual institution. So now you're allowing your partners to think more broadly and start thinking about themes. And that's the second issue that we're seeing on this cross horizontal right now as a lot of thematics regarding the issue. So not only are you highlighting it when you need to, are you bucketing it the right way from a severity, but also are you looking thematically to understand that this is something that needs to be addressed on a more holistic path. So I think again, having that relationship with your team to be able to say, I saw something and not wait for it to work it's way all the way through, which will really be helpful for you and your institution as well.
Deborah Connor (20:23):
This reminds me of a situation where business compliance, legal, really legal and compliance brought in were brought in advance of a potential for a new relationship and new product with a customer, a new customer. And months, two months in advance, there was some lead time to when they needed to get this relationship off the ground, legal and compliance were working with the business folks and we would be on calls and we would all be on the call together. So it was not business feeding information to compliance, compliance and legal, figuring out what the implications of this were, sharing that back and that information, traveling back to business, it just became everyone at the table. And I think when that happens and business and compliance can really see in real time how each other think from the compliance side, selfishly, I think you start to build in the ability for folks to see red flags or raise issues or start calling and you'll have these relationships where a business may have just a seed of an idea and the industry you are all in, products move fast, ideas move quickly, technology comes as fast as the speed of light.
(21:38):
And so if business can reach out at the very initial stages and start talking about here's what we're thinking about, here's what we want to do. And I remember you saying in the meeting there were these concerns, you don't have the problem of it percolating through to the end when you're ready to have a launch and someone sits down, looks at all the paperwork, thinks about the product, and compliance raises their hand and goes, you know what? I think we need to put the brakes on here for just a minute or two to figure out how we get around this one issue.
Howard Fields (22:08):
I think what's important about that aspect and the issue spotting along the way, what I've seen with a lot of startups in the payment space is the compliance officers actually the chief operating officer and potentially two or three other jobs and compliance isn't at the forefront. And when they're looking at issues or problem solving, that may be one of the shortcomings I think that will pop up from time to time. One of my takeaways is making sure that you have the right expertise at the table to really assess and address the issues we talked about. The prior panel was talking about technology and AI in the compliance space. How are you seeing technology help enable better, enable better compliance relationships and better risk management for our companies?
Deborah Connor (23:04):
Okay.
Rachel Hynes (23:06):
Sure. I think we were talking about gen AI before, it's almost like what is our defense to gen AI coming in? But I think it can also be a very powerful tool for you payments firm as well. Just building off of that issues conversation we were just having, we're seeing a lot of our clients start to put Gen AI to use to help the company be more lean and mean with the folks that they have. So in order to grow, you got to be efficient. We know that. And like you were mentioning earlier with payments probably to move it fast so you're innovating left and right. So how do you do so in a lean mean way? We're starting to see gen A come through to look at things like issues that are maybe less impactful, less severe. We can start to work those through and review what is the theme. We can use natural language processing to read through complaints, for instance from customers. Now we don't need people reading through and understanding what's going on, but we're actually feeding the machine and machine learnings and thinking through, okay, thematically, how do we go back? So it's not putting a bot behind the scenes, but it's helping our compliance team get smarter and it's helping therefore us be a little bit more efficient with our time. And of course that leads to cost effective and efficiencies, which is something everybody's after.
Deborah Connor (24:17):
Absolutely. I think that is really the terrific part of gen AI. The issue that you want to watch out for, not that I'm always the person to put on the breaks, is do you understand how your AI technology is working? Do the folks who are supporting it, it can't be a black box where information goes in and you understand that it's going to generate alerts and that it's going to flag issues. How is that happening? And I think for those of us who have had been in regimes where there's rules-based systems, now we're going to this holistic approach. It is terrific and it will reduce staff. It will more sharply identify issues, but you have to make sure that your team understands what the program does. And that can be hard depending on the level of expertise, folks who have more aptitude for this behavioral learning than others. But if you don't, I have seen instances where there's just not a great understanding of the product that's being used for compliance. And then there have been problems on the back end of that.
Howard Fields (25:29):
I definitely can't say enough about AI from a compliance perspective, but I am going to say enough, I'm going to move on to other parts of technology on how the business and compliance can work better. And one of the things that we do at MasterCard where we can, we embed our compliance tools via APIs or building them directly into normal business workflow. So it's a more seamless interface with the business. I think anytime you have to come out to do KYC checks or get feedback out of one system and try to get back into whether it's very difficult. So we try, I don't want to say a hundred percent successful, but we try to build it into what we're doing. It becomes very helpful that way. So just shifting to when we talked about technology, what have your thoughts on getting the business to invest in compliance? I think getting funding has always been a difficult thing from compliance and other functions, especially support functions. How would you encourage people to invest in that?
Rachel Hynes (26:43):
I mean, I think it's something you have to do right now. It's the environment we mentioned earlier where your banking partners are expecting it, your third parties are expecting it. And so if you don't have the foundation in place, you're going to miss out on this competitive edge. So I really think that there is kind of both a carrot and a sick when it comes to the compliance house and really needing to have that framework there to build off of and to prove, like you mentioned earlier, not just early regulators, not just to your team, but also to your client that they are safe and sound and they can trust this institution. So if you want to grow and you want to grow safely, we've really got to have this kind of control framework at a minimum set down so that when there's a problem and you can resolve that quickly. So for me, I think it's just, it's a necessary component of any successful business, whether or not there's a regulator breathing down your neck, it's also about that partnership and about the ability to expand beyond just what you see directly in front of you.
Deborah Connor (27:44):
Yeah, I think it makes for a good sales pitch. This is your marketing tool. You start to share with your business folks that compliance is critical, that your customers care about it, new products. So this is a sales tool for your product folks to say, we have a solid compliance program, we have good tools and good monitoring. You should trust us. It, it's another marketing tool when you're facing business customers to say, this is an asset, this is a big asset like everything else, however you're going to design your product, whatever the logo is going to be, this is your brand and part of your brand is the strength of your compliance program. So first, I think it's just, it is a good sales too tool for those in the business, especially since your customers are also subject can be subject to the same kind of requirements for more stringent ones than you are. And secondly, I think it leads to a lot of innovation too. If your business folks believe that you have a strong compliance program that you're plugged in, that you're listening to regulators, that you have that, that partnership. They know that you can expand those products and services for them and it's just adds kind of more products to what they can be thinking about in the future.
Howard Fields (29:13):
So I'm going to keep us on track because we are compliance and I do want to open up just if there's any questions. Everyone's afraid of compliance. That's a shame. So in closing, what would be your takeaways for this group, Deb?
(29:38):
What would you want to impart on this group as they go off back to their.
Deborah Connor (29:42):
So I think it's this idea of partnership. The way you partner with your customers, wanting to build these strong partnerships with business and compliance. Compliance is just going to be so critical to the strength of products and organizations across the globe. Regulators are really paying attention to how compliance does their job. And on the business side, that's what you're going to sell to have good products, to develop better products and to keep those relationships close and growing. And there's lots going on now, especially in the tech industry, how folks come together, having those partnerships, those strong partnerships. That's my takeaway.
Rachel Hynes (30:23):
That's great. Then I would say same as far as the relationship piece, but also we talked a lot about compliance and enabling innovation. It also enables that protection piece. So we're talking about our customers of our customer data. You've got a lot of payment information, a lot of very serious data that you're protecting. And having compliance built the correct way enables that of course. And also it builds the trust with your customer. So building a relationship inside, but also building a relationship outside the house, I think is just incredibly important. And compliance should be an enabler for that.
Howard Fields (30:56):
And I echo that point, your customers and your business partners care. They care about your compliance program, especially if you're dealing right on time. If you're dealing with larger financial institutions, if you're dealing with large companies like MasterCard, we will poke and prod a compliance program and we will walk away from partnerships and deals if we see stuff is lacking. Because you said earlier, it's the culture, right? You can see that culture and if it's prevalent there, where else is that popping up? And the other piece is if you're looking at M&A activity, if there's a potential investment into your entity or an allied acquisition, the larger shops are looking at your compliance culture to understand how you've gone about business and potentially may walk away from it. So compliance, it really does matter. Great. So thank you for your time. Thank you for staying.
The Changing Dynamics of Compliance in Payments
April 12, 2024 11:00 AM
32:05