High-Risk Customers and Whether Or Not Compliance People Can Be Accused Of Discrimination 🤔
Something interested happened recently in my compliance world and I wanted to share this with you.
A FinTech company was going through an audit and it was found that they had an institutional client with one of the owners born in Iraq. This person has lived in Europe for many many years and had all the required documents about their legal residence, passport, and all that jazz. The question was whether this client (legal entity) should be classified as high risk or not.
My take is that the fact of being born in Iraq, Afghanistan, Zimbabwe, or another “high-risk country” is not always a risk factor. I understand that when someone lives or has business in a high-risk country – yes, potentially, there is a higher chance of them being exposed to corruption, bribery, violent crimes; the financial system there may not be as transparent, the police and the courts may not always be efficient, and the population registration or border controls may not always be the state-of-the-art. So yes, there are some valid concerns about accepting customers or funds from certain countries. However, when someone was just born in a country, left many years ago, lives, studies, works, and manages their money in Europe for many years, they have not been exposed to the risks of their country of birth for a long time, which is why they should not be treated as “default high risk”.
I wonder if companies should have some anti-discrimination or “fair treatment” rules covering compliance decisions for cases like that – I mean, compliance or risk officers can decide whether or not to grant loans or how much to charge for insurances, or whether or not open a bank account to someone, so there is a direct impact on people’s lives, right?
So, what would be risk indications that are more objective and hopefully bias-free, where it comes to risks and red flags?
Here are a few examples:
Lack of stable income.
Lack of proven social connections and social media footprint (fraudsters and criminals tend to be very discreet and honest people tend to overshare).
Resident address in certain post-codes (again, be careful and do not rely solely on this factor!!!!)
Lack of certain regular expenses on your bank account that indicate that you are planning for long-term (e.g. criminals rarely pay for insurances, memberships, education, and training).
In some instances – random payments for rental cars and rented spaces or storages, especially, in different locations at the same time.
Lots of personal payments back and forth.
In compliance, it is super important to be open-minded and really differentiate between the risks and the stereotypes.
Earlier this week I met with regulators in one of the European countries, and it was very clear during that meeting that they felt bound by something written in a law a long time ago. Logically, they understood that this specific requirement was, perhaps, redundant, or could have been achieved by different means, but as regulators, they had to enforce the law regardless.
There was a moment when I felt really frustrated by this situation. It was not personal – quite the contrary, it was a very friendly and open conversation, but “existentially” at some point, it felt like a dead-end: How do we move past this and solve the issue? I did not really see at the time a way forward… Like, there was no way that this FinTech startup would start collecting physical documents with notarized signatures by registered mail (I’m talking figuratively) and there was no way that the parliament in this country was going to change the law in the next 2 months.
A lot of compliance people know that there is always a way and that common sense will prevail in the end, but at the time, I just did not see the “how”. Later that night, I talked to a friend from PayPal, we went down the memory lane of how we were introducing remembered login experience with PayPal Touch and how many issues it caused from a regulatory perspective, with respect to strong authentication requirements. But we solved it, after a while. Funnily enough, during this conversation with a friend, I had an “a-ha!” moment, and now I have an idea of how to combine different regulatory provisions and successfully argue the case.
Lessons learned:
Regulators love quotes, comparison tables, and data.
Think about the spirit of the law, when the letter of the law is not something that you feel you can do. Maybe you will find a way to achieve the same result by other means?
Don’t try to solve the issue in one meeting, it often works better, when there are a process and a dialogue, where trust is built over time.
Don’t give up.