Compliance Challenges in the Evolving Fintech Regulatory Regime: Key Challenges in Digital Customers Onboarding

By Nelson Cheung, Compliance Director, Oriente

Nelson Cheung, Compliance Director, Oriente

Fintech opens up business opportunities for both traditional financial services company and fintech start-ups. Not only does it provide operational efficiency, but it also enables delivery of financial services cheaper and more convenient to customers who could be living in remote area where traditional financial services are not available.

As fintech evolves over time, it becomes challenging for the regulators in striking a balance between fostering technological innovations and protecting the consumers. While fintech specific regulatory requirements are yet to be released, we have seen regulators showing concerns in a number of areas.

Digital Customers Onboarding (DCO), as the first step to bring in the customers, although it sounds straightforward, it is equally challenging for internal compliance professionals to ensure compliance as the regulators setting out Fintech specific requirements (that is, innovation versus protecting consumers). The key challenges a compliance professional would face when reviewing a DCO initiatives will be discussed below followed by appropriate approaches to handle them.

Regulators Expected KYC in DCO to be as Robust as KYC Conducted Face-to-Face

With DCO, the financial services companies can no longer use traditional face-to-face approach to verify the identity of the customer, question the customer the purposes of opening a bank account/applying a loan or determine whether the customer looks suspicious. However, regulators do expect due diligence controls, which are at least as robust as those performed face-to-face.

There are number of electronic Know Your Customer (eKYC) service providers available in the market. While some of these service providers claim that their eKYC solutions meet regulatory requirements, financial services companies have to study these products carefully to ensure the product fulfils your company’s compliance obligations, especially when your company is operating in different countries, meaning the regulatory regime can be varied.

Consent is not Always Bullet Proof

Whether to improve customer experiences, to learn more about your customers or for internal risk management purpose, financial services companies might make use of the mobile app to obtain as much information from the customer’s smartphone as possible, for example, the contact list, geographic locations, and so on.

Of course, your legal and compliance colleagues would have already included such access in the terms & conditions (T&C) or privacy notice that the customers have to “read” and “accept”. Such acceptance is considered as a consent by the customers for the use and disclosure by your company as stated in the T&C or the privacy notice.

As Fintech Evolves Over Time, It Becomes Challenging For The Regulators In Striking A Balance Between Fostering Technological Innovations And Protecting The Consumers

Led by increasing number of complaints against the abused access to personal data available in the smartphone, regulators have started to regulate such access. Some regulators have issued a white list of information a mobile app can have access to; some regulators, although yet to issue new requirement, publicly provide their view that relying on traditional “read” and “accept” of a lengthy T&C and privacy notice as the basis to extract personal data from the customers’ smartphone as unfair.

Applying General Data Privacy Principles in Big Data/Artificial Intelligence Initiative Can be Challenging

Insights generated from big data analytics, when used properly, can be useful for various purposes, for example, calculating the risk of default payment of a borrower, to determine what products are suitable for a particular customer. Big data when coupled with artificial intelligence (AI), which can learn and evolve without the need for human intervention, is even more powerful. The question is whether the outcome or the process itself is fair to the customers.

There is a real-life example: a credit card company rated all customers of a shop as higher credit risk because a number of customers of that shop had poor credit card repayment records. From the credit card company perspective, it may help reduce default payment rate. On the flip side, from the consumers perspective, I can be a diligent consumer and just happen to walk into a shop which, unfortunately, has numbers of bad customers. Is it fair for the credit card company to rate me as a high risk customer?

Data protection authorities and financial services regulators have shown their concern on the Big Data/AI use cases, however, how to define fair collection and use of data are yet to be seen. Financial services companies still have to apply general data privacy principles when reviewing their big data and AI aspects of the digital customers’ onboarding initiatives and have a guess on whether their collection and use of data would be considered as fair.

Product Review and Approval Process

Once the product team has an idea, legal and compliance should be consulted to determine whether there are any laws and regulations that ban such product. Once the product’s preliminary design is ready, legal and compliance should be further consulted to identify all relevant laws and regulations that apply and suggest controls to be implemented.

During the development phase, close collaboration between legal and compliance and the production team is crucial as how the product team interprets the controls suggested by legal and compliance can be quite different from their expectation. Another reason is product team focuses primarily on the product features and ensuring a pleasant customer journey, adding a new screen to include necessary disclosure that requires the customers to read and accept can affect the total time required by the customer to complete the account opening process, which can be one of the most important KPIs.

Finally, legal and compliance should be one of the sign-off parties before the product is launched to ensure all suggested controls are in place and there is no surprise (that is, features deviate from the design).

We will Get There

While the regulatory regime and industry practice around fintech are still evolving, compliance professional will have to be both creative and conservative, that is, being creative in finding new ways to ensure compliance, while being conservative when uncertainties arise as to whether the fintech initiative is acceptable from regulatory perspective.

When clear guidelines or even fintech specific regulations are released by the regulators, we, as a compliance professional would have a better idea on how to ensure compliance, by then, there might be new technologies and new areas of compliance concerns that change the compliance landscape. After all, we are living in an ever-changing world.