
A builder of compliance systems shares his thoughts

Chris Hamblin, Editor, London, 5 November 2020


Francesco Fulcoli, now the chief compliance officer at the digital remittance service TransferGo, spent years working in the private banking industry in a compliance capacity. In this article he shares his experience and views with Compliance Matters.

Fulcoli has been based in London for a long time and remains there today, despite the UK's second 'lockdown' having come into effect yesterday. This interview is in the form of a question-and-answer session.

Q: How did you enter the world of compliance?

A: I started in compliance by coming in from banking and a government body and then moved into FinTech. I worked for the International Olympic Committee, then the Italian Parliament, then I worked for a stock brokerage. I did over six years at Oppenheimer & Co as a compliance AML officer. I looked after the Israeli [Tel Aviv] desk, the London desk, the Jersey desk, the Hong Kong desk and the Frankfurt desk. I looked after the onboarding of clients. I was dealing with funds, hedge funds, asset managers and banks.

Q: At what speed does onboarding take place these days?

A: We can do it in 2½ minutes – we get the person's details, ID, passport, and all the tech behind it can do the rest. [Editor's note: TransferGo's customers are blue-collar workers, so this is not intended to apply to sophisticated clients. However, the remainder is relevant.] We have GEOIP technology, so we can locate exactly where you are and when you're being onboarded. If you say you're in London and you're actually sitting in Baghdad – something we haven't encountered yet – we can pick that up. And we detect where the payments are coming from.

Q: What is your solution to the 'build or buy' dilemma, the quandary that every bank faces when deciding whether to build an AML system from scratch or use the services of a software vendor?

A: I prefer to use a hybrid. There is a difference between screening and monitoring. I prefer to build the front end and outsource the back end because if I were to build both, that would be the easy part – the problem would be maintenance. Also, if such a system goes down, what then? Do you stop all the business? Vendors are more reliable. One vendor that I used only gave us one minute of down-time in a year. The service has to be reliable because if I do not screen my customers, I cannot let them through. Banks also have to screen existing customers – if someone is put on a list, the bank must find out whether he is one of its customers within 72 hours. At TransferGo, I make sure that every customer gets screened daily and recipients are screened whenever there's a transaction.

Q: So you build systems that stop bad transactions from happening?

A: Yes. We aim to prevent money laundering and fraud. The NCA is overloaded. It receives millions of SARs every day, but what about trying to prevent? It's best to do all the due diligence up front.

Q: How does your system look at a customer?

A: We have built a learning machine system called a dynamic risk score which hopefully will turn into AI in the following years or so. The system will learn the behaviour of the customer. If something is amiss or outside the normal behaviour of our customer, the system will stop the transaction. If he suddenly sends a lot of money to South America for the first time ever, the system will change the overall risk of the account, whatever the risk profile was that you had at the start. We say "this account is to be reviewed now...before we allow the transaction to take place."

Q: What do you do to find out whether a customer is a politically-exposed person or PEP?

A: In the case of a screening flag, we always investigate to understand if it's a true positive, but you always may have false positives. If that happens, the machine has done its part and the compliance officer must then take a risk-based approach. When in doubt, he must apply a higher risk.

Q: Do you have any interesting memories from your time in private banking?

A: Definitely. I was there a long time ago, six years ago. I remember one thing in particular. I did the first KYC system within the company; before then, the traders were making notes on a piece of paper. If you leave a note on a piece of paper you can't remember why it's there any more! We took one year to build a minimum viable product for KYC. These days, things are faster – at TransferGo I only needed 3 months. FinTech takes less time now.

Q: Are you struck by differences between compliance over here and in the US and Switzerland?

A: There's not much difference between jurisdictions. They always have the same kind of approach, they tend to say what to do but not how. What I find very hard is that with some regulators it's very hard to get a contact [to whom one can talk about a concern and receive advice].

Q: This leads us on to technological neutrality. Even while regulators say that they don't want to dictate whether banks use this-or-that software, they are now interested in helping firms develop it. Many people think that this is because they know that they are clueless about tech and want to keep their fingers on the pulse. Do you agree?

A: Yes, I'm agreeing with you. The FCA tech hub did understand that there was a gap in its knowledge – especially with the PSD [the European Union's Payment Services Directive] and with APIs [application programming interfaces]. There was definitely a lack of understanding. The FCA – from a FinTech point of view it has accepted it as a good thing and is keen to help and develop.

Q: When a start-up or the start-up part of a big bank goes onto the 'Regulatory Sandbox' software development scheme, what is it getting out of it? The relaxations of the rules are minuscule.

A: When you want to set up a FinTech/RegTech, you don't know if the FCA will grant you a licence. In the sandbox what they are trying to build is something acceptable to the FCA. The FCA is becoming a main partner in the building of compliance tech.

Q: Do you have any words of wisdom to impart about the FinCEN files?

A: Well, it's not a matter of uploading the names from the ICIJ site onto our system. We've looked at the names on our RDC [Regulatory DataCorp] database. Luckily, we are a very young FinTech so we don't have this kind of business on our books. The FinCEN files show us that post-transaction monitoring is obsolete because you can do some money laundering for a customer and the transaction goes ahead. In the FinCEN files, the big banks reported their suspicions and did their job. Then nothing happened.

What I got from the FinCEN files is the sense that we all lost the whole [shooting] match. There's no one loser. We don't want to admit that the system is obsolete and very slow. When you ask the customer to explain why he wants to do an unusual transaction and he gives you an answer, you have to look into it before he makes the transaction itself.

Q: Will you ever get out of compliance?

A: Not for now. I quite like what I'm doing now, building compliance technology. 15 years ago there was a fear in the office of compliance officers but now there's a different vibe. Compliance is on the front line now. Compliance can help the growth of a firm. Today it's very unusual to find a compliance officer who's glad to use technology to do his job. The old-school compliance officer usually works behind a firewall and the tech team is somewhere else. I don't want to be sitting at my desk writing policies and procedures all day. Nobody can follow them anyway if they do not match the reality of the firm’s business model – in that case they are just there for visiting regulators to read. I want to be involved in the building of the product from day one and to make sure that we actually apply all compliance rules accordingly.

If I were to leave I'd teach at university – I did it before. I'd like to teach youngsters to be a chief compliance officer like me.
