IT@BANK | SECURITY — Impaq (Gfi)
Business Process Automation versus Security and Financial Fraud Prevention
There are more and more regulatory obligations, the amount of data has been growing and so have the number of actions to be taken. How to turn that trend into success, namely to join security and business together forever, is described by Tomasz Imbiorowski, head of the Security Department in Bank Pocztowy, Dariusz Wojtas, Head of R&D in IMPAQ and Marzena Janicka, Director of Sales for Financial Sector in IMPAQ.
In the multitude of new regulations for the banking sector, including PSD2, PAD or the General Data Protection Regulation, the new regulations on combating money laundering are of particular importance. How has the situation of bank changed as a result of the legislation amendment in this area?
Marzena Janicka, Director of Sales for Financial Sector in IMPAQ: We have operated on the market in accordance with the provisions of the EU directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the so-called AML 4) and national regulations, based on that legal act, providing for many changes important from the perspective of the financial market operations. One of the most important novelties is the expanded definition of a politically exposed person (PEP) which at present covers also the national public officials, including members of parliament, city and commune governors or judges. This means that banks and other obliged institutions will have to apply special risk assessment measures much more often, including e.g. verification of the sources of income of the exposed persons and making decisions on selling bank products by the managers. The Fourth AML will also oblige the banks and other indicated entities to carry out the financial institution risk assessment. The first such a procedure must be completed by 13 January 2019. This deadline cannot be postponed as the General Inspector of Financial Inspector will use the analyses provided by entrepreneurs to assess the national risk in the first half of the following year. Here, we can assist our bank customers soonest and help them carry out the so-called initial verification, i.e. verification of the entire data base of a given institution’s customers.
Tomasz Imbiorowski, Head of the Security Department in Bank Pocztowy: As a practitioner in counteracting money laundering and terrorist financing, dealing with such aspects for years, I may add that the previous serious amendment to the Act on counteracting money laundering and terrorist financing of 2009 introduced significant changes. They referred to the role of institutions obliged in the AML process, changing it from the passive ones, registering transactions, to the active ones, basing their customer relations on a risk assessment. The new Act of 1 March 2018 on counteracting money laundering and terrorist financing, based on the Fourth AML, is not as much a revolution as an evolution of the previous approach. Having completed the basic stage of the project devoted to adapting Bank Pocztowy processes I had a chance to lead, I can claim that the amount of significant amendments introduced is not as huge as could seem judging by the volume of the Act, though some of them are so extensive and their impact on the customer service processes is so important, that the implementation of the Act is a serious challenge for the banking sector. What I mean here in particular is the changes of the customer service processes.
And what is the bank’s approach the new regulations?
TI: Banks took an active part in the process of creating the new act and in consulting its wording, so it was not a surprise and in my opinion the adaptation processes were carried out smoothly. In Bank Pocztowy, big legislative changes are implemented in the form of projects, focusing on the efficient and cost-effective new process implementation or the modification of the existing ones. This year, the challenge has been the implementation of several very extensive legislative amendments at the same time, concerning the security area (AML, STIR, GDPR, Cybersecurity System Act, PSDII), which requires effective coordination of product teams and IT teams, and an appropriate involvement of units responsible for a given area.
To what degree can the obligations connected with combating money laundering be translated into the banks’ condition?
Tomasz Imbirowski, Head of the Security Department in Bank Pocztowy: Changes resulting from the provisions of the Fourth Directive and the new Act of 1 March 2018 are spot ones, but they modify the bank front office processes and the security unit processes to a really high degree. Customer service processes had to be extended with new components, including identification of a politically exposed person (PEP) on the national market or recording of an occasional transaction. The approach to beneficial owner identification was changed from liberal due care to the mandatory identification of an individual as the beneficial owner. What is more, it is necessary to mention a highly significant change of components existing for nine years, referring to the transaction register which, in theory, was cancelled by the new regulations. This is accompanied by a serious modification of the process of submitting data to GIIF which, unfortunately, is not identified entirely because the change of that process has not been specified in detail. All those changes, introduced by the new legal regulations, increase the work intensity of customer service and analytical security units, as well as the costs of banks in AML processes. Based on experience from several months when the new act has been in force, I can claim that we are bound to carry out a new process improvement, focused in particular on automating and improving identification processes of PEP and beneficial owners to make them easier and less complicated.
Let me ask wickedly what IMPAQ (GFI) does when faced with such market changes?
Dariusz Wojtas, Head of R&D in IMPAQ: The most important thing is we listen to our customers! If it were not for their experience, data and real-life cases, our system would be just a mock-up. Its success for a given customer depends on numerous factors, first and foremost, on the common understanding of the needs and the development of the implementation method. Sometimes, everything goes smoothly, sometimes a Proof of Concept is required to feel the result for the chosen scenario. The compliance of our systems is conditional on the regulations which is why we follow legal amendments and, since we have customers in many countries, we sometimes see differing implementations of EU regulations in different countries we need to be prepared for. Last but not least, we observe the market and here centralization of data about entities is getting more and more important. This refers to data from various sources (products, complaints, applications, own fraud file, information from the Internet, sanctions list). The topicality of data, rapid search for connection and precise management of access rights to such data. And also API provided for customer systems. We have been about to create a forensic analytics module which will enable us to visualize connections rapidly, discover anything not obvious, carry out mass hypothesis verification, including in automatic processes. Also our long-term practice gained when cooperating with various market institutions, including the ones from outside the banking sectors, is important. We have cooperated with one of the largest sea forwarders who uses our kdprevent system to assess the risk for shipments transported by sea to verify it they can accept them onboard. Similarly, companies in the chemical sector which, according to the regulations in force, have to assess the risk of selling their products to specific entities, based on the most topical data. The awareness of the need to verify the customers and partners has been growing. IMPAQ (GFI) is able to ensure access to such resources. In this respect, we are a partner of renowned providers, including Dow Jones and Thomson Reuters.
The number of requirements has been growing, the systems keep multiplying, new people are required. Is there any recipe for that?
MJ: Recently, much has been said and written about the fact that there is no workforce on the market and this is not a revelation. What changes on the part of our customers, is their approach to and openness to automation. Because of the growing volume of cases to be served, it is of high importance what events will be classified for manual analysis by an analyst, and how much of them will be handled automatically. We are experienced in business process automation, also introducing business decision automation via a decision engine which, so to say, substitutes us based on the preset business scenarios. We have also been working actively on introducing analytics components based on Machine Learning (ML) and Robotic Process Automation (RPA) into our offer to reduce manual handling and guarantee fast task completion.
TI: I may confirm that adapting to the new legal regulations, banks pay attention to the highest process automation and the lowest employees’ involvement in manual tasks. Such an approach was employed this year, adapting Bank Pocztowy to the new regulations, e.g. the above-mentioned Act on counteracting money laundering and terrorism financing and the new Act on prevention of the use of the financial system for the purposes of tax frauds (the so-called STIR).
DW: A handy solution is our AntiFraud Hub, a system for fraud prevention, distinguished by the jury of IT Leaders 2018 competition this year. It is an excellent example of process automation. Its decision engine, apart from online analyses of the incoming credit applications or transactions, can assess data from various sources automatically, e.g. decisions made in banking processes, periodic risk assessments, can report alarms when specific indicators are no longer within the specified limits. Let me add it does it in next to no time, ensuring high quality of verification. Another component of key importance is extensive workflow where further processing of a given case may take place. This handling can be automated thanks to imbedded processes for handling escalation or integration with other systems. This is a comprehensive solution which adapts to the existing customer’s systems in the course of implementation and this, as you know, is the gain in terms of time and cost for the entire solution.
The article was published on IT@Bank, November