The Need for Automated Assurance Exemplified by N26’s AML Issues
Every compliance officer knows just how burdensome a remediation project or a lookback exercise to fix a financial crime controls issue can be. These efforts are time-consuming, expensive, and take attention away from other priorities. But the unfortunate reality is most institutions don’t know how well their financial crime controls are working at any point in time.
So what’s the result? The first time a controls failure is identified is just the beginning of the story and a cascade of other issues follows soon after. This pattern - and the clear need for a better assurance solution - became apparent once again last week in Italy for N26, the German digital bank.
What happened in Italy?
Italy’s central bank banned N26 last week from taking on new customers or offering new products or services, such as cryptoassets, to existing customers in Italy.
The reason? The Italian regulator identified “significant shortcomings” in N26’s compliance with AML regulations during inspections in late 2021.
This wasn’t the first AML misstep for the bank. In 2021, prior AML failings by N26 led the German Federal Financial Authority, BaFin, to restrict N26 to a maximum of 50,000 new customers per month, impose a €4.25 million fine, and appoint a special commissioner to oversee the bank’s AML remediation efforts. N26, at the time, stressed that it was taking measures to fix its AML issues and meet the highest standards of financial crime prevention.
What the recent ban in Italy shows is that even one financial crime issue can be difficult for institutions to get out from under, as financial crime compliance requires such significant time and resources and further issues may soon pile on. This makes it critical for institutions to have assurance that their controls are operating effectively at all times.
What is the broader underlying problem?
Compliance officers rely on periodic, manual dip sampling to tell them how effective their financial crime controls are. But this only provides a partial look at things that happened in the past.
As a result, no matter how well-designed an institution’s controls may be, it is difficult to answer the fundamental question - are those controls working now?
N26’s situation shows that even if you’re intensely focused on getting your financial crime compliance right, you’re still limited by the tools available to ensure your controls are working properly. This limitation is hugely important, and we wrote a whitepaper to help you think about how to measure the effectiveness of controls well. The problem is that if even one breach or failure escapes notice, it can multiply into a much larger problem before you (potentially) find out about the issue much later.
The solution is an automated approach to assurance. Just as other financial crime technologies help institutions onboard customers, monitor transactions and manage cases, the next step is for institutions to use technology to make sure their controls are continually working with real-time feedback on any breaches or failures.
Compliance officers then aren’t reliant on a small, backward-looking sample set to tell them if their controls are effective - they can know that ongoing, automated monitoring of all their controls will surface issues more completely and quickly than any manual dip testing. And if an issue is identified as in the case of N26, compliance officers can feel confident that there isn’t a cascade of more issues coming. That is certainly better than uncovering a huge mess during a lookback or having the regulators discover the issue themselves!
What can you do?
This latest news once again shows that new banks and fintechs - often focused primarily on growth and expansion - can’t overlook their anti-financial crime obligations. Eventually, that approach will hinder, not help, growth. Controls failures or breaches may become incredibly burdensome and costly to fix later, especially if the deficiencies catch a regulator’s attention.
We recently created a guide for managing increasing financial crime compliance burdens and risk exposure without hindering growth. Instead of getting in the way of expansion, a careful approach to laying out your financial crime technology stack at the beginning of your journey will only help you scale faster and smarter over time.