The next frontier of compliance: Compliance 3.0 and the era of automated testing

Welcome to my latest blog series, where we’ll be exploring the compliance landscape, from Compliance 1.0 through 2.0 and into the current era of Compliance 3.0.

Over the next four installments, we'll dissect each stage of evolution, drawing insights from frontline compliance experts navigating the challenges of financial crime prevention and regulatory expectations. Together, we'll unravel why strategies effective yesterday fall short today. Our journey will include a step-by-step guide to constructing a Compliance 3.0 solution, considerations for building or buying your crime-fighting toolkit, and a compelling real-world example of how Griffin, an API-first UK Bank and full stack BaaS platform, partnered with Cable to spearhead Compliance 3.0.

Compliance 1.0 - A Walk Down Manual Memory Lane

During the era of Compliance 1.0, the landscape was dominated by physical branch-centric operations and characterized by manual compliance controls and testing.

I remember having a savings account at a local building society when I was a kid. Every time I wanted to deposit a check from my grandparents after Christmas, or to withdraw money to buy something, I had to take my little blue book, wait in line to meet a branch manager, and provide documentation to prove I was the account owner - it was a manual, slow and painful process. All financial crime checks were conducted on the spot, introducing inherent vulnerabilities to human errors during data entry and document verification. It would not have taken much for someone to steal my little blue book and do away with my savings. 

Looking back, it's evident why this manual approach could lead to compliance gaps.

Compliance 2.0: Automation in the Digital Age

Fast forward to the early 2010s, when the advent of challenger banks and fintechs marked a pivotal shift in the consumer experience. We found ourselves in a technological transformation, where API integrations and automation were competitive advantages and customer experience was everything. Compliance 1.0 wasn’t designed for this new digital world, where the entire customer lifecycle was completed online or through a smartphone: everything from KYC during onboarding to ongoing transaction monitoring and AML. It was time for a transformative change, leading us into Compliance 2.0 - a stage marked by the adoption of automated compliance controls.

In my 4.5 years as Head of Financial Crime at Monzo, operating in the era of Compliance 2.0, I witnessed the transformative power of automation in compliance control systems: digital identity verification and screening for onboarding decisions, and digital-first tools to identify ongoing fraud and AML.

However, my time there also revealed a crucial gap: yes, we had automated compliance and financial crime controls, but we still had a manual approach to testing, understanding and evidencing effectiveness.

The Compliance Conundrum

When I looked around for an automated effectiveness testing solution, there simply was not one. Every Compliance Officer I spoke to followed the same playbook:

  • Check-box compliance
  • Set-it-and-forget-it controls
  • Spreadsheet-based work
  • Human dip sampling of less than 1% of accounts and transactions
  • Ongoing, expensive remediation projects
  • Annual audits
  • Annual regulatory examinations

The Compliance 2.0 world is like taking part in a Formula 1 race without any feedback from the car - imagine driving a Ferrari around a track with no onboard computer telling you the engine has a fault or the brakes have a problem or your tyre degradation is high. You are not aware of any impending risks. I am a huge F1 fan, but I would not want to get in a car like that. 

So why are we running compliance like this, when there are trillions of dollars, billions of customers, and significant reputational damage at stake?

Ramp Network, an FCA-registered crypto asset business, exemplifies the industry's challenges. Their compliance coverage was around 1%, managed through manual processes, spreadsheets, and ad hoc communications. Limited and sporadic manual testing meant comprehensive oversight was nearly impossible, leading to low confidence in compliance outcomes.

My aha moment and the birth of Cable

Just as Compliance 1.0 had to become Compliance 2.0, we now urgently need the next paradigm shift to Compliance 3.0.

My goal in introducing Compliance 3.0 is to provide a technological solution for automating compliance effectiveness testing. This empowers companies and compliance teams to test 100% of their controls in real-time, ensuring continuous confidence in their functionality. No longer should companies wait for audits or reviews to identify issues—now, they can catch and address them proactively.

Cable tackles the growing problem of meeting regulatory demands that have shifted from 'in place' to 'in action.' Compliance 2.0 is no longer sufficient, necessitating evolution. Take a look at our other blog posts to see why regulators are taking action now!

  • OCC Consent Order to Blue Ridge Bank signals intense BaaS regulatory pressure in 2024
  • Metropolitan Commercial Bank's (MCB) $30M fine for inadequate oversight of third-party programs

Compliance 3.0: Ferrari effectiveness testing to match Ferrari compliance controls

Compliance 3.0 is not just about having controls in place; it's about actively proving their effectiveness in real-time. The journey from Compliance 1.0 to 2.0 marked the digital evolution, and now, with Cable, Compliance 3.0 ushers in a new era of digital evolution that brings with it automated testing and proactive risk management. We now have the tools to move:

  • From check-box compliance to real-time, always-on compliance
  • From set-it-and-forget-it compliance to real-time, risk-based compliance
  • From spreadsheet-based work to technology-based work
  • From dip sampling only 1% of accounts and transactions to testing 100% of everything
  • From ongoing, expensive remediation projects to small, individual issue-fixing
  • From annual audits to in-the-moment audits
  • From annual reviews to real-time reviews of controls

Here is a useful table to visualize and understand the distinctions and benefits through the compliance evolution:

In the next blog I will unpack real insights from a recent webinar we hosted, ‘Adapting to a New Era: Architecting a Modern FinCrime Tech’ (you can watch it now for a sneak peek at what I will cover in the next blog), to help you build the ultimate Compliance 3.0 compliance effectiveness testing solution.
