Refinitiv. You're a very well known figure in the money laundering, etc. world. Where did you come from?
Nigel Morris-Cotterill: I was a lawyer in private practice until the mid 1990s. After leaving private practice, I combined being an in-house lawyer in financial services and the telecoms industries with setting up a consultancy for financial crime risk and compliance which included building risk models and designing and implementing risk and compliance systems. Over time, I increasingly focussed on risk strategies. Right from the outset I had looked over the horizon so that businesses could put in place flexible systems that would allow adaptation for risks as they became clear rather than having to make major revisions. In this way it was possible to deal with changes in risk as part of routine awareness and compliance training rather than to make it look like major change, which staff resist.
These days, the focus of my work is on identifying risk in new technologies as well as areas that global bodies and therefore regulators define as currently important and therefore trendy. I find myself looking for ways to minimise the direct and indirect costs of compliance with ever-more complex and prescriptive systems while maximising risk management and the ability to head off risks before they become trendy.
R: Do you see the demands placed on compliance departments as benefiting or hindering the control of financial crime?
NMC: Broadly, ever-more rigid compliance systems militate against the effectiveness of risk management; the focus on measurability does nothing to actually prevent financial crime. It simply provides a stick with which regulators can beat businesses if they choose. That is not to say, of course, that there should not be compliance or that parameters should be set by regulators. Of course there should be. But in recent years, the detail of how that compliance should be performed places an excessive obligation on compliance officers who become clerical workers when what we, that's society at large, need are those who think freely and can identify anomalies and act accordingly.
R: Do you think, then, that the industry is too focussed on systems rather then on results?
NMC: Absolutely. My view is that, in relation to financial crime, the only result that matters is whether criminal conduct is identified and prevented. I've seen a comment recently that the majority of compliance officers who stated an opinion about the skills they think are essential to develop said data analysis. That's absolutely true - by doing that, institutions can set their own criteria for exception reporting.
R: Do you think that technology will help in combatting financial crime?
NMC: I've been an early adopter of many kinds of technology since the early 1980s. So I'm not some kind of Luddite. I'm not scared of tech but equally, I'm not dazzled by it. What I see in all the fuss about RegTech, "AI" and so-called block-chain solutions is nothing new. Literally, nothing at all. All of the above are variations on a theme that computer people have been trying to sell for getting on for half-a-century. There is an enormous drive to convince financial institutions that they need some form of "AI" or blockchain system. Here's the truth: none of it is any use if a financial institution doesn't have a means of collecting, analysing and reporting on all, and I mean all, the data in its possession. Twenty years ago, I urged banks to insist that all back-office software use a common database in a common format. The tech industry resisted and the financial sector lay down and played dead. As a result there are, in many institutions, dozens of incompatible systems including those that have been retired and store records up until their retirement. Fix that and then we can start to talk about what to do with the data because once it is all accessible, querying it is child's play, building combinations of data is simple data-matching, analysis is the application of simple rules. A bank, for example, can build those in-house, it can set its own risk profiles and criteria. It doesn't need to spend millions of dollars a week on consultants to tell it what it already knows.
Will it help? Right now, we are in that annoying phase where banks, etc. are buying-in expensive software and paying a fortune for installation and maintenance when that money would be better spent on the education of staff and recruiting more and better risk and compliance staff and on migrating the data to a common data format.
I also want to mention external data, that is the KYC/CDD data that banks either buy-in and integrate or access on a case-by-case basis. It is literally impossible for any such platform to be comprehensive. Literally. Impossible. It is also vital that such information is up to date not only as to information that is entered but also as to changes to information already published. There are a number of good services several of which have a specific focus but there is only one that is backed by the world's biggest news organisation: WorldCheck. I mention WorldCheck because it's backed by Thompson Reuters owners of Refinitiv and I must declare an interest because I am a consulting editor with Acculus, a sister business.