Interview: Nigel Morris-Cotterill, Refinitiv, November 2019, Istanbul

A short Q&A by Refinitiv at their GRC Forum in Istanbul, November, 2019.

Nigel Morris-Cotterill
World Money Laundering Report - Interviews

Refinitiv. You're a very well known figure in the money laundering, etc. world. Where did you come from?

Nigel Morris-Cotterill: I was a lawyer in private practice until the mid 1990s. After leaving private practice, I combined being an in-house lawyer in financial services and the telecoms industries with setting up a consultancy for financial crime risk and compliance which included building risk models and designing and implementing risk and compliance systems. Over time, I increasingly focussed on risk strategies. Right from the outset I had looked over the horizon so that businesses could put in place flexible systems that would allow adaptation for risks as they became clear rather than having to make major revisions. In this way it was possible to deal with changes in risk as part of routine awareness and compliance training rather than to make it look like major change, which staff resist.

These days, the focus of my work is on identifying risk in new technologies as well as areas that global bodies and therefore regulators define as currently important and therefore trendy. I find myself looking for ways to minimise the direct and indirect costs of compliance with ever-more complex and prescriptive systems while maximising risk management and the ability to head off risks before they become trendy.

R: Do you see the demands placed on compliance departments as benefiting or hindering the control of financial crime?

NMC: Broadly, ever-more rigid compliance systems militate against the effectiveness of risk management; the focus on measurability does nothing to actually prevent financial crime. It simply provides a stick with which regulators can beat businesses if they choose. That is not to say, of course, that there should not be compliance or that parameters should be set by regulators. Of course there should be. But in recent years, the detail of how that compliance should be performed places an excessive obligation on compliance officers who become clerical workers when what we, that's society at large, need are those who think freely and can identify anomalies and act accordingly.

R: Do you think, then, that the industry is too focussed on systems rather then on results?

NMC: Absolutely. My view is that, in relation to financial crime, the only result that matters is whether criminal conduct is identified and prevented. I've seen a comment recently that the majority of compliance officers who stated an opinion about the skills they think are essential to develop said data analysis. That's absolutely true - by doing that, institutions can set their own criteria for exception reporting.

R: Do you think that technology will help in combatting financial crime?

NMC: I've been an early adopter of many kinds of technology since the early 1980s. So I'm not some kind of Luddite. I'm not scared of tech but equally, I'm not dazzled by it. What I see in all the fuss about RegTech, "AI" and so-called block-chain solutions is nothing new. Literally, nothing at all. All of the above are variations on a theme that computer people have been trying to sell for getting on for half-a-century. There is an enormous drive to convince financial institutions that they need some form of "AI" or blockchain system. Here's the truth: none of it is any use if a financial institution doesn't have a means of collecting, analysing and reporting on all, and I mean all, the data in its possession. Twenty years ago, I urged banks to insist that all back-office software use a common database in a common format. The tech industry resisted and the financial sector lay down and played dead. As a result there are, in many institutions, dozens of incompatible systems including those that have been retired and store records up until their retirement. Fix that and then we can start to talk about what to do with the data because once it is all accessible, querying it is child's play, building combinations of data is simple data-matching, analysis is the application of simple rules. A bank, for example, can build those in-house, it can set its own risk profiles and criteria. It doesn't need to spend millions of dollars a week on consultants to tell it what it already knows.

Will it help? Right now, we are in that annoying phase where banks, etc. are buying-in expensive software and paying a fortune for installation and maintenance when that money would be better spent on the education of staff and recruiting more and better risk and compliance staff and on migrating the data to a common data format.

I also want to mention external data, that is the KYC/CDD data that banks either buy-in and integrate or access on a case-by-case basis. It is literally impossible for any such platform to be comprehensive. Literally. Impossible. It is also vital that such information is up to date not only as to information that is entered but also as to changes to information already published. There are a number of good services several of which have a specific focus but there is only one that is backed by the world's biggest news organisation: WorldCheck. I mention WorldCheck because it's backed by Thompson Reuters owners of Refinitiv and I must declare an interest because I am a consulting editor with Acculus, a sister business.

R: What do you think about FinTech?

NMC: I have yet to see a FinTech product that does anything new. They are shiny interfaces to provide existing services. But they are an enormous part of the financial services landscape and cannot be dismissed. There are a number of special challenges: there's regulation which often misses the point. It tries to regulate the tech when what it should do is regulate the activity. Regulators who allow "regulation lite" or a "sandbox" are failing to regulate properly. If a FinTech company is providing services that are regulated by a specific regime when performed by, for example, a bank the regulators should do one of two things: regulate the FinTech company in the same way as the banks or apply a light-touch regime to those services when provided by banks. Regulators should not be developing parallel regulation, a fast-lane and a slow-lane, for the provision of the same service.

The next challenge is to decide who regulates: many FinTech applications apply across borders. Let's think: what is is regulation for? Essentially, it's for a combination of consumer protection and the protection of society's economic well-being. But many FinTech companies operate outside the country in which they are regulated. So what? you may ask. Surely complaints will be dealt with wherever they arise.

So, I ask you this: can you think of a single instance where a country that hosts an internet business - be it FinTech or otherwise - has taken action against that business at the request of an overseas consumer?

There is no consistency of regulation so what is banned in country A is fine if the business is regulated in country B. That places consumers in A who assume that all FinTech companies operating in their country do so on a level regulatory playing field.

And what about totally fake FinTech companies? One I came across recently runs out of Easter Europe with a fake address and false-flag telephone numbers in London and even a false-flag telephone number in Singapore which, as we know, has actively courted the FinTech industry for several years.

So what do I think about FinTech? It's window dressing for a generation that think it's cool to all kind of things on their phones but it's just that - a gateway into the same activities as there have always been, but sold to people who are blinded by the bling and don't look behind that.