Seven insights into effective Compliance Risk Management for FinTechs

Compliance Risk Management as an opportunity

While you’re enjoying your holiday break and contemplating new plans for the year ahead, here are seven insights that might interest you. They will help you build an effective, sustainable and responsible Compliance Risk Management and create a competitive advantage.

Co-written by Josefina Gonzalez Lopez & Viktoria Rudenko

Attention to the FinTech sector is increasing. FinTech companies advance and grow quickly, forcing the entire financial industry to embrace innovation and challenging the traditional business model. As a result, regulators show an increased focus on FinTechs. However, in order to sustain this growth and be compliant with regulatory requirements, FinTechs need to have a sound and effective Compliance Risk Management (‘CRM’) in place. What does this entail, and which key insights into effective CRM should FinTechs in the Dutch market focus on? Below, we share seven insights into effective FinTech Compliance Risk Management.

1. Risk strategy embedded in the entire organisation

At the core of CRM stands a clear risk strategy with a Risk Appetite Statement that includes integrity risk. This helps FinTechs to clearly articulate the extent of risk taking and mitigation at an organisational level. Having a clear and proper risk strategy in place to support the business strategy, which is clearly embedded in policies and processes, and adhered to throughout the organisation, is key to an effective CRM.

2. Fully encompassing Internal Governance Framework in place

Proper segregation of duties and responsibilities is paramount to CRM. Where policies are scattered, organisational overviews are incomplete and the lines between the departments of the three lines of defense are blurred, resources are incorrectly allocated, activities are performed twice or not at all, and risks are missed. Therefore, a fully encompassing Internal Governance Framework with a clear RACI model is imperative, and stakeholders across the organisation should be responsible for adhering to the established duties and responsibilities.

3. Internal Audit function & Compliance function in place

Following laws and regulations, FinTechs are required to have a Compliance and Internal Audit function in place. A missing or limited Internal Audit function prevents Audit from effectively monitoring and properly supervising the Compliance function. The same goes for a missing or limited Compliance function with respect to its monitoring role over the Compliance activities within the first line of defense.

4. Holistic, data-driven and granular Systematic Integrity Risk Analysis

It’s imperative to define and document a process with clear roles and responsibilities for the first line of defense regarding the execution and evaluation of the yearly Systematic Integrity Risk Analysis (‘SIRA’), whereby the second line acts as an advisor and challenger. Additionally, a holistic, data-driven and granular organisation overview is required as a good starting point for the SIRA execution, as per the ‘DNB Guidance Integrity Risk Analysis’. When executing the SIRA it’s also imperative to assess the integrity risks of, for example, the different types of payment methods offered to the merchants, and to have a clear risk scoring model in place.

5. Customer Due Diligence following applicable laws and regulations

Laws, regulations and requirements from regulators require, among other things, continuous monitoring of customers. We regularly see that certain monitoring controls, such as PEP screening, Sanctions screening and Adverse Media screening checks, are missing. Additionally, make sure to run proper identification and verification checks and have up-to-date and aligned CDD policies and standards in place.

6. Enhanced set-up of Post-transaction Monitoring

Regulators expect a well-configured post-transaction monitoring (‘TM’) system to be in place. Adequate transaction profiles are crucial for effective TM, as is a clear end-to-end line of sight from SIRA risks to TM business rules, including rationales. For more information, see our blog on TM.

7. Anticipate upcoming Outsourcing regulations

In December 2021 the European Banking Authority (EBA) Outsourcing guidelines should be translated and implemented into national law. Prepare in time to take advantage of this and avoid potential challenges by implementing the guidelines in your organisation. For instance, make sure you have a clear overview of all outsourced activities, a mapping of contracts, and implementation of reviews.

Navigating through effective Compliance Risk Management

Today’s business climate is characterised by disruption and volatility. At Deloitte, we help FinTechs gain a new view on risk and provide tailored advice, seeing CRM as a vital performance lever that reveals untapped opportunities to create a competitive advantage and to overcome the challenges your organisation is facing.