In December 2020, the Inter-Governmental Action Group Against Money Laundering in West Africa (GIABA) issued a policy advisory paper on fintech risk and opportunities. The paper pointed to several important issues, including the roles of stakeholders in ensuring Africa’s safe digital transformation. One recommendation was to put in place a strong regulatory framework to promote the work of fintechs. Therefore, this paper will consider how to design a compliance framework that will satisfy the needs of stakeholders in the ecosystem.
Compliance Overview
The Cambridge dictionary defines Compliance as the act of obeying an order, rule or request. Emphasis can be placed on the term “act”, which connotes a deliberate willingness to obey, with limited options, if any, to do otherwise. A framework is defined as a system of rules, ideas or beliefs that is used to plan or decide something. A system therefore comprises two or more elements put together to achieve a defined objective and outcome. In simple terms, a compliance framework refers to sets of compliance elements consolidated to provide guidance to the various ecosystem players in the fintech industry. In contrast to traditional financial service providers such as banks, fintechs are defined as companies that directly or indirectly provide financial services to customers, including the excluded segment, via digital channels such as USSD and mobile apps, thereby promoting and achieving financial inclusion. While developing a compliance framework for a fintech, it is imperative to bear in mind the need to develop systems that do not impede but rather promote the financial inclusion agenda.
Internal and External Compliance
A compliance framework has two main sources, namely internal and external. The former refers to rules set up by the fintech company itself to guide operations to achieve defined financial and business objectives, while the latter refers to rules set by regulators, policy makers and key third parties (such as certification bodies) to create an enabling environment, ensure the safety and soundness of the financial system and provide an overall common playing field. Furthermore, external compliance may be considered from a primary and a secondary perspective. See diagram below for illustration.
The primary source refers to the main or core regulator of the fintech. A few examples are the Bank of Ghana, the Central Bank of Nigeria, the Central Bank of Kenya, the Central Bank of Uganda and the South African Reserve Bank. They are classified as primary because they are the only institutions mandated by law to issue fintech licenses to prospective applicants and to determine which products and services are permissible. This means go-to-market is only enabled upon successful procurement of the required license from the regulator. Because issued licenses are usually conditional, there is a need to take note of the license requirements codified in the acts, regulations and guidelines that give the regulator the power and authority to issue the license.
The secondary source, which I term the “auxiliary source” of external compliance, refers to regulators whose requirements are secondary to the core mandate or operations of the fintech. In other words, auxiliary regulators complement the requirements of the primary regulator. They include the Company Registry, the Data Protection office and the Tax office, among others. Suffice it to say that compliance with secondary regulators’ requirements is also imperative to ensure the going concern principle of the fintech and to obtain customer trust and investor confidence.
Compliance Elements
- Strategy
A paramount document to start with when developing a framework is the compliance strategy. This strategy should stem from the overall business strategy, as this gives the compliance function the opportunity to contribute to both the top line and the bottom line of the business. The compliance strategy should be developed to complement and support the achievement of business goals and social outcomes, if any. For example, based on a proposed strategy, whether market penetration, partnership or cost leadership, the compliance framework should identify potential risks and opportunities and develop remediating controls to complement the proposed strategies. A regulatory engagement plan could be one important pillar or theme in developing the compliance strategy because it identifies the fintech’s value proposition and proposes how to engage the regulator from an outlook perspective. This strategic approach deepens the relationship with regulators, expedites product and partnership approvals, and accelerates speed to market.
- Governance
The involvement of the board of directors and management of fintechs plays a critical role not only in developing compliance frameworks but also in ensuring their success. Fintechs must ensure an appropriate mixture of board members in terms of competency, profession and skills. The board must have a fair balance of knowledge and experience of the fintech business and of risk and control issues to govern effectively. Instituting board and management risk and compliance sub-committees remains one of the proposed ways of achieving a good balance between the business and risk issues. These sub-committees can be made effective through frequent engagement, including periodic reporting and escalations where necessary. Developing terms of reference for these sub-committees is highly recommended. The board must appoint internal auditors to perform periodic independent reviews of the entire compliance framework, pointing out deficiencies and providing recommendations to remediate them. The independent review is to determine whether or not the compliance framework adds value to the fintech’s business objectives. Due to cost implications, especially for start-ups, fintech companies can engage their external auditors to perform the required independent review to enjoy economies of scale. Finally, the appointment of a Compliance Officer with the requisite skills, knowledge and experience in Compliance, Risk Management, Auditing and Information Security, with a previous fintech or banking background, will enhance the governance element of the framework.
- Policies and Procedures
Reflecting on internal compliance, where the fintech company sets rules to guide and govern its operations, policies and procedures remain pre-eminent. Numerous policies and procedures are required as part of fintech operations, but considering the digital modus operandi, two key policies are of high priority. They are the Anti-Money Laundering (AML) and the Information and Cyber Security policies. The AML policy ensures fintechs are not engaged in illicit financial transactions and are not used by customers and third parties as a conduit to perpetrate criminal activities. The AML policy also spells out the Know Your Customer and Customer Due Diligence (KYC/CDD) procedures required to manage money laundering exposures with customers and partners while ensuring compliance with the Financial Action Task Force (FATF) recommendations. With the increase in cyber-attacks in the digital space, fintechs need to develop Information and Cyber Security policies and implement them to safeguard customers, partners, and other relevant stakeholders. Board approval of the policies, including budgetary allocation, is required to satisfy regulations and show commitment from the top of the business.
- Reporting
Reporting is an integral part of the compliance framework, as this task occurs at different times with different stakeholders. Reporting could be internal and/or external. The former involves reporting by the Compliance Officer to the board of directors via the risk and compliance sub-committee and the Chief Executive Officer (CEO). The latter occurs when the Compliance Officer reports to both the primary and secondary regulators mentioned earlier. Returns submission is scheduled at different periods such as ad-hoc, daily, weekly, bi-weekly, monthly, quarterly, semi-annual, yearly, and bi-annual, with different deadlines. The framework needs to keep a tracker of reporting requirements versus timelines. In an automated environment, this tracker can be digitized with alerts to remind the responsible Officers of an impending report. There are several off-the-shelf applications to assist. Compliance Officers must develop reporting procedures to manage sensitive information from staff, such as reports that need to be investigated and escalated to the Financial Intelligence Centre if confirmed to be suspicious.
- Risk Management
Compliance risk, which is the risk of non-compliance with regulatory requirements, should be a key performance indicator for every Compliance Officer within the framework. Compliance risk has huge financial and reputational cost implications for fintechs. One such risk is money laundering, which can be perpetrated via customer transactions and during capital fund raising by the fintech. To this end, the framework should include controls such as risk assessment, transaction monitoring and screening of customers, partners, and investors against trusted public and private databases. Fintech risk assessment is a growing need that must be explored further.
- Knowledge Management
The general expectation of knowledge management within the compliance framework is to establish adequate capacity-building efforts for staff, including the board of directors and management. The essence of this expectation is to create a learning culture and environment where compliance insights are shared and referenced to directly influence fintech operations and product development. Publishing periodic newsletters that track emerging compliance topics is one example of how to implement this.
Role of Fintech Regulators
Regulators play myriad roles in the fintech and digital financial space in Africa. The fintech industry has witnessed massive regulatory support, and regulators are encouraged to continue with their frantic effort at ensuring the success of the ecosystem. The regulator’s primary responsibility is to create an enabling environment to support fintechs. Considering that most fintechs in Africa are in the early to growth stages of the business life cycle, regulators must develop regulations and requirements that reflect this. Failure to make regulations proportionate may lead to over- or under-regulation, creating disincentives for some stakeholders. One way to achieve proportionality is to hold frequent stakeholder engagements to give the regulator a better understanding of the status of the fintech industry and different perspectives on key regulatory gaps and challenges. If the stakeholder forum is properly instituted, it will serve as the basis for periodic reviews of regulations, guidelines, notices and other regulatory tools.
Conclusion
In summary, developing a compliance framework for the effective running of fintechs to achieve financial inclusion is a collective effort by all stakeholders engaged in the digital ecosystem. While fintechs are encouraged to implement industry best practices such as the GSMA Mobile Money code of conduct, where applicable, regulators and policy makers must show a “friendly yet firm approach” to regulating the space to reach a fair balance.
About the Author
Samuel is a Governance, Risk and Compliance expert with 16 years of experience in Banking, Fintech and Consulting.