Despite five financial institutions (JPMorgan Chase, American Express, Capital One, Bank of America and Citibank) spending more than $1 billion on marketing in 2018, compliance isn’t something the average consumer hears much about. Partly, it’s because the idea of compliance is technical and not very sexy; the other reason is that the incumbent banks aren’t especially good at combating financial crimes. In September, the United Nations said that $1.6 trillion is laundered each year.
Matthew van Buskirk co-founded Hummingbird because he believes that technology can help improve the compliance and anti-money-laundering space. His company works as a layer above a financial institution’s compliance monitoring systems, making them work in concert to efficiently combat financial crimes. He believes Hummingbird can be a Fintech tool that helps make the banking system fairer, safer, and more reliable. That’s why Unifimoney has brought on Hummingbird as an advisor to help with compliance.
We called Matt to better understand the compliance challenges facing banks and to learn how a systemic change could truly shift the balance of power away from fraudsters and back to financial institutions. "I believe technology companies and Fintechs can actually be much better about preventing fraud and all the other bad activities that could hit a customer than a traditional financial institution," he told us, "because their data environments are just much more modern."
van Buskirk: It was a result of the cross section of our founder backgrounds. I'm a former regulator and my first job actually needing to build an operational compliance program — as opposed to critiquing one from the outside — was with a startup called Circle, an early cryptocurrency company. When I went out to look for software solutions in the compliance space that could help with a crypto company in 2014, I found that basically, nothing existed. So, we ended up needing to build a lot of stuff in house, which meant I was basically kidnapping engineers from the product team. I met my cofounder Joe there when he was the Head of Product — after the company launched, he evolved his role into becoming the Head of Risk of Data Sciences. Over the course of three years, we built a lot of cool stuff. However, eventually, I came to the realization that there's a whole additional set of stuff that it didn't make sense for any startup to build in-house. If we were going to prioritize where to put our time and money, it would be in monitoring and screening solutions to help us be more targeted and make automated decisions faster. My compliance team was still doing a huge amount of work on the back end using Google Sheets and Google Docs manually.
So, we realized that there was this whole case-management function that didn't have a modern solution. The second piece of it was that we believe the future of compliance technology and risk technology stacks in the financial world is going to be very modular. If you look at the most sophisticated Fintechs in the world, they're not relying on pre-bundled external vendors to tell them what transactions to flag; they rely on their in-house data sciences team combined with a variety of best-in-class external vendors to do that for them. It can be much more precise than an off-the-shelf all-in-one vendor could be because they have an intimate familiarity with their own business and can put the exact pieces they need together to create an optimal solution. We came to the conclusion that if case-management solutions were flexible and designed to provide structured data feedback loops into monitoring systems, it could enable companies to do their work much more easily than if they were working with the kind of pre-bundled case management that exists today. Even if you invest in a really modern solution, it's rare that that solution can do everything for you; you're still forced to have four or five parallel systems that don't speak to each other. So, we wanted to build the layer above where we could aggregate across everything, providing a unified interface, and then let our customers pick and choose the data and monitoring vendors that they wanted to plug in or build their own in house.
There are a bunch of reasons, but I think the biggest problem is that the approach that is codified in regulation today was set when the laws were written 40 plus years ago and it assumes that all the work would be done by people on paper. As an example, there is an industry best practice called the “Three Lines of Defense” where you train the frontline person to do their job, and then the compliance function audits and tests the front line to see how well they're doing, and then the audit function tests how well the compliance function is testing the frontline people. But that only makes sense in an era when there's a high opportunity for manual error since all of the work is being done by hand.
Obviously, neobanks are building everything from the ground up with modern technology, so they're not going to throw dozens or hundreds of people at the compliance function to do this work manually. They want to invest in having a scalable, repeatable, tech-based methodology to do it. But the regulators are still looking for the same things that would be seen at a more traditional financial institution. So, the measuring stick is wrong. The neobanks are looking at the process that will hopefully achieve the result that the regulator wants to see, as opposed to actually measuring the results themselves.
So, compliance is a lot more about controlling the downside risk so consumers never really hear about it unless something goes wrong. It's table stakes. But while a big bank like Wells Fargo can survive a major regulatory issue, a neobank would probably die.
But there is an opportunity there: a really well run compliance function can become a competitive advantage, because it can be much smarter about what you put customers through in a CX and UX sense. If you build an effective customer identification program, then most of your customers will just fly through without ever having any slowdown to their experience. And similarly, when you're screening for fraud or money laundering, if you're good at that, you're only going to be causing a hassle to the people who are actually exhibiting really shady behavior. That'd be a big change from the current system where a lot of people who through no fault of their own get caught up in the dragnets of banks, because the old-school approach to monitoring commonly produces more than 90% false positives. So, if you invest properly, compliance really can become an advantage for you.
To get to your specific question, though: one of the biggest challenges most Fintechs have is that customers know if they're banking with Wells, JPMorgan, or whoever, that one bank can cover all their financial needs. As of now, it's rare that a Fintech is able to do all of that. That's one of the unique aspects of Unifimoney's approach: that you're hitting all the major bases in one platform. It's pretty uncommon.
It's an interesting situation, because I believe technology companies and Fintechs can actually be much better about preventing fraud and all the other bad activities that could hit a customer than a traditional financial institution because their data environments are just much more modern. They can actually do things like machine learning, behavioral modeling and all that kind of stuff, where even the best of the big banks out there have so many legacy technology stacks that they can't effectively adapt. Four or five years ago, one of the biggest credit card companies in the world was still advertising for an active posting for COBOL programmers — that kind of legacy tech limits what you can do.
So, when it comes to consumers being wary to switch to a challenger bank, it's less about the actual ability to build a trustworthy product and more about the adoption curve. Early phase startups are not going to have that trust, just because they're new and early and don't have a track record. That’s why startups can benefit from tying themselves into other brands that have built trust to demonstrate that they're taking the security and protection side of things seriously. A lot of financial institutions don't publish the relationships with their anti-fraud or anti-money-laundering provider, because they think the fraudsters will then use that knowledge against them somehow. But it would be great to see a trend more towards companies actively saying, "We've partnered with these three companies to help secure your money and prevent bad things from happening. It's not just our team doing it; we're relying on the expertise of multiple other teams who are all specialized in their field."
So, it's more of an aggregate risk than a specific new type of threat that's coming. We believe that the way compliance — and specifically anti-money laundering — is done today is completely broken. The UN reported that we're catching less than 1% of global money laundering, which accounts for somewhere between $2 and $5 trillion a year. Think about how much money we're spending to achieve a less than 1% result — it's a pretty poor return on investment.
The fundamental reason why that is the case is information asymmetry. The criminals are freely sharing information amongst themselves — if they've developed a new tool, they're selling it to other criminals. They don't have any restrictions on adopting new tech, so they're always at the bleeding edge. Whereas, a law enforcement agent I've spoken with said they have seen it take up to 36 months for the entire industry to become aware of a new type of technique that's being used by bad actors since many community banks only hear about them through annual compliance conferences.
Fintechs have the ability to change that, because of their ability to build modern data environments from the ground up. But what we really need is more cross-industry collaboration and information sharing. We need to build an immune system for the industry. The first time a new attack type is used, it's new, but then the analyst figures out what it is. Then, ideally, we'll come up with a cross industry standard, where that institution can then share the characteristics of that attack, so that everyone else can look for those things too. That would mean the attack only works once or twice; not again and again for 36 months. As of now, one bank shuts you down, and you go to the next one and keep making money.
I have used an analogy in a couple of speeches: today, the entire industry is like a bunch of ships sailing alone in the fog and pirates can pick them off individually and no one will ever know. We need to get them all close enough together into a fleet and able to coordinate and defend each other if we want to actually make a meaningful dent in financial crime. I believe it's going to start in the Fintech space, because we've got the technical capability to do it and we can prove that it can work. Then, hopefully, it will become the new standard going forward across the entire financial industry.
We are now slowly rolling out our beta program. Be one of the first to get access by signing up today.