In Polish, the concept of compliance is often translated as the supervision of accordance with the law, but this translation does not fully reflect the idea. Rather, the compliance system should be understood as a set of measures, tools and actions taken to ensure that the entity’s activities accord with legal provisions, internal procedures and regulations, and best practices. The scope of the compliance system should therefore not be limited only to mitigating the risk of violating the law, but should cover, more broadly, non-accordance with all rules and principles adopted for application.
The obligation to implement an effective and adequate compliance system is inherent in the regulatory requirements for supervised financial institutions, e.g. banks, brokerage houses or investment funds. Entities of this type are required, among other things, to appoint a person responsible for managing the compliance risk (Compliance Officer), adopt appropriate procedures and internal regulations that set out the directions of activities in this area, conduct regular inspections, establish an appropriate channel for reporting possible irregularities, and raise employees’ awareness of the regulations applicable in a given company and the consequences of violating them.
These obligations often significantly limit the freedom of activity of a given entity and are associated with additional costs and difficulties. However, practice shows that in many cases an efficient compliance system is not an additional formalism but actual support in ensuring the proper functioning of the enterprise. For this reason, it is increasingly common for certain solutions in the compliance area to be adopted on the basis of best practices, also by entities that are not directly obliged to do so by legal provisions.
Compliance risk - what can the failure to implement a compliance system result in?
The most common (and often the most painful) effect is the application of sanctions for violating the legal regulations governing a specific activity. The pace of changes in legal regulations – in particular with regard to dynamically developing new technologies – makes it necessary to constantly monitor whether the activity conducted by a given entity complies with the applicable regulations. Overlooking a significant amendment may result not only in high fines, but also in sanctions in criminal proceedings (e.g. for running a business without the required permit).
Fintechs – as entities operating in a sphere of high uncertainty and regulatory volatility – should pay particular attention to whether their activity falls within the scope of new regulations. At the same time, it is worth following not only changes in legal acts, but also official guidelines of national and EU regulators – the Polish Financial Supervision Authority, ESMA (European Securities and Markets Authority) or EBA (European Banking Authority). Many of the obligations imposed on financial market participants, or the manner of fulfilling these obligations, do not arise directly from legal provisions but from the supervisory practice of these authorities. For example, the provisions of the Act of March 1, 2018 on counteracting money laundering and terrorist financing do not contain precise guidelines on the methodology of preparing the so-called institutional risk assessment.
This issue, in turn, is important given that a significant number of fintechs have the status of an obligated institution and are obliged to adopt this document. Guidance on the proper implementation of this obligation can be found in the Position of the Polish Financial Supervision Authority of April 15, 2020 regarding the risk assessment of the obligated institution. Thus, in order not to be exposed to the accusation of improper performance of obligations during an inspection of the AML / CFT area, in addition to a thorough analysis of the provisions of the Act, it is also worth getting acquainted with the positions of the competent authorities, e.g. the Polish Financial Supervision Authority or the General Inspector of Financial Information. The above example clearly shows that expert navigation through the intricacies of legal regulations and supervisory guidelines is the foundation of every professional activity. Undoubtedly, an effective compliance system makes this easier.
The risk of lowering the quality of services: The lack of an efficient compliance system may not only significantly expose a fintech to the risk of violating legal provisions (and, consequently, to severe sanctions), but also significantly reduce the professionalism and quality of the services provided. Observation of the market leads to the conclusion that not all entities in the new technology industry are ready to operate on a large scale. It turns out that ensuring the required level of security is problematic – in the areas that are most crucial from the customer’s point of view.
Requirements in the field of cybersecurity, risk management, protection of clients’ interests or the quality of services provided are extremely strict for traditional capital market institutions (i.e. banks, investment funds or brokerage houses). Such entities are required to meet the highest standards in terms of management staff, IT infrastructure, protection of confidential information, and even the premises in which the business is conducted. In turn, entities from the fintech industry operate largely outside of direct legal regulation, and the services they provide are usually not subject to the supervision of the competent supervisory authorities, or are subject to it only to a limited extent*.
This means that – as a rule – the tough restrictions for traditional capital market entities do not apply to them, and no central authority exercises supervision over the standard of the services they provide. Therefore, it is impossible to reliably and comprehensively verify whether a given entity performs its activities with the utmost diligence.
This leads to a lower level of customer protection in comparison with financial services from the regulated sector. Incidents involving data leakage, loss of customer funds as a result of hacking attacks, technical failures or problems with financial liquidity are not unprecedented. All this, in turn, negatively affects the reputation of fintechs and seriously undermines the trust of customers. It is therefore crucial that fintechs pay special attention to ensuring appropriately high standards in every sphere of their activity. Invaluable in this respect is the implementation of an efficient compliance system, the primary goal of which is to control the legality and correctness of the actions taken.
Good practices in the area of compliance. What specific solutions can fintechs adopt?
The lack of specific statutory obligations in the field of compliance risk management very often prompts entrepreneurs to downplay critical spheres of their activities, mainly in order to reduce costs. However, the savings are often only apparent, as the cost of restoring the company’s operations to the state before an incident caused by non-compliance often significantly exceeds the cost of a complete implementation of a compliance system.
Therefore, it is recommended that fintechs follow, on the basis of good practice, the relevant regulations and guidelines for regulated financial market entities.
Obviously, such action must be adequate to the scale and specificity of the conducted activity, so as to facilitate the efficient functioning of the enterprise and at the same time not constitute excessive and unjustified formalism. Each fintech should, therefore, prepare a map of the risks related to its business and, on this basis, develop an appropriate method of reducing them. However, some areas are of key importance regardless of the specifics of a given activity, so it is possible to create a universal catalog of good practices, the implementation of which should be considered by each entity:
development of rules related to the identification and management of conflicts of interest
development of rules related to the protection of confidential information and professional secrecy, and the protection of personal data
development of rules related to outsourcing, i.e. entrusting the performance of specific activities to external entities
development of rules related to the handling of complaints and claims
development of rules related to the functioning of IT infrastructure and the monitoring of its security
In most cases, the scale and type of conducted activity will not justify a significant expansion of internal regulations and procedures. However, for the sake of clarity, it is recommended that the rules of conduct in the above-mentioned areas be collected in concise internal procedures (instructions) in order to standardize practice. Compliance with these rules should also be constantly monitored by a designated entity.
*For example, the activity of an entity that acts only as an Account Information Service Provider (AISP) is regulated activity within the meaning of the Entrepreneurs’ Law Act and requires an entry in the register of payment service providers and electronic money issuers kept by the Polish Financial Supervision Authority. On the other hand, taking up activity as an AISP does not require a permit from the Polish Financial Supervision Authority, and therefore the scope and intensity of supervision over this type of entity is significantly limited in comparison with, for example, domestic payment institutions.