FCC Leaders Interview: Assurance & Testing – An Interview with Natalie Merrylees
Financial Crime News sat down with Natalie Merrylees to discuss her thoughts on the purpose, challenges, opportunities and the future of Assurance, as well as the importance of trying to identify “hotspots. weak spots and blindspots,” the use of technology, regulatory expectations and much more besides.
FCN: What is the purpose of Assurance?
NM: Assurance provides a semi independent spotlight to reconfirm whatever needs to stay working, is working, or alternatively, is a whistle to gain attention when problems are Identified or aren’t being fixed. In many organisations right now, this role is one of oversight of the firm’s policies and procedures, working to a defined framework and method, and taking its baseline data from the Firms own risk assessment activity
FCN: What do you mean by Semi-Independent
NM: By Semi Independent I mean, we are part of the second line of defence that provides a programme of ongoing monitoring and testing of both the business’s financial crime controls, some of which are carried out of course in the second line. As such whilst we are fully independent of the first line, we are semi independent of the second line. Oftentimes we will be reviewing the performance of colleagues and peers, so it’s even more important to ensure any Assurance function not only has the full ability to call out issues but also the full support to do so.
FCN: How do you decide what to focus on? How do you prioritise?
NM: Much like Audit, Assurance formulates an Annual Plan, informed by the Firms Risk Assessment, but also by other factors, leveraging risk metrics, data analytics and aware of the context in which Assurance is being performed, for example avoiding unnecessary duplication of effort. The Plan is very much risk based and is consulted on, and approved by appropriate senior managers and governance bodies, again much like Audit. It’s important though you also build capacity to flex and react.
FCN: What are the most important factors in building and maintaining an effective Assurance function?
NM: Becoming & remaining effective is no easy task, especially with risks increasing, and as such, expectations rising. Still there are also opportunities that are now available that make the challenge a compelling one. To me the most important factors are as follows:
- Skills – having the right people on the job is critical for accurate, reliable observation and engaging intellectually with stakeholders. You need to have, or have access to, experts in specific fields. As well as having a solid understanding of the legislation and regulatory expectations; you need to possess IT and software testing capability to be able to mine models and assess outcomes in transaction and sanction screening. You need also to have strength in curiosity and a strong belief in the purpose of what you are doing.
- Making it Count – 2nd Line teams often struggle to get noticed. Output needs to be concise, relevant, punchy and heard within the right fora. However, making certain that reports are sufficiently seen at senior levels is only part of the picture. The ability to make it count and be understood with the people who do the work in the business is critical. To do that of course, you need a strong culture of ethics and of doing the right thing. The lack of reward for control improvement and sustainable business is a common root cause of issues and a frequent complaint among the Assurance community.
- Competing Demands – Many teams are in a matrixed environment or operate within a consultancy model in the drive to be efficient. In these scenarios, two elements are key. Firstly, connect modules together; packaging key controls within a business or process can be very powerful – consider what can be achieved if you use the lens of conduct, crime and culture, over a traditional KYC review. And secondly, seek out the unknown, find hidden risks. Use the data to maintain a watching brief; ensure over aggregation is not hiding an onboarding concern, look at new product approval processes vs volumes – enable the data to seek out all possible scenarios, then triage and focus your resource.
- MI vs Judgement – A common battle is trying to focus on the right outcome where a first line test or process has become a factory operation. In the drive to simplify and standardise, there is a subtle shift from why the operation was set up to how it operates. Where quality and risk reduction are replaced by volumes processed and backlog pace. Assurance colleagues need to consciously make decisions based on outcomes, and not just on MI.
FCN: What does a fit for purpose Assurance function look like for the future?
NM: Aside from meeting the challenges already outlined, the other core consideration is how to leverage the increase in data availability and manipulation and the use of that to understand behaviour better, as opposed to being swamped by the data that’s available. Data Analytics are shifting the sand, and with significant advances in data technology, organisations are able to streamline testing consistency and widen focus beyond issue location and remediation to be more forward thinking.
As data lakes increasingly elicit better base MI in screening, transaction monitoring, does the Assurance purpose change? If the data is scanning for signs of breaks in the policy framework such that we can maintain a regular watchful eye– can we better focus energy to align with the aims of those trying to manipulate the system?
Assurance colleagues are beginning to explore other more radical options. Can our role include pro-actively identifying how to manipulate and navigate the system for ill gain? More practically, we are seeing data enabling the creation of alerts in the other risk types in the same way screening tools work– increasingly this is the case for Bribery and Corruption. While the success rate/true match is currently variable, it is clear that we are on the path to creating actionable results.
Assurance practitioners are both supportive and wary of the reliance on analytics to tell the true story. Consulting firms are also still outlining more traditional areas for consideration: the financial crime framework, change controls to address new legislation, review of sanctions screening tools and alert dispositioning, onboarding and KYC. The conversation is beginning to shift and industry discussions are talking about the need for Assurance capability to keep pace with the evolution of financial crime programmes.
FCN: What about the Regulators – how do they influence your activities?
NM: Regulators in my experience are supportive of Assurance capabilities, in addition to Audit, though do not insist on dedicated capabilities and / or mandated frameworks, but recognise their importance in practice. Of course as Regulators move beyond focussing just on regulatory technical compliance to focus increasingly on the effects on customer outcomes, the Assurance function must reflect this evolution too. There is a general move beyond traditional Assurance and testing methods to a new focus on more data driven automated aggregated reporting across risk types. This enables us to see across the organisation, for hotspots, weak spots, and blind spots. The common thread in all of these activities is to identify issues of behaviour, conduct, morale, intent and control that stem from either poor leadership or dysfunctional groups. Where poor behaviours have been normalised, and these have ability to negatively manipulate teams, systems, processes. Identifying these early and taking remedial action can prevent negative outcomes arising in the first place.
FCN: So it’s all about the People?
NM: Not all, but a large part is. The good and the not so good. Of course firms are also targeted and vulnerable to abuse from outside, either by criminal activity and or cyber threats. Technology is an important enabler though.
FCN: Tell us more about emerging Technology and what we could see in the future?
NM: We are beginning to see vendors offer web based risk sensing – where using open source data derived from social media platforms is an emerging capability for piecing together the likely areas of wrong doing from outside. We have been able to extract patterns of unusual behaviour, for internal fraud and AML risk, we have started to move away from time and resource based Assurance processes to something more efficient. We are beginning to successfully identify patterns using algorithms within the operational risk frameworks. This is starting to shine a light on pockets of people altering outcomes, owners of key controls that fall just below key thresholds, business areas with persistent issues etc. We can now routinely analyse the language and tone in board papers and cross reference with controls information. This is enabling focused, sharp work and it is pointing toward conduct and behaviour as the predicate offence. It is seeking to reinforce the need for a strong compliance culture and a clear tone from the top.
FCN: What Advice would you give to an anyone aspiring to lead an Assurance Team?
NM: To be successful in Assurance I believe it’s crucial to possess and recruit those with the ability to listen, to navigate and connect. SME domain expertise is also important and should not be underestimated as programmes become more complex. That said, be involved and be professional, but don’t be engulfed nor confined by process and methodology. Assume the responsibility to travel through the organisation, diverted by chance, observation and curiosity too. I see Assurance as a mirror to an organisation, which must reflect and explain the true state of things, of the processes a company operates and the behaviours it encourages or supports. Remain a tourist in your organisation, use all available tools and data to get to know it – but continue to seek to understand how it behaves. .
Natalie Merrylees is an experienced Financial Crime Assurance professional, having worked across 4 international Banks. Currently Global Head of Financial Crime audit at Aviva.