A few weeks back the U.S. Financial Crimes Enforcement Network (FinCEN) published a bulletin urging financial firms to do better at identifying deepfakes that fraudsters might use to evade customer due diligence programs. The bulletin was only six pages long – but the subtext underneath those six pages speaks to a deep truth about corporate compliance challenges today.
The risk doesn’t care whether it’s regulated or not.
That is, with ever-increasing frequency, things that were once pure compliance risks are now operational risks as well. So senior executives and corporate boards can no longer dismiss a threat as “just a compliance risk” that can wait at the back of the line. Ignoring it could bring real operational, financial and reputational consequences, which might well be worse than whatever regulatory enforcement action eventually follows.
This is an important point for compliance officers to appreciate. The more you can articulate its significance, the better you can position the compliance function as a vital part of your enterprise. You can win greater support from senior management, more respect from operations teams, and ideally even more resources for a robust compliance function – all because you can demonstrate that strong compliance capabilities are a strategic advantage regardless of the regulatory landscape at any given moment.
Let’s take a closer look at that FinCEN deepfake guidance to see that idea in practice.
Risks now work on multiple levels
The bulletin begins with a quick review of the generative AI tools that are now widely available, and how fraudsters are using those tools to falsify the documents banks rely upon to verify a customer’s identity. For example, fraudsters have used gen AI to fabricate driver’s licenses, passport cards, and other forms of photo identification. Sometimes fraudsters find a genuine image of a person and alter it; sometimes they fabricate an image out of thin air.
FinCEN then offers suggestions for how a financial firm might sniff out those deepfakes when a fraudster tries to open a new account. For example, if you suspect a deepfake image, you could run a reverse image search or screen it against open-source databases to see whether it matches known fakes. Firms can also use more sophisticated techniques, such as examining an image’s metadata or using software designed to detect deepfakes or manipulated images.
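As an added illustration of the metadata check mentioned above (this is example code written for this page, not code from the FinCEN bulletin or from NAVEX), the following Python script reads the EXIF block of a JPEG and flags the things an onboarding analyst would look at first: no EXIF at all, no camera make and model, or an image-editing tool recorded in the Software tag. The sample images are constructed inline as byte strings, not real identity documents, and the list of editor names it looks for is an assumption chosen for illustration.

```python
"""EXIF triage for a JPEG identity-document image.

Added example for the metadata check described above; not code from the
FinCEN bulletin or from NAVEX. The sample JPEGs are constructed inline,
so this runs offline with the standard library only.
"""
import struct

# IFD0 tag IDs of the ASCII fields worth a first look
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

# Editing tools whose name in the Software tag warrants a second look.
# Assumption: an illustrative list, not an authoritative one.
EDITOR_HINTS = ("photoshop", "gimp", "paint.net", "canva", "stable diffusion")


def _segments(data):
    """Yield (marker, payload) for each length-delimited JPEG segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker alignment at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def read_exif(data):
    """Return the IFD0 ASCII tags listed in TAGS, or {} when there is no EXIF APP1 segment."""
    for marker, payload in _segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                      # TIFF header; all IFD offsets are relative to it
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        found = {}
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            tag, typ, n, offset = struct.unpack(endian + "HHII", entry)
            if tag in TAGS and typ == 2:        # type 2 = ASCII
                raw = tiff[offset:offset + n] if n > 4 else entry[8:8 + n]  # short values are inline
                found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        return found
    return {}


def triage(data):
    """Return human-readable flags; an empty list means nothing obvious in the metadata."""
    exif = read_exif(data)
    if not exif:
        return ["no EXIF block: metadata stripped, a screenshot, or a synthetic render"]
    flags = []
    if "Make" not in exif or "Model" not in exif:
        flags.append("no camera Make/Model: not a straight capture from a phone or scanner")
    software = exif.get("Software", "")
    if any(hint in software.lower() for hint in EDITOR_HINTS):
        flags.append("editing software recorded: " + software)
    return flags


def build_sample_jpeg(fields=None):
    """Construct a minimal JPEG (SOI, optional EXIF APP1, EOI) as an offline test fixture."""
    if not fields:
        return b"\xff\xd8\xff\xd9"
    tag_of = {name: tag for tag, name in TAGS.items()}
    n = len(fields)
    blob_start = 8 + 2 + 12 * n + 4             # header, count, entries, next-IFD pointer
    entries, blob = b"", b""
    for name, value in sorted(fields.items(), key=lambda kv: tag_of[kv[0]]):
        raw = value.encode("ascii") + b"\x00"
        if len(raw) <= 4:
            entries += struct.pack(">HHI4s", tag_of[name], 2, len(raw), raw.ljust(4, b"\x00"))
        else:
            entries += struct.pack(">HHII", tag_of[name], 2, len(raw), blob_start + len(blob))
            blob += raw
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, n) + entries + b"\x00\x00\x00\x00" + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed samples, not real documents
    samples = {
        "phone capture": build_sample_jpeg({"Make": "Apple", "Model": "iPhone 13",
                                            "Software": "16.2", "DateTime": "2024:10:01 09:14:22"}),
        "edited image": build_sample_jpeg({"Software": "Adobe Photoshop 25.0",
                                           "DateTime": "2024:10:01 09:14:22"}),
        "stripped": build_sample_jpeg(None),
    }
    for label, jpeg in samples.items():
        print(label, "->", triage(jpeg) or ["no metadata flags"])
```

Treat the output as a triage signal, not evidence: EXIF is trivially stripped or rewritten, many legitimate upload paths strip it anyway, and a competent fraudster will fabricate plausible camera tags. A flag here should route the application to the other checks the bulletin lists (reverse image search, dedicated detection software) rather than decide the case on its own.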
All good advice (for any business, financial firm or otherwise), but we should also step back and consider why firms need to care about this:
- Because they’re legally required to do so; the Bank Secrecy Act requires financial firms to maintain a system of anti-money laundering controls, including customer due diligence.
- Because it’s just good common sense. A firm without a strong customer due diligence program will soon be overrun by fraudsters trying to fleece it, and its other customers, for every cent they have.
Those two points might seem obvious, but remember that for many years, No. 2 was not a serious threat. People couldn’t fabricate documents with a few keystrokes. They couldn’t open a new account without setting foot in your physical office. They couldn’t impersonate the voice of your CEO and order $10 million wired to an overseas account. Now they can.
In other words, modern technology has transformed a compliance risk (“we need strong customer due diligence controls to pass our next regulatory exam”) into something that is also an operational risk (“we need strong customer due diligence controls so some fraudster doesn’t sucker us for millions”).
Look around the business landscape, and you’ll see other examples of that dynamic over and over.
Once upon a time, a company needed strong vendor due diligence to address the compliance risk of anti-corruption statutes; now you also need those same due diligence capabilities to root out unreliable suppliers and to support business continuity if a critical vendor suddenly goes offline. You need strong anti-harassment training not just to avoid a civil rights investigation, but also to avoid private lawsuits and customer boycotts.
Things that were compliance risks have expanded to be operational risks, too.
Build a better risk management capability
If this is the world corporations face, then the trick for compliance officers is to broaden their horizons and to reframe their value to the enterprise as something beyond regulatory compliance.
Regulatory compliance will always be a top priority, but a strong compliance program is also crucial for effective risk management. That’s the point to emphasize to senior management, the board, and the leaders of other first- and second-line business functions: the capabilities that make your compliance team stronger can help them manage their own risks as well.
And what would those compliance-turned-risk management capabilities be? We can identify a few.
- An ability to map your compliance and operational risks, so you can see where those risks have converged to be one and the same
- Strong due diligence capabilities, because transparency into your supply chain risks will always be crucial
- Strong internal reporting channels and culture, so you can quickly hear about potential trouble and move to intercept it
- A close working relationship with other business teams and especially the internal audit function, so you can design smart, effective internal controls for all those risks
Compliance officers might be muttering, “Duh, I’ve already been pushing for all this for years.” I’m sure that’s true. The challenge now is to reframe those arguments in that larger context that senior management will understand: the context of enterprise risks – which used to be different from compliance risks, but with every passing day the two now look more and more alike.
That’s how compliance officers can position themselves and their programs as valuable assets in a world full of risk and regulatory uncertainty.
Looking to streamline your risk management efforts? NAVEX has solutions designed to automate your risk governance to help your program meet your current and future needs.