Regulation, risk and reward with HSBC’s Chief Compliance Officer, Asia Pacific
- "Some of the key things that I see will be around digitalization, open banking, artificial intelligence and robotics, workforce transformation, cyber security, and as mentioned, sustainable banking as well as regulatory technology."
- "We're also already seeing an increase in regulatory complexity, and banks will need to invest significantly more, in my opinion, around regtech solutions. These solutions will certainly help banks to manage regulatory requirements more effectively and efficiently and help drive some of those efficiencies to reduce the overall cost of being compliant with regulations."
- "As [these technologies] progress and become more mainstream, regulators will be looking to address some of the pretty big open questions out there around the ethical implications of some of the algorithms and all the potential biases in [them]. Are we susceptible to legal and potential [privacy] violations? Is machine learning and AI making decisions, and where do we rest the accountability for some of these?"
Darren Furnarello, Chief Compliance Officer at HSBC Asia Pacific, talks regulation, risk and reward with Protiviti Managing Director Adam Johnston. What does the future of the regulatory environment look like, how do we navigate it, and what keeps compliance officers up at night?
In this interview:
1:30 – Compliance priorities right now: Sanctions, resilience, privacy, sustainability
6:12 – Meeting the challenges of the future: Open banking, AI, regtech
10:36 – Balancing digital transformation with data and other risks
13:23 – Future of banking regulation
19:10 – The next 10 years through a compliance lens
Regulation, risk and reward with HSBC’s Chief Compliance Officer, Asia Pacific
Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today we're exploring the future of money and I'm excited to welcome in Darren Furnarello, Chief Compliance Officer for HSBC Asia Pacific. Darren has held several senior level positions within HSBC including roles in global transaction banking and trade finance. Darren, thank you so much for joining me today.
Darren Furnarello: Thanks, Joe. I'm really happy to see you today.
Joe Kornik: I'm pleased to welcome in my colleague, who will be interviewing Darren, Protiviti Managing Director Adam Johnston, who serves as the Country Market Leader for Hong Kong. Adam, I'll turn it over to you to begin.
Adam Johnston: Thanks, Joe. Welcome again, Darren. It's always a pleasure speaking with you and I'm very excited to dive into our topic today, the future of money through the lens of compliance.
As the Chief Compliance Officer for the Asia Pacific region, you lead a large team of compliance professionals across some 20 businesses and 18 jurisdictions overseeing the compliance function for HSBC in Asia Pacific, ensuring compliance with laws, regulatory requirements, policies and procedures. Frankly, you have a lot on your plate. How do you prioritize all those various responsibilities and which ones require the most attention right now?
Darren Furnarello: Thanks, Adam. Thanks for having me. I'm also looking forward to the session today. Thanks for the intro. You certainly make the role sound huge and important, so thank you for that.
Let me just perhaps frame and give some context just around sort of the responsibility and then I'll try and tackle that question in order. One of the key things to help me do my job and to execute those responsibilities is obviously having a robust compliance framework, which really consists of globally applicable principles, but also making sure that there's enough adaptability in those principles to allow for local regulatory requirements and nuances. Another key aspect of that is also making sure that we have global policies which are clearly comprehensive and detailed and provide clear direction and guidance to each of our business’ unique risks.
Of course we also have horizon-scanning tools which help us identify emerging risks. This really helps us to stay informed about what risks are emerging. It gives us great insights to regulatory trends and changes. We also look at macroeconomic and geopolitical issues and events. This also gives us great insights in terms of what we think the potential impact could be to our business as well as our compliance controls and our framework.
Just to maybe bring that alive a bit, I'll use a good example of all the risks that we've seen that have stemmed from the Russia-Ukraine War. This has been unprecedented for the financial services industry where we've seen an unprecedented level of sanctions as well as activities-based sanctions which has been very challenging for financial institutions to manage and to comply with. This is predominantly because some of those activities-based sanctions and restrictions—banks have never designed specific controls or measures to be able to comply with those. To some extent, we have to have agility to be able to implement new controls and frameworks to ensure that we are managing those specific risks as an example.
But if I were to also kind of just put the Russia–Ukraine war aside, some of the other risks that we continue to monitor and do require additional attention is things around asset quality. This is obviously given the backdrop of the macroeconomic environments as well as challenges that we see across the credit landscape. This means that we're conducting regular health checks on our counterparty exposures, which also include non-bank financial institutions as part of the portfolio review.
We clearly also focus quite heavily on operational resilience. This always requires ongoing reviews, testing and enhancements, particularly in the spaces around cybercrime and cyber security, data privacy, even third-party risk management, including things like cloud service providers etc. Of course, financial crime is always up there in terms of the key focus. This always requires constant tuning and enhancements given we've seen pretty advanced technical advances around the digital and crypto space, introduction of global wallets and digital payment platforms. These all bring new risks for a bank like ours to manage and to mitigate, and we also need to look at what enhancements we need to make to the overall AML framework as well as our monitoring capabilities around this.
Lastly, I'll just mention obviously green and sustainable banking has clearly come into sharp focus in the last year or two. We are working very closely with our businesses and regulators around climate risks, around climate risk management processes and governance, including thematic reviews on green products and greenwashing related risks. Many of these still require ongoing work, particularly from a regulatory perspective and the supervision that regulators want to put around climate-related risks as well as clearly defining some of those risk taxonomies.
Adam Johnston: So as you look out over the next three to five years, do you see that changing? What do you think will be the biggest issues facing compliance officers in the banking sector in the future and how do you prepare to meet those challenges?
Darren Furnarello: Yeah, that's a great question and to some extent I would say the future is almost already on us and we're already seeing a number of changes which are happening now and will continue to happen in the future. So undoubtedly, we will see significant transformation in the banking sector, which will be undoubtedly again driven by advances in technology, evolving customer expectations, the changing dynamics of geopolitics, the global economy and all of these will require some level of regulatory change or enhancements.
Some of the key things that I see will be around obviously digitalization, open banking, artificial intelligence and robotics, workforce transformation, cyber security, and as mentioned, sustainable banking as well as regulatory technology. Just to cover a couple of those off, digitization—as I've already mentioned, we’re already seeing a big acceleration around this through a number of banking services and this is already started from simple account onboardings through digital platforms, the use of Zoom and other identification platforms, right the way through to mobile banking and to online banking platforms. Advances in this space will definitely, definitely continue and we will see this take and become more prevalent as more and more customers are getting more comfortable and turning to digital channels for their banking needs.
I think open banking will further transform banking services, really enabling those third-party developers to access customer data. Of course, this will need to be with customer consent, and we’re definitely seeing acceleration around the build out of innovative apps and services in this space. This will obviously create more competition within the industry and will certainly force, as I see it, more traditional banks to innovate faster or they will simply be left behind in terms of keeping up with the changing demands of customers as they move to more mobile and online banking solutions.
The adoption of AI and robotics in banking operations I think will see a significant increase in the coming years. Banks will generally use these technologies to improve the way we do risk assessments, fraud detection, even customer service. We can see this perhaps for instance through the use of sort of AI chat box which we’re seeing significant advances with especially technology like ChatGPT and others, which still have question marks in terms of the ethics around it, but we’re seeing these big technological moves.
So I also think these technologies will be used for various operational tasks simply to help the banks become more effective and efficient, but also hopefully improve the overall customer experience when dealing with banks.
Lastly, I would just mention that we're also already seeing an increase in regulatory complexity, and banks will need to invest significantly more, in my opinion, around regtech solutions. These solutions will certainly help banks to manage regulatory requirements more effectively and efficiently and help drive some of those efficiencies to reduce the overall cost of being compliant with regulations. And hopefully with the use of these technologies it’ll also reduce the risks and the cost of non-compliance. We've seen significantly over the last few years that regulators have stepped up quite spectacularly their enforcement actions over the last few years for financial non-compliance and these have resulted in very hefty fines and penalties in the industry.
I'm also seeing a trend where technical compliance has to be a must for banks and other institutions. As regulators become more sophisticated themselves with the adoption of vetted data, analytical tools and AI, they will be holding banks to technical compliance, which means banks need to get the basics right, let alone start thinking about how to manage some of the risks of the future.
Adam Johnston: With all that being said, how do you balance digital transformation—all the emerging technologies from AI to cloud as you mentioned and the potential efficiencies that it brings—how do you balance them with data protection, security, risks, and regulation?
Darren Furnarello: Look, most banks already are embarking some form of digital transformation in one shape, form or another. From my perspective, strategic planning is absolutely critical here. Management needs to have a very clear strategy, in my opinion, around sort of the digital transformation programs. This really needs to be driven by a clear understanding of what technology exists, how that can be integrated, and what are the benefits that will bring to the bank.
For example, what are the benefits of using AI machine learning to improve operational efficiencies or enhance business priorities to help with risk mitigation strategies etc.? When we embark on digital transformation and the application of bringing in a new technology, we look at this through a number of lenses. One of the key lenses we do look at this through is through our customer lens. So regardless of the technology that we're going to deploy, we need to make sure that we understand, how does this actually improve the customers’ interaction with the bank? Are we improving the way we're servicing them? Are we making their touch points with the bank more seamless? Are we improving the overall experience of the customer as they interface with different parts of the bank or different products and services? How are we actually enhancing the overall customer protection around their data and personal information?
So directly correlated to that is, obviously, as you start to deploy some of these things, data management and privacy become critically important. So even when you think about the adoption of artificial intelligence or cloud technologies, these both demand very robust data management strategies, which means that we need to adhere to data privacy regulations, which we know continue to change. We're already seeing how tricky and how more costly this has been done, especially for global and foreign banks, as we see more data localization laws which we need to manage and that does create a bit of a challenge for us.
Lastly, I would also say a key aspect to which we look at this through is the lens of business alignment. Does the adoption of these new technologies, are they providing business value? Does it align to our strategic business objectives? I'm always keen to ensure that as we deploy and use new technology, it does serve a practical purpose beyond just keeping up with the times.
Adam Johnston: As somebody who spends a lot of time thinking about standards and procedures to ensure compliance programs detect, prevent and correct non-compliance with laws and regulations, I'm curious to hear your thoughts about where you see the regulatory environment evolving over the next several years. Are there changes that you expect on the horizon?
Darren Furnarello: I'm going to answer that in maybe a strange way. To some extent the future is already here and some of the things that I covered off earlier —we are really seeing how this and the advances in technology are shaping the future of regulation. So some of it we anticipate and certainly I’ll give you a few thoughts of where I see it going. Again, I would say, given the advances on digital and cyber security, we will absolutely see that this will become key in terms of deploying digital platforms and key around enhancing operations. So we'll definitely see more regulation from regulators and I think particularly there'll be definitely an emphasis around cyber security and how we're managing those.
We will definitely see more regulation around data privacy. As I've mentioned, we're already seeing some of this taking hold and more and more governments and countries implementing these local data privacy laws, which really demand for data to be managed onshore and not to be held into these global data lakes and global databases. So there will definitely—I think we'll see evolving regulation around this and I think it will be more sort of defining of the standards and the protocols that we would need to enhance and implement to protect customers, to protect customer data, and to some extent, from an operational resilience, to protect the banking system from cyber attacks, ransomware attacks through the uses of new and more advanced technologies which can be hacked and may not have same security protocols as some of the more traditional banking platforms.
I think we're also seeing quite significant advances just in terms of central bank digital currencies. I think these again are new and will be complex developments. This will definitely necessitate new banking regulations, from our perspective. I think as these central bank digital countries also gain traction and adoption, regulatory bodies will need to think about what is the legal framework around that? What is this technical framework around to manage the associated risks with that, but not just around managing associated risks, but also how they enhance the potential benefit of the introduction of these sorts of products.
I think what I'm also seeing is there's definitely a lot more of non-traditional players are entering the financial services market and these are things like fintechs or big tech firms. I think we'll see quite a lot of regulation coming out to make sure that they are equally regulated. Maybe not to the same extent of traditional banks, but there will be regulations extended to them to make sure that they're adhering to AML-related requirements, data requirements, cross-border type requirements. So in this space I think there will be increased regulation; also predominantly just to level the playing fields against traditional banks. Otherwise, you do put a huge emphasis on traditional banks trying to cover both these big tech firms and fintechs through the provision of their banking services where you could see regulators kind of saying, “Well, we rely on the infrastructure of big banks to do that for us.” We've been strongly advocating that we think more regulation is required in this space, in particular where we are giving out virtual banking licenses as well.
I did mention sort of mobile banking before. I think we're really seeing with the introduction of mobile banking and online banking services, this is already, I guess, through digital finance blurring geographical boundaries. So I think we'll see more regulation certainly from around the world where regulators will need to pretty much collaborate more frequently to manage some of the associated risks with cross border transactions.
Lastly I'll mention and maybe to finish this question a bit more controversially, is I think there will be regulation on AI/machine learning. I think these technologies will definitely in the future transform the way banks operate, how they manage customers, customer data, services and operations. I think these technologies, as they progress and become more mainstream, regulators will be looking to design and to address some of the pretty big open questions out there around the ethical implications of some of the algorithms and all the potential biases in these algorithms. What does that do? Are we susceptible to legal and potential [privacy] violations? Is machine learning and AI making decisions and where do we rest the accountability for some of these?
Adam Johnston: Thanks, Darren. That's very comprehensive. We've covered a lot of ground today. I do have just one final question to close on, and that is if you do think about the future of money from a compliance lens in the distant future, say beyond five years, five to 10 years, what's the one thing that concerns you the most?
Darren Furnarello: Again, a great question. I think the risk of future money will definitely be we're moving to virtual currencies, crypto, crypto assets, tokenization. I think this is the one thing that generally will keep me awake at night and that's predominantly because it's unregulated at the moment. We've already seen some issues with Ponzi schemes in the digital and crypto space and I think it’s not very clearly understood by customers and I think there's a lot of vulnerabilities there where people could be caught into this, trapped into this where customers could be taken advantage of. I think this also opens up tremendous risks for banks in terms of, really around the financial crime risk space, because a lot of these digital platforms, digital assets, tokenization, or whatever it may be in the future will definitely make it more difficult for regulators, banks and law enforcement to really enforce some of the AML rules and regulations that the bank holds themselves accountable to today.
So I think there needs to be significant advancement just around how that is regulated but also significant upskilling which we need to do from staff, from our own internal operations, to be able to kind of —how do we effectively manage these new potential risks that will come through all of these digital platforms, because people are moving away from more traditional banking.
Even if you think about the mobile phone, 10 years ago what it could do versus what it could do today, the technical advances that you can pretty much run your whole life on your iPhone or your smartphone. I think the future generations will want to do all of their banking, all of their finance, all of their transactions via these mobile devices and platforms and that does create a plethora of risks and issues that we need to think about, to manage, to safeguard customers, make sure that they're not being taken advantage of, make sure that banks and systems are not being held to ransomware, which we've seen in recent months and years.
It’s a very big question, Adam. There's a lot of components there and a lot of things. I think as these things evolve, hopefully they evolve quickly but hopefully they don't evolve so quickly that we don't have time to manage and mitigate the risks.
Adam Johnston: Yeah. Absolutely. Darren, thanks again for your time today. We covered a lot of ground. Very, very insightful and we really appreciate you spending the time.
Darren Furnarello: It's my absolute pleasure and again, thanks for having me.
Adam Johnston: Back to you, Joe.
Joe Kornik: Thanks, Adam and thanks, Darren. Thank you for watching The VISION by Protiviti interview. On behalf of Darren Furnarello and Adam Johnston, I'm Joe Kornik. We'll see you next time.
Darren Furnarello is the Chief Compliance Officer for HSBC Asia Pacific where he oversees all compliance professionals across 20 businesses in 18 jurisdictions. In this role, he is the responsible risk steward for regulatory compliance and financial crime risks. Darren has held a number of senior positions at HSBC over the last 23 years, including Head of the Financial Institutions Group (FIG) Hong Kong, Regional COO, FIG Asia-Pacific, and Regional Head of Traded Credit Risk Management, Asia-Pacific. He has also been the Head of Global Markets Transactional Client Group and European Head of Hedge Funds, both within Global Banking and Markets, EMEA.
Adam Johnson and a Managing Director with Protiviti and the country market lead for Hong Kong. With over 15 years experience, he has spent much of his career consulting to Fortune 500 organisations, helping them solve complex transformation and resourcing programmes and projects. Adam’s specialisation is in Executive Leadership Development and Strategy, Employee and Resource Engagement, Programme, and Project and Change Management.
What could C-level executives and directors be doing to prepare for the regulatory future? Darren Furnarello offered this advice:
Pressure-test current compliance programs and the effectiveness of controls. This is usually done through specific regulatory inspections, internal assurance reviews and through internal audits. This is vitally important to ensure there is a clear understanding of gaps, weakness or ineffective controls and to determine the necessary resources and strategies to meet new regulatory requirements. Organizations should also consider conducting scenario planning exercises to anticipate and prepare for different regulatory scenarios.
Develop a strong compliance culture. This includes creating and enforcing policies and procedures that align with regulations, providing effective compliance training, and fostering a culture of transparency, accountability and ethical behavior. Employees should be encouraged to report potential compliance issues, and there should be a robust system for addressing and resolving concerns.
Build regulatory relationships. Business leaders must stay in touch with current regulations and proactively seek information about potential changes. Building and maintaining relationships with regulatory agencies and industry bodies can help anticipate changes and provide opportunity for input on proposed regulations. This could involve participating in public consultations and partnering with industry associations to collectively address regulatory concerns. Executives should also work with government relations teams to articulate the potential impact of regulations on their organization and present alternative solutions.
Embrace regulatory technology. Executives should leverage technology solutions to streamline and automate compliance processes. Regulatory technology tools can help monitor for regulatory changes, track compliance activities and improve reporting capabilities. By adopting regtech solutions, executives can proactively manage regulatory risks and ensure timely compliance.
Recognize that regulatory change is inevitable and should be viewed as an opportunity to adapt, innovate and ensure long-term success. By staying informed, building relationships, conducting impact assessments, fostering a compliance culture, engaging in advocacy, adopting technology and collaborating, executives can navigate regulatory change more effectively, minimize disruptions and improve compliance. I strongly advocate that executives view regulatory change as an opportunity to strengthen their businesses practices/strategies and maintain trust with the customers and industry they serve.
Ensure there is a robust regulatory change management framework. This means having a dedicated teams and functions for assessing, implementing and monitoring regulatory change.