The Tower of Babel in Digital Banking

People who work in specialized fields seem to have their own language. Practitioners develop a shorthand to communicate among themselves. The jargon can almost sound like a foreign language. — Barry Ritholtz

Risk and Compliance is an area full of jargon. In a previous blog post I discussed how the language used in risk and compliance can confuse and alienate people who are not familiar with it.

The technology domain has a similar problem with language barriers. There is even now the Sideways Dictionary which helps people understand terms like “zero-day”, “metadata” and other jargon using analogies and metaphors.

With Digital Banking and Fintech bringing together new technology and compliance, these two confusing lexicons collide and the potential for confusion is huge.

Digital Banking is growing fast, with some banks self-declaring themselves as technology companies and new digital banks significantly growing customer numbers. I have been working at the intersection of Technology and Risk within teams in Financial Services for the last few years, at both established firms and startups. During this time I have met very few people who understand both risk and technology well, particularly to the extent that they can make sense of both languages.

Even Senior Executives who are responsible for making important decisions relating to technology and risk often do not understand these in detail. Under the Senior Management Regime, individuals in banks have personal accountability for risk being taken in different areas of the business. This means people can have enforcement action taken against them if they do not act responsibly. So as it becomes harder to make sense of the risk from technology, it is more important to do so.

In the past, when most of the technology which banks used was backend systems, the responsibility for technology risk was typically delegated to IT teams. Risk was managed by defining processes and controls which all teams had to follow — architecture review, security testing, performance testing — giving rise to the ‘tick box’ mentality where teams see their objective as jumping through all the hoops required to go live rather than understanding and taking ownership of the risk in the technology they are releasing.

With the rise of agile technology delivery and teams wanting to work more autonomously, this model breaks. It also makes it very difficult for Senior Managers to take informed risks when they relate to technology, as it becomes virtually impossible to understand the implication of going live without a particular tick-box checked. They can either play it safe by not going live with anything which has not been through all waterfall controls and governance, potentially losing time to market, or they take accountability for risks they do not properly understand.

Fixing the confusion and ambiguities between technology, risk and business teams is one of the things we are working on at Smarter Human. We want to make it really easy for people to immediately understand the risk and business impacts of technology changes.

If this pain point is one you have experienced we would really like to hear from you and get your input. Contact me on Medium or at

“Never impose your language on people you wish to reach.” — Abbie Hoffman, U.S. social and political activist

Risk and Compliance manager wanted, must be able to code

Last week I attended an event at Revolut’s offices where the CEO Nik Storonsky and some of his team took us through their approach to managing risk and compliance. They were joined by ClauseMatch, a great RegTech startup who are helping them with smart policy management.

I love to see how new fintech companies are approaching risk and compliance as they tend to think very logically and use technology creatively. This is certainly true of Revolut who have established Compliance Product teams which are made up of a responsible product owner who also knows compliance, front and back end developers, data scientists and a designer. They also have Compliance Service teams who manage manual exceptions. Their objective is to automate as much of risk and compliance as possible to reach a goal of 1 Compliance agent per 100,000 users.

Each team has 6 month goals, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) which can be tracked in real time. They monitor risk indicators in real time and automatically escalate breaches of their appetite to the Head of the team, the Risk Enterprise Committee or the Board depending on the severity of the breach.

By creating engineering capabilities within the Risk and Compliance teams and producing technology to solve regulatory related problems, they are in effect creating internal RegTechs.

It’s not just Revolut who are building technology and using data to improve their risk and compliance capabilities. Monzo are currently hiring for a Risk Data Analyst and one of the questions the role is meant to help with is:

“What are the high impact automation tools that can be built for the risk team so we minimise time spent on recurring processes?”

Spending large amounts of time on recurring risk and compliance processes is something which I have seen in many organisations and indeed an opportunity which RegTechs are responding to.

In Chris Skinner’s recent blog, he was talking about the importance of data to banks, and a comment he made resonated a lot with the risk and compliance approach Revolut had showcased:

“But what is new is a bank being organised around data and analytics; the very design of the bank starting with the customer and their data; the basic premise of the bank being an enterprise data store of information and leveraging that information through automated intelligence to win and differentiate itself from the rest of the pack.”

I believe that the approaches these digital banks are spearheading for risk and compliance will eventually become the norm across the industry and the larger organisations looking at opportunities with RegTechs will have a head start on adopting these.

There are undoubtedly still a number of challenges to address outside of the ‘recurring processes’ which are more easily automated.

Banks adopting new approaches not only have to tackle internal cultural change but also have to work with the regulators, who not only set the rules but are accustomed to seeing these met in certain ways. Even reconciling the language between technology teams and compliance can be a challenge. For example, to make sure that products are suitable for customers, Compliance would generally be looking for a ‘target market’ to be defined. However, technology teams would have covered off this risk using personas and measuring actual customer usage. I’ve seen teams struggle to reconcile these perspectives and actually understand each other.

Other risk and compliance topics which are not so easily automated are interesting ones as they relate to a company’s ethics and human nature. For example, defining ethics for data use, which would ultimately feed into data analytics platforms and machine learning applications, takes some deep thinking and debate. Figuring out how to prevent employee misconduct without a command and control environment takes an understanding of human psychology and behaviour. A great example of this is how Starling use Automated Privilege Management via Slack for releases to Production.

This mix of major opportunities to improve with technology and human behavioural considerations is why I find risk and compliance a great area to be working in at the moment. It’s also why I decided to found Smarter Human with my co-founder, Sebastien, to change things here. Despite the common conception that Risk and Compliance is ‘boring’, done the right way it doesn’t have to be.

The full video of the Revolut and ClauseMatch event is here.

Surviving the 3 minute pitch competition

This year I attended Web Summit with Smarter Human on the Alpha startup programme. As part of this we had the opportunity to apply for the PITCH competition. Having tried to explain our Fintech solution to an investor without knowledge of the industry in a 15 minute slot (a story for another day!), I knew this was a hard sell when pitted against consumer products at a cross-industry event. To our surprise we were accepted to compete. After our initial celebration we realised that this meant we had to write and deliver a pitch. Having gone through this and survived I wanted to share how we did this in case this is useful to other people.

What do you want to achieve?

We started with defining what we wanted to achieve with our pitch. What would a success be?

For us this wasn’t winning the Pitch competition (although that would have been nice!). Success for us was having a non-Financial Services audience understanding the problem and what we do at the end of 3 minutes.

With this in mind we sat down and mapped out a story for us to tell.

We had a hard deadline just a couple of days away for submitting pitch materials so we had to create these at the same time as the story. Ideally I would have liked to crack the story before creating the slides but we made do.

This blog on How to fix your shitty pitch is a must read for designing pitch slides, even though it’s targeted at investment pitches. There was also a great talk at Web Summit this year on this which you can watch here.

To improvise or to learn?

I am not generally a fan of scripted pitches. That said, when you have 3 minutes it’s difficult to guarantee anything unscripted will run to time. Even a three syllable ‘how-ev-er’ takes up precious seconds when compared to a ‘so’. After running way over time when practising an improvised version, I decided to trade some natural delivery for loose scripting.

I wrote what I wanted to say and then timed myself reading this out slowly until I had content to fill just under 3 minutes. Once I had a version I was happy with I recorded myself saying it.

When you listen to a song repeatedly you quickly find the lyrics make their way into your head almost subconsciously. I decided to try the same with my pitch and listen to it 3–4 times a day. Goodbye Hamilton, hello Smarter Human pitch. Yes, I did hate the sound of my own voice after a few days, but I also learnt my pitch with minimal effort and with only 10–15 minutes a day.

Listening to it also helped me identify phrases and parts which I didn’t like. Each morning I would do a new recording making little changes.

I also ran through the pitch with friends and family. I would advise to test early as I did a run through with my partner a day before the competition and then was left trying to make last minute changes.

Presenting the pitch

We had slot 7 out of 8 at 4pm on the first day. It wouldn’t have been my first choice as we also had our Alpha startup stand that day, but it was nothing that a good coffee beforehand couldn’t fix.

The standard of pitches was high which was both encouraging and nerve wracking as I watched them. The other people pitching were also very friendly.

How did it go? We didn’t win but I was happy with how it went and it was a great learning experience which I would repeat.

You can see our final pitch here if you want to make up your own mind.

The overall PITCH winner was Wayve, a company developing self-driving cars which learn how to drive using machine learning as opposed to being given a set of rules to follow. You can watch the PITCH final here.

What I learnt

Killer ideas are king. This was what really determined the winner rather than the specific published marking criteria.

Be clear about use cases. We had a question on how our product would be used in a real life scenario. This is something we are working on articulating better.

Show rather than tell. All three of the finalists included a demo which they talked over during the pitch. This really brought their ideas and products to life.

Tips for hiring Risk and Compliance in Fintech - the real unicorn 🦄

Sooner or later most Fintechs will need to hire a person or team to manage Risk and Compliance. For Digital Banks, Payment Service Providers or companies using Open Banking this will likely be to help meet regulatory requirements, but even non-regulated companies who need to sell or partner with regulated companies will need some expertise in this area.

While it may seem like Risk and Compliance is a generic area which anyone with some prior experience can cover, in my experience getting this person wrong can cause big problems for tech companies needing to release trustworthy products fast.

Why is the role so important?

In an early stage business, risk taking is key. The early activities someone from risk and compliance will lead on — setting a risk framework, policies etc. — will define how the whole company makes decisions about what risks are most important and which to take. If this is done wrong or someone copies exactly what they did at their previous company, this can set your company up for months of bad decision making.

Another watch out relates to the friction and waste which Risk and Compliance processes can add to your product production processes if done wrong. This is a particular risk if your hire doesn’t understand the fundamentals of how you produce a product, for example agile software delivery. I have seen (multiple) examples of delivery teams being asked to produce long Word based documents or PowerPoints for each technology release. Given that modern technology companies do multiple releases per day, this is not a workable model for a Fintech. This kind of thing can slow you down, create friction internally and often ends up with teams circumventing the processes blocking them. Ultimately this makes your Risk and Compliance activities detached from what is actually happening in the company and consequently of little value.

Why is it hard to find the right person?

There are two main reasons I believe it is hard to find good people for Risk and Compliance in Fintech.

  1. There are few people who have a good grasp of agile, technology and risk. All three of these are needed to design customer centric approaches to risk and compliance which integrate into a digital business.
  2. Compliance is based on following tried and tested approaches, most of which have been developed for non-digital organisations. It’s rare to find people who can use first principle thinking to differentiate between what is done through habit and what the regulation really requires.

For companies looking to expand internationally, there are additional challenges as the regulatory requirements can differ a lot between countries, particularly outside of Europe. When hiring someone with experience from a larger organisation, there will normally be a trade-off between someone who has worked hands on in one country or someone who has worked at a strategic level across multiple countries.

What to look for when hiring Risk and Compliance in Fintech

Based on my experience, these are the four things I would prioritise when hiring Risk and Compliance in Fintech.

  1. Understands agile software development. If you are at heart a technology company this is the production process for your business. It is very important that your production line is not disrupted by teams outside of this. If the agile manifesto is at the heart of your software team’s approach to work, other teams such as Risk and Compliance should also subscribe to this and develop their processes in a way which takes this into account.
  2. Understands technology. As a fintech company, a lot of your risks and controls will be technology based. If someone doesn’t have a basic understanding of the technologies you are using, it will be hard for them to make sense of the materiality of different security and resilience risks against other operational risks. Beware of generalist risk and compliance people who claim it’s not necessary to understand the technology to assess the risks — I’ve never seen this to be the case.
  3. Continuously learns and experiments. When someone joins your company they will be designing ways of doing risk and compliance based on what they have seen done previously. Most of the approaches currently used for risk and compliance have not been designed with technology companies in mind so need some critical review and redesign. While this is a tricky task, hiring someone who at least appreciates that current methods need changing and wants to explore new approaches is a good start. Beware of anyone who comes armed with policies or processes from a previous company — this may sound like a time saver but is more likely to be a case of trying to fit a square peg into a round hole.
  4. Does not misuse PowerPoint and Word. Hours of time are wasted every day in risk and compliance teams creating slides in PowerPoint full of information which will likely not be read and will immediately be out of date. Someone who is open to ditching PowerPoint in favour of collaboration and data driven tools will help create a lean, forward looking team.

Bringing emoji to risk assessments

Risk and compliance. Sounds boring, right? 😴

If you work in Fintech, particularly if you are regulated, this is an area you will need to get your head around. Whether it’s for applying for regulatory permissions, going through the due diligence to partner with a bank, or even hiring someone to manage Risk and Compliance, you will undoubtedly come across the need to identify risks relevant to what you do and explain how you manage these.

It’s actually important to get right as well, as this covers how you plan to keep your company and customers safe — pretty fundamental for a business.

Think you sound clever? 👨🏼‍🎓

Language is one area in particular which makes risk and compliance unnecessarily complicated and alienating. Monzo identified a similar issue in the language that banks tend to use and created a tone of voice guide for their employees which they have made public. They make some interesting observations including on the need to speak your audience’s language:

“When we say ‘terminal’ do we mean ‘card machine’? When we say ‘funds’ do we mean ‘money’? When we say ‘reversal’ do we mean ‘refund’? And if not, do we explain why?

We can’t get around the fact that sometimes we have to use technical language, and that some terms have nuanced meanings (like ‘refund’ versus ‘reversal’). But we can always be precise about exactly what we mean, and help out people who aren’t familiar with the subject.”

This made me wonder if the same logic could be applied to risk and compliance. What effect would swapping the normal terminology for something a lot more simple have on the experience of having to do a normally dull risk related task? And could I get rid of language completely and rely on the universally understood emoji? 😍

The experiment 🕵🏽‍

For the task I decided to use a risk assessment. A risk assessment is an activity you do to identify all the events which could go wrong in your business and all the things you have in place to help stop these happening or fix them if they do. With this information you can understand which events should be your biggest current concern and take actions to address them.

Lots of Fintechs will have to do risk assessments. The FCA require all companies registered or authorised for Open Banking to submit a risk assessment as part of their application and then annually after that. Regtechs working with banks will need to explain how they manage their risks as part of on-boarding processes. Risk assessments are part of daily life at established banks and generally require dedicated teams to help ‘non risk savvy’ people complete these due to their complexity.

For the purpose of the test I imagined a startup called Smarter Theatre 🧠🎭 which would access Open Banking data to make theatre recommendations to people based on their transaction data. It would also initiate payments on behalf of customers to take advantage of the best theatre offers when these come up.

Next I’ll follow 5 steps to do a basic risk assessment infused with emoji…

Step 1: Identify what your company needs to protect

The first step of doing a risk assessment is identifying what needs protecting. In risk speak these are called impact categories. For Smarter Theatre I chose:

👫 Customers (without these I have no business)

💰 Money (always critical for a startup)

🏛 Regulator/ FCA (as I need regulatory permission to access Open Banking)

😳 Reputation (key to building trust as a new business)

Step 2: Figure out what could go wrong to put these at risk

Depending on the level of detail you need to go into and the complexity of your business, this can get quite complicated. For a thorough approach you would want to create a list of things that could go wrong, first from brainstorming, then by going through an industry standard list (‘risk taxonomy’). For this example I’m just going to look at things which could go wrong for my Customers 👫.

📴 The app is unavailable due to a technical issue (‘Systems availability’)

🤔 Poor recommendations made to customer (‘Conduct risk’)

🍯 Employee is tricked into giving logon details to someone (‘External fraud’)

😈 Hacker steals customer data from our systems (‘Information Security’)

😤 Unhappy employee steals customer data to sell. (‘Internal fraud’)

Step 3: Decide how much of a problem these are

To decide how much of a problem these are you first need to work out a rating system so you can compare different risks later (‘risk rating’). Ratings are normally based on the impact and likelihood of something happening.

For my impact rating scale I have used the face of the CEO if it happens.

😕 — downcast CEO, mildly annoying to customers

😠 — ruffled CEO, annoying enough for customers to complain about

😡 — angry CEO, bad enough to stop customers using my app

🤬 — fuming CEO, major disruption to customers or their financial well-being

For now I won’t base it on the numbers of customers impacted but as I grew my customer base this is something I would want to add.

For rating how likely something is to happen I will use a scale based on my chances of seeing the following animals in the next 24 hours.

🦄 Unlikely <10% chance

🦉 Not very likely 10–50% chance

🐰 Fairly likely 50–90% chance

🐈 Highly likely >90% chance

(This scale is obviously 🇬🇧 specific, in other countries you may see 🦄 every day!)

Using this scale I can now rate my risks to decide how much of a problem they are. For simplicity I’ll just take the last example to look at, my unhappy employee 😤 stealing and selling customer data.

I think this would be a major issue for my customers as someone might use their data to access other accounts they have and cause them a lot of disruption. That’s a 🤬 or fuming CEO for impact.

Given I only have a couple of employees I don’t think this is very likely. That said, they are only taking equity at the moment so may be desperate for money, and I have only known them for a short amount of time. That gets a 🦉 or not very likely.

Normally you would now combine these two together to get an overall rating (‘inherent risk’). I’m going to leave this for the time being to avoid getting too complicated.

Step 4: Decide if you want to take any action to do anything about them

Now I have rated my risk I can decide what I want to do about it (‘risk treatment’). My options would be:

👊 Make it less of a problem (“reduce”)

👌 Do nothing (“accept”)

👉 Make it someone else’s problem (“transfer”)

👋 Stop doing whatever makes this possible (“avoid”)

Based on the fact employees stealing data would have a very high impact 🤬 on my customers, I decide I want to make it less of a problem. 👊

Step 5: Design ways of stopping the events happening or fixing them if they do happen

So now I have to think of ways I can make this less of a problem. For a thorough approach I’d look at tried and tested ways how other people tackle this problem (‘controls library’). For now I’m just going to use my common sense to think how I can:

🛑 Stop it happening (“Preventive controls”)

🔍 Figure out if it has happened (“Detective controls”)

🎁 Put it right if it has happened (“Corrective controls”)

To stop it happening 🛑, I could restrict who can access the customer data by setting up access controls. If this isn’t an option, for example because all 3 of my staff need access to service customers, then I could log every time the customer data is accessed and set up alerts for any behaviour which looks suspicious. 🔍

To help stop it happening 🛑, I could also talk regularly with my employees to understand if they are unhappy about anything and prioritise being able to pay salaries so they are less likely to be in a situation where they are desperate for money.
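The detective control from Step 5 (log every access to customer data and alert on suspicious behaviour) as working code. This is an added example, not code from the original post or from Smarter Human: it runs three checks over a constructed access log for the Smarter Theatre scenario. The log format, the thresholds, the working hours and the employee names are all assumptions.

```python
"""Detective control for the 'unhappy employee steals customer data' risk.

Added example, not code from the original post: it scans a constructed
customer-data access log and raises alerts for patterns that look like
bulk collection. Log format, thresholds, working hours and employee
names are assumptions made for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds: an agent servicing customers one at a time rarely
# touches more than a few distinct records in a short window.
WINDOW = timedelta(minutes=15)
MAX_DISTINCT_CUSTOMERS = 10
WORK_HOURS = (8, 19)  # access outside 08:00-19:00 is unusual for 3 staff


@dataclass(frozen=True)
class Access:
    when: datetime
    employee: str
    action: str
    customer: str


@dataclass(frozen=True)
class Alert:
    rule: str
    employee: str
    detail: str


def parse_line(line: str) -> Access:
    """Parse '<iso timestamp> <employee> <action> <customer id>' (assumed format)."""
    when, employee, action, customer = line.split()
    return Access(datetime.fromisoformat(when), employee, action, customer)


def detect(lines):
    """Return alerts from the three checks below, at most one per employee per rule."""
    accesses = sorted((parse_line(l) for l in lines if l.strip()), key=lambda a: a.when)
    alerts = []
    seen = set()  # (rule, employee): a burst produces one alert, not fifty
    recent = defaultdict(deque)  # employee -> accesses inside the sliding window

    def raise_once(rule, employee, detail):
        if (rule, employee) not in seen:
            seen.add((rule, employee))
            alerts.append(Alert(rule, employee, detail))

    for a in accesses:
        # Exports may be legitimate, but every one of them should be visible.
        if a.action == "export":
            raise_once("export", a.employee, f"exported {a.customer} at {a.when:%H:%M}")

        if not WORK_HOURS[0] <= a.when.hour < WORK_HOURS[1]:
            raise_once("off_hours", a.employee, f"access at {a.when:%H:%M}")

        # Sliding window of this employee's accesses within the last WINDOW.
        window = recent[a.employee]
        window.append(a)
        while window and a.when - window[0].when > WINDOW:
            window.popleft()
        distinct = {x.customer for x in window}
        if len(distinct) > MAX_DISTINCT_CUSTOMERS:
            raise_once("bulk_access", a.employee,
                       f"{len(distinct)} distinct customers in {WINDOW.seconds // 60} min")
    return alerts


def build_sample_log():
    """Constructed log: normal daytime servicing by alex and jo, then a
    late-night sweep through customer records by sam."""
    lines = [
        "2019-03-04T09:12:01 alex view cust-1021",
        "2019-03-04T09:15:44 alex view cust-1034",
        "2019-03-04T10:02:10 jo view cust-1007",
        "2019-03-04T10:05:52 alex view cust-1021",
    ]
    start = datetime(2019, 3, 4, 22, 40, 0)
    for i in range(25):
        when = start + timedelta(seconds=6 * i)
        lines.append(f"{when.isoformat()} sam view cust-{2000 + i}")
    lines.append(f"{(start + timedelta(minutes=3)).isoformat()} sam export cust-2000")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert.rule, alert.employee, alert.detail)
```

Each rule fires once per employee so the escalation path described for Revolut's KRIs (alert the team head, then the committee) is not flooded by a single burst.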

My reflections on emoji in risk assessment 🤔

  • Emoji work very well for identifying the impact categories (things I want to protect) and the risk ratings (how much of a problem it is).
  • Emoji are a lot more engaging than risk language and they can make you smile just using them.
  • It’s hard to find emoji for the risk types (things that can go wrong), doing this for a whole risk taxonomy would really be a big job. Simple language would work better for this.
  • The emoji library needs some additions. Why is there no robber emoji? Or a plug being pulled?

Smarter Human is rethinking risk management for Fintech. We believe existing approaches to risk and compliance do not work for companies looking to deliver at pace using agile software delivery. Our mission is to make managing risk an activity which adds value rather than overheads.

We are going back to basics to deconstruct the accepted ways of doing risk and compliance, test the assumptions underpinning these and rebuild solutions using what we learn.

If you would like to join us on our journey, by sharing pain points, ideas and trying out our early prototypes, get in touch at or sign up to our Fintech Risk Hackers meetup group.

How much it will cost you to access Open Banking account information in the UK

After reading about how Open Banking is opening up access to customers’ account and transaction data you may well have a great idea for a product you want to launch. This post is to help you get an idea of how much money it will cost to register with the FCA and ongoing unavoidable costs once you are registered.

Firstly, let’s assume you only want to access account and transaction data for your product or service. In regulatory speak, if you want to access this data and present it back to the customer you are providing ‘Account Information Services’ (AIS) and you would be an ‘Account Information Service Provider’ (AISP).

Since January 2018, in the European Economic Area (EEA) you need permission from the financial services regulator to provide these services — in the UK the regulator who gives this permission is the Financial Conduct Authority (FCA). After getting permission you will be a ‘Registered Account Information Service Provider’ (RAISP).

If you want to provide payment services as well, such as initiate payments or hold money for your customers it will be somewhat more complicated (and costly) as you will need to be authorised rather than registered. This basically means you will be subject to following more rules and may need to have some upfront capital. There are a lot of possible different options here so we’ll just look at costs of offering Account Information Services for the moment.

So on to the costs…

  1. Application fee. You will pay this when you send in the application to the FCA. Unfortunately if you are not approved it is not reimbursed. This is currently £1500.
  2. Ongoing regulatory fees. Once you are regulated you will need to pay an annual fee. This goes to covering the running costs of the FCA and the Financial Ombudsman Service (FOS). The amount you need to pay depends on your gross income. If your gross income is £100,000 or less it will be about £600. With a gross income of £1 million it would be about £1000.
  3. Personal Indemnity Insurance (PII). As a RAISP you are required to have insurance which covers you if a third party claims to have suffered a loss, usually due to professional negligence. The European Banking Authority has published criteria on how to calculate the amount of cover needed. You should budget about £1000 for £1 million cover.

*Update on PII – since publishing the article I did some further research on PSD2 specific PII insurance. As there are limited suppliers in the market currently these have quite high minimum premiums in place. The lowest I found was £2,500, with two others coming in at £5,000 and £6,000.*

Bear in mind the above are estimates and there may be other costs associated with getting registered, for example if you use a consultancy to help with your application. Links to the sources used for these calculations are below.

FCA application fee —

Ongoing regulatory fees — (use fee block G003)

Personal Indemnity Insurance —

FCA guidelines on Personal Indemnity Insurance —
