First in a series of interviews with leaders in the fields of Risk, Compliance and Information Governance across the globe.
Miguel Mairlot is the Risk and Compliance Officer for Lombard International Assurance and a Professor of Financial Law. I sat down with him at the beginning of the year to learn a little more about his experience in the field of Risk and Compliance and pick his brain on issues like GDPR, the future of privacy rules, the role of A.I. in “fintech” and any advice he can offer millennials looking to get started in the business.
What is it about the business discipline of Risk and Compliance that originally attracted you to the field and keeps you interested?
I spent the first 10 years of my career working in litigation, specializing in banking and finance law. My expertise and knowledge of the MiFID regulation (Markets in Financial Instruments Directive) led me to work on its implementation for various financial institutions. At that time, legal and compliance tasks were usually performed by the same department. Although I remain interested in and continue to work on several aspects of the MiFID regulation, I devote most of my time to issues related to money laundering and the detection of serious tax fraud in the event of repatriation of assets.
How do you think companies should approach implementing GDPR and what do you think will be the greatest challenges here?
Any company subject to GDPR should take great care when implementing the requirements set out by this new regulation. Before its entry into force, data protection was not a top priority for many European companies. Now, the paradigm is about to change, due mainly to the hefty fines which can be imposed and the potential reputation damages which may result from a violation of the GDPR provisions.
The implementation of GDPR will require the revision of internal procedures, the appointment of a Data Protection Officer in some cases and a mapping and assessment of all the data processes, as well as contractual changes. Among all these tasks, raising awareness among employees about the risks related to the infringement of the rules set out by GDPR might constitute the biggest challenge, since this new piece of legislation is considered an important cultural change in Europe.
Last year, New York introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD) bill which, among other things, updates breach notification requirements. There have also been efforts to pass bills similar to the EU’s “Right to be Forgotten” requirements. Given some of the geopolitical shifts around the world, including Brexit and a US administration emphasizing deregulation, do you see support for these regulations increasing or waning?
The inflation of legislative texts that has taken place in Europe since the last financial crisis is unprecedented. Complying fully with all the national and European laws and regulations is becoming increasingly complex and costly for companies. Data protection is no exception to this rule.
Even if its provisions were heatedly debated by the GAFA before the European Commission during the drafting process of GDPR, this text constitutes the last bastion that protects European data users against the potential abuses of those companies.
The decisions given during the last few years by the European Court of Justice (namely Maximillian Schrems v Data Protection Commissioner; and Google v Spain) are in line with this trend. For these reasons, I believe that any change in the data protection regulation that would reduce the rights of data users would necessarily create a political crisis and lead to a reconsideration of the democratic legitimacy of our institutions.
The Financial Services and Markets Authority (FSMA) is one of the two authorities, along with the National Bank of Belgium (NBB), entrusted with the supervision of the Belgian financial sector. In the United States, FINRA (the Financial Industry Regulatory Authority) and the SEC are responsible for ensuring compliance for our banks, insurance companies and publicly traded organizations. We all know the benefits of regulating our financial environments, but what do you see as the challenges in working with these groups on increasingly complex compliance issues?
In order to build a strong compliance program, it is of utmost importance to work towards good communication with regulators. Since last year, any individual employed in the financial sector who observes an infringement of the financial legislation that the FSMA is responsible for enforcing can report it directly to the FSMA. The whistleblower’s identity is kept secret and the law protects any individual who, in good faith, reported the infringement. Even if we can be pleased about this recent development, regulators should also have sufficient staff to perform – on a risk-based approach – on-site controls and exercise the ability to impose sanctions in the event of non-compliance. Otherwise, it becomes difficult to convince any employee or management of the importance of complying with applicable rules and regulations if no significant sanction is ever imposed by the regulators.
The news is full of articles about the future of A.I. and Robotics in the financial sector, some more realistic than others. How should Financial Institutions approach introducing Artificial Intelligence and Robotics into their environments and will it have a positive impact on compliance in the long term?
Financial institutions have been leveraging software to detect suspicious transactions related to money laundering and to identify counterparties subject to sanctions for years. Some of them already make use of predictive models. The use of A.I. or Robotics may present many opportunities for financial institutions if certain tasks or low-risk decisions can be made using these new technologies. In addition to being cost-effective, these solutions could improve the efficiency of a compliance monitoring program and help mitigate risks in a more efficient manner. However, I seriously doubt that regulators would agree that all compliance tasks may be entrusted to an A.I. tool or any other form of Robotics, mainly for liability purposes. To my knowledge, no robot has been held responsible (yet) by a regulator or a court for a violation of a legal provision.
What is your advice for young professionals, millennials, entering and trying to succeed in the field of Risk and Compliance?
I would advise them to question their own ethics. What is your take on issues like money laundering, sanctions, the fight against terrorism or data protection, for instance? Compliance offers the opportunity to practice law in a more preventive and efficient way than ever before. Within an organization, your decisions will often be challenged by the sales or product department, which does not always understand the underlying issues that can be raised by certain unethical or illegal behaviors. For these reasons, it is important to keep a long-term vision in order to achieve sustainability while ensuring business growth. If you have that vision, embrace the challenges and opportunities in this rewarding field.
In the next couple of months, I’ll speak with Jones Lukose of the International Criminal Court and with April Dmytrenko, a recognized thought leader in the field of information management, governance, compliance, and protection.