Standout Moments - Becoming a MSB
There were two defining moment for me when nTrust became a licensed Money Services Business.
The first was on January 23rd 2012 – I opened a letter sent from the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) notifying us that our registration as a Money Services Business had been approved.
Throughout the 4 months prior to this notice days were filled with endless application preparation and I had threatened I would cartwheel around the office when we got the good news. But on that day I was in a dress and reverted to a professional squeal and high fives.
The exhausted effort for both of the certifications was equal, (our MSB application followed our first PCI DSS Certification approval audit) lots of infrastructure shaping and policy drafting. The latter, I have to admit (and I hope my compliance peers can relate) is my playground.
Having learned from my experience, the following are tips for getting your company through a regulatory application process efficiently while setting the team up for success at the same time:
Start with the Rule Book
With nTrust going from conception into “let’s build this thing” phase we started shaping our organization around the regulatory guidelines of our governing bodies. The FINTRAC guidelines provide an outline of the Canadian legislative requirements and mandates responsibilities for a compliance regime, record keeping, client identification and suspicious report filing.
Everyone on the team must know these guidelines by heart, from Developer to Marketing Director. When we know the rules, we know our sandbox, so it's now up to us to build the castles.
Thinking of Regulatory Guidelines as a To Do List
We took each of these guidelines, listed them out like a Table of Contents and with a top down approach (or To Do List mentality) started to add policy and procedure between the lines.
We researched other companies published policies, companies that were both in and outside our industry. We saw how the same policy requirement could be expanded on or remain simply straight-forward depending on the company’s risk. This approach resulted in a management consensus on how strict or lenient we were in specific areas and the company’s appetite for risk.
This research also provided us insight into unique and creative ways to incorporate our brand and culture while formatting our policies and manuals.
Make internal manuals interesting to read, inject company history or facts, and stories behind the policies to get the reader through what can be very dry content.
Indirect Culture Builder
We were starting from scratch, while we were developing this internal compliance regime other policies like our recruitment strategy and annual general meeting structure were taking shape and slowly so was our corporate culture. Our core values of security, transparency and service were becoming stronger and more present as we documented day to day procedures.
Testing and Balance
As we drafted the customer on-boarding and identification P&P’s we consulted with Development and Experience teams to build these flows into the platform. Closed beta test runs followed to get feedback and it was a creative challenge balancing the need to capture the customer’s complete profile and their attention span while communicating trust and security. It was feedback, build, beta, feedback, build, beta... on repeat until we got it just right.
The regulatory requirements for user identification require us to capture full contact and profile information on the user. For first time user registering with a new company, like nTrust, we had to make sure the on-boarding experience answered “Why do I need to provide all this information?”
Enhancement through Partnerships
Once our platform infrastructure was in place and the supporting P&P’s were printed, bound and ready for application submission we established partnerships with leading authentication services that significantly improved our security, operational efficiencies and customer experience. We partnered with Iovation, device-based fraud protection and authentication service provides powerful tools to fight online and mobile fraud before users ever get into an account and do any damage.
Leave room for the Gaps
With all compliance application submissions you are either submitting direct to the regulator or through a third party, both ways after submission a review process will follow and a gap analysis report will be provided. This gap analysis will highlight areas that require adjustment and your team must be prepared with resource capacity to make these changes efficiently. Some regulators will outline a gap adjustment timeline others will leave it open ended, but its best to prioritize as the regulator will want to see that your organization can quickly adapt. In this industry regulations change frequently, such changes can have minimal impact or can greatly change your business.
As if getting through all of this was not a recognized accomplishment in itself. There was still the second stand out moment that summed up all these efforts.
In June 2013 a representative from FINTRAC visited the nTrust Vancouver office to conduct an audit, when we concluded the representative informed us that we should receive a “gold star” for having such an established compliance regime at such an early stage.
The audit process tested the nerves but we were confident from all we put in, and it was this single comment that was the pat on the back for the team on a job well done.
Post A Comment:
0 comments: