Risk and Business process management for Neobanks

From regulatory halt to business continuity: How a Neobank managed to overcome a regulatory setback

A major player in the fintech industry recently made the headlines by being urged by a local regulator to address its significant compliance and security flaws that led to severe breaches of anti-money laundering (AML) and terrorism financing laws. As a result, the neobank faced significant fines and was placed under supervision, dealing a critical blow to its reputation. Its operations were restricted in some markets, and its development plans were curtailed until all its issues were resolved.

The regulator raised significant concerns about the neobank’s lack of process documentation, which is a regulatory requirement for financial institutions. This absence of documentation left the institution in complete darkness regarding understanding how its operations were structured and carried out. Consequently, the neobank faced an increasing number of support cases, and fraudulent activities failed to be reported on time to regulators.

Uncover Compliance Challenges with Documented Processes

The company's rapid growth had led to a lack of formal documentation for processes, causing them to be scattered and disorganized. Additionally, the absence of a second line of defense, which includes risk management, internal controls, and compliance measures, exacerbated the problem and resulted in significant compliance and control failures.

This situation underscored the inherent risks associated with attempting to identify compliance issues, particularly those related to fraud, in the absence of a comprehensive understanding of the organization’s operational structure and processes. The lack of a dedicated compliance department further exacerbated these challenges.

It was evident that decisive steps were necessary, and for the neobank, these steps manifested in the implementation of a digital solution.

The neobank started looking for a tool that could assist in designing, documenting, and maintaining its business processes in a shared repository that could depict an accurate and up-to-date view of its operations. Additionally, the tool had to support the real-time management of risks, compliance, and audits across all business processes and IT assets to improve risk identification and management.

Achieving compliance through three key steps

The neobank opted for the MEGA HOPEX platform to streamline the documentation and management of all its processes, enhancing the efficiency of its risk and compliance management.

MEGA HOPEX uniquely combines Business Process Modeling and Governance, Risk, and Compliance (GRC) within a single platform, empowering organizations to adopt a Compliance-by-design approach. This facilitates a more granular management of risks by directly embedding controls within business processes, all while ensuring complete transparency for regulatory authorities.

To ease the implementation of MEGA HOPEX, a phased approach was adopted based on industry best practices. This approach primarily involved the inventory and documentation of core business processes, followed by the management of risks (Compliance, operational, IT, etc.) that could impact those processes. Finally, the continuous assessments and regular audits helped reinforce the compliance framework further. This approach allowed the neobank to achieve a smooth tool implementation and mature its process methodology and GRC practice as the project unfolded.

This approach required strong cross-functional cooperation between the process and GRC teams and was sequenced accordingly to minimize disruption to day-to-day business activities:

• Phase 1: Identification and documentation of business processes. By leveraging HOPEX Business Process Analysis, the neobank conducted a comprehensive survey to inventory and then model the numerous processes utilized within the organization. This approach provided a clear understanding of the architectural structure of the neobank’s operations.
• Phase 2: Risk management. Building upon the comprehensive process documentation effort achieved in Phase 1 and leveraging the integrated GRC module within the tool, the newly appointed risk and compliance team was able to identify key risks directly on the processes’ models. This approach enabled them to promptly identify potential compliance risks, subsequently facilitating the design and implementation of the necessary mitigation controls.
• Phase 3: Internal audit. Ultimately, the compliance framework developed in Phases 1 and 2 was further tested and validated by the Internal Audit department using HOPEX Internal Audit Management module to enhance the overall operations and strengthen compliance within the organization.

A centralized platform for outstanding benefits

As a result of implementing MEGA HOPEX, the neobank now enjoys the advantages of a centralized platform serving as the authoritative source for process and compliance data. This implementation has yielded numerous benefits:

1. Regulatory compliance:The neobank clearly understands its processes and has established a robust compliance framework that addresses the complexity of financial regulations.
2. Building trust:The neobank has successfully rebuilt trust and credibility with regulators and customers by implementing transparent processes and maintaining clear and diligent communication around risk issues. As a result, the bank has been able to resume development plans that were previously halted.
3. Cybersecurity: By mapping its risks and controls to its IT assets, the neobank has strengthened the security and legality of its digital assets. This, in turn, protects customer data, prevents fraud, and maintains customer trust.
4. Technology:Through the mapping of its IT applications within the solution, the neobank can enhance the effective management of technology lifecycles, mitigate technology risk, and monitor technology obsolescence to support and develop its digital-only business model. This has also strategically positioned the neobank to seamlessly align with the forthcoming European DORA (Digital Operational Resiliency Act) regulation.

MEGA HOPEX has brought significant benefits to the neobank. The solution helped improve its regulatory compliance, resume operations in previously restricted areas, and build trust and credibility. This also helped the neobank strengthen its cybersecurity and improve its technology management capabilities.

Neobanks, despite their tech-savvy origins, share regulatory obligations with traditional banks to ensure the safety and stability of the financial system. The HOPEX Platform serves as a potent tool for managing regulatory complexity, helping neobanks in ensuring robust compliance.

Solutions

• HOPEX Business Process Analysis
• HOPEX Governance Risk and Compliance
• HOPEX Internal Audit Management
• HOPEX Platform
• MEGA Services Team