FinologeeENPAY alleviates payment process-related regulatory challenges of financial industry professionals
What do banks, insurance companies and fund industry professionals need to consider in light of outsourcing requirements and IT security risks when enhancing and automating their payment processes and technical infrastructure to access their bank accounts? How can AML/CFT and fraud prevention obligations, as well as accounts reconciliation and reporting requirements, be met?
Enterprise Payments (ENPAY), Finologee’s new professional payments and multi-bank account access management platform, is designed to enable financial industry and institutional players to enhance their payments processes. Beyond operational efficiency and true to Finologee’s identity as a RegTech and a regulated Professional of the Financial Sector (PFS), ENPAY has been developed with regulatory compliance at its core all the way from the choice to use ENPAY, to the execution of payments, to accounts reconciliation and reporting obligations after the payment process. In this article, we will outline these steps in detail and point towards the respective compliance aspects that are particularly important for regulated entities.
Find out how ENPAY can provide secure and reliable answers in a largely “tick the box” approach to compliance – in 3 steps:
STEP 1: Choosing ENPAY – Meeting ICT outsourcing and security obligations
- Compliant outsourcing in line with CAA and CSFF expectations
Feedback from our regulated clients is that one of the key legal challenges in selecting an external provider (especially one that will assist with sensitive business processes such as payments flows) is to ensure full compliance with the wide array of regulatory obligations relating to outsourcing. ENPAY and the underlying platform on which it relies aim to facilitate the outsourcing compliance process in several ways:
- ENPAY is designed to provide the technical tools to support clients with their payments processes whilst enabling them to retain control and flexibility over process specifications (e.g. payments validation requirements, authentication and signature mechanisms, etc.). This should facilitate compliance with regulatory principles limiting the ability to outsource core functions and requiring regulated entities to retain control over business processes.
- The terms and conditions applicable to ENPAY meet Luxembourg and EU outsourcing requirements, notably: Circular CSSF 12/552 on Central Administration, Internal Governance and Risk Management; the EBA Guidelines on Outsourcing Arrangements; the Law of 7 December 2015 on the insurance sector and Article 274 of Commission Delegated Regulation (EU) 2015/35 of October 2015 supplementing the Solvency II.
Did you know? As a Support PFS subject to CSSF supervision, Finologee is itself subject to equivalent outsourcing obligations (notably through Circular CSSF 17/656 which mirrors banks’ outsourcing obligations in Circular CSSF 12/552), ensuring that regulatory requirements are met throughout the outsourcing chain.
Finologee is also subject to identical professional secrecy obligations as financial institutions and insurance companies pursuant to article 41 of the law of 5 April 1993 on the Financial Sector.
- ENPAY is hosted in Luxembourg with EBRC, which is also a Support PFS. EBRC is the number one player in Luxembourg market in its field and has a redundant setup with three certified Tier IV data centers. It operates back-to-back with Finologee’s ISO27001 and SLA commitments, providing Finologee with a dedicated platform designed to be fully compliant with IT outsourcing requirements imposed on Finologee pursuant to Circular CSSF 17/656.
2. Bank-grade ICT and security risk management
Information and communication technology (ICT) and security risk management obligations, including in respect of the use of suppliers, have also multiplied in recent years, notably with the publication by the CSSF of Circular CSSF 20/750 on Requirements regarding information and communication technology (ICT) and security risk management in August 2020. This trend is likely to continue, with the approaching implementation of the Digital Operational Resilience Act, known as “DORA”, which will create a harmonised framework of rules that all institutions supervised by either the EBA, the EIOPA or ESMA will need to follow relating to operational resilience.
Finologee aims to enable regulated players to apply a largely “tick the box” approach to compliance with these obligations when selecting it as their ICT outsourcing provider:
- As a Support PFS, Finologee is also directly subject to the obligations of CSSF 20/750 (which applies to all entities within the CSSF’s perimeter of supervision). In addition, it applies state-of-the-art security standards and is ISO/IEC 27001 certified. These elements guarantee bank-grade compliance with ICT and security risk management obligations, which in practical terms, greatly facilitates assessment and monitoring for our clients since there is a strong parallel between our respective security commitments.
- ENPAY relies on professional channels such as SWIFT, the world’s leading provider of secure financial messaging services, to interact with account banks to ensure best-in-class security standards in the transmission of data. Since SWIFT is a professional network made up of financial institutions and assimilated entities, Finologee’s eligibility to participate stems from the fact that it is a regulated entity which satisfactorily meets SWIFT’s membership criterion. Finologee is subject to regular audits from SWIFT to ensure that its SWIFT-related infrastructure continuously meets SWIFT’s security criteria.
Finologee’s expertise has been recognised by the Luxembourg IT community by awarding Finologee “ICT Outsourcing Services Provider of the Year” at the 15th edition of Gala IT One.
STEP 2 – Carrying out payments – Facilitating compliance with risk management obligations
1. Fraud prevention
For regulated companies, ensuring that there are robust accounting processes in place is part of the central administration requirements set out in applicable texts (notably: Circular CSSF 12/552, the Law of 5 April 1993 on the Financial Sector, and the Law of 7 December 2015 on the Insurance Sector).
A strong focus of these requirements is on the “integrity” of the accounting organisation. The CSSF, for instance, specifies in Circular 12/552 that accounting procedures must be defined and implemented to “ensure compliance with the principle of integrity to avoid, in particular, that the accounting system is used for fraudulent purposes” (Section 220.127.116.11. on the financial and accounting function).
International audit norms used by external auditors for reviewing regulated companies’ accounts also include detailed obligations relating to fraud detection in financial statements (see particularly ISA 240). This includes the misappropriation of assets, often through employee fraud (e.g. embezzling receipts of causing the entity to pay for fictitious goods/services). The ISA 240 norms recognise that misappropriation of assets may occur due to inadequate internal control, including an “inadequate system of authorisation and approval of transactions”. This means that financial institutions and insurance companies have not only an operational incentive, but also a legal obligation, to ensure that the risk of fraud in their accounts is well managed.
ENPAY may help by enabling companies to implement sophisticated order validation workflows involving different departments (for example, requiring sign off from the compliance department for all payments over a certain amount). The rules underlying the workflows are fully customisable to reflect clients’ internal policies and processes and can also easily evolve over time along with changes in regulation or the level of risk.
Integrity is ensured by relying on secure authentication and signature mechanisms, using LuxTrust, FinologeeAuthenticator or relying on a client’s own stack.
To find out more about FinologeeAuthenticator, Finologee’s own Authenticator mobile App relying on INCERT-issued certificates, click here.
In addition, ENPAY keeps a detailed record of user profiles so that permissions granted to an employee/member of management at any given time are easily visible. This may also be used to streamline responses to queries from auditors/regulators, as it is for instance possible to export a list of authorised users and provide it directly to the requesting party (e.g. an auditor).
2. Counterparties management & AML/CFT requirements:
Another important aspect of payment workflows is the management of counterparties and in particular, the handling of money laundering and terrorism financing risks. CAA Regulation 20/03 and CSSF Regulation 12-02 (as amended by CSSF Regulation 20-05), in this respect, both make it clear that the audit of annual accounts of insurance companies by the approved statutory auditor should include the compliance with AML/CFT requirements.
ENPAY is a powerful tool to increase AML/CFT compliance in counterparties and transaction management, by:
- Ensuring that payments are made only to pre-approved beneficiaries saved in the ENPAY interface with automated controls on each transaction/counterparty creation or modification (applying an adequate validation workflow and checks against any blacklisted IBANs);
- Enabling bidimensional visibility on the relationship with any given counterparty, by being able to view both outgoing and incoming payments in a consolidated view;
- Setting up automated checks set up to verify that payments are systematically being made to, and coming in from, the same account initially associated to a counterparty;
- Creating payment thresholds and differing validation processes based on criteria such as AML/CFT risk of a given type of transaction or counterparty.
Future evolutions of ENPAY will be linked to Finologee’s KYC Manager platform so that, for instance, a risk-level change in KYC Manager will trigger a corresponding change of rules in ENPAY (e.g. maximum payment amount authorised). This integration will further increase the levels of compliance management reliability and efficiency.
STEP 3 – After the payment: accounts reconciliation and reporting obligations
In close connection with reducing of the risk of fraud, it is also important for companies to have an accurate, real-time overview of outgoing and incoming payments. This is not only an operational necessity, but also required to comply with accounting obligations (e.g. to reconciliate accounts and accounting entries) as well as with reporting and audit obligations.
Such reporting and audit obligations include, of course, the preparation of annual accounts and their review both internally and by an external auditor. Through ENPAY, Investment firms or insurance companies for instance that are subject to the Capital Requirements Regulation (575/2013) and Solvency II (Directive 2009/138/EC), can rely on consistent source data including visibility on underlying flows which is essential in this context, given the careful financial management and analysis required to comply with the obligations stemming from these texts.
ENPAY, through its multi-bank connectivity, allows all payment information to be available on a single platform, whilst ensuring the integrity of the displayed information through robust processes. The platform can be used to export audit logs (through embedded export pdf functionalities) and generate time-stamped consolidated statements (using electronically signed/e-sealed documents). These reporting functionalities can be customised: For example, it is possible to filter reporting by counterparty in order to obtain a bidimensional counterparty view of outgoing and incoming payments, which can save precious time in accounting processes. ENPAY also integrates sophisticated reporting and analytics including in-detail insights on transactions.
These features, which provide real-time qualitative data that is easy to exploit, may thus be particularly helpful with information reconciliation in the context of internal and external control missions and in preparing financial reporting. The consolidated reporting and data export functions can also be used to streamline responses to audit requests.