#43 – RegTalks with Gabriela Couto, Revolut

Transcript

Welcome to RegTalks, the podcast dedicated to the latest trends from the world of RegTech, FinTech, and financial regulations.

My name is Claus Christensen, and I’m the CEO and cofounder of award-winning RegTech provider Know Your Customer Limited.

Today, it is my great pleasure to welcome Gabriela Couto, KYB subject matter expert at Revolut as my guest. Before taking on her role as the KYB subject matter expert two years ago, she already held a bachelor and master’s degree in criminology.

Thanks for joining the podcast, Gabriela.

Thanks for having me, Claus. It’s such an honour for being here.

You hold a master’s in criminology and now specialise in corporate onboarding compliance at Revolut. I wonder how viewing our area through the lens of a criminologist influences how you design KYB controls and spot red flag behaviour in company data, for example.

So my criminology background really helps me a lot and just think beyond just taking, like, some regulatory boxes. In criminology, we learn that specifically when studying white collar crime or organisational crime, we focus a lot on the rational choice theory and the opportunity structures.

Unlike street-level crime or, as we call, conventional crime, the white collar offenders are often operating within legal frameworks, and they tend to exploit the gaps or the grey areas that they know exist.

And they are usually educated, well resourced, and they are not acting impulsively, but they are thinking and they are strategic in their crime. When I’m reviewing KYB flows or trying to help design risk factors, I learned something when I was on my bachelor’s that it’s a phrase: To catch a criminal, you must think like a criminal. I try to apply this phrase when I’m reviewing KYB.

For example, is the shareholder structure of a company unusually complex for no good reason, or are there any nominee directors popping up across multiple countries’ jurisdictions?

And regarding the shareholder structure, is it opaque for any reason or is it opaque on purpose? Something like this. And I think that having a bachelor and a master’s degree in criminology really helps me in identifying patterns, the context, and the motivation, not just focus on isolated risks. And I think that this mindset is, like, a key to build these risk based KYB frameworks that can usually help to spot red flags and not just flag anything that looks slightly different.

Very interesting. I find that idea, “to catch a criminal, you have to think like one,” very interesting in this, your answer. To me, that actually reminds me of my own insights in this area where I catch myself sometimes thinking the way these registries do or do not have certain information or not updated often enough or not verify information. Oh, here would be an opening.

If I were a criminal, I could use this. And, of course, we’re not criminals. We’re on the other side. But that thinking, absolutely, you need that.

And it also reminds me that while a lot of people might think compliance is a dry, boring area, we do have very colourful adversaries, and we’re fighting the good fight against crime, corruption, terrorism, and so on, and not just checking boxes. I find that endlessly refreshing in this job. It’s a good thing. So you also said another thing there that I found very interesting.

Different actors typically commit street level offences, and they think differently, like burglary or theft, and white collar crimes, such as corruption or money laundering. Can we go deeper into that? I think it’s really interesting. Does understanding criminal typologies shape your work today?

Yes. And this was actually one of my favourite things to discuss in college because I think it’s really important to differentiate these two types of criminals.

Because when we are talking about the typical street level offender, they are often acting out of necessity or an impulse. For example, we can think of someone committing theft due to actual economic hardship. But when we are talking about the white collar criminals, they tend to be system insiders.

They are people with access, education, and deep understanding of the system that they are abusing. Because as you mentioned previously, when we are dealing with these types of registries, we know which registries are more reliable and which ones require more information from us. So if we are thinking like a criminal, we should choose the ones that are more opaque and they don’t have public access information.

And I think that this is really important when we are talking about these specific typologies because in compliance, white collar crime is less about chaotic or violent behaviour. It’s more about control and concealment. So in KYB, I think we are more looking for deliberate misdirection.

For example, shell companies or cross border layer structures, fake invoices.

So I think that these criminal typologies and understanding these shapes how I evaluate risk today. And there is actually an interesting case that happened here in Portugal with the bank Espírito Santo and its CEO, Ricardo Salgado, that is currently still being judged because of fraud, money laundering, falsifying accounts, and market manipulation.

And he was the CEO of that banking service and hundreds of people have lost their money because of these types of crimes. And when you look at that man, this might sound a little bit not correct to say, but when you look at that man, he’s a person in society, has a really important role. So normally, you will not think of him as a criminal, but he is and he has used the knowledge that he has on the banking system and on the Portuguese framework to commit different crimes involving not only the banking, but the clients of the banking that have lost millions of euros because of that crime, not only one, but a lot of crimes that he has committed regarding this bank Espírito Santo.

So what I’m hearing is that there is even an element of social justice going on here of fighting white collar crimes just as much as we fight more ordinary ones.

Of course. I’d say that’s a good thing. But you could argue that the results of fighting corruption and money laundering have actually an even more impact because they work on the root of a problem, the flow of illicit funds, and they typically impact many more people as in this case with this bank.

Exactly.

Alright. Earlier this morning, I just made a dentist appointment for myself, and I had to smile to myself. No idea I’d ask you this question later. In a recent blog post, you compared Legacy KYB to going to the dentist—essentially, painful, especially if done manually. First, how did you come up with the metaphor?

You can see I have braces. So I really know what it’s like to have something in and to go to the dentist. And it’s so painful, like, for three days that you change the braces, it’s so painful, but it’s essential because without them, I would not have been able to correct my smile. So I actually thought of this metaphor when I was looking at small business, for example, within the KYB because sometimes we might ask for documents to this small business that they don’t even know what we are talking about. And the biggest friction points, I think, that are the lack of standardisations across jurisdictions.

Demand will document collection and verification. Like I said, the risk models that we have right now are treating the micro business the same as the multinational conglomerate. So I think that in order to prevent this and in order to facilitate the customer side of applying for a bank account, I think we need to really focus on automation and that integration.

And if we can verify a company based on their registries to verify the beneficial owners in real time, I believe that the drop off rate will go down because we are not asking so much from the user because we are accessing it on our site. And if the official registries are public, in fact, we will be able to grant this information and to obtain everything or most everything that we need without bothering the customer, sometimes asking for documents that they don’t even know what we are referring to because they just submitted the documentation to begin a business activity, and they don’t specifically know what we are asking. So I think that our main goal is to keep the good customers in while trying to filter the bad actors and try to do all of this procedure really fast to make sure that the drop off rate goes a little bit below.

Like, I will not comment on the part of connecting to registries because everybody knows that is what Know Your Customer Limited does and does well. But, yeah, generally, I do see, again, kind of an equalisation going on here. With technology, we actually have the opportunity of making it easier to be onboarded and getting financial connections, accounts, cards, loans, and so on for SMEs and new start ups just as easy as it is for the more established companies that have five years of audited accounts and have all the paperwork ready to go and have secretaries that do that. By automating, we can make it as easy for the small guys as it is already, for the more established ones.

So I, again, see if automation can be a good driver here. And automating trust at scale is really one thing. Revolut must be onboarding business customers across, I don’t know, twenty or thirty markets by now. I’ve seen you popping up everywhere.

Think Hong Kong. I have myself an Irish account here and an Italian. So yeah, it’s really available in many jurisdictions.

Not in all jurisdictions where it’s the same availability, and that’s what you said earlier about the differences, but not the same availability of corporate data points or openness indeed about beneficial owners. What are examples of the perfect or easy jurisdictions you found, and what are the difficulties and the not so good ones?

I think that you know which countries are fantastic to work with when we are referring to the registries. And UK, it’s fantastic. The same goes for Ireland. The same goes for Denmark and also the Baltics.

They’ve got open and structured registries, and you can easily pull down clear ownership, structured information through the registries, and it’s really helpful. Maybe that’s why Revolut is working so much within these specific countries because it’s so easy for them and for us to initiate and to conclude the onboarding procedure.

But there are also the less ideal ones, the ones that have complex corporate secrets or restrictions. For example, I’ve pointed here somewhat some countries, British Virgin Islands, Cayman Islands, the United Arab Emirates, specifically Dubai. As we all know, it’s a tax haven for a lot of people. The poor Luxembourg.

Some of these countries are really hard to work with because either the beneficial ownership is not disclosed or it’s buried under a lot of layers of nominee directors, off shelf structures. In these cases, we are often stuck with a lot of documents, a lot of PDF documents, a lot of manual review, analysing every document to make sure that we are not missing anything. And most of the times, we are not because the information is not there. And also, in these specific countries, we, a lot of times, need to go back to the customer to request clarification or to request more documents because the ones that they provide, they are not enough. So in this case, I think it’s not just about data availability.

It’s more about the quality, the transparency, and how easy it is to reconcile records across borders.

So I think we all should look to, like, the UK, the ones that are referred, and make the official registries so easy to work with in these countries.

It’s strange, actually, if you think about it, how diverse Europe has stayed in this regard.

Mhmm.

And with your organisation, you can directly see how that is a barrier for certain countries. We are not Mhmm. The same in Europe in anti money laundering because the regulations have evolved so locally. And, yes, it’s supposed from the AMLD4, D5 from the European community, but they are still quite different in their implementation.

And that has Yes. No. Maybe that goes better now, but we have one AML regulator in Europe. They have started now and seen, their first post in LinkedIn and so on.

Let’s see what comes out there. I have to, like, point out one jurisdiction. Actually, one jurisdiction, I will correct you there. I would say Singapore is actually one of the more open ones, albeit probably a lot of structures do have topcoats that are in the more secretive BVI or Cayman.

Mhmm. Yes.

In Asian structures for, not so much for reasons of tax friendliness or so, but it’s for ease of use for international investors and so on that shy away from these jurisdictions sometimes. I’ve seen that in entrepreneur friends’ rounds where they say, oh, yeah. I have the BVI topcoats because I want American investors, and they don’t invest in, let’s say, Hong Kong. That thing happens there. Very interesting.

Looking ahead from here, basically, what’s happening in technology right now. I mean, it’s so quick at the moment. It’s like every week there’s some new development. What new developments are you thinking about for the next, let’s say, three, four, five years? Will AI agents, open registries or digital identities finally make KYB totally painless and not like a dentist visit? What are you most excited about and what keeps you awake at night?

I think that I’m most excited about, as you said, the AI agents that can actually do contextual analysis across the documents that will save us a lot of time that we can further use for more complex structures and more complex analysis of more difficult jurisdictions.

My dream is honestly open registries with verified and relatable data, honestly. And also, as you say, the digital identities for directors and beneficial owners. I think that these all could make the onboarding more intuitive, but it would only work if there is global cooperation and data trust.

However, I think that some things that might keep me up at night might be the overall alliance on artificial intelligence. I think that we really need to be cautious within the use of AI because we might be using it too much and forget about our compliance points. I think that even though we are now more near that we have been regarding the standards for compliance. I think that within five years, the fragmented global standards will still be an issue because even though in Europe, we are all figuring it out and try to make a compact regulation, compliance does not only work in Europe. So I think that this still might be an issue in five years. And, also, if we are using AI to implement new procedure to help us work more pragmatically.

The bad actors will still be using AI. So they will be using AI for different reasons than us for creating fake profiles, fake documents, even fake selfies.

So I think we need to really think to brainstorm a lot of ideas to make sure that the AI will not only be having a negative impact within the future for compliance. We need to make sure to create legislation within all jurisdictions.

I don’t know how, but we need to in order to prevent criminals from becoming even more difficult to track.

I doubt that we can keep them away from AI.

They will even Exactly.

Absolutely.

It is a force. Like, what many of the easiest ways of catching corporate structures was just that the layering was done not very intelligently. You could tell that reuse structures and there are the same directors and that sort of thing. With AI, you can generate complete sets of twenty nine different companies that are much more complex and over different jurisdictions, and they have all the right people in it.

Yes. So fake passports and fake selfies and all that to perfection. And then the easiest ways of catching invoice fraud that these invoices were just lazily done. It’s like one amount only, and then the prices wouldn’t match in normal prices out there and all that.

That’s not going to happen anymore. They will all be perfect. So, certainly, the criminals will use it. And so on on our end, we do need to do that too.

I do believe that the underlying data that we can trust is even more important in AI worlds. We’ve used AI as well to check out, know your customer ourselves and, said, you are an experienced anti money laundering officer in a large bank. Now please look at this company, our own, and tell me who are the beneficial owners. And, yes, my name was there, but also Jane Doe.

Jane Doe doesn’t exist and does not have shares in our company. It made it up. That sort of thing does happen, obviously, but it’s rapidly developing that field, and I think we can find wonderful usages. What you mentioned earlier was about the document processing.

Lots of corporate documents are currently not forms. They are free form legal documents, the articles of association, and that sort of thing that contain important information for the onboarding process.

And that is now suddenly data. That is now possible to process. And I think that’s an amazing idea that we run these free text documents through an automated analysis and ask the AI, do these articles of association contain any special rights for a third person except the shareholders and directors there? Does anybody else have influence?

Do these directors sign individually or only together for loans? All these questions can now automatically be answered. Amazing. Technology will open those as well.

Yeah. Both sides, it is probably a bit of an arms race. Now I have one question that I ask everybody, Gabriela, and that is the one, if you woke up tomorrow as the world’s financial crime regulator, what rule or industry standard would you introduce first to make KYB more effective and less burdensome and why?

I am actually so glad that I have time to think about this answer because if it was immediate, I would not be able to come up with this. But I think I would try to push for a global standard in regards to the beneficial ownership disclosure.

Some real enforced transparency only with one format as you stated. With having a format and not free format, one definition of control, one reporting requirement regardless of the jurisdictions.

Because right now, the bad actors just hook between the weak links. Like, some jurisdictions have less rules, and they tend to go to those jurisdictions.

So I know it’s a lot to ask, but if we have consistent rules and interoperable data, I think it would massively reduce the complexity rules country. There is no weak rules country that they can go for because all of them have the same requirements.

And I think this would be good because us, the good actors, would not be drowning in paperwork and trying to understand dozens of different jurisdictions, articles of association, in case we get of incorporation, while the bad actors, the criminals, would slip through the cracks and would not be able to do what they are doing right now. Because right now, it might it’s a lot easier than if in this dream world we have a global standard.

It is a dream world. Unfortunately, I do have the power to make you the global regulator. I’d pause for you, though. Really good point. I agree, unified rules and unified format would be an absolute dream.

Not going to happen in the next five years when we know that.

We’ll have to live with a slightly messy world with different rules, with different legal traditions, and different motivations.

And, honestly, looking at the world today, there’s less of a drive for unification than in the last ten years or so, I’d say. So we might be stuck with the situation for even longer.

But then again, we’re all pros, and we have our tools, and we get the job.

Yes. At least we are used to it, so it’s fine.

Gabriela, this has been really cool. Love your angle from the criminologist’s view on all that.

Thank you.

And thanks for coming on and all the best with your career at Revolut.

Thanks for having me, Claus. And same to you. I hope you’ll continue to succeed.

Going well at these days. Thank you.

Thank you.

If you liked this episode, please subscribe to the series and leave us a review.

If you’d like to connect with us, suggest a guest or a topic for an upcoming episode, please send us a message at info@knowyourcustomer.com or visit knowyourcustomer.com/regtalks.