For startups product development, financing and other aspects often push FinTech Compliance down on the list of priorities – this can have severe consequences as the N26 case shows.
Two sides of the coin
Last week, N26 announced that it had crossed the mark of 3.5 million customersin 24 European markets who execute 16 million transactions per month, which equals around 400 transactions per minute, with a volume of over € 2bn per month.
It is another milestone on a remarkable journey full of achievements for a startup that six years ago set out to build a digital bank for the digital age. It employs more than 1,300 people and has raised hundreds of millions of dollars from well-known investors like Allianz X, Tencent Holdings Limited, Earlybird Venture Capital or Insight Venture Partners.
Another interesting piece of news was the announcement from German regulator BaFin a few weeks ago that marked the final step of an investigation into the compliance framework of the digital bank.
In October 2018, the financial watchdog spoke about the suspicion that customers with fake ID cards had managed to open accounts at N26. BaFin announced that several people with ID cards that were immediately identifiable as counterfeits were able to circumvent the checks that were based on the authenticity of their customers’ ID cards only by means of a photo identification procedure. By doing so, the user only had to send a photo of his ID card and himself to the bank via an app. This process, as BaFin explained, cannot check most of the important security features of an ID card and as such does not comply with the requirements of the German Money Laundering Act.
What followed was an in-depth audit of the bank’s procedures and controls. In a statement published in April this year, one of the bank’s two founders, Valentin Staff, stressed N26’s compliance efforts and the firm’s close working relationship with the authorities:
“As all licensed banks, N26 is subject to regular internal and external independent audits, including those by the German financial regulatory body BaFiN. Like all German banks, we are under BaFins supervision and have a very close working relationship with them. Regular audits are therefore business as usual for a bank. It is normal that during such an audit regulators identify points of improvement. We take the findings of every audit very serious and address areas of improvement as quickly as possible.”
While it is true that all banks are subject to regular audits, but given the shortcomings at N26, this wasn’t a normal audit that was conducted because it was simply time for another periodical checkup. The seriousness of the situation was highlighted by the very public censure that followed in May.
The regulator’s response
In BaFin’s Order on the prevention of money laundering and terrorist financing, the regulator commanded the digital bank to take appropriate internal safety measures and to comply with general Customer Due Diligenceobligations.In detail this meant that N26 must process backlogs in the IT monitoring, write down process descriptions and workflows, and reassign a predefined number of existing customers has identified. These measures must be implemented within a specified period. Furthermore, N26 also has to ensure adequate personnel and technical-organizational equipment to comply with its money laundering obligations and all of this has to happen by a not particularly specified date, which is certain to be in the not all too distant though.
Just to put this into perspective: while regulators regularly make the findings of their investigations public, it is not the rule to highlight the failings openly of a supervised firm if it only had been the first or minor misstep.
N26’s shortcomings therefore must have been substantial as the case of the identity verification showed, leading to a significant risk for its money laundering controls and fraud prevention.
Please call back later
Prior to the audit, stories circulated of customers that had been defrauded of their savings and could not even reach the bank’s support as N26 supposedly had switched off its hotline and experienced interruptions in its chat function, too. It is a perfect example of how to endanger the reputation of a firm and why customer satisfaction has to be at the centre of FinTech innovation. In one case, a customer had apparently lost €80,000 and could get hold of anyone at N26, while his business was on the brink of collapse. It was one in a series of phishing attacks and has forced N26 to publish a press release responding to the accusations that it was slow if at all to respond to the threat of cybercrime. Other financial institutions complained as well about the lack of availability as several banks reported that in order to stop suspicious activity they had reached out repeatedly, but found that N26 could not be reached or acted in various too slow to prevent the fraudulent activity.
Unfortunately, regulatory compliance is often not one of the priorities of FinTech startups that struggle to juggle building a product before running out of money though it is important to understand compliance as a strategic function to the company.N26 has survived this scare just as traditional organisations have managed to overcome regulatory setbacks. The list of AML and KYC deficiencies is long and regularly sees new additions. However, mistakes like this can easily mean the end of a promising startup story. So attending properly to the regulatory obligations is equally important as financing and product development.