From banking to crypto compliance—advice from Rebecca Macieira-Kaufmann
Rebecca Macieira-Kaufmann is an accomplished CEO with an unblemished track record of achievement. Her extensive experience as a financial services leader in sales & marketing, risk management, and international business operations, combined with her record of leading highly successful business turnarounds, has resulted in the effective scaling of new businesses and the global expansion of existing operations for Fortune-50 financial services organizations.
Throughout her distinguished 30+ year career, which includes 11 years at Citigroup, Banamex, Wells Fargo, and Revolut, Rebecca Macieira-Kaufmann has served as a business leader for financial institutions, assisting them in growing while adhering to requirements around complex regulatory obligations and large cross-border trade.
She sits down with Notabene to share how crypto business leaders should approach compliance, including setting up their defense lines, balancing business opportunities with compliance, and performing a reverse root cause analysis to prepare for hypothetical worst-case scenarios. Rebecca currently serves as an advisor to Notabene.
1. Please tell us about yourself and your journey into banking and the financial services space.
Like all journeys, they’re often meandering. I never imagined myself in banking. I went to business school to become an entrepreneur. I studied international business and worked in Hong Kong and London. After failing to get a job in manufacturing, I ended up in consulting, which is like a Ph.D. in business strategy.
Interestingly, the firm I ended up with had a lot of financial services clients. I was able to see the inside of building societies and the British financial services space. I was intrigued. Later in France, in the insurance space, I learned that financial services are not only fascinating but incredibly complicated. This kept me interested.
Upon my return to the United States, I wanted to be a product manager because I think that’s one of the best ways to learn how to run a business and manage a P&L (Profit & Loss line of business). The areas hopping at the time were technology in Silicon Valley and banking in San Francisco. I ended up in a banking role in San Francisco.
2. When was the first time you had to deal with AML compliance as an executive leader?
Being in the finance space, I encountered AML compliance pretty early in my career. The institution I was with at that time had a matter requiring attention (MRA), which was the first time I had to solve an MRA. An MRA is when a regulator examines your company and tells you that a matter requires your attention immediately. If the issue is not addressed and resolved, it will potentially become a consent order.
I learned to step back and dig deep to understand complex issues and solve them with a team. We set out to solve this issue as a team for the long term. We gathered people from operations, legal, compliance, and customer service, designed a framework, and subsequently implemented it. We got out of that MRA probably faster than any other MRA.
3. How do you design a balance between business opportunities and compliance?
You design a balance between business opportunities and compliance by creating your products within a legal and regulatory environment from day one. In the 30+ years of working in financial services, we often thought in lines of defense: first, second, third, fourth, and so on.
Financial service lines of defense:
- The Business team
When designing a new product, I want the Chief Compliance Officer and/or General Counsel members at the table with Product Design. Aim to solve for 99% of risk here.
- The Compliance team
The compliance team should test the products and processes’ edges. Where could the fraud happen? Where could things fall apart?
- Internal/External auditors
Internal auditors should run risk-based internal audits on a 12-24 month plan. Particularly high-risk events should be audited in 12-month increments, whereas the lowest risk areas could stand to get audited every 24 months. Your compliance team should have the same plan. Note that smaller firms typically rely on external auditors.
Regulators are four levels away for a reason. Risk areas should be accounted for before they reach this level. You don’t want someone four levels away telling you about your risk areas during an examination.
Another first-line area where I often learned about risk was client complaints. Clients tell you what isn’t working. Reading client complaints should be a C-suite activity.
4. How did you approach budget and resource allocation for the compliance function?
My approach would be one of stepping away from the view of “business opportunity versus compliance” and into the mindset of “compliance by design.”
First, you’ll need enough capacity to set up and invest in training your front line of defense: the product developers, the technology development team, and the customer service team. They should understand their role in the lines of defense.
When designing a new product, I want the Chief Compliance Officer and/or General Counsel members at the table with product design. A good Chief Compliance Officer knows the regulations and the rules in your industry and can inform you of the trade-offs: how many people they need in-house and what you would bring in from the outside. If your company has a reputation for giving compliance a seat at the table, you’ll attract great Chief Compliance Officers. This framework attracts better talent and costs companies less in the long run.
5. Were you surprised how much of your role covered compliance?
Yes, and no. Pre-2008, the financial services industry always thought we were doing things the right way. We had an embedded culture of excellent execution. Post-2008, increased scrutiny seeped into every department. After the financial crash, I noticed a shift in the industry that spilled over from the compliance/audit department and affected each department.
The fascinating thing about shifts is that we aren't usually witnessing the exact issue we should be concerned about; that knowledge is usually hindsight. What initially had roots in the mortgage space ended up affecting the entire finance industry.
There’s a similar shift happening in the crypto industry right now–for different reasons, of course. Currently, there’s a global regulatory shift, where people have to figure out how to deal with compliance for new asset classes and payment methods.
It’s difficult to remain ahead of the risks that come with the shift the crypto industry is in right now: AML rules, KYC, the Travel Rule, and understanding the originator and the beneficiary are critical frameworks currently requiring focus. What are the unidentified elements? What will pose the next tectonic shift? Embedding a culture of compliance will help prepare your firm for unexpected issues.
6. When should a CEO of a new and up-and-coming crypto company prioritize compliance, and how should they attack it?
Most business leaders of crypto institutions today are faced with significant regulatory burdens when it comes to AML/CFT processes, with requirements like the Travel Rule, or they face shutdown. They are currently building up their compliance teams and introducing new methods to manage risk.
Business leads must weigh income probabilities to make compliance spending and business opportunity trade-off decisions daily under looming uncertainty. To keep the team and investors motivated and engaged with the company’s long-term health at all times, balance a certain number of short-term wins as part of the equation with the end goal, which is often a public exit or a merger.
It’s a balancing act of saying, “We need enough short-term wins that are happening at some level of frequency to motivate the team, with a strong focus on achieving the long-term goal.” Constantly building up that compliance muscle strength along the way gives a competitive advantage.
7. Let’s imagine a worst-case scenario where a local regulator fines an up-and-coming crypto company two years from now. How can they work back from that?
I’d recommend performing a reverse root cause analysis as early as possible. A premortem tabletop exercise is one of the many tools to combat a worst-case scenario preemptively.
Comparable to a business continuity plan, you envision that the hurricane has happened and strategize around what to do going forward. You can do the same thing for regulatory actions; you can say, “The event has happened, and now we’re being fined for XYZ violation.” Launch yourself into the future and ask:
- What did we learn?
- What went wrong?
- What do we do when an event occurs?
- What is our media strategy and external communication plan?
- What is our internal communications plan?
8. Any parting thoughts or general advice to business leaders in the crypto space?
Know your regulator.
A good exercise is to go through each crypto regulator and determine what risk they are trying to mitigate. For instance, the FDIC is one of the critical regulators trying to protect customer deposits in banking. Understand the motivation behind the SEC, CFTC, or the OCC’s regulations. If regulators are trying to stop human trafficking funding or terrorist financing, wouldn’t it be best to side with them? No CEO wants their platform to be tied to facilitating human trafficking. Reputation is priceless.