How Intuit Scales Compliance Operations
Unit21’s CEO and Co-Founder, Trisha Kothari, recently hosted a webinar all about how Intuit scales their compliance operations with Rob DeCampos, Intuit’s Head of BSA/AML.
Together, they explore how relationships, experimentation, and data are key components to building a world-class compliance team.
Trisha Kothari:
Hello, and good morning, afternoon, and evening to a global audience. I'm Trisha, the CEO, and co-founder at Unit21. Thank you all for joining today's webinar on how Rob DeCampos, Head of BSA/AML at Intuit, scales compliance operations.
We would like to share a disclaimer that we are working with Intuit. However, before we dive in, for folks less familiar with Unit21, Unit21 is a set of no-code tools for risk and compliance operations teams, focused on transaction monitoring for fraud and AML case management and suspicious activity report filing and identity verification. We founded Unit21 in December of 2018 and are fortunate to work with companies like Intuit, Chime, Twitter, and Crypto.com.
We're excited to have this platform to discuss this new world and exchange learnings and best practices. We are very excited to interview one of our first customers, Rob DeCampos, from Intuit. I let Rob tell us more.
Rob DeCampos:
Thanks, Trisha. I appreciate that. Good morning. Good afternoon. Good evening, as Tricia said. I am Rob DeCampos - just in case you're curious, the background of my name is Portuguese or Brazilian. I was born in Brazil and immigrated to the states at a very young age.
Currently, I serve as the bank secrecy act officer in AML, the officer designated for Intuit, enterprise-wide over all our domestic and international products. I also cover our relationships from a card brand perspective, specifically around merchant acquisition and our responsibilities with Nacha clearinghouse rules. So, depending on who or what the product is and who the regulators and partners are, and so forth, I interface with multiple parts of the business, both on the consumer and business side.
I've been with the company for almost six years, a little bit over five and a half. I'll talk a little bit as we kind of go down in the questions about my previous experiences with PayPal and AMEX. Still, actually, I went to law school and followed the traditional legal path for a while before converting into the compliance field.
Trisha:
Thank you for sharing that, Rob, but really excited to dive more and share your knowledge with listeners worldwide. So without further ado, let's get started.
Rob, so you've been at Intuit for six years. What has been your journey? How did you get here? Tell us more about your story.
Rob:
Yeah, there are several ways to describe it, but it's been crazy fun, to be frank. I so happened to start my career at Amex at a point in time when they were really kind of resetting the bar in terms of their particular program and what they were, what they wanted to do in that space from an AML perspective.
And that was probably the best foundation and education I could ever have, meaning that they were very inspired to be a gold standard and to make sure that really kind of every space was being filled and nothing fell through the cracks in that particular program. So, this education was my foundation in terms of learning how to really do a proper SAR investigation, the things that you should really look at, how you should really analyze what is occurring in those spaces, for example.
And in that sense, it kind of gave me that foundation and that appreciation as I looked peripherally at what other institutions and other providers were doing and began asking questions like, “Why aren't they doing the same things? Why aren't they doing it the same way? What's driving that motivation and that decision? Is that negligent, or is there something else going on that I'm not aware of?”
And so that naturally sparked my curiosity, and I ended up moving to PayPal after about a year and a half, almost two years at Amex. And my intuitions were fairly correct in that they were different, and there was a reason - a motivation behind why they were different and what they were doing about it, but also too, there turned out to be a fluidity to how that risk is sitting and what's the constant change and where data comes in and how you analyze your risk assessments and how dynamic they should be in need to be in order to grow and scale with the business.
And then finally this journey with Intuit has been even more diverse because where you have the benefit of the platforms like with financial institutional organics or a large money service business, practically bank almost now like PayPal to an Intuit, Intuit is a FinTech company first, a software company first, and there's a myriad of different products, both one consumer and a business perspective.
And so, quite naturally, I can't apply a “one size fits all'' technique as a result. And that makes my job frenetic from time to time, but also super fun and engaging, meaning that there's always a new puzzle to solve every day and things are constantly changing in that regard, but in a good way in terms of how it's balanced.
So I think where Intuit in my journey kind of ends, is that a point where I didn't have the intent of being the BSA officer for the enterprise, I was brought in specifically to facilitate specific relationships on products that Intuit wanted to build that facilitated money movement.
And they needed a guy that could speak some languages in terms of like, “Hey, can you speak to the bank and make them feel all warm and fuzzy about a program that we want to do? And can you speak to a regulator and do the same thing?” And I found my calling in that regard because I am able to really put things in an altitude and on a level that regulators and partners and oversight people would understand and the board as well, and then make them feel good and that then translated into, “Hey, we want to do more of these products, Rob, help us do that.”
And then we started thinking about, “Hey, that's great. So let's talk about how do we organize or how do we set ourselves up from an AML/BSA office perspective to make sure that when a regulator is outside looking in or anyone else that's evaluating programs, we can say that we, we are in fact abiding by all the pillars that are necessary to have a compliant BSA AML program, but at the same time building in that kind of agility, to be able to kind of move from product to product, to product, to product and apply the best techniques from a risk-based perspective that are going to best serve the business and our customers.”
Trisha:
It's a really fascinating journey from Amex, PayPal, and Intuit. You mentioned a really interesting thing that a “one size fits all” approach just does not work because it is very intuitive, so complex and has so many different products, and you're constantly doing new things. I'm curious, how do you work with regulators? Intuit also works with Chase behind the scenes. How do you really think of that entire ecosystem of a sponsor bank, the FinTech, and the regulator?
Rob:
That's a good question. So the way we quantify this is that when you're first evaluating how you want to set that structure up, or what you want it to do, the first thing to understand is what the customer problem is and what the customers don't have access to right now that they're going to other parts of the market right now to try to obtain. And what is their proposal to entice customers to remain with us for these other offerings that we're going to bring into play? And so I listen really for the first part instead of saying, “Hey, we, we need to put this under a money transmission license, or let's find a strategic partner to do this.”
It's important to listen to what the actual customer problem is and how the business is thinking about solving it. Once I have that data, it's easier for me to see the picture and then provide options back to the business and say, “Look, here's what we can do in terms of X, if you want to do 100% of the things that you want this product to be able to do for the customer, I have good news, and I have bad news. The good news is we can do it.
The bad news is that we would definitely have to put it under the money transmission license, which means that we would have to build further controls and infrastructure into place to make sure that we can meet that regulatory standard. Once we offer that product accordingly and it's going to cause increased scrutiny or the sacrifice might be well, here's the deal we can do, maybe about 60% or 70% of those, those things that you want to do, but we can do that by getting into a strategic partnership and they're going to bear that responsibility or that responsibility or burden from a regulatory perspective directly.”
“However, let's be careful because if the banks or the partners we partner with on this product are smart, they're going to drive down obligations to help them meet those regulatory obligations around BSA, AML, and other requirements,” which is good and bad in a sense.
It's expected, but there is more flexibility in those conversations with your partners in terms of who bears that responsibility, who should do the KYC, how should it be validated, etc.
And so these are actually very interesting conversations, and sometimes there's a variance, right? So there's a lot of things to kind of tease out, but it also provides a little bit more flexibility.
And this is where I also sometimes encourage the business to think about it this way, too: If this is a stop-gap, meaning that you're creating this product. And you're saying, “Rob, once I have 100% effectiveness on this product, I'm done, I'm going to move on to another product.”
But if you're looking for constant iteration of a product, it's going to be more flexible to be able to do a lot of times under the sponsor banks are under your or part of strategic partnerships, because then you can experiment a little bit and you can kind of find out and get data and drawback and do champion challenger tests and kind of figure out like, “Hey, does something work? Does it not without the fear of like having to go and get permission from Miranda and do a dog and pony show for a regulator and make sure that they feel good and bring him up to speed and bring them along on that journey,” which is a little bit more of a, not impossible, but difficult task.
Nevertheless, I would just say it splits. And I would just say then from those learnings, the business then becomes more mature and develops internally. And they say, “well, you know what, we're ready. We're now ready to potentially build the infrastructure. We've done that experimentation. We have the data now to understand that we can do it on our own.”
And then that could potentially signify a movement from relying upon sponsor banks and other partners, then moving those things under licenses. So I would say it's a little bit of an evolution where we start with products, we'll make that decision, but obviously you kind of midstream based upon those learnings, we could make a decision also to pivot.
Trisha
That's a really interesting client sponsor bank, really, as a means for experimentation and to really get that agility, to be able to create and launch products quickly. What is your advice on how businesses should choose sponsor banks now that there’s a new bank popping up every week?
Rob
Yeah, I think it's very critical to have early conversations. I'm very closely connected with my partnership group as they're doing those early explorations and also my legal partners as well. They may come to me and say, “Hey, Rob, we're thinking about doing something maybe in the crypto space. And, we're thinking about talking to these two or three providers.”
And so this is good, right? Because then early on, what we're able to do is some soft testing to determine the risk appetite and to figure out what their expectation is in terms of what this partnership would look like. What would the burden be? Who would bear the risks in terms of potential losses and other events that we would need to be concerned about?
I'd say it's 90% data that you get from getting the answers to those particular questions and evaluating their policies and procedures. And then it's 10% of that gut feeling in a sense where it's even reading body language on zoom.
For instance, if I have a problem or if something breaks at 1:00 AM in the morning, am I going to be able to Slack this person or get this person on a call? Really looking for that kind of cultural alignment in terms of the missions of the companies is something important to evaluate overall as you're going to go along that journey and make that assessment.
One other thing too, I would also vet their technology, right? Because if you want to move to speed and you're generating a lot of your work and are relying upon APIs and other fast-moving technologies, there might be improvements you might want to evaluate. Bringing engineering and your architects along in that journey as well for them to make their own evaluations to recognize if they moved too slow, for example. Or conversely, they can look and say, “Well, these guys, they can move to lighting speed the way we do. So it's a good marriage at the end of the day.”
Trisha
That's really insightful where the economics and ownership of risk is more tangible, but the intangibility of the cultural alignment is extremely important and really can make a huge difference. And whether you have that agility to experiment, it's quite underrated.
So thank you, Rob, for shedding light on that.
You mentioned a really interesting thing, which is that even if you are working with a sponsor bank, there may be this division of responsibility where you have to do your own kind of monitoring of activity and then potentially escalate to them as you build in more tools, or as you decide that you need to get more tools, how do you decide between the build versus buy? Should you have an engineering team dedicated to this or, should you purchase off-the-shelf tools, and how does it play for different areas of the business?
Rob
I am a little bit biased, and I think it's because, in a sense, if you walk in any kind of compliance department, the one thing that's usually persistent is that you are not generating revenue for your business necessarily by being there in the work that you do. So generally speaking from a baseline perspective and an engineering perspective, it's a difficult conversation to have to say, “Hey, I need you to spend all this time and this resource and this money for you to build me all these functionalities.” And as a result, a lot of times, we wonder, “Wouldn't it be cheaper if we just went to market and we kind of looked at what's out there and maybe that can kind of provide what we need in order to be ‘compliant.’”
I don't think it's a bad thing. And so what I generally do is give the option to the business. And when I make those determinations, I provide factual analysis around what it would potentially take to build something in-house. Let's size it, but understand the effort and initiative that it would take, and completely run out what our costs would be end-to-end, and then making that happen. And then also building in the fact that a lot of times, engineers fail to realize that there's a lot of “run the business” maintenance associated with some of the compliance. So we try to build that into the cost as well.
And then we look at the comparison of the market and then in terms of those capacities and the costs, and really it's just a cost-benefit analysis at the end of the day, in terms of what is the smartest move for the business.
And then we try to think of it in these phases, right? Assume you're on year two of the program of this release of this product, where we're going to need tools to be compliant in the AML, or be a safe space or other compliant spaces. What does that look like? Do we grow to scale? What do we do at that point? And so what I'm constantly doing as part of my job is to work with multiple vendors on multiple compliance products and what we’ll do.
And as you well know, we have performance standards. We go to our vendors and we say things like, “You know, Unit21, here's what we expect. Here's what good performance looks like to us in this ecosystem, in this environment.”
And this is the exact line I give to haul the vendors that I work with. And we have these performance standards, and we evaluate whether we are getting the value from having this partnership and why or why not.
And it could be reasons in terms of maybe the missions of the companies have now become somewhat diametrically opposed, and perhaps as a result, the technologies aren't aligning with what we need to do to grow to scale overall. And so, as a result, we may have a conversation to say that, okay, maybe time to build, maybe time to re-evaluate.
So again, re-looking at what are the priorities of the business. Does it make sense for the business to spend the time/money and the initiative not only to build, but to continue to maintain, or are we better served by going to market?
And this was exactly how we began talking about Unit21, right? Part of the conversations and the request for proposal process that we initiated with your company was on that basis where we had that exact conversation with our business.
They were interested in exploring the “built-for-you” option, and I say, “Cool, that's great. However, here's the laundry list of costs and what is needed. What do you think?” And they're like, “Ooh, you know what, maybe you should go have a look at the market.”
And so we did. And you know, and these are the conversations that we continue to have in terms of Unit21’s value. “Is it still providing value? It is? Fantastic. So let's continue with Unit21. Let's continue on that journey. Let's continue to bring them along in terms of Intuit's growth to scale on money, movement products, and how they continue to help facilitate us with their data and what we need to do to become better automated and to leverage AI because that's the mission of Intuit.” We're committed to being in an AI-driven environment and space for our customers.
Trisha
That's certainly a very logical way to view build versus buy. A lot of companies decide to just build internally because they want control or they feel like whatever they get from outside is not going to be as great, but really the question is about ROI.
So we've talked a lot about tools and sponsor banks. What about the team? What is your framework for what a good compliance team looks like? A lot of our customers only have one or two people in compliance, and they're growing the compliance team. So what framework should they put in place to make sure that the compliance department is doing well?
Rob:
So, it starts first in alignment with human resources. They are extremely critical in that journey. I look at the Intuit model where we take great effort to screen candidates what our processes are to bring new people in, but also in terms of the roles overall, and the obvious thing from a framework perspective is making sure that I have individuals assigned to the different pillars that are needed for a BSA AML program. And a perspective provides clarity for those individuals.
Then I'm able to speak to the delineation of the roles. I have five direct reports that come to me from that perspective. And they each answer for one pillar. But not surprisingly, there's a little bit of overlap in terms of some of the work they're doing and where they need to communicate with one another. And they're great in that aspect. So the other thing, too, that's a little bit unspoken and unseen, is I really look for diversity in thought. I don't want clones of myself or of anyone else on the team.
I want the diversity of thought and experience as well. People are coming in and understanding how they can provide a different viewpoint. We have what's called a “craft demonstration” for every hiring role that we do. And part of that is when we give someone a problem statement: something to come back, and we'll send a deck and to solve. And it doesn’t matter what your answer is, it’s more about how you got there. If you were to tell me the sky is red, and this is why, I would accept that.
As long as you were able to unpack and explain to me why you believe that it was red. So really, it's an exercise where I want to understand what is the thought process of the individual to get to the solution that they're trying to drive at the end of the day in terms of building that complaints department.
The other thing too, honestly, it's passion, right? The company linked into it. If you are lazy about being passionate about the customer’s problem, you're just not going to have a good time. You're going to have long days; you’re not going to be engaged. And so that's part of it. Also, I try to be as authentic as possible here at Intuit. And I think it's important for other companies to understand and be empathetic to what the customer problem is.
And it's not just down to the customer too. It's because of our compliance team and my team; I take great affinity and the fact that we have a good brand across the company because we generally care about what other people are trying to do in the company to help solve for that customer.
Now, it doesn't matter if it's someone in marketing or someone in finance or someone on the product development side; we are genuinely interested in how they are spending their week slogging away, providing for themselves and their families. We're passionate about what every single person does, not just the people in compliance or AML and then legal. And so that's important to understand and to listen and to show that too.
Trisha:
That's a really interesting point of how you can really have the compliance team think of the business and not just the compliance operations - really to keep the larger picture of how compliance can unlock growth for the business. How do you measure your compliance people's performance?
Rob:
Well, here's the easy one, right? (Here's where I get jealous of people that are a little bit more operation centric). I can look at components of quality decision-making in terms of my work. Those are really metrics that are easily measurable, and I can say who's doing the best to who might have the most opportunity on the team. It’s kind of the same thing with productivity and how that's measured. There's always been controversy from an operational perspective regarding whether that is the appropriate way to measure. I would say, within an operational environment, perhaps, but for my team and me, not so much, so here's the obvious one, right?
We're beholden to the regulations. And so, for us, it's critical that we do not miss our SLAs, that we're in compliance with them at all times. It's critical that we have every pillar and component of the BSA AML program in place, that independent reviews are done in a timely fashion, and provide the scope and clarity that they need to.
The same thing is true with our risk assessments, my reporting to the board, training that I submit over to the board...There are definitely some “check the box” functionalities that are part of my job that I measure by, and my team is measured by that. Beyond that, here's what I would say is that all those things, I just kind of list.
You can meet an SLA. You can submit an audit report. You can do all of these things, and you can be an extremely deplorable person. You can be a complete jerk to be quite frank and get stuff done. It's not impossible. But specifically with myself and at Intuit, the “how” matters. And so, for me, it's also about our brand at the end of the day and how we are interacting with our stakeholders and how they perceive our working relationship.
I want them to think, “I really like working with Rob and the AML team. They're empathetic when things don't go well or a rule breaks or the functionality isn't there, they don't freak out. They seek to understand what the problem was. And they partner with me strategically to make sure that we have the right fixes and implementations in place.
They're understanding; they’re clear with me regarding what is a regulation versus what might be a business risk, that's strategic and smart risk-taking. They use data to drive the points at the end of the day, in terms of the decisions that they want to make, instead of just saying, ‘Hey, it's a compliance regulation. You should do it.’”
Responses like that don't fly at a company like Intuit. And so those are the intangibles and the interactions that I also measure as well in terms of my team's performance.
Trisha
It's really interesting - Intuit is incredibly tech-forward. And the variety of products that Intuit support is significant. And if someone does not have that mindset of “what should we do for the business” and a very data-driven sense, then I can imagine it becomes challenging for them to succeed in a place like Intuit.
Rob, you have an incredible career in compliance, from really learning the nitty gritties from what good brand delivery at AMEX means to running AML at Intuit. What is your advice? How should one build a career in compliance?
Rob:
“Carefully” is the best answer I would give in one word. Look: it’s strategic. I try to be as strategic as possible in everything that I do. And I think the first thing is that you have to know yourself, you have to know what your passions are at the end of the day, and you have to then do the homework to evaluate what are going to be the best environments for you to foster those passions, then to have them grow and to have them be supported.
And what's interesting is that I'll give training periodically on different topics within the company. And often, I'll interface with different people in the company, whether it's front customer service or on the backend with risk and fraud or financial risks and other components.
And I always get a couple of people that will answer this question: “What are you passionate about in terms of what you do? What are you passionate about?” And I'll get a response sometimes that says, “Rob, I'm passionate about catching the bad guy.”
That, for me, is such an interesting response if they're at a financial institution or a money service business. I think to myself if you are passionate about catching criminals, why wouldn't you be working in law enforcement? Why wouldn't you be seeking that out? That, or a legal career, would seem to be the environment that would probably foster that passion. And so what I try to do is try to direct them, because the businesses that we're in require someone to say “I am passionate about being compliant and making sure that I can share with my regulators that we're doing the right thing, we're intelligent and doing the right to more committed and do the right thing.”
But at the same time, we're also forward-thinking about doing the right thing. So that passion doesn't necessarily involve first and foremost catching the bad guy. It's about how do I put the best systems in place that are advanced, that are smart, that are AI-driven, potentially to be able to sit the large amounts of cookies data that we have to be able to put my people in the best position to spend their time on the most important and probably the most risky alerts or circumstances that they need to review.
That's my passion. My passion is experimentation; it’s looking at it from all these old antiquated ways in terms of KYC. KYB is a perfect example, right? It's like, okay, well I've collected my data points, and now I need to go on, I need to validate them.
And it's kind of one by one; let me string it across. And, you know, that's the old school way. And that is maddening to me. That is so maddening to me. Like, there must be a way this stat exists out there in a sense that it has to be a safe way to be able to compile it, to be able to, when someone enters your ecosystem to identify, whether it's through nuances and multi-factor authentication and other advancements like, “Hey, you know what, I know what the risk is. I know this risk is either low or it's medium, or it's high. And I know why,” and then I can implement that and use that data to kind of drive my processes and tighten my controls or loosen my controls or be dynamic as a result.
And so that passion is kind of figuring that out. I know I will go a long way here, but I would also say this extreme value in getting your hands dirty. And so I would say if you're looking to kind of begin, or if you're in a career right now where you're, you're operational centric, you're, you're, you're validating the KYC CQI.
Maybe you're doing this, our investigation, and the work that's fantastic. But I would also say to look at it potentially as an opportunity, meaning that you can climb an operational ladder. And there's great people that I love and operations that do their job extremely well and find a lot of passion in it and a lot of growth and a lot of fulfillment, and that's great to be an operational leader. But for me, I looked at it in terms of using that as a platform, as a foundation to have legitimacy when it comes to creation of policy legitimacy, when it comes to working with people on the technology side, legitimacy in terms of advancing kind of, or evangelizing the mission of better and smarter compliance, across the board and internationally.
Knowing that allowed me to be in these places and build my career and in the spot where it says, “I want to be in a place where I'm allowed to talk to any numbers. I want to be in a place where I'm allowed to talk freely to the legal department, I want to be in a place where people are going to understand that if I come to them, there's a legitimate reason I'm bringing value. I'm bringing value. I'm not here just to bother you. I don't need to get permission from three or four different people to go talk to someone - I'm legitimately interested in solving a problem and finding a better way to solve it at the end of the day.”
And so, again, going back to your question, self-identification, find out what you're passionate about, research the company.
There are tons of resources out there. And I would say, as you're going through the process of using your network as a benchmark of saying, “What does this company really like? Or what does it like to work from?” You can either give me the real load, but at the same time, even in my interview process, I press back. I will ask my potential boss things like “how are you going to be engaged in my development? What does that look like to you? What does that conversation look like? Is there a conversation?” Whenever you find out what your passion is, you have to develop a plan of how you investigate and then insert yourself in that environment.
Trisha
Thank you, Rob. That is incredible advice. It's, it's really interesting where I think your approach, obviously as a leader right into it and do some mature companies. You have to make sure that you're not just running around like the wild west, but marrying the maturity with the curiosity, the experimental reality, the idea of trying to push the boundaries by learning more about different areas of the business and making better decisions is really commendable.
And, and thank you for sharing your insight into growing a successful career in compliance. My three main key takeaways are that sponsor banks can really be used as a mod for experimentation as an ability to really test before deciding to bring things in-house. And it's really important that you not only choose the sponsor bank based on the economics and, um, the requirements from them for different programs you have, and you have to have in place, but also from the mindset of what really makes sense for the type of business you want to work with.
The second takeaway is data. Data is the be-all-end-all of the 21st century. And it's really important to have data-driven decisions in everything, whether it is an evaluating a tool and the ROI that you get from the tool, whether it is in making sure that your program is running effectively, as well as making sure that your teams are performing to the degree that you need them to perform at. And of course, it's imperative to marry the experiment with the pragmatism of other requirements of the time, but curiosity will enable folks just starting out in their career to have really interesting careers like Rob has had.
We have a bunch of questions from our audience so I'm gonna dive into that next. The first question is, “What is the guidance for an early-stage startup who is hiring the first VP, the first director of compliance? How should they think about that, that hire, and what questions should they ask?”
Rob:
I think it's going to depend in terms of, have you already looked at, or assessed what your risk appetite currently is in that space, meaning in terms of the products that you currently have and what your mission is from a first off perspective in terms of where you're going to go and, you know, what does that look like in terms of direct dealing with regulators?
Are you going to have to obtain licenses? Do you already have licenses? Are you looking for strategic partnerships to do these things? And so based on that, then looking at the background from a perspective of what does this person bring to the table.
And I think regardless of where you look again, I think it's just being very blunt in terms of, as you're kind of vetting and asking if they've come from a more stringent background, how are they going to feel about that flexibility? And I think the big thing, especially with most smaller companies and startups, right? It's work-life balance in a sense too.
I think that has to be essential in terms of whether they value it at maybe a higher percentage than kind of others, because, you know, I've been in those environments before where. It’s okay, as long as there is an understanding of, you know, maybe for the first year, you know, 15, 16 hour days, not going to be unusual, but you're going to be doing some cool stuff. You're going to be engaged.
You're going to drive a lot of this stuff. You're going to bring a ton of value in the company. It's going to be super exciting. So I would just make sure that your question set and your vetting really are very cognizant of that, of what the environment is actually going to be for individual and then evaluating if the individual has the ability, not just the skill to evaluate, but also I think too, in that stage, it's going to be critical in terms of their ability to properly communicate both those outside parties, regulators, but also internally, whether it's with internal legal counsel or outside legal counsel as well for making a lot of the decisions from a compliance and risk perspective. I would say that regardless of background, that he or she has got to be a good people person.
Trisha
It's really a people-oriented players, a space because you have to make sure that you can explain to regulators auditors what you're doing in order to be compliant. And it's important that everybody grows with the company.
Question 2: “What are some key items that you ask or look for when evaluating tools like Unit21?”
Rob
There's a formality that Intuit has as a larger company RFP process. So we do have the rigor of what your particular parameter of a test is as it pertains to data flow and information in case management and all the things that we would want a company like Unit21 to be able to do. I would say you should probably have that in mind. Like, what do you need Unit21 to do for you that you are not able to do for yourself and making sure that your parameters from a testing perspective are very acute to measurements of how does Unit21 then perform under what those requirements actually are in comparison beyond that?
It's like I said, it's putting in place a process for continuously assessing value and assuming that Unit21 checks that box. Well, how do we ensure that they're going to continue to do that? What are the performance standards? What do we expect for good, continual performance from Unit21 in that regard? And then making sure that that conversation occurs with Trisha and the team and making sure that there's constant communication; it’s not just after you build and then it's done. No, it’s more like, “let's set up QBR, let's look at the data together.”
What story is it telling us as well, in terms of like, “Hey, you could be more efficient here, or your risks are there.” Or actually, you realize you're running this rule and like it's creating false positive noise, and that's about it. So it's probably an indication that the risk is there; as you assess it, as it might be, why is that happening? And how can we help you pivot? So I think it's really an understanding of whether a real relationship can exist. And can that relationship grow to scale? Meaning that, consistently, as you're asking for updates and asking for things kind of measuring around, communication is there and also they seeking your feedback.
And I say, Unit21 does a great job of this. If they make a release and we're looking at what that new functionality is, fine. We're not afraid to go back and say, this is terrible. Or, you know, this is great. Or, you know, this is kind of good, but I'd like it if it also did this as well. And so, just making sure that that relationship can exist and be fluid.
Trisha
Yeah. It seems like it's finding the same kind of framework with finding a sponsor bank that you want to make sure you can do what you need to do or that you can't get from existing systems. And you can make modifications to the system based on whatever you're learning as you continue to use the system. And then, of course, the cultural element too, is this the type of company that can help me get to the level where I would want to be, or where I would want to be in the next five, 10 years.
Question 3: “Do you have a rule of thumb when it comes to conducting investigations and balancing productivity against time to investigate the million-dollar question and compliance?”
Rob
I think now is the time to be able to effectively leverage data, to apply the answer to that question, meaning that your rule of thumb has come from the point of that balance, meaning that you should be spending more time on investigations that appear from a data perspective to have all the criteria in place from SARS that you have filed previously from things that you have confirmed and identified as ads are actually, or highly potentially suspicious.
And so that's where we have conversations with Unit21 all the time. I’m grateful that we're able to meet the SLA and file our sorrows accordingly and effectively, but I'm so passionate about what's actually in them and what story is it telling at the end of that?
And so before, it kind of used to be from a perspective of like, well, you know, this particular rule, it tends to spit out these complicated alerts that require more time for investigations. And that could be true, but don't just rely on that as a blanket statement, right? Look at the data; the data should be able to tell you as you kind of measure performance as you, as you kind of measure that productivity, right?
Hey, there might be a particular reason a particular rule is causing alerts that are taking longer to investigate. And guess what - it could be not because the investigation itself is complicated. It could be because the rules stinks or the information that you have in relation to the internal data and the information that you're using to conduct the investigation isn't great. But that's another opportunity to increase productivity and your processes and your procedures overall.
So what I would say is that if you're using blanket statements, here's my advocation: If you're being measured from a blanket perspective to say that this alert should only take 20 minutes, or this should take only 45 minutes, or this is kind of a tough one, so it's going to take an hour and a half or two hours, that's fine, but if you're invested in your career, you should be like, “Hey, is there a way we can see the data associated with that and confirm that because I want to make sure if I begin to see something different, I want to let you know, and I want to make sure that's incorporated in the data.”
And so either it's fixed on our end and becomes more efficient where we have the control to be able to do that, or we're really capturing the flags to show where the risk in our business is at this point in time to say that all the hallmarks of this customer and what's going on with this money movement activity is super complicated, and I do need to spend more time to do the right thing and provide the right information to law enforcement.
One other footnote to that is that it's always changing, right? What you might determine or what might be seen in your ecosystem as complicated risk this month might pivot or change. I guarantee you, it's probably pivoted since COVID, and we'll pivot again. And so, that's part of the push that I would always give, and I would expect any operation person to push me. If that was the case too, to say, “Rob, I'm not seeing that,” that I say here, here's what it is.
Here's the flavor of the month in terms of what's going on right now, I would expect if you see these hallmarks and these activities and these flags, yeah. You should probably be spending a lot more time in that.”
Trisha
Really take it a level deeper to understand that something needs to change the system and be set up again. That's why the world has so many false positives, so many true positives. And I think your point is really in fraud, AML. Things are constantly changing; having static logic is just never going to work. And it's imperative to have that dynamic mindset as well.
Question 4: How does Intuit interact with crypto? How do you think about crypto?
Rob
It's tough. I do think about it. That's the good news. I'm very aware and some of the conversations. Here’s what I can share without divulging secrets. We do think about it. However, we think about it from a particular lens and of knowing that who our customers are and does that help serve our customers to a great degree.
And so I think we're still kind of at the phase of really kind of wanting to understand better the customer problem and how crypto would provide a solution if you kind of think about it as well. Right? Intuit, as the largest consortium of small, small businesses and businesses that have only been in existence for, under one year. And so the struggle then there is, look, these are businesses right now that, you know, the majority of small businesses fail kind of within that first timeframe period.
And we're more interested in giving them a little bit more fluid financial products at first in terms of understanding what their issues are, how do we best solve them with products that we have, and then kind of move forward. I think eventually we'll probably find out what that answer that question is, and then maybe target specific businesses in terms of like, all right here, here's maybe some businesses that are a bit more mature and are probably ready to kind of take that leap into assume that type of risk associated. And obviously too, it's going to depend on the crypto industry, right?
If it becomes a more common use, it could also kind of permeate and penetrate into small businesses as well at which at that point, you know, we'll change and say, “Okay, now it makes sense to introduce it sooner rather than later, as a result bottom line.” I, talking a little bit, you know, about the regulations and from a New York DFS perspective as well, we're kind of very aware of what we would need to do to be compliant in that space. So I'm not fearful of it. In fact, I think it's a very interesting challenge and one eventually that I'd like to, to challenge and to, and to tackle. But for now, there there are other things that we're targeting from an Intuit perspective.
Trisha
Thank you all for sharing that.
Final Question: What background has been the most useful for the BSA AML compliance team
Rob
This kind of goes back to my mantra in terms of, I don't hire clones, I don't want to. And so I look at those kinds of diverse backgrounds in the sense, and in terms of like, if you look at what I would call the big four, you either have worked for a regulator, you've worked for a big four consultant, you've worked for a FinTech, or you've worked for a financial institution, or you've come from law enforcement. All those have their value in certain spaces and certain places as well. So I look for that diversity, but I also look for the meaning for me. Again, I have to go back to it.
I look for passion. So if someone is passionate and the question I always ask is like, no, no, no. What, what does it mean? What makes you passionate about compliance and what factor of compliance, but also like, I'll ask specifically, what about Intuit makes you passionate and I'll often find it's, it's very interesting, right? Like people will feel that compliance is compliance.
I'll come in, and it's a FinTech business, whatever, but no, I'm highly interested in terms of whether you know what Intuit's principles are? Do you know our mission and what we believe in - what we help facilitate? Like, what the things that we care about. What drives us to make the right decisions and then to practice good ethics at the end of the day. And I think as long as there's an alignment there in terms of Intuit's value system, and they happened to provide an environment where I want to grow from a compliance perspective if those are answered in the affirmative, then usually we're pretty good.
Getting started is easy
See first-hand how Unit21
can help bolster your risk & compliance operations
