Hindsight packs a powerful punch. Looking back at the Wirecard scandal, it seems remarkable that regulators, investors, suppliers and other stakeholders did not see the downfall of the German payment processing company coming. The Financial Times began investigating the company six years ago, following a tip-off about irregularities in its accounts. It published a string of well-researched stories over the coming years and regulators in a number of jurisdictions began to take note. But the company weathered the storm, only collapsing into insolvency in July.
The story of Wirecard is a salutary tale. Much lauded for its innovative technology and rapid growth, particularly in its home country, sceptics were dismissed and, in some cases, maligned. Capitalising on the company’s apparent successes, its charismatic leadership team were able to bat away difficult questions – and too many of those who should have known better took the firm at its word. In retrospect, this was a classic case of the Emperor’s New Clothes.
In the end, Wirecard’s collapse came remarkably quickly. In June, it was forced to file for insolvency after conceding that €1.9bn of cash supposedly in its accounts could not be found and probably didn’t exist. The FT published documents showing that a company which had claimed to serve more than 200,000 business customers had actually relied on just 100 accounts for more than half its revenues. This, in other words, was a business with a handful of very large customers and a remarkably long tail of tiny accounts.
There are no doubt be further revelations to come. Wirecard’s former chief executive was arrested following the company’s collapse and faces investigation. The German parliament has announced an inquiry into the affair. Authorities are also looking into allegations that critics of Wirecard had been the subject of online hacking and phishing attempts.
The bottom line, however, is that this appears to be another case in which red flags raised about potential concerns ranging from false accounting to money laundering were not taken sufficiently seriously. And the fall-out has been highly damaging – not just for Wirecard’s investors, but also for businesses on whose behalf it previously processed payments, from fintech start-ups in the financial services sector in individual merchants all around the world.
Lessons from a scandal
From a banking perspective, the Wirecard saga underlines an imperative that has sometimes been overlooked in the efforts of recent years to improve know-your-customer (KYC) and anti-money laundering (AML) processes. It is not enough just to know your customers, because the risk they pose may actually come from their own client base; this is therefore a world in which banks must know their customers’ customers too.
It is imperative for banks to mitigate the risk of getting caught up in similar scandals in the future. Clearly, much of the work from a KYC and AML perspective when dealing with PSPs and MSPs will focus on these businesses themselves, and the questions that banks must ask themselves is as follows:
- What are the legal and regulatory requirements these businesses operate under, both in the individual territories in which they operate and on a cross-border basis?
- What continuous monitoring work can be done to identify any signs of misconduct or financial distress?
- What services are they providing to merchants, including regulatory compliance work?
Automating the process
Given the scale of work required to achieve such goals, banks and other financial services providers still working with more manual processes are likely to struggle to rise to the challenge. Rather, a shift to a more automated approach to KYC and AML compliance is now necessary, with systems that capture a broad range of metrics through which it is possible to monitor the risks posed by MSPs and PSPs, including the risks that may be inherent in their client bases.
Such an approach will stand or fall on the quality of the data to which banks have access, and on the tools they have at their disposal to analyse this data from a risk perspective. However, with systems built on APIs that ensure a constant flow of data into KYC and AML processes and tools, it is now possible to embed best practice into relationships with MSPs and PSPs – and to ensure you can genuinely know your customers’ customers.