How does CRS affect financial services companies in Hong Kong?
CRS is an acronym for the OECD’s Common Reporting Standard. The CRS framework was setup to combat tax evasion and protect the integrity of tax systems, but what exactly is it? Which countries are participating and what are the implications for financial services companies in Hong Kong? This article will help you understand CRS and how it may affect you under the incoming CRS requirements.
What is CRS?
For the CRS framework, companies in Hong Kong are required to identify and annually report to the Inland Revenue Department (IRD) the financial accounts of tax residents of foreign reportable jurisdictions. The information can include; bank deposits, securities accounts, assets, insurance products etc. The reporting standard helps to standardise the submission of information, to make it easier for information to be shared and analysed between the participating countries.
Which countries are participating?
A detailed list of the reportable jurisdictions can be found here. Currently, approximately 75 jurisdictions are participating, including all EU member states, Australia, Canada, China (including Hong Kong), India, Korea, Malaysia, Russia and Switzerland.
Consequently, If any of your clients are from one of these countries and have accounts in Hong Kong, you’ll need to start preparation to create the reports to submit to the IRD.
What should you do?
At the minimum, you need to start by making sure you have up to date and relevant information on your clients. It is important that this data is accurate. You should begin communication with your clients to establish whether you’ll need to report on them. We would recommend sooner rather than later. You will also need to be mindful of this when you onboard new clients.
If the required client data is not on a database or online system (such as our Link|FS platform) then we recommend you begin to digitise your data to remove reporting headaches that will appear later. This is what the data looks like for reporting. It’s in XML format:
CRS Reporting Screenshot XML
From September 2017, the IRD Portal comes online for registration and by January 2018, the IRD should start to issue information requests. The current end goal is the reporting and sharing of information between countries to begin at the end of 2018. You can automate your reporting by adding onto existing internal processes you may have (provided you have some digital records) and you can connect to the IRD portal for automatic uploads, makingthe process much smoother and reducing the room for error. More information here.
Note. Some of the dates mentioned above have changed in the past so it’s important to keep up with any changes that may affect you. We’ll post about them on our updates page.
This is Part 1 of our series of articles in “Digital Client Onboarding for Financial Services: Move Fast, Ask Less”.
So, what does User eXperience (UX) have to do with compliance? Well, when we break it down to the nitty gritty, your new client will more than likely have their first interaction with you while researching your company or the service(s) it provides via your website. After they have surveyed your website, clicked some links and maybe built some trust, they then make the decision to contact you. This is when they will inevitably end up at a web form.
This is a web form. A nice one.
Web forms have a lot to do with UX and UX is part of client onboarding and that is closely related to Know Your Customer (KYC). The KYC process is all to do with regulatory compliance. With web forms being the most common way to perform digital client onboarding, you guessed it, the initial user experience with your company has a lot to do with compliance. But get it wrong and you might not have to worry about KYC & AML/CTF or any of that, you might not even get the client.
You have to start with the customer experience and work backwards to the technology – Steve Jobs.
I’m sure not long ago it would have seemed odd to mention ‘UX’ and ‘regulatory compliance’ in the same sentence, but times have moved on, fast. Every company, from the biggest on the planet to the smallest garage upstart is trying to enhance their digital experiences and the way they connect with their customers.
The world’s biggest retail banks are now feeling the pressure from mobile-first startups that create apps with fantastic user experiences to try and draw customers to their platform. See Number26 and Monese as some prime examples.
Monese Banking App
So why is it so difficult to create a great, digital client onboarding experience and what’s been wrong with the approach until now?
Regulatory complexity has grown and so has the volume of data required for KYC and client onboarding
From our experience working with clients, we have come across all kinds of forms. Depending on if they are regulated and which regulatory body they are licensed with, if they have to submit CRS or FATCA reports, whether they’re onboarding an individual or a corporation, or simply down to how they handle their KYC and compliance internally. Most commonly, we work with clients that have forms with between 60 – 200 fields to complete. So, what’s a field?
This is a bad web form. Particularly if you need to enter a lot of information.
The example above has 9 fields. You can imagine having to complete a form like this with 60 – 200 fields to handover your information (plus additional supporting documents). You can’t just digitize your existing forms like for like as it presents a number of challenges. We’ve listed the 4 main ones we’ve come across:
Form Fatigue: Ever gone to complete a long form and needed to take numerous breaks from it? Not only for your sanity but also because you may not have the information or document required at the time. Or worse still, you’re half-way through a form online and it loses all your work when you try to come back to it?
Repetition: We found the client’s who were being onboarded were getting asked for the same information up to 2 and sometimes 3 times on the same form. Even when converted to digital! ‘Didn’t you just ask me that?’.
Flow or Logic Missing: Asking someone to enter information at the wrong time and out of context is a real issue. The constant need to flick between pages or endless scrolling makes for a bad user experience. ‘If you selected Yes, go to Section 5’.
The Paper Mentality: If you’re just taking your current paper form and putting it online, you’re going to run into problems. The digital experience needs to be a lot different and more familiar for someone who uses Phones, Tablets, Laptops etc. everyday. You’ll run into at least 2 out of 3 of the above issues. And more. What happen’s when you need to add more information in a particular section but there is no space?
Thinking about how a form can be organized as a conversation instead of an interrogation can go a long way toward making new customers feel welcome.
― Luke Wroblewski
As you can see, a web form actually has a lot to do with compliance and is integral to a successful digital client onboarding programme. Getting this wrong will get you bad results and a bad first impression and maybe even a lost client. This is where UX comes in and it can turn a bad experience into a delightful first interaction for your clients. As Steve says: You have to start with the customer experience and work backwards to the technology.
This is Part 1 in our series “Digital Client Onboarding: Move Fast, Ask Less”. In the next installment we’ll look at “Form Data: Can data be used to hone a better digital client onboarding experience?”. If you would like to receive our updates, please sign up here…
If you ask a cyber security expert to secure your enterprise environment, they may not allow anyone to login or access email remotely and would request that you use passwords such as s23r8@#$23nr2345$%^456324k2345!#3 and request that you change them to something just as confusing every 7 days. This quickly gets in the way of people doing their job. There has to be trade-off. But is this really a risk vs reward scenario or can there be a happy (and secure) medium?
We see something similar with software solutions that are hosted onsite (your IT manages it) vs cloud solutions (the vendor manages it). The latter is often referred to as SaaS (Software as a Service). Normally to get new software installed, which in turn provides a service to the business, there are a number of hurdles to get over. Those hurdles predominantly involve time and money when the outcome you want is really the service the software provides. In the argument of software onsite vs cloud services, what are you really risking?
Financial services software either makes you money, saves you money or reduces your risk. Some do all 3.
Your data, at someone else’s house
As the world of technology moves away from high upfront software and hardware costs towards subscription based services or cloud offerings, the questions heard from the market and businesses looking to make this move are:
Is all my data secure?
Is my client’s personal and/or company data secure?
These questions are valid and businesses should definitely be asking them. The reality is, SaaS or cloud providers have the exact same concerns. Their businesses depend on their client’s and the data they hold for them. They are responsible for their client’s data and need to make every effort to ensure it’s security. The cornerstone of any SaaS or cloud provider’s business is data security. If they were to be hacked and have data leaked, this could be potentially very damaging to their business, and for some companies this would put them out of business entirely.
Is cybersecurity and its effects on compliance something you discuss at management meetings?
The move to the cloud is happening fast and it’s no longer a matter of if or when. If you look at the largest cloud provider on the planet, Amazon Web Services (AWS), you’ll see they are growing at a rapid rate. Many companies are not buying servers anymore and hosting themselves, they are leveraging the power and scale of cloud providers. Oracle and Microsoft have effectively become cloud companies and are actively promoting this.
Microsoft Office 365 Cloud now hosts all email data for insurance giant Metlife, with 64,000+ staff on their platform. Monthly active users of Office 365 commercial now number over 85 million, up more than 37% year over year. The SaaS CRM behemoth, Salesforce, now has a market cap of US$58.25B (at time of writing) and is a 100% cloud company. You cannot install their software onsite.
The original (in)famous SalesForce Logo
Salesforce now boasts such clients as Barclays, American Express, GE, Unilever and more. These companies all trust their data with a cloud software provider. Not just any data; but sensitive data such as their client lists, prospects, partners etc. All on Salesforce cloud. Even UBS has moved compliance functions to Microsoft Azure cloud and DTCC are moving to the cloud “to reduce risk and cost and improve the resiliency and security of DTCC’s systems”.
These vendors, large or small, are all too aware of the kind of scrutiny placed on cloud or SaaS providers. To do business with big companies, you need to pass through vetting processes and lengthy due diligence questionnaires. Ever seen these kind of questions below asked of your business?
Who in the organization is the owner for the Information Security program?
Does the organization encrypt data at-rest?
Does the organization multi-tenant data or processing on the same system? If so, how is confidential client data kept secure?
100% cloud is not always the only option
Before cloud or SaaS vendors make any changes to their offerings, they think of data and application security. The cost of getting this wrong far outweighs the efforts involved of getting it right. Some companies will offer a number of ways to deploy their software, including: Public Cloud, Private Cloud and onsite/Hybrid solutions.
It’s by far easier to manage a shared service/public cloud offering as they only need to manage a group of scalable servers that they have control over. If deploying their offering onsite, they need to engage with IT teams, security teams, operational infrastructure teams etc. This presents some challenges and certainly adds to the hurdles.
Decision makers are often caught in a tough position when exploring cloud or SaaS as a viable alternative to traditional infrastructure and application service methods. Fear of data leak and location is the primary concern. But does the cost savings outweigh the perceived risk?
The financial argument
From a purely financial standpoint, many decision makers are not entirely aware of the true cost of operating their environments. Expenses relating to a facility and infrastructure often are hidden in other budgets, so their view of operational cost is limited to staff, hardware purchases, maintenance agreements and software licensing. Overlooked expenses often include the impact of business damaging downtime and the cost of capital that could be more efficiently used in generating income. On the whole, the cloud or SaaS initial outlay and ongoing costs have proven to be more cost effective than going with onsite. However not everyone is ready for the cloud.
Evaluating business needs
Research shows that cost is seldom the primary driver toward cloud services. Instead, improved service levels, infrastructure agility and increased security ranks as the top three drivers. Overburdened infrastructure or small IT teams often cannot cope with the rate of change and demand, and desperately need to empower business units to provision services that add value, fast.
If the goal of a business is to move more quickly than their competition, the platforms on which they innovate and operate must keep up with these requirements. If they cannot, then irrespective of the cost of a cloud solution, they are simply not performing a business enablement role.
So where are we now?
The question of whether cloud is a viable alternative to the existing methods of deployment is not a comparison of apples to apples. An organisation needs to determine accurately what it’s objectives and goals are at a business level, understand whether they can afford to divert much-needed capital into a non-core activity such as operating IT infrastructure and then consider whether a scalable, flexible a
nd cost-efficient solution will serve their original goals more effectively. And most importantly, securely.
For many providers, time will tell and the market will drive them in the direction it sees fit. At this point, there is a definite increased interest in cloud and SaaS but some companies are reluctant the be the first movers, but don’t the first movers often get the advantage?