Rein Graat

Jeroen: Welcome, Rein Graat, Chief Compliance Officer at ING Group, thanks a lot for taking the time to speak to Leaders in Finance. First of all, could you please introduce yourself?

Rein: Thank you. I am Rein Graat, the Group Chief Compliance Officer of ING. I have a versatile background, having worked in both the first and second lines. Experience gained in business, risk and legal in different parts of the world have given me e a different perspective and the ability to understand and integrate the agendas of both. This combination has been very fulfilling for me.

Jeroen: Wonderful. If you could choose one or two aspects that you particularly enjoy about your job and working in this field, what would they be?

Rein: I would say that one of the most rewarding aspects of compliance is its role in upholding an organization’s most valuable asset: trust and credibility. In a world that is increasingly complex and where change is constant, the compliance function must understand the evolving landscape, the organization’s position within it, and the associated compliance risks. This requires making informed judgment calls to protect the organization. Navigating that complex landscape and ensuring organizational safety and security, is exciting to me. As a compliance function, you can be the tail that moves the head.
One acronym for the compliance risk landscape today could be ‘VUCA’. Volatile, uncertain, complex and ambiguous. Five years ago, being proactive was good. Now it is a necessity. This requires being nimble, adaptive and quick to respond to the ever-changing, fast-paced environment in which we operate.

Jeroen: I think your job is never boring, right?

Rein: Spot on. Far from!

Jeroen: If you look at the broader compliance field within financial services, what do you see as the biggest challenges right now, either for you personally or in general?

Rein: Let me highlight two significant developments that are clearly presenting challenges for institutions, especially those operating internationally. Firstly, there’s the issue of geopolitical risk and the risk of regulatory divergence on a global scale, particularly in regulatory compliance areas. This includes the heightened complexity in managing anti-financial crime measures, especially concerning sanctions. These challenges are also related to the fragmented state of the world order and ongoing conflicts. They also bring about risks like sanction circumvention, with financial institutions now expected to actively detect evasion practices. Today, we witness various conflicts worldwide and the strategic weaponized use of sanctions, which clearly make this a top challenge. This poses a significant hurdle for the industry, prompting us to deeply consider how we can collectively address these issues amidst the current fragmentation.
Another significant challenge is related to technological change. This includes risks associated with Artificial Intelligence, cyber threats, increasing technological outsourcing, and the monopoly of a few global players. There are numerous emerging technologies that we must understand, assess for their potential risks to our organization, and formulate appropriate responses. Additionally, the rise of digital asset service providers introduces new complexities and uncertainties. These emerging technologies also offer opportunities for organizational leverage but also require careful risk assessment and management.

Jeroen: That makes sense. When considering geopolitical risks alongside technological developments and risks, they often converge, especially in areas like cybersecurity during geopolitical tensions between countries, right?

Rein: For sure. It is crucial to stay vigilant and continuously monitor these developments, striving to understand them and develop proactive responses. This preparation aims not only to enhance our readiness but also to educate our teams on evolving capabilities and operational methods—from today’s practices to those of tomorrow—ultimately maximizing our effectiveness. The compliance environment generally speaking is not yet very data-driven, so adopting a more risk-based and data-centric approach is essential. This shift allows us to focus intimately on critical areas, optimizing our efforts where they matter most. These tools also play a crucial role in safeguarding the organization against emerging risks such as cybercrime and ensuring data privacy, safeguarding invaluable assets like customer data that are central to any large organization. Clearly, the stakes are high, underscoring the importance of getting these strategies right.

Jeroen: Do you have any examples from last year of compliance, geopolitical, or technological trends that caught your attention or that you found particularly interesting or concerning?

Rein: There are a couple of things, but one that stands out, both globally and locally in the Dutch context, is the intersection of AML compliance and data privacy. This topic has been extensively discussed as it presents unique challenges for organizations. AML regulations often require the collection and processing of personal information, while data privacy regulations mandate the protection of this data and the rights of the individuals. Therefore, compliance must carefully navigate these regulations to strike a balance between fulfilling AML requirements and respecting data privacy.
What we’re seeing is a growing recognition of the need for an integrated agenda. Public and private sector must collaborate closely to navigate the complex environment of AML compliance and data privacy. This convergence is increasingly acknowledged, and more discussions are taking place around these issues, highlighting the need for an integrated agenda rather than individualized position taking. This trend requires courage from both public and private entities to explore legislative tension to jointly find ways to improve. I think this is one of those clear things that have been on the agenda last year and will be on the agenda for next year as well.

Jeroen: You are referring to situations where banks, whether in the Netherlands or elsewhere, want to collaborate to fight economic crime by sharing certain anonymized data. However, due to privacy concerns or other regulatory issues, this type of data sharing is often not possible.

Rein: Absolutely. Clearly, the rules are there to protect both individuals and customers. But it is also an environment where we are trying to find a right balance. That means, focusing our attention and efforts where they are most needed to target serious criminals. Criminals operate across banks and boundaries. It takes a network to fight a network. This requires determining what information we can share and how to share it effectively. We are still in the early stages of developing our views, which involves navigating through some grey areas. That also means that we sometimes need to take a step back to see how future regulation, like the Anti-Money Laundering Regulation, can either support or limit this. If the regulatory landscape changes in ways we didn’t anticipate, we’ll need to revisit our strategies and business cases. This also applies to cases like Transaction Monitoring Netherlands, which have the potential to materially contribute to fighting serious crimes. But we need to acknowledge and understand how future regulations will affect our ability to fight financial crime.

Jeroen: I want to ask another question about technology. We have already touched on some aspects, but I’m curious about your view on whether technology is more of a friend or a threat, especially in areas like compliance, sustainable finance, or cybersecurity. I assume your perspective might be somewhere in the middle, but I’d like to hear your thoughts on how ING perceives technology in this context.

Rein: You are right. Our perspective, particularly from a second-line standpoint, is somewhere in between. Technology can be both a friend and a challenge. On the positive side, technology can greatly benefit an organization. Technology is to play an increasingly crucial role in mitigating compliance risk. Advanced analytics, automation, and real-time data can be leveraged to enhance our monitoring capabilities and compliance risk management processes. It will help us to manage and anticipate risks, as well as position ourselves for resilience, scope-expansion, and the long term rather than simply surviving through potentially turbulent years ahead. More data-driven allows us to be more precise in focus. This enhances effectiveness, which not only benefits the organization in multiple ways but also improves efficiency. Efficiency, in turn, allows for better allocation of resources, focusing on the most important issues. Leveraging technology, especially as a new way of resourcing for the future, is crucial. It’s important to move towards understanding how to effectively use and deploy these technologies. Equally important is recognizing the new risks they may introduce to the organization. For instance, if you look at AI, the transformative potential is undeniable. However, so too are the multifaceted risks it present. This brings new challenges and sheds light on the need for robust AI risk management strategies. It requires us to relook at out frameworks and controls, to see whether they are still providing the right protection for both our customers and us. So yes, it is exciting and frightening at the same time. Therefore, it is a topic that we need to engage with, understand the technologies and figure out how they can either benefit or pose risks to the organization. Ignoring or dismissing technology is not an option. AI is here to stay. AI becomes increasingly intertwined with our daily lives and critical systems. It becomes paramount to understand, anticipate, and mitigate the risks associated with its deployment.

Jeroen: Makes sense. Before I get to my final question, I have one more on this topic regarding hiring talent. Specifically, in the compliance field and for your teams, are you now also hiring more people with technological expertise that can help in the compliance field and have a deep understanding of technology?

Rein: Absolutely. For instance, at ING, we have launched a new strategic Compliance program called NEXT, which suggests there is a continuous movement, a momentum. It puts a dot on our horizon for the years to come. As we aim to create a future-proof compliance function, it’s crucial to integrate technology, data analysis, AI, and even generative AI into our processes. Our focus includes sourcing talent through our center of excellence, emphasizing the need for these skills to be developed and relevant for the future. As a result, we are indeed hiring more individuals with data analysis expertise and technological skills in the compliance function. And from a career perspective, to enhance our appeal, we are also exploring the best environments to centralize these capabilities, creating a supportive ecosystem for our teams that comes with attractive career-outlook. This definitely affects our organizational structure and determines how and where we choose to base our teams.

Jeroen: For my last question, do you have any advice for those who are starting out in the compliance field within financial services? You’ve already touched on one key point—understanding technology is crucial these days. Do you have any additional tips for newcomers in this field?

Rein: Maintain curiosity and keep learning, exploring different roles and environments. Embrace the opportunity to make and learn from new mistakes. Those are the best learnings you can give yourself. Whether moving from second-line roles to first-line positions, transitioning between different areas like conduct and financial crime, or taking on audit roles, exploring various aspects of the field early in your career will provide you with new perspectives and help you understand the agendas of others, which in turn will enhance your ability to advance your own agenda as a compliance expert. It allows you to understand your target audience and speak their language. More importantly, it helps you gain a complete view of the entire environment you’re working in and determine the best way to position yourself.

Jeroen: Wonderful. Thank you, Rein Graat, Chief Compliance Officer at ING Group, for taking the time to speak to us in the run-up to the Leaders in Finance Compliance Event on the 19th of September this year. We are delighted that you will be one of the speakers and are looking forward to having you there. Thank you.

Rein Graat: Thank you and I am looking forward to the event.