NMI’s Payment Playbook Podcast – Episode 12: Kathryn McCall, Chief Legal and Compliance Officer at Trustly

Are you navigating the complex realm of security and compliance in payments? Brace yourself for an insightful journey with our guest, Kathryn McCall, Chief Legal and Compliance Officer for Trustly Inc. We promise an engaging discussion on how Trustly, a leading global player in open banking payments, is reshaping the field with a cost-effective alternative to traditional payment methods. Learn about Trustly’s unique approach to fighting friendly fraud, the significance of know your customer checks, and the necessity of adherence to the Bank Secrecy Act and Financial Crimes Enforcement Network guidelines.

What are the intricacies of anti-money laundering and compliance? Kathryn shares her expertise on the challenges in this area, underlining the importance of continuous monitoring for suspicious activity. We delve into the delicate yet essential balance between prompt payments and stringent security measures. Kathryn also shares her thoughts on creating a compliance culture, the inevitable increase in regulations, and how Trustly's expert team artfully manages its compliance programs. So, buckle up for this riveting conversation and get ready to leave with an enriching understanding of compliance and security in the payments industry!

Greg Myers: Hi Kathryn, and welcome to this episode of the Leaders in Payments Podcast, where we’re looking at all of the things that happen before a transaction, or, put another way, before money ever moves, and, of course, merchants and vendors and payments companies being compliant and keeping data secure are two of those things, so that’s what we’re going to talk about today, so welcome to the show.

Kathryn McCall: Thank you very much, Greg. I am happy to be here.

Greg Myers: Great, so tell our audience a little bit about yourself, maybe a little personal and professional background.

Kathryn McCall: Absolutely. So, my name is Kathryn McCall. I am the Chief Legal and Compliance Officer for Trustly Inc. I’ve been with Trustly since January of 2018. I first came in as outside counsel and then I moved in-house in December of 2019. I live in San Francisco, and I have almost 25 years of combined experience in corporate governance, debt and equity financings, M&A and then, of course, also payments. Here at Trustly, I’m responsible for all legal, regulatory compliance and enterprise risk matters in the Americas. I advise our executive team and the board of directors about compliance, regulations, rules, how to comply with the law and stay on the right side of the law.

Greg Myers: Okay, great. So, tell us what Trustly does. Give us the 50,000-foot overview of Trustly.

Kathryn McCall: Sure, so Trustly is a global leader in open banking payments. Another way to phrase that is pay by bank. It’s an alternative to making payments to merchants by credit card. Our solution helps merchants process consumer payments at a cost of up to 50% below those credit cards. We offer guaranteed payments to provide instant access to funds for the merchant and also to help eliminate chargebacks, which are expensive for consumers and for merchants. Our UX and risk engine delivers superior approval rates, which makes merchants and consumers very happy. We also help merchants with instant payouts and a full suite of open banking data products. We currently focus on enterprise merchants across multiple verticals, like e-commerce, financial services, billers and gaming. We work with companies like AT&T, Dell, Coinbase, Verizon, Lyft, T-Mobile, eBay, Western Union, FanDuel, DraftKings and GoFundMe and others.

Greg Myers: Okay. Well, let’s dive into the topic at hand, which is security and compliance. So, can you give us the high level 50,000 foot level of what security and compliance is all about?

Kathryn McCall: At the highest level, I would say that security is fundamentally about mitigating risk through strong governance and leadership, proper risk management protocols and promoting proper security best practices throughout the organization. It’s proactive and preventive measures, which are the highlight of strong security against malicious actors. It’s multifaceted, so mainly it’s about ensuring that an organization adheres to all relevant laws, regulations and industry standards, and also that it keeps abreast of the latest fraud acts that are going on, the latest fraud attacks that have happened, what bad actors are doing, and it’s really about protecting the integrity of our financial networks.

Greg Myers: Okay, and so there’s a lot of players or companies sort of to help our industry stay safe and secure. So, can you talk about some of those, or at least maybe some of the functions that you perform, and kind of, how does it all, how do all these players work together to keep us safe?

Kathryn McCall: Yeah, there’s a lot that goes into keeping our financial network safe and secure. Yeah, I would say there’s a lot of rules and regulations that go into it, such as the Bank Secrecy Act and the Financial Crimes Enforcement Network, which then enforces the Bank Secrecy Act. We’ve also got a lot of players and vendors involved in the industry, such as Signifyd, Alloy, Veriff and Quantexa, that help fight against friendly fraud conduct. Know your customer checks provide quick and accurate identity verification. Also tools to check on who are the people that, say, if we onboard a merchant onto our systems, who are the people that control that merchant? You know, you can look at the high level and say, oh, they’re a corporation, they’re founded in Delaware, but who’s pulling the strings behind that network? Where are they located? Where are their sources of funds that come in? So, you can follow up and find out a lot of that information through vendors, through regulators and then also just through public searches, searching and pulling data and information, such as information from the Secretary of State about the corporation.
And then all of these tools all come together and you have to use and pull different sources for different types of activities in order to control and protect your financial network and also others. So, each company, I would say, plays a really unique role in mitigating fraud and risk, but they’re all an integral part of our industry, by collectively creating an environment that enhances security and compliance.

Greg Myers: Yeah, you mentioned something when you were sort of given your description earlier about how you advise senior leaders, leadership executives, board of directors. Is there any one thing within this big realm of security and compliance that sort of always gets talked about, or is it really just, Kathryn, just keep us safe? I mean, is there anything that sort of bubbles to the top?

Kathryn McCall: There’s a lot of just, we’re safe, right, we’re okay, right, we’re in compliance with the laws, right. But there’s also a lot of concern, you know, driven by our board of directors and our executive team, about are we protecting financial networks as a whole? Are we? We don’t want to be a loose link or a weak link in the chain. So, there’s a lot of emphasis on looking at the merchants that we sell our services to and that we onboard to our platform. Who are these merchants? Have we performed all the know your customer or KYC checks on them? Do we really know and understand who’s in control of that organization and who funds that organization? Where’s their money coming from? Why are they using our services? How are they using our services? And it’s amazing to me just how granular, in a lot of respects, our board of directors can be about checking those merchants and refreshing the information that we get on our merchants. And if we have merchants who are, say, you know, it’s the last thing that anybody wants to do, which is refresh that due diligence information: provide you with all the information that we provided you in the past, but now you want it again. Now you want us to fill out these questions about who we are and provide copies of our IDs and all of those things, and it’s really the last thing any company wants to do.
But it’s amazing to me how our board of directors is: how many merchants are late in fulfilling that request? How late are they? Should we turn them off? And, you know, we know we won’t get the revenue from them, but maybe we need to turn them off and not allow them to transact over our systems in order to protect us. Again, it’s all about protecting the integrity of the financial systems. You know, what’s the reason that they’re late? Do they have a good reason? Or is it something like, we just don’t want to, or, well, maybe we don’t really want to disclose that to Trustly. So, if we delay long enough, maybe the question will just go away. And, believe me, the question will not go away and our board of directors will follow up.

Greg Myers: Yeah, that’s interesting. You know, with stuff that’s gone on in this industry, I mean it’s always been here and it always will. But a few bad actors can affect all of us, right, and there’s been a few things recently that you know, recently in the last year, that have happened that make certain segments of our industry look bad. So, I think for most of us who’ve been in the industry for a while, this is kind of obvious. But maybe can you talk about why this data security and security in general, why is it so important? And what are the ramifications? Obviously, we know the big ramifications of being in the news and things like that, but what are the other ramifications of not having a safe and secure environment?

Kathryn McCall: Sure. So, I think there’s two things going on here in terms of data security, and number one is the devastating impact it can have on an individual if their personal financial information or personally identifiable details get leaked. We’ve broken our trust with those people and it’s almost impossible to get back. Then the other thing to look at is also the impact on our financial networks in general. If our data security is not secure and if bad actors can get in there and can leverage information that they’re able to find (maybe they’re able to assume a consumer’s identity or steal information out of there or create some nifty new fraud conspiracy out of that data), then we’ve compromised the integrity of the financial networks.
Again, as you mentioned, there’s the loss of trust. There’s the reputational impact. It is, when that trust gets shattered and it’s very public, an uphill battle to win it back. There’s still that: weren’t they the ones that, I think seven or eight years ago, did blah, blah, blah? It’s not only protecting consumers and protecting their identity, but also protecting the financial networks. It’s essential that you have strong security procedures at the forefront to prevent breaches like that from ever occurring, and having a strong and secure environment for data. Having that strong and secure environment for data is really commonly expected in today’s world, and failure to provide it has serious consequences on reputation. Especially as we’re dealing, in the payments industry, with people’s financial information and payments on very important matters: payments of their mortgage, payments on other matters that could have really harmful consequences to the individual.

Greg Myers: Yeah, absolutely. Well, let’s turn a little bit and talk about AML. Can you tell our audience what it is and what are the ramifications of not being compliant in that area?

Kathryn McCall: Absolutely. AML is anti-money laundering. Money laundering is trying to make illegally obtained funds look and appear legitimate in the financial systems. When we talk about anti-money laundering or AML, we also need to talk about counter-terrorist financing or CTF. Counter-terrorist financing is using funds to, like what it sounds like, finance terrorist activities. Sometimes counter-terrorist financing can be almost more challenging than AML because the source of those funds could be legal. It’s just going to fund an illegal activity.
Around anti-money laundering and counter-terrorist financing, there’s a lot of rules and regulations. There’s the Bank Secrecy Act, the USA Patriot Act, which have controls, and you have to have an AML compliance program in place. If you’re a financial institution or a money services business, you have to monitor your systems to look for suspicious activity, file suspicious activity reports. You have to endeavor to know who your customers are (we’ve talked about that before, the KYC procedures): know who your customers are, know who’s transacting on your systems, know what their transactions look like, so that if there’s a spike of new, different activity, it may not necessarily be money laundering or terrorist financing, but you should know enough about your merchants to look at it and say, for instance, we’re in the gaming industry. Oh, it’s Super Bowl Sunday, we had a spike in activity. That makes sense. So that you know your customers, you know their history, you know the consumers who are transacting, so that if you see something like, huh, it’s a Monday in July and one of our gaming operators is experiencing a spike in activity, but there’s really no big games going on and there’s nothing happening. So, we need to look into that.
It’s about having the systems and the alerts and the processes in place, that you get those alerts and that you can look into those matters and say, hey, we’ve got a fraud ring going on or this is something different. We need to shut things down or slow the pace of transactions down while we look into this matter, make sure that our services aren’t being used for money laundering, aren’t being used for terrorist financing. And then, of course, you know there’s the self-interested matter, which is, if we breach the law, we could be subject to sanctions, fines, negative reputational impacts. It’s better up and it’s really. You know, as we mentioned before about data security, it’s really tough to reestablish your reputation after something happens, becomes public. You look unprofessional and you also look, you know, like you’re not being diligent to protect criminal activity in the industry.

Greg Myers: Yeah, and it’s just fascinating to me that payments companies, financial services companies have all of these rules and regulations and government entities that they have to deal with and we can still onboard merchants pretty fast and we can do transactions in seconds. And you know, that to me is fascinating. And I’m just curious and you don’t have to answer it from a Trustly perspective, but from like an industry or your knowledge perspective, like how many, how many bad things are happening or getting caught, like we never hear about them? But you have all these processes in place and you mentioned it slows down transactions or turn people off, or I mean, does that go on a lot more than we really realize?

Kathryn McCall: It does, it really does. And then there’s a lot of times, and this came up recently, where we noticed an attack within our systems, and shut it down, looked at it and analyzed it, and then one of our executives was talking to another friendly executive at another company who is like, oh, you got hit by the blah blah blah. Yeah. It’s like, oh, so you know. It’s like, okay, they hit that company, they hit this company. You know, they go around and they hit a lot of other companies, sometimes with the same schemes, sometimes with different schemes, which is why I think it’s really important that the companies and the players in this industry talk to each other and bring these things up with each other. Hey, this happened to us over the weekend. You know, you might want to look, or blah, blah, blah, or here’s how we protected against it, because it really does happen a lot more often than I think the average consumer would think.
There’s also been times, like, our risk team is really great at analyzing and they know when we turn a merchant on, they just know, like, we’re turning something new on and the fraudsters are out there waiting to pounce. So, they’ll turn it on real slow at first, so a slow rate of transactions. They’ll gradually ramp it up. If they notice anything going on, they’ll bring the pace down. They’ll ramp it back up and really analyze what is going on so that we get a feel for what the pace of transactions is with that merchant. What the amounts are. What are the amounts? You will talk to merchants, like, what are your average dollar amounts of the payment transaction? So, then you know when we look at it, like, well, this merchant told us that their average transaction is 30 bucks but we’re seeing $300. So that’s different. So, let’s slow that down. Let’s talk to the merchant and see what’s going on here.
But I do, it does happen a lot more often than I think people are aware of, and I’m the same way, like you: all these systems we have and multi-factor identification and all of these things I get frustrated with, and I have to remember, like, this is for my protection. There’s a reason that all of these things are out there, and when I look at something else or I get hit with a different type of identity verification thing when I’m trying to make a payment or do something, I always think, aha, somebody got hit with something, so they had to change their risk rules, they had to change their monitoring system and now something else is coming up. So, it’s a lot of push and pull (I know we’re getting into a bit of a different topic), but a push and pull between greasing the wheels for the consumer and the merchant but then also putting enough, you know, brakes and controls in place so that we can halt stuff or stop things midstream to protect the consumer and the financial networks.

Greg Myers: Yeah, well, what do you think are some of the biggest challenges that companies face when it comes to being secure and compliant?

Kathryn McCall: Oh, I think it’s just that nothing is ever set in stone. There are some companies that think, oh, we’re just going to set our compliance and establish some security standards and we’ll just set it and we’ll forget it and move on. But really the opposite is true. You know, regulations in the industry are constantly changing and evolving. There’s new innovations and developments that come out and can cause a change in rules and regulations. Some of these new innovations and developments open up, in so many ways, or something purely unintentionally, but open up new opportunities for bad actors in the industry to come in and say, aha, there’s a hole, there’s something I can exploit in that.
So, the landscape is constantly changing. The rules and regulations are constantly changing and evolving. The landscape of threats is always evolving. Bad actors are constantly devising new schemes, constantly thinking of ways to overcome safeguards. They’re ingenious in coming up with ways to circumvent rules, regulations and controls that are in place. I think some people think, ah, it’s theory. Compliance, that’s a boring industry. Whatever, it’s constantly evolving and you’ve got to constantly stay one step ahead of the bad actors. You’ve got to constantly monitor all of your systems and controls in place to make sure that you’re being compliant with the tapestry of rules and regulations that are out there. And in the United States we’ve, of course, got the federal rules and regulations. Then we have 50 states that all have their own rules and regulations, so it’s just constantly evolving and changing and nothing is really set in stone. So, you really have to be adaptable and have a robust plan to meet ever-changing threats and needs.

Greg Myers: Well, what do you think the future looks like? Maybe thinking out five, seven years from now? How do things look different?

Kathryn McCall: I think we’re moving in the area of, unfortunately or forcibly, more regulation and not less. I know that there’s a lot of governmental agencies that are looking at open banking payments, pay by bank, and coming up with ways to govern the industry and looking at the different ways that this industry can be exploited and thinking about the controls that they need to have in place. I think also the bad actors out there are going to become more sophisticated as technology continues to evolve. They’re going to come up with ways to overcome that technology or exploit that technology. So, security and compliance are going to become increasingly important and at the same time, as I mentioned previously, regulation and oversight will follow suit. As the bad actors get more sophisticated, the rules and regulations follow.
So, I think it’s imperative for companies to create and foster a culture of compliance within their organizations. Make sure everybody knows and understands that. Even maybe you work in marketing or somewhere where you just think, oh, money laundering, fraud, all those things, security, compliance, is completely unrelated to me. But you never know, and you might know something, like you notice, hey, we’re onboarding such and such a merchant, but I was at a trade show last week and heard somebody say that they’re not a very good actor in the space. So, it’s about making sure that your organization as a whole has a culture of compliance, so that in five to seven years, when we’ve got more sophisticated bad actors, more rules and regulations, everybody is aware that it’s on everybody’s shoulders to look at it. I think the payments industry in general is going to continue to accelerate and grow, with third parties coming in shaking up the competition, and all of us are going to be faced with these malicious actors and legal roadblocks, or I wouldn’t say roadblocks, maybe just more controls and more challenges to make sure that you implement controls that are required. So, yeah, I think it’s just going to become more regulated and more oversight.

Greg Myers: Okay, well, let’s circle back to Trustly, and you’ve talked about a lot of these things that have to happen, and can you tell us how do you manage all of your compliance programs, with all of the technology and the people and the tools? So how do you manage all of that?

Kathryn McCall: Yeah, so I’m the lucky person that compliance falls within my remit, so I get to manage all of that. We’re constantly building and evolving our compliance team and also the tools that we use and the controls that we put in place. We have a strong central team of compliance gurus, IT security professionals, GRC (that’s governance, risk and compliance) experts and legal counsel, regulatory experts, etc., that are constantly monitoring, updating and improving our various compliance programs. We also have training programs for our employees. Our employees just finished our anti-money laundering and counter-terrorist financing training in the month of August, which I know they were all very excited to participate in and complete.
We make sure that we have the best enterprise risk management that we can. We’re constantly looking at what are the risks coming into our enterprise, what are the risks in AML, what are the risks in CTF, what are the risks of fraud, etc. What new risks have come up, what have we heard from others? And just making sure that nothing is really set in stone and that we remain adaptive and nimble and that we talk to each other and we talk to other people in the industry. And when I say we talk to each other, that means we also talk with our risk team.
What are you guys seeing? The risks that we’re managing and watching for, are they adequately capturing the risks that you’re monitoring and protecting us against with your rules and regulations? What are the new regulations that are coming down? What do we need to do to change our systems to comply with those regulations? We regularly consult with external resources, such as outside legal counsel. We talk to regulators, we talk to cybersecurity experts and we have auditors come in and audit our systems and let us know if they see any deficiencies or any weaknesses, so that we can close those gaps and make sure that we don’t have any weaknesses in our systems. It’s a constant being nimble and adaptive and aware.

Greg Myers: Okay, well, Kathryn, we’ve covered a lot of ground so far. Is there anything else you wanted to go over before we wrap up the show?

Kathryn McCall: Yeah, I would just say, for everybody in this industry, it’s really on all of us to make sure that we protect the integrity of this financial industry and maintain the trust of the consumers in the industry, that we let the consumers be completely unaware of all these threats and pay their mortgage on the fly from their phone and not think twice about it and have that whole transaction go through completely seamlessly and be on two or three seconds unaware of all of the various checks and controls and risk rules and monitoring that that transaction goes through before completion. And, Greg, I just want to say I’m really grateful for this opportunity to share my insights and give deeper insight into how much effort Trustly puts into creating a secure and compliant environment for its employees and for the financial networks.

Greg Myers: Well, I think, as someone who’s been in this industry for a long time too, you kind of grow to take this stuff for granted. And it is such a huge part, and I think you said it so well that we all play a role in keeping it safe and that safety and security is important for all of us. Any one company that does something bad or wrong or whatever, it hurts the entire industry from a lot of different perspectives. So, you’ve had some great insights today. I really appreciate it. I know you’re very busy, so I wanted to thank you obviously for being on the show, and I appreciate the time and the insights.

Kathryn McCall: Absolutely. Thank you so much, Greg. I appreciate being here.

2:28 - Kathryn McCall Bio

3:20 - About Trustly

4:33 - High-level Description of Security & Compliance

5:33 - Players and Functions

10:05 - Importance & Ramification of Data Security

12:43 - AML Compliance

19:36 - Biggest Challenges Companies Face

21:33 - Future of Security and Compliance

23:55 - How to Manage Security and Compliance