Using Suptech To Improve Supervision
Tuesday, Nov 23, 2021

Using Suptech To Improve Supervision




This summer, Toronto Centre accepted submissions for an essay contest in which participants were asked to describe how supervisory technology (SupTech) can improve the effectiveness of financial supervision.

The competition received a large number of high-quality entries from our international network. We are pleased to announce the joint winners of this contest as Olawunmi A. Adelusi and Chinunam Boms Onumajuru, both of the Central Bank of Nigeria, and to publish a combined version of their submissions as a Toronto Centre Note.

Reflecting the high standards of the entries, we have also included in this Note an Annex based on a submitted essay from Farida Paredes Falconi of the Superintendency of Banks, Insurance and Private Pension Funds, Peru.

Toronto Centre commends all those who submitted an essay and congratulates these three outstanding writers on their accomplished works.



The COVID-19 pandemic, and the measures taken to contain it, have resulted in a severe global economic recession, large-scale disruptions to operational processes in both private and public sector organizations, and an acceleration in the growth of digital innovations that were already underway.[2]

Financial supervisors have been affected by all of these consequences of COVID-19[3]. They have had to address the heightened credit, insurance, market and operational risks in the firms they supervise; to rethink their approaches to ensure business continuity and the safety of their staff; to minimize their “on-site” visits to supervised firms; and to respond to the risks arising from the increasing use of financial technology[4].

This Toronto Centre Note discusses one key element of these supervisory responses, namely an increased interest in, and use of, “SupTech” - the use of technologically enabled innovation by supervisory authorities to support supervision. Supervisory authorities are increasingly using technology, data, and data analytics to improve the effectiveness of supervision.

This Note focuses on the growing use of SupTech by the Central Bank of Nigeria (CBN). Annex 1 sets out a second example, describing the use of SupTech by the Superintendency of Banks, Insurance and Private Pension Funds (SBS) in Peru.


Fintech, RegTech and SupTech

Banking and other financial transactions are increasingly becoming technologically driven, with many transactions being undertaken virtually and with improved digital experiences. The advent of new technologies has changed the entire financial landscape, bringing with it both risks and opportunities. As financial experiences become increasingly technology-based, faster and personalized, so is the threat posed by the vulnerability of financial institutions to risks such as cyber risk.

The inception of Fintech is a vital innovation in the financial services industry. Arner et al. (2015) describe the development of Fintech as a continuing process during which finance and technology have evolved together and which has led to numerous incremental and disruptive innovations, such as internet banking, mobile payments, crowdfunding, peer-to-peer lending, and online identification[5].

The rapid adoption of these technologies and the development of new business models in the financial sector poses an increasing challenge both to new entrants and to incumbent financial institutions.

Financial supervisors therefore need continuously to re-evaluate and sharpen their skills and approaches to supervision to keep up with changes in the financial sector. Supervisors must match the accelerating pace of technological innovations with commensurate technological tools in discharging their supervisory roles to be able to address the threats posed to the financial system. The efficiencies that these technologies offer can also be harnessed to support the compliance of financial institutions with financial regulation (RegTech)[6] and the conduct of financial supervision (SupTech).[7] The proactive application of advanced technologies opens up unprecedented regulatory and supervisory possibilities[8].

Broeders and Prenio (2018) describe SupTech as the use of innovative technology by supervisory agencies to support supervision. It is the process by which supervisory agencies digitize their reporting and regulatory processes, resulting in more efficient and proactive monitoring of risks and of the compliance of financial institutions. Similarly, the Basel Committee for Banking Supervision (2018) defines SupTech as the use of technologically enabled innovation by supervisory authorities.

There are many reasons why the emergence of SupTech is accelerating. The post-global financial crisis regulatory reforms have led to an upsurge in reporting requirements, hence the need for more efficient and effective monitoring to derive the benefits resulting from the increase in data availability. In addition to more data, better data are also a catalyst for SupTech. Better data are created through the harmonization of definitions in data dictionaries. Also, the growth in storage capacity and computing power opens the way for SupTech, while advances in data science have led to the development of new technologies that are relevant to supervision.


Benefits of SupTech for supervision

Toronto Centre (2018) suggests that there are at least two reasons supervisors should adopt SupTech. First, innovative technology will help supervisors to achieve their supervisory objectives. Second, without investing in technology, supervisors may be unable to deal with the developments in the financial sector (such as the rise of FinTech) and any related expansion of their statutory mandates.

In addition, SupTech can help supervisory authorities to achieve their objective of promoting the trust of economic agents in financial institutions and markets, thus supporting the core objectives of regulation and supervision.

Furthermore, SupTech can be a catalyst for a risk-based supervisory approach that can adapt more quickly to a constantly evolving environment. Several financial supervisors are already using innovative ways to implement a risk-based approach to supervise their financial institutions. Risk indicator dashboards, centralized data warehouses for supervisory reports, and early warning systems are just a few examples of tools that are  now entrenched in several supervisory authorities worldwide. SupTech offers the potential to radically improve existing tools and to develop better ones. The application of innovative technologies at the design stage of developing new regulations can also help to assess the potential consequence of policy proposals.

SupTech enhances regulatory data, automation and the streamlining of work procedures and tools, which significantly enhances data analytics - that is, the ability to analyze data in a faster, efficient, robust, and more complex way than using conventional analytics and data. SupTech can support the integration of multiple types of data in supervisory analysis, thereby increasing the accuracy and efficiency of decision-making, shifting resources away from process-oriented tasks. In doing so, SupTech can help to allocate supervisory resources more effectively and support more effective risk-based supervision.

SupTech could however also have a significant organizational impact, which may raise uncharted legal and ethical issues.


Constraints on the effectiveness of SupTech

Despite the efforts of supervisory authorities to enhance supervisory processes through technology, various challenges have been encountered in developing and using SupTech applications.

Data Quality

According to Broeders and Prenio (2018), the experience of early users of SupTech was that data quality proved to be one of the most serious constraints to the application of SupTech. The standardization and completeness of data is key to data quality, particularly where data sources are very large, for example data on equity and derivatives markets transactions. Data quality is an issue of foremost concern given its critical role in the effectiveness of SupTech applications.

Similarly, Broeders and Prenio (2018) identified some issues in developing or using SupTech applications, including a lack of transparency in some of the data uploaded; computational capacity constraints; increased operational risks, including cyber risk; limitations in data quality, management support and buy-in from supervision units; and rigid rules in project management. Hence, human intervention through supervisory expertise is still viewed as indispensable in the supervisory process, particularly in further investigating the results of analysis and decisions on the course of action.

SupTech provides supervisory agencies with a platform to digitize reporting and regulatory processes, thereby enhancing efficient reporting and proactively monitoring the risk and compliance levels of financial institutions. The increased efficiency in reporting could turn risk and compliance monitoring into a more forward-looking and more predictive process. But without quality data, SupTech will have a limited impact. Thus, increasing the quality of regulatory reporting should be the starting point to create a solid basis for the advanced analytics enabled by SupTech.

To maximize the benefits of SupTech in supervision, it is important to ensure the validity of data input, as informed supervisory decisions cannot be reached through the analysis of spurious data. To this end, it has become imperative to upgrade the available SupTech or develop a new one with the capacity to connect directly to data applications within financial institutions.

Operational Risk

The application of SupTech is likely to heighten the operational risks of a supervisory authority, in particular through an increase in cyber security risks in an automated SupTech environment. Supervisory authorities have therefore identified the need for improved risk management when using SupTech applications. While supervisory authorities may have measures in place to address data security, there is still the exposure resulting from open source and cloud applications, particularly as supervisors have had to embrace working remotely. Data security issues have accelerated due to supervisory reporting applications, given the interconnectedness of the IT systems of financial institutions and their supervisory authority.

A robust risk management and control framework is therefore required to harness the effectiveness of SupTech.

Legal risk

Closely linked to operational risk are the legal implications emanating from data collection. Supervisors do not readily know the legal requirements associated with the use of SupTech, especially with respect to data collection and data privacy laws. Legal issues may also arise from either deliberate or unintended breaches of data privacy laws. This limits the direct access of supervisors to commercially sensitive raw data of financial institutions, especially where there is no legal authority for supervisors to access these data.

Lack of Adequate Expertise

The application of SupTech requires supervisors to have the requisite skills to achieve maximum impact. The preferred candidates for SupTech support work should be knowledgeable in data science, computer science and supervision. Research shows that finding people with knowledge in all three areas is difficult, not least because they are “outpriced by the market”. The retention of qualified staff for the long term is becoming increasingly difficult. SupTech can only work when supervisory authorities have the correct dynamics of experts.

Poor Internet Connection

SupTechs are web-based applications that require an internet connection. Poor internet service has been a challenge for financial institutions and supervisors alike, as access to information becomes an issue whenever an internet service is unavailable.


Use of SupTech by the Central Bank of Nigeria (CBN)

The CBN is responsible for promoting a sound financial system in Nigeria through regulatory and supervisory oversight of banks and other financial institutions. The CBN Act, 1991, as re-enacted in 2007, and the Banks and Other Financial Institutions Act, 1991, brought all banks and other financial institutions, including microfinance banks and development finance institutions, under the regulatory and supervisory oversight of the CBN.

The supervision of banks and other financial institutions by the CBN has been segregated into on-site and off-site activities to ensure a continuing review of their operations and to maintain contact with the management of the institutions.

Off-Site Supervision

Off-site supervision requires financial institutions to submit statutory and non-statutory returns (financial and non-financial data on the institution’s operations) periodically in prescribed formats for analysis and to ascertain an entity’s compliance with prudential regulations. Statutory returns include daily, weekly, monthly, semi-annual, and annual returns including:

  • Statement of Financial Position
  • Income Statement
  • Sector by sector breakdown of credit
  • Insider-related credits
  • Schedule of non-performing loans
  • Analysis of other assets and other liabilities
  • Prudential ratios, including asset quality, capital adequacy, earnings, and liquidity ratios
  • Other critical financial performance indicators.

The CBN off-site surveillance includes analyzing prudential returns submitted by financial institutions and audited annual accounts[9]. The analysis is to assess each individual bank’s financial condition and to generate statistical data on the banking industry. The performance ratios regarding prudential requirements are also computed, while warning signs or indicators are flagged for supervisors’ attention.

The CBN traditionally commenced off-site supervision processes manually. Financial institutions were required to submit hard copy returns, while supervisors in turn uploaded the information into an excel spreadsheet for on-site supervision and financial analysis. It was a time-consuming, rigorous process that imposed costs on documentation, record keeping, and storage. The electronic Financial Analysis and Surveillance System (e-FASS) was deployed in 2006 to facilitate the online submission of returns by banks and other financial institutions.

However, the e-FASS gave supervisors an unreliable database from which to facilitate early intervention in troubled banks and to promote financial system stability. On-site supervisors were challenged with data integrity when validation of returns submitted by the bank was conducted. There were cases of unintentional misclassification of transactions, and of deliberate misreporting to present misleading information on the financial condition and on compliance with prudential requirements[10]. Some banks also expressed difficulties in complying with the changes in the system, and only a few banks designed simple software applications to generate monthly returns.

The e-FASS also proved to be expensive to maintain and was not sufficiently robust and flexible to incorporate changes in user requirements. Meanwhile, a multiplicity of IT reporting platforms and reporting tools were used across departments within the CBN. A process of consolidating returns from financial institutions and developing an integrated reporting platform was therefore initiated, and the CBN introduced the Financial Analysis (FinA), which remains currently in use.

FinA is an Integrated Regulatory Platform that enables the CBN to collect data from financial institutions, to analyze them using integrated business intelligence tools, to store them in a database, and to generate different reports using very flexible reporting tools. Submissions of returns using FinA commenced with a pilot run in December 2013.

FinA ensures complete control of documents with straightforward search, storage, and version management in the CBN. CBN supervisors can instantly access information regarding financial institutions such as financial data, addresses, contact details, financial institution type, management and directors, licences, and many other details of the institutions. FinA acts as an all-in-one information-based platform that collects, stores, organizes, and displays relevant information requested by supervisors. The development of the FinA application is consistent with the importance of SupTech and its functionality to support financial institution risk assessments, monitoring/review exercises, and enhancements to regulatory requirements.

The FinA platform also compromises:

  • The receipt and storage of monthly, quarterly, annually, and other periodic reports;
  • Display of key ratings for financial institutions such as Capital, Assets, Management, Earnings, and Liabilities (CAMEL) ratings;
  • Consolidated Financial Statements of Financial Institutions;
  • Nigeria Deposit Insurance Corporation (NDIC) Special Insured Institutions Department data requests.
On-Site Supervision

The COVID-19 pandemic tested the operational resilience and business continuity strategies of Nigerian banks and of the CBN itself. In the wake of the COVID-19 pandemic, operational risks increased given that more reliance was placed on technology and third-party service providers. In May 2020, the CBN adopted a new approach to its on-site supervisory work to mitigate the impact of COVID-19 on mobility and physical contact.

The CBN constituted a five-person committee to develop a methodology for examining banks in line with global best practices. The Committee developed a hybrid approach to on-site examination activities based on an examination process divided into three activities, namely: Pre-Examination, During Examination and Post-Examination.


To ensure that social distance and minimal physical contacts are maintained in carrying out on-site examination, the CBN designed a document management process for receiving information from supervised financial institutions. The process included the management of the CBN external correspondence repository, which is accessible only to authorized persons on a need-to-know basis. Financial institutions were required to provide the contact details of two staff responsible for uploading data to the central repository. The information uploaded was automatically moved to a location not accessible to the designated financial institution’s staff who carried out the upload, to ensure that the uploaded files were not subsequently modified.

A senior officer of the financial institution, not below the rank of an Executive Director, was required to attest to the accuracy of the uploaded documents with appropriate penalties to be imposed for late, incomplete, or false uploaded data. In addition, financial institutions were required to send a list of names and official email addresses of their staff scheduled to attend the opening and exit meetings, including representatives of their external auditors. Designated supervisors were trained on this document management process.

During Examination

In a bid to ensure continuous monitoring and risk-based assessment of financial institutions, supervisors are required to prioritize and concentrate on the critical areas of regulatory concerns tailored to each individual financial institution’s specific conditions and the impact of the COVID-19 pandemic on their operations and other risks. Of particular importance are the review of Asset Quality (Credit Reviews), Information Technology (Cybersecurity and Cyber fraud), Governance (Board, Senior Management and Risk Management), Capital, Liquidity, and the impact of the pandemic on the business models of each financial institution.

After the review of the books of financial institutions in these key areas, virtual engagements are held with relevant officers of the financial institution, through video conferencing platforms such as Zoom and Microsoft Teams. For example, interviews are conducted with key members of Senior Management and Board of Directors, including at least one independent director. The importance of this process cannot be over-emphasized, as it is critical to verify and assess the resilience of financial institutions in the wake of the pandemic.

Post Examination

In this phase, supervisors commence report writing activities, with draft reports ready within one week after the conclusion of the examination. The process is also done remotely. The reports to be submitted include:

  • Section Notes - prepared in standard format for each significant activity or risk management control function identified for review. The section note is used to fully document an assessment of the activity or the risk management control function.
  • Risk Assessment Summary – a summary of the findings and section notes with detailed information of significant findings.
  • Management Reports - the key written document sent to the institution. It addresses findings, recommendations, and follow-up of previous findings. The Management Report will also include a brief explanation of the Composite Risk Rating for the financial institution.
  • Reports for Foreign Exchange and money laundering examinations are as determined by the coordinating teams.

Where necessary, physical meetings are held between the supervisors and appropriate senior management of the financial institution to discuss the findings and recommendations. These physical meetings take place with full adherence to all Nigeria Centre for Disease Control safety guidelines/protocols.

Thereafter, the Management Report is presented virtually to the Board of the financial institution at the earliest Board meeting to set out the supervisory findings and recommendations, and to follow-up on previous findings. The report also includes a brief explanation of the Composite Risk Rating of the financial institution.

Subsequently, the findings and recommendations reported to the financial institution are followed-up on a timely basis, with institutions afforded reasonable, but firm, deadlines for corrective action. Financial institutions are expected to provide regular reports on progress achieved, which the off-site supervisors continue to monitor through surveillance of the daily/monthly/quarterly returns submitted through FinA. FinA is one of the IT tools that supported supervision during the outbreak of the pandemic as it served as a surveillance tool used for monitoring in real time the capital adequacy, liquidity, and loan-to-deposit ratios amongst other financial soundness indicators of banks.

The adoption of the new approach for on-site examinations enabled the CBN to continue to achieve one of its mandates of “promoting a sound financial system in Nigeria” despite the disruptions caused by the continuing pandemic.


Another SupTech application currently in use in CBN is the National Association of Microfinance Banks Unified Information Technology (NAMBUIT), developed by the CBN in collaboration with industry stakeholders for a unified IT platform for Microfinance Banks (MFBs). The NAMBUIT platform comprises the core banking system and sub-system for non-interest banking, agent banking, mobile payments, etc. It was designed to boost the financial access inclusion and stability of microfinance institutions. The system serves as a common platform to access data for supervisory review and analysis, and to aid decision-making. NAMBUIT also acts as an information processing tool for MFBs to improve their ability to provide necessary information to the CBN and NDIC.

The Financial Institutions Application Processing System (FIAPS) is an application employed to manage office workflows from start to end automatically. It allows for approval of jobs processed, rejections, and comments on workflows. FIAPS provides the capability of attaching scanned documents or soft copy documents during the approval or rejection of workflows. The application significantly reduced the long chain of workflow where submissions from financial institutions were manually passed through relationship officers to higher authority for vetting and to give approvals or rejection to the application.



The evolution in the financial sector landscape following COVID-19 highlighted the need to accelerate digital transformation in the sector and to design risk management processes that are fit for purpose given the heightened cyber and other operational risks. The pandemic also revealed the need for financial institutions to rethink their business models. There is an increasing need to think innovatively to open new income streams for the sector to cushion the impact of competitive pressures, increased costs, and likely impairments in the credit portfolio.

The emerging supervisory technologies and innovations have shown to have the potential to transform and promote effective supervision, especially in a world where financial institutions now rely heavily on Fintechs to provide services to their customers.

To ensure the effectiveness of SupTech to enhance the supervision of financial institutions, supervisors are recommended to:

  • Re-assess supervisory priorities and emphasize the sectors and supervisory areas more heavily affected by the crisis, such as credit risk exposures to vulnerable sectors, banking sector liquidity, insurance claims, and cyber and operational resilience.
  • Increase monitoring and engagements with financial institutions on the risks and priorities highlighted in this Note.
  • Proactively provide guidance to financial institutions on key regulatory/ supervisory expectations.
  • Improve supervisory approaches, prudential rule books and policy toolkits to focus more on early warning systems and robust off-site SupTech requires a tech-oriented approach to supervision instead of a purely finance- or legal-oriented one. While on-site examinations should not be eliminated despite restrictions on physical interactions, the approach needs to be re-assessed. The examination should as far as possible be conducted remotely with limited physical contact. On-site visits should focus on validating observations on key significant areas.
  • Collaborate or partner with other supervisory agencies.
  • Invest in talented staff and innovative technology in financial supervision, which is critical in introducing this tech-oriented approach. The buy-in of senior management and supervision staff and implementing robust risk management frameworks are also required to fully embed and maximize the benefits of Capacity building through training on the operation of evolving SupTech and cybersecurity is also essential to prepare financial institutions and supervisors for the efficient and secure use of SupTech applications.

Implementing these measures should help to promote a wider acceptance and application of SupTech for supervision and to promote financial stability in an evolving world.



Agur, Itai, Soledad Martinez Peria, and Celine Rochon. Digital financial services and the pandemic: Opportunities and risks for emerging and developing economies. International Monetary Fund Special Series on COVID-19. July 2020.

Arner, Douglas W., Janos Barberis, and Ross P. Buckley. The evolution of Fintech: A new post-crisis paradigm?. Georgetown Journal of International Law. 2015.

Basel Committee on Banking Supervision. Implications of fintech developments for banks and bank supervisorsFebruary 2018.

Broeders, Dirk, and Jermy Prenio. Innovative technology in financial supervision (suptech): The experience of early users. FSI Insights. July 2018.

Cœuré, BenoîtLeveraging technology to support supervision: challenges and collaborative solutions.  Speech.  August 2020.   

Ogunleye, Ganiya. The Embattled Regulator. Nigeria: Kachifo Limited. 2018.

Schueffel, PatrickTaming the beast: A scientific definition of fintechJournal of Innovation Management. Volume 4. 2016.

Toronto Centre. FinTech, RegTech and SupTech: What They Mean for Financial Supervision August 2017. 

Toronto Centre.  SupTech: Leveraging technology for better supervision.  July 2018. 

Toronto Centre. Guide to Supervision in the COVID-19 World September 2020.   


Annex 1:

Use of SupTech to Supervise the Integrity of individuals and Money Laundering and Terrorist Financing

This Annex presents some SupTech tools developed by the Superintendency of Banks, Insurance and Private Pension Funds (SBS) of Peru. It focuses on three tools developed by the SBS to allow supervisors to anticipate the generation of misconduct risk events, due to either a lack of moral suitability of the senior management, Board directors, or controllers of a financial institution, or a lack of systems and controls to prevent money laundering and the financing of terrorism (ML/TF).

As a preliminary step to using SupTech for the supervision process, the supervisor should have developed a risk-based approach to supervision, which takes into account the level of the inherent risks of financial institutions, the policies and procedures used to mitigate them, the adequacy of financial resources, and the final risk level. This allows supervisors to allocate the resources and techniques of adequate supervision to the level of risk.

The SupTech tools presented in this Annex should allow supervisors to improve off-site supervision, reduce on-site supervision times, have a better understanding of the current risks of financial institutions and, based on this, to develop more effective risk-based supervision.

Suitability of Individuals

To obtain information regarding the integrity of individuals, the SBS has redesigned a legacy system called REDIR, through which financial institutions send structured information on the moral suitability of the legal and natural persons under evaluation to the SBS, through a form that has the character of a legal declaration. This form contains closed questions (Yes/No) about the criminal, judicial and police records of the people evaluated, as well as their presence on international sanction lists such as OFAC, UNSC, EU, among others.

The persons evaluated must also declare if they are involved in any impediment of the General Law of the Financial System and if they are, or have been, part of an investigation process for money laundering, terrorist financing or other associated offences. The tool has an internal counterpart, Internal REDIR, where the supervisor responsible for the financial institution will carry out the assessment of the moral suitability of the assessed individual. The information submitted by the financial institution is assessed, and the identity document is compared online with the databases of the Financial Intelligence Unit (FIU) against suspicious activity reports, as well as with the database of the national identification authority (RENIEC) and the Tax Administration Authority (SUNAT). Currently, supervisors must manually search the databases of an external provider and the General Attorney database; this is due to the difficulties of integrating these databases with the tool.

It is expected that in a next version both databases will be integrated, and the supervisor will automatically obtain the possible matches of all the databases with the assessed individual. Likewise, the Internal REDIR records all the evaluations made by supervisors, which allows the supervisory authority to maintain an evaluation log of relevant individuals linked to a financial institution, so that if, at some point in the future, the same person is linked to another financial institution, the SBS will have information about the background and previous assessments of that individual. This section of the REDIR application has confidentiality safeguards, so the evaluation of a person can only be accessed by the assigned supervisor and the Chief of the AML Department. These restrictions are associated with the nature of the information evaluated and are intended to prevent information leaks.

The SBS has also recently issued regulations that clearly specify the requirements of moral suitability, technical and economic solvency for the shareholders, directors, managers and other top staff of financial institutions.

Money Laundering and Terrorist Financing

Various SupTech tools have been developed to manage ML/TF risks, in particular with regard to customer due diligence (KYC), the assessment of a customer's ML/TF risks profile, the digital on-boarding process, and transactional analysis to determine the existence of suspicious transactions. These tools have been developed by institutions such as the National Banking and Securities Commission of Mexico and have made it possible to transform granular data for the analysis of suspicious activities. One of the main challenges that authorities face when applying these tools is the quality of the data provided by financial institutions, whether it is structured or unstructured data.

Semi-Annual Report of the AML Compliance Officer

The SBS has developed a tool that captures unstructured data of the organizational structure, policies and procedures developed by financial institutions for ML/TF risks prevention. This tool can be found on the “Supervised Portal” (the institutional webpage through which financial institutions send information to the SBS) and consists of predefined forms in which the AML compliance officer completes information every six months, using the following fields:

Internal environment – this includes the annual work program for AML and CTF compliance (and its degree of progress); the functions assigned to the AML compliance officer; the personnel assigned to the management of ML/TF risks; the existence and composition of the ML/TF Risks Committee; and programs and indicators associated with staff training. The main internal normative documents associated with these risks are also requested, as well as any changes in internal policies and procedures during the period under report. Information is also requested on existing communication channels between the AML compliance team and other staff of the financial institution; any new typologies detected on ML/TF; and statistics on any de-risking applied for ML/TF reasons.

ML/TF risks management - this section includes information on the frequency of ML/TF risks assessment, and the results of the key risk indicators (KRI). Additionally, structured data are requested on exposure to ML/TF risks. The details are developed further as the second ML/TF SupTech tool developed by the SBS (see below).

Information and communication – this includes data on the type of information tools used in ML/FT risk management, their description and whether they are developed internally or provided by third parties. Statistics are also required on the number and amount of unusual and suspicious transactions for each month of the period.

Internal and External Audit - this section contains the Annual Report on the ML/TF Prevention System developed by the financial institution’s Internal Audit Unit, as well as the one prepared by the External Auditors; and the status of implementation of the recommendations made in both reports.

Other operations and services - this section covers information on correspondent banking relationships, details of correspondent banks, and the prevention measures applied where correspondent banks have high exposure to ML/FT risks.

Although these submissions are mostly unstructured data, approximately 80% of the information that was usually obtained through an on-site inspection is now delivered to the SBS digitally. This tool allows better and more intensive off-site supervision, the preparation of off-site assessment reports, and the identification of situations that require immediate corrective measures. In addition, assessing this information feeds into the financial institution’s risk matrix and provides one basis for undertaking further risk-based supervisory analysis and for supervisory intervention.

ML/TF Risks Exposure Questionnaires

These questionnaires are statistical forms in Excel that provide structured data regarding ML/TF risk factors - customers, geographical areas and products. The sections related to customers and geographical areas are similar to the systems supervised by the SBS, with variations only in the case of the product risk factor.

Customers – this includes the type of customers in accordance with the due diligence regime; customers’ risk levels; the risk assessment of different economic activities; the number of customers by economic sector; and the number and amount of Suspicious Activity Reports (SARs) associated with Political Exposed Persons (PEPs), national and foreign customers, natural persons and legal persons or entities.

Geographical zones – this includes the ML/TF risk level of each national geographic zone; the number of customers by geographic zone; the amount of passive and active products by geographic zone; and the number and amount of money of SARs generated in each geographic zone.

Products – this lists the products for each supervised system (financial, insurance, and private pension fund systems). For each product the required information includes the risk level of each product; the number of customers; how many customers of the enhanced due diligence regime are related to each product; and the number and amount of money of associated SARs.

The Excel sheets are transferred to an Oracle tool, which contains pre-established formulas that determine the level of exposure for each ML/TF risk factor, each financial institution, and each sector supervised by the SBS. From this analysis, dashboards are generated to focus supervision efforts (off-site and on-site) on those factors and on financial institutions that show a higher level of exposure, and to assess which preventive measures the financial institutions have developed with respect to identified risks. The dashboards are published in the “Supervised Portal”, to provide financial institutions with information on the level of ML/TF risks at the supervised system level.


[1] This Note combines essays submitted by Olawunmi A. Adelusi and Chinunam Boms Onumajuru of the Central Bank of Nigeria. The Annex is based on an essay submitted by Farida Paredes Falconi of the Superintendency of Banks, Insurance and Private Pension Funds, Peru.

[2] See, for example, Agur et al (2020) and Coeuré (2020).

[3] See Toronto Centre (2020).

[4] The Financial Stability Board defines Fintech as “technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.

[5] See also Schueffel (2016).

[6] RegTech refers to the applications of innovative technologies that support compliance with regulatory and reporting requirements by regulated financial institutions.

[7] See Broeders and Prenio (2018).

[8] See Toronto Centre (2017).

[9] Ogunleye (2018).

[10] Ogunleye (2018).