Beginning in 1950 with the founding of the Office of Foreign Assets Control (“OFAC”) and continuing to the present with the recent passage of the Anti-Money Laundering Act of 2020, the US has enacted a complex set of overlapping laws, rules and regulations that require financial institutions (“FIs”) to take steps designed to detect and prevent money laundering and terrorist financing (the “AML Laws”). Without detailed knowledge of the AML Laws, it’s all too easy to miss a key requirement and incur significant regulatory fines, business disruption and reputational damage.

DigiPli – together with Barclays Rise – prepared a series of four articles designed to help FinTechs operating in the US understand their AML obligations, and avoid costly mistakes.
PART 1: THE WHO AND THE WHAT
Who’s subject to the AML Laws?
The AML Laws apply to more than just traditional financial institutions such as banks, broker-dealers, and commodity firms. FinTechs that operate as non-bank financial institutions (“NBFIs”) are also “financial institutions” as defined in the AML Laws. This includes cryptocurrency exchanges, operators of credit card systems, insurance companies, online lending and finance companies, P2P lenders and transferrers, money service businesses, FX dealers, crowdfunding platforms and others.
What are the main requirements of the US AML Laws?
Every FI – including FinTechs operating as NBFIs – must establish an AML program comprised of four main ‘pillars’. However, the more highly regulated FIs (e.g., banks, broker-dealers, and others) are also subject to a fifth pillar, which is discussed in a future installment of this series.
The four main AML pillars applicable to all FIs are:
- Appoint an AML Officer. Designate an individual who’s responsible for overseeing AML compliance for the FI. They must have both sufficient knowledge of the AML Laws, and sufficient authority within the organization to ensure they can effectively perform their duties.
- Implement AML Controls. Establish, document, and implement internal processes, policies, controls, and systems reasonably designed to comply with the AML Laws, in a manner that’s tailored to the FI’s business and operations (“AML Controls”). The AML Controls and associated documentation must also be periodically reviewed to ensure they remain current and effective. Details as to this pillar – the most complex, costly and time-consuming one – are discussed in the next installment of this series.
- Provide Employee Training. Periodically train all employees about the AML Laws, and their responsibilities in ensuring the AML Controls are effectively implemented. The training must be tailored to a particular FI’s AML Controls, attendance must be documented, and ‘off-cycle’ training should be provided if the AML Controls materially change.
- Perform Independent Testing. On a periodic basis (most FIs do this at least annually) an independent party must test the effectiveness of the AML Controls. The testing doesn’t need to be performed by a third-party audit or consulting firm. However, the person(s) performing the testing must be knowledgeable and qualified regarding the AML Laws, and they cannot be responsible for AML compliance at the firm.
Conclusion
Designing and implementing an AML program that meets regulatory requirements in an efficient and effective manner is a complex and daunting task for many FinTechs. If you have any questions regarding your AML obligations, or if you’re looking to automate your AML program and streamline your customer experience, contact us at team@digipli.com.
About the Series
This is the first in a series of four articles that provides an overview of what FinTechs need to know about the US AML Laws. Part 2 provides a detailed breakdown of the second and most complicated of the AML pillars – Implementing AML Controls. Part 3 addresses certain of the AML requirements applicable to more highly regulated financial services firms. Lastly, Part 4 covers best practices in AML compliance.