Beginning in 1950 with the founding of the Office of Foreign Assets Control (“OFAC”) and continuing to the present with the recent passage of the Anti-Money Laundering Act of 2020, the US enacted a complex set of overlapping laws, rules and regulations that require financial institutions (“FIs”) to take steps designed to detect and prevent money laundering and terrorist financing (the “AML Laws”). Without detailed knowledge of the AML Laws, it’s all too easy to miss a key requirement and incur significant regulatory fines, business disruption and reputational damage.

DigiPli – together with Barclays Rise – prepared a series of four articles designed to help FinTechs operating in the US understand their AML obligations, and avoid costly mistakes.
PART 2: REQUIRED AML CONTROLS
Part 1 of this series discussed the four main ‘pillars’ of an AML compliance program applicable to FinTechs operating as non-bank financial institution (“NBFIs”). This article provides details about the second pillar – Implementing AML Controls – which is the most complex, time-consuming, and resource-intensive aspect of an AML program.
What AML Controls are required?
A FinTech operating as an NBFI must at a minimum implement the following AML controls:
- Customer Identification. Verify each customer’s identity through either documentary (reviewing an ID card) or non-documentary (reviewing / accessing other available information) means to confirm their: (a) name, (b) address, (c) EIN/TIN/SSN and (d) for individuals, date of birth. The FinTech must also notify the customer that they will be performing this verification by sending them a ‘CIP Notice’.
- Sanction Screening. Ensure that the customer is not on one of OFAC’s sanction lists. The check should be performed both prior to opening the account, and periodically during the relationship to ensure that the customer is not added to an OFAC list after account opening. Similarly, when sending funds or digital assets on behalf of a customer to a third-party recipient, the FinTech must confirm that the recipient is not on one of OFAC’s sanction lists.
- Transaction Monitoring. Develop and implement processes and systems designed to detect activity that may be indicative of money laundering or other criminal activity. Given the readily available nature of automated systems, regulators repeatedly found reliance on manual reviews of spreadsheets to be an “unreasonable” way to conduct transaction monitoring.
- SAR Reporting. Report suspicious activity that might indicate money laundering, tax evasion, or other criminal activities to the Financial Crimes Enforcement Network (“FinCEN”) within 30 days of detecting the suspicious activity.
- CTR Reporting. Depending on the FinTech’s business, file Currency Transaction Reports for currency transactions over $10,000 in the aggregate conducted by, or on behalf of, a customer during a single day.
- Record Keeping & Retention. Depending on the FinTech’s business, maintain records of each currency transfer of $3,000 or more, along with certain related information such as name, address, customer account number, date and amount of transfer and name and account information of the recipient. This requirement (the “Travel Rule”) also requires that some of this information “travel” with the transmittal order through the payment chain to the recipient’s FI. Note that FinCEN is seeking to amend the record-keeping requirements and the Travel Rule applicable cryptocurrency firms. However, due to intense push-back from the industry, coupled with the Biden administration suspending certain rule-making activities, FinCEN’s proposed amendments have been on hold for since January.
- FinCEN Registration. FinTechs that are money service businesses (“MSBs”) must, in addition to complying with state licensing requirements, register with FinCEN within 180 days after being licensed as an MSB. They must also renew their FinCEN registration every two years.
- Responding to Information Requests. Depending on the FinTech’s business, FinCEN’s may, pursuant to Section 314(a) of the PATRIOT Act, either on its own behalf or on behalf of federal, state, local or international law enforcement, request information from FinTechs about accounts and transactions of persons that may be involved in terrorism, money laundering or other criminal activity. FinTechs must comply with, document and retain any FinCEN information requests they receive.
Conclusion
Designing and implementing an AML program that meets regulatory requirements in an efficient and effective manner is a complex and daunting task for many FinTechs. If you have any questions regarding your AML obligations, or if you’re looking to automate your AML program and streamline your customer experience, feel free to contact us at team@digipli.com.
About the Series
This is the second in a series of four articles that provides an overview as to what FinTechs need to know about the US AML Laws. Part 1 discussed the four main ‘pillars’ of an AML compliance program applicable to all financial institutions, including FinTechs operating as NBFIs. Coming next week, Part 3 addresses certain AML requirements applicable to more highly regulated financial services firms. Lastly, Part 4 covers best practices in AML compliance.