What FinTechs Need to Know About AML – Part 4

Beginning in 1950 with the founding of the Office of Foreign Assets Control (“OFAC”) and continuing to the present with the recent passage of the Anti-Money Laundering Act of 2020, the US enacted a complex set of overlapping laws, rules and regulations that require financial institutions (“FIs”) to take steps designed to detect and prevent money laundering and terrorist financing (the “AML Laws”). Without detailed knowledge of the AML Laws, it’s all too easy to miss a key requirement and incur significant regulatory fines, business disruption and reputational damage.

DigiPli – together with Barclays Rise – prepared a series of articles to assist FinTechs in better understanding and complying with their AML obligations.

PART 4: AML BEST PRACTICES FOR FINTECHS

Part 1 of this series discussed the four main ‘pillars’ of an AML compliance program applicable to all financial institutions, including FinTechs operating as non-bank financial institution (“NBFIs”). Part 2 provided specific details of the AML controls each FinTech must implement. Part 3 covered certain additional requirements applicable to more highly regulated FinTechs operating as banks, mutual funds, broker-dealers in securities, futures commission merchants, and introducing brokers in commodities (“Highly Regulated FIs”). This final article covers AML best practices for FinTechs, which go above and beyond what’s specifically required by the AML Laws.

Why do more than the AML Laws require?

Once they begin to scale or seek external funding, many FinTechs operating as NBFIs implement AML best practices above and beyond what’s specifically required by the AML Laws. This is prompted by several considerations.

1. Risk Mitigation. Given the risk of massive fines, coupled with the fact that a FinTech’s management can be held personally (and criminally) liable for violating the AML Laws, the cost of ‘getting it wrong’ is huge. Plus, given that regulators will view any failure with 20-20 hindsight, taking additional steps to mitigate potential AML risk is important to both investors and management.
2. Avoiding Reputational Damage. If a FinTech’s infrastructure is ultimately found to have been used to launder illicit funds, regardless of the legal requirements this will both cause reputational damage and increase the risk of a regulator questioning whether the FinTech’s AML controls were reasonably designed. This can adversely impact company valuations, customer retention and public perception.
3. Integration with Highly Regulated FIs. FinTechs seeking to integrate with banks, broker-dealers or other Highly Regulated FIs may be expected (or even contractually required) to implement AML controls similar to those applicable to the more highly regulated entities. Failure to do so may impact a FinTech’s ability to scale or enter into valuable partnerships.
4. Non-US Operations. Many non-US AML laws, along with international standards published by the Financial Action Task Force (“FATF”), impose standards that are stricter than US AML Laws. Accordingly, some FinTechs with a global footprint choose to universally implement AML controls designed to meet the standards of FATF and all other jurisdictions in which they operate.

What industry best practices should FinTechs adopt?

What constitutes AML-related ‘best practices’ is constantly evolving to adapt to changes in the markets, technology and the political environment. While not an exhaustive list, many FinTechs operating as NBFIs implement some or all of the below best practices – regardless of whether they’re technically required by the AML Laws:

1. The CDD Rule. Many FinTechs implement the CDD Rule, i.e., the ‘fifth pillar’ applicable to Highly Regulated FIs discussed in Part 3. When implementing the CDD Rule, FinTechs place particular emphasis on: (a) risk-ranking customers using AML-relevant criteria, (b) performing enhanced due diligence (“EDD”) on higher risk customers and (c) periodically reviewing and updating customers’ risk ratings, profiles, and other information.
2. Non-US Sanction Lists. Screening customers (and recipients to whom customers are sending funds or digital assets) to determine whether they are on non-US sanction or watch lists. The most used global lists against which customers are screened, are the UK, UN, and EU sanctions lists.
3. Politically Exposed Persons. Screening customers to determine if they are Politically Exposed Persons (“PEPs”), who are foreign governmental officials and their family members and associates. PEPs are generally considered higher risk customers from an AML perspective, and many FinTechs perform EDD on PEPs.
4. Negative News. Running searches on customers to determine whether they were publicly reported as being engaged in criminal, fraudulent or other similar activities, which depending on the activity may impact the customer’s risk rating.
5. Other High-Risk Screening. Running searches on customers to determine whether they are: (a) on government enforcement or watch lists, (b) a State Owned Enterprise (generally deemed higher risk) or (c) a higher risk type of businesses (e.g., a marijuana-related business). Again, inclusion on one of these lists may impact the customer’s risk rating.
6. AML Risk Assessments. Performing a periodic (most FIs do this annually) AML risk assessment to assist the FI in identifying emerging AML-related risks due to a change in: (a) applicable laws or rules, (b) the political or regulatory environment, or (c) the FinTech’s own business activities. The results of the Risk Assessment are then used to update the AML controls.

Again, while not explicitly required by law, FinTechs that implement some or all these best practices will – if it’s later found that a criminal used their infrastructure to facilitate illicit transactions – have a much stronger legal and regulatory position.

Conclusion

Designing and implementing an AML program that meets regulatory requirements in an efficient and effective manner is a complex and daunting task for many FinTechs. If you have any questions regarding your AML obligations, or if you’re looking to automate your AML program and streamline your customer experience, feel free to contact us at team@digipli.com.

Additional Insights

While this series of articles focused on the AML Laws, many other regulatory requirements apply to FinTechs. These include federal and state registration and licensing requirements, customer complaint requirements, whistle-blower policies, anti-bribery policies, requirements under the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) rules, and others. Proactively addressing the AML Laws, in addition to other regulatory requirements, early in a FinTech’s lifecycle will reduce risk in the long term, and help it establish the proper foundation to both scale and integrate with other regulated financial institutions more quickly and efficiently.

About the Series

This is the last in a series of four articles that provides an overview as to what FinTechs need to know about the US AML Laws. Part 1 discussed the four main ‘pillars’ of an AML compliance program applicable to all financial institutions, including FinTechs operating as NBFIs. Part 2 provided specific details of the AML controls each FinTech must implement. Part 3 covered certain AML requirements applicable to more highly regulated financial services firms. This Part 4 addressed best practices in AML compliance.

We hope you found the content informative and helpful. Thanks for your attention!