When it comes to financial technology (Fintech) companies and BSA/AML (Bank Secrecy Act/Anti-Money Laundering) considerations, there are many key points to understand relating to the overlap between the two from a risk perspective, as well as system processes and cybersecurity concerns. In this article, we examine some FAQs that outline what a fintech company should consider to ensure it remains compliant and continues minimizing risk.
1. Does AML tie in with or relate to SOC 2 in any way?
Fintechs often leverage third-party service providers or Software as a Service (SaaS) solutions to support different aspects of the AML/KYC (Know Your Customer) program. This requires sharing customer PII (Personally Identifiable Information) with third-party service providers. As part of the Fintech vendor risk management program, it is strongly recommended that they evaluate the potential AML/KYC vendor’s commitment to security and privacy by evaluating their SOC 2 Type 2 reports as part of the vendor onboarding process. These reports are issued annually and should be requested, reviewed and evaluated by the organization annually as part of its ongoing third-party risk management program.
2. Is there a difference in considerations if my customers are business (B2B) vs. consumers (B2C)?
From a BSA/AML program perspective, Know Your Customer (KYC) compliance will require a Fintech firm to better understand whom they are doing business with through 1) information gathering and 2) conducting customer due diligence. Individual consumers are usually easier than businesses to conduct adequate KYC program reviews because there may be more than a single individual associated with a business. Separately, reviewing a customer’s transactional activities to identify unusual or suspicious activities (Transaction Monitoring) may be more complicated and nuanced when dealing with a business versus an individual customer.
3. Is there a tie-in with cybersecurity/cyber breaches?
The Financial Crimes Enforcement Network (FinCEN) specifically discusses the need for collaboration between cybersecurity teams and BSA/AML teams. Specifically, the information provided by cybersecurity professionals could provide additional information in the identification of suspicious activity. Business email compromise is a great example of the overlap between BSA/AML and cyber. These attacks can be leveraged to steal or layer funds through a series of accounts.
4. What are the differences between insourced vs. outsourced AML personnel/systems?
This is a subjective decision that will need to be made based on a Fintech company’s unique circumstances. Finding the right subject matter expert and developing an effective system to mitigate AML risk isn’t easy, or without cost, regardless of the decisions made. Depending upon the risk associated with the Fintech, adequate mitigation efforts will need to be appropriate to the risk assessment of the company. There are pros and cons of having in-house experts and systems to execute a Fintech’s AML Program versus finding the right outsourced solutions to supplement the company’s internal AML risk monitoring. Whether it’s outsourced, insourced or, more appropriately, a balanced combination of both, the rule of thumb should be that the AML risk mitigation efforts are appropriate and sufficient for the company’s known AML risk posed by its business, customers, activities and its business counterparties.
5. How has artificial intelligence (AI)/machine learning (ML) enhanced or made AML more efficient and what are the risks of using AI/ML with AML policies?
AI/ML has been the latest innovation and enhancement strategy impacting AML Compliance programs and the Financial Services industry. While there are promising areas where AI/ML can bring efficiency and cost savings to historically manually intensive AML surveillance and investigation processes, the adaptation and regulatory acceptance of the new innovation has not been broad but case by case. Regulatory supervisors continue to monitor and closely examine whether AI/ML enhancements in the AML space are safe and effective.
Without a doubt, new innovations in blockchain technology and machine learning will bring efficiencies and improvements to the way companies have historically conducted their AML programs. The counterpoint to that is money launderers are constantly finding new ways to launder money to avoid new techniques and technologies.
6. I keep hearing about this FinCEN – what is it and how does it relate to AML?
An AML program’s purpose is, in its simplest terms, to ensure that a company is not a party or conduit to money laundering activities and, if appropriate, to satisfy all regulatory requirements. FinCEN is a bureau of the United States Department of the Treasury that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes. Their stated goal is to safeguard the financial system from illicit use, combat money laundering and promote national security. FinCEN also serves as the government agency that certain Fintechs who perform money transfer activities must register with as a licensed Money Services Business (MSB). See a recent example of how a state-licensed Trust Company ran afoul of FinCEN through their inadequate AML program and was fined $1.5 Million.
7. Why does a Fintech company need an Anti-Money Laundering Compliance program?
There are many reasons for Fintech companies to institute and execute an effective AML Compliance program:
- US regulatory agencies (i.e. FinCEN, New York State Department of Financial Services (NYSDFS)) may require a Fintech company to have an AML program, given that Fintech companies are financial services companies by their nature.
- Fintech’s commercial banks may require them to have an effective and operating AML program as part of the bank’s AML Risk & Know Your Customer (KYC) program governing their customer relationships.
- Having an effective AML Program will mitigate possible instances of money laundering, fraud or other financial crimes occurring with the Fintech company and their customers.
- Having a strong AML compliance program and governance will demonstrate to external parties (investors, customers, vendors and regulators) that the Fintech understands and has taken steps to mitigate its AML risks.
Learn how Withum positioned a Fintech company for compliance success after addressing bank regulatory concerns with BSA/AML Program implementation.
8. What are the basic requirements in a Fintech AML compliance program?
There are 5 basic ‘pillars’ of an AML program:
- Designate a dedicated AML compliance officer.
- Develop internal policies (written program) to address AML risks and controls.
- Create and execute internal training for Fintech employees and impacted staff on AML.
- Perform periodic independent testing or auditing of the AML program.
- Have a Know Your Customer due diligence program designed for the Fintech to know who their customers are.
9. What are the consequences of an insufficient AML program for Fintech companies?
- Potential regulatory penalties and fines – for example, Coinbase was fined $100M by a New York regulator (NYSDFS) on January 4, 2023 for failures in its BSA/AML program, and the Robinhood crypto arm was fined $30M by NYSDFS for violations of AML regulations.
- Certain commercial banks will not allow Fintech companies to open and operate banking relationships with them without an effective AML program, making it more difficult to conduct business and receive or send funds for the Fintech company.
- Less protection to the Fintech and their customers; from the harm caused by criminal financial activities that may occur without an effective AML program designed to mitigate the AML risk.
- Without knowing who they are doing business with or doing transactions with, a Fintech company may violate OFAC (Office of Foreign Asset Control, US Treasury) policies resulting in penalties and fines – for example, Amazon settled with OFAC on July 8, 2020 for $134k in OFAC violations for allowing prohibited transactions with Sanctioned Countries or Sanctioned Individuals.