Overcoming AML Challenges in the Age of Fintech
Aug. 31, 2016
By John Epperson, CAMS, CFE, and Arjun Kalra, CAMS
As new financial services technologies hit the global market daily, consumers have more ways than ever to make financial transactions. We can secure a loan in minutes, have robots make investment decisions for us, and make payments using our smartphones and new currency types.
In the face of these remarkable advancements, banks and financial technology (fintech) companies are starting to collaborate with each other, but that collaboration often fails to effectively address fundamental risks associated with money laundering and other financial crimes. In this article, we offer some simple strategies and tactics that can be used to address these risks so that banks and technology companies can work together effectively and focus on the innovations that are changing the nature of transactions.
A Dynamic Environment
In response to consumer demands, banks and other financial services entities have accelerated their innovative efforts to produce streamlined and frictionless financial services and products. These market advancements are fueling a significant number of startup fintech companies that are changing how finance is handled and financial transactions are processed. The advancements are generating an unprecedented number of new products and services as well as new types of business arrangements.
To meet changing market demands and benefit from potential mutual advantages, many nimble young fintech companies and longtime traditional banks are forging numerous types of relationships, from the simple and traditional – in the form of a fintech company having a bank account to facilitate the company’s business transactions – to the more complex and unusual, such as the formation of a partnership of a bank and a fintech company in order to deliver a new service or product.
The result of all this collaboration is new and emerging risk. The risks related to anti-money laundering (AML) compliance in particular are attracting the attention of global financial services regulators and require fintech and banking executives to take action to mitigate them.
AML Challenges for Both Sectors
While trying to realize the potential value to be gained from their new relationships, banks and fintech companies face similar, yet often opposing, challenges related to AML compliance. Following are several of the challenges the two sectors have in common:
- Business opportunities. Fintech companies often rely heavily on banking relationships and access to the global financial system – indeed, these requirements are frequently the cornerstones of fintech business plans. Similarly, such relationships often provide banks with significant revenues tied to account fees or income from new products and services, along with other types of benefits such as new contacts.
- AML technology. To provide solutions and services never before seen in the marketplace, some fintech companies are deploying new methods and advanced technology to identify money laundering or prevent it from occurring via these products and services. Simultaneously, some banks that offer accounts to some fintech companies struggle to integrate fintech data or to configure their existing AML systems to monitor unique activities and products in ways that satisfy banks’ AML monitoring and regulatory needs.
- AML program oversight. Increasingly, fintech companies are structuring their business plans, products, and services to intentionally limit their AML regulatory burden or supervision – for example, by not managing the flow of funds themselves, limiting the features of their products or services, or using banking agreements to contractually limit their AML roles and responsibilities. Bankers, on the other hand, often want fintech companies’ assurance that they are properly managing the AML risks of activities flowing through their bank accounts. In particular, bankers typically like to see fintech companies have some skin in the game as it relates to AML compliance – particularly when third-party funds are settled through the bank’s accounts.
- Ongoing risk management and monitoring. It’s not uncommon for a fintech customer to receive from its bank a last-minute urgent request to provide significant amounts of data to support ongoing monitoring of AML compliance or to respond to a request from the bank’s regulator or auditor. Most banks don’t have the resources or infrastructure to monitor a fintech customer’s or partner’s adherence to AML roles and responsibilities.
Strategies for Bankers
Financial services innovation, revenue generation, and customer acquisition are among the many benefits banks realize by becoming partners with fintech companies or allowing such companies to open banking accounts. All too often, however, bank leaders are nervous about pursuing a relationship or new account with a fintech company because of concerns related to money laundering, increased regulatory scrutiny, and the amplified overhead spending that the bank would require to monitor the fintech company over time.
Each of a bank’s accounts, partnerships, and other relationships with fintech companies is unique, and each requires thorough vetting and due diligence before the bank determines whether a fintech company fits into its culture, risk boundaries, and strategy. However, in our experience, banks that deploy certain strategies are more likely than others to manage AML concerns successfully and, as a result, capitalize more effectively on the numerous business opportunities fintech companies can offer.
These strategies include the following:
- Define the bank’s risk appetite and tolerance. AML compliance officers should have discussions with their senior management teams and boards of directors about the impact of fintech on the traditional banking system and strategies related to the consideration of becoming partners with – or the bank of – growing fintech companies. As opposed to establishing a blanket prohibition of certain types of customers, such as those processing third-party payment activity, the bank should consider the attributes, criteria, and market compensation that it would find appropriate and the infrastructure and resources that would be needed to effectively manage the risks associated with such companies.
Producing documented, and board-approved, statements related to the risk appetite for and tolerance of having fintech companies as customers is an approach deployed successfully by many bankers. Each time a new potential fintech relationship or other opportunity arises, it is far easier and more efficient to assess the new business opportunity against an existing board-approved statement of the bank’s risk appetite and tolerance than it is for the compliance officer to chase down the personal opinion of key decision-makers throughout a bank.
- Tell the fintech company what the bank wants. Does the bank want access to the fintech company’s customer data to better support transaction monitoring, customer risk rating, and sanctions screening? If so, the bank should ask for it directly. Fintech companies generally have a lot of data, and most are more than willing to share permissible information with banks if it means being able to retain a strategic banking relationship. Better yet, the bank and fintech company should have a contractual agreement about the format, frequency, and content of the data the fintech company would provide, and the bank should integrate the data directly into its AML systems.
- Define requirements, roles, and responsibilities. The bank needs to clearly define the AML requirements, roles, and responsibilities that are expected of a fintech company that maintains an account with the bank – and reach an agreement with the fintech company and hold the company to the contractual requirements. Consider requirements for the fintech company to meet, such as retaining qualified AML compliance personnel, undergoing annual AML audits performed by a bank-approved and trusted vendor, and supplying ongoing AML metrics related to agreed-upon AML performance or risk indicators (see sidebar below, “Indicators of a Fintech Company’s AML Risk”). Banks that clearly define such responsibilities – and, more important, monitor adherence to them over time – are more likely to be able to monitor and respond effectively to changing AML risks or deteriorating AML controls in a timely manner.
- Align expanded due diligence with the risk. Not all fintech companies present the same level of risk, and the expanded level of due diligence and a banker’s oversight of each relationship should be commensurate with the AML risk the bank perceives for each company. The bank should thoroughly evaluate and document the perceived AML risk associated with any potential relationship with a fintech company. Primary risk considerations include:
- The fintech company’s products and services
- The target markets and industries the company serves
- Whether the company’s business model is subject to AML requirements and regulatory oversight
- Results of examinations and audits
- How much the bank would rely on the company to execute AML tasks and responsibilities
Ideally, the depth, breadth, and frequency of the bank’s ongoing due diligence and testing will align with the areas of elevated risk the
Strategies for Fintech Executives
The barriers to attaining a banking charter are difficult to overcome, and at the same time fintech companies are increasingly reliant on access to the global financial system – which increases the importance of relationships and accounts with banks, and often many banks. In our experience, fintech companies that deploy certain strategies often appease banks’ AML concerns more successfully and secure long-term relationships with their partner banks more frequently.
Following are descriptions of some of these strategies:
- Share a clear AML risk assessment. Many bankers have become weary of maintaining accounts, let alone partnerships, with fintech organizations. The reason is a lack of transparency about the fintech company’s business operations, transaction types, and customer activities that flow through the bank. Without a clear picture, bankers are unlikely to be able to identify and mitigate unique AML risks or address regulatory questions and minimize regulatory scrutiny related to these accounts.
Therefore, the most valuable document a fintech company can provide a partner bank is an AML risk assessment that clearly identifies the company’s unique AML risk and the control environment it has deployed to mitigate those specific risks. A well-documented assessment helps a partner bank understand all of the relevant AML risks and controls. If the company is seeking longer-term investments or a different infrastructure to shore up controls and better mitigate AML risks in the organization, the risk assessment should demonstrate that is the case.
- Oversee an AML program, even when unnecessary. Even when a fintech company has structured its products, services, and business operations to limit its requirements under AML laws and regulations, the company is unlikely to be immune from money laundering. Regardless of regulatory requirements, fintech companies increasingly are adopting AML programs, hiring qualified AML officers, and implementing a system of AML controls and processes. This proactive approach can bring partner banks comfort when they see the importance a fintech company places on AML and compliance; further, the company’s actions could help satisfy the banks’ due diligence requirements and answer questions of partner banks’ regulators.
- Simplify data and document empirical evidence. With increased frequency, fintech companies are deploying advanced means to address a variety of AML compliance issues by using techniques such as proprietary algorithms and machine learning. While many fintech companies are using data in unique and innovative ways, many are not always good at providing data in a format that’s meaningful to banks. Recognizing that the information is likely to be shared with their banking partners’ regulators, companies should critically assess the format in which they communicate information about data and advanced controls to the banks. The documentation of empirical evidence of the soundness of the fintech company’s AML practices and techniques must be in a format that banks’ stakeholders and regulators can easily understand.
- Seek audit, assurance, and testing artifacts. A fintech company should consider proactively seeking relevant vendor reports and documented artifacts to support the effectiveness over time of its AML programs and controls. Examples include:
- Annual independent AML audit reports
- Service Organization Control (SOC) reports on the soundness of systems that support AML compliance
- Results of any ongoing self-testing processes that support the sustainability of a company’s AML processes
These documents can have a substantial impact on satisfying a partner bank’s due diligence standards. In addition, before a fintech company seeks out independent assurance reports, it should discuss and vet the vendor to see that it meets the standards of its bank.
Focusing on Value and Growth
The age of digital disruption affecting the financial services industry has only just begun, and unfortunately all too often bankers and fintech companies are failing to address it appropriately – that is, by forming a relationship with each other and collaborating to tackle the evolving AML risks of the fintech boom. Attention to the strategies described here can assist both bankers and fintech companies with managing fundamental AML risks and allow them to focus instead on the value, revenue, and growth opportunities that are abundant in today’s market.
Indicators of a Fintech Company’s AML Risk
While banks have long had to comply with AML regulatory requirements, only recently have they needed to define and monitor fintech companies’ AML-related performance. Minimizing the regulatory AML risk of a bank-fintech collaboration requires the fintech company to supply relevant metrics. Following are some of the metrics that indicate to the bank, as well as to the fintech company itself, the fintech company’s regulatory AML risks:
- Number of suspicious activity reports (SARs) filed
- Volume of transaction monitoring alerts
- Number of full-time employees supporting the AML function and the AML staff turnover rate
- Percentage of fintech customers concluded to have high AML risk
- Number of relationships closed by the fintech company for AML concerns
- Number of high- or moderate-priority AML audit issues
- AML audit issues that are outstanding and unresolved