Explainer on Fintech AML Requirements
If you’re in fintech, understanding anti-money laundering laws is crucial.
AML laws require you to have programs and tools in place to detect and prevent money laundering. If you don’t, you can face regulatory scrutiny and hefty fines.
But the scale your AML program needs can vary depending on your company and product(s). To navigate what’s needed, it helps to understand the laws and regulations.
Here’s an explainer on the Bank Secrecy Act and Anti-Money Laundering laws.
Founder TL;DR
If you’re launching a card program, you’ll want to:
- Get familiar with AML requirements that fintech companies must navigate.
- Consider whether you need to have AML policies & procedures, a compliance officer, and employee training in place.
- Establish your KYC/KYB procedures to verify customers’ identities.
- Determine how you’re monitoring transactions in case you need to report suspicious activity.
- Talk to a lawyer! Every product has its own considerations and we’re happy to point customers to recommendations.
AML overview & terminology
The Bank Secrecy Act (BSA) establishes the basic framework for AML obligations and has been updated by several laws including the USA PATRIOT Act and the more recent Anti-Money Laundering Act of 2020. Other various laws shape AML requirements depending on the setting, but the BSA and PATRIOT Act are the primary ones that operators in the industry will reference.
We’ll generally refer to all of these as the “AML laws” in this post.
AML laws are structured to form public-private partnerships for financial crimes and intelligence purposes. Under the laws and rules, financial institutions are deputized to collect information about customers and provide financial intelligence to government agencies and law enforcement.
Financial institutions (including fintechs) have paid millions or even billions for failing to fulfill their anti-money laundering (AML) obligations. So if you’re working in fintech, you’ll want to make sure your company complies with AML laws.
Additionally, “AML” is often used to refer to both AML and counter-terrorist financing requirements, though you may hear CTF discussed separately. We’ll generally use “AML” to refer to both.The Financial Crimes Enforcement Network (FinCEN) imposed more than $600 million in fines for anti-money laundering (AML) violations from January 2021 to March 2022.
FinCEN
The Financial Crimes Enforcement Network (FinCEN) is the main U.S. regulator responsible for AML regulations and operations. FinCEN is a bureau within the Department of Treasury, and it works with other U.S. regulators to set rules for banks and other financial companies like money transmitters. FinCEN also maintains a database and employs various analysts to help identify trends and issues that inform policy changes.
FinCEN can pursue civil penalties (e.g., fines) for AML violations, and the Department of Justice can seek criminal penalties. But largely FinCEN is a supportive agency and encourages collaboration with industry participants via its FinCEN Exchange and office hours programs.
Who do AML Laws apply to?
AML laws and related requirements apply to “financial institutions,” which include:
- Banks
- Insurance companies
- Securities and commodities broker-dealers
- Anyone involved in real estate settlements and closings
- Money services businesses (MSBs), including money transmitters and companies that offer prepaid cards under their own regulatory structure
- Various other financial businesses and actors
For fintechs in the payment space, the most relevant categories are banks and MSBs.
Banks’ AML obligations will extend to third-party service providers and certain wholesale customers via contract and certain banking law provisions like 12 USC 1867(c). Additionally, a fintech may count as a MSB if they’re not careful, which triggers the need to have an AML program, FinCEN registration, and a host of other costly legal requirements.
Basic AML program requirements
AML laws require financial institutions to have AML programs, which generally includes:
- Written policies and procedures that implement the program
- Written internal controls and testing mechanisms for the program (e.g., quality control audits)
- A designated compliance officer who oversees the program
- An ongoing AML employee training program
- Reporting suspicious activities, which requires transaction monitoring
- Identify and verify customers’ identities (i.e., know-your-customer (KYC) and/or know-your-business (KYB)), unless the program fits in an exception.
If this list feels daunting, don’t be discouraged.
FinTechs will often start out as partners to regulated financial institutions versus being directly licensed and regulated. If you’re in this position, we recommend you consult with your BaaS or bank partner to check in on their requirements for your product.
The best BaaS and bank partners can help offer guidance on how to size your internal practices to meet their regulatory needs and the risks presented by your product. And because banks are the regulated entity in these partnerships, they might have tools or resources to help absorb or shoulder some of these responsibilities.
As an example, some bank partners have key FinTech staff attend annual AML training, which can help the bank and FinTech meet their compliance responsibilities.
AML programs in practice
Ideally, early stage fintech companies would have dedicated AML policies and resources.
However, some early stage fintechs may not have full policies, dedicated headcount, or employee training as they’re first getting set up and trying to find product-market fit. Instead, they may rely on their bank partner’s AML policies, and may hire a consultant to advise if they get stuck on issues.
Once fintechs have product-market fit and see meaningful growth, they often designate a compliance officer and build out their own AML policies, internal controls, and employee trainings.
As a best practice, fintechs past the MVP stage with some product-market fit should review their policies regularly to address new risks and products, and should have their boards of directors and senior management approve their AML policies annually.