Efren Marquez Alba is an Engagement Director with Treliant. His areas of expertise include a range of AML, sanctions, and other financial crime domains, including regulatory program and program management, risk identification and measurement, suspicious activity investigations, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD), systems and technology administration…
Whether partnering with banks or directly offering their own products and services, FinTechs today face growing financial crimes risk. They are also stepping up their efforts on financial crimes compliance, to tackle the dual challenge of being both a target of illicit actors and a focus of financial crimes regulation.
FinTechs’ current situation reflects several developments. FinTechs have taken on increasing responsibility for financial crimes compliance when partnering to provide services with traditional banks. At the same time, many FinTechs are also diversifying, offering more lending and depository products on their platforms, which heightens their exposure. Meanwhile, the COVID-19 pandemic has driven people’s use of digital banking to new highs, with bad actors increasing their illicit activities in tandem. On top of it all, the Financial Crimes Enforcement Network (FinCEN) is planning to issue new priorities and requirements that could compel FinTechs to pivot their compliance routines.
This article breaks down some of FinTechs’ most pressing financial crimes challenges and responses.
Working in Partnership
Banks partnering with FinTechs often delegate key control roles and responsibilities to the FinTech, to meet requirements of the Bank Secrecy Act and anti-money laundering rules (BSA/AML), USA PATRIOT Act, and Office of Foreign Asset Control (OFAC). The rationale for this is based on a FinTech’s position within the process flow of customer origination, servicing, and collection. Core FinTech responsibilities typically include the implementation of controls for compliance with certain regulatory requirements including:
- Know Your Customer (KYC): Section 326, Customer Identification Program (CIP), and Section 352, Customer Due Diligence (CDD)
- OFAC Watchlist Screening
- Suspicious Activity Reporting (SAR): Section 352, Transaction Monitoring
- Information Sharing with Law Enforcement: Section 314(a)
Bank partners require FinTechs’ controls to be supported by sufficiently risk-based BSA/AML and OFAC regulatory compliance programs. Program elements include designation of authority, oversight, documented policies and procedures, training for employees and boards of directors, and independent assessment of overall design, operating effectiveness, and sustainability. Mapping inherent risk to the bank partner’s risk appetite, requirements may include additional screening methods, to identify politically exposed persons (PEP) and analyze adverse media about a customer, as well as singling out higher-risk customers who are candidates for enhanced due diligence. A FinTech may further be expected to provide another level of assurance about the effectiveness of its program, once implemented, using quality control processes, quality assurance processes, or both.
Know Your Customer
FinTechs operate in a digital and online environment, exposing them to a higher inherent risk of loss resulting from identity theft. In the uncertain pandemic environment, companies are exposed to increasing levels of fraud and financial loss, exerting added pressure while they are also striving to meet federal and state regulatory licensing, registration, and examination requirements.
Tools, methods, and both automated and manual processes have been adopted within the industry, primarily focused on authentication of both identity and identification information. Identity theft fraud prevention and detection methods often include multi-factor and algorithmic analytical tools incorporating identity red flags and characteristics through use of machine learning, artificial intelligence (AI), biometrics, and device multi-factor authentication for channels including mobile software development kits (SDK), webcams, application programming interfaces (API), or mobile web applications. These tools may have to meet model definitions described in regulatory guidance from the Federal Reserve Board (FRB SR11), Office of the Comptroller of the Currency (OCC 2011-12), and Federal Deposit Insurance Corp (FIL-22-2017), to comply with the “zero CIP exception” risk tolerance of partner banks and their regulators.
In certain contexts, it may be useful for FinTechs to implement tools or methods to identify customers posing higher inherent risk. This risk assessment would be based on customer characteristics and attributes including geographic associations, primary economic activity (i.e., North American Industry Classification codes or employment types), legal entity types (for businesses), negative news, PEP status, or other customer risk factors. Such customers may also be subject to enhanced due diligence.
OFAC Watchlist Screening
Partner banks rely on FinTech partners to implement tools, methods, and processes to interdict individuals and entities named on OFAC watchlists including Specially Designated Nationals (SDN), Consolidated Sanctions List, Sectoral Sanctions Identifications (SSI), Foreign Sanctions Evaders (FSE), Non-SDN Palestinian Legislative Council, Non-SDN Iranian Sanctions, Foreign Financial Institutions Subject to Part 561 (the “Part 561 List”), and Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions (CAPTA). These processes are required to check entities both during the customer onboarding process as well as periodically, due to changes in the lists or in the entity itself.
Watchlist screening methods often include fuzzy logic algorithms designed with rules, weights, and thresholds. OFAC watchlist screening tools may have to meet partner banks’ model risk management definitions and be subject to model risk management standards. The output of these methods is expected to be subject to a process in which hit review and dispositioning is performed accurately, timely, with sufficient supporting documentation, and with true matches properly escalated to the partner bank or reported to OFAC. Annual OFAC reporting is also required.
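The rules-weights-thresholds screening described above, with hit review and periodic rescreening, as an added worked example written for this article. It is not the article’s own code, not a vendor product, and not an OFAC tool; the list entries, customer records, weights, and thresholds are all constructed and fictional, and a real deployment would screen against the published OFAC lists and calibrate its thresholds under the partner bank’s model risk management standards.

```python
"""Added example: fuzzy watchlist screening with rules, weights and thresholds,
plus hit dispositioning and periodic rescreening.

Illustrative code written for this article. The WATCHLIST below is constructed
and fictional (not OFAC data); weights and thresholds are assumed values.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re
import unicodedata

# Constructed, fictional list entries. Real screening loads the OFAC SDN,
# Consolidated and other lists named in the article.
WATCHLIST = [
    {"id": "LIST-0001", "list": "SDN", "name": "Juan Perez Gomez",
     "aliases": ["J. Perez"], "dob": "1975-03-04", "country": "XX"},
    {"id": "LIST-0002", "list": "SSI", "name": "Example Trading Company Ltd",
     "aliases": ["ExTraCo"], "dob": None, "country": "YY"},
]

# Rules: a hit needs a fuzzy name score at or above NAME_THRESHOLD.
# Weights: how much each corroborating attribute adds to the overall score.
# Thresholds: ESCALATE_THRESHOLD separates "analyst review" from "escalate to bank".
NAME_THRESHOLD = 0.80
WEIGHTS = {"name": 0.60, "dob": 0.25, "country": 0.15}
ESCALATE_THRESHOLD = 0.90

# Corporate suffixes and honorifics that should not influence the name match.
NOISE_TOKENS = {"ltd", "llc", "inc", "co", "company", "mr", "mrs", "ms"}


def normalize(name):
    """Fold accents to ASCII, drop punctuation and noise tokens, lowercase."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(t for t in text.split() if t not in NOISE_TOKENS)


def name_similarity(a, b):
    """Fuzzy similarity in [0, 1]: the better of a direct ratio and a token-order-insensitive ratio."""
    na, nb = normalize(a), normalize(b)
    direct = SequenceMatcher(None, na, nb).ratio()
    sorted_a, sorted_b = " ".join(sorted(na.split())), " ".join(sorted(nb.split()))
    reordered = SequenceMatcher(None, sorted_a, sorted_b).ratio()
    return max(direct, reordered)


@dataclass
class Hit:
    entry_id: str
    list_name: str
    score: float
    reasons: list = field(default_factory=list)   # the supporting documentation for hit review
    disposition: str = "review"                   # "review" (analyst) or "escalate" (to partner bank)


def screen(customer, watchlist=WATCHLIST):
    """Score one customer record against every list entry and disposition each hit."""
    hits = []
    for entry in watchlist:
        candidates = [entry["name"]] + entry.get("aliases", [])
        best_name = max(name_similarity(customer["name"], c) for c in candidates)
        if best_name < NAME_THRESHOLD:
            continue  # rule not met: no alert is generated for this entry
        score = WEIGHTS["name"] * best_name
        reasons = [f"name similarity {best_name:.2f}"]
        if entry["dob"] and customer.get("dob") == entry["dob"]:
            score += WEIGHTS["dob"]
            reasons.append("date of birth matches")
        if entry["country"] and customer.get("country") == entry["country"]:
            score += WEIGHTS["country"]
            reasons.append("country matches")
        disposition = "escalate" if score >= ESCALATE_THRESHOLD else "review"
        hits.append(Hit(entry["id"], entry["list"], round(score, 3), reasons, disposition))
    return sorted(hits, key=lambda h: -h.score)


def rescreen(customers, watchlist=WATCHLIST):
    """Periodic rescreening of the customer base after a list update; returns only customers with hits."""
    results = {}
    for customer in customers:
        hits = screen(customer, watchlist)
        if hits:
            results[customer["id"]] = hits
    return results


if __name__ == "__main__":
    # Constructed customer records (fictional).
    customers = [
        {"id": "C-1", "name": "Juan Perez-Gomez", "dob": "1975-03-04", "country": "XX"},
        {"id": "C-2", "name": "Alice Johnson", "dob": "1990-01-01", "country": "US"},
        {"id": "C-3", "name": "J Perez", "dob": None, "country": "ZZ"},
    ]
    for cid, hits in rescreen(customers).items():
        for h in hits:
            print(cid, h.entry_id, h.list_name, h.score, h.disposition, "; ".join(h.reasons))
```

Note the design choice: a name match alone can only ever reach a "review" disposition (0.60), and escalation requires corroborating identifiers such as date of birth and country, so an analyst sees the alias-only hit for "J Perez" with its reasons recorded, while the full-identifier match is pushed straight to the partner bank.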
Suspicious Activity Reporting
FinTechs are typically exposed to illicit activity through fraudulent schemes and the exploitation of points of entry by bad actors. Examples include identity theft at account opening, account takeover, and complicity between a customer and counterparties. Vulnerabilities include inattention to payment methods and patterns, and insufficient CDD controls such as those verifying sources of funds.
For U.S. FinTechs, money laundering and terrorist financing risk is often reduced due to restrictive product and service terms and conditions, such as those limiting offerings to U.S. consumers and businesses, prohibiting the use of cash or cross-border payments, and requiring payments to be linked to a U.S. financial institution’s bank account. Other factors that lessen FinTechs’ risk compared to banks’ risk include the lower average transactional values and volumes of products and a lower level of inherent product and service risk. Still, FinTechs have suffered harm at the hands of illicit actors, and their exposure is growing, as many FinTechs begin to evolve from a single-product platform to multi-product offerings (lending and depository products), with some even seeking to acquire a banking license.
Ultimately, FinTechs must implement methods and tools to prevent and detect potentially suspicious activity through automated and manual transaction monitoring methods purpose-built to emphasize suspected or confirmed fraud detection. As with OFAC screening, automated transaction monitoring tools may have to meet model definitions under the partner bank’s model risk management definitions and standards. As with OFAC processes, the output of these tools and methods is expected to be subject to an investigative process in which alert dispositioning is performed accurately, timely, with sufficient documentation, and with proper escalation to the partner bank for FinCEN SAR filing.
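The automated transaction monitoring and alert dispositioning described above, as an added worked example written for this article (not the article’s own code and not any bank’s or vendor’s rule set). It encodes two of the exposure points named earlier in the article as detection rules, rapid outflow from a newly opened account (identity theft at account opening) and a change of linked funding account followed by a large payment out (account takeover), runs them over a constructed set of transactions, and records an investigator’s disposition with the evidence attached. The account data, rule names, and thresholds are all assumed, constructed values.

```python
"""Added example: rule-based transaction monitoring with alert dispositioning.

Illustrative code written for this article; the transactions, rule names and
thresholds are constructed and are not any institution's real configuration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activity for three fictional accounts. Event types:
#   credit / debit   money in / out (amount in USD)
#   link_change      the linked external funding account was changed
TXNS = [
    {"acct": "A1", "opened": "2021-06-01", "ts": "2021-06-02T09:00", "type": "credit", "amount": 5000},
    {"acct": "A1", "opened": "2021-06-01", "ts": "2021-06-02T11:00", "type": "debit", "amount": 2400},
    {"acct": "A1", "opened": "2021-06-01", "ts": "2021-06-02T11:30", "type": "debit", "amount": 2400},
    {"acct": "B7", "opened": "2020-01-15", "ts": "2021-06-10T08:00", "type": "link_change", "amount": 0},
    {"acct": "B7", "opened": "2020-01-15", "ts": "2021-06-10T20:00", "type": "debit", "amount": 3500},
    {"acct": "C3", "opened": "2019-05-20", "ts": "2021-06-11T10:00", "type": "credit", "amount": 300},
    {"acct": "C3", "opened": "2019-05-20", "ts": "2021-06-12T10:00", "type": "debit", "amount": 120},
]

# Assumed rule parameters; in practice these are tuned and documented under model risk management.
RULES = {
    "new_account_rapid_outflow": {"account_age_days": 7, "outflow_ratio": 0.8},
    "link_change_then_outflow": {"window_hours": 48, "min_amount": 1000},
}


def _ts(s):
    return datetime.fromisoformat(s)


def rule_new_account_rapid_outflow(events, cfg):
    """Onboarding-fraud pattern: most of what is deposited into a brand-new account leaves within days."""
    cutoff = datetime.fromisoformat(events[0]["opened"]) + timedelta(days=cfg["account_age_days"])
    credits = sum(e["amount"] for e in events if e["type"] == "credit" and _ts(e["ts"]) <= cutoff)
    debits = sum(e["amount"] for e in events if e["type"] == "debit" and _ts(e["ts"]) <= cutoff)
    if credits > 0 and debits / credits >= cfg["outflow_ratio"]:
        return f"{debits:.0f} of {credits:.0f} deposited left within {cfg['account_age_days']} days of opening"
    return None


def rule_link_change_then_outflow(events, cfg):
    """Account-takeover pattern: linked funding account changed, then a large outbound payment soon after."""
    changes = [_ts(e["ts"]) for e in events if e["type"] == "link_change"]
    window = timedelta(hours=cfg["window_hours"])
    for e in events:
        if e["type"] != "debit" or e["amount"] < cfg["min_amount"]:
            continue
        t = _ts(e["ts"])
        if any(timedelta(0) <= t - c <= window for c in changes):
            return f"debit of {e['amount']:.0f} within {cfg['window_hours']}h of a linked-account change"
    return None


RULE_FUNCS = {
    "new_account_rapid_outflow": rule_new_account_rapid_outflow,
    "link_change_then_outflow": rule_link_change_then_outflow,
}


def monitor(txns=TXNS, rules=RULES):
    """Run every rule per account; return open alerts carrying the evidence an investigator needs."""
    by_acct = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        by_acct[t["acct"]].append(t)
    alerts = []
    for acct, events in by_acct.items():
        for name, fn in RULE_FUNCS.items():
            evidence = fn(events, rules[name])
            if evidence:
                alerts.append({"acct": acct, "rule": name, "evidence": evidence, "status": "open"})
    return alerts


def disposition(alert, outcome, note):
    """Record the investigator's decision: closed with no action, or escalated to the partner bank for SAR consideration."""
    if outcome not in {"closed_no_action", "escalate_to_bank"}:
        raise ValueError(f"unknown disposition outcome: {outcome}")
    return {**alert, "status": outcome, "note": note,
            "decided_at": datetime.now().isoformat(timespec="seconds")}


if __name__ == "__main__":
    for a in monitor():
        print(a["acct"], a["rule"], "->", a["evidence"])
```

Each alert carries the rule that fired and a one-line statement of the evidence, which is what the "sufficient documentation" requirement for alert dispositioning comes down to in practice; the disposition record keeps that evidence, the outcome, the investigator's note, and a timestamp together so the escalation to the partner bank is traceable.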
Partner banks typically designate their own point of contact for FinCEN’s information sharing program, and they usually retain primary responsibility for handling searches and FinCEN reporting. Still, FinTech companies may occasionally be delegated to conduct subject searches and report true matches to either or both their partner bank and FinCEN within a two-week window. In such cases, the FinTech is expected to develop and implement comprehensive policies, procedures, and processes for responding to section 314(a) requests and to protect the security and confidentiality of FinCEN requests.