For fintech businesses, compliance isn’t simple. They have to meet KYC requirements, perform AML screenings, and take preventive measures against fraud. If they fail to do so, they can face millions of dollars in fines.
Here, we’ve gathered the most important information for AML compliance in fintech, based on years of working with over 700 companies in the industry.
- Compliance challenges in fintech
- Building the right compliance foundation
- Introducing anti-fraud measures
- Implementing Payment Service Directive 2
- Onboarding customers effectively
- Wrapping it up: the benefits of proper compliance
Compliance challenges in fintech
Fintech is a very competitive market, with traditional institutions, tech giants, and startups all aiming to take up a dominant position—with over 5,000 new fintech businesses opened in 2021.
Understandably, fintech businesses have to compete for users—and this means putting effort into making onboarding as quick and effortless as possible. At the same time, fintech is full of fraudsters using fake identities to get loans or make payments, so swift conversion has to be balanced with advanced protection.
Here are the specific challenges that fintech businesses face:
- Onboarding users and clearing payments. To attract users, fintech businesses have to do everything they can to reduce onboarding time and make the verification process engaging.
- Regulatory sanctions. Fintech businesses around the globe are subject to strict AML requirements, including user verification, AML training, suspicious activity reporting, and more. Non-compliance with these obligations leads to severe sanctions.
- Screening for fraudsters. Fraudsters use fake identities to obtain bonuses, conduct transactions, or launch phishing attacks. Fintech businesses need to stay vigilant in order to keep bad actors out in the first place.
- Chargeback prevention. Chargebacks negatively impact businesses through costly fees, lost shipping, transaction processing costs, and the time wasted on disputes.
In short, fintech businesses constantly have to balance high conversion rates and fraud-proof security.
Building the right compliance foundation
Fintech businesses must comply with a whole set of AML requirements, from customer verification to record-keeping. The consequences of not doing so are severe. For instance, in 2021, the HMRC, a British regulator, imposed a £23m ($31.7m) fine on MT Global, a money service business, for failing to follow Customer Due Diligence and other obligations.
Here’s our breakdown of the major procedures that form the basis of compliance for the fintech industry.
Global regulators require fintech businesses to adopt a risk-based approach to combat money laundering. To do so, businesses need to consider their sector, the products they offer, and the associated risks. For instance, the fintech sector is considered especially vulnerable to money laundering, so fintech businesses might have to implement stricter user checks.
To mitigate money laundering risks, businesses must institute an AML compliance program—a combination of internal documents (compliance policies and guides) as well as other safeguards, including employee AML training programs, verification procedures, and reporting systems. More specifically, these programs consist of the following:
- User verification. To meet regulatory requirements, fintech businesses must identify and verify their users. This procedure is also known as Know Your Customer (KYC).
- An AML team. Depending on the jurisdiction, fintech businesses must appoint an AML compliance officer, a Money Laundering Reporting Officer (MLRO), or both. These officers are responsible for compliance, ongoing monitoring, and reporting.
- Employee training. Businesses have to educate their employees about financial crimes and their prevention. This can be done through classroom instruction, computer programs, or other types of teaching methods.
- Recording and retention. Regulators require businesses to record and store the results of due diligence checks and other reports so that they can be provided to regulators if needed.
- Suspicious Activity Reporting. If an employee notices any signs of money laundering, they must notify the MLRO, who then reports it to the regulator. Also, the MLRO must regularly report certain information to senior management, such as the number of detected suspicious transactions and money laundering schemes during the reporting period.
Know Your Customer, KYC for short, is an umbrella term for everything that a business should know about a customer. This encompasses Customer Due Diligence (CDD), identification, and verification.
Customer Due Diligence (CDD) is part of any KYC procedure. It involves verifying a customer through documents or information received from a reliable source. Fintech businesses must carry out CDD at the onboarding stage, before they allow users to initiate transactions.
Although CDD is the check companies apply the most, there are some situations when the money laundering risk is very low. This allows businesses to opt for Simplified Due Diligence (SDD), reducing the overall check time. On the other hand, if the situation is very high-risk, companies may need to perform Enhanced Due Diligence (EDD).
SDD is a simplified check for very low-risk situations. With SDD, it’s possible to reduce the time and extent of the verification process. Conducting SDD may be an option for dealing with publicly-owned enterprises or individuals from low-risk jurisdictions.
However, the presence of one or even several low-risk factors doesn’t automatically permit a business to apply SDD. A thorough risk assessment is needed before this check can be applied. So, in reality, businesses rarely undertake it.
Enhanced Due Diligence provides a greater level of scrutiny of potential business partnerships and highlights risks that cannot be detected by the standard verification procedure.
EDD is applied when users present a higher risk of money laundering or terrorist financing. For instance, if a user happens to be a Politically Exposed Person (PEP), compliance officers must collect additional data on their identity as per EDD. This includes the sources of funds and wealth.
KYB—Know Your Business
Know Your Business (KYB) involves screening companies and their beneficial owners. This helps expose shell companies and the individuals behind them.
KYT—Know Your Transactions
Transaction monitoring (KYT) helps businesses understand the source of incoming funds, clarify their counterparties’ purpose of payment, and enhance trust between affiliate financial institutions and correspondent banks.
Introducing anti-fraud measures
To screen out fraudsters, fintech businesses should introduce a combination of approaches to ensure that true document holders undergo verification. This includes:
- Automated document checks. Using artificial intelligence, businesses can expose fake photos and documents submitted by an imposter.
- AML screening. It’s best to check customers against Politically Exposed Persons (PEPs) databases, sanctions lists, and internal blocklists of other platforms, and to screen them for adverse media, to ensure secure onboarding.
- Facial biometrics. Liveness technology helps ensure that the true document holder is present during the KYC check. This prevents fraudsters from using masks or deepfakes to get verified.
- Behavior analysis. Businesses can gather data on user behavior to compare it with suspicious patterns, detecting phishing and chargebacks.
Even if fraudsters don’t launder money through a particular business, they might be using previously-laundered money to perform transactions—and it’s that business’s responsibility to prevent this from happening.
Implementing Payment Service Directive 2 (PSD2)
The Payment Service Directive 2 (PSD2) went into full effect in 2019, reinforcing KYC measures and demanding stronger customer authentication.
PSD2 requires that fintech businesses generate an encrypted authentication code for each transaction. This code should link the transaction to the user, creating a safer environment.
PSD2 also requires any third-party service provider to be compliant with the Regulatory Technical Standards (RTS) before performing any transactions.
Onboarding customers effectively
Registration and KYC/AML verification are the first steps of your customers’ journey—so it’s vital to make this experience frictionless and engaging. Still, there are some major drawbacks that can prevent you from doing so:
- Low speed. Customers may be willing to spend up to 5 minutes on the onboarding process. But if it takes any longer, they may simply close the app and never use it again.
- Unfriendly user experience. The entire process has to be pleasant. That means having a nice, clean interface, with only the essential onboarding steps.
These problems can be solved by automating KYC procedures and customizing the onboarding flow. Automation decreases manual labor and associated costs, leaves no room for human error, and increases pass rates. Customization offers alternative flows if users drop out at a certain stage.
Wrapping it up: the benefits of proper compliance
Compliance with AML requirements allows businesses to avoid regulatory sanctions, fraud attacks, and chargebacks. It also helps earn the trust of users and investors.
To stay focused on their core tasks, businesses can delegate user onboarding to a provider, who sets up the KYC process for them in a quick and efficient manner. In our experience, this reduces operational costs by up to 40%.
All in all, the right AML compliance routine not only helps avoid huge fines, but can also improve user onboarding experience and conversion rates.