AML/KYC Guide for Fintech Companies 2024

For fintech businesses, compliance isn’t simple. They have to meet KYC requirements, perform anti-money laundering (AML) screening, and take preventive measures against fraud. If they fail to do so, they can face millions of dollars in fines. For instance, in 2021, the UK’s tax, payment, and customs authority (HMRC) imposed a £23m ($31.7m) fine on MT Global, a money service business, for failing to follow Customer Due Diligence (CDD) and other obligations. 

We at Sumsub have covered everything you need to know about AML compliance in fintech, based on years experience working with over 700 companies in the industry.

The role of AML and KYC in fintech

Know Your Customer and other Anti-Money Laundering procedures are essential for fintech companies as part of the compliance process. Companies must ensure that they follow local (and, where applicable, global) regulations regarding customer due diligence. This includes:

• Customer identification and identity verification
• Performing risk-based assessment 
• Ongoing monitoring (including transaction monitoring)
• Screening sanctions lists, PEP lists and other sources

Fintech is a competitive market, with traditional institutions, tech giants, and startups all aiming to take up a dominant position—which is why global venture funding reached $451 billion in 2022. 

Therefore, fintech companies have to compete for users—and this means putting effort into making onboarding as quick and effortless as possible. At the same time, fintech apps and services are targeted by criminals who use financial platforms for money laundering, fraudulent, and terrorism financing purposes. 

Main compliance challenges in fintech

Some of the main challenges the fintech sector faces include:

• Onboarding users and clearing payments. AML procedures can make the registration inconvenient, which may lead to customer drop-offs. 
• Regulatory sanctions. Fintech businesses around the globe are subject to strict AML requirements, including user verification, AML training, suspicious activity reporting, and more. Non-compliance with these obligations leads to severe sanctions.
• Screening for fraudsters. Fraudsters use fake identities to conduct transactions or launch phishing attacks. Fintech businesses need to stay vigilant in order to prevent bad actors in the first place.
• Chargeback prevention. Сhargebacks negatively impact businesses through costly fees, lost shipping, transaction processing costs, and the time wasted on disputes.

In short, fintech businesses constantly have to balance ease of onboarding and security. This can be achieved, in part, through automated solutions such as Know Your Customer (KYC) and transaction monitoring.

Risk-Based Approach in fintech

Global regulators require fintech businesses to adopt a risk-based approach to combating money laundering. This means considering risks inherent to the sector and products that a company deals with. 

For instance, the fintech sector is considered especially vulnerable to money laundering. To mitigate these risks, fintech companies must institute an AML compliance program—a combination of safeguards that include: 

• User verification. To meet regulatory requirements, fintech businesses must identify and verify their users. This procedure is also known as Know Your Customer (KYC).
• An AML team. Depending on the jurisdiction, fintech businesses must appoint an AML compliance officer, a Money Laundering Reporting Officer (MLRO), or both. These officers are responsible for compliance, ongoing monitoring, and reporting.
• Employee training. Businesses have to educate their employees about financial crimes and how to prevent them. This can be done through classroom instruction, online classes, or other teaching methods.
• Record keeping and retention. Regulators require businesses to record and store the results of due diligence checks and other reports to provide to regulators if needed.
• Suspicious Activity Reporting. If an employee notices any signs of money laundering, they must notify the MLRO, who then reports it to the regulator. Also, the MLRO must regularly report certain information to senior management, such as the number of detected suspicious transactions and money laundering schemes during the reporting period.

Know Your Customer

Know Your Customer (KYC) is an umbrella term for everything that a business should know about a customer. This encompasses procedures such as customer identification and identity verification.

To identify a customer, businesses usually need at least the following data:

• Name
• Date of birth
• Address

After collecting this essential information, fintech companies need to verify it. Typically, a government-issued document is used for that purpose.

Risk Assessment and Management in fintech

Fintech companies need to establish AML risk management policies to separate customers by risk level. Depending on their risk level, customers may have to submit certain documents and go through specific monitoring processes. 

Customer Due Diligence (CDD)

Customer Due Diligence (CDD) is part of any KYC procedure. It involves verifying a customer through documents or information received from a reliable source, such as checked databases. Fintech businesses must carry out CDD at the onboarding stage before they allow users to initiate transactions.

Although CDD is the check companies apply the most, there are some situations when the money laundering risk is very low. This allows businesses to opt for Simplified Due Diligence (SDD), reducing the overall check time. On the other hand, if the situation is very high-risk, companies may need to perform Enhanced Due Diligence (EDD).

Enhanced Due Diligence (EDD)

Enhanced Due Diligence provides a greater level of scrutiny of potential business partnerships and highlights risks that cannot be detected by the standard verification procedure.

EDD is applied when users present a higher risk of money laundering or terrorist financing. For instance, if a user comes from a high-risk country, compliance officers must collect additional data on their identity. This includes sources of funds and wealth.

Sanction lists, PEPs, and adverse media screening

Companies should conduct AML screening for adverse media, global sanctions, and watchlists, such as OFAC, UN, HMT, EU, DFT, etc. regardless of the client’s risk profile. Besides that, companies should check whether their customer is a Politically Exposed Person (PEP). This process should take place during onboarding and throughout the entire customer relationship.

Transaction monitoring

Transaction monitoring helps businesses build and update the risk profiles of their customers and enhance trust between affiliate financial institutions and correspondent banks. Transaction monitoring software spots unusual patterns and reviews dubious transactions made in digital or fiat currencies. 

Essentially, a transaction monitoring solution is supposed to answer the following questions:

• Is the transaction consistent with the risk profile of the customer? 
• Are the origin and destination of the transaction legitimate? 
• Is there any suspicion that the funds were obtained illegally? 

For fintech companies, an efficient transaction monitoring system is needed to easily process transactions and detect those potentially linked to criminal activities.

Onboarding

Registration and KYC/AML verification are the first steps of a customer’s journey—so it’s vital to make this experience frictionless and engaging. Still, there are some major drawbacks that can prevent a company from doing so:

• Slow onboarding. Customers may be willing to spend up to 5 minutes on the onboarding process. But if it takes any longer, they may simply close the app and never use it again.
• Unfriendly user experience. The entire process has to be pleasant. That means having a nice, clean interface, with only the essential onboarding steps.

These problems can be solved by automating KYC procedures and customizing the onboarding flow. Automation decreases manual labor and associated costs, leaves no room for human error, and increases pass rates. Customization offers alternative flows if users drop out at a certain stage.

Onboarding Solution

To screen for fraudsters, fintech companies should introduce a combination of approaches to ensure that the true document holders undergo verification. This includes:

• Automated document checks. Using artificial intelligence, companies can expose fake photos and documents submitted by an imposter.
• AML screening. It’s best to check customers against Politically Exposed Persons (PEPs) databases, sanctions lists, and internal blocklists of other platforms, as well as for adverse media to ensure secure onboarding.
• Facial biometrics. Liveness technology helps ensure that the true document holder is present during the KYC check. This prevents fraudsters from using masks or deepfakes to get verified.
• Behavior analysis. Businesses can gather data on user behavior to compare with suspicious patterns, detecting phishing and chargebacks.

Even if fraudsters don’t launder money through a particular business, they might be using previously-laundered money to perform transactions—and it’s the business’s responsibility to prevent this from happening.

Compliance with AML requirements allows businesses to avoid regulatory sanctions and fraud. It also helps earn the trust of users and investors. To stay focused on their core tasks, businesses can delegate user onboarding to a provider, who sets up the KYC process for them in a quick and efficient manner. In our experience, this reduces operational costs by up to 40%.

All in all, the right AML compliance routine helps not only avoid huge fines, but also improve the user onboarding experience and conversion rates.

Fintech regulatory requirements 
across the world

While certain requirements are practically universal, companies should always consider the regulatory specifics of the countries and industries (e.g., banking, money services businesses, etc.) they’re operating in. For example, in the US it’s not possible to obtain a license in one state and work in another. Therefore, companies would need a separate license for each state. 

---