Are you a FinTech Start-Up? Know Which AML Regulations Apply to You

Posted by Neal Reiter on Mar 23, 2017 6:00:00 AM

 

U.S. anti-money laundering regulations are extensive, filled with explicit and implicit requests, and require studying. However, the benefit of knowing them is fundamental: It will save you time, money, and maybe your business. 

The irony of starting a company is that you don't get to focus on solving the problem(s) you started the firm to solve. Instead, you focus on all the other things required to run a business. Anyone who has started a company knows that product, which should be first, often gets put behind things like fundraising. This is the equivalent of making chefs farm their own food: they can do it, but wouldn't it be better if they could focus on the one thing they're good at?

Want to Focus On:

  • Product
  • Sales
  • Scaling
  • Technology

Actually Focus On:

  • Fundraising
  • Recruiting
  • Operations
  • Regulations

 

This problem is very common in the FinTech space. Our clients start companies to solve a particular pain point such as the cost of remittance, the time required to send global payouts, or the difficulty in purchasing bitcoin. However, they quickly realize they must focus on regulation, something many never thought about or particularly cared about.

Start-ups will often procrastinate when dealing with regulatory compliance. Entrepreneurs are doers; when starting companies to change the world there are too many things to do already, and compliance is easy to procrastinate on, because it is not fun, it is difficult and it doesn’t bring in any revenue.

When compliance does come up, this is typically how:

  • Right Thing to Do: Companies know they need this, and that they can be shut down for not having it
  • Product Launched: The product is used by more than friends and family
  • Investors/Bankers: Know Your Customer is a regulatory requirement, but also helps prevent onboarding fraud
  • Fear: Due to regulatory action or other events, companies embrace regulation with the fervor of a convert

No matter how it comes up, the issue of regulatory compliance must be handled. What we often see is that clients immediately call in a lawyer to help them solve the issue while they focus on running the business. While there are great benefits from choosing the right legal advice and expertise, there can also be some challenges if you are not careful in your choice. For example:

1) Inexperienced Lawyers:

If you're doing new and innovative things, many lawyers won’t know the existing regulations, much less how you fit into them. This means you’re paying to get them up to speed. Moreover, we've seen clients spend a good amount of money for a compliance plan, only to realize they need a new one when they’ve pivoted, expanded, etc… because it was written by someone without experience in the industry.

2) Cost:

The lawyers who know the space and have the necessary experience can sometimes be expensive, especially for a startup that hasn't launched and is far away from revenue, much less profitability. Some law firms will allow you to defer payment until you raise a funding round, but the cost is still high. Unfortunately, many companies don’t know about compliance consulting firms who can help them at a significantly lower cost.  

3) Risk Tolerance:

Most lawyers will want to mitigate risk as much as possible. If a lawyer puts together a compliance plan for your company and it’s found deficient, they will be the ones blamed. As a result, lawyers can go overboard, taking a belts-and-suspenders approach that’s overly cautious.

 

The Rules

So, what should you do? Know the regulation so you can know what advice to ignore, what to follow, and what the options are. The regulations depend on your business model, whether you’re online only, and the location of your company and customers. The following is NOT LEGAL ADVICE; however, it is a good place to start for FinTech companies in the US who want to know the Anti-Money Laundering (AML) regulations.

AML includes Transaction Monitoring and Know Your Customer (KYC).

United States (US)

Here's who's impacted. Be sure to read the definitions below to know where you fall, or not. If you don’t fall under any of these definitions, you may still have compliance regulations; the information below is just for those the United States government defines as Financial Institutions.

 

What are the rules?

The US has the four pillars of AML (soon to be five):

  • That you have a system of policies, procedures, and processes including:
    • Bank Secrecy Act (BSA)/AML compliance program tailored to manage risk
    • Identify high-risk operations (products, services, customers, etc…)
    • Have risk-based customer due diligence (CDD) where you perform additional KYC on your higher-risk customers
    • File all required reports (SARs, CTRs)
    • Detect and report suspicious activity (Transaction Monitoring) 
  • That you have independent testing of your system:
    • Must be independent
    • Validate who the auditors report their results to
    • Qualifications of the auditors
    • Validate the auditor’s work
    • Determine if the system the auditors are using can actually identify unusual activity
    • Determine whether the audit’s review of suspicious activity reporting systems includes an evaluation of the research and referral of unusual activity, and whether the bank’s independent testing includes a review of policies, procedures, and processes for referring unusual activity from all business lines to the personnel or department responsible for evaluating unusual activity
  • That you have a designated Compliance Officer:
    • Designated by the board of directors
    • Has the authority and resources to effectively execute all duties
    • The competency of the BSA compliance officer and their staff
  • That you provide adequate AML training:
    • Comprehensiveness of training, considering specific risks of individual business lines
    • Training of personnel from all applicable areas of the bank
    • Frequency of training
    • Documentation of attendance records and training materials
  • That you know the beneficial owner (by May 11, 2018):
    • Identify and verify the identity of your customers
    • Identify and verify the identity of beneficial owners of these accounts
    • Understand the nature and purpose of customer relationships
    • Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions

So, what does that mean? AML includes: 

  • KYC: The US doesn’t dictate what type of AML program is required, but mandates that what you do is sufficient; examiners will later judge whether what you did is sufficient.

  • Sanctions Screening: The US doesn’t mandate sanctions screening. However, it does prohibit working with sanctioned entities, which de facto requires all US companies to perform sanctions screening. You need to screen against the following lists:

  • Transaction Monitoring: The US dictates that you have a program and report certain activity. This program must be integrated into your system. We have seen clients who, before working with us, have been fined for using Excel spreadsheets.
    • Suspicious Activity Report: You report suspicious activity via a Suspicious Activity Report (SAR), which goes directly to FinCEN. When you need to file a SAR depends on what type of institution you are and what’s occurring; see below:
      • $0 minimum for an insider crime (e.g. embezzlement)
      • $2,000 minimum for MSBs if potential criminal action or money laundering
      • $5,000 minimum for all other financial institutions if potential criminal action or money laundering
      • SARs must be filed within 30 days if you know the suspect, 60 days if you don’t. What this means is that you don’t have to block a customer from transacting for doing suspicious activity.
      • Quality: SAR narratives must be complete and thoroughly describe the extent and nature of the suspicious activity
      • You cannot tell the person involved
    • Currency Transaction Report: You must also report transactions of over $10,000 in cash, in one day, via a Currency Transaction Report (CTR)
    • Geographic Targeting Order: FinCEN can mandate additional record keeping and reporting via a GTO. Examples include CDD on real estate purchased in certain geographies paid in all cash
    • 314(a) of USA PATRIOT Act: FinCEN contacts 16,000 financial institutions every two weeks to determine if specific entities have accounts at their institution. You must respond to these requests.
    • Form 8300: Residential Mortgage Lenders and Originators are required to file Form 8300, Report of Cash Payments Over $10,000 Received in a Trade or Business, to FinCEN

Starting a FinTech company isn’t easy; this is something we know personally. However, it’s easier when you know the regulations that apply to you. No matter how great your service, you must comply with government regulation or face temporary or permanent shuttering. The US government is very explicit in defining what type of business you may fall into, and while the regulations for that business may be more implicit than in other countries, they are definitely there and will be validated by federal and state regulators. We hope the information above helped you categorize what type of business you have, and the applicable AML regulations.

This blogpost is the first of a three part series describing the applicable AML regulations for the U.S., Canada, and the U.K.