Payments Service Providers (PSPs), issuers, and processors are about to feel the full heat of the regulator spotlight when it comes to financial crime compliance. As governmental organisations around the world set out their national priorities, anti-money laundering (AML) has been given top billing by the U.S. Financial Crimes Enforcement Network (FinCEN), the U.K. Financial Conduct Authority (FCA), and the European Union with the newly established European Anti-Money Laundering Authority (AMLA).
Why regulators are focused on PSPs for financial crime compliance
Initiatives such as the Payments Services Directive (PSD2) in Europe, Open Banking in the UK and Australia, and the ‘Financial World: Finance-As-A Service API Playbook’ from the Monetary Authority of Singapore (MAS) all delivered on their initial aim: opening up competition within the payments and financial services sector to drive choice and value for consumers. But with this open approach, many new fintech organisations have gained financial services licenses without robust AML processes and systems in place.
The unintended consequence of introducing competition in financial services has been to introduce additional financial crime risk. In combination with this, new fintechs sprung up with propositions that bank and transact the unbanked, or those previously excluded from traditional financial services. Whilst these mission-led payments organisations have correctly identified a gap in the market, their customer base is often considered higher-risk when it comes to AML by the financial regulators.
Regulatory requirements for AML in payments
The responsibility to meet financial crime prevention mandates for fintechs depends on the kind of license they have secured in each jurisdiction when they operate. This includes, as they expand into providing financial services in each market, whether or not they have a physical presence on the ground.
There are those fintechs who have followed the Uber model of providing the technology platform, but none of the regulated requirements. They may seek to understand the risk profile of their customers, and commercialise that insight back to them.
For those issuing accounts or any kind of payments instruments (cards, wallets, alternative payment methods), they are bound to the same AML requirements as a traditional bank, albeit likely without the same resources to manage investigations and filing Suspicious Activity Reports (SARs).
It would be a mistake for third-party payment processors (TPPPs) to assume that without an issuing portfolio they are exempt from AML mandates. The U.S. regulatory has particularly far-reaching mandates for AML through its Bank Secrecy Act (BSA), which states that “any…person who engages as a business in the transmission of funds […] or any network of people who engage as a business in facilitating the transfer of money domestically or internationally outside of the conventional financial institutions system” must register as a Money Services Business (MSB) with the Financial Crimes Enforcement Network (FinCEN). TPPPs generally are obliged to meet these regulations, although there are some exemptions for payment processors. But even as an exempt TPPP, payments organisations may need a money transmitter license (MTL) which comes with a requirement to establish an AML programme. Essentially, there is no escaping the long arm of the law when it comes to AML regulations.
No banking on banks for AML accountability
Banks are often painfully familiar with the risk of non-compliance, and as such may demand their payments partners mirror their own robust AML technology and processes, meaning BSA-compliant programmes even if technically a TPPP is exempt from the FinCEN mandates. Banks are in the process of modernising legacy risk solutions to develop a holistic view of the risk profile, including financial crime risk. Currently many banks are trapped by technical debt that prevents accurate, real-time monitoring of TPPPs.
And even if a payments processor is exempt from implementing an AML programme, ignorance is not a defence in the eyes of the law. It is still a criminal offense to facilitate the laundering of the proceeds of crime, even if exempt from the mandate to implement an AML programme.
Within the U.S. market all regulatory and governmental bodies have made their stance on the risk of money laundering through payments processors, TPPPs and payments facilitators very clear.
FinCEN, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have all issued repeated reminders and guidance on the risk of money laundering in payments, including to banks who provide banking services to TPPPs. FinCEN warns that payment processors have been used to place illegal funds directly into financial institutions using ACH credit transactions originating from foreign sources, known as Payments Originating Overseas (POOs) in the UK.
The risk of unwitting non-compliance should be enough of a business case for many payments organisations to step-up their approach to AML.
Compliance as a Service creating new revenues
As payments businesses look to become or remain compliant with increasingly stringent AML regulations, they must consider their business model. Whether they want to remain a low-risk customer to banks, be seen as a robustly compliant partner, or even provide Payments as a Service to banks themselves.
Payments issuers, both for card and alternative payments, must adhere to the same onboarding and Know Your Customer (KYC) as banks do for traditional account opening. This includes for Payments as a Service or Issuing as a Service providers. Increasingly payments platform operators are offering managed services that include Compliance as a Service for their customers, in order to both protect themselves and their end customers, and to open up new revenue streams from existing customers who want a complete, flexible, and compliant service for payment from their providers.
With Compliance as a Service embedded into the payments platform, issuers and processors can optimise the customer experience (CX) with risk profiles tailored to product and customer portfolios, ensuring minimal friction and maximum protection. To operate this way, the compliance platform must be able to segregate data within a single instance to support a landlord/tenant model that meets customers’ data protection and sovereignty obligations. Additionally, a sandbox functionality that supports testing of new compliance strategies on live data can protect the customer experience, as compliance teams can be confident of the CX impact before pushing changes into production.
Financial crime focus for payments providers
Historically, issuers and processors have sought to focus primarily on transaction monitoring in order to meet AML obligations. And while this is an important part of a robust compliance programme, looking at transactions without a strong understanding of client activity can leave the payments providers at risk of failure to file Suspicious Activity Reports (SARs) in a timely manner. The behaviour of any customer in a single moment, a single transaction, is simply a snapshot in their entire lifecycle.
Payments organisations are faced with the same problems, but once they find a vendor that understands the problems they are facing, financial crime compliance can become streamlined. Great financial crime compliance (FCC) includes next generation client screening that can assess the risk of a client and their portfolio of behaviours and transactions. And for payments organisations processing large volumes of transactions without AML solutions in place, starting with a robust client screening approach can drive great efficiency and efficacy in a new AML programme.
Discover how to build a Client Screening Solution
Photo by rupixen.com on Unsplash