The Financial Action Task Force (FATF) recently cautioned that
terrorists and other criminals are increasingly using
internet-based financial technologies (Fintech) to raise and
launder funds for illicit purposes. Areas presenting potential
anti-money laundering (AML) and terrorist finance risk include
crowdfunding, marketplace lending, virtual currencies, prepaid
cards, and other technologies that facilitate the raising,
disbursement, and transmittal of funds between end users (often
internationally).
While many of these products and services are already subject to
direct AML regulation as money services businesses (MSBs),
particularly money transmitters, some do not fit neatly within
existing AML regulatory frameworks, even though they facilitate
financial transactions. Still some businesses may not appreciate
the application of the AML laws to their technology or, even if
they do, may not have the resources or experience to implement
appropriate compliance programs.
Although regulation often lags behind technology, the growing
awareness of the AML risks presented by Fintech suggests that
heightened regulatory scrutiny is only a matter of time. As
explained by the Director of the Financial Crimes Enforcement
Network (FinCEN), the U.S. financial intelligence unit,
"Innovation is laudable but only as long as it does not
unreasonably expose our financial system to tech-smart criminals
eager to abuse the latest and most complex products." The
message is clear that FinCEN (and other federal regulators) expect
businesses to develop AML compliance policies and procedures in
lockstep with the launching of new technology, products, or
services. Those companies that are able to develop new products and
services without tripping over regulatory hurdles will have the
best shot at long-term success.
What Are the AML Laws and Why Should Fintech Care?
The Bank Secrecy Act of 1970 (BSA), as amended, requires
"financial institutions" to assist the U.S. government in
detecting and preventing money laundering. The U.S. AML rules are
administered by FinCEN, part of the U.S. Treasury. Each
"financial institution" is required to implement an AML
program consisting of (a) internal policies and controls; (b) a
compliance officer; (c) a training program; and (d) an independent
audit function. Separate but complementary to the AML laws, U.S.
economic sanctions are administered by another part of Treasury,
the Office of Foreign Assets Control (OFAC) (with policy direction
from the State Department). The OFAC sanctions prohibit U.S.
persons—wherever they are located—from engaging in
transactions with certain countries, terrorists, and other persons
that threaten U.S. national security.
By regulation, the term "financial institution" includes
banks and other traditional financial players, as well as MSBs,
loan companies, and other non-bank entities. While many of the
larger players in the Fintech industry are already subject to
FinCEN's AML rules as MSBs—a catchall term that covers
money transmitters, prepaid, check cashers, and other similar
products—others may not understand or appreciate how their
technology may trigger AML responsibilities. Earlier this year, for
example, FinCEN announced a consent order against Ripple Labs, Inc.
(Ripple), a virtual currency operator, regarding the company's
alleged failure to comply with FinCEN's AML regulations.
Specifically, FinCEN found that Ripple had engaged in money
transmission for several years without establishing a written AML
program, and had failed to implement internal controls reasonably
designed to ensure BSA compliance.
Even if not currently subject to FinCEN regulation, startups
developing new Fintech services should consider whether to
implement AML programs. A number of companies have already done so,
particularly those involved in marketplace lending and
crowdfunding. These businesses involve the use of online and other
financial technology to allow direct fundraising and lending
between individuals. According to FATF, Canada has investigated
potential terrorism-related fundraising through crowdfunding
platforms. Similarly, FinCEN's most recent annual edition of
SARs Stats, a summary of suspicious activity filing reports,
included a "spotlight" on crowdfunding as a potential
source of illicit financial activity. Regardless of whether a
service is expressly subject to FinCEN regulation, the FATF report
cautions that "electronic, on-line and new payment methods
pose an emerging terrorism financing vulnerability which may
increase over the short term as the overall use and popularity of
these systems grows."
Balancing Growth with Regulatory Compliance
One of the main advantages of startup companies is that they are
flexible and able to shift course and adapt to market developments
quickly. Although this helps from a commercial perspective, such
nimbleness can quickly push companies into uncharted regulatory
waters. The FATF report provides numerous examples of how
terrorists and other criminals have leveraged social media and new
payment technologies to raise, move, and place funds.
On a larger scale, the report underscores a challenge that all
technology startups face: how to balance innovation, growth, and
product development with regulatory compliance. From a commercial
perspective, a company's management may feel they have no
choice other than to focus resources on growth and product
development. Regulators, however, see things differently. They
expect all companies to comply with applicable laws and
regulations, regardless of size or history.
At a minimum, a company that meets the definition of a financial
institution under FinCEN's regulations, such as a money
transmitter, must implement an AML program that satisfies
regulatory requirements. But even Fintech companies whose products
fall outside the scope of current AML requirements should review
their products and services for potential AML (and other) risks and
implement compliance management programs designed to address that
risk. In addition, companies should commit sufficient resources to
ensure an effective compliance function, including, as appropriate,
investments in technology, staff, training, and monitoring. In this
spirit, it seems that there is a growing recognition in the Fintech
industry of the importance of regulatory compliance. According to a
recent Silicon Valley Bank survey of the industry, nearly half of
the participants identified regulatory issues as their biggest
impediment to success in the coming year.
The best way to get ahead of regulatory scrutiny is to make sure
that the compliance department has regular interaction with
business development teams, so that compliance is able to spot
potential risks and regulatory requirements in advance of product
launch. As a matter of course, a company should perform regular
reviews and risk assessments of its products and services. The
focus of these reviews is to identify existing or potential risks,
prioritize these risks, assess the effectiveness of existing
controls to address such risks, and determine what additional
controls are needed moving forward.
The FATF report is an important reminder that new financial products and services provide criminals and terrorists with new options for raising and transmitting funds. This is a message that Fintech companies should take to heart, as FinCEN and other regulators will continue to apply their existing legal authorities to companies in developing industries. Although not an easy task, those companies that are able to address compliance alongside business development are best positioned for long-term success.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.