KYC and AML Fundamentals for Fintechs: 2024 Guide to Navigating Compliance
Financial technology companies – from mobile banking services and remittance providers to crypto firms – look to revolutionize how people and businesses interact with money. The industry's growth has captured regulator attention, and fintechs must comply with Know Your Customer (KYC) and anti-money laundering (AML) regulations to avoid costly enforcement actions and fines.
Read on to create a risk-based approach that ensures your KYC and AML compliance program can pass regulatory inspection.
AML Regulations Impacting Fintechs
KYC and AML regulations prevent financial crimes like money laundering and terrorism financing. To comply, fintech companies must conduct customer due diligence and screen transactions to identify and prevent illicit activities. Noncompliance can result in hefty fines and damage a fintech’s reputation with customers, investors and partners.
Key KYC and AML Regulations in the US
Bank Secrecy Act (BSA): Enacted in 1970, the BSA is a primary piece of anti-money laundering legislation in the United States. Financial institutions, including fintech companies, must establish and maintain programs to detect and prevent money laundering. Under the BSA, fintech firms are legally obligated to implement robust customer due diligence (CDD) procedures, report suspicious transactions, and maintain records of certain transactions.
USA PATRIOT Act: This law significantly expanded the scope of anti-money laundering regulations in the United States. Among its provisions, the act requires fintech companies to establish KYC programs to verify the identity of their customers, including individuals and businesses. It also mandates enhanced due diligence for high-risk customers, like politically exposed persons (PEPs), and imposes strict reporting requirements for suspicious transactions.
Corporate Transparency Act (CTA): The CTA was adopted as part of the Anti-Money Laundering Act (AMLA Act) and is the most recent modernization of the US AML regulatory regime. The most important change introduced by the CTA is the requirement that all companies file beneficial ownership disclosures with FinCEN in an effort to combat the use of shell and shelf companies in money laundering.
KYC and AML Regulations in the EU
Sixth Anti-Money Laundering Directive (6AMLD): The 6AMLD came into effect in 2020 and builds on the existing EU anti-money laundering framework established under the Fifth Anti-Money Laundering Directive (5AMLD). It introduces further measures to enhance the EU's efforts to combat money laundering and terrorist financing. Fintech companies operating in the EU are required to comply with the provisions of the 6AMLD. This directive expands the scope of criminal liability for money laundering, enhances penalties for money laundering, improves cross-border cooperation and requires the establishment of beneficial ownership registers accessible to authorities.
KYC and AML Regulations in the UK
Money Laundering Regulations: The Money Laundering Regulations in the United Kingdom, first adopted in 2017, outline the requirements for businesses to prevent money laundering and terrorist financing. Fintech companies operating in the UK must comply with these regulations by implementing risk-based KYC and AML procedures, conducting ongoing monitoring of customer transactions, and reporting suspicious activities to the appropriate authorities. Additionally, the regulations require fintech firms to appoint a designated officer responsible for overseeing AML compliance.
Money Laundering Risks Impacting Fintechs
Fintechs are particularly susceptible to money laundering risks due to the digital nature of their operations; from peer-to-peer payments to cryptocurrency exchanges, fintech platforms provide ample opportunities for criminals to launder money.
Regulators have noticed, and fines against fintech companies for sanctions violations are rising. For example, in 2023 OFAC issued fines against prominent fintech companies, including but not limited to:
Binance (cryptocurrency exchange): fined over $4.3 billion, the largest ever against a crypto firm, in November 2023 for inadequate KYC and AML compliance controls;
Poloniex (cryptocurrency exchange): fined $7.6 million in May 2023 for violating sanctions against Crimea, Iran, Syria and elsewhere; and
daVinci Payments (payment services provider): fined over $200,000 in November 2023 for violating sanctions against Cuba, Iran, Syria and elsewhere.
Adopt a Risk-Based Approach
Fintech companies can use a risk-based approach to enhance KYC and AML efforts. This involves assessing the company’s risk exposure associated with products and services offered, geographic locations and customer profiles. Exposure to these core risk drivers can then be prioritized according to severity and potential impact. Fintechs can then implement compliance controls to mitigate their risk exposure and comply with relevant KYC and AML regulations.
Screening for Financial Crime
To effectively comply with KYC and AML regulations under a risk-based approach, fintechs must screen several types of financial crime risk data. The type and frequency of screening are determined by the organization’s risk profile and may include the following risk data:
Sanctions Screening
Screening customers against sanctions lists helps prevent individuals or entities involved in illegal activities from using fintech platforms. It’s vital to ensure your sanctions screening provider has global coverage to align with current and future geographic exposure.
PEP Screening
Identifying which customers are Politically Exposed Persons (PEPs) and Relatives and Close Associates (RCAs) helps mitigate the risk of corruption and bribery. These individuals and related parties pose a higher risk of money laundering due to their political position.
Adverse Media Checks
Screening for adverse media helps identify customers with negative reputations or involvement in criminal activities. It’s essential that an adverse media screening provider can provide real-time searches of global media, local outlets, regulatory publications and law enforcement press releases.
Beneficial Ownership and OFAC 50% Rule Screening
Identifying beneficial owners of corporate entities helps prevent the misuse of fintech platforms for illicit activities and is part of the Know Your Business (KYB) process. Screening beneficial ownership is also required under the US Corporate Transparency Act (CTA) and ensures compliance with the US OFAC 50% Rule or similar regulations adopted by the EU and UK that automatically block any business owned 50% or more by a sanctioned party.
Export Controls Screening
Export controls are an increasingly popular policy tool to restrict designated parties’ access to sensitive items. Screening against export controls ensures that you are not providing services or goods to restricted parties identified by authorities like the US Bureau of Industry and Security (BIS) or Japan’s Ministry of Economy, Trade and Industry (METI).
Law Enforcement Most Wanted, Contract Debarment and Other Watchlists
Screening against law enforcement most wanted lists, lists of companies barred from contracting with governments and other financial crime risk data categories ensures fintechs can accurately identify financial crime and other risks during the onboarding process.
When Should Fintechs Conduct Compliance Screening?
Conducting compliance screening is necessary at several stages of a fintech's business operations, from onboarding customers to processing individual payments.
AML Compliance During Customer Onboarding
It’s necessary to screen new customers, vendors and counterparties before offering services and establishing a business relationship. As part of a risk-based approach balancing seamless onboarding with thorough compliance processes, fintechs should have a Know Your Customer or Know Your Business (KYC/KYB) program that includes screening all new customers.
Know Your Customer (KYC) and Know Your Business (KYB)
KYC and KYB are the overarching compliance processes that confirm the identity and background of customers and their businesses. Effective KYC and KYB enable fintechs to assess risks associated with each customer and tailor their compliance efforts accordingly.
Within KYC and KYB, fintechs must verify the identity of customers to prevent identity theft or fraud as part of a Customer Identification Program (CIP) as outlined in relevant AML regulations.
Based on a customer’s assessed money laundering risk during the CIP process and screening, fintechs must conduct customer due diligence (CDD) or enhanced due diligence (EDD) for high-risk customers to verify the information provided by a new customer or business counterparty.
Read more about this onboarding process, including CIP, CDD and EDD in our best practices guide for KYC onboarding.
Rescreening and Ongoing Monitoring
Regularly rescreening or monitoring customers for changes to their risk profile based on newly issued sanctions or other financial risk data helps detect and prevent money laundering. Fintech companies should approach rescreening like traditional financial institutions, which typically rescreen every customer daily to ensure they have not been added to a sanctions list.
Transaction Screening
Screening transactions in real time helps identify and block illicit activities. This includes screening transaction originators, transaction recipients, and any intermediary party facilitating or processing transactions. Transaction screening applies especially to fintechs involved in processing domestic payments, international wires, or other cross-border transactions, including digital asset transactions.
Read more about this compliance process in our best practices guide for transaction screening.
What to Look for in a KYC and AML Compliance Solution
When assessing an AML compliance screening system for customer onboarding, rescreening and transaction screening, the critical components are:
Accuracy: Reducing false positives minimizes unnecessary manual compliance reviews and avoids operational disruptions during onboarding and transaction approval. Castellum.AI reduces false positives by up to 88% compared with legacy screening systems.
Coverage: Global coverage of relevant sanctions, adverse media, and other financial crime risk data is essential to comply with local AML regulations where fintechs offer services.
Enriched Financial Crime Data: Financial crime risk data is published by government authorities in different languages, data formats and varying degrees of quality. An AML compliance screening system should standardize and enrich that data to improve accuracy and eliminate the risk of false negatives. Castellum.AI’s patented process automatically extracts and standardizes critical data like dates of birth, ID information, crypto addresses and more to ensure accurate screening.
Speed: Over 6,000 new sanctions were implemented in 2023 alone, and sanctions lists can update multiple times a day. At Castellum.AI, our financial crime risk data is updated every 5 minutes.