The Financial Action Task Force (FATF) recently cautioned that terrorists and other criminals are increasingly using internet-based financial technologies (Fintech) to raise and launder funds for illicit purposes. Areas presenting potential anti-money laundering (AML) and terrorist finance risk include crowdfunding, marketplace lending, virtual currencies, prepaid cards, and other technologies that facilitate the raising, disbursement, and transmittal of funds between end users (often internationally).
While many of these products and services are already subject to direct AML regulation as money services businesses (MSBs), particularly money transmitters, some do not fit neatly within existing AML regulatory frameworks, even though they facilitate financial transactions. Still some businesses may not appreciate the application of the AML laws to their technology or, even if they do, may not have the resources or experience to implement appropriate compliance programs.
Although regulation often lags behind technology, the growing awareness of the AML risks presented by Fintech suggests that heightened regulatory scrutiny is only a matter of time. As explained by the Director of the Financial Crimes Enforcement Network (FinCEN), the U.S. financial intelligence unit, "Innovation is laudable but only as long as it does not unreasonably expose our financial system to tech-smart criminals eager to abuse the latest and most complex products." The message is clear that FinCEN (and other federal regulators) expect businesses to develop AML compliance policies and procedures in lockstep with the launching of new technology, products, or services. Those companies that are able to develop new products and services without tripping over regulatory hurdles will have the best shot at long-term success.
What Are the AML Laws and Why Should Fintech Care?
The Bank Secrecy Act of 1970 (BSA), as amended, requires "financial institutions" to assist the U.S. government in detecting and preventing money laundering. The U.S. AML rules are administered by FinCEN, part of the U.S. Treasury. Each "financial institution" is required to implement an AML program consisting of (a) internal policies and controls; (b) a compliance officer; (c) a training program; and (d) an independent audit function. Separate but complementary to the AML laws, U.S. economic sanctions are administered by another part of Treasury, the Office of Foreign Assets Control (OFAC) (with policy direction from the State Department). The OFAC sanctions prohibit U.S. persons—wherever they are located—from engaging in transactions with certain countries, terrorists, and other persons that threaten U.S. national security.
By regulation, the term "financial institution" includes banks and other traditional financial players, as well as MSBs, loan companies, and other non-bank entities. While many of the larger players in the Fintech industry are already subject to FinCEN's AML rules as MSBs—a catchall term that covers money transmitters, prepaid, check cashers, and other similar products—others may not understand or appreciate how their technology may trigger AML responsibilities. Earlier this year, for example, FinCEN announced a consent order against Ripple Labs, Inc. (Ripple), a virtual currency operator, regarding the company's alleged failure to comply with FinCEN's AML regulations. Specifically, FinCEN found that Ripple had engaged in money transmission for several years without establishing a written AML program, and had failed to implement internal controls reasonably designed to ensure BSA compliance.
Even if not currently subject to FinCEN regulation, startups developing new Fintech services should consider whether to implement AML programs. A number of companies have already done so, particularly those involved in marketplace lending and crowdfunding. These businesses involve the use of online and other financial technology to allow direct fundraising and lending between individuals. According to FATF, Canada has investigated potential terrorism-related fundraising through crowdfunding platforms. Similarly, FinCEN's most recent annual edition of SARs Stats, a summary of suspicious activity filing reports, included a "spotlight" on crowdfunding as a potential source of illicit financial activity. Regardless of whether a service is expressly subject to FinCEN regulation, the FATF report cautions that "electronic, on-line and new payment methods pose an emerging terrorism financing vulnerability which may increase over the short term as the overall use and popularity of these systems grows."
Balancing Growth with Regulatory Compliance
One of the main advantages of startup companies is that they are flexible and able to shift course and adapt to market developments quickly. Although this helps from a commercial perspective, such nimbleness can quickly push companies into uncharted regulatory waters. The FATF report provides numerous examples of how terrorists and other criminals have leveraged social media and new payment technologies to raise, move, and place funds.
On a larger scale, the report underscores a challenge that all technology startups face: how to balance innovation, growth, and product development with regulatory compliance. From a commercial perspective, a company's management may feel they have no choice other than to focus resources on growth and product development. Regulators, however, see things differently. They expect all companies to comply with applicable laws and regulations, regardless of size or history.
At a minimum, a company that meets the definition of a financial institution under FinCEN's regulations, such as a money transmitter, must implement an AML program that satisfies regulatory requirements. But even Fintech companies whose products fall outside the scope of current AML requirements should review their products and services for potential AML (and other) risks and implement compliance management programs designed to address that risk. In addition, companies should commit sufficient resources to ensure an effective compliance function, including, as appropriate, investments in technology, staff, training, and monitoring. In this spirit, it seems that there is a growing recognition in the Fintech industry of the importance of regulatory compliance. According to a recent Silicon Valley Bank survey of the industry, nearly half of the participants identified regulatory issues as their biggest impediment to success in the coming year.
The best way to get ahead of regulatory scrutiny is to make sure that the compliance department has regular interaction with business development teams, so that compliance is able to spot potential risks and regulatory requirements in advance of product launch. As a matter of course, a company should perform regular reviews and risk assessments of its products and services. The focus of these reviews is to identify existing or potential risks, prioritize these risks, assess the effectiveness of existing controls to address such risks, and determine what additional controls are needed moving forward.
* * * * * * * * * *
The FATF report is an important reminder that new financial products and services provide criminals and terrorists with new options for raising and transmitting funds. This is a message that Fintech companies should take to heart, as FinCEN and other regulators will continue to apply their existing legal authorities to companies in developing industries. Although not an easy task, those companies that are able to address compliance alongside business development are best positioned for long-term success.