BSA/AML Traps for the Unwary: FinTech Compliance Does Not Always Equal Bank Compliance
This alert was expanded for additional publication by Law360 under the title Fintech Compliance Does Not Always Equal Bank Compliance.
The new year is a good time to revisit policies and procedures and ensure they reflect the goals and risks of your institution. With rapidly evolving technology, frequent and regular review of policies and procedures is important to mitigate loss and ensure safety and soundness. For banks working with Financial Technology (FinTech) providers – whether as partners to extend their reach or as internal resources to support existing operations – few areas of risk need more frequent attention than Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance.
BSA/AML risk and compliance routinely ranks among the top examination priorities for federal functional regulators and results in enforcement actions and millions of dollars in fines and penalties every year. While banks and FinTechs often have independent compliance obligations, banks cannot delegate their compliance burdens to their FinTech partners, and a FinTech's satisfaction of its own independent obligation does not satisfy the bank's obligation. Although the compliance obligations of banks and FinTechs are in many cases similar, a bank must comply with its own obligations, not those of its FinTech partner.
The difference between the bank's obligations and those of its FinTech partner often leads to differences over what it means to comply with or satisfy BSA/AML requirements. Fundamentally, though, when structuring FinTech arrangements, because FinTechs work with banks as a service provider, the obligation should be for the FinTech to meet the bank's, not for the bank to accept the FinTech's.
What's the difference between BSA/AML compliance for FinTechs and banks?
FinTechs are often categorized as money services businesses for BSA/AML purposes. Federal regulations require money services businesses to obtain and retain certain limited transaction-level information, such as the name and address of the funds transmitter, the date and amount of funds transmitted, and the name and address of the recipient.
While transactions with certain individuals or transmission of funds to certain jurisdictions are prohibited, FinTechs generally have no independent obligation under federal law to ascertain the source of funds or to "know" the transmitter to the extent banks are required to. FinTech responsibilities are generally documentary, meaning they must screen for certain transactions, keep records and report various transactions to law enforcement authorities.
By contrast, banks are required to adopt and implement a robust BSA/AML program that includes "at a minimum":
- Internal controls that assure compliance
- Independent compliance testing
- A designated BSA officer responsible for coordinating and monitoring compliance
- Formal training and testing for personnel
- Robust customer due diligence
Banks’ customer due diligence must determine the nature and purpose of the customer relationship, build customer risk profiles, and identify and mitigate risk. For each customer, this involves documenting sources of funding, typical transaction volumes, types and ranges, typical payees, etc.
Customer identification programs for banks are also heavily prescribed by federal regulation and require documentary and non-documentary identity verification through specified methods. For non-individual customers, banks must drill down to determine and identify the individual owners. This gives banks a full view of each transaction to help them identify suspicious transactions and coordinate with law enforcement authorities to prevent intermediating or funding illegal activities.
How do bank/FinTech agreements assign compliance duties?
In many bank/FinTech partnerships, the FinTech undertakes principal compliance activities for the program it runs with, through, and on behalf of the bank. This activity is memorialized in the program agreement and is often captured in somewhat general language. For example, it is not uncommon for program agreements to provide language to the effect that:
Program Manager and Bank shall develop, and Program Manager shall implement, policies and procedures to comply with all know-your-customer (KYC), anti-money laundering (AML), and identity verification (IDV) rules and regulations applicable to the Customer Accounts under Applicable Law and Bank Rules. Program Manager shall make commercially reasonable efforts to ensure compliance with all Applicable Law and Bank Rules pertaining to KYC, AML and IDV in connection with each Program and maintain appropriate record-keeping relating to the foregoing. Such policies and procedures, which shall be in effect prior to enrolling any Customers in a Customer Account, are subject to prior review and written approval by Bank, which approval shall not be unreasonably conditioned, withheld or delayed.
And while program agreements often allow the bank to review the FinTech's policies and procedures regarding BSA/AML compliance, as well as monitor and audit the program for compliance, it is not uncommon for banks to rely on the FinTech more heavily than is perhaps wise. The general nature of standard program agreements and the over-reliance by the bank create an opportunity for misunderstanding, on the one hand, and non-compliance, on the other, since the fundamental nature of "compliance" for a FinTech is in many cases different from that for a bank. Left to its own devices, and in good faith, a FinTech partner may satisfy its own regulatory obligation without satisfying the bank's. This creates regulatory and perhaps civil or criminal exposure for the bank, not to mention the opportunity for customer harm and reputational risk.
How can banks ensure compliance?
To ensure BSA/AML compliance, banks need to understand their regulatory obligations and set policy based on those obligations and their strategic goals. From there, they should develop procedures to support the policy. For banks working with FinTechs, particularly those on whom the bank is relying to meet its compliance obligations, procedures must include activities designed to understand the FinTech's own policies and procedures, to monitor and test compliance with those procedures, and to evaluate the results.
As discussed above, the critical lens through which "compliance" must be viewed is that of the bank and its obligations, rather than those of the FinTech. Banks must also ensure the program agreement obligates the FinTech to modify its policies, procedures, training and implementation of BSA/AML compliance-related activity if the bank's monitoring and testing reveal deficiencies. To avoid misunderstandings and disputes, this right should be specifically set out in the program agreement instead of just tacitly understood.
‘Tis the season to review policies and procedures! With respect to FinTechs and BSA compliance, that means both the bank's policies and procedures and those of its program partners. Banks reviewing their positions should make sure obligations and expectations are aligned in their FinTech program agreements.
Please contact Chris Couch or any member of Phelps’ Banking and Financial Services team with questions or for advice or guidance.