As the FinTech industry continues to grow in the United States, so do the opportunities for criminals to exploit systems meant to foster innovation.

With that in mind, a trade group in the United Kingdom called the FinTech FinCrime Exchange has expanded here to promote collaboration between financial entrepreneurs and law enforcement officials. Their goal is to develop best practices in risk management that would minimize the use of financial technology to support illegal activities.

“When we heard what was going on in the U.K. and the Netherlands, we thought there was tremendous opportunity to really build on that in the U.S.” said Julie Myers Wood, the CEO of Guidepost Solutions and a co-founder of FINTRAIL Solutions.

FINTRAIL, a financial crime consultancy company, helped to create the trade group in 2017. The organization boasts 80-plus members in the U.K. and the Netherlands. The digital-only banks Monzo and Revolut and the payments software developer Stripe are some of the more recognizable companies participating in the group.

With U.S.-based FinTechs facing the same challenges as their counterparts overseas, the exchange said it was natural to expand to America. It held a kickoff event Thursday in New York, which will serve as its U.S. central hub. Robert Evans, FINTRAIL’s CEO and co-founder, said the organization will create a chapter in San Francisco early next year, and then add outposts in emerging FinTech hubs such as Chicago. The organization also wants to establish chapters throughout Asia and Europe.

“Over time, what we want to do is create a global network of FinTech compliance professionals to fight financial crime,” he said.

One pillar of the organization’s plan is to establish better lines of communication between FinTechs and state and federal authorities.

Representatives from the U.S. Department of the Treasury and the U.S. Department of Homeland Security attended the event Thursday as the trade group hosted panel discussions focused on criminal threats to the U.S. FinTech industry.

“It’s important to have that trust and collaboration between regulators and startups,” Angel Melendez, special agent in charge of Homeland Security Investigations at the U.S. Department of Homeland Security, said during a panel discussion.

“We’re really out there to find the worst of the worst. We’re not here to disrupt the financial sector. We’re here to protect it,” he said.

Some government officials still have misconceptions about how FinTechs operate, Wood said before the event. She mentioned Silk Road, the now defunct online black market where bitcoin was used to purchase illegal drugs and firearms. Its notoriety has led to heightened scrutiny of cryptocurrency related FinTechs, she said.

“I think for some law enforcement, that’s what stuck in their head,” Wood said about Silk Road. “Part of our job is to convince regulators to look beyond that.”

On the other side, Wood said FinTechs need to understand how law enforcement authorities think about their businesses. “What am I going to do so that I don’t run into a roadblock that causes my business to shut down?” she said.

When Wood asked Melendez which areas Homeland Security monitors, he said the department “looks at every crime under the sun.” However, Melendez identified three areas Homeland Security is especially interested in: child exploitation, human trafficking and the opioid epidemic.

Some of that activity is happening in New York. Criminals have used cryptocurrencies to exchange funds related to such crimes there, Melendez said.

“Those are the most nefarious of the crimes,” Melendez said. “Hopefully, this does stir something in your stomach. Innovation is important, but you have to be responsible with your innovation.”

Daniel Burstein, senior managing director for Guidepost, said the compliance offer at a FinTech company needs to act as an extension of law enforcement. “As a compliance officer, you’re in a law enforcement role,” he said. “You should consider yourself everyday as a partner of law enforcement.”

Burstein added that while no company will stop bad actors “100% of the time,” the appropriate compliance controls need to be in place to ensure any platform is safe and being used for the right reasons.

“If you want to know what keeps me up at night, it’s exactly these things,” he said.

Originally published here:

https://www.americanbanker.com/news/fintechs-to-law-enforcement-lets-be-partners-not-adversaries

Digital payments remain vulnerable to abuse by financial criminals seeking to make fast payments and undetected payments through the financial system.

There are multiple ways in which digital payments can be used by those laundering money, committing fraud, or financing terrorism. What are some of the risks fintechs should be thinking about, and what are the ways to mitigate them?

Because financial crime risks, properly mitigated, are in fact business opportunities, fintechs that take this seriously can give themselves a competitive advantage over those that have not done so.

Here are some notable examples and typologies we have come across in our own work and research:

Transaction laundering. In transaction laundering, criminals set up an internet store that purports to sell legitimate goods but is in fact laundering funds or selling illicit goods. These fake stores are onboarded by unsuspecting merchant processor systems, which process the transactions in good faith. Recent research by EverCompliant, a cyberintelligence firm, suggests that transaction laundering for the online sales of products and services in the U.S. for all financial services (of which fintech is only a part) reaches over an estimated $200 billion a year, with $6 billion going on illicit goods.

Buyer/seller collusion. As these figures suggest, there is often no underlying trade taking place. In these instances, there is likely to be collusion between the “buyers” and “sellers.“

Authorized pushed payment fraud. This crime occurs when fraudsters mislead consumers or businesses through false documentation, or manipulation through social-engineering techniques, into sending a digital payment to an account that appears to be legitimate but is in fact controlled by the fraudster.

Synthetic identify fraud. In “traditional” identity fraud, the criminal steals the credentials of a real individual. In synthetic identity fraud, the criminal starts with some authentic stolen credentials. In the United States, these are often Social Security numbers, especially those from economically “dormant” individuals such as children and senior people, which are then synthesized with fake information on addresses, age, etc., to create a new identity. According to research published in May, synthetic identity fraud resulted in $820 million in credit card losses in 2017, up from $580 million in 2015, with further rises expected in the future.

Terrorist financing. Terrorism experts have suggested for some time that online stores could be used as fronts by terrorist groups, and the March 2018 conviction of a U.S. citizen, Mohamed Elshinawy, has provided an example of this. Elshinawy, a self-professed member of the Islamic State, was believed to have received more than $8,000 from Islamic State facilitators via PayPal, ostensibly for sales of printers through his eBay account. The funds were intended to support operations in the United States, including possible attacks.

These kinds of crimes raise two key financial crime risks for fintechs in the digital payments sector: genuinely knowing your customer (KYC) and identifying unusual patterns in transactions.

Regulation technology, or regtech, is an important means of addressing these issues. There are an increasing range and variety of sophisticated online/virtual document verification firms that can test document validity through a range of techniques, from visual analysis to verifying against publicly available information and "scraping" from social media. Other firms have focused on the second problem, developing transactional monitoring tools, some using machine learning, to seek to identify unusual patterns of transactions.

However, before turning to technology, any firm working in the fintech sector should undertake a customer risk assessment during onboarding. Such an assessment should use factors that are relevant to the customer type and business model, to ensure it assesses credible indicators of risk. An assessment also provides an invaluable future benchmark for whether account and client conduct can be considered "normal," and should be regularly refreshed as the relationship continues.

Moreover, fintech employees themselves need to understand what financial crime might look like "in the moment." Even if regtech tools can identify potential “alerts,” these need to be investigated internally before possibly filing a suspicious activity report. When it comes to customer due diligence and KYC, often simple in-house investigatory measures can help. For example, a Google search of the client’s payment details or static information, such as an address, might also appear on other sites for other, completely unrelated and possibly questionable businesses.

In terms of transactions, there are common red flags that digital payments fintechs should be aware, including:

Turnover mismatch. At the opening of an account, it is common to ask the client what kind of turnover is likely in the account. Substantial differences in the expected pattern of use are worthy of investigation.

Payments incommensurate with business. Accounts might receive funds that do not appear realistic in light of the goods supposedly being traded. For instance, an online bookstore is likely to receive payments well below the $100 mark, and anything above that level would be anomalous.

Possible payment “structuring.” Accounts might receive a large amount of similar-sized funds, possibly in, or close to, round figures. This might be indicative of the "structured" payments of illicit funds in smaller batches, to avoid suspicion.

High/low velocity of payments. Short periods of high-velocity payments, or alternatively long periods of account dormancy, or alternating periods of both, are potentially indicative of an account not being used for the trading of goods, which would be likely to show a more random pattern.

Frequent cross-border transactions. Numerous cross-border payments from different jurisdictions might also be of concern, especially when those jurisdictions, such as known tax havens, might be considered higher risk from a financial-crime perspective.

None of these individual indicators should be sufficient on its own to show an elevated risk. However, in increasing combination, they should be of concern to any digital payment provider. The key question that needs to be asked is whether this makes sense, and if it does not, act accordingly. Combining this information, with that gathered at onboarding and during the life cycle of the customer, is key to helping to establishing and sifting out the potentially unusual from the downright suspicious.

Originally published here:

https://www.paymentssource.com/opinion/the-digital-payment-crime-threat-portends-a-fintech-regtech-alliance

As published in Forbes, September 27, 2018. Authored by Julie Myers Wood.

Say goodbye to the under-regulated era of cryptocurrency. While crypto trading on the more mainstream exchanges is fueling the market, it’s also bringing greater scrutiny from regulators, as shown by the recent report by the New York State Attorney General’s office (OAG) on crypto exchange abuse, The Financial Action Task Force (FATF) announcements about upcoming crypto standards, and warnings to investors. And as guidance emerges and enforcement actions increase, crypto exchanges will, slowly but surely, start to look a lot more like other regulated financial markets.  Just last month, the Financial Crimes Enforcement Network (FinCEN) announced that it now receives over 1,500 suspicious activity reports (SARS) on crypto a month now.

In the early years, crypto-trading occurred through a fragmented network of exchanges around the world, largely between anonymous parties. But it was the 2016-17 boom in Bitcoin, Ethereum, and Litecoin that really brought crypto trading to the attention of regulators.

As it stands, the current shifting regulatory landscape for cryptocurrencies in the U.S. is still very confusing. State and federal regulators are struggling to keep pace with the innovations in cryptocurrencies, and the speed to which trading has taken off.

An administrator or exchanger of cryptocurrency is a money services business (MSB).  MSBs are considered financial institutions under the Bank Secrecy Act. This, in turn, means that they fall under the FinCEN’s oversight. The Securities and Exchange Commission (SEC) considers some cryptocurrencies and Initial Coin Offerings (ICOs) as securities, and therefore subject to securities regulations. The U.S. Commodity Futures Trading Commission also views virtual currencies as commodities.  At the same time, the Financial Industry Regulatory Authority (FINRA)just recently filed its first enforcement action against an individual for marketing an unregistered cryptocurrency security.  And those are just the federal agencies—the New York State Department of Financial Services (DFS), by way of example, regulates virtual currency activities through its BitLicenses and trust company charters.  If that all sounds complicated, that’s because it is.

Shifting regulatory landscape

So, how should crypto exchanges navigate such a complex and shifting regulatory landscape?

Global crypto exchanges must develop and implement robust compliance programs covering a wide range of topics.  And yet, for just about any crypto exchange overseeing billions in assets, maintaining exhaustive compliance programs is both time-consuming and expensive.  Risk-based choices that must be made can be chancy in the absence of clear guidance and without a long history of regulatory interpretations and legal precedent.

Nonetheless, certain basic actions are clear.  This begins with creating and implementing basic Know-Your-Customer requirements. But exchanges also need to implement robust anti-money laundering (AML), fraud prevention, and sanctions screening controls. Crypto exchanges whose compliance programs fail to meet regulators’ expectations will face the risk of costly enforcement actions. Just last year, FinCEN announced a significant fine against the BTC-e exchange and the owner of the BTC-e for violating AML laws, while the U.S. Department of Justice later filed criminal charges against BTC-e’s owner.

In developing their financial crime program, exchanges should think creatively about how to effectively incorporate tools into compliance and operations. As business grows and the volume of transactions increases, it will be increasingly difficult to keep up with any alerts relating to customer transactions and performing sufficient checks with respect to onboarding new customers and monitoring existing customers.

Another key area that must be a focus is market manipulation.  Exchanges must create and implement a robust policy and corresponding framework designed to combat market manipulation.  Market manipulation can take many forms, including trader and bot activity to artificially inflate prices (as indicated by price momentum and volume), and the failure by some trade engines who do not properly control the placement of matching orders opposite buy/sell orders.

Cybersecurity is also an ongoing, and ever-changing challenge, in which failures can take a heavy toll. Just take a look at Mt. Gox, which now faces claims of over $1 billion in lost cryptocurrency, after its own bankruptcy. Crypto exchanges are still a high priority target for hackers. Hackers put a premium on personally identifiable information (PII), such as social security numbers, making the safeguarding of customer and transactional data pivotal. Assembling a cybersecurity team is an important factor in keeping your exchange compliant.  In addition to mitigating risk, a robust cybersecurity program may even be required by relevant regulations depending on where the exchange operations.  The NYS DFS has issued specific cybersecurity requirements for all entities it regulates—some of those requirements include risk assessments, designating a chief information security officer (CISO), and incident management plans.

Where we go from here

It can seem like government regulations move at a snail’s pace compared to the speed of innovation in cryptocurrencies. While regulators continue to work through existing and future regulations, and we await new global FATF standards, exchanges can consider participating in a self-regulatory organization (SRO), such as the newly formed Virtual Commodity Association.  There are many unanswered questions as exchanges grow, and the potential of SROs to help address issues and provide guidance is significant.  We have one such example already—in June of this year, the CFTC announced that it is simplifying certain obligations imposed on an SRO when carrying out financial surveillance program for futures commission merchants.

To grow business and be competitive, exchanges will have to put in place compliance programs that are not only compliant with applicable regulations but will also protect them from financial crimes that can cause irreparable reputational damage.  These compliance programs must be reliable and flexible, and constantly updated to meet the evolving requirements by federal agencies. Using robust, sophisticated tools that can automate transaction monitoring, customer screening, and certain facets of onboarding and transactions, along with setting up appropriate interfacing, will allow exchanges to devote appropriate compliance personnel and resources to the riskiest facets of the exchange and its customers.  Such programs will go a long way in reassuring both regulators and verified investors that crypto trading is a legitimate financial market and that their under-regulated days are in fact a thing of the past.

Key Points

1. Global policymakers have set their sights on cryptocurrencies, signalling that tackling the related financial crime risks is a major security priority

2. With the adoption of the Fifth Money Laundering Directive (5AMLD), cryptocurrency exchanges and wallet providers across the EU will soon face direct regulatory scrutiny and must ensure that they have appropriate financial crime risk management frameworks in place

3. In countries such as the US, where crypto-related AML/CTF regulation has already been in place for some time, regulators have indicated that they will intensify scrutiny of crypto businesses

4. Banks and other financial institutions are also facing pressure from regulators to manage their exposure to cryptocurrencies and related risks

5. The foundations for implementing a successful risk-based approach to cryptocurrencies rests on several pillars: conducting thorough risk assessments; defining risk appetite; cultivating staff competency and subject matter expertise; developing robust governance arrangements; developing, deploying and testing bespoke tools; and collaborating with industry peers 

6. In this briefing, FINTRAIL explores how companies can successfully manage cryptocurrencies’ unique financial crime risks in an innovation-friendly manner

Introduction

The EU’s adoption of the Fifth Money Laundering Directive (5AMLD) in July 2018 marks an important moment for cryptocurrency businesses across Europe. By January 2020, EU member states must bring crypto exchanges and custodial wallet providers within the scope of their anti-money laundering and countering the financing of terrorism (AML/CFT) regulation. 

The so-called ‘Wild West’ environment for crypto businesses is coming to an end.

5AMLD will put the EU’s crypto industry on par with peers in the US, where the Financial Crime Enforcement Network (FinCEN) clarified in 2013 that crypto exchanges are subject to AML/CFT regulation. Many in the EU’s crypto industry have attempted to get ahead of the curve. 

Even prior to 5AMLD’s adoption, some crypto businesses across the EU had implemented AML/CFT policies and procedures, demonstrating their intention to be responsible actors. Europol has noted that, even absent formal regulation to date, many crypto exchanges across the EU, ‘aim to comply with AML requirements regarding customer due diligence and transaction monitoring . . . [and] many have shown themselves to be willing and capable of supporting [law enforcement] investigations.’  

5AMLD nonetheless marks a turning point. EU crypto exchanges and wallet providers can’t merely be compliant on paper or on a voluntary basis any longer. They will soon be expected to demonstrate to regulators that they are actively managing their financial crime risks in a proportionate and effective manner. Failure to do so could mean fines or other penalties for crypto businesses that fail to meet regulators’ expectations. 

In countries where crypto-related regulations are already in place, such as the US, signs point to a climate of intensifying regulatory scrutiny. In March of 2018, FinCEN issued guidance stating that the exchange of Initial Coin Offerings (ICOs) falls within its remit. In April 2018, New York’s Attorney General’s Office launched an inquiry into the accountability and transparency of crypto exchanges, requesting that thirteen major crypto exchanges disclose information about the nature of their compliance frameworks, including their AML/CFT programmes.

‘Treasury’s FinCEN team and our law enforcement partners will work with foreign counterparts across the globe to appropriately oversee virtual currency exchangers and administrators who attempt to subvert U.S. law and avoid complying with U.S. AML safeguards 1.’

- Acting FinCEN Director Jamal El-Hindi, July 2017 

It’s not only crypto exchanges that are coming under the microscope. Regulators are putting increasing pressure on all financial institutions to manage cryptocurrency risks. In June 2018, the UK’s Financial Conduct Authority (FCA) published a letter to firms in which it set out its expectation that banks and other financial institutions should evaluate and manage the crypto-related financial crime risks they face. 

Beyond the US and Europe, from Canada to Japan to Australia and beyond, regulators are taking a closer look at the nature of cryptocurrency risks and how the financial sector is managing them. The Financial Action Task Force (FATF) is currently reviewing the applicability of global AML/CFT standards to cryptocurrencies, demonstrating the renewed will of global policymakers to tackle the perceived risks. 

‘The global regulatory environment for virtual currencies/crypto-assets is changing rapidly. This may make it challenging to ensure a consistent global approach, which could increase risks. Given the highly mobile nature of virtual currencies/crypto-assets, there is a risk of regulatory arbitrage or flight to unregulated safe havens.’

- FATF Report to the G20 Finance Ministers and Central Bank Governors, July 2018 

In this environment, it may be tempting to find quick fixes and to address new risk management challenges with old compliance solutions. Unfortunately, the same old approaches won’t work. Cryptocurrencies present unique financial crime risk management challenges that warrant unique solutions. A thoughtful risk-based approach to cryptocurrencies requires thinking outside the box. 

In this briefing paper, we share our thoughts about how firms in the crypto industry and in the broader financial sector can meet the challenge. 

The Crypto Industry

Crypto businesses need to keep in mind that ‘compliance’ is not just about ticking boxes. 

Best practice in AML/CFT is about thoughtfully managing risk. A well-calibrated risk-based approach can allow a crypto exchange or wallet provider to establish a truly comprehensive financial crime risk management framework that protects the integrity of its business, reduces exposure to financial crime and mitigates regulatory risk. 

We’ve identified five key areas that can help a crypto business build a best-in-class risk management framework. 

#1 Assessing Risk

A well-designed risk based approach starts with a thorough financial crime risk assessment. For crypto businesses, a risk assessment that takes account of the unique features and challenges of crypto products and services is essential. What’s more, it is important to develop a risk assessment framework that is scalable and can be used to evaluate changes in risk exposure as a company grows.  

Current regulatory guidance, such as the UK’s Joint Money Laundering Steering Group (JMLSG), sets out factors to consider when undertaking a firm-wide risk assessment:

• Geography – Crypto businesses should assess risks related to where they are located and where they offer services. For example, is a crypto exchange registered in a jurisdiction with a strict regulatory environment, and how does this operating environment impact its risk profile? Is the platform accessible from jurisdictions subject to international sanctions? Is the service available in countries with high levels of terrorist financing?  

• Customers – A crypto business should also consider whether factors about its specific customer base could impact its overall risk profile. For example, does it have any customers who are politically exposed persons (PEPs)? If so, who are those PEPs and does their source of wealth present any red flags? Are customers who are nationals of countries associated with high levels of human trafficking creating accounts in large numbers, and if so, do those accounts present signs of unusual activity?

• Product – A crypto business needs to consider how any product features might impact its risk exposure. Does the product enable the rapid conversion of fiat currency to crypto in a way that might prove attractive to money launderers? Is the product vulnerable to high value money laundering, or do its features present a risk of lower-value money mule activity that can be pervasive but difficult to detect? 

• Delivery channel – A crypto business also needs to think carefully about the risks related to how customers access its product or platform. Is it only accessible online? Or does the product involve Bitcoin ATMs or other physical infrastructure that customers can use?

In addition to assessing these general risk categories, crypto businesses should think carefully about the money laundering and terrorist financing risks that their specific offerings present. For example, whether they provide an online exchange service, a crypto ATM network or crypto prepaid cards, crypto businesses will face unique money laundering typologies and criminal vulnerabilities that are highly specific to their business type. Recent cases suggest that criminals are becoming savvier in exploiting a diverse range of crypto-related products and services, seeking out platforms that allow them to engage in increasingly complex money laundering schemes. Developing bespoke risk management solutions requires understanding these typologies in detail. 

Crypto business should also assess the financial crime risks around the types of cryptocurrencies they provide. For example, privacy coins with high levels of anonymity such as Monero may present unique risks and challenges. It may prove challenging to monitor customer activity where these coins are present. Crypto exchanges that offer privacy coins to customers need to be aware of the resulting impact on their risk profile. 

It’s important to remember that a risk assessment process should be supported by a sound methodology that enables a company to understand the evolution of its risks over time. This should include:
• Developing a logical approach to measuring inherent and residual risks; 

• Ensuring risk assessment findings are thoroughly documented and presented clearly to senior management; and

• Having processes in place for updating the risk assessment, in whole or in part, when new business lines and products are launched, geographical expansion occurs or other trigger events arise. 

‘Risk management generally is a continuous process, carried out on a dynamic basis. A money laundering/terrorist financing risk assessment is not a one-time exercise. Firms must therefore ensure that their risk management process for managing money laundering and terrorist financing risks are kept under regular review.’ 

- JMLSG, Guidance for the UK Financial Sector, December 2017 

#2 Defining Risk Appetite

When a business understands its risks, it can decide which risks it finds acceptable, and those it finds too high. 

A financial crime risk appetite statement can allow a crypto business to scale and develop new products and services in a thoughtful manner that ensures commercial goals are achieved without taking on excessive risk. As the Financial Stability Board has indicated 2, a good risk appetite statement can achieve several goals, including:

• Setting quantitative measures that track exposure to key risks, enabling proactive mitigation of risks before they become unacceptably high;

• Establishing limits to risk taking so that staff have a clear understanding of unacceptable risks;  

• Defining staff members’ roles and responsibilities for mitigating risks; and

• Providing a baseline against which assurance functions can test that systems and controls are enabling the company to operate within its risk appetite. 

By clearly defining the levels of risk they are willing to assume, a company’s senior management can establish a clear ‘tone from the top’ and foster a strong company culture. Failure to do so can result in a lax risk management environment that leaves the company exposed to reputational and regulatory risk. 

‘A sound risk culture will provide an environment that is conducive to ensuring that emerging risks that will have material impact on an institution, and any risk-taking activities beyond the institution’s risk appetite, are recognised, escalated, and addressed in a timely manner.’

- Financial Stability Board, Principles for An Effective Risk Appetite Framework, November 2013 

#3 Building a Compliance Team and Governance Arrangements

A strong company culture on financial crime is only possible if supported by a competent and effective team of suitably qualified AML/CTF compliance professionals. 

‘One of the most important controls over the prevention and detection of money laundering is to have staff who are alert to the risks of money laundering/terrorist financing and well trained in the identification of unusual activities or transactions which may prove to be suspicious.’ 

- JMLSG, Guidance for the UK Financial Sector, December 2017 

Even the smallest crypto companies should ensure that they have adequately experienced staff who understand financial crime risks, regulatory requirements and appropriate control measures. To this end, it is important to make sure that staff have received appropriate training. As the UK’s JMLSG3  advises, training should include ensuring staff awareness of:

• The company’s risks, as identified in its financial crime risk assessment;

• The company’s financial crime policies, procedures, systems and controls;

• AML/CTF regulatory requirements applicable to the company, and the consequences of breeching those requirements; 

• The types of high risk customers the company encounters, and enhanced due diligence (EDD) measures that are in place to manage them; and

• Red flag indicators of suspicious activity specific to the company’s product and service offerings, and procedures for filing suspicious activity reports (SARs). 

Larger companies should think carefully about how to structure their compliance functions so that risks are managed appropriately, and to ensure that senior management can monitor those risks over time. Compliance teams should be suitably resourced and visible within the company. 

This may be accomplished, in part, by establishing financial crime risk committees that are comprised of senior risk and compliance staff and that review key management information to assess the effectiveness of controls and identify emerging risks. Robust governance arrangements can ensure that risk management functions are on the front foot against financial crime and are not merely reactive.  

#4 Choosing and Tuning Tools

To be effective, a financial crime compliance team must be more than just impressive-sounding titles. Compliance functions must develop and utilise effective AML/CTF policies and procedures whilst having access to systems and controls that are proportionate to the risks their business faces. 

Policies and procedures should be developed with the aim of mitigating a company’s risks as identified in its risks assessments. This could include, for example, having in place specific EDD measures for identifying customers’ source of wealth where less transparent products or services are used. 

Financial crime systems and controls – such as identification and verification tools, transaction monitoring systems and sanctions screening solutions – should be appropriately calibrated to ensure a firm can operate within its risk appetite. 

Bitcoin ‘track and trace’ forensic tools have also been developed and are already assisting many crypto industry participants in identifying and managing risks. 

These systems and controls should be subject to regular audit and testing to ensure they mitigate key risks and meet regulatory expectations.  As JMLSG notes4 , effective systems and controls are generally characterised by factors such as:

• Alignment with regulatory requirements and expectations; 

• Appropriate resourcing; and

• Competent staff operating the controls. 

Whether a company chooses to undertake internal or external audit, it needs to be able to demonstrate that systems and controls are compliant whilst also enabling it to manage its risks in practice.  

#5 Working with Partners

Strength is in numbers, and crypto businesses can bolster their defences against financial crime by sharing information with their industry peers. 

At FINTRAIL, we’ve co-founded the FinTech Financial Crime Exchange (FFE), a partnership of over 50 UK FinTech companies, including several of the UK’s leading cryptocurrency firms. 

Through the FFE, crypto and other FinTech companies can share information on financial crime typologies they encounter and best practices for prevention and deterrence. 

Proactive involvement in industry partnerships, self-regulatory organisations and other similar platforms can enable a company to stay on the front foot against financial crime. 

Not for the first time, the federal government and states are at odds over the future regulation of FinTech.

On July 31, 2018, the Office of the Comptroller of Currency (OCC) at the U.S. Department of the Treasury (DoT) announced it would begin accepting applications from FinTechs for special bank charters, which would allow them to operate nationally. But individual states and inter-state organizations are strongly opposed. The Conference of State Bank Supervisors (CSBS), which brought an unsuccessful lawsuit against the OCC last year to stop the charter being introduced, has declared that it is ‘a regulatory train wreck in the making.’

The irony is that both sides of the debate want greater consistency. The key difference is determining who should drive the change. As this battle continues, how can U.S. FinTechs approach this complex regulatory landscape, protect themselves and their customers from financial crime, and change potential risks into competitive advantages?

No Single Framework

Part of the difficulties FinTechs face while navigating the U.S. regulatory environment are not only the different layers of government — state and federal — but also the lack of one single type of FinTech. Digital payments firms, for instance, are seen as money service bureaus (MSBs) under the federal Banking Security Act (BSA) and have to register both with the Financial Crime Enforcement Network (FinCEN) at the DoT, as well as gain a state license. Cryptocurrency exchanges are also considered MSBs, because they transmit funds, but initial coin offerings (ICOs), where a new cryptocurrency is offered in return for investment in the startup, is considered a form of security and is subject to the Securities Act and Securities Exchange Act, regulated by the Securities and Exchange Commission (SEC). The table below provides a simplified view of financial crime risks, regulations, and the FinTech sectors that might be affected.

What Do Both Sides Want?

First, the states are keen to see licensing for FinTechs remain in their hands, and there have been collective moves to increase alignment and streamlining across the states for all forms of non-bank financial activity. CSBS’s ‘Vision 2020’ reinforces this with what it calls is “a series of initiatives…to modernize state regulation of non-banks, including financial technology firms.” The program aims to ensure that by 2020, there will be an integrated state licensing and supervisory system across all 50 states. This includes the redesign of Nationwide Multistate Licensing System (NMLS), the core technology platform used by state bank regulators, the introduction of a Fintech Industry Advisory Panel, harmonization of state supervision, and education programs to improve bank and non-bank interaction.

According to the recent DoT report, ‘Nonbank Financials, Fintech, and Innovation,’ the federal government wishes to see financial innovation continue, but within a more consistent regulatory framework. The report suggests a range of possibilities, such as state alignment through ‘model laws’, license harmonization, FinTech/Financial Service provider partnerships, as well as the OCC ‘special bank’ charter. Indeed, the OCC itself has said that the special charter is only one option, and it is conceivable that a hybrid approach might develop over time, through negotiation between the states and the federal government. All sides seem to want to get to the same destination, but have varying views about who should be in charge.

What does this mean for Financial Crime Risk?

From the perspective of identifying, managing and mitigating financial crime risks in the U.S. FinTech sector, there are plenty of positives in these developments. Variations in types of regulation between jurisdictions can create vulnerabilities in a system that can abet money launderers. Federal legislation apart, if one state has significantly less demanding requirements for company licensing than another, then it could become a portal through which criminal funds are most easily ‘placed’ in the financial system — stage one of the money laundering cycle. And from there, the funds can be ‘layered’ — sent through multiple accounts in the financial system (stage two) — before being ‘integrated’ into a seemingly legitimate account (stage three), quite possibly in a state with higher licensing requirements. If there is greater and more demanding standardization, and more consistent application of the standards, this should then help to reduce financial crime risk overall.

How should FinTechs respond?

However, it is important that FinTechs do not interpret this positive trend in the wrong way. Improved and consistent regulation can reduce some of the niches in which financial criminals can operate. However, it does not eliminate financial crime risk, because, as experience has shown, those who launder criminal funds, evade sanctions and tax, and finance terrorism, are amongst the most creative people in the world.

So rather than becoming caught up a traditional compliance ‘tick box’ culture, or following regulatory battles, FinTechs should focus first on the actual financial crime risks themselves. Regardless of the final outcome of the tug of war between the states and the federal government, FinTechs must consider how to manage their risks in this area, in the best interests of themselves and their clients. This isn’t just good for risk management and compliance — it is also good for business.

FinTech firms should consider a simple four step approach:

1. Undertake a financial crime risk assessment. This is essential to knowing your key vulnerabilities and then being able to measure your efforts to reduce them over time. This requires challenging assumptions, testing vulnerabilities, and working in detail to understand the precise extent and nature of money laundering and other risks to which it could be exposed.

2. Understand financial crime typologies. Make use of available typologies studies related to certain offences, to understand potential exposure and assess whether any unknown risks do in fact exist. Given the anonymous character of many transactions on online platforms, FinTechs should pay special attention to the risks from different types of fraud, such as synthetic identity fraud.

3. Tailored systems. Seek to build systems and processes that are specifically designed for the risks FinTechs are likely to face. For example, although all financial institutions are subject to U.S. sanctions laws, providers involved in cross-border transactions should give higher priority to screening for potential evasion. A risk focused approach is more likely to create a healthy and proactive compliance culture.

4. Create indicators and use data: FinTechs should leverage the skill they have in utilizing data to decipher indicators of specific money laundering risks. They should continue using these indicators and supporting data as key performance indicators on a regular and scheduled basis. This is invaluable for managing risk and makes the process of future conversations with auditors and regulators considerably easier.

Understanding and implementing this process is key to stopping financial crime in its tracks and helping transform risks into opportunities.