Setting Up an Anti-Money Laundering Compliance Program? Part I: Start Here
April 08, 2021
Part I of Setting Up an AML Compliance Program.
There’s a moment of reckoning when a company determines—even though it may not be a bank—that it needs to put an anti-money laundering (AML) compliance program into place.
This situation arises when fintech startups and other non-bank financial institutions offer products and services that fall under Bank Secrecy Act / Anti-Money Laundering (BSA/AML) regulation. Or, often the case, when a regulated bank requires an AML compliance program from a fintech partner.
The costs and effort of a strong AML compliance program might seem burdensome at first, but if you weigh those against the costs of inadequate compliance——such as regulatory fines, reputational damage, and even rejection by a bank partner —the strategic decision becomes clear: you want to do this right.
To break this big project down into manageable chunks, here are the five core practice areas common across AML compliance programs:
- Assess Risks
- Know Your Customer (KYC)
Building a robust AML program isn’t a one-size-fits all endeavor, as each company will have a unique risk profile. Assess your specific vulnerabilities and risk thresholds in order to tailor the most effective approach. Take a broad view of potential scenarios for how criminals might exploit your company—not just for prototypical money-laundering, but also for possible adjacent and associated financial crime. Look at the most basic characteristics of your company: products and services, customers, and locations. Then ask questions such as:
How easily could criminals launder money through your products?
Could they use your products to facilitate other kinds of crime like human trafficking?
Could they use your company as a channel for stolen credit cards and identities?
Could they hijack your services for scams?
These are some classic scenarios, but remember criminals can get creative.
Assessing Your Unique Risks
Every financial institution has unique risks when it comes to financial crime. Bad people are out there probing for weaknesses in the financial industry – the strategies and tactics they use to commit financial crime are sophisticated. So how do you formulate a defense strategy and put protections in place? You start by thinking through your institution’s potential risks and defining a system of defenses that will help protect you. Your risk assessment process should look broadly at all types risks facing your company – financial crime, fraud, money laundering, consumer rights violations, information security and others. For this series, though, we’ll continue our focus on AML.
To identify the risk your institution has of being used to launder money, it is useful to have a framework for your thinking. Using a framework will help you think broadly about the problem and cover different perspectives.
A commonly used framework for risk assessment is to think about your financial institution along the following lines:
- Products & services: what financial products & services does your institution provide?
- Customers: what types of customers does your institution work with?
- Geographies: where are your customers in terms of geography?
The goal of thinking through your unique risks along these lines is to formulate a more thorough defense strategy. Since each category can be quite broad, let’s explore how to use them in your risk assessment work.
Risk Factor 1: Products & Services
What products and services does your financial institution offer? The risks involved with a debit card account are different than those of a mortgage, for example. By carefully considering each product or service that you offer, you’ll be able to better understand the risks associated with each.
To get you started, here’s a list of a few examples of financial products & services:
- Depository accounts (savings / checking)
- Debit cards
- Credit cards
- Prepaid cards
- ACH transfers
- Money orders
- Correspondent banking
- Brokerage / trading accounts
- Foreign currency exchange
- Remote deposit capture
- And many others…
This is just a starter list, so be sure to look closely at your business and consider every interaction you have with your customers at the product or service level. Be sure to watch for secondary products / services: for example, you might be a debit card provider that enables customers to fund their accounts via ACH transfer – it is important to consider the risks of both the debit cards and the ACH transfers.
Risk Factor 2: Customers
The next risk factor to consider is the profile of your customers. Do you provide financial products and services to people, businesses, legal entities, or some combination of all of these categories? Within these categories, there are many different profiles, and you’ll want to know which your institution works with.
If your institution provides products and services to people, think about their characteristics. Do you cater to people in a particular industry or job? A particular demographic background? People trying to achieve something specific – an auto lender likely targets people that want to buy a car, for example.
If your institution works with businesses or other types of legal entities, consider carefully what those legal entities exist for and how they might use your service. You’ll want to understand what the expected behaviors of these businesses are, which could be quite different depending on what they do.
By considering the types of customers that your institution works with, you’ll get a better sense of what their expected financial behaviors are. These expected behaviors establish a baseline for your ongoing monitoring, but they also inform the decisions you make in designing your program. This will help you understand the risks of each customer profile and spot strange patterns that might indicate financial crime.
Risk Factor 3: Geographies
The last risk factor are the geographies involved with your financial institution. You want to think broadly about geography as well, considering things like:
- Where are your customers based?
- Where do they use your products and services?
- Are people or legal entities that you do not work with directly involved, for example the recipients of wire transfers that you send – where are they?
- Could your products and services be used when your customers are away from home?
- Are the expected behaviors associated with you products and services likely to happen in a particular place?
As a concept, geography can be a powerful risk factor, particularly when considered in combination with the products, services, and customers that your financial institution caters to.
Putting It All Together
While each of these risk factors can be useful individually, you will probably do your best risk assessment work when you consider them together. We recommend thinking of them as a matrix that can help you identify where criminals might exploit your institution.
With this framework for risk assessment in place, you’ll be better equipped to design a strong AML program. In the next post in this series, we’ll take a look at the first pillar of that program: the Know Your Customer practice area.