Updated April 24, 2023
A common misconception is that a Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) risk assessment applies only to traditional financial institutions. In reality, non-traditional financial institutions, including fintech companies, also need one.
While it’s not a legal requirement, regulators and financial partners expect your fintech organization to have a BSA/AML risk assessment documented. Furthermore, demonstrating compliance through your risk assessment can make you a more appealing partner and more trustworthy in the eyes of potential customers.
Doing a risk assessment can feel overwhelming if your fintech company is caught off guard by a request for one. It can also seem burdensome because there is no set template for conducting an assessment. However, there are things you can do to make the process easier. This article discusses the benefits of conducting a BSA/AML risk assessment and best practices for developing an effective one.
BSA and AML safeguards are intended to prevent your fintech company from being used as a medium to finance criminal activities. The BSA/AML risk assessment gives you a well-rounded view of where risks lie in your business and where you have gaps in your control program that could result in noncompliance. Here are a few vital benefits your organization can gain when it performs an effective risk assessment:
BSA and AML obligations fall into two categories: direct requirements and requirements passed to you by your banking partner. If your company is classified as a money service business (MSB), you have direct BSA and AML compliance requirements. If your company isn’t an MSB, your banking partner likely is and may require you to meet those same standards to satisfy its own obligations.
This is where a lot of confusion occurs. Many fintech companies without direct AML or BSA requirements may be surprised when their banking partner asks them to produce a BSA/AML assessment. You can avoid this situation by preparing ahead and providing your banking partner with a BSA/AML risk assessment that establishes the risk areas applicable to your business and identifies the gaps and weaknesses in your control program.
Meeting these requirements helps protect your business from regulatory scrutiny, fines, illegal activity and lost business opportunities. It also gives a banking partner confidence in your control environment and provides the transparency they need for their own compliance efforts. Note that it’s important that your BSA/AML compliance risk management program enables you to monitor transactions, so you can flag suspicious activity and report it to the government or your banking partner.
Concentrating on the risk areas most pertinent to your business requires continuous effort. The BSA/AML risk assessment is useful because it reveals the risk areas you need to address when designing your compliance program, and it prioritizes those risks by areas of greatest to least importance. By working to resolve these risks you can help clear the way for your business to develop a new product or service and prevent compliance roadblocks that could derail those initiatives.
The BSA/AML risk assessment should serve as a framework to develop more effective and sustainable compliance procedures that display how your controls mitigate your risks. Over time, your compliance program will become more robust, and the regular assessments will help you determine where to allocate resources.
While there is no official guidance on the framework for BSA/AML risk assessments, there are best practices for developing an effective one.
Compliance shouldn’t be an afterthought. Without an effective risk assessment, your control program will likely be reactive instead of proactive — and you don’t want to be in the position of playing catchup to fix controls when you should be focused on growing your business. This is why it’s best to conduct your BSA/AML risk assessment during the development stage of your business to identify gaps in your controls and avoid potential debacles such as overspending on resources, delaying product launches or having potential partners shut the door before you can get your foot in.
Your risk assessment should identify the areas of your business exposed to the most BSA/AML risk. It should define and track which products, services, geographies and customer types pose the greatest threat to your organization, and which controls you have in place or will put in place to mitigate those risks.
For example, if your fintech manages digital lending, deposits and/or digital assets, your risks and regulations will vary greatly from those of other fintechs. Regulations and standards in those areas are complicated and rapidly changing, so you need to monitor the regulatory landscape and implement necessary controls as changes happen.
To keep on top of your biggest risk areas, you should conduct a risk assessment every 12 to 18 months or whenever significant changes occur to your products, services or the geographical locations in which you operate.
Lastly, with regard to customers, there are two areas your risk assessment must examine — customer due diligence and customer risk assessment methodology — both of which we cover below.
Customer due diligence (CDD), a key component of BSA/AML safeguards, refers to the process your organization follows to identify and verify the identities of your customers and prospects and to evaluate the risks associated with them. Fintechs must follow the CDD Rule when using common payment networks like ACH and the Federal Reserve system.
Know your customer’s customer (KYCC) adds an extra layer of compliance and helps build a more comprehensive customer risk profile by examining who customers are doing business with, their legitimacy and their source of funds.
CDD is important because banks don’t have direct access to their third parties’ customers and so cannot apply their own customer identification and verification requirements to them. That’s why they need to be able to trust that their fintech partner is complying with the primary CDD and KYCC requirements and adhering to a defined risk assessment methodology.
An effective BSA/AML risk assessment helps you meet these requirements and pinpoint any remaining gaps.
The assessment should weigh your inherent risk (the amount of risk that exists without any controls) and then analyze the effect of implementing controls to mitigate that risk. Not all risk is created equal. You’ll need to assess what is necessary to meet your government or stakeholder obligations and which areas present a moderate risk given your resources and regulatory requirements.
The amount of risk remaining after implementing your controls is your residual risk. The level of residual risk that is acceptable depends on the nature of your company. For example, a payroll vendor faces less risk than a peer-to-peer payment platform. In this comparison, the payroll vendor likely has a higher degree of acceptable risk than the payment platform because it has fewer areas where outside actors could use its system for crimes.
Another key aspect your risk assessment should include is laying out the mitigating controls you have in place and an evaluation of their effectiveness. There is a standard rating system for controls: strong, adequate or inadequate. But you will need to assess which rating is appropriate for your controls.
This information is vital to assuring your internal and external stakeholders and making the assessment easier for them to understand. If your banking partner has doubts about the effectiveness of your controls, for example, they could end your contract. This could also keep you from moving forward with a new product or service until you update your control environment to a level that meets your partner’s standard. Both are significant roadblocks to the future growth of your company.
If regulators or your banking partners can see the thought process behind why and how you developed your risk program, they’re more likely to understand the reasoning behind your approach, and it will be easier to justify the program’s design. Part of this reassurance includes not being afraid to include categories that fall outside of the scope of your business.
For example, you may not allow cannabis companies to use your product or service. Financial institutions view that industry as a higher risk, so documenting your company’s stance could give them greater confidence in your risk posture. Continuously monitoring transaction activity is also essential. This means that your fintech is responsible for conducting client due diligence, observing client risks and periodically revisiting the client’s eligibility, identity and/or verification.
When you conduct your risk assessment and build your control program, you should include input from all your business lines. Your stakeholders understand your business better than a BSA/AML compliance officer. Having explanations from all sides of your business can provide specific knowledge that fills in the gaps where a compliance officer may be unsure.
A thorough, personalized BSA/AML risk assessment can help you develop a compliant risk management program that’s efficient, scalable and in tune with your customers’ needs, whether your requirements are direct or indirect. As a result, your program can meet your regulator, banking partner, stakeholder and client demands while protecting your organization from being used for financial crimes.
The reality is that fintech companies face extraordinary risk from many different directions. This can make it challenging to recognize all of your most significant BSA/AML gaps. To mitigate your risks before they impact your business, reach out to Armanino’s Risk Assurance & Advisory consultants to discuss how to identify and address your biggest BSA and AML risk areas.