AML Guide for FinTechs
To find out more about fintech regulation and compliance around the world download the AML Guide for FinTechs, or get in touch to schedule a demo.
Download the guideFintech is a diverse and growing financial sector. As innovations change the fintech money laundering landscape, regulators must adapt to keep pace with fintech regulation, introducing new compliance measures to meet the challenge of emerging technologies and criminal methodologies.
The elevated criminal risks associated with fintech services mean that firms must think carefully about their regulatory environments. They must ensure that their anti-money laundering (AML) solutions and counter-financing of terrorism (CFT) measures meet their compliance obligations.
Fintechs are expected to implement AML/CFT programs in alignment with the Financial Action Task Force’s (FATF) 40 Recommendations. These set international standards for money laundering (ML) and terrorist financing (TF) countermeasures covering the criminal justice system, law enforcement, fintech regulation, and international cooperation.
While robust fintech regulation protects users and ensures the safety of their payments, the fundamental importance of fintech regulation lies in its ability to mitigate the risk of money laundering and terrorist financing.
Regulators expect service providers to treat financial compliance as an integral part of risk management. But each firm must implement a unique solution that meets its needs. With this in mind, firms must consider what measures and controls they need to achieve compliance with fintech regulations and how this solution will be refined over time.
In addition to providing protection and meeting compliance obligations, fintech regulations can:
Fintech products and services typically offer customers faster and more efficient banking experiences. But, at the same time, they often disrupt markets, creating regulatory uncertainty and opportunities for criminals to exploit compliance blind spots.
Among the top risks currently faced by fintechs are:
The FATF requires member states to establish national bodies responsible for domestic financial institutions’ AML/CFT compliance, including fintech service providers. In addition to collecting and analyzing suspicious activity reports and investigating violations of fintech regulation, these bodies are responsible for issuing operating licenses.
To obtain an operating license, fintech service providers need to demonstrate that they meet a set of AML/CFT criteria, including:
The AML/CFT ecosystem shown above shapes five core fintech regulation responsibilities:
Depending on the products and services a fintech offers and where in the world they are available, various licenses must be acquired. If a fintech decides not to apply for a license, it can outsource certain activities to a company with a license. Depending on the type of license applied for, fintechs may be subject to additional regulatory requirements such as AML, risk management, staffing, and capital reporting requirements. A list of some common fintech licenses are listed below:
Countries with diverse legal, administrative, and operational frameworks and different financial systems must take different measures to counter these threats. Fintech firms will find a range of regulatory nuances in other parts of the world.
The Financial Conduct Authority (FCA) is the UK’s primary financial regulator. The regulator sets out AML/CFT compliance requirements for UK firms under the authority of the Proceeds Of Crime Act 2002, the Money Laundering, Terrorist Financing and Transfer of Funds Act 2017, the Payment Services Directive 2 (PSD2), and the Terrorism Act 2000.
The FCA is increasing its focus on fintech regulation. In 2022, it warned of financial crime control weaknesses in UK challenger banks, a significant contributor to the UK’s fintech ecosystem. The review noted patterns of inadequate due diligence, enhanced due diligence, and suspicious activity reporting at challenger banks.
In July 2022, the FCA also announced final rules for the new Consumer Duty (PS22/9), which will be implemented across the open services of FCA-regulated firms by July 2023. These rules aim to introduce a higher standard of conduct and clearer focus on customers’ interests.
It means that all financial services firms, including fintechs, must act in good faith towards customers and help them pursue their financial objectives by providing products and services they fully understand.
UK fintechs providing trust services must also adhere to the UK electronic Identification, Authentication, and Trust Services (eIDAS) Regulations. As an amended form of the EU eIDAS Regulation, the legislation establishes various types of digital evidence (e.g., electronic seals, time stamps, and electronic signatures) to ensure electronic business interactions are safer, faster, and more efficient.
Each piece of EU legislation covers only some aspects of fintech regulation. Fintech firms providing financial services such as lending, financial advice, insurance, or payments must comply with the same laws as other firms offering those services.
The mechanisms used to harmonize AML/CFT legislation across EU member states are known as the Anti-Money Laundering Directives (AMLDs). The money laundering directives are published periodically and updated to reflect the current money laundering, terrorism financing, and criminal risks facing financial markets. The most recent version is the “new 6AMLD.” It focuses on repealing aspects of previous directives, transferring requirements for countries, and introducing changes to better align the practices of domestic supervisors and financial intelligence units (FIUs).
Aimed at enhancing trust in electronic transactions, the EU has two standards in place: EU eIDAS Regulation and the Payment Services Directive 2 (PSD2). As discussed above, the eiDAS regulation “is a key enabler for secure cross-border transactions.” It ensures that all 27 EU member countries mutually recognize each other’s notified electronic identification schemes, thus increasing the level of security of transactions for fintechs and other businesses.
While eIDAS applies to any business, PSD2 rules are specific to EU banking/financial services institutions. It was adopted by the European Commission in 2015, replacing the original Payment Services Directive of 2007. One of its most significant legislative effects, PSD2 enables third-party access to bank account information.
In October 2022, the EU endorsed and published approved text for its European crypto assets regulation – the Markets in Crypto Assets (MiCA) law – likely to take effect in 2024.
MiCA will introduce a crypto licensing framework and establish requirements for stablecoins and crypto exchanges. This will include a requirement that authorized crypto asset service providers can only perform provision of services in crypto assets. The definition of crypto assets is likely to be broad to help regulation keep pace with the rapidly developing market.
BaFin, the Federal Financial Supervisory Authority, supervises compliance with Germany’s Money Laundering Act. BaFin issued warnings to numerous German fintech service providers after audits revealed deficiencies in their AML/CFT processes.
BaFin’s scrutiny included the bank N26, which was found to have deficiencies in its IT monitoring and customer due diligence processes. BaFin eventually issued N26 with a €4,250,000 administrative fine and imposed limits on its onboarding of new customers.
AML in the Baltics – Latvia, Estonia, and Lithuania – has become increasingly important as the countries have become fintech Hubs. While this has made them attractive destinations for startup fintechs and others expanding into Europe, it puts them at risk of illicit financial activity due to their relations with countries such as Russia.
Fintech compliance teams should become familiar with the EU’s AML regulations and sanctions, Estonia’s Financial Intelligence Unit, the Financial Intelligence Unit of Latvia, and Lithuania’s Financial Crime Investigation Service.
The Financial Crimes Enforcement Network (FinCEN) is the US’ primary financial regulator and works to ensure that banks and financial institutions comply with its primary AML/CFT law, the Bank Secrecy Act, and subsequent legislation, such as the Patriot Act. The US Office of Foreign Assets Control (OFAC) serves a similar regulatory function for enforcing US economic sanctions.
FinCEN and OFAC have been adjusting to optimize their approach to fintech compliance. In particular, both regulators have focused on the criminal risks associated with virtual assets. FinCEN has released advisories on criminal typologies related to cryptocurrencies, while OFAC has issued its virtual currency guidance and even implemented sanctions against virtual currency wallet addresses.
AML for Canadian fintechs means firms must abide by public and private legislation at federal and provincial levels, the same as banks and other FIs. Canadian AML requirements include the Canadian Payments Act, Payment Clearing and Settlement Act (Canada), Bank Act, and the Bills of Exchange Act (Canada).
Certain laws and regulations in Canada are specifically relevant to fintech service providers. These include the Personal Information Protection and Electronic Documents Act (PIPEDA) which protects personal information handled by private sector firms, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
Canada’s main financial regulator is the Financial Transactions and Reports Analysis Centre (FINTRAC), responsible for identifying ML/FT.
Singapore has become an increasingly important player in the fintech world, and AML/CFT for Singaporean fintechs has developed as a result.
The Monetary Authority of Singapore (MAS) supervises compliance with Singapore’s Corruption, Drug Trafficking, and Other Serious Crimes (Confiscation of Benefits) Act (CDSA). MAS sets out compliance standards for financial institutions in Singapore and issues regular guidance.
In 2020, Singapore introduced the Payment Services Act (PSA), which brought payment service providers and fintech firms under the scope of the city’s AML/CFT regulations. It introduced requirements for fintech firms to obtain a MAS operating license.
In 2022, Singapore passed the Financial Services and Markets Bill. The bill introduced new rules that enhance the regulation of digital token service providers for ML/TF risks and gives lawmakers the power to deny licenses to operators the country deems unfit.
The Hong Kong Monetary Authority (HKMA) is Hong Kong’s central bank and financial regulator and sets AML regulations. HKMA requires that firms take a risk-based approach to AML in line with the FATF and the Asia Pacific Group on Money Laundering (APG).
While Hong Kong does not employ any specific fintech regulation, fintechs must comply with anti-money laundering in Hong Kong and are subject to particular laws depending on their functions.
Fintech firms that carry out any “regulated activities,” as defined by the Securities & Futures Commission (SFC), must be licensed by that body; money lenders are subject to the Money Lenders Ordinance. And payment systems firms and retail payment systems providers must be licensed under the Payment Systems and Stored Value Facilities Ordinance (PSSVFO).
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s primary financial intelligence agency and regulator, tasked with ensuring compliance with AML/CTF rules in Australia and preventing other financial crimes.
The primary AML rules in Australia are part of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. While there are no specific AML regulations for Australian fintechs, the country’s fintech sector grew dramatically between 2020-2021, with investor funding soaring by 253%, compared to a global average of 45%.
Fintech firms must comply with the existing AML/CTF framework and the licensing and reporting regulations it imposes. They should treat data privacy as a priority, as it is regulated at territorial, state, and federal levels.
To find out more about fintech regulation and compliance around the world download the AML Guide for FinTechs, or get in touch to schedule a demo.
Download the guideFollowing FATF guidance, jurisdictional fintech regulations typically require the appointment of an AML/CFT compliance officer, commonly referred to as a Money Laundering Reporting Officer.
An MLRO is appointed to oversee their firm’s AML/CFT program, communicate with senior management, and liaise with financial authorities. In addition, the MLRO is involved in developing a firm’s internal AML/CFT policies, filing AML/CFT reports, and training compliance staff.
Given the regulatory importance of the role, MLROs should have sufficient expertise and authority to carry out their duties competently. This means appointees should have extensive knowledge of AML/CFT regulations and the fintech landscape and display personal honesty and integrity.
With those factors in mind, fintech firms should consider the following factors when appointing an MLRO:
While AML and Know Your Customer (KYC) requirements vary, specific essential requirements are common across jurisdictions. With that in mind, firms should put the following measures and controls in place as part of their AML/CFT compliance solution and help future-proof against evolving fintech regulations:
When fintechs detect potential criminal activity, often from existing money laundering typologies, they must inform the relevant authorities by submitting a suspicious activity report (SAR). Fintech compliance employees should be familiar with the SAR process to ensure timely submission. The process should be straightforward, clear, and informed by MLRO and senior management input.
The administrative demands of fintech regulation mean that firms must integrate technology solutions capable of managing vast amounts of customer and transaction data. AI-driven smart technology solutions should add speed and efficiency to core AML processes, help fintech firms adapt to changing regulations, and rapidly manage increasingly sophisticated criminal methodologies.
Protect your business and your customers from criminal risks with our fintech AML compliance checklist:
Read our AML guide for fintechs to ensure your business keeps on track with fintech regulation.
Discover ComplyLaunch™, our automated solutions package for early stage FinTechs.
Learn moreOriginally published 13 July 2021, updated 23 February 2023
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).