Risky Business: How Fintech Firms Can Build Better AML and Sanctions Risk Assessments | JS held
?
[authors: Anne Walton and J.P. Brennan]
Introduction
The year 2023 promises to be exciting for Fintech. On the upside, the web 3.0 economy is poised for significant growth as decentralization favors creatives and communities with lower costs and lower barriers to entry. The downside will come in the form of more lawsuits, regulatory uncertainty, perpetuation of fraud, and operating in the dust of the crypto fallout and FTX criminal case. All of which means that this year will be anything but boring.
One of the best moves any up-and-coming Fintech can make is to not repeat lessons from the past, especially those from 2022; the vast majority of which have not been complicated, per se, and probably could have been reduced by identifying, understanding and managing expected risks.
Accordingly, it is highly advisable to take stock of existing banking partner relationships and revisit your anti-money laundering (AML) and sanctions risk assessment. Clarity on both is critical to weathering any potential regulatory storm that focuses on Fintech-heavy banks or the Fintech industry itself, particularly those in lending, neobanks which offers non-traditional banking services and payments.
One of the simplest lessons that can be implemented in any business can be summed up by philosopher George Santayana’s famous quote: “Those who do not remember the past are doomed to repeat it.” There are basic needs that most businesses require, including internal controls, accounting and financial systems, and compliance to name a few.
This article examines the risks that Fintech firms face and what they need to do to create an ongoing AML and sanctions program that will meet regulatory requirements.
For now, let’s analyze a Fintech company’s compliance needs. One of the most important steps any enterprising Fintech can take, especially in today’s regulatory environment, is to put in place a board-approved AML and sanctions policy that is based on a comprehensive risk assessment.
The importance of AML risk assessments
A high-quality and dynamic AML and sanctions risk assessment process is a key element of a best-in-class regulatory compliance program for Fintech firms and the banks. In either case, full transparency about the inherent risks the business faces by virtue of its customers, third-party relationships, products and locations, as well as the strength of the controls in place to mitigate those risks, enables a Fintech to gain a clear picture of the current and future risks the company faces.
Inherent risk is the natural level of risk in a process or activity that is not limited. For example, a third-party payment processor provides fiat on and off ramps for crypto exchanges and product users (customers) living around the world. An inherent risk is that some of these customers may be subject to sanctions by the Office of Foreign Asset Control (OFAC) or reside in a sanctioned country. An AML and sanctions risk assessment attempts to quantify and calculate the level of this risk and others, such as the risk inherent in the product that provides cross-border payments and access to crypto. US regulatory requirements mandate that a control system be in place to reduce the inherent risk to the business that, among other things, a sanctioned person will open an account or access the payment product to launder the proceeds of illegal activity.
The strongest and most comprehensive AML and sanctions risk assessments rely on accurate data on all customer and relationship types, geographies, products and transaction values and volumes. On the control side, details about the performance, frequency and ownership of compliance controls are needed to determine the strength and effectiveness of risk mitigation.
A data-driven risk assessment provides great value for Fintech companies of all sizes, whether it is an early-stage start-up getting ready for launch, or an established company. The annual practice of evaluating AML and sanctions risks for the business, including concentration and regulatory risks, demonstrates to regulators that the firm takes its responsibility as gatekeeper to the financial system seriously.
Ensure success
To guarantee that the risk assessment process is a success; keep the following factors in mind:
Know why.
To succeed in this endeavour, a Fintech company must be crystal clear on the purpose of a risk assessment. It is a regulatory expectation and best business practice. Also, the absence of one is not a good look. This means that people at EVERYONE levels – from the board to the most junior team member – need to know that a risk assessment is used to identify money laundering and other illicit financial risks. This is important because it helps protect the business against reputational damage and regulatory fines and penalties.
Risk assessments are demanding processes that often expose parts of the business to increased scrutiny by asking hard questions about products and services. Leaders must be prepared to be uncomfortable. For example, good data is needed to quantify risk and make a strong assessment. Data quality and integrity are easy to overlook when a business is in growth mode. Tensions can arise when teams are asked to produce customer or product data and can’t or won’t. In our experience, a strong leader with a compliance mindset that reinforces the value of this process and encourages constructive dialogue between stakeholders is the most successful when it comes to risk identification and mitigation. A Fintech can overcome limitations or solve problems like these when the importance of doing so is known and agreed upon by everyone in the organization and confirmed by a strong tone at the top.
Share the results.
Talk about it when you’re done. Circulate business-relevant results throughout the institution. Present the risk assessment to the board and the risk committees, discuss it and ensure that it is understood within the company.
All too often, the process is so demanding and difficult for compliance teams that it ends in silence. Don’t let this happen to you. Make a commitment at the launch of the process. Give compliance a platform to share results with team members in a variety of ways. Use forums such as town halls or informal conversations to reinforce the importance of risk assessment and its value to all.
Communication is critical to the development and maintenance of a healthy organizational culture in the Fintech industry and elsewhere. That’s good business advice, and it applies as much to a compliance cost center as it does to a revenue generator. Clear, consistent messages about the risk assessment reinforce “Why” and promotes trust among team members.
When people know and understand the results, they may be more inclined to use that information as a driver for resource allocation – including technology investments and personnel. Relate the results to the transaction monitoring coverage strategy and assess whether testing and adjustments need to be made to optimize business and compliance functions.
Rinse and repeat.
Do it again and again. Risks are not static and the assessment (process, execution, circulation) must occur on an ongoing basis to remain relevant and provide value to senior management.
Conversations about risk assessments as a normal part of business-as-usual must take place at regular intervals between compliance and the business. Management should ensure that the assessment is updated to reflect new business areas and remain proportionate to the institution’s size and complexity.
Conclusion
AML and sanctions risk assessments are a critical, but often overlooked and underutilized element of a robust compliance program. Although time-consuming and demanding, the results produced by a rigorous, data-driven assessment provide senior managers with a road map for the future. These assessments provide a gateway to growth and reveal unlimited risks that can be exacerbated by weak or absent controls and result in regulatory fines and reputational damage.
Recognitions
We would like to thank Anne Walton and JP Brennan for providing insight and expertise that greatly aided this research.
![[Gamer’s World] NFTs: Crypto Greed or Wave of the Future?](https://www.cryptoproductivity.org/wp-content/uploads/2022/07/Bored-Ape-Yacht-Club-NFT-resize-2-1000x600-120x120.jpg "[Gamer’s World] NFTs: Crypto Greed or Wave of the Future?")
