Neobanks, Small FIs Face Heavy Lift Building Compliant AML Systems From Scratch

Neobanks, Small FIs Face Heavy Lift Building AML

As a partner in the Financial Services and White Collar Litigation practices at O’Melveny as well as a former deputy chief of the U.S. Department of Justice’s money laundering section, Laurel Loomis Rimon has a unique private-public sector purview of what is involved in stopping the illegal flow of funds.

In the wake of the release of the U.S. Department of the Treasury’s Financial Crimes Action Task Force (FinCEN) bureau’s first National Anti-Money Laundering Priorities for financial institutions (FIs), she said, like it or not, smaller firms with comparatively limited resources are going to have to start committing time, money and people if they’re going to keep up with the long-term compliance roadmap.

“The FinTechs that come into this space get their venture funding, and they don’t always invest in compliance and regulations because those efforts are not part of the growth trajectory or part of the product design — even though they should be part of the product design,” she said.

At a high level, and as directed by the Anti-Money Laundering Act, regulators and FinCEN will assess FIs on their effectiveness in alleviating risks related to these priorities.

Drilling down into what FinCEN is focusing on, the priorities mandate that FIs target corruption and cybercrime, according to a FinCEN press release, as well as foreign and domestic terrorist financing, fraud, human trafficking, proliferation financing and transnational criminal organization and drug trafficking organization activity.

The expense is significant, with surveys pegging the annual cost of financial crime compliance at $214 billion, per LexisNexis Risk Solutions.

With larger banks already well-dialed into the anti-money laundering (AML) necessities, FinCEN has been aiming to get non-banks and neobanks on board with prioritizing anti-fraud and AML efforts even as they target top-line growth and new market opportunities within financial services and money movement, said Rimon.

The smaller firms, as new outfits grow exponentially and grab scale quickly, are getting big enough to merit some concern and oversight when it comes to AML efforts, meaning they’re no longer “too small” to worry about, she said.

Money mule accounts are on the rise, for example, and so are imposter schemes, as FinCEN warned during the pandemic.

Although there have yet to be specific requirements for such activities, formalizing a roster of priorities “puts a finer point” on what needs to be done, she said.

She noted that the focus on corruption includes the guidance that companies should be focused on domestic corruption, too, not just threats from outside home markets — a concept that is touched on lightly but at least has been specified. The end goals are to ultimately protect the consumer and address the gaps that may have existed thus far in protecting them.

From The Ground Up?

To start a compliance or AML program from the ground up is a huge challenge, she said, especially for smaller companies that can almost instantly see a massive online customer base take shape that can be global in reach. FinCEN might eventually look to set examinations in place and is soliciting feedback from the stakeholders involved.

One greenfield opportunity for cross-agency collaboration, and for FinTechs that are starting to re-calibrate compliance strategies, lies with cryptocurrencies. There’s been no shortage of headlines blaring ransomware schemes, platforms and exchanges used to launder money and finance terrorism.

But contrary to the conventional wisdom that cryptos are wholly unregulated “Wild Wests” of malfeasance, there are at least some efforts in place to regulate derivatives and other trading.

“There’s a lot of consternation and confusion in the industry about exactly where those lines are and which type of activity is regulated or is not,” said Rimon.

There are also “pretty broad lanes” where stakeholders understand certain assets and activities are regulated, and there are companies dealing solely in crypto that have relatively mature AML and anti-fraud programs in place, she said.

“I take a sort of measured approach to cryptocurrency,” she said. “It does offer some advantages for tracing criminal activity.”

As an example, she pointed to the fact that much of the ransomware tied to the Colonial Pipeline ransomware attack has been recovered (where the hackers had apparently thought hopscotching across digital wallets was untraceable).

“It’s a mixed bag,” said Rimon of cryptos. “It takes the type of focus and resources that most new companies don’t have.”

The Roadmap

For these smaller firms, she said, the FinCEN announcement signals that it’s time to start thinking about and reviewing policies related to AML and other lines of defense. Eventually there will be regulations handed down from these agencies that will be prescriptive, but until then, “you should be incorporating these concepts into your policies and procedures. And I think that can be done now.”

The categories are general enough so that banks and non-banks alike can undertake customized risk assessments about where and how they are vulnerable. Those efforts take time, she said. A firm could easily spend six months simply trying to get policies and procedures in place to meet FinCEN priorities.

There’s room for innovation in streamlining those efforts, through RegTech innovation that can help banks and non-banks comply with priorities. Rimon pointed to blockchain analytics as one avenue for such innovation, but she cautioned that firms can’t just expect to buy something off the shelf and be done.

In the meantime, firms must look inward at their staffing levels, as experience and knowledge are key weapons in the fight against fraud.

“Now is the time to get started, and you need to have something to show regulators when they come in,” Rimon told Webster. For these younger firms, “it needs to appear in writing in your programs and policies. And that’s something you can start now.”