Why Fintechs Need a BSA/AML Risk Assessment and How to Develop an Effective One

by Bianca Sarrach
December 28, 2022

Updated April 24, 2023

A common misconception is that a Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) risk assessment applies only to traditional financial institutions. In reality, non-traditional financial institutions, including fintech companies, also need one.

While it’s not a legal requirement, regulators and financial partners expect your fintech organization to have a BSA/AML risk assessment documented. Furthermore, demonstrating compliance through your risk assessment can make you a more appealing partner and more trustworthy in the eyes of potential customers.

Doing a risk assessment can feel overwhelming if your fintech company is caught off guard by a request for one. It can also seem burdensome because there is no set template for conducting an assessment. However, there are things you can do to make the process easier. This article discusses the benefits of conducting a BSA/AML risk assessment and best practices for developing an effective one.

Key Benefits of a BSA/AML Risk Assessment

BSA and AML safeguards are intended to prevent your fintech company from being used as a medium to finance criminal activities. The BSA/AML risk assessment gives you a well-rounded view of where risks lie in your business and where you have gaps in your control program that could result in noncompliance. Here are a few vital benefits your organization can gain when it performs an effective risk assessment:

Prepares you for BSA/AML requirements from your banking partner

BSA and AML obligations fall into two categories: direct requirements and requirements passed to you by your banking partner. If your company is classified as a money service business (MSB), you have direct BSA and AML compliance requirements. If your company isn’t an MSB, your banking partner likely is and may require you to meet those same standards to satisfy its own obligations.

This is where a lot of confusion occurs. Many fintech companies without direct AML or BSA requirements may be surprised when their banking partner asks them to produce a BSA/AML assessment. You can avoid this situation by preparing ahead and providing your banking partner with a BSA/AML risk assessment that establishes the risk areas applicable to your business and identifies the gaps and weaknesses in your control program.

Meeting these requirements helps protect your business from regulatory scrutiny, fines, illegal activity and lost business opportunities. It also gives a banking partner confidence in your control environment and provides the transparency they need for their own compliance efforts. Note that it’s important that your BSA/AML compliance risk management program enables you to monitor transactions, so you can flag suspicious activity and report it to the government or your banking partner.

Helps you focus on the areas of greatest risk

Concentrating on the risk areas most pertinent to your business requires continuous effort. The BSA/AML risk assessment is useful because it reveals the risk areas you need to address when designing your compliance program, and it prioritizes those risks by areas of greatest to least importance. By working to resolve these risks you can help clear the way for your business to develop a new product or service and prevent compliance roadblocks that could derail those initiatives.

Acts as a framework for the rest of your compliance program

The BSA/AML risk assessment should serve as a framework to develop more effective and sustainable compliance procedures that display how your controls mitigate your risks. Over time, your compliance program will become more robust, and the regular assessments will help you determine where to allocate resources.

Best Practices for Developing Your Risk Assessment

While there is no official guidance on the framework for BSA/AML risk assessments, there are best practices for developing an effective one.

Conduct your assessment early on

Compliance shouldn’t be an afterthought. Without an effective risk assessment, your control program will likely be reactive instead of proactive — and you don’t want to be in the position of playing catchup to fix controls when you should be focused on growing your business. This is why it’s best to conduct your BSA/AML risk assessment during the development stage of your business to identify gaps in your controls and avoid potential debacles such as overspending on resources, delaying product launches or having potential partners shut the door before you can get your foot in.

Include an analysis of all your products, services, locations and customers

Your risk assessment should identify the areas of your business exposed to the most BSA/AML risk. It should define and inventory which products, services, geographies and customer types pose the greatest threat to your organization and what controls you have in place, or will put in place, to mitigate those risks.

For example, if your fintech manages digital lending, deposits and/or digital assets, your risks and regulations will vary greatly from those of other fintechs. Regulations and standards in those areas are complicated and rapidly changing, so you need to monitor the regulatory landscape and implement necessary controls as changes happen.

To keep on top of your biggest risk areas, you should conduct a risk assessment every 12 to 18 months or whenever significant changes occur to your products, services or the geographical locations in which you operate.

Lastly, with regard to customers, there are two areas your risk assessment must examine — customer due diligence and customer risk assessment methodology — both of which we cover below.

Demonstrate customer due diligence compliance

Customer due diligence (CDD), a key component of BSA/AML safeguards, refers to the process your organization follows to identify and verify the identities of your customers and prospects and to evaluate the risks associated with them. Fintechs must follow the CDD Rule when using common payment networks such as ACH and the Federal Reserve system.

Know your customer’s customer (KYCC) adds an extra layer of compliance and helps build a more comprehensive customer risk profile by examining who customers are doing business with, their legitimacy and their source of funds.

CDD is important because banks don’t have direct access to their third parties’ customers to deploy their requirements for identifying the customer and verifying their identity. That’s why they need to be able to trust that their fintech partner is complying with the primary CDD and KYCC requirements and adhering to a defined risk assessment methodology.

An effective BSA/AML risk assessment helps you meet these requirements and pinpoint any remaining gaps.

Distinguish between inherent risks and residual risks

The assessment should weigh your inherent risk (the amount of risk that exists without any controls) and then analyze the effect of implementing controls to mitigate that risk. Not all risk is created equal. You’ll need to assess what is necessary to meet your government or stakeholder obligations and which areas present a moderate risk given your resources and regulatory requirements.

The amount of risk remaining after implementing your controls is your residual risk. The level of residual risk that is acceptable depends on the nature of your company. For example, a payroll vendor faces less risk than a peer-to-peer payment platform. In this comparison, the payroll vendor likely has a higher degree of acceptable risk than the payment platform because it has fewer areas where outside actors could use its system for crimes.

Describe your mitigating controls and how they will be effective

Another key aspect your risk assessment should include is laying out the mitigating controls you have in place and an evaluation of their effectiveness. There is a standard rating system for controls: strong, adequate or inadequate. But you will need to assess which rating is appropriate for your controls.

This information is vital to assuring your internal and external stakeholders and making the assessment easier for them to understand. If your banking partner has doubts about the effectiveness of your controls, for example, they could end your contract. This could also keep you from moving forward with a new product or service until you update your control environment to a level that meets your partner’s standard. Both are significant roadblocks to the future growth of your company.

Document your methodology, and be thorough

If regulators or your banking partners can see the thought process behind why and how you developed your risk program, they’re more likely to understand the reasoning behind your approach, and it will be easier to justify the program’s design. Part of this reassurance includes not being afraid to include categories that fall outside of the scope of your business.

For example, you may not allow cannabis companies to use your product or service. Financial institutions view that industry as a higher risk, so documenting your company’s stance could give them greater confidence in your risk posture. Continuously monitoring transaction activity is also essential. This means that your fintech is responsible for conducting client due diligence, observing client risks and periodically revisiting the client’s eligibility, identity and/or verification.

Get everyone’s input

When you conduct your risk assessment and build your control program, you should include input from all your business lines. Your stakeholders understand your business better than a BSA/AML compliance officer. Having explanations from all sides of your business can provide specific knowledge that fills in the gaps where a compliance officer may be unsure.

A thorough, personalized BSA/AML risk assessment can help you develop a compliant risk management program that’s efficient, scalable and in tune with your customers’ needs, whether your requirements are direct or indirect. As a result, your program can meet your regulator, banking partner, stakeholder and client demands while protecting your organization from being used for financial crimes.

Are You Overlooking Some BSA/AML Risks?

The reality is that fintech companies face extraordinary risk from many different directions. This can make it challenging to recognize all of your most significant BSA/AML gaps. To mitigate your risks before they impact your business, reach out to Armanino’s Risk Assurance & Advisory consultants to discuss how to identify and address your biggest BSA and AML risk areas.
