Why Fintechs Need a BSA/AML Risk Assessment and How to Develop an Effective One
by Joey Losurdo
December 28, 2022

A common misconception is that a Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) risk assessment applies only to traditional financial institutions. In reality, non-traditional financial institutions, including fintech companies, also need one. Even where no statute spells out the assessment itself as a requirement, regulators and banking partners expect your fintech organization to have a documented BSA/AML risk assessment.

Doing a risk assessment can feel overwhelming if your fintech company is caught off guard by a request for one. It can also seem burdensome because there is no set template for conducting an assessment. However, there are things you can do to make the process easier. This article discusses benefits of conducting a BSA/AML risk assessment and best practices for developing an effective one.

Key Benefits of a Risk Assessment

BSA and AML safeguards are intended to prevent your fintech company from being used as a medium to finance criminal activities. The BSA/AML risk assessment gives you a well-rounded view of where risks lie in your business and where you have gaps in your control program that could result in noncompliance. Here are a few vital benefits your organization can realize when it performs an effective risk assessment:

Prepares you for BSA/AML requirements from your banking partner

A fintech company's BSA and AML obligations fall into two categories: direct requirements and requirements passed to you by your banking partner. If your company is classified as a money services business (MSB), you have direct BSA and AML compliance requirements, including registration with FinCEN and an AML program of your own. If your company isn't an MSB, your banking partner still has its own BSA/AML obligations and will likely require you to meet comparable standards so it can satisfy them.

This is where a lot of confusion occurs. Many fintech companies without direct AML or BSA requirements have existing relationships with financial institutions, which may suddenly ask them to produce reports showing the fintech company’s compliance with regulations they weren’t aware were required of them. You can avoid this situation by providing your banking partner with a BSA/AML risk assessment that establishes the risk areas applicable to your business and identifies the gaps and weaknesses in your control program.

Staying in compliance with BSA/AML requirements helps protect your business from regulatory scrutiny, fines, abuse by criminals and lost business opportunities. It also gives your banking partner confidence in your control environment and provides the transparency it needs for its own compliance efforts. Note that your BSA/AML compliance program must let you monitor transactions, so you can flag suspicious activity and either file the required reports with FinCEN (if you are an MSB) or escalate it to your banking partner for its own reporting.

Helps you focus on the areas of greatest risk

Concentrating on the risk areas most pertinent to your business requires continuous effort. The BSA/AML risk assessment is useful because it reveals the risk areas you need to address when designing your compliance program, and it prioritizes those risks by areas of greatest to least importance. By working to resolve these risks you can help clear the way for your business to move forward with a new product or service and prevent compliance roadblocks that could derail those initiatives.

Acts as a framework for the rest of your compliance program

The BSA/AML risk assessment should serve as a framework to develop more effective and sustainable compliance procedures that display how your controls mitigate your risks. Over time, your compliance program will become more robust, and the regular assessments will help you determine where to allocate resources.

Best Practices for Developing Your Risk Assessment

While there is no official guidance on the framework for BSA/AML risk assessments, there are best practices for developing an effective one.

Conduct your assessment early and update it often

Many fintechs make the mistake of doing an assessment when their backs are already up against the wall. This puts you in the position of playing catchup and needing to fix controls when you should be focused on launching a new product or service or shopping for a banking partner.

Without an effective risk assessment, your control program will likely be reactive instead of proactive, which could lead to you missing gaps in your controls, overspending on resources, delaying product launches or having potential partners shut the door before you can get your foot in. Compliance shouldn’t be an afterthought. Thinking of your BSA and AML needs during development helps you avoid these potential debacles.

Include an analysis of all your products, services, locations and customers

Your risk assessment should identify and provide transparency into the areas of your business exposed to the most BSA and AML risk. It should define and inventory which products, services, geographies and customer types pose the greatest risk to your organization and which controls you have in place, or will put in place, to mitigate those risks. Additionally, you need to explain and defend why other business areas don't call for mitigating controls in your BSA/AML compliance program.

To keep on top of your biggest risk areas, you should conduct a risk assessment every 12 to 18 months or whenever significant changes occur to your products, services or the geographical locations in which you operate.

Distinguish between inherent risks and residual risks

The assessment should first rate your inherent risk, which is the risk that exists before any controls are applied, and then analyze how your controls reduce that risk. Not all risk is created equal. You'll need to distinguish the areas where a control is necessary to meet your government or stakeholder obligations from the areas that present only moderate risk given your resources and regulatory requirements.

The amount of risk remaining after your controls are applied is your residual risk. How much residual risk is acceptable depends on the nature of your company. For example, a payroll vendor faces less inherent risk than a peer-to-peer payment platform: it has fewer points where outside actors could use its system for crimes, so its residual risk stays within a tolerable range with a lighter set of controls, while the payment platform needs stronger controls to reach the same level.

Describe your mitigating controls and how they will be effective

Another key aspect your risk assessment should include is a description of the mitigating controls you have in place and an evaluation of their effectiveness. A commonly used rating scale for controls is strong, adequate or inadequate, but you will need to decide, and document, which rating is appropriate for each of your controls and why.

This information is vital to assuring your internal and external stakeholders and to making the assessment easy for them to understand. If your banking partner has unresolved questions about the effectiveness of your controls, for example, it could end your contract. It could also keep you from moving forward with a new product or service until you bring your control environment up to your partner's standard. Both are significant roadblocks to the future growth of your company.

Document your methodology, and be thorough

If regulators or your banking partners can see the thought process behind why and how you developed your risk program, they're more likely to understand the reasoning behind your approach, and it will be easier to justify the program's design. Part of this reassurance is including, rather than omitting, categories that fall outside the scope of your business, with a note on why they are out of scope.

For example, you may not allow cannabis companies to use your product or service. Financial institutions view that industry as a higher risk, so documenting your company’s stance could give them greater confidence in your risk posture.
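The sections above on inherent versus residual risk, on rating control effectiveness, and on documenting out-of-scope categories describe a scoring method without showing it applied. The script below is an added example, not part of the original article: it takes a constructed inventory of products, geographies and customer types for a hypothetical payments fintech, maps each item's inherent rating and control rating to a residual rating, ranks the items from greatest to least residual risk, and flags those above a stated risk appetite. The low/moderate/high and strong/adequate/inadequate scales are the ones the article names; the residual-risk matrix, the sample inventory, the rationales and the risk appetite are assumptions chosen for illustration.

```python
"""Residual-risk scoring for a BSA/AML risk assessment.

Added example, not code from the original article. The inherent-risk
scale (low/moderate/high) and control ratings (strong/adequate/inadequate)
are the ones the article names; the residual matrix, sample inventory and
risk appetite below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ("low", "moderate", "high")
CONTROL_RATINGS = ("strong", "adequate", "inadequate")

# Assumed matrix: residual rating for each inherent rating (row) and
# control effectiveness (column). A strong control lowers the rating one
# step, an inadequate one raises it one step, an adequate one leaves it.
RESIDUAL_MATRIX: Dict[str, Dict[str, str]] = {
    "high":     {"strong": "moderate", "adequate": "high",     "inadequate": "high"},
    "moderate": {"strong": "low",      "adequate": "moderate", "inadequate": "high"},
    "low":      {"strong": "low",      "adequate": "low",      "inadequate": "moderate"},
}


@dataclass
class RiskItem:
    category: str            # product, service, geography or customer type
    name: str
    inherent: Optional[str]  # None when the item is documented as out of scope
    control: Optional[str]   # None when no control applies
    rationale: str           # the documented reasoning behind the rating


def residual(item: RiskItem) -> Optional[str]:
    """Residual rating per the matrix; None for an out-of-scope item."""
    if item.inherent is None:
        return None
    if item.inherent not in LEVELS or item.control not in CONTROL_RATINGS:
        raise ValueError(f"unrated item: {item.name}")
    return RESIDUAL_MATRIX[item.inherent][item.control]


def rank(items: List[RiskItem]) -> List[Tuple[str, str]]:
    """In-scope items ordered from greatest to least residual risk."""
    scored = [(i.name, residual(i)) for i in items if i.inherent is not None]
    # sorted() is stable, so items with equal ratings keep inventory order
    return sorted(scored, key=lambda s: LEVELS.index(s[1]), reverse=True)


def above_appetite(items: List[RiskItem], appetite: str) -> List[str]:
    """Names of items whose residual risk exceeds the stated appetite."""
    limit = LEVELS.index(appetite)
    return [name for name, r in rank(items) if LEVELS.index(r) > limit]


# Constructed sample inventory for a hypothetical payments fintech.
INVENTORY: List[RiskItem] = [
    RiskItem("product", "peer-to-peer transfers", "high", "adequate",
             "person-to-person value movement; velocity limits and monitoring in place"),
    RiskItem("product", "payroll disbursement", "moderate", "strong",
             "funds flow only from verified employers to named employees"),
    RiskItem("geography", "cross-border payouts", "high", "strong",
             "sanctions screening on every payout plus per-corridor limits"),
    RiskItem("customer type", "sole proprietors", "moderate", "inadequate",
             "beneficial ownership collected but not yet independently verified"),
    RiskItem("customer type", "cannabis businesses", None, None,
             "prohibited by onboarding policy; recorded here as out of scope"),
]

if __name__ == "__main__":
    for name, rating in rank(INVENTORY):
        print(f"{rating:>8}  {name}")
    print("above moderate appetite:", above_appetite(INVENTORY, "moderate"))
```

Keeping the rationale next to each rating is what makes the assessment defensible to a banking partner: the ranked list shows where to spend control effort first, and the out-of-scope entry shows the partner you considered a higher-risk category rather than overlooked it.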

Get everyone’s input

When you conduct your risk assessment and build your control program, you should include input from all your business lines. The people who run each product understand its day-to-day operation better than a BSA/AML compliance officer can. Explanations from all sides of your business supply the specific knowledge that fills in the gaps where a compliance officer may be unsure.

Final Thoughts

A thorough, personalized risk assessment can help you develop a compliant BSA/AML risk management program that’s efficient, scalable and in tune with your customers’ needs, whether your requirements are direct or indirect. As a result, your program can meet your regulator, banking partner, stakeholder and client demands while protecting your organization from being used for financial crimes.

For help identifying your biggest BSA and AML risk areas and how to address them, contact our Fintech experts.
