What is an AML compliance program and how do I get started?

As tech companies continue their expansion into financial services, many will be required to establish Anti-Money Laundering (AML) programs in order to comply with banking or brokerage partners’ obligations or the Bank Secrecy Act (BSA). Those that don’t can face steep government fines.

And while building an AML compliance program can help keep you in the clear, it can also help reduce the overall burden of financial fraud. According to a recent study, the average fintech loses 1.7% of its annual revenue to fraud–approximately $51 million per year. Navigating the process of building your own AML compliance program, however, can be complex. If you’re a compliance officer or decision maker in tech who’s thinking about starting that process, this guide is for you. 

Below, we’ll take a deep-dive into the world of AML compliance and walk you through how to build an AML compliance program that stays ahead of regulation, saves you valuable time and resources, and helps reduce the risk of fraud and other financial crimes.

We’ll start by answering big-picture questions like:

An AML program is designed to prevent money laundering, terrorist financing, and other forms of illicit activity by helping companies identify and address various risks. Having a program in place helps financial institutions and non-financial trades or businesses ensure compliance with BSA/AML laws and regulations for US entities. The US government agency responsible for implementing, administering, and enforcing BSA/AML is the Financial Crimes Enforcement Network (FinCEN).

All fintechs should comply with AML regulations in the sense that they should never allow their products and services to be used to facilitate financial crime. However, not all fintechs are required to develop a full-scale AML program. Fintech services regulated by AML generally include payments, money transmission, securities trading, and digital wallets. Fintechs Stripe, Paypal, and Robinhood all comply with AML regulations based on their classifications as financial institutions under the BSA, according to their disclosures. Even fintechs that aren’t directly subject to AML regulations may have obligations via a partner, like a bank.  

Maintaining fast onboarding and connectivity when implementing an AML compliance program will be challenging for many. Consumers are willing to do more to protect their identities, but their patience has limits. After all, over 68% of consumers abandon a fintech app during the onboarding process. 

That’s why a staged due diligence approach, where more time is spent on higher-risk customers, makes sense. A higher-risk customer may require additional investigation including running an intelligence report or confirming the source of cash used to fund the account. However, it may not be necessary to perform a lengthy investigation for a customer if they’re assessed as low risk. That might include a salaried employee with relatively consistent expenses and outflows each month.  

Lengthy investigative research can be time consuming and costly, especially if the work is done manually. Manual processes like hand checking PEP and other sanction lists can also be less reliable, allowing high-risk customers to fall through the cracks. 

Automated identity verification solutions can save time by quickly performing most customer identification program (CIP) requirements and creating a fast, seamless onboarding experience. Using automation, you can cut down or completely eliminate time-consuming manual risk reviews.  

Plaid Identity Verification (IDV) is an automated solution that helps fintechs prevent fraud while onboarding more customers more quickly. IDV helps complete the CIP portion of the diligence process. It assists in detecting and preventing bad actors from accessing your platform in real-time based on customizable risk levels. It can also identify and fight threats like synthetic identity fraud, presentation attacks, and account takeovers.  

Plaid Monitor supports AML compliance with automated account monitoring tools. Monitor keeps track of changes to your customers’ watchlist hits over time. It gives a complete picture of everything required for an investigation - new names, locations, passports, and dates of birth.

We recommend a risk-based approach to meeting AML compliance requirements. That means understanding your target market so that you can identify and prioritize the highest risk customers before financial crimes even occur. Keep in mind that risk can vary based on a customer’s geography, product usage, account activity, and documentation. For example, if a customer resides in a high-risk jurisdiction, that increases the risk of fraud. 

“The ground floor of building a compliance program is understanding your risks,” says Sepideh Rowland, Senior Managing Director of FTI Consulting.

Once you evaluate your customer base and determine the kind of due diligence program you'll need, you’ll want to learn more about your customers by collecting data on how and why they’re using your product. This will make it easier to identify suspicious activity and build accurate risk models. 

Here’s a step-by-step guide to help you get started.  

1. Implement a customer identification program (CIP)

A CIP ensures that a fintech or other financial services provider knows and can verify the true identity of its customers. Providers need to obtain customers’ names, date of birth, address, and identification number. Having a CIP is a good first step but it doesn’t necessarily assess a customer’s inherent risk. For example, CIP programs won’t typically look into how an account is funded or how the funds will be used. 

2. Conduct basic due diligence 

Due diligence starts by assessing the unique risks associated with each customer. Basic due diligence will help you identify the risks for most accounts, allowing for a faster onboarding process.

Due diligence should identify risk factors for accounts that are: 

• located in high-risk jurisdictions 

• processing large amounts of ACH payments or wire transfers

• listing an account holder that is different from the account’s legal title  

• matching Sanction, Warning, or Politically Exposed Person (PEP) lists

• conducting transactions that don’t make financial sense  

• displaying inconsistent levels of spending  

“Customer due diligence programs should focus on learning as much as possible about the risks a customer can pose,” explains the Head of Compliance at Plaid.

3. Perform enhanced due diligence for high-risk customers 

Enhanced Due Diligence (EDD) is a deeper level of account investigation that’s applied to high-risk customers and accounts. This staged approach can save time and resources.

EDD security checks include: 

• requesting financial statements

• running an intelligence report on a customer

• comparing bank records with data from trustworthy and impartial sources

• confirming the source of cash used to fund an account

• performing adverse media screening if a customer has been involved in a financial scandal

→ To learn more about enhanced due diligence, check out Enhanced due diligence: What is EDD in banking?

4. Ensure ongoing transaction monitoring 

The nature of a customer and their account can change over time. So it’s important to review accounts for suspicious activity on an ongoing basis. Targets can include cash-intensive businesses and accounts where the source of cash is unclear. 

Conclusion

Implementing an AML compliance program does more than help you comply with regulations. It can lower your cost of fraud and help you identify and prioritize your low-risk customers. After all, there’s value in keeping the right customers. It can also improve the quality and depth of your customer data, making it easier to deliver customized products and services.

If you're interested in learning more about AML compliance programs and how Plaid can help you future-proof your company and stay one step ahead of the quickly evolving regulatory changes, contact us or go deeper with the resources below.

Go deeper: Learn more about regulatory compliance

• Navigating the Bank Secrecy Act: Keys to a strong customer identification program

• eKYC: Digital verification improves new customer onboarding

• CIP requirements: How to improve fintech compliance