The landscape in the financial technology (FinTech) continues to evolve, and so do legal issues for those companies and their investors, particularly anti-money laundering (AML) concerns.
FinTech companies of all sizes must actively monitor the legal and AML compliance landscape to keep abreast of best practices and to identify potential legal exposure lest they find themselves the subject of regulatory or criminal investigations.
Criminal investigation and prosecution in the FinTech area is likely to expand beyond cases involving cryptocurrency providers over the next several years in light of increased regulatory focus on imposing compliance obligations across FinTech more broadly.
FinTech and the Bank Secrecy Act
As a threshold matter, FinTech companies must consider their status under the federal Bank Secrecy Act (BSA). The BSA is primarily administered by the Financial Crimes Enforcement Network (FinCEN) and broadly requires financial institutions, including money services businesses (MSBs) such as money transmitters, to implement and maintain effective AML programs.
To date, FinCEN has provided limited guidance on what businesses or activities qualify a FinTech company as an MSB subject to the requirements of the BSA.
FinCEN has made it clear that cryptocurrency issuers, exchanges, and administrators qualify as MSBs, but the vast majority of other FinTech companies are left to work with counsel to take a close look at how their business activities relate to the statutory and regulatory guidance to determine whether they qualify as MSBs.
While companies that qualify as MSBs clearly have AML compliance obligations under the BSA, even companies that are not subject to the secrecy act may not be able to avoid implementing anti-money laundering programs.
AML enforcement by regulators and prosecutors continues to be robust, and many FinTech companies are now finding that their business partners—many of whom are financial institutions subject to the BSA—are imposing BSA-type compliance requirements on their FinTech partners as a matter of contract.
Thus, FinTech companies must carefully consider all potential sources of AML compliance obligations when determining whether to implement a program.
Compliance Programs and Risk Management
Whether as a legal requirement, a contractual obligation, or a matter of best practice, many FinTech companies will find themselves needing to develop and maintain an effective AML program.
Such a program must be built around the well-known five pillars of BSA compliance:
- a system of internal controls to ensure ongoing compliance,
- independent testing,
- the designation of a BSA officer,
- training of appropriate personnel, and
- risk-based customer due diligence.
The five pillars provide a useful starting place for developing a program, but he lack of specificity of program requirements under the BSA is a common complaint of regulated entities. These challenges are all the more pronounced for FinTech companies, whose new technologies may not squarely fit the mold of historically sound AML programs.
Therefore, FinTech companies should be guided by several additional principles when developing and implementing a program.
First, the program should be built around the business activities of the company in question. This will require a deep dive into the company’s operations to conduct a complete risk assessment based on the role that the company plays in financial transactions and the customer data that it handles.
Second, the program should provide a clearly defined structure and process for identifying and managing AML concerns with a particular focus on creating well-documented decisions and predictable and consistent results when AML issues arise. Mistakes happen even under the best AML programs, but the ability to rely on a defensible process can go a long way toward alleviating regulator concerns when a problem comes to light.
Third, the program should take into account the unique “know your customer” challenges many FinTech companies face. FinTech companies may often be in situations where they are regularly handling transactions for new customers. A strong AML program will likely require them to develop processes for obtaining necessary customer details—including name, address, and identity verification—for each new customer a transaction is processed for.
Given that FinTech companies may have limited direct interaction with individual customers, it will often be necessary for the companies to work with their business partners to ensure this information is being collected and transmitted to satisfy AML compliance obligations.
Fourth, the program should be regularly reviewed and revised. As the FinTech industry expands, regulatory requirements will undoubtedly continue to increase and best practices will likewise evolve. FinTech companies should anticipate these changes and plan to swiftly implement program updates as such changes occur.
Finally, FinTech companies should consider proactively engaging with state and federal regulators on program development in light of the challenges faced by companies that are developing new technologies that are completely different from services offered by traditional financial institutions.
Numerous agencies, including the Consumer Financial Protection Bureau and the Federal Reserve, have announced a desire to engage with FinTech companies on these issues. Admittedly, however, FinTech companies that have attempted such outreach have anecdotally expressed frustration with the limited ability to obtain meaningful guidance. As regulators become better versed in FinTech concerns, however, there is certainly a hope within FinTech that these conversations may become more fruitful.
The Future of Criminal Enforcement
Federal criminal enforcement in the FinTech space to date has primarily focused on individuals and entities involved with cryptocurrencies. This is not surprising given the clearly articulated commitment of federal regulators to require companies involved with cryptocurrencies to implement robust AML programs and given the well-publicized problem of money laundering involving cryptocurrencies.
While cryptocurrency companies are likely to continue to be a focus of criminal enforcement in the near term, criminal investigation and prosecution in the FinTech area is likely to expand over the next several years in light of increased regulatory focus on imposing compliance obligations across FinTech more broadly.
Although the Department of Justice (DOJ) has not developed a single, clear method of approaching criminal prosecutions involving FinTech, past cryptocurrency criminal resolutions provide a window into likely statutory bases for future prosecutions. These cases reveal that prosecutors are looking closely at whether FinTechs that are required to do so are properly registering as MSBs and adhering to the requirements of the BSA.
In addition, prosecutors have pursued charges of wire fraud, securities fraud, and money laundering against individuals and entities in the FinTech space.
Although the majority of past prosecutions touching on FinTech have involved allegations that individuals or entities were operated primarily for fraudulent or criminal purposes, legitimate FinTech companies must nonetheless be aware that criminal prosecution under the BSA and related statutes is a real risk that is only likely to increase as regulatory regimes expand in the future.
This is particularly true in light of the DOJ’s creation in July 2018 of a new Task Force on Market Integrity and Consumer Fraud, whose mandate includes pursuit of cases involving money laundering, cryptocurrency fraud, and other financial-related crimes.
Brian Frey is a partner with Alston & Bird and member of the White Collar, Government & Internal Investigations team. A former federal prosecutor for the Department of Justice, Frey focuses his practice on representing financial institutions, major corporations and individuals in white collar investigations involving a range of criminal and civil laws.