AML/BSA 101

If you’re a fintech operator, you have likely faced this question on a due diligence spreadsheet: “Please describe your AML program?”

You have a fulsome answer along with policies and procedures, an appointed AML officer, and a detailed plan for annual audits.

And then you get the follow-up question: “Great. Now please describe your CIP.”

And then your board asks what you’re doing about fraud prevention.

You are rightfully confused.

AML. BSA. KYC. KYB. CIP. Fraud.

You thought these were all the same thing.

What do these all mean and how are they different?

Here’s a quick summary:

AML: This stands for anti-money laundering, or a set of rules, laws, and procedures to prevent money laundering. What is money laundering, you ask? Watch: The Ozark.

BSA: The Bank Secrecy Act is a federal law, enacted in 1977, designed to prevent money laundering and other financial crimes. The BSA applies to banks and only those directly regulated fintechs (we’re looking at you, MSBs).

KYC: This is a set of processes to Know Your Customer. Knowing Your Customer helps you prevent money laundering (see above).

KYB: This is a set of processes to Know Your Business. If your end customer is a business and not an individual, you will have a KYB program.

CIP: This is a legal requirement to verify your customer’s identity under the Patriot Act, an amendment to the Bank Secrecy Act. CIP stands for Customer Identification Program, and it involves collecting and verifying some information about your customer.

Which part is the legal requirement?

A common and fair question is how much of having a KYC program is a legal requirement, and how much of it is just a nice-to-have fraud prevention program.

Your KYC program is holistic. It has components that involve your CIP (legal) and fraud prevention (good business practice).

Here’s a quick way to think about it:

  • A CIP ensures that the identity being used to apply for your product belongs to a real person (i.e., either a non-documentary source or a government issued document has the same information);
  • Fraud prevention ensures that the identity of the person applying for your product (i.e., the person sitting behind the computer) is the same as the identity you’ve verified through your CIP.

The two are closely related.

The goal of a good KYC program should be to both verify the applicant’s identity and have robust, holistic measures to prevent fraud.

Here are some examples of how CIP and fraud prevention work together to meet the goals of your KYC program.

  • When submitting the driver’s license to verify identity, we ask Johnny to submit a “selfie” holding the ID. We match the photo in the ID with the selfie.
  • We look at the IP location of the device used to apply for the product and match it to the address in the application.
  • We verify that the phone number used in the application belongs to Johnny and send a short code text to that number.
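The sketch below is an added example, not code from the original post. It shows how the CIP result can act as a hard gate while the three fraud checks above route an already-verified identity to approval or manual review. The function names, score scale, and all thresholds are assumptions chosen for illustration, and the selfie score and geolocations are assumed to come from an upstream provider.

```python
import hmac, math, secrets, time
from dataclasses import dataclass

# Constructed thresholds for illustration; none come from the post or a regulation.
SELFIE_MATCH_MIN = 0.80     # assumed face-match score cutoff (0..1)
IP_DISTANCE_MAX_KM = 500.0  # assumed tolerance, IP geolocation vs. stated address
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3

@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0

def issue_otp(now=None):
    """Create a 6-digit short code from a CSPRNG to text to the applicant."""
    issued = time.time() if now is None else now
    return OtpChallenge(f"{secrets.randbelow(10**6):06d}", issued)

def verify_otp(ch, submitted, now=None):
    """Reject expired or over-guessed challenges; compare in constant time."""
    now = time.time() if now is None else now
    if ch.attempts >= OTP_MAX_ATTEMPTS or now - ch.issued_at > OTP_TTL_SECONDS:
        return False
    ch.attempts += 1
    return hmac.compare_digest(ch.code.encode(), submitted.encode())

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def evaluate(cip_verified, selfie_score, ip_geo, address_geo, otp_ok):
    """CIP is a hard gate; fraud signals route a verified identity to review."""
    if not cip_verified:
        return "decline", ["cip_unverified"]
    flags = []
    if selfie_score < SELFIE_MATCH_MIN:
        flags.append("selfie_mismatch")
    if km_between(ip_geo, address_geo) > IP_DISTANCE_MAX_KM:
        flags.append("ip_far_from_address")
    if not otp_ok:
        flags.append("phone_unconfirmed")
    return ("approve" if not flags else "manual_review"), flags
```

IP geolocation is coarse and shifts with VPNs and mobile carriers, which is why the sketch treats a mismatch as a review signal rather than an automatic decline.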

You said Bank Secrecy Act. Doesn’t this apply to banks only and not fintechs?

Good question.

While you may not be a bank, if you have a bank sponsor, you are implementing an AML program on behalf of your bank sponsor. This is why the bank sponsor, in your initial diligence and as part of their oversight, will have a lot of questions about your AML program.

If you are registered with FinCEN or provide products and services that facilitate financial transactions (like money transmitters), some or all of the requirements of the BSA may apply directly to you.

Generally, fintechs that are involved in the following products with a bank partner will need to have an AML/BSA program:

  • Consumer lending (personal lending or BNPL)
  • Business lending
  • Consumer use credit cards
  • Business expense credit cards
  • Bank accounts or taking deposits
  • Cryptocurrency exchanges

If you are a Money Services Business (an “MSB”), you will have a direct obligation under the BSA to have an AML/BSA program.

Does it matter that I’m a B2B vs. B2C fintech?

Yep. Your requirements may differ depending on whether your end customer is an individual or a business.

For example, if your customer is a business, you will be required to have a KYB (“know your business”) program.

In recent years, FinCEN, or the Financial Crimes Enforcement Network, part of the U.S. Department of the Treasury, has been releasing more guidance on what rules to follow for a KYB program.

The Corporate Transparency Act also went into effect Jan 1, 2024. This requires all companies (LLCs, corporations) to report beneficial ownership information. What is beneficial ownership information? You can read more here.

Does sanctions screening apply to me?

Yes! Every business, regardless of product, must ensure that it is not working with any customer that is on a prohibited sanctions list, such as the list administered by the U.S. Office of Foreign Assets Control, or OFAC.

There are many other aspects of an AML program, such as suspicious activity reporting, monitoring, and training, which we will cover in another post.

While we hope you found this post helpful, please note that the information in this post is not intended to be legal or regulatory advice.