KYC & AML compliance: from 1970 to 2022 and beyond
A brief history of BSA, AML, and KYC
Alloy is a modern solution to a regulatory and compliance issue that began back in 1970 when the Bank Secrecy Act (BSA) was signed into law. The original intention of the BSA was simply to track the movement of currency. The BSA required banks to report cash transactions over $10,000, but the law required little more beyond that.
Many pieces of legislation amended the BSA over time, such as the Money Laundering Control Act (1986) and the Annunzio-Wylie Act (1992), which mandated that banks document their BSA procedures and file suspicious activity reports (SARs). A few years later, in 2001, the USA Patriot Act strengthened KYC procedures.
While anti-money laundering (AML) procedures primarily focus on being reactive to suspicious activity, Know Your Customer (KYC) rules attempt to be more proactive in preventing bad actors from using the financial system in the first place.
The regulatory landscape in a post-fintech world
When Richard Nixon signed the BSA into law in 1970, he clearly hadn’t put any thought into how regulators would deal with fintech companies five decades later. Because the OCC and FinCEN are mandated to oversee chartered banks, credit unions, money service businesses (MSBs), insurance companies, and brokerages, not fintech companies, it can be confusing to figure out which responsibilities for AML/KYC fall on the fintech and which fall on the partner bank.
An oversimplified but useful mental model is that regulators only care about the party that holds the charter. For example, if Fintech A onboards customers without performing KYC, the regulators would name their Partner Bank B in their action.
This might seem unfair to the partner banks, but they have an obligation to oversee “critical service providers,” including fintech partners. Because of this obligation, banks generally perform audits and/or review workflows for fintech partners’ AML/KYC procedures. Fintech partners are typically contractually obligated to bear the liability and cost for regulatory breaches that they caused, even if the regulator names the partner bank in the enforcement action.
A useful analogy is a Newton’s cradle with three balls. On one side, you have the regulators; on the other side, you have the fintech; in the middle, you have the partner bank. When a fintech fails to follow proper AML/KYC procedures, the regulator brings an enforcement action against the partner bank. The bank then passes along the financial liability to the fintech. The regulators don’t directly touch the fintech, but the fintech still feels the force of the regulatory action.
Where does Alloy fit into this?
Alloy was built to help banks and fintech companies manage all of these different KYC/AML regulations in one place, and serves customers across the entire spectrum of financial institutions and their critical service providers. Think of a neobank’s operational dependencies. Alloy has customers and partnerships across all of the different solutions that touch a neobank in the background – bank sponsors, banking-as-a-service providers, core systems, compliance programs, risk management solutions, card issuers, and data aggregators. Each part of the stack interacts with Alloy differently and has different regulatory obligations.
To visualize this, consider an SMB fintech company that issues virtual cards to end-users using a virtual card issuer, which all sits on top of a partner bank.
In this scenario, each company would have different regulatory obligations:
When an end-user signs up for an account, the SMB fintech company uses Alloy to run KYB, KYC, and fraud checks on the business and any beneficial owners.
When a debit card is requested for a new authorized user on the account, the fintech passes the end-user’s information along to the card issuer. The card issuer then runs the information through their workflows within Alloy to ensure all compliance and fraud checks pass.
The partner bank is not required to do its own compliance checks on these end-users as long as its critical service providers (i.e., the downstream fintechs) have sufficient processes in place. The partner bank does, however, run its own end-users through the bank’s own Alloy workflows to verify the identities of the customers who come directly to the bank.
In this example, Alloy supports all three of these companies in unique and different ways while helping them to safely and seamlessly work together to provide the best possible experience for the end-users.
Each of these three interconnected companies will have its own workflows per its “risk-based approach” to compliance, and each will see a different subset of end-users. Despite each company being responsible for onboarding its own set of users, in the eyes of a regulator, the chartered partner bank will always have an obligation to oversee and understand its fintech partners’ compliance programs. Any enforcement action for failures would likely come down on the partner bank, which would then pass on the liability to the fintech partner.
Looking to the future: 3 areas to watch out for in the regulatory environment
As most people know, banks, credit unions, MSBs, insurance companies, brokerages, and others, along with their critical service providers, are all subject to AML/KYC regulations. What’s more fun to talk about is where regulation might go in the future.
Here are three sectors to watch closely:
1. Crypto exchanges
The regulatory framework around crypto companies is a very hot topic that warrants its own dedicated blog post. For now, we’ll just mention that BitMEX, an offshore crypto exchange, failed to do KYC checks on US users, which resulted in fines of $120m and house arrest for the CEO.
2. NFT marketplaces
NFT marketplaces are at the exciting intersection of crypto and financial services. Users are not directly sending payments to each other in a manner as straightforward as a P2P payments system like Venmo, but they are sometimes sending thousands of dollars in cryptocurrencies to exchange semi-liquid assets. Interestingly, some NFT marketplaces like NBA Top Shot do KYC checks when transferring money out of accounts, but others like OpenSea do not.
3. Art dealers
Art markets are similar to NFT marketplaces in that subjectively valuable goods are changing hands for large sums of money. Congress introduced the Illicit Arts and Antiquities Trafficking Prevention Act as an amendment to the BSA in 2018, which would have required art and antiquities dealers to perform KYC checks, but the bill did not make it into law. More recently, AMLA 2020 includes provisions about extending AML requirements to cover antiquities dealers, and FinCEN is currently soliciting public feedback about prospective rules. In Europe, however, Anti-Money Laundering Directive 5 (AMLD5) requires dealers to report transactions over €10,000.
Our AML/KYC laws have changed a lot over the past 52 years and they will continue to evolve, especially as new technologies disrupt the financial services industry. Alloy provides a flexible technology architecture to be able to adapt quickly to changing regulatory requirements and a team of dedicated compliance experts that will keep you up-to-date.