Opinions of Thursday, 13 April 2023

Columnist: Carl Odame Gyenti

How to effectively manage emerging Fintechs risk


We are living in a world increasingly dominated by technology. The rise of digital technology continues unabated and is reinventing even banking and other sectors of the economy.

We have entered a period of exceptional destruction that is transforming how business is conducted and challenging the very foundation of established business models. Across the world today, banks, Fintechs and technology companies are collaborating to seek more efficient, scalable, and economic ways to manage and move funds.

The truth is that change can be exciting, challenging, and uncomfortable at times. The current period of change brings with it both new and emerging risks that a Fintech company needs to manage. Chief among them is the use of alternative remittance technologies, from cryptocurrency and gig-economy platforms to mobile wallets.

In this article I try to address and highlight the measures Fintechs can take to enhance their Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), financial crime and compliance framework to meet industry standards. As with any fast-moving environment, managing financial crime risk while keeping up with the speed at which new payment methods are emerging presents a huge challenge.

In simple terms, Fintech is a segment of the technology startup scene that is disrupting sectors such as mobile payments, money transfers, loans and fundraising. In this rapidly evolving sector, the continuous growth of mobile devices and easy access to products online have become important. Adoption of digital payments is expanding quickly among consumers, as is the digitalization of commercial services. Consumers are driving the growth as they expect to transact more and more online.

This is impacting traditional e-commerce players as well as traditional retailers. More importantly, instant payments are replacing existing traditional banking instruments.

Some types of Fintechs

Fintechs offer solutions and services which come in various types. They include Payment Service Providers (PSPs). PSPs are generally like a traditional acquiring business, covering not only credit cards but also wallets. These PSPs provide services for Consumer to Business (C2B), Business to Consumer (B2C) and Business to Business (B2B). Some clients within this scope include the likes of Cellulant, Stripe, PayPal, Earthport etc.

Money Service Businesses (MSBs), also called Money or Value Transfer Services (MVTS), are client types who transfer and exchange small amounts of cash quickly and anonymously. However, these firms are vulnerable to money laundering (ML) and subject to the watchful eye of regulators and financial institutions. Just a few years ago, on January 19, 2017, Western Union, the world’s largest MSB, agreed to pay a $586 million fine and admitted ignoring the fact that criminals used it for money laundering and fraud.

Third Party Payment Process (TPPP) Fintechs generally provide payroll and supplier payment services. This includes the likes of Earthport, Tricor etc. Online wallets/digital wallets focus on an online store of value linked to an online ID or a mobile phone contract. There are also Fintechs whose main focus is on stored-value cards/platforms and on providing e-commerce services whose platforms connect buyers and suppliers. This includes global giants like Amazon, Alibaba, eBay, Expedia, PayPal, Ariba etc. The list is endless.

Measures to deal with risk

Governance and oversight

Implementing a clear governance and oversight structure is the first step in dealing with inherent risk as a Fintech. There should be a strong Anti-Money Laundering (AML) framework that is adequate for the business.

For instance, you need to recruit a Money Laundering Reporting Officer (MLRO) or equivalent reporting line who must head the department. Depending on the business model, the number of AML dedicated resources should be adequate to handle the number of underlying clients and transactions. Where there are issues requiring escalations and suspicious activities, they must be dealt with in record time.

More importantly, governance and oversight require Fintechs to operate under appropriate licensing from a regulatory authority. The license must reflect the specific products and services being offered. Some financial institutions, for instance, do not deal with Fintechs that are not licensed to carry out such business and that lack a good framework and controls.

Policies, procedures and controls

Getting the above right is crucial in mitigating Fintech risk. An assessment of policies, procedures and control framework oversight is essential. It should cover the total number of staff in the Compliance department, where they are located, the organisational structure and reporting lines, whether any regular independent audit or assurance testing is performed, and any other evidence that the AML/CTF program is effective.

Constant training of the teams supporting the AML/CTF program is important, as is establishing whether the Compliance resourcing plan is adequate to support current activity and growth. A robust AML policy to guide the Fintech is also critical. Having relevant procedures for the Customer Due Diligence process improves the quality of the clients to be onboarded.

Customer due diligence (CDD) framework

Fintechs must assess whether the CDD process is adequate and appropriate for the business. The CDD policy must include identification and address verification, ownership unwrapping, purpose and source of funds, expected account activity, identification of authorized signatories and other relevant parties, geography, account type, and business/industry identification.

For individuals, Fintechs must ensure that official valid documents such as national ID cards, passports, driving licenses or election cards are collected as proof of identification and of residential address. Self-certified photocopies are to be verified after sighting the originals. Authentication of documents can also be done by the Legal department. Linking verification to such portals, where deployed, helps to identify and match the documents. Where there is a false match, the processing officer must reject the onboarding.

For non-individuals and business entities, a Fintech's CDD should encompass documents such as the certificate of incorporation, certificate of commencement of business, memorandum and articles of association, board resolutions, etc. These should be collected and verified, along with the identity documents of authorized signatories and beneficial owners and/or directors. For these non-individuals and corporate clients, the original documents must first be sighted, and a company stamp should be used to attest that the originals were sighted.

It is highly recommended to categorize customers’ risk into High, Medium and Low at the time of onboarding and to reassess it during the periodic CDD renewal, based on risk parameters updated in a risk scoring model. The parameters chosen for risk rating your clients should be based on the nature of business activities, locations of the customers, turnover, client’s background, country of origin, and sources of funds. Measures have to be in place so that clients are subject to trigger reviews as and when any new risk flags are raised. For trigger events, the compliance team’s involvement/approval should be required.

Transaction surveillance / Fraud prevention

Implementing transaction monitoring for and Sanctions risk as a Fintech is also a good measure. This must cover whether the rules/typologies are relevant to its business model(s), customers and geographies, and/or other risks, e.g. structuring or fraud. It must also cover whether there are rules or controls to identify payments with missing or meaningless information, and finally whether the team responsible for dealing with the alerts raised is adequately resourced.

Transaction monitoring systems, among other things, should be able to look for: (1) persons or entities seeking to hide or launder the proceeds of crime; (2) transactions that may involve funds used in terrorist financing; (3) persons or entities targeted by sanctions regimes related to terrorism and terrorist financing; (4) persons or entities targeted by sanctions regimes for financing or supporting Weapons of Mass Destruction proliferation; (5) round dollar amounts and/or amounts just below regulatory reporting thresholds, to identify structuring.
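As an added illustration (not part of the original column), the sketch below implements three of the checks named above: amounts just below a reporting threshold, round amounts, and payments with missing or meaningless information, plus a per-customer aggregation that catches structuring across several payments. The threshold, the "just below" band, the time window, the list of meaningless references and the sample payments are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000           # assumed reporting threshold, not from the article
NEAR_BAND = 0.10             # assumed: "just below" = within 10% under it
WINDOW = timedelta(days=3)   # assumed aggregation window for structuring
MEANINGLESS = {"", "n/a", "na", "none", "test", "xxx", "payment"}  # assumed

def tx_flags(tx):
    """Per-payment rules: near-threshold, round amount, empty reference."""
    flags, amt = [], tx["amount"]
    if THRESHOLD * (1 - NEAR_BAND) <= amt < THRESHOLD:
        flags.append("just_below_threshold")
    if amt >= 1_000 and amt % 1_000 == 0:
        flags.append("round_amount")
    ref = (tx.get("reference") or "").strip().lower()
    if ref in MEANINGLESS or len(set(ref)) <= 1:
        flags.append("missing_or_meaningless_info")
    return flags

def structuring_alerts(txs):
    """Customers whose sub-threshold payments reach THRESHOLD within WINDOW."""
    by_cust = defaultdict(list)
    for tx in txs:
        if tx["amount"] < THRESHOLD:
            by_cust[tx["customer"]].append(tx)
    alerts = {}
    for cust, items in by_cust.items():
        items.sort(key=lambda t: t["ts"])
        start = total = 0
        for end, tx in enumerate(items):
            total += tx["amount"]
            while tx["ts"] - items[start]["ts"] > WINDOW:  # slide the window
                total -= items[start]["amount"]
                start += 1
            if end > start and total >= THRESHOLD:  # first hit per customer
                alerts.setdefault(cust, [t["id"] for t in items[start:end + 1]])
    return alerts

SAMPLE = [dict(zip(("id", "customer", "amount", "ts", "reference"), r)) for r in [
    ("T1", "C-100", 9_500, datetime(2023, 4, 3, 9, 10), "invoice 4471"),
    ("T2", "C-100", 9_800, datetime(2023, 4, 4, 11, 2), "xxx"),
    ("T3", "C-100", 4_000, datetime(2023, 4, 4, 16, 45), ""),
    ("T4", "C-200", 1_250, datetime(2023, 4, 3, 12, 0), "rent April"),
    ("T5", "C-200", 12_000, datetime(2023, 4, 10, 8, 30), "equipment purchase"),
]]  # constructed payments, whole currency units

if __name__ == "__main__":
    print({t["id"]: tx_flags(t) for t in SAMPLE}, structuring_alerts(SAMPLE))
```

A round amount on its own (T5) is a weak signal; in practice these flags feed a risk score or an analyst queue rather than blocking a payment outright.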

Sanctions program

An assessment of the adequacy of the sanctions program is important, including the suitability of the frequency and timing of screening, e.g. during onboarding, periodically and/or on transaction. Sanctions, Politically Exposed Persons (PEP) and adverse media screening of customer names and transactions should ideally be both automated and manual. The screening lists include the Office of Foreign Assets Control (OFAC), United Nations (UN), HMT and European Union (EU) lists. Even if you have not invested in technology, these key screening lists cannot be overlooked.

Independent testing

As a Fintech, you must ensure that internal audits, external audits, regulatory audits and quality assurance/quality control are performed and adhered to. An internal audit department must perform an independent and objective assessment to monitor the adequacy and effectiveness of, and adherence to, the internal controls, processes and procedures instituted by management and by extant regulations.

Audit functions should adopt a risk-based approach to internal audit and must be mandated to audit AML/KYC/CTF. The scope should include a full review of the Compliance Dept.'s controls, policies, procedures, systems etc.

Conclusion

In summary, because Fintechs are fast growing, risk is inherent in the industry. However, the most effective and dependable strategy to decrease operational risk is to automate operational activities.

Regardless of the external danger or condition, a specific risk control framework implemented as a provisional solution can help to reduce risk. As regulatory scrutiny increases, Fintechs are focusing on optimizing operational risk practices and minimizing potential operational risks. Risk mitigation is an essential responsibility for operations management. Hiring professional risk management assistance and implementing an established and verified risk assessment methodology are first steps in dealing with this.

Lastly, detecting and countering illegal financial activity in established currencies and payment methods is already challenging enough. Tackling financial crime in this space requires strong collaborative relationships with fintechs which are driving the ‘creative destruction’ of the traditional payments model.

The establishment of a clear set of standards for the digital age helps to reduce the inherent risk in the business.