Facing the FCA armed with data
Anti-money laundering (AML) enforcement continues to be a focus for regulators around the world. While the bulk of enforcement action relates to financial institutions, fintechs are finding themselves increasingly subject to scrutiny by regulators and in the media.
Responding to allegations of money laundering can be a daunting experience for any company, but for fintechs, the scale and breadth of the data to be searched is especially challenging. Fintechs frequently scale rapidly and their business can develop and diversify quickly. These changes serve to increase a fintech’s AML risk profile.
As a business grows, an increase in transaction volumes can also result in greater opportunities for products to be misused. This rapid growth may lead to deficiencies in money laundering controls, which are no longer proportionate to the firm’s risks.
These risks were highlighted in the UK’s national risk assessment of money laundering, published in December 2020. The risk assessment noted that criminals may be attracted to fintech companies’ accelerated onboarding procedures and look to exploit vulnerabilities in emerging technologies.
With this in mind, a firm must continuously ensure that financial crime controls remain fit for purpose as its business develops and grows. This was emphasised in the UK Financial Conduct Authority’s review of financial crime controls at challenger banks, published last year. It stated that resources, processes and technology should be commensurate with a firm’s expansion and that a risk-based approach should be taken to AML controls.
However, were these controls to fail and potential issues arise, a firm may need to conduct an internal investigation to understand its exposure to legal and reputational risk and ensure compliance with its AML reporting obligations.
Depending on the nature of the fintech business, e.g., its position in a payment chain, an AML investigation may centre on identification, collection and analysis of customer information including know your customer (KYC) and transactional data, with less of a focus on reviews of emails, chatroom transcripts and contractual documents.
This article considers the steps a fintech might take to investigate AML enquiries raised by a regulator or published in the media. It also highlights how to minimise risk exposure to some areas that can cause particular difficulty.
Setting the scene – identifying individuals with relevant knowledge
Most investigations require input from relevant employees with knowledge of the business, particularly its historical operations. Depending on the nature of the investigation, this may include interviews with compliance personnel, the operations team, system architects, database administrators and other officers to obtain context on the business, understand the circumstances of the transactions under investigation or to clarify where and how relevant data is stored.
Gaps in corporate knowledge can arise in any business, but rapid expansion of operations and/or changes in transactional processing tools may mean that this is a particular issue for some in the fintech sector. For example, a firm might have matured from a founder-led start-up to become a sophisticated business with institutional investors and a more complex governance structure. As a company grows and founders and employees move on, institutional knowledge may be lost.
In parallel, record-keeping processes may have still been developing, particularly during the start-up phase of the business. This may mean it is not possible to get a complete picture of the situation at the time of the alleged misconduct. A key question when scoping the investigation will be identifying any individuals with relevant knowledge and considering whether there is anyone still in the business who can answer questions from when the conduct is alleged to have taken place. Careful consideration should be given to how any gaps are addressed.
Prior to key personnel leaving, fintechs may benefit from producing a corporate history documenting the growth of the business and historical product lines and systems. Such a corporate history can be a necessary part of an investigation report, but it can also be of assistance in and of itself – for example, in terms of providing information to investors.
Putting the jigsaw together – the importance of data
A key initial step in any investigation is to consider the available data. Data on payment flows and payment infrastructure will be integral, but other available data may also assist, for example KYC records on merchants or customers involved in the transactions under investigation.
Fintechs have the advantage over traditional financial institutions in that they are generally not encumbered with archaic systems, though challenges can arise regarding data, for example:
- It is not uncommon for there to be reliance on manual processes at an early stage of some businesses.
- Large volumes are often stored on a patchwork of different systems.
- Rapid growth can mean a firm has outgrown the accounting data management and storage tools in which they recorded their early transactions.
- A change of system can create a loss of data continuity – making it more challenging for firms to perform reviews or investigations.
A comprehensive map or registry showing the various current and former data systems is therefore helpful to target relevant systems and confidently identify the selection criteria for any review.
The final pieces – additional information sources
Specialists performing forensic analysis on the data will seek to identify patterns of suspicious activity, but a company should also consider what other sources will be relevant. An investigation may need to be conducted into specific customers suspected of engaging in money laundering or other criminal activity, which could include a review of public domain information or perhaps engaging a corporate intelligence firm.
A fintech may also take a broader view and consider what other documentary evidence it has to provide context on the findings. This will vary between organisations but may include current and historical financial crime risk assessments, escalations in relation to suspicious activity and internal and external financial crime audits.
The compliance function of the firm is likely to have evolved over time. A summary of the developments can provide useful context that will enable a regulator or investor to understand how compliance has evolved in tandem with the business.
Lessons learned – taking remedial action
Finally, at the conclusion of any investigation there will be lessons to be learned. Gaps in policies and procedures or potential bad actors (e.g. customers or employees) could have been identified or data governance may need to be improved. If this is the case, remedial action will need to be flagged and taken.
A company should also consider whether its investigation findings suggest or confirm criminal activity that requires a disclosure to regulators or the authorities, and how such a disclosure should be made. A proactive approach to investigations will assist with making any such disclosures and minimising disruption to the business.