By Alma Angotti, Gene Bolton, Tracy Angulo, Gregory Schwarz
Guidehouse’s series on Anti-Money Laundering (AML) Considerations in a Digital World tracks new advances in payment services, fintech, and the evolving regulatory environment. One of the greatest changes in the digital market economy has been the role of Money Services Businesses (MSBs). The explosion of digital payment technology allows MSBs to offer customers direct, bank-like services straight from their mobile phones. In the U.S., despite the ever-increasing pace of the development of digital payment systems, corresponding regulations remain stagnant. Current regulations — many of which were first implemented decades ago — did not contemplate, and often cannot meaningfully address, today’s technological innovations.
Recent indication by the U.S. Department of the Treasury (Treasury) suggests that this may change. On April 10, 2023, Treasury published the 2023 De-risking Strategy pursuant to the Anti-Money Laundering Act of 2020 (AMLA). In this study, Treasury focused on financial institutions (FIs) “de-risking” numerous clients by terminating or restricting business relationships indiscriminately among broad categories, rather than analyzing and managing the risk of clients in a targeted manner. Treasury notes that FIs are concerned that certain MSBs are not being held to the same Anti-Money Laundering (AML)/Counter Financing of Terrorism (CFT) regulatory standards as other FIs, which influences de-risking across the market. Considering this, Treasury indicated that the Financial Crimes Enforcement Network (FinCEN) “will conduct a review of Bank Secrecy Act (BSA) regulatory requirements and definitions for MSBs in the context of technological advances, innovation, and changing business models in the traditional finance ecosystem to assess whether some MSBs may be providing services that should be subject to BSA regulatory requirements more in line with bank requirements.”1
While there are multiple areas for consideration, including expansion of the Customer Due Diligence Rule or centralization toward Federal Regulatory Oversight, one key area of focus for Treasury is customer verification. U.S. regulators will likely re-examine the limited prescribed customer verification and due diligence regulatory requirements for money transmitters, or customer verification for digital money transmission.
Verification Requirements for Transactions Not in Person
Verification requirements are ripe for a regulatory refresh. Technology advances have limited the reasoning for certain regulatory exceptions. Money transmitters must collect certain information from a customer for single transactions greater than $3,000, whether the transaction is made in-person or not in-person.2 The law, however, differentiates with respect to verification of that information. Specifically, verification is required at $3,000 for in-person transactions, but if the transaction is not made in person, there is no explicit federal requirement to verify the information collected. In 1995, Treasury discussed this issue in response to public comments to the 1995 Amendment to the BSA.3 Treasury reasoned at that time that where the originator is not present to provide the required information, there is no opportunity to verify it, and, therefore, money transmitters are not required to verify identities.4
This commentary took place before the fintech boom of the past 30 years, as well as the regular use of electronic know-your-customer (KYC) tools, non-documentary methods of verification through electronic databases. In fact, Treasury only referenced technology of the time, “phone, fax, electronic link, or mail,” as the communication channels to conduct transactions not in person. Today most established money transmitters incorporate a requirement to verify identities at a $3,000 threshold (and more often below) for non-in person transactions to: (1) comply with state-level requirements; (2) satisfy regulatory expectations; and (3) establish risk-based controls. As such, it appears possible that this section of the BSA could be updated to create a federally prescribed requirement to verify identities for non-in person transactions.
Possibly Broadening Application of the Customer Identification Program Rule of the USA PATRIOT Act or Lowering/Eliminating the $3,000 Verification Threshold for Certain Business Models Engaged in Account-Like Activity
There are indications of a possible alignment of verification thresholds with bank requirements. For example, FinCEN is actively exploring the use of digital identity solutions to: (1) assist customers in asserting their identity and financial institutions to verify their identity as part of a “Customer Identification Program” (CIP);6 and (2) potentially addressing de-risking by increasing the efficiency and safety of customer identification data storage and processes that banks and MSBs currently use.
Banks and broker-dealers are in the business of maintaining accounts for customers as part of a formal relationship. As such, they are subject to the CIP rule, which requires verification of a customer when opening an account at these institutions. Under the CIP rule, “Account” means a formal banking relationship.7 MSBs, as defined by statute, technically cannot offer “accounts”8 to customers and, in fact, their services are explicitly excluded from the definition of “Account” even if their products are “account-like.” MSBs, especially those in the Convertible Virtual Currency (CVC) industry, however, continue to trend more toward offering users stored value arrangements in account-like wallets.
In its 2019 Guidance,9 FinCEN discussed the concept of ongoing account-based money transmitter relationships in relation to “established customers.”10 Such relationships with nonbank financial institutions may include…ongoing contractual relationships between providers of money transmitting services and business customers.11 FinCEN further reasoned in its 2019 guidance that money transmitters may maintain an account for transactors to store funds or value that substitutes for currency, from which the transactor can instruct the money transmitter to transfer them in whole or in part. As an example, FinCEN applies the concept of account-based money transmission models to hosted and unhosted CVC wallet providers. U.S. regulators, however, are yet to provide more guidance related to account-based money transmission models.
For other account-based digital models, further guidance may be found in the Financial Action Task Force’s (FATF) 2013 guidance13 related to new payment products and services (NPPS). In this guidance, FATF states that certain NPPS entities have similar functionality to a bank account. Specifically, in differentiating between an ongoing-established business relationship with a client versus an occasional-transactional based relationship, FATF recommends looking for the presence of one of five factors, which countries should consider in the application of a risk-based approach to AML/CFT regulation:
Based on trends in the industry and given Treasury’s indication that it may re-examine money transmitter regulations to align more with bank requirements, it seems reasonable to conclude that verification requirements for MSBs may change. For example, for certain types of account-based money transmission products offered by certain MSBs, Treasury may: (1) broaden the definition of Account for the purpose of CIP; or (2) remove or lower the $3,000 threshold in relation to 31 CFR 1010.410 (e).
The exact direction of the regulation is unclear, including whether certain money transmitters will come within scope of the CIP rule. In the absence of a prescribed requirement, MSBs must tailor their program commensurate with the risks posed by the location, value, nature, and volume of the financial services provided by the MSB. Verified sender information may be necessary for an MSB to meet aggregation requirements, to identify fraud and other patterns of illicit activity.
Some in the industry opt to only comply with regulatory requirements as prescribed, to verify at a higher dollar threshold of $3,000 in the U.S. Guidehouse, however, observes the industry has long trended toward a more simplified approach by using stricter standards by verifying identities at lower thresholds, for example, at $1,000 as FATF recommends, or as a precondition to service. It may seem counterintuitive; however, it is often advantageous to simplify the process and adopt stricter standards, rather than have different standards based on the regulations present in each jurisdiction in which the MSB operates. Particularly for those account-based money transmitters operating in numerous jurisdictions with diverse verification requirements, this helps reduce fraud and streamline the global customer experience, require fewer human resources to ensure thresholds are met, and create a more resilient KYC program.
Customer onboarding continues to be one of the most cost-intensive and time-consuming areas of compliance, often slowing down business and causing immense customer friction. As businesses move from traditional in-person and paper onboarding models to digital onboarding models, business should consider vendor solutions to streamline the onboarding process and reduce costs. These solutions have risen to match the growth in digital payments and range from automated verification to screening and even biometric checks. Implementation of these solutions will allow money transmitters to strengthen controls, reduce fraud, and streamline the customer experience.
Guidehouse has and continues to help its clients select and implement automated systems, first and foremost, by determining the solution(s) that is/are fit for purpose and meet the compliance needs of the financial institution. This includes understanding the expected volume of onboardings per day and how a solution fits into existing processes. We do this by assessing and considering prioritization, ease of integration, and whether a solution is comprehensive or if solutions from different vendors will be mixed-and-matched.
Guidehouse can help MSBs assess their compliance programs to navigate these and other regulatory concerns, including developing and implementing updates to operations, policies, procedures, controls, and technology. Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.
1 Financial Crimes Enforcement Network, and Treasury Internal Revenue Service. “Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses.” Financial Crimes Enforcement Network, 2008. https://www.fincen.gov/sites/default/files/shared/MSB_Exam_Manual.pdf. Treasury also indicated that it may update 2009 BSA Manual for MSBs.
2 “31 CFR § 1010.410(E)(2).” n.d. National Archives Code of Federal Regulations. Federal Register. Accessed June 27, 2023. https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1010/subpart-D/section-1010.410.
3 “Rules and Regulations FEDERAL RESERVE SYSTEM DEPARTMENT of the TREASURY 31 CFR Part 103 Amendment to the Bank Secrecy Act Regulations Relating to Recordkeeping for Funds Transfers and Transmittals of Funds by Financial Institutions.” 1995. GovInfo. Federal Register. https://www.govinfo.gov/content/pkg/FR-1995-01-03/pdf/94-31977.pdf. See Amendment to the Bank Secrecy Act Regulations Relating to Recordkeeping for Funds Transfers and Transmittals of Funds by Financial Institutions, 60 FR 220, Jan. 3, 1995. (Referring to 31 CFR 103.33(f) & (g), which cross references to 31 CFR 1010.410(e)).
4 “§ 1010.410 Records to be made and retained by financial institutions.” 2010. National Archives Code of Federal Regulations. Federal Register. October 26, 2010. https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1010/subpart-D/section-1010.410. Pursuant to 31 CFR 1010.410 (e), each agent, agency, branch, or office located within the United States of a financial institution other than a bank is subject to the requirements of this paragraph (e) with respect to a transmittal of funds in the amount of $3,000 or more for originators other than established customers…If the transmittal order accepted by the transmitter's financial institution is not made in person, the transmitter's financial institution shall obtain and retain a record of the name and address of the person placing the transmittal order, as well as the person's taxpayer identification number (e.g., Social Security or employer identification number) or, if none, alien identification number or passport number and country of issuance, or a notation in the record of the lack thereof, and a copy or record of the method of payment (e.g., check or credit card transaction) for the transmittal of funds. Under the final rule, if the payment order is not made in person, the originator’s bank is not required to verify the identity of the person or to retain information pertaining to an identification document used for verification but is required to retain a copy or record of the method of payment (e.g., check or credit card transaction) for the funds transfer.
5 “§ 1022.210 Anti-Money Laundering Programs for Money Services Businesses.” 2010. National Archives Code of Federal Regulations. Federal Register. October 26, 2010. https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1022/subpart-B/section-1022.210.
6 Review of the Department of the Treasury’s De-Risking Strategy. 2023. U.S. Department of the Treasury. https://home.treasury.gov/system/files/136/Treasury_AMLA_23_508.pdf, at pg. 46. Money Transmitters are currently not subject to the CIP rule, but as previously mentioned, are required to collect information at $3,000. If the transaction is in person, that information must be verified.
7 “§ 1020.100 Definitions.” 2010. National Archives Code of Federal Regulations. Federal Register. October 26, 2010. https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1020/subpart-A/section-1020.100.
8 Per 31 CFR 1020.100 (a), “Account” means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account, or other extension of credit.
9 “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies | FinCEN.gov.” n.d. www.fincen.gov. https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models.
10 “Part 1010—General Provisions.” 2010. National Archives Code of Federal Regulations. Federal Register. October 26, 2010. https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1010. Under 31 CFR 1010.100(p), an established customer is a person with respect to which the money transmitter has obtained and maintains on file the person's name and address, as well as taxpayer identification number (e.g., Social Security or employer identification number) and to which the financial institution provides financial services relying on that information.
11 “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies | FinCEN.gov.” n.d. www.fincen.gov. https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models at fn. 20.
12 Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services.” n.d. www.fatf-Gafi.org. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Rba-npps-2013.html at page 33.
13 See footnote 5.
Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.