Fintechs and Regulatory Compliance — A Happily Ever After?

Owen Strijland, Director Risk and Compliance

Ask typical fintech employees what they find energizing in their field of work, and don’t be surprised by the answers: developing cool stuff, working on the go-live, or growing the business by identifying the ideal partners in the market. Ask the same fintech employee whether their heart beats faster when working on regulatory compliance-related projects, and you can expect a less enthusiastic reaction.

Recent regulatory initiatives around open banking (such as PSD2) have opened up countless possibilities for innovation around payments, such as direct payments processing from platforms or applications, split payment technology, data analytics on aggregated bank accounts, and enhanced credit risk modelling. These have helped bring fintechs into the financial mainstream, but they do come with compliance strings attached. As promising as the opportunities may sound, fintechs should not assume there are easy shortcuts to open-banking heaven.

Although PSD2 allows fintechs to participate in the money flow as traditional banks do, it also presents them with an array of regulatory requirements related to anti-money laundering (AML) and countering the financing of terrorism (CFT) – obligations that include developing and implementing effective policies and procedures and require considerable resources to address. In this blog post, we share our insights on how fintechs can overcome the AML challenges related to becoming PSD2-compliant without becoming disheartened in the process.

Can Fintechs Meet PSD2 Requirements and Stay Solvent?

Many fintechs are underestimating the actual cost of being PSD2-compliant. Especially with high-volume, low-margin business models, the cost of compliance can easily eat into profitability. Moreover, many of the technology and data companies providing solutions in this space are used to dealing with larger financial institutions with deeper pockets. A fintech startup may be shocked to learn that the standard list prices for transaction monitoring or customer due diligence solutions equal its first funding round – a discovery that can quickly put the viability of the fintech into question.

Typically, fintech companies start exploring possible solutions for customer due diligence or transaction monitoring during or after they’ve completed the PSD2 regulatory application process. It’s much more prudent to start exploring possible solutions in this space as early as the business inception phase to ensure the validity of the fintech’s business case. This exploration process, often accomplished with the help of an expert in this space, helps do two things:

  • Identify and select relevant and cost-efficient AML/CFT solutions and technology, and
  • Validate the assumptions in the fintech’s business case.

Many fintech companies, startled by the cost of third-party products, decide to develop their customer due diligence or transaction monitoring solutions in-house. On the surface, this may make sense: Many fintechs have highly skilled developers working for them, and with a little bit of regulatory guidance, this may look like an achievable goal.

In practice, however, we see that the in-house development of regulatory compliance solutions doesn’t always work out for the best. Fintech companies are quite dynamic, especially in the early stages, and their goals and even entire business models can change overnight. Combined with the ever-present work pressure, this fluidity often results in delaying or postponing regulatory compliance projects. Further, fintech employees tend to prioritize exciting development work that is considered an energy gain over compliance work, which is considered an energy drain.

Given these challenges, regulatory compliance projects may be best addressed with the help of a third party. Such collaboration will give fintechs access to a range of solution options, help them identify the best system – one that can adapt to changes and scale with the business – and may end up less costly than going it alone. It will also free up internal resources to focus on the innovative work that is their core competency and ensure that the full breadth of knowledge compliance experts bring is applied to meeting the startup’s regulatory obligations. The biggest benefit, however, may be that such a relationship will break up the bubble many fintech startups operate in and introduce them to best practices and even new partnerships in the market.

Avoiding the Creation of a Paper Tiger

Most fintechs know that having the right documentation in place is critical to obtaining the PSD2 license. But it is even more important to operationalize the policies and procedures if the organization wants to keep its license in good standing.

This is an area where many fintechs struggle. Often, policies and procedures are developed at a high level, which makes it hard to understand what specific process changes need to be implemented, or how. In other cases, fintechs may adopt standard configuration templates designed by technology companies, resulting in a mismatch between the adopted policy and daily operation. In the worst-case scenario, policies are written and approved, but in practice, nothing is implemented at all.

To avoid creating a paper tiger – risk mitigation policies in name only, which can jeopardize a PSD2 license – the following must be considered:

  • Align policy to goals. Understand the level of rigor required to address financial crime and align policies to that goal.
  • Write policies from a practical standpoint. This may include adding to the high-level policy practical guidance on the types of screenings, customer risk assessment methodology, relevant data points and types of monitoring scenarios.
  • Tap a policy expert. Ensure that the policies are written by someone who understands not only the regulatory and business context the policies are intended to address but also the intricacies of their technical implementation.

To successfully embed policies and procedures and related controls into daily operations, companies may consider automating as many of them as possible. It is best to do so early in the implementation stage, rather than as an afterthought. Finally, companies should facilitate understanding and adoption of the policies among staff by conducting training and making up-to-date documentation available.

AML/CFT compliance may not be the most exciting issue on the minds of fintech CEOs, but it’s one they should not cut corners on if they want to establish themselves as serious players in the financial market. And AML isn’t the only aspect of PSD2 that companies need to address – there are also stringent security requirements, mainly around strong customer authentication and end-to-end session security, that may require independent assurance over security controls or over any exemptions claimed. Luckily, the solutions and expertise to address PSD2 requirements are available, and early and thoughtful preparation will position fintech companies as smart and formidable competitors in the market.

Perry Huijgen, Senior Consultant with Protiviti’s Risk and Compliance practice in the Netherlands, contributed to this content.