8 Things to Know When Building a Compliance Program

You don’t need to be a compliance expert to build a great business. In fact, it’s probably fair to suppose that most of the people creating today’s most innovative digital products don’t have a background in financial compliance or fraud prevention. This doesn’t mean, however, that robust compliance can be an afterthought. Building a compliance program is an essential part of building products to move money.

Since compliance can be complex, let’s explore the issue at a high-level. This journal will address eight key questions for companies seeking to establish and manage compliance, identify and prevent fraud, and protect their business for the long term.

1. What Is a Compliance Program?

A compliance program is a set of rules, protocols, and procedures an organization puts in place to adhere to government regulations on money movement—namely BSA/AML regulations designed to prevent money laundering and terrorism financing. Compliance programs help ensure that customers have the appropriate people, processes, and tools in place to do this.

A compliance program should be designed to:

• Guarantee adherence to legal requirements and regulations governing financial transactions (see BSA/AML compliance below)
• Protect businesses from becoming victims of money laundering, fraud, terrorism, and other illegal or malicious behavior
• Empower and prepare business teams to deter, detect, and report bad actors to law enforcement, if necessary
• Enable organizations to test, document, report, and analyze their compliance in an ongoing manner
• Evolve as requirements and regulations change

2. Which Laws Govern Compliance in the US?

There are three major pieces of legislation governing finance in the US: The Bank Secrecy Act (BSA), the USA PATRIOT Act, and the Anti-Money Laundering Act of 2020. To learn more about changes to these laws across the years, here’s a helpful breakdown from FinCen.

The Bank Secrecy Act (BSA)

Passed in 1970, The Bank Secrecy Act (BSA)—also called the Currency and Foreign Transactions Reporting Act—was the first significant piece of US legislation designed to mitigate fraud carried out via financial institutions (or FIs). While its original intent was to track money moving in and out of the US, or deposited in financial institutions, the BSA has been updated and amended several times since signed into law by President Richard Nixon.

As it evolved, the BSA came to focus on deterring criminal activity including money laundering, terrorism financing, and tax evasion that leverages the banking system.

Per the BSA, banks and other FIs must identify and document suspicious cash transactions, and help determine the source, volume, and movement of currency that enters or leaves the US.

Today, FIs are required to complete a Currency Transaction Report (CTR) for cash transactions that exceed $10,000 in a single day. For all suspicious transactions, FIs must file a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN).

The USA PATRIOT Act

Directly motivated by the 9/11 attacks, the USA PATRIOT Act was implemented in October of 2001. This legislation’s name is an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.” One key goal for the Patriot Act was the detection and determent of money laundering and the financing of terrorism.

The Act expanded on BSA regulations to strengthen customer identification procedures. FIs are thus required to follow KYC (or Know Your Customer) protocol before opening a new account or issuing a loan. This includes verification of identity and cross-checks against lists of dangerous or suspicious persons—FIs may also collect employment information or perform additional due diligence after an account or loan is initiated without notifying the account owner.

Anti-Money Laundering Act of 2020

The Anti-Money Laundering Act (AMLA) of 2020 is the first large-scale update to anti-money laundering (or AML) regulations since the Patriot Act. This legislation aimed to improve the US’s fight against financial crime in several ways. Broadly, the AMLA of 2020 seeks to improve communication, reporting, and responsibility-sharing among stakeholders (and across international borders) where AML and BSA compliance—often called BSA/AML compliance—is concerned.

As an example, previously under the BSA, FIs were responsible for verifying the identity of beneficial owners to avoid serving shell companies (inactive businesses that can be used to facilitate crime). Under the AMLA of 2020, as part of the included Corporate Transparency Act, new businesses are required to register with the Financial Crimes Enforcement Network, saving FIs from more exhaustive customer due diligence (or CDD).

3. How Are Compliance Regulations Enforced?

The Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury, enforces BSA/AML legislation. FinCEN’s mission is to “safeguard the financial system from illicit use, combat money laundering and its related crimes including terrorism, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”

FinCEN is a network (connecting law enforcement, financial, and regulatory communities) and works to fulfill its mission in two ways:

1. FinCEN upholds AML and BSA reporting and record-keeping by FIs.
2. FinCEN supplies law enforcement with financial intelligence and analytics support.

In its duty as a foreign financial intelligence unit (FIU) for the US, FinCEN participates in information exchange with other FIU entities worldwide, including over 100 FIU members of the Egmont Group.

Other significant parties in compliance governance include:

• The US Treasury, authorized by the BSA to require that FIs establish AML programs, as well as comply with reporting and record-keeping requirements.
• Federal Banking Agencies that oversee banking entities operating in the US, as well as foreign branch offices of US banks.
• The Office of Foreign Assets Control (OFAC), with jurisdiction distinct from the BSA that allows OFAC to examine bank procedures and assess risk management. Specifically, in partnership with allied governments, OFAC “administers and enforces economic and trade sanctions based on US foreign policy and national security goals,” including those related to targeted foreign countries, terrorism, narcotics, and weapons of mass destruction.

4. What Are the Dangers of Compliance Failure?

Perhaps the most significant downside of compliance failure is the potential cost.  Businesses can be subject to heavy fines and sanctions or even lose a license for faulty compliance—FIs can lose a charter. In 2021, for example, FinCEN issued $1.6B in fines to 55 companies and banks for money laundering.

A few examples of potential fines and penalties for compliance failure:

• For individuals convicted of money laundering, the fines can reach up to $500,000—not to mention 20 years in prison and potential forfeiture (18 USC 1956)
• Individuals (including bank employees) that willfully violate BSA or BSA regulations can be hit with a fine of up to $250,000, or five years prison time, or both (31 USC 5322)
• In a recent case, BitMex agreed to a settlement of $100 million in fines—BitMex was charged by FinCEN and the Commodity Futures Trading Commission (CFTC) for BSA violations made by its three founders and first employee

In addition to fines, compliance failure can cost businesses brand reputation and trust.

And while newer FinTechs may occupy a challenging position—between breaking new molds and adhering to established rules—they’re not the only ones that struggle with compliance.

Traditional FIs still miss the mark: Money-laundering cases at Danske Bank and Deutsche Bank shine a light on the need for ongoing vigilance for all parties involved in finance.

Data also shows that FinTechs are building greater brand trust than traditional FIs—a foothold organizations wouldn’t want to lose on account of inadequate compliance.

5. Does My Business Need to Build a Compliance Program?

Simply put, compliance requirements apply to all businesses, either directly or indirectly.

Compliance regulations apply directly to businesses considered FIs, including banks, security brokers, money service businesses, futures commission merchants, commodities brokers, and mutual funds.

Indirect requirements apply to all businesses that work with banks. In order to establish and maintain a relationship with a bank, businesses are necessarily subject to underwriting. Because FIs must strictly comply with BSA/AML regulations, including KYC and KYB (Know Your Business), every business is subject to scrutiny regarding risk and compliance for transaction banking. Simply put, without a compliance program, you’ll have trouble getting onboarded by a bank.

Since Modern Treasury helps facilitate money movement for organizations of all kinds, we’ve learned firsthand about the risks, costs, and challenges of building and running compliance and fraud programs at scale. In response to the needs of customers across industries—from FIs and marketplaces to healthcare and real estate—Modern Treasury released our Compliance product in 2022, a full-scale, out-of-the-box payments compliance solution.

6. What Are the Primary Challenges of Building a Compliance Program?

Compliance can be difficult for businesses to establish and uphold for a number of reasons:

• Compliance is complex, with different regulations at the state, federal, and international level that regularly change
• Compliance is not the core competency for most companies
• Companies need to purchase, integrate, and operate a suite of different tools, each of which requires people and attention
• People and attention are rare at fast-growing companies; compliance projects get de-prioritized because they are not as core to the business
• Compliance systems built by stitching things together are brittle

While building a compliance program requires an upfront investment, the outcome can be well worth the effort. Not to mention that new technology featuring automations and integrated tools makes the process much easier. Plus, you get direct control over your program—and thus, your risk.

7. What Are the Essential Elements of a Compliance Program?

Per the BSA, a successful compliance program includes the following five “pillars":

1. A designated compliance officer
2. Internal policies to ensure ongoing compliance
3. Employee training for appropriate personnel
4. Independent testing and auditing
5. In-depth risk assessment

In order to build a compliance program that adheres to legal requirements, companies that build products to move money need to consider user onboarding, transaction monitoring, and case management. For compliance solutions, key features should include:

• KYC identity verification with sanctions and adverse media checks. Proper KYC can also help identify fraud with phone and email verification, bank risk scoring, and device and behavior intelligence.
• Continuous transaction monitoring (ideally with a single line of code) to guarantee that all transactions are tracked for fraud and money laundering risks
• Case management tools to streamline the manual review process and provide an audit trail for oversight

Other important features generally include an embeddable onboarding flow that doesn’t store personally identifiable information (PII)‍, risk assessment with consortium machine learning models and a rules engine, and role-based access control (RBAC) for administrators.

8. How Can I Get Started?

Until now, there has not been a single solution with integrated compliance technology and payment operations capabilities.

Compliance from Modern Treasury was designed to address the complexities of BSA/AML compliance and fraud prevention—it’s quick to integrate, easy to use, and protects businesses from costly compliance violations and fraud so they can get to market faster. Compliance is now available to customers via early access release—get in touch to learn more.