A regular source of frustration for startups who move money for customers is trying to understand the rules that banks impose on those clients they deem to be third party senders (TPS), or as banks call them, third party payment providers (TP3’s). A third party sender is a company that uses its own bank account to make or receive payments on behalf of its customers or users.
An example of a third party sender could be a bill payment company that helps you pay suppliers. The bill pay service, let’s call them Billy.com, debits your bank account, your funds settle into their account and then Billy.com remits to the supplier on your behalf. Another example is an eCommerce marketplace that allows people to sell used goods and be paid through the platform rather than directly from the buyer.
In both examples the third party sender sits in the middle and facilitates payment from one user to another.
Why is This a Challenge for Banks?
Banks are required by law to meet stringent standards commonly referred to as KYC (Know Your Customer) and AML (Anti-Money Laundering), ensuring their accounts are not used to facilitate illegal activities.
To comply with KYC regulations, banks need to understand who their customers are, what type of businesses they run, who are the beneficial owners of the business, and whether the payment activity is consistent with the type of business.
In simple terms, money laundering is the act of making money obtained from illegal activities appear to have come from legitimate sources. Banks face significant fines, sanctions, and even potential loss of license for not sufficiently mitigating the risk that its accounts are used for illegal purposes. Compliance with these rules becomes more challenging when a customer is using their account to make payments for third parties. The bank has limited or no visibility to who the third party is, making it difficult to meet its obligations to regulators and law enforcement.
The goal for founders and payment teams is to give your bank confidence that your company fully understands the risks that it (and the bank) is exposed to and that you have an effective program to mitigate those risks.
The bank is at least partially relying on your processes to mitigate the risks for both you and them.
What Do Banks Require of Their TPS Customers?
Specific requirements will always vary from bank to bank, but broadly all banks will expect that TPS customers have their own program to address three main concerns:
Do You Know Who Your Customers Are?
The bank wants to see that you have your own KYC program to identify and diligence your customers. You will likely need to collect (and carefully protect) personal information, identification or addresses that allow you to scan and cross check with common, government sanction lists. Thankfully, there are many API based services that can help you comply with the most common lists.
If your customers are businesses, you may need to collect additional information to understand who the actual owners of the business are.
The challenge for small companies is to collect the appropriate information, keeping banking partners satisfied, while maintaining a pleasant customer experience.
Transaction Monitoring: Can You Recognize Suspicious Activity?
Banks understand that you didn't go into business with the intention to facilitate illegal activity, but that doesn't mean that bad actors can’t, or won’t, manipulate your platform to move money for illicit purposes.
Your bank wants to be sure that you understand what suspicious activity looks like and that you have a reliable way to detect it. An example might be a customer repeatedly sending transactions just below the threshold that requires a bank to report to authorities. This could be monitored with a filter that alerts for repeated transactions within a short time period. Setting transaction monitoring parameters goes back to your KYC efforts. Do you understand what is normal activity for your customers and your business?
Keep in mind that criminal minds are constantly evolving and so should your program.
Oversight, Review, and Audit
This is an often neglected part of the effort to build a compliance program, but is one that is critically important to your bank partners. Creating a well written policy and plan is great, but the most important part is to execute the plan and regularly review it to test its effectiveness.
Some important considerations once suspicious activity is flagged;
- Who investigates suspicious transactions and approves, rejects or escalates for review?
- Who are the appropriate escalation points for additional review?
- How are reviewed transactions logged and tracked throughout the process?
- Is there an independent audit (internal or external) of the process on at least an annual basis?
Creating an effective compliance program does require an investment of time and company resources but is a critical component to launching a business that relies on moving money. The good news is that there are a number of SaaS providers that allow you to build quickly and minimize the inconvenience to your customers.
Finally, lean on your partners at Modern Treasury and your bank team. We’re all here to help and share our experiences.