Anti Money Laundering (AML) in Remittances, Dataflows and Privacy
What is AML?
Anti Money Laundering, or AML, are a set of processes and controls that financial institutions undertake to detect, prevent and or report money laundering: that is, transactions which hide the source of money: from the global finance system. AML is an important aspect of electronic money transactions and digital payments, and is essential to stop the funding of terrorism.
Kanchan Kumar is Co-founder & CEO of Remitr, which aims to bring simplicity, convenience and predictability to international banking and payments for small businesses
Excerpts of transcript (Edited for readability)
The most weird part about this, me presenting and talking about KYC AML, CTF (Counter-Terrorism Financing), privacy all of that is that it was just a few years back that I was a customer standing on the other side of the table… I’m not here as an expert. I’m here purely as someone who has learned from first principles and tried to implement doing things ground up.
I will give you a quick introduction of Remitr — a B2B payments platform. We are an alternative to wire transfers, cheques, bank wizards, we see us as catalysts to global commerce. We are focused on small businesses, because we believe that small businesses need a lot more support in digital payments and making money move faster. We typically service customers in Canada and US to send payments any day in the world and to receive payments from customers in the US, UK and Europe.
The part which is very important we want to talk about today is how we went about building our KYC AML, CTF fraud and currency control compliance practice. So what really is compliance compliance in very simple words is firstly down saying what would you do? And how do you do it? That’s the most important part because that drives into the kind of documentation that you prepare. . So compliance does not start till the time we actually lay out the entire documentation, then you will train your team to follow whatever is mentioned as policies and procedures because it’s not about one person. It’s about the entire process being sensitized to the concept of compliance and everyone taking compliances just as seriously as your compliance department will take it, which basically means it starts with every customer facing function, including the person who sells the service must understand compliances the third part comes in is doing what you said you would do, which basically means that if you said this is how you do customer KYC or this how to follow the through the process of customer onboarding or transaction monitoring, you are doing exactly what you wrote.
Regulators do not come and see on a real time basis most of the places on what you are doing, which basically means that they will come and see what you did when they do an audit. So, as a precursor to that you must keep a record of everything that you did.
Get audited by a reputed external auditor for your regulatory compliance practices, which is not just when it is mandated by the regulator because it is our obligation to maintain or to comply with the policies and procedures that we are laid out. And then periodically review your policies, periodically review your implementation, take the audit report seriously, go ahead and revise your policies and procedures. But the most important part is that there are so many terminologies that we’re going to talk about here today, and I’m sure many of you will already know about this. The KYC is the most important part of the entire piece. Better, you know your customer, lowered anti money laundering or countering terrorist financing risks is there because you have possibly established the credentials of the customer. So you can Trust the customer a bit more. It’s called a risk based approach.
But that’s what really helps in keeping most of the companies being efficient about compliance. Otherwise, if you do not know your customer then you have to look at every transaction with the same degree of detail. And you would ask for a lot more data which is neither efficient for the customer nor for yourself as a business.
Before we even start processing the first transaction, privacy itself has got two components. In usual course privacy is about personally identifiable data PII. However, when you talk about a payments business privacy has another dimension which is a financial data we capture and keep good details of bank account of the senders and recipients, their financial transaction sometimes their documents which the travel which is possibly the underlying documents such as invoice or purchase order, which has to be taught sometimes even agreements. Now, these are data which is sensitive so you cannot really have any way in which this data is made available to anyone even within your organization forget about outside other than the person who needs to know this data.
So it’s simply important to lay down the policies around privacy, which basically talks about full disclosure on what data you’re going to be capturing. How are you going to prove this data who would have access to this data and in what circumstances, you could, you could ask us to forget yourself, or the customer could come and say, forget me, like the GDPR says, and in what cases you can and how you can go and reach out to the customers.
The other aspect which is extremely important for privacy is data localization. worldwide. The data localization movement is going on where every country wants to ensure that their data remains within the geographical boundaries. So for example, a country in the EU would want data to remain in the EU because they know that if they need something they could actually get their hands on that data. But when you talk about data localization and marry it with cross border payment, then you’re dealing with the data localization requirements of two different countries. So, how do you really deal with the conflict of your customer being in one country and you have one data localization to follow, but the recipient of the money is in another country and you also have data localization to follow for that country. So how do you deal with that?
Wherever the data is stored for the customer, has to be where the customer is. So if your customer is in Europe, customer data must be stored in Europe, but the transaction cannot flow without the data along with tech, because it is not physical cash which is flowing. It’s a digital transaction which flows which must have the sender and the recipient details. So the transaction data has to flow always across the country. And data localization does not apply to that. But what really applies is how that is stored. So when it reaches a particular country, and you are regulated in that country, then that part of the data has to stay in that country, you cannot take the data and say, data moved from, let’s say, India to Europe, and now I’m going to store that in US.
The other part of data localisation, the other part of privacy really is the right of the customer to be forgotten. Now imagine a customer comes to your platform, does a transaction. And three months down the line, the customer comes back and says, “Hey, please forget me. I don’t want to deal anything with you.” On the other hand, your regulator says that all transaction data with complete details have to be stored for seven years or different countries have different rules along with that. What are you going to do? Are you going to delete the customer data from the details of the transaction? No, you cannot because then you’re not complying with your regulator. It’s a pretty straightforward rule again here: The customer says you forget me you, you remove all customer data, the transaction data stays. What it basically does is that you cannot ever contact the customer again, you cannot look up the customer again. But we A regulator comes back and ask you for the detail of a transaction, you should be able to furnish all the details, who sent the money to whom At what point in time
The policies or procedures of KYC AML and CTF is something which is best kept as detailed as possible. Detail is not only just what you capture, but also how you capture because the procedures are as important as much as policy is.
It’s very common for early stage Fintechs, to really come and say, Hey, I have a consultant who’s gonna write the policies and procedures for me. It’s great. All of us don’t know this. So we must get experts to help us draft this. But as someone who owns that policy document, as well as the implementation of that in the system, we must know clearly every line which is written there, and how that translates into our operations.
When the audit happens when you regulator comes, the first thing they would start by reading your policies and procedures and say, Okay, show me this is how you did this. And if you read anything different, you are non compliant to your own policies and procedures.
It is extremely important here to talk about risk assessment: it really sets the framework for how you are going to risk rate your customers, how are you risk rating your own operations or a transaction, how you define it. If a particular transaction is high risk or low risk, what industries would you deal with? How do you mitigate the risks which are associated with your employees, your physical location? If you have physical locations? How do you mitigate the risks which are around your, your software providers, you’re using certain data sources? And how do you validate and ensure that your data sources are right? Just to give you an example, when we talk about AML, one of the things that you need to do is to do watchlist checks. There are watch databases which are available, you must test against that. Now, you’re using one particular provider which gives you a feed for the data for every person that you onboard or you send money to, you run against that. And you’re assuming that the data is complete and always updated. But what if it is not? whose responsibility is it? It’s not your data provider’s responsibility, it is your responsibility. Which means that you want to ensure that you test that as well periodically to ensure that the data that you get is actually correct data. And it is complete data, it is updated data.
Business KYC is very different from individual KYC. What you do in individual KYC is a subset of what you do in business KYC. Because when you deal with businesses, you are also dealing with individuals who own or run those businesses. Many a times, we confuse ID verification with KYC. ID verification is one small part of KYC. It’s an important part, but it’s not everything. So what all goes into our elements of KYC starts with company constitution, whether it’s a corporate entity or a partnership? Different countries have different kinds of constitutions: in the US you would have a C Corp and an escort, some countries you would have an LLC, one person company, you would have proprietary structure, you would have sole proprietors, some countries have registered sole proprietor. So, dealing with sole proprietors is another challenge because you must understand and ensure that you understand and you have taken enough documentary proof, to say that this person you are dealing with is using your service to process business payments and not individual payment, because if you’re a business payment company and your policy says you will process it with only four businesses, then you cannot take individual transactions.
Decision of incorporation is extremely important to capture, what you need to do is that you need to ID the authorized person who’s going to be using the system, which may or may not the director or the owner of the company, you must get authorization from the director and the person who was giving that authorization, which is typically a director on the board. And again, different jurisdictions have different regulations around it. What is the nature of business, does that fit into your risk profile or not? What are the kind of transactions which they would use your system for?
Many times watchlists checks are actually gibberish data. There’s hardly any detailed actionable information in that. But what really comes out much more than that is web searches and adverse media reports. So you must subscribe to adverse media reports databases, which basically captures data about financial crime reported anywhere in the world. And you have to build your own algorithms to figure it out. How do you really get that? Because one of the biggest challenges AML is false positive.
Let us say, if you were to search for Kanchan Kumar. In the adverse media report, you would find some bootlegger somewhere in the world whose name is Kanchan Kumar who was arrested, or some guy who cheated someone offloaded a company whose name was Kanchan Kumar. How do you know it’s not the same person, right? You cannot go with that assumption. No, they are not the same, which basically means you have to build a profile of your customer and then match and see whether this person is similar to that person or not, do I even have a reason to suspect. So, not working on false positives right from the beginning could actually create a lot of compliance, increase a lot of compliance costs and create a delay in the entire process.
It comes back to knowing your customer. If you knew your customer very well: say your customer is a pizza chain and the beneficiary happens to be a steel manufacturer then you must know what is happening and why are you settling payment? Was the manufacturer in some other part of the world? Because once you dig into that, it gets into what is called enhanced due diligence for the transaction. So you ask the customer, why do you have to send payment to this company then you realize that okay, they were getting the kitchen equipment from there. So you say, Okay, this is fine. You could go ahead with that.
The most important part is transaction monitoring. Transaction monitoring comes out in multiple ways. You have to understand what is the value and purpose, why the same payment is being sent. The biggest challenge in AML really is placement and layering. Not getting the details of that; but just sufficient to know that placement is a way for ill gotten money to be placed into an account, which seems legit. And layering is to hide.
To avoid being directly correlated with where the money comes from, they have to layer that transaction routed through multiple accounts before the transaction initiates at your place. So you would think the money is coming from the sender A, but possibly, the trail of that money started much earlier.
That’s the biggest challenge in AML. I don’t think there’s a straightforward answer to that except that know your customer extremely, very well. And their business. You know them, what is the volume of transactions? What is the revenue typically like, what kind of payments they make, and hence that will let your system decide whether this looks like a legit transaction or does not look legit. Again, enhanced due diligence comes into that.
Reporting your transaction is something which is extremely critical because it’s not only your responsibility to do what you did, but if you ever had a cause of suspicion, you must note what is the cause of suspicion and then report it to your regulator.
What was the cause of suspicion? When did that happen? How did you detect it, and then the transaction detail, each regulator would have different ways to get the transaction. There are two kinds of reporting: accounts based suspicion and transaction based suspicion.
Accounts based suspicion means when you’re trying to open an account or someone trying to open an account, you’re suspicious of that account itself, or the account itself has started behaving suspiciously. Or when the account was opened, everything was fine, but a particular transaction looks suspicious, you must report that.
Typically reporting means providing the details of who the sender is, what was declared purpose, what was amount, what was the method of payment, and when, where was money headed to.
Global nuances for this are really fascinating. Because while every country, every regulator has the same goal of stopping or preventing money laundering and preventing financing of terror. But the way they go about is extremely different. That starts with a licensing mechanism.
So licensing, for example, in the US is every state you have to be licensed if you are going to take customers from that state. Canada there is a federal license and there’s a Quebec province which requires you to be licensed separately. UK you could get an FCA license: very progressive regulator. Until Brexit happened, you could just use that license across Europe. In Europe you get one license that works across the entire Europe, UAE your central bank gives you a license but you also have three other freezone regulators which will give you a license, but there are nuances of what you can do and what you cannot do within that. Singapore, over a period of time has become very progressive with the license, particularly when it comes to being FinTech friendly, the concept of sandboxes has come in.
But what is most important to really note is that each one of them have their own nuances. Just because you’re licensed in one geography it does not mean you know everything about regulations there. No, you still don’t know a lot about that particular country, because the nuances of that country and the business environment is very different. And the regulators have kind of tweaked the global standards to suit their environment and their risk appetite.
How do you go about picking what tools to use? Believe me, if you do one Google search of KYC AML, you will have at least six pages of response, of different companies which will show up on Google search. It’s not the same product, you cannot blindly go and pick the most popular product. You have to figure out what exactly you need, what are your key challenges of your business and pick products accordingly. If you’re a large corporate, you could go ahead and pick the most mature bloated product. The reason I’m saying bloated is not from a negative sense, but they have everything in it, because they give you out of the box solution, including case management, workflow management, everything built into it. If you’re a FinTech: bad idea. Pick what is the best that you can’t solve yourself, or what you think is not core to you, and go and find which particular provider gives you that particular functionality and integrate with that.
We picked up all the data sources, but we never let any of those providers tell us as to what is a score. We did, and we do our own scoring depending upon the rules and criteria that we can define and we can tweak over a period of time. So it is extremely important to pick the tools and the products that will fit into your platform.
Ultimately, remember, it’s you who is responsible to the regulator, not the tools.
Further questions and comments here: https://hasgeek.com/cashlessconsumer/aml-remittances/