Guide to Compliance Operations Roles & Responsibilities in Bank-FinTech Partnerships

January 2025

Learn about some of the key compliance operations workflows involved in operating a banking and payments product and how banks and their FinTech partners work together to protect against bad actors

Tana Rugel
Chief Risk and Compliance Officer

Tana has over 25 years of risk advisory and banking compliance experience. She leads Synctera's risk and compliance team, ensuring Synctera's product and processes are built with compliance at the forefront.

Forming an effective financial compliance program requires close collaboration between sponsor banks and their FinTech or embedded banking partners. Once a product is up and running, there are a whole host of compliance operations tasks that must be managed as new end-users are onboarded and begin conducting transactions.

Compliance operations personnel and the compliance tools at their disposal work hand-in-hand to protect the system from bad actors.  

Before finalizing a partnership together to launch a new product, it is crucial for all of the parties involved to align on the specific roles and responsibilities for each compliance operations workflow.

In fact, interagency guidance for banks on managing third-party risk highlights that these roles and responsibilities need to be defined in the contract to ensure there is upfront alignment and contractual accountability.

Once it is understood who will be responsible for what tasks, FinTechs and companies building embedded banking products need to designate a compliance operations team who will handle the ongoing responsibilities and interface with the banks’ compliance team. While this compliance operations team can be either in-house or outsourced, they must have the knowledge and expertise to be able to anticipate and understand compliance obligations. 

Even though both FinTechs and banks share day-to-day compliance operations responsibilities, it is the bank that bears the ultimate regulatory responsibility of making sure these workflows are compliant and working as intended. Practically speaking, this means that banks need to have continuous oversight over the entire process, as well as the ability to conduct routine monitoring and assessments. 

A sponsor bank’s oversight starts with gaining alignment with their FinTech partner on the policies and procedures for each compliance operations workflow. Policies and procedures are meant to outline how the workflow functions, who plays what role, and what controls are in place to ensure it functions correctly. During the initial phases of a bank-FinTech relationship these policies and procedures need to be thoroughly reviewed, understood, and approved by the bank.

In this guide we walk through the compliance operations workflows that are commonly performed when operating a FinTech product and provide insights into the roles and responsibilities between banks and their partners. While this guide provides a roadmap for what compliance operations tasks need to be considered, every product will have its own intricacies and will require a tailored set of policies and procedures.

End-User Onboarding

When a new end-user is onboarded, they go through a series of checks to ensure individuals and businesses are legitimate and accurately representing themselves. This process is called “Know Your Customer” (KYC) for consumers and “Know Your Business” (KYB) for business end-users.

A combination of automated technology and manual reviews of flagged applicants is used to stop bad actors from accessing the system.

Bank Responsibilities

Before a product is ever launched, banks are responsible for setting and approving the initial KYC/KYB standards and procedures. The use case, geography of the end-users, bank risk appetite, and many other factors are all considered when approving or denying a new end-user application.

Once the product is live, while banks typically do not execute the day-to-day compliance operations tasks, they do need to maintain constant oversight to ensure the processes are being conducted correctly. This includes performing routine assessments and monitoring of the end-to-end onboarding process.

FinTech Responsibilities

FinTechs are responsible for actioning applications from applicants who are not automatically approved and are instead flagged for further review during the initial onboarding process.

Common reasons why an applicant would be flagged for manual review include mismatched personal details, such as date of birth or address, or discrepancies in business documentation like TIN verification. When one of these cases arises, compliance personnel at the FinTech must conduct an investigation to determine if the applicant should be approved or declined. This often involves requesting and reviewing additional documents from the applicant.

Throughout the investigation, the compliance operations personnel determine whether the applicant’s identity can be verified according to regulatory standards and bank-approved procedures, and whether any red flags indicative of fraudulent onboarding exist. This process is necessary to address false positives and ensure bad actors are unable to access the system.

Fraud Monitoring

Once an end-user is onboarded, all of the transactions and activity they conduct must be continuously monitored to ensure they are not engaging in fraudulent activity. An effective fraud monitoring system helps to protect end-users from being victims of fraud and also protects the FinTech and/or bank from accumulating fraud losses. 

Bank Responsibilities

Similar to a bank’s responsibilities in the end-user onboarding workflow, a bank’s key responsibilities for fraud monitoring are:

  1. Ensuring fraud rules are established with the appropriate coverage based on the program offering and attributes.
  2. Reviewing and approving the thresholds of when a transaction should be flagged for fraud. These thresholds need to be tailored to expected user behavior and the bank’s risk appetite. Fraud monitoring technology is used to automatically monitor all transactional activity and flag any that goes beyond the thresholds or occurs outside of the defined program parameters for location and activity.
  3. Maintaining ongoing oversight with periodic testing of fraud cases to ensure compliance with protocols and, when required, manually approving high-risk transactions.

FinTech Responsibilities

The FinTech’s compliance operations team is responsible for investigating all transactions that get flagged for further review. Common reasons why a transaction would be flagged are:

  • The amount of the transaction exceeds the limit set by the bank and FinTech
  • Suspicious source of funds
  • Rapid money movement into and then out of the platform

Once a transaction is flagged, it is automatically declined. It is then up to the FinTech’s compliance operations team to determine if the transaction is legitimate and therefore should be allowed, or if it was declined on a valid basis. Depending on the reason for the decline, the compliance operations team may take additional actions if there is evidence of account takeover or stolen financials.

In the investigation of the transaction, the compliance operations personnel attempt to make sense of why the transaction occurred. Is there a legitimate rationale for this transaction, or is the only logical answer that it is fraud? This may require asking the end-user additional questions to learn more about the purpose of the transaction.

If the investigation results in the transaction being deemed legitimate, then the compliance operations personnel can allow the transaction to be completed. If the transaction is instead deemed to be indicative of potential fraud, the end-user's account and card may be frozen to prevent further activity. Depending on the volume and dollar amounts associated with potential or confirmed fraud, a referral may be made to the bank, which will then determine if a suspicious activity report (SAR) needs to be filed.

Anti-Money Laundering (AML) Monitoring

All transactions need to be monitored to ensure end-users aren’t using the banking product for money laundering or other financial crimes. Both AML technology and compliance operations personnel work together to monitor transactions that are conducted through the program.

Transactions may be flagged for money laundering for a variety of reasons, such as:

  • Rapid funds movement
  • Rapid pass through of funds
  • Excessive cash deposits 
  • Wires to countries that are high risk

AML responsibilities can vary depending on how the relationship and contract are structured between the FinTech and bank. Both parties will play a role, but who plays what role varies on a case-by-case basis.

In many instances, the bank owns much of the AML transaction monitoring. Below we outline the typical roles and responsibilities in this situation.

Bank Responsibilities

In the product setup phase, banks will need to first set AML transaction monitoring rules and thresholds so they are alerted when suspicious activity occurs. Additionally, these rules and thresholds need to be routinely evaluated as end-user risk profiles, regulatory environments, and financial crime typologies change.

When an AML alert is triggered, the bank must then investigate the transaction to determine whether it was a false positive or is in fact indicative of money laundering activity. 

The bank’s compliance operations team looks at why the transaction was initially flagged and then evaluates the transaction to understand if it is logical for the end-user. The bank will need to understand where the money is coming from, why it is moving in this particular way, and if it is expected activity in order to determine if the account activity is potentially suspicious. Additional information or documentation may be requested from the end-user as a part of the investigation.

Once the alerted activity is thoroughly investigated, a final determination is made. Either the activity is logical and well substantiated, or there are additional concerns that may merit a suspicious activity report (SAR) being filed. Depending on the activity reviewed, and if it is recurring, the bank may make the decision to offboard a user in tandem with a SAR filing.

FinTech Responsibilities

As AML cases are opened by the bank, the FinTech will be responsible for interfacing with the end-user to request additional information or rationale for specific transactions that may be deemed suspicious. 

SLAs in the contract between the bank and FinTech outline how this process works and how quickly the FinTech must reach out to the end-user when an investigation is being conducted.

Managing Disputes

End-users are able to dispute transactions that are made on their card or account for a variety of reasons, such as the transaction containing the incorrect amount, duplicate transactions, or fraud.

When an end-user notifies a FinTech about a dispute, the FinTech must have the ability to manage and resolve these disputes in compliance with regulations, as well as card network rules.

Bank Responsibilities

While banks rely on the FinTech’s compliance operations team to manage the dispute process, banks play the important role of ensuring the dispute process is working correctly and that all regulations are being adhered to. 

This involves reviewing and approving the initial policies and procedures that detail how the FinTech will handle dispute cases. Then, once the product is live, banks must also periodically review and audit the process to ensure those policies and procedures are being followed properly.

FinTech Responsibilities

A FinTech’s compliance operations team typically manages the dispute process end-to-end.

Once an end-user initiates a dispute, the FinTech’s compliance ops team first investigates the dispute to determine if it is eligible for a chargeback. During this investigation the FinTech may request additional documentation from the end-user. 

If it is determined that the dispute is eligible, the compliance operations personnel then initiate a network chargeback by sending a notice to the acquiring bank through the card network. At this time the merchant is notified of the chargeback and is able to accept or dispute it.

If the merchant accepts it, the chargeback is finalized and the transaction is reversed. If the merchant disputes the chargeback, then a series of back-and-forths begins to bring the case to resolution.

Conclusion

Clear, well-defined roles and responsibilities for all of these compliance operations workflows will set banks and their FinTech partners up for success from the get-go. While a strong initial foundation is necessary, it’s important to also recognize that, in banking and compliance, change is inevitable. Products can evolve, end-user behavior can shift, or new regulation can be passed.

These compliance operations workflows, and the policies and procedures behind them, need to be continuously evaluated and, if necessary, modified to make sure they are as up to date as possible. 

When banks and their partners are aligned every step of the way, from launch to scale, they can more effectively mitigate risk, maintain compliance, and most importantly protect the consumers and businesses using the product.
