BNPL companies: Tips for buy-now-pay-later AML compliance

The buy-now-pay-later (BNPL) credit market is growing rapidly. Research suggests that up to 42% of global credit customers are interested in BNPL products while in the US alone, customers are expected to make almost $100 billion in retail purchases in 2021 – up from $24 billion in 2020 and $20 billion in 2019. That dramatic growth, and widening access to BNPL products, has prompted financial regulators to scrutinize the BNPL short-term credit sector more closely, reflecting concerns that criminals may be able to use BNPL companies to launder illegal funds quickly, and in large amounts. 

With customers more likely to make one-off purchases using BNPL credit services, it is important that firms are able to address risks they face at the point of sale – and in particular the potential for international customers to use their services to avoid sanctions. This means that BNPL companies should focus on their sanctions compliance risk, enhancing their search algorithms and name matching capabilities, and the speed at which they update their solutions with the latest sanctions data. 

US state regulators are now litigating BNPL cases, and BNPL regulations are being introduced in jurisdictions around the world. With that in mind, it is crucial that service providers understand the challenges of their BNPL compliance environment, and how to prevent money launderers from misusing their products.

Sanctions risks for BNPL companies

Under Financial Action Task Force (FATF) recommendations, banks and financial institutions should implement a risk-based approach to anti-money laundering compliance. A risk-based approach requires firms to assess their customers at onboarding and throughout the business relationship, and then deploy a compliance response commensurate with the risk that those customers present. Higher risk customers should be subject to more intense AML compliance measures, while lower risk customers may be subject to simpler measures. 

In the context of sanctions compliance for BNPL companies, risks may be represented by customers in high-risk jurisdictions or customers that present with naming ambiguities such as nicknames or unusual spelling conventions. The availability of data should also be a risk concern: customers with low-quality identifying information, or that are difficult to search for because of incomplete data should be characterized as high risk.  

With those factors in mind, firms should monitor high risk customers’ transactions closely to ensure they are not doing business with sanctions targets. Ideally, firms should seek to perform these searches with the benefit of smart sanctions screening technology, adding automated speed and accuracy to their compliance obligations and reducing the potential for human error.

Real-time updates

The sanctions landscape changes constantly, with new designations added and withdrawn from lists regularly. Over the course of the Trump administration (2017 to 2021), for example, 3,900 sanctions designations were made. This is unlikely to change substantially under President Biden. In order to prevent criminals from taking advantage of administrative blindspots, BNPL firms must be able to keep up with the pace of sanctions change.. 

In practice, this means that BNPL firms must implement a technology solution that delivers real time updates when new sanctions designations are made. Ideally smart financial crime technology solutions not only expand the speed and scope of searches, but use fuzzy logic to make decisions about ambiguous names as they are added, and incorporate peripheral data such as adverse media as it is introduced to the ecosystem.

BNPL companies and name-matching

In a competitive market environment, the onboarding process is crucial: BNPL Companies must be able to match the names of new customers to the relevant sanctions lists quickly, or risk creating negative user experiences and losing those customers to competitors. Conversely, a less intensive name-matching process may result in blindspots, with firms missing potential matches and being exposed to criminal liability.  

Given the compliance risk, BNPL firms should implement a search algorithm that matches customer names to the relevant sanctions lists quickly and efficiently. The algorithm should be able to account for the specific sanctions challenges mentioned above, including regional naming conventions, non-Latinate spellings, nicknames, and aliases.  

• The name matching process can also be enhanced by technology in order to:
• Perform real time sanctions name checks
• Reduce noise to account for duplicate names, regional spellings and naming conventions. 
• Consolidate multiple data points from different sources (eg. different sanctions lists)
• Set up risk categories for individual customers
• Prioritize higher risk customers for enhanced checks

Customer due diligence

BNPL companies must establish and verify their customers’ identities with suitable due diligence measures in order to build accurate risk profiles. Customer due diligence (CDD) should be performed during the onboarding process, and usually requires firms to acquire specific identifying information, including names, addresses, and dates of birth. Following a risk-based approach, after performing risk assessments BNPL firms should subject higher risk customers to enhanced due diligence measures, requiring a broader or more detailed selection of identifying information. 

Since many BNPL firms offer digital services, they must account for the anonymity of their online customers. In practice, this means that BNPL companies should require customers to provide digital identification. This may mean acquiring electronic copies of official documents such as passports or driving licenses, or implementing biometric verification methods, such as face, voice, and fingerprint scans.

Ongoing monitoring for BNPL companies

The BNPL landscape is changing rapidly with new regulations being introduced or considered by numerous financial regulators. With that in mind, BNPL firms must aim to be proactive about the compliance risks they face and should seek to monitor their customers, and their transactions, on an ongoing basis. 

Ongoing monitoring is a way for firms to ensure that they are made aware of changes to their risk exposure as soon as possible. Customer risk profiles, for example, may be affected by numerous variables, including sanctions designations, changes to PEP status, and involvement in adverse media stories.

Understanding buy-now-pay-later regulations 

While the US is yet to introduce BNPL-specific regulation, it is likely that the short-term credit services that BNPL companies offer will be subject to new oversight in the near future. Regardless of new legislation, BNPL firms should also understand how existing AML/CFT regulations affect their compliance obligations. 

The most significant recent piece of AML legislation in the US is the Anti-Money Laundering Act 2020 (AMLA) which came into effect on January 1st 2021. AMLA was implemented to strengthen the US’ AML/CFT infrastructure and includes measures that reflect the risks of the modern fintech landscape (including BNPL services) and emerging criminal methodologies. Key aspects of AMLA that BNPL firms should consider include:

• Increased money laundering penalties for employees of obligated firms that are convicted of AMLA violations. 
• The introduction of an information sharing framework for firms with foreign branches, subsidiaries, and affiliates. 
• Beneficial ownership requirements for firms registered in the US – with increased fines and criminal sentences for noncompliance.

AML Compliance for BNPL Companies

To learn more about how our solutions can help BNPL companies deliver a comprehensive AML program, request a demo today.

Request a Demo