Fintech Regulations - 2023 Guide

Fintech is a diverse and growing financial sector. As innovations change the fintech money laundering landscape, regulators must adapt to keep pace with fintech regulation, introducing new compliance measures to meet the challenge of emerging technologies and criminal methodologies. 

The elevated criminal risks associated with fintech services mean that firms must think carefully about their regulatory environments. They must ensure that their anti-money laundering (AML) solutions and counter-financing of terrorism (CFT) measures meet their compliance obligations.

Fintechs are expected to implement AML/CFT programs in alignment with the Financial Action Task Force’s (FATF) 40 Recommendations. These set international standards for money laundering (ML) and terrorist financing (TF) countermeasures covering the criminal justice system, law enforcement, fintech regulation, and international cooperation.

The importance of regulation for fintechs

While robust fintech regulation protects users and ensures the safety of their payments, the fundamental importance of fintech regulation lies in its ability to mitigate the risk of money laundering and terrorist financing.

Regulators expect service providers to treat financial compliance as an integral part of risk management. But each firm must implement a unique solution that meets its needs. With this in mind, firms must consider what measures and controls they need to achieve compliance with fintech regulations and how this solution will be refined over time.

In addition to providing protection and meeting compliance obligations, fintech regulations can:

• Help establish trust between fintechs and their customers
• Stimulate market competition by creating a level playing field
• Encourage and facilitate company growth through additional services or international expansion

What risks are fintech companies exposed to?

Fintech products and services typically offer customers faster and more efficient banking experiences. But, at the same time, they often disrupt markets, creating regulatory uncertainty and opportunities for criminals to exploit compliance blind spots.

Among the top risks currently faced by fintechs are:

1. Data privacy breaches – Fintechs can be more susceptible to data breaches due to their digitized operations. Firms must maintain their cyber security protocols to a high standard to mitigate this risk.
2. Money laundering – Money launderers may exploit the cross-border connectivity fintech services offer to transfer illegal funds to higher-risk jurisdictions with fewer or less stringent AML controls than their accounts of origin.
3. Cyber attacks – Fintechs can become prime targets of cyber attacks due to the nature of their operations and the large amounts of data they hold. To protect their business, fintechs should ensure their cybersecurity measures and procedures are effective against phishing attacks, ransomware, malware attacks, and insider threats.
4. False customer identities – Since fintech services are accessed over the internet, criminals can take advantage of the anonymity benefits of online transactions, submitting incomplete, misleading, or false information to conceal their identities and avoid AML controls.

The fintech regulatory process

The FATF requires member states to establish national bodies responsible for domestic financial institutions’ AML/CFT compliance, including fintech service providers. In addition to collecting and analyzing suspicious activity reports and investigating violations of fintech regulation, these bodies are responsible for issuing operating licenses. 

To obtain an operating license, fintech service providers need to demonstrate that they meet a set of AML/CFT criteria, including: 

• Governance arrangements, such as appointing a Money Laundering Reporting Officer (MLRO) and defining the AML/CFT responsibilities of senior management 
• Internal AML/CFT control mechanisms, including written policies and procedures 
• AML/CFT training programs for employees at all levels of authority 
• Business-wide AML/CFT risk assessments procedures 

Core Regulatory Responsibilities

The AML/CFT ecosystem shown above shapes five core fintech regulation responsibilities:

1. Appoint a senior figure responsible in law, known as the Money Laundering Reporting Officer (MLRO).
2. Undertake an appropriate range of Customer Due Diligence (CDD) and Know Your Customer (KYC) measures to ensure the identity and behavior of the clients throughout the client life cycle. 
3. In undertaking CDD, firms sometimes find reasons for concern – possibly a name on a watchlist or unusual or suspicious behavior patterns. If this happens and further checks do not provide comfort, firms must report their concerns to the authorities through authorized channels.
4. To help regulators and law enforcement, fintechs are expected to maintain records on AML/CFT operations for a minimum period.
5. Obligated entities must undergo a registration process with responsible regulatory bodies.

Types of fintech licenses

Depending on the products and services a fintech offers and where in the world they are available, various licenses must be acquired. If a fintech decides not to apply for a license, it can outsource certain activities to a company with a license. Depending on the type of license applied for, fintechs may be subject to additional regulatory requirements such as AML, risk management, staffing, and capital reporting requirements. A list of some common fintech licenses are listed below:

• Extended banking licenses allow fintechs, specifically digital-only banks, to operate under the full banking license of a mainstream traditional bank (also known as a “parent bank”). When operating under an extended banking license, fintechs remain distinct from their parent bank with a unique brand and service offering. 
• Electronic money licenses allow e-money institutions (EMIs) to operate and disburse electronic money by offering digital payment services and products such as debit cards, standing orders, direct debits, and foreign currency exchange. While licensed EMIs cannot use the term “bank” in their name or marketing materials, e-money licenses issued in EU countries have “passporting rights,” meaning they can offer their services throughout the EU and the European Economic Area. In contrast with a full banking license, licensed EMIs cannot offer interest-bearing accounts or standalone lending products like personal loans or mortgages.
• Payment institution licenses allow payment service providers (PSPs) to offer the same digital payment services and products as EMIs but do not permit the issuance of e-money. In the EU and the European economic area, the activities of payment institutions are regulated under the Payment Services Directive 2 (PSD2). 
• Money transmitter licenses are required under regulations pertaining to non-bank businesses that let customers store, transfer, and exchange funds, also known as money service businesses (MSBs). In the US, MSBs are regulated under the Bank Secrecy Act (BSA) and must register for a money transmitter license according to the laws and requirements that vary among each state.

Fintech regulators and regulations across the world 

Countries with diverse legal, administrative, and operational frameworks and different financial systems must take different measures to counter these threats. Fintech firms will find a range of regulatory nuances in other parts of the world.

Fintech regulation in the UK 

The Financial Conduct Authority (FCA) is the UK’s primary financial regulator. The regulator sets out AML/CFT compliance requirements for UK firms under the authority of the Proceeds Of Crime Act 2002, the Money Laundering, Terrorist Financing and Transfer of Funds Act 2017, the Payment Services Directive 2 (PSD2), and the Terrorism Act 2000. 

The FCA is increasing its focus on fintech regulation. In 2022, it warned of financial crime control weaknesses in UK challenger banks, a significant contributor to the UK’s fintech ecosystem. The review noted patterns of inadequate due diligence, enhanced due diligence, and suspicious activity reporting at challenger banks. 

In July 2022, the FCA also announced final rules for the new Consumer Duty (PS22/9), which will be implemented across the open services of FCA-regulated firms by July 2023. These rules aim to introduce a higher standard of conduct and clearer focus on customers’ interests.

It means that all financial services firms, including fintechs, must act in good faith towards customers and help them pursue their financial objectives by providing products and services they fully understand.

UK fintechs providing trust services must also adhere to the UK electronic Identification, Authentication, and Trust Services (eIDAS) Regulations. As an amended form of the EU eIDAS Regulation, the legislation establishes various types of digital evidence (e.g., electronic seals, time stamps, and electronic signatures) to ensure electronic business interactions are safer, faster, and more efficient.   

Fintech regulation in Europe

Each piece of EU legislation covers only some aspects of fintech regulation. Fintech firms providing financial services such as lending, financial advice, insurance, or payments must comply with the same laws as other firms offering those services.

The mechanisms used to harmonize AML/CFT legislation across EU member states are known as the Anti-Money Laundering Directives (AMLDs). The money laundering directives are published periodically and updated to reflect the current money laundering, terrorism financing, and criminal risks facing financial markets. The most recent version is the “new 6AMLD.” It focuses on repealing aspects of previous directives, transferring requirements for countries, and introducing changes to better align the practices of domestic supervisors and financial intelligence units  (FIUs).

Aimed at enhancing trust in electronic transactions, the EU has two standards in place: EU eIDAS Regulation and the Payment Services Directive 2 (PSD2). As discussed above, the eiDAS regulation “is a key enabler for secure cross-border transactions.” It ensures that all 27 EU member countries mutually recognize each other’s notified electronic identification schemes, thus increasing the level of security of transactions for fintechs and other businesses.

While eIDAS applies to any business, PSD2 rules are specific to EU banking/financial services institutions. It was adopted by the European Commission in 2015, replacing the original Payment Services Directive of 2007. One of its most significant legislative effects, PSD2 enables third-party access to bank account information.

In October 2022, the EU endorsed and published approved text for its European crypto assets regulation – the Markets in Crypto Assets (MiCA) law – likely to take effect in 2024.

MiCA will introduce a crypto licensing framework and establish requirements for stablecoins and crypto exchanges. This will include a requirement that authorized crypto asset service providers can only perform provision of services in crypto assets. The definition of crypto assets is likely to be broad to help regulation keep pace with the rapidly developing market.

Fintech regulation in Germany 

BaFin, the Federal Financial Supervisory Authority, supervises compliance with Germany’s Money Laundering Act. BaFin issued warnings to numerous German fintech service providers after audits revealed deficiencies in their AML/CFT processes. 

BaFin’s scrutiny included the bank N26, which was found to have deficiencies in its IT monitoring and customer due diligence processes. BaFin eventually issued N26 with a €4,250,000 administrative fine and imposed limits on its onboarding of new customers. 

Fintech regulation in the Baltics

AML in the Baltics – Latvia, Estonia, and Lithuania – has become increasingly important as the countries have become fintech Hubs. While this has made them attractive destinations for startup fintechs and others expanding into Europe, it puts them at risk of illicit financial activity due to their relations with countries such as Russia. 

Fintech compliance teams should become familiar with the EU’s AML regulations and sanctions, Estonia’s Financial Intelligence Unit, the Financial Intelligence Unit of Latvia, and Lithuania’s Financial Crime Investigation Service. 

Fintech Regulation in the United States

The Financial Crimes Enforcement Network (FinCEN) is the US’ primary financial regulator and works to ensure that banks and financial institutions comply with its primary AML/CFT law, the Bank Secrecy Act, and subsequent legislation, such as the Patriot Act. The US Office of Foreign Assets Control (OFAC) serves a similar regulatory function for enforcing US economic sanctions. 

FinCEN and OFAC have been adjusting to optimize their approach to fintech compliance. In particular, both regulators have focused on the criminal risks associated with virtual assets. FinCEN has released advisories on criminal typologies related to cryptocurrencies, while OFAC has issued its virtual currency guidance and even implemented sanctions against virtual currency wallet addresses. 

Fintech regulation in Canada

AML for Canadian fintechs means firms must abide by public and private legislation at federal and provincial levels, the same as banks and other FIs. Canadian AML requirements include the Canadian Payments Act, Payment Clearing and Settlement Act (Canada), Bank Act, and the Bills of Exchange Act (Canada). 

Certain laws and regulations in Canada are specifically relevant to fintech service providers. These include the Personal Information Protection and Electronic Documents Act (PIPEDA) which protects personal information handled by private sector firms, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). 

Canada’s main financial regulator is the Financial Transactions and Reports Analysis Centre (FINTRAC), responsible for identifying ML/FT.

Fintech regulation in Singapore

Singapore has become an increasingly important player in the fintech world, and AML/CFT for Singaporean fintechs has developed as a result.

The Monetary Authority of Singapore (MAS) supervises compliance with Singapore’s Corruption, Drug Trafficking, and Other Serious Crimes (Confiscation of Benefits) Act (CDSA). MAS sets out compliance standards for financial institutions in Singapore and issues regular guidance. 

In 2020, Singapore introduced the Payment Services Act (PSA), which brought payment service providers and fintech firms under the scope of the city’s AML/CFT regulations. It introduced requirements for fintech firms to obtain a MAS operating license. 

In 2022, Singapore passed the Financial Services and Markets Bill. The bill introduced new rules that enhance the regulation of digital token service providers for ML/TF risks and gives lawmakers the power to deny licenses to operators the country deems unfit.

Fintech regulation in Hong Kong

The Hong Kong Monetary Authority (HKMA) is Hong Kong’s central bank and financial regulator and sets AML regulations. HKMA requires that firms take a risk-based approach to AML in line with the FATF and the Asia Pacific Group on Money Laundering (APG). 

While Hong Kong does not employ any specific fintech regulation, fintechs must comply with anti-money laundering in Hong Kong and are subject to particular laws depending on their functions. 

Fintech firms that carry out any “regulated activities,” as defined by the Securities & Futures Commission (SFC), must be licensed by that body; money lenders are subject to the Money Lenders Ordinance. And payment systems firms and retail payment systems providers must be licensed under the Payment Systems and Stored Value Facilities Ordinance (PSSVFO).

Fintech regulation in Australia

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s primary financial intelligence agency and regulator, tasked with ensuring compliance with AML/CTF rules in Australia and preventing other financial crimes. 

The primary AML rules in Australia are part of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. While there are no specific AML regulations for Australian fintechs, the country’s fintech sector grew dramatically between 2020-2021, with investor funding soaring by 253%, compared to a global average of 45%.   

Fintech firms must comply with the existing AML/CTF framework and the licensing and reporting regulations it imposes. They should treat data privacy as a priority, as it is regulated at territorial, state, and federal levels.

AML Guide for FinTechs

To find out more about fintech regulation and compliance around the world download the AML Guide for FinTechs, or get in touch to schedule a demo.

Download the guide

Appointing a fintech MLRO

Following FATF guidance, jurisdictional fintech regulations typically require the appointment of an AML/CFT compliance officer, commonly referred to as a Money Laundering Reporting Officer. 

An MLRO is appointed to oversee their firm’s AML/CFT program, communicate with senior management, and liaise with financial authorities. In addition, the MLRO is involved in developing a firm’s internal AML/CFT policies, filing AML/CFT reports, and training compliance staff. 

Given the regulatory importance of the role, MLROs should have sufficient expertise and authority to carry out their duties competently. This means appointees should have extensive knowledge of AML/CFT regulations and the fintech landscape and display personal honesty and integrity. 

With those factors in mind, fintech firms should consider the following factors when appointing an MLRO: 

• Candidates must be assessed to ensure they are capable of performing their duties
• Any potential MLRO conflicts of interest should be disclosed
• Internal AML/CFT policies should be codified in writing 
• MLROs must have clear communication channels with senior management figures and with financial authorities 
• Firms should implement an independent audit function to gauge the effectiveness of their AML/CFT compliance solution 

Fintech AML and KYC

While AML and Know Your Customer (KYC) requirements vary, specific essential requirements are common across jurisdictions. With that in mind, firms should put the following measures and controls in place as part of their AML/CFT compliance solution and help future-proof against evolving fintech regulations: 

• Identity verification: fintechs must acquire identifying data about their customers as part of the due diligence process. Higher-risk customers may be subject to KYC enhanced due diligence procedures. 
• Risk assessment: Fintechs must conduct a customer risk assessment to build a risk profile for each customer. After collecting due diligence data, the profile will inform subsequent compliance decisions regarding the customer’s financial behavior. 
• Transaction monitoring: Fintechs must conduct AML transaction monitoring on their customers on an ongoing basis to look for suspicious activity. This might include unusually high volumes of transactions, transactions with high-risk countries, or transactions that don’t match a customer’s risk profile. 
• Sanctions screening: Fintechs may engage with customers worldwide and must ensure they are not doing business with customers subject to international sanctions. Accordingly, fintechs must build sanctions and watchlists screening into their compliance solution and check their customers against the relevant international sanctions lists. 
• PEP screening: Politically exposed persons (PEP) pose a higher money laundering risk. Given the potential for PEPs to avoid AML scrutiny, fintechs must establish their customers’ PEP status by screening by screening at onboarding and throughout the business relationship.
• Adverse media monitoring: Media stories often indicate AML/CFT risk changes before official sources confirm that information. Accordingly, the fintech AML process should include negative news screening/adverse media monitoring taking in screen and print media along with online sources.

Fintech reporting

When fintechs detect potential criminal activity, often from existing money laundering typologies, they must inform the relevant authorities by submitting a suspicious activity report (SAR). Fintech compliance employees should be familiar with the SAR process to ensure timely submission. The process should be straightforward, clear, and informed by MLRO and senior management input. 

The administrative demands of fintech regulation mean that firms must integrate technology solutions capable of managing vast amounts of customer and transaction data. AI-driven smart technology solutions should add speed and efficiency to core AML processes, help fintech firms adapt to changing regulations, and rapidly manage increasingly sophisticated criminal methodologies. 

Protect your business and your customers from criminal risks with our fintech AML compliance checklist:

Read our AML guide for fintechs to ensure your business keeps on track with fintech regulation.