FinTech Regulation: What You Need to Know

FinTech is a diverse and growing financial sector. As innovations change the FinTech landscape, regulators must adapt to keep pace, introducing new compliance measures to meet the challenge of new technologies and criminal methodologies. The elevated criminal risks associated with FinTech services mean that FinTech firms must think carefully about their regulatory environments and ensure that their anti-money laundering (AML) and counter-financing of terrorism (CFT) measures meet their compliance obligations.

FinTech products and services typically offer customers faster and more efficient banking experiences but, at the same time, often disrupt markets, creating regulatory uncertainty and opportunities for criminals to exploit compliance blind spots. Regulators expect service providers to treat financial compliance as an integral part of risk management – but it is important that each firm implements a unique solution that meets its needs. With this in mind, firms must consider what measures and controls they need to implement to achieve compliance, and how the solution will be refined over time.

Read our guide to FinTech regulation to ensure your business understands its compliance responsibilities.

The FATF Standards For FinTech Compliance

FinTechs are expected to implement AML/CFT programs in alignment with the Financial Action Task Force’s (FATF) 40 Recommendations. The recommendations provide the foundation for AML/CFT regulations in all FATF member states – each of which must transpose their requirements into domestic legislation.

The 40 Recommendations cover fundamental AML principles, including the need for member states to:

  • Treat money laundering as a crime
  • Establish a national financial intelligence unit (FIU)
  • Implement risk-based AML/CFT compliance requirements in domestic legislation
  • Introduce requirements for firms to perform customer risk assessments and monitor customers’ financial activity
  • Introduce suspicious activity reporting (SAR) requirements
  • Contribute to international anti-money laundering efforts 

There are currently 37 member countries that are guided by the FATF, along with the European Commission and Gulf Cooperation Council. These set international standards for ML/TF countermeasures covering the criminal justice system, law enforcement, fintech regulation and international cooperation. 

FinTech Registration and Regulators 

The FATF requires member states to establish national bodies that are responsible for the AML/CFT compliance of domestic financial institutions, including FinTech service providers. In addition to collecting and analyzing suspicious activity reports and investigating violations of FinTech regulations, these bodies are responsible for issuing operating licenses. In order to obtain an operating license, FinTech service providers will need to demonstrate that they meet a set of AML/CFT criteria, including: 

  • Governance arrangements, such as appointing a Money Laundering Reporting Officer (MLRO) and defining the AML/CFT responsibilities of senior management. 
  • Internal AML/CFT control mechanisms, including written policies and procedures. 
  • AML/CFT training programmes for employees at all levels of authority. 
  • Business-wide AML/CFT risk assessment procedures.

Core Regulatory Responsibilities

The AML/CFT ecosystem shown above shapes five core fintech compliance responsibilities:

  1. Appoint a senior figure responsible in law, known as the Money Laundering Reporting Officer (MLRO).
  2. Undertake an appropriate range of Customer Due Diligence (CDD) and Know Your Customer (KYC) measures to provide assurance about the identity and behavior of the clients throughout the client life cycle. 
  3. In the course of undertaking CDD, firms will sometimes find reasons for concern – possibly a name on a watchlist, or unusual or suspicious patterns of behavior. If this happens and further checks do not provide comfort, firms must report their concerns to the authorities through authorized channels.
  4. In order to help regulators and law enforcement, fintechs are expected to maintain records on AML/CFT operations for a minimum period.
  5. Obligated entities are required to undergo a registration process with responsible regulatory bodies.

Global FinTech Compliance Landscape

As countries have diverse legal, administrative and operational frameworks, and different financial systems, they cannot all take identical measures to counter these threats, and FinTech firms will find regulatory nuances in different parts of the world.

FinTech Regulation in the UK

The UK’s primary financial regulator is the Financial Conduct Authority (FCA). The regulator sets out AML/CFT compliance requirements for UK firms under the authority of the Proceeds of Crime Act 2002, the Money Laundering, Terrorist Financing and Transfer of Funds Act 2017, and the Terrorism Act 2000.

The FCA is increasing its focus on FinTech compliance. In 2022, it released the results of a review on financial crime controls at challenger banks – which are a significant contributor to the UK’s FinTech ecosystem. The review noted patterns of inadequate due diligence, enhanced due diligence, and suspicious activity reporting at challenger banks. 

FinTech Regulation in Germany

The Federal Financial Supervisory Authority (BaFin) supervises compliance with Germany’s Money Laundering Act. BaFin has recently issued warnings to numerous German FinTech service providers after audits revealed deficiencies in their AML/CFT processes. 

BaFin’s scrutiny included the bank N26, which was found to have deficiencies in its IT monitoring and customer due diligence processes. BaFin eventually issued N26 with a €4,250,000 administrative fine and imposed limits on its onboarding of new customers. 

FinTech Regulation in the Baltics

The Baltic countries of Latvia, Estonia and Lithuania have become attractive destinations for startup FinTechs and others expanding into Europe, but are at risk of illicit financial activity due to their relations with countries such as Russia. FinTech compliance teams should become familiar with the EU’s AML regulations and sanctions as well as Estonia’s Financial Intelligence Unit, the Financial Intelligence Unit of Latvia and Lithuania’s Financial Crime Investigation Service.

FinTech Regulation in the United States

The Financial Crimes Enforcement Network (FinCEN) is the US’ primary financial regulator and works to ensure that banks and financial institutions comply with its main AML/CFT law, the Bank Secrecy Act – along with subsequent legislation, such as the Patriot Act. The US’ Office of Foreign Assets Control (OFAC) serves a similar regulatory function for the enforcement of US economic sanctions.

Both FinCEN and OFAC have been adjusting their approach to FinTech compliance. In particular, both regulators have focused on the criminal risks associated with virtual assets: FinCEN has released advisories on criminal typologies associated with cryptocurrencies, while OFAC has issued its own cryptocurrency sanctions guidance, and even implemented sanctions against cryptocurrency wallet addresses.

FinTech Regulation in Canada

FinTech firms in Canada must abide by public and private legislation at federal and provincial levels, the same as banks and other FIs. Canadian AML requirements include: the Canadian Payments Act, Payment Clearing and Settlement Act (Canada), Bank Act and the Bills of Exchange Act (Canada). Certain Canadian financial regulations are specifically relevant to fintech service providers. These include the Personal Information Protection and Electronic Documents Act (PIPEDA) which protects personal information handled by private sector firms, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Canada’s main financial regulator is the Financial Transactions and Reports Analysis Centre (FINTRAC), which is responsible for identifying ML/FT.

FinTech Regulation in Singapore

The Monetary Authority of Singapore (MAS) supervises compliance with Singapore’s Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA). MAS sets out compliance standards for financial institutions in Singapore and issues regular guidance. In 2020, Singapore introduced the Payment Services Act (PSA) which brought payment service providers and FinTech firms under the scope of the city’s AML/CFT regulations, and introduced requirements for FinTech firms to obtain a MAS operating license. 

In 2022, Singapore announced that it was considering a Financial Services and Markets Bill. The bill would introduce new rules that would impose cryptocurrency regulations on service providers operating in Singapore. 

FinTech Regulation in Hong Kong

The Hong Kong Monetary Authority (HKMA) is Hong Kong’s central bank and financial regulator and sets AML regulations. HKMA requires that firms take a risk-based approach to AML in line with the FATF and the Asia Pacific Group on Money Laundering (APG). While Hong Kong does not employ any specific fintech regulation, fintech firms are subject to certain laws depending on their functions: Fintech firms which carry out any ‘regulated activities’, as defined by the Securities & Futures Commission (SFC), must be licensed by that body; money lenders are subject to the Money Lenders Ordinance; and payment systems firms and retail payment systems providers must be licensed under the Payment Systems and Stored Value Facilities Ordinance (PSSVFO).

FinTech Regulation in Australia

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s primary financial intelligence agency and regulator, tasked with preventing ML/FT and other financial crimes. The primary AML rules in Australia are part of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. There are no specific fintech regulations in Australia, but fintech firms must comply with the existing AML/CTF framework and the licensing and reporting regulations that it imposes. Fintech firms should treat data privacy as a priority, as it is regulated at territorial, state, and federal levels.

Appointing a FinTech MLRO

Following FATF guidance, jurisdictional FinTech regulations typically require the appointment of an AML/CFT compliance officer, commonly referred to as a Money Laundering Reporting Officer.

An MLRO is appointed with a duty to oversee their firm’s AML/CFT program, communicate with senior management, and liaise with financial authorities. In more detail, the MLRO is involved in the development of a firm’s internal AML/CFT policies, the filing of AML/CFT reports, and the training of compliance staff. Given the regulatory importance of the role, MLROs should have sufficient expertise and authority to carry out their duties competently, which means appointees should have extensive knowledge of AML/CFT regulations and the FinTech landscape, and display personal honesty and integrity.

With that in mind, FinTech firms should consider the following when appointing an MLRO:

  • MLRO candidates must be assessed to ensure they are capable of performing their duties.
  • Any potential MLRO conflicts of interest should be disclosed.
  • Internal AML/CFT policies should be codified in writing. 
  • MLROs must have clear communication channels with senior management figures, and with financial authorities. 
  • Firms should implement an independent audit function to gauge the effectiveness of their AML/CFT compliance solution. 

FinTech CDD and KYC

While due diligence and Know Your Customer (KYC) requirements vary, certain key requirements are common across jurisdictions. With that in mind, FinTech firms should put the following measures and controls in place as part of their AML/CFT compliance solution:

  • Identity verification: FinTechs must acquire identifying data about their customers as part of the due diligence process. Higher risk customers may be subject to enhanced due diligence procedures.
  • Risk assessment: After collecting due diligence data, FinTechs must conduct a customer risk assessment in order to build a risk profile for each customer. The profile will be used to inform subsequent compliance decisions regarding the customer’s financial behavior. 
  • Transaction monitoring: FinTechs must monitor their customers’ transactions for suspicious activity on an ongoing basis. Suspicious activity might include unusually high volumes of transactions, transactions with high risk countries, or transactions that don’t match a customer’s risk profile. 
  • Sanctions screening: FinTechs may engage with customers from all over the world and must ensure they are not doing business with customers that are subject to international sanctions. Accordingly, FinTechs must build sanctions and watchlist screening into their compliance solution and check their customers against the relevant international sanctions lists. 
  • PEP screening: Politically exposed persons (PEP) pose a higher money laundering risk. Given the potential for PEPs to avoid AML scrutiny, FinTechs must establish their customers’ PEP status by screening at onboarding and then throughout the business relationship.
  • Adverse media monitoring: Media stories often indicate changes in AML/CFT risk before that information is confirmed by official sources. Accordingly, the FinTech AML process should include adverse media monitoring taking in screen and print media along with online sources.

Fintech Reporting and Compliance

When FinTechs detect potential criminal activity, they must inform the relevant authorities by submitting a suspicious activity report (SAR). Fintech compliance employees should be familiar with the SAR process to ensure timely submission. The process should be straightforward and clear and be informed by input from the MLRO and senior management. 

The administrative demands of FinTech regulation mean that firms must integrate technology solutions capable of managing vast amounts of customer and transaction data. Smart technology solutions should not only add speed and efficiency to core AML processes but help FinTech firms adapt to rapidly changing regulations and manage increasingly sophisticated criminal methodologies. 

Originally published July 13, 2021, updated October 11, 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).