Online and alternative lending has opened up credit to a wide range of individuals and businesses who may not meet the traditional definitions of creditworthiness laid out by banks and traditional lenders. They have also brought valuable innovation and new efficiencies to an area of finance that had stayed very close to its face-to-face, paper-based history, even as other banking services modernized.
Nevertheless, online lenders should make careful efforts to meet Know Your Customer requirements by performing Customer Due Diligence (KYC/CDD). The best practice is to follow all key due diligence requirements for lenders no matter what forms of online lending are offered. Regardless of regulation, following guidelines designed to prevent money laundering helps mitigate risk.
Despite the risk management benefits, online lending startups often struggle with the details of KYC/CDD because they lack the experience of banks that have originated and closed loans for many years. This gap exposes online lending startups to risks of anti-money laundering (AML) investigations and penalties.
This article will cover what online lenders need to know about KYC/CDD, the elements of a successful program, how to meet FinCEN rules for establishing customer identity and preventing money laundering, and how to mitigate the risks and penalties associated with non-compliance.
What You Need to Know
Know Your Customer and Customer Due Diligence
Terrorists, criminals, and other bad actors can potentially use legitimate financial platforms to fund illicit activity or launder proceeds from such activity. National and international authorities have developed a wide range of mechanisms to interdict illegitimate use of financial platforms by spotting and stopping suspicious activity such as money laundering. While these mechanisms are not foolproof, they serve a very worthy purpose.
The Role of FinCEN
In the United States, the governing law is the Bank Secrecy Act (BSA). It is enforced by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. While the BSA was passed in 1970, current provisions have been heavily influenced by amendments passed after the September 11, 2001 terror attacks and the resulting USA Patriot Act.
Needless to say, FinCEN takes its responsibilities very seriously. It has the power to investigate and enforce a wide range of AML provisions. It may take enforcement actions, including civil money penalties levied on companies, partners, directors, officers, or employees who participate in violations. It can even make criminal referrals for further investigation and prosecution.
Compliance with registration, recordkeeping, and reporting requirements is an essential component of FinCEN’s concern. The strength of compliance programs affects whether and how seriously FinCEN pursues potential violations, as well as how severely it penalizes violations.
Elements of a successful program: FinCEN CDD (Customer Due Diligence) Rules
FinCEN CDD Rules require financial institutions and entities acting as such (including online lenders to establish and maintain written policies and procedures that are reasonably designed to meet four money laundering prevention goals. They must:
- Identify and verify the identity of customers
- Identify and verify the identity of the beneficial owners of companies opening accounts
- Understand the nature and purpose of customer relationships to develop customer risk profiles, and
- Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information
How to Meet FinCEN Rules for Establishing Customer Identity
As the phrase “Know Your Customer” implies, online lenders must capture a borrower’s identity. In the U.S., Social Security Numbers or Federal Tax Identification Numbers are among the most commonly used identifiers to prove that customers are who they say they are. Online lenders must also capture primary physical addresses, and potentially, information that can be used to gauge customer risk, such as foreign residency, holding foreign assets, complex ownership structures, or the nature of assets used as collateral.
FinCEN does not establish firm requirements for such information. Instead, they focus on policies, procedures, and processes. FinCEN wants to ensure that lenders design reasonable and effective mechanisms that financial institutions follow appropriately and in good faith.
In other words, the lender is responsible for determining what information is adequate and appropriate, given the nature of their business, their customers, and potential customer risks. Having this sort of latitude means greater flexibility, but it also raises the bar in matching specific KYC/CDD requirements to the nature of a business and its risks.
Meeting such requirements takes specific expertise. At InnReg, we work closely with online and alternative lenders to identify potential KYC/CDD risks. We start with our clients’ fundamental business model, systematically map out the customer identity risks, then define the strategy and workflow needed to onboard new customers in a safe and compliant manner.
Monitoring Transaction Risk
As FinCEN’s four goals demonstrate,KYC/CDD efforts do not stop once a customer opens an account. Depending on customer risk or on the nature of certain account transactions, lenders may also need to carry out ongoing monitoring of a customer’s account.
A few examples highlight areas of potentially suspicious activity:
- A customer begins making loan payments from a suspicious source of funds, such as a non-U.S. bank account, a second loan or line of credit, a cryptocurrency account, etc.
- Loan payments are made from a third-party account not identified during the KYC/CDD process or not directly linked to the borrower
- A line-of-credit loan starts to see unusual activity, such as a high volume of small debits and credit transactions, or large transactions well outside historical transaction amounts
In other words, online lenders must build and maintain robust processes to flag suspicious activity, pause or prevent suspicious loan account payments or withdrawals, and follow reporting protocols, including using the BSA’s E-Filing system to submit formal Suspicious Activity Reports as warranted.
InnReg’s approach to monitoring and reporting suspicious activity is an integral part of its model for back-office operations, whether as a fully-outsourced provider, as a provider of self-contained surveillance, anti-manipulation, and suspicious activity monitoring, or as an advisor.
In any scenario, a simplified workflow is key to minimizing steps without sacrificing the accuracy of critical functions. Lenders’ monitoring approaches must mitigate risk, increase efficiencies, lower operational costs, and support the needs of the business both while launching and while growing.
Additional Considerations: Fair Lending and Data Privacy for Online Lending
While fair lending practices and data privacy practices are separate topics, they do bear mentioning in the context of KYC/CDD. No compliance practices should exist in isolation.
With respect to fair lending, lenders must ensure that information they collect to determine customers’ identities will not be used to make biased lending decisions. An obvious example would be building automated approval rules that disfavor or reject loan applications from primarily minority zip codes.
With respect to data privacy, lenders must also take adequate measures to protect both applicant and customer data, especially since applications require personally identifiable information (PII), including confidential financial information.
In both cases, the compliance requirements speak to the importance of taking a holistic approach to collecting, reviewing, processing, and storing customer data.
Non-Compliance Risks and Penalties
In the most extreme cases, FinCEN can determine personal liability and make referrals to criminal courts, entailing steep fines and potential prison sentences for company executives and personnel. Earlier this year, FinCen shocked industry watchers by levying a former U.S. Bank risk officer with a $450,000 fine for AML violations, on top of an earlier $613 million settlement with the bank itself.
In addition, regulations can change. While the threshold for transaction reporting today is $3,000, a proposed rule change would lower that to $250 for international transactions. Lenders, along with all financial service providers, bank and non-bank, must always be prepared to assimilate regulatory changes into their existing processes and compliance programs.
As mentioned, KYC/CDD can present significant risks. Improperly vetted customers can use an online lending platform to launder money or fund illicit activities from terrorism to human trafficking to the drug trade to poaching endangered animals. By following best practices and key due diligence requirements for more traditional lenders, online lenders can avoid the risk of unintentionally enabling such activities. Building and maintaining robust compliance processes is the best approach for online lenders to preserve the legitimacy and legality of their innovative platforms and business models.
If you are an online or alternative lender with questions about your Know Your Customer and Customer Due Diligence processes, feel free to reach out to InnReg for a complimentary consultation. We will be happy to answer your questions and highlight potential areas of risk.