As anti-money-laundering challenges escalate and new liability shifts loom on the horizon for 2024, fintechs must be prepared. Proactive measures are crucial for establishing a firm foothold in the fintech landscape. Reactive approaches will only leave businesses vulnerable to attacks and financial losses.
In a recent PaymentsJournal podcast, Matt Herren, Director of Product Management at CSI, and Jennifer Pitt, Senior Analyst of Fraud and Cybersecurity at Javelin Strategy & Research, delved into how the regulatory landscape has evolved, the importance of security for growth, and the proactive vs. reactive approach to risk mitigation.
The Evolution of Regulation
From the start, fintechs functioned within a less stringent regulatory environment. However, even then, they were obligated to adhere to anti-money-laundering (AML) and know-your-customer (KYC) regulations. As fintechs expand in scale and impact, new regulatory frameworks have emerged to address issues such as data privacy and security.
“The regulatory landscape for fintechs is in an emerging evolutionary state right now,” Herren said. “It might be less stringent than banks, but as they grow—and their services become more complex—it’s an inevitability to be subjected to additional levels of scrutiny.”
FinCEN publications, issued by the Financial Crimes Enforcement Network, regularly communicate new or revised regulations so that financial institutions can remain in compliance with AML and Combating the Financing of Terrorism (CFT) rules. Some regulations, including the Customer Due Diligence (CDD) rule, have covered both FIs and non-banks. The rule requires FIs and fintechs to authenticate the identities of their customers to stop money laundering and terrorist financing.
“We’re also going to see a shift toward the FRAML (fraud and anti-money-laundering) framework,” Pitt said. “The convergence of fraud and money laundering are often intertwined with money mules or predicate crimes. Regulatory aspects of fintechs are going to have to incorporate a FRAML framework—not only with the actual fintech products but also investigations on both fintech providers and financial providers.”
Shifting Fraud Liability
Faster payments have brought about heightened concern regarding fraud risks, allowing malicious actors to exploit vulnerabilities. Although new fintechs seek rapid customer expansion, it’s crucial to complement growth strategies with robust security solutions. Failure to do so could undermine customer trust and jeopardize long-term success.
“You see startups, upstarts who are in customer acquisition mode—they’re not necessarily thinking about these [fraud liability] things,” Herren said. “But subsequent fines and lawsuits, they really do have an impact down the line because they’re not able to keep going. A suspension of operations to a company that’s 18 months old is essentially a death sentence.
“Any organization in that situation has to be thinking, ‘You know what, what would happen if we were to encounter that and try to avoid it on the upfront?’”
In most of these fraud incidents, consumers are stuck in the middle, losing large sums of money without a resolution. Understandably, they’re looking for better protection, and one way to give it to them is through a collaboration with FIs.
“We’ve seen the fraud, the consent orders come through banks recently, but there’s also been fintech fraud and money laundering,” Pitt said. “You look at the NFT (non-fungible token) and cryptocurrency space, at some of the online platforms like Venmo, PayPal and GoFundMe, and there is a lot of fraud that’s happening with that, and customers are really not happy about that.
“In the U.S. we’re going to start to see some fraud liability shifts like there is in the UK. It might be shared liability, but we’re at least going to see everything get back to a more customer-oriented realm of servicing people. If that means giving a partial reimbursement one time, then that’s the general direction we’re going to go in.”
Security First, Then Growth
When new businesses come to the fore, fraud is seldom on their immediate radar. However, this could be a costly mistake, leaving the organization vulnerable to fraud attacks. It’s a balancing act to juggle customer acquisition and security—but a necessary one.
“They know there’s trade-offs in being too aggressive in their fraud mitigation, and so often they seem to err on the side of, ‘We’ll figure it out later and let’s get the customer onboarded,’” Herren said. “I’m a huge advocate for balancing false positives, but if your organization is only focused on successful onboarding, it may be easy to overlook some of the details around assessing risk.”
When it comes to fraud prevention, it really is about a shift in priorities. It’s better to make the necessary investments from the beginning rather than implement anti-fraud solutions down the line.
“Fintechs and financial providers can really cost-effectively do that if they just creatively shift around their resources,” Pitt said. “If more resources are focused on the detection and prevention of fraud, you’ll have less fraud to investigate.
“You can shift some of those investigators toward the detection or shift your detection models away from people and shift it more toward the AI, machine learning aspect, once the security issues are kind of figured out.”
Mandating Multifactor Authentication
With regulatory bodies and governments cracking down on fraudulent attacks, relying on passwords alone is becoming less effective against these threats. As a result, mandating multifactor authentication will become crucial.
“We’ve seen a lot of data breaches,” Pitt said. “Some of what’s come out of the investigations is that companies are not securing their information well or employees are clicking on that email, or victims of social engineering attacks.
“Making sure you’re having end-to-end encryption with all of your data, all your information, making sure security policies, compliance policies are in place and understood by all fintech and financial provider employees is going to be essential.”
Being Proactive vs. Reactive
Taking a proactive approach to risk mitigation is far more advantageous for businesses when it comes to compliance. It is more cost-effective, and implementing security protocols from the outset could also prevent data breaches, potentially saving organizations from legal fees, hefty fines, and reputational damage.
“Risk mitigation and compliance are about business success more than anything else,” Herren said. “Including them at the foundation of what you do is also going to keep you from having to try to shoehorn a process in after the fact, either by regulatory decree or in the wake of a major event, either a loss or a fine.
“Starting off with active monitoring is going to be far easier and it’s going to have the added benefit of data that you can glean insights into your processes as well.”
When organizations choose to play catch-up on compliance measures, they invite myriad problems, such as inefficiencies, hurried decisions, and greater costs due to poorly planned strategies. Reactive responses can ultimately hurt an organization’s image, signaling a lack of foresight to stakeholders.
“Part of the issue with being reactive is we’re already behind the curve,” Pitt said. “An incident happens, we learn from our mistakes, they make regulatory changes or implement mandates, and then we go on. The problem is we’re basically playing games of whack-a-mole, and we’re behind the curve.
“Fraudsters are way ahead of us and thinking forward. One of the key things going forward is to hire forward-thinking people who can think several chess moves in advance on, ‘This is what fraud and money laundering are going to look like in the future, you know, five to 10 years down the road.’”