High-Risk Compliance for BaaS and Correspondent Banks

  • Starting from January 1st, FinCEN introduced a new regulation, AMLA, which requires banks to conduct KYCC; this affects correspondent and BaaS banks the most
  • Compliance is about “being trackable” (the ability to trace, “follow the money”) 
  • No perfect KYC at onboarding will protect you from fraud 
  • No one is 100% bad or good: there's your (lack of) focus on the customer 
  • The regulator doesn't require you to ‘know the Truth,’ or ‘to not make mistakes’

"Simply forget about KYC; let anyone who desires a bank account have one, and use AI/ML to track the bad actors," said David Birch, and he was correct. Soups Ranjan made a similar comment to me recently about working with high-risk clients - "KYC is just the simplest part, the real interest starts afterward."

Regulators aren't focused on the "truth" - what matters to them is that you've considered these types of risks. Compliance is often wrongly seen as a mechanism to differentiate good people from bad. In reality, compliance is about "being trackable" (the ability to trace, to "follow the money") through a set of dynamic parameters over time. It's vital to realize that no perfect KYC at the onboarding stage can safeguard you against fraud and scammers: only about 20% of malefactors can be caught upon registration.

No individual is wholly bad or entirely good; broadly speaking, compliance isn't about "preventing September 11 from happening" but rather, when something does happen, it's about "quickly identifying who is involved." There's no black and white in this - it's all about focusing on the customer, understanding them, the risks they bring, and how to monitor and manage those risks effectively.

Everyone has seen films where the FBI or other special services, exhausted from chasing a hacker, eventually propose they switch sides to assist in catching other hackers and criminals. So, why don't compliance departments hire individuals convicted (or currently imprisoned) for 'money laundering'? They understand compliance and can immediately spot suspicious patterns far better than any specialist. The same applies to risk and the creation of new credit products - instead of seeking advice from pampered business school graduates, who recommend stepping out of one's comfort zone while sipping 18-year-old whiskey in a vintage leather chair, why not consult those who have long been living outside their comfort zones?

Or how about something akin to "ChatGPT for the financial sector"? It's no longer challenging to develop a new AI. The crucial part is gathering high-quality big data to train this AI, which we have as we store unique data about transactions, onboarding, and EDD data.

As for banks (and licensed fintechs and digital banks): no regulator prohibits them from dealing with cryptocurrencies, cannabis dispensaries, foreigners, NGOs, PEPs, digital nomads and online influencers, Russians, and another 550 million people in 15 sanctioned countries, churches, contemporary art galleries, homeless individuals, and former prisoners… The regulator simply states: (1) if you wish to work with these groups, inform us; and (2) demonstrate that you're prepared for it.

"Follow the money" - remember, a 100% bad client never walks in and instantly does something terrible. In reality, it's initially decent individuals carrying out normal actions and transactions until an "anomaly" occurs. In 99.99% of cases, the anomaly is detected after the fact, necessitating a swift and efficient rewind. 'Truth' often hinges on the Hypothesis, which defines your risk tolerance.

I launched my previous startup, ArivalBank.com, five years ago. From the outset, the main challenge for Anastasia Cavallini, CAMS, AMLCA, Justinas Kaminskas, Alexandre Pinot, CAMS, and Sandra Ameziane was compliance, followed by establishing better correspondent banking relationships. This was a common issue faced by many in the fintech industry, including various BaaS platforms, digital banks, European EMIs, Asian e-wallet giants, IFEs, MTs/MSBs, and brokers. We secured our banking license in the US for ArivalBank.com in May 2021.

Then began the second phase: correspondent banking is not solely about payment rails; it also requires orchestrating compliance systems and understanding US regulatory requirements (as the primary route for correspondent banking services). We accomplished this ourselves, securing our US banking license and establishing daily operations with the Federal Reserve Bank of New York and FinCEN. We connected five banks in the correspondent banking chain, not just for payment rails, but also for orchestrating compliance in a "rely on" mode. By serving international clients from 26 countries, primarily from the US, UK, and EU, I've learned how to satisfy the requirements of bank partners and their regulators in key markets. 

What could be done differently? You could integrate compliance to prevent transactions from becoming stuck, a significant issue for all correspondent banking providers. The main bottleneck in correspondent banking and BaaS is compliance - there's a lack of trust and understanding between parties, causing inquiries or concerns to halt the flow. In the worst-case scenario, when additional information is needed for a transaction or client, there's no seamless process for correspondent or BaaS banks, bank clients, and end-users to communicate and share information.

Compliance is often misunderstood as a binary determination of a person's character—good or bad. In reality, compliance focuses on creating a system capable of tracking financial activities ("following the money") through a set of evolving criteria over time. A crucial insight is that flawless Know Your Customer (KYC) processes at the initial stage of onboarding cannot entirely safeguard against fraud and scams; indeed, only 20% of fraudulent activities can be detected at this stage. The remaining 80% are identified during transaction monitoring. This necessitates the establishment of onboarding parameters that act like a "net," designed to detect anomalous behavior patterns during subsequent transactions, thereby enabling faster identification and the ability to "rewind" to trace connections.

Understanding the history (and purpose) of compliance is vital: its aggressive enforcement largely began post-September 11, 2001, as an effort to disrupt the financial networks underpinning terrorist activities. The assumption is not that compliance will prevent all illicit activities—human behavior is too complex for such a guarantee. Instead, when such activities occur, the goal is to swiftly identify and understand the parties involved. Criminals often mask their transactions through layers of legitimate activities performed by unsuspecting individuals, making it nearly impossible to label someone as definitively bad at the point of onboarding. However, by setting up systems to notice anomalies or backtrack to identify accomplices, it is possible to significantly enhance the effectiveness of compliance efforts.

Regulators, for their part, do not expect infallibility in identifying the inherently "good" or "bad." In fact, a record of no mistakes can be a red flag, prompting further scrutiny and audits. When errors do occur, regulators are interested in:

  • Who identified and reported the error—was it the institution, a client, a partner, or the regulator themselves?
  • The promptness of the response—was the issue addressed immediately, or was there undue delay?
  • Whether there was prior consideration of the risk type involved—even if the controls failed—or if the risk was entirely unforeseen.
  • The planned corrective actions—generic responses might indicate a likelihood of recurrence, while specific, well-considered actions demonstrate a deeper understanding of the issue.

For institutions like ArivalBank.com, engaging with high-risk clients or operating within risky geographies and sectors requires a forthright acknowledgment of these increased risks and an assertion that managing them is not just a side task but a core specialization. Institutions must:

  • Be transparent about their engagement with high-risk profiles, acknowledging it as a deliberate business choice.
  • Conduct thorough risk analysis related to specific geographies and industries, detailing the unique challenges they present.
  • Describe how they plan to mitigate and manage these risks through processes, technology, training, additional data sources, and an increased number of screening questions.

Ultimately, if an institution can convincingly address these points, regulators will authorize them to proceed, monitoring for SARs (Suspicious Activity Reports) and, paradoxically, "mistakes." These errors, while not desirable, are part of the iterative process of refining compliance systems, risk profiles, and controls, thereby enhancing overall regulatory understanding and effectiveness.

In the context of Nansen.ID (Metastate Ltd) , our approach is not to indiscriminately accept all applicants based on notions of charity or benevolence. Instead, we advocate for banks and fintechs to embrace additional risks while demonstrating how to engage in more thorough vetting processes. Here's how we aim to exceed standard practices:

  • Utilizing Unconventional Databases: We access a broader range of local and often unofficial databases not integrated with major compliance providers like Onfido, Veriff, ComplyAdvantage, Sumsub, or Signicat. These include databases maintained by entities such as Navalny's Anti-Corruption Foundation, known for its anti-money laundering efforts; Khodorkovsky's Dossier; the Ukrainian “Peacemaker” database detailing war instigators and collaborators; and databases maintained by the international association of investigative journalists, including OCCR and Pulitzer Prize recipient Olesya Shmagun. Additionally, we leverage resources from the sanctions group at the Treasury and the US Senate, led by former US ambassador to Russia Michael McFaul. These sources offer rich data sets that are eagerly shared yet largely overlooked by compliance services focused on low-risk profiles.
  • Asking More Questions: Beyond the standard inquiries, we delve deeper into an individual's employment and sources of income, aiming to gather detailed information to form a more complete understanding of their financial background.
  • Incorporating Affidavit Questions: Recognized in jurisdictions with British legal traditions, affidavit questions add a legal layer to the vetting process. These aren't limited to queries about corruption and money laundering typically seen in visa applications; we also explore political stances, such as support for Putin/Lukashenko or views on the conflict with Ukraine. Lying in response to these questions is tantamount to perjury, highlighting the seriousness with which they're treated. Some banks have already begun to include such probing questions in their processes, albeit quietly.
  • Leveraging Social Proof: We encourage applicants to provide references from 3-5 individuals who can attest to their reliability, akin to the vetting process for employment or visa applications. This approach not only enriches the applicant's profile but also creates a network of accountability. In cases of fraud, this allows for a broader investigation into both the recommenders and those they've endorsed.
  • Requesting a List of Relatives: Given that politically exposed persons (PEPs) and others may launder money through family members rather than directly, compiling a list of relatives becomes an essential step in understanding and mitigating risk.

We don't just open our doors wider; we also refine our lens, enabling a deeper and more nuanced assessment of risk. This comprehensive approach doesn't seek the impossible task of discerning the "Truth" about an individual's nature. Instead, it ensures that we've thoroughly considered the types of risks presented and have made diligent efforts to document and verify them, thereby strengthening the integrity of our compliance processes and contributing to a safer financial ecosystem.

These measures are inspired in part by David Birch's initial proposition: "currently, banks and fintechs conduct customer due diligence (CDD) at entry and again at set annual intervals; this is costly (some banks spend over $500 million a year!), outdated, and often unpleasant for customers. A new paradigm — using automation and integrations for continuous or perpetual KYC (pKYC) — makes much more sense in today’s world. Implementing pKYC requires solving problems in technology, data management, operations, and user experience, but promises to dramatically reduce fraud and operational costs. Companies that enable this — which see pKYC as a way to solve compliance issues but also to strengthen customer value and LTV — stand to reap immense rewards." On the B2B side he adds: "Compared to consumers, B2B identification data is naturally more disparate. Business identification is indeed a vast topic, and we’re just touching the tip of the iceberg in how enterprises unlock the context needed for more efficient money management. Many of the opportunities discussed in this letter — the shift to continuous pKYC, the potential for opening networks in credential issuance — are likely even greater in B2B than in B2C."

In designing a robust architecture for compliance and data handling, the goal is to establish a system that initially allows for the collection of basic information (at a minimum, the name, email, and mobile number) and the capability to incrementally gather more data without repetitively querying the user. This approach positions you as an AGENT where users delegate their rights and consent for the Collection, Storage, Processing of data, and Transfer to third parties—but only at their explicit request. In the banking context, this translates to acting on the customer's behalf, managing account openings/closures, and transaction handling as if you were an extension of the bank itself.

Looking forward, the objective is to evolve into both a Data Processor and Data Controller while pursuing SOC1/SOC2 certifications. Regulators generally disapprove of indiscriminate data collection without a clear purpose. Thus, providing a well-defined rationale for data collection facilitates regulatory compliance—this is particularly relevant when partnering with banks, as it enhances clarity and transparency.

The ultimate aim is to simplify compliance-related processes, enabling users to preemptively respond to inquiries, securely store their responses, and readily provide necessary information as needed. However, the decision to approve or deny services rests with each individual provider, even though we may assist by providing results from blacklist checks. This segregation of decision-making is a critical requirement in the U.S., with the EU still deliberating its stance.


With all that's been happening in Russia, Ukraine, and Belarus, the big question isn't just about how to keep onboarding clients who don't vibe with Putin and the war on Ukraine, especially those with Russian roots or passports. As Alex Nikityuk (from the Revolut mafia) of YC-backed Maroo wrote here: due to recent events in Russia, Ukraine, and Belarus, the issue has arisen not so much of how to continue onboarding clients (who disagree with Putin and the war with Ukraine) with Russian passports or roots, but rather how companies like Deel, Revolut, and many others should offboard such clients. And here the cost of the question is not theoretical - companies have already spent money attracting and onboarding these customers. In this context, the EU is actively discussing the problem of opening (and closing) accounts for innocent customers (by the way, did you know that more people live in sanctioned countries than in the EU?). And it seems that what Nansen.ID is doing now is important not only in the context of Russia (Belarus and Ukraine), but also in 15 sanctioned countries where 550 million people live. Have you ever thought that not all people there support their regimes? By "fanatically" disconnecting them from banking and other online services, we are not solving the problem but only exacerbating it: locking the "disagreeing" inside their countries, leaving their assets to fuel the local economies, and preventing talented and active young entrepreneurs and scientists from leaving, which would weaken those regimes and strengthen the economies of the host countries.

In this context, the efforts of Nansen.ID are particularly relevant, extending beyond the immediate situations in Russia, Belarus, and Ukraine, to encompass 15 sanctioned countries home to 550 million individuals. It prompts a critical reflection: not everyone in these countries supports their government's actions. Cutting off access to banking and online services not only fails to address the underlying issues but exacerbates them. It isolates dissenters, retains their assets within these regimes, and prevents the emigration of innovative and active minds that could otherwise contribute to weakening oppressive governments and bolstering the economies of welcoming nations.

P.S. Here are two additional insights:

The notion that all Russians and Belarusians support Putin and Lukashenko is an oversimplification often held by compliance officers in banks from developed countries. This generalized perception can inadvertently push such clients towards banks involved in laundering "dirty money," unregulated cryptocurrencies, and crypto exchanges lacking proper compliance measures. It's vital to differentiate between rigid, "by-the-book" compliance and adaptable, self-learning compliance systems. For example, consider the scenario of accepting clients with past convictions, especially for economic crimes and money laundering. A traditional compliance officer might outright reject such prospects. However, a more nuanced approach reveals a broader opportunity.

In the U.S. alone, 80 million individuals with criminal records face barriers in opening bank accounts, renting apartments, and enrolling their children in schools, due to pervasive background checks. This statistic suggests that addressing and rehabilitating first-time offenders could significantly reduce overall crime rates. The "Scandinavian model," with its focus on support and rehabilitation, highlights the potential for integrating ex-offenders into society and the workforce, including the compliance sector of financial institutions.

Consider the innovative approach of '70 Million Jobs,' Richard Bronson's startup, which negotiates with corporations to hire ex-convicts, ensuring a double-check system for genuine rehabilitation and offering a second chance for these individuals. This model of collective responsibility, and the potential for a digital bank specifically catering to ex-convicts, illustrates the complexity of compliance and the need for a more inclusive, understanding approach.

Another point worth discussing is the concept of "consistency" and "inheritance" in the transition from onboarding to AML and transaction monitoring. This involves understanding and anticipating certain architectural nuances. For instance, categorizing contacts of bank customers as "Almost-Customers" and individuals who have transacted with bank customers but are not themselves customers as "Near-Customers" can refine AML monitoring strategies. Incorporating these segments into compliance processes, transaction monitoring, and marketing efforts demonstrates the intricate balance between innovative customer engagement and rigorous compliance adherence.
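The onboarding "net" that catches anomalies in later transactions, the "rewind" that follows the money back through the chain, and the "Almost-Customer" / "Near-Customer" segmentation described above can all be expressed on one small transaction graph. The block below is an added illustration written for this page; it is not code from the original article, from Nansen.ID or from ArivalBank.com. Every account, declared profile, threshold and transaction in it is constructed sample data, and the 3x-of-declared-volume rule is an assumed tolerance chosen for the example, not a regulatory figure.

```python
"""Onboarding 'net', counterparty segmentation and 'follow the money' rewind.

Added example (not code from the original article, Nansen.ID or ArivalBank.com).
All accounts, declared profiles and transactions below are constructed sample
data; the tolerance factor is an assumption made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Customer:
    account: str
    expected_monthly: float                       # volume declared at onboarding
    contacts: set = field(default_factory=set)   # references + listed relatives


@dataclass
class Tx:
    day: date
    src: str
    dst: str
    amount: float


# --- constructed sample data (not real accounts) -----------------------------
CUSTOMERS = {
    "alice": Customer("alice", 5_000.0, {"bob", "carol"}),
    "bob":   Customer("bob", 2_000.0, {"alice"}),
}
TXS = [
    Tx(date(2024, 3, 1),  "ext-payroll", "alice",        4_000.0),
    Tx(date(2024, 3, 3),  "alice",       "bob",            500.0),
    Tx(date(2024, 3, 10), "ext-shell-1", "ext-mule",    30_000.0),
    Tx(date(2024, 3, 12), "ext-mule",    "bob",         30_000.0),
    Tx(date(2024, 3, 13), "bob",         "ext-exchange", 29_500.0),
    Tx(date(2024, 3, 14), "carol",       "alice",          100.0),
]


def segment_counterparties(customers, txs):
    """Almost-Customers: declared contacts/relatives who are not customers.
    Near-Customers: accounts that transacted with a customer but are neither."""
    almost = set()
    for c in customers.values():
        almost |= {x for x in c.contacts if x not in customers}
    near = set()
    for t in txs:
        for a, b in ((t.src, t.dst), (t.dst, t.src)):
            if a in customers and b not in customers and b not in almost:
                near.add(b)
    return almost, near


def onboarding_net(customers, txs, window_days=30, tolerance=3.0):
    """The 'net': flag an inbound transaction when the customer's trailing
    inbound volume exceeds tolerance x the volume declared at onboarding."""
    flagged = []
    for t in sorted(txs, key=lambda x: x.day):
        cust = customers.get(t.dst)
        if cust is None:
            continue                       # only customers have a declared profile
        start = t.day - timedelta(days=window_days)
        inbound = sum(u.amount for u in txs
                      if u.dst == t.dst and start < u.day <= t.day)
        if inbound > tolerance * cust.expected_monthly:
            flagged.append(t)
    return flagged


def rewind(txs, account, as_of, max_hops=5):
    """'Follow the money' backwards: every transaction on or before as_of that
    funded `account`, then the accounts that funded those, hop by hop."""
    by_dst = defaultdict(list)
    for u in txs:
        by_dst[u.dst].append(u)
    chain, frontier, seen = [], {account}, {account}
    for _ in range(max_hops):
        nxt = set()
        for acct in frontier:
            for u in by_dst[acct]:
                if u.day <= as_of and u.src not in seen:
                    chain.append(u)
                    seen.add(u.src)
                    nxt.add(u.src)
        if not nxt:
            break
        frontier = nxt
    return chain


if __name__ == "__main__":
    almost, near = segment_counterparties(CUSTOMERS, TXS)
    print("almost-customers:", almost, "near-customers:", near)
    for t in onboarding_net(CUSTOMERS, TXS):
        print(f"flagged {t.src}->{t.dst} {t.amount} on {t.day}")
        for u in rewind(TXS, t.dst, t.day):
            print(f"  upstream {u.src}->{u.dst} {u.amount} on {u.day}")
```

Running it shows the point the text makes: nothing about bob looked wrong at onboarding, the 30,000 inbound on 12 March is what trips the net, and the rewind immediately surfaces the ext-mule and ext-shell-1 accounts that the segmentation had already tagged as Near-Customers worth monitoring. The same graph is what a "rely on" correspondent would want to share when it asks for more information about a transaction.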

Revolut's practice of analyzing customer contacts for potential outreach and compliance implications exemplifies the proactive approach required in modern banking. This methodology not only enhances customer experience and potential customer acquisition but also integrates compliance and operational efficiency seamlessly.

Such strategies underscore the importance of a sophisticated, forward-thinking approach to compliance, customer engagement, and the utilization of data for both security and growth. As the financial industry evolves, the intersection of compliance, technology, and social responsibility becomes increasingly crucial, necessitating innovative solutions that address the nuanced challenges of today's banking landscape.


Alexandre Pinot, CAMS

Co-Founder @ AMLYZE | Co-chair of Board @ ACAMS Baltics Chapter | Founder @ Fin-Ally

9mo

Challenging task indeed Vladislav, and multiple regulators across the globe are realizing that for BaaS correspondent and other intermediated types of relationships, many players did not manage to get it right (see decisions for Railsr, Solaris or Modulr for example). And I very much agree on the fact that as long as we have both clean data AND the right amount of it, we should definitely leverage the capacity of AI to make these processes smoother. One of the current roadblocks in this regard is the increasing (and in my opinion legitimate) stringency of data protection and privacy requirements…but maybe synthetic data could be a solution here 💡😉

Cedric Charpenet

Helping founders get sales right | Growing the best sales community | Sales Coach | Sales Advisory

9mo

Ensuring compliance is key in the fintech industry, great insights!

Sebastian G.

All-in-One AI Automation Infrastructure: From Lead Generation to Appointment Booking, featuring AI-driven SMS, AI-powered emails, and inbound and outbound voice AI agent calls.

9mo

Navigating compliance challenges in the fintech industry is definitely a common uphill battle. Good insights shared!
