The Financial Conduct Authority released an interesting soft study on the incidents of derisking affecting companies in the UK and pursuant to the study, MSB, charities and FinTechs are the three business client groups whose bank accounts are most frequently closed because they are too risky for the bank (a practice known as derisking). No business, least of all a FinTech, can survive for very long without a bank account.
By way of background, banks are required by complicated anti-money laundering, counter-terrorist financing and sanctions laws to implement robust legal compliance programs that include, inter alia, the appointment of an experienced compliance officer, the undertaking of a geographically tailored risk assessment, regular company wide training, and a reporting regime for suspicious transactions tied to enumerated predicate offenses under national criminal law statutes, tax statutes, terrorism statutes, UN Conventions, sanctions statutes, and anti-corruption statues, and the reporting of certain transactions. The requirements are based on national laws and vary by country.
The costs of compliance for any reporting entity is at least $1 million per year, regardless of the size of the entity. Across the board, reporting entities in most countries agree that that is the baseline cost and it goes up based on the size of the financial institution. Large banks have compliance costs in the tens of millions of dollars per year. The costs is the same, in terms of a baseline amount because all reporting entities regardless of size have similar basis requirements that are costly to implement.
Diving into the minutia of costs, banks in the survey disclosed that it costs them annually between $4,200 to $6,400 (converted to CDN) per account holder to meet its AML / CTF compliance obligations. Those costs are not being passed onto the actual bank clients but rather are absorbed by the banks as part of its costs of operations. A FinTech paying $4,200 to $6,400 per month for the actual costs of compliance would have to raise money to match the actual costs of doing business. Based on many financing documents in the FinTech space, a number of FinTechs pay large monthly management fees to their insiders and next to nothing for legal compliance. That makes the FinTech risky for any bank or investor.
The AML / CTF requirements are similar across all reporting sectors, whether the reporting entity is a casino, a bank, a stock broker, a realtor or an MSB or a FinTech that is a reporting entity, and the costs incurred by each group should also be the same to comply with AML / CTF law. But its not. Typically, only land based casinos, some investment firms and banks tend to implement the full suite of AML / CTF legal requirements. The rest of the sectors of reporting entities fall short.
And so the derisking problem is this: all companies (including charities, MSBs and FinTechs), have to have banking relationships and bank accounts for their business and to complete financial transactions on behalf of their customers. The banks who provide those banking services are on the hook for AML / CTF compliance failures for banking the little players and therefore carry the risk of the banking relationship. The risk is a regulatory risk,  a civil liability risk and a risk of criminal liability for AML / CTF failures, not only of the bank but also of its officers and directors. As noted in the study, banks also have a real concern with the media backlash and reputational damage to them if  it were to emerge that banks participated in banking a FinTech that was involved in a financial crime scandal, or funded a terrorist organization inadvertently by not being familiar with well-known typologies.
FinTechs that onboard customers and conduct financial transactions do not spend $4k – $6k per customer per year, like banks do, in AML / CTF compliance costs. For banks, that means that the bank now has a double compliance burden of being concerned with its own compliance and the compliance of the FinTech and thus its costs escalate.
In the banking relationship, FinTechs are essentially asking banks to trust that the FinTech management will be legally compliant in respect of AML / CTF. Banks are saying: “No, show us on paper that you know what AML / CTF involves so that we have comfort that your FinTech is not a risk to us.” AML / CTF compliance lawyers working at banks are not willing to lose their job, pay a huge fine or be prosecuted for a FinTech’s AML / CTF failures.
Every bank does a risk assessment of a FinTech, which they will never share with you if you’re a FinTech but you can rest assured that if you are derisked, its because your startup, your management team, or your control systems (or lack thereof) was deemed too risky to the bank. Sometimes its not the FinTech that is risky but its the people behind a FinTech financing that are of concern to a bank, such as unlicensed individuals who raise money for startups and take financing fees off the books. Banks are also adverse to banking FinTechs that have ties to jurisdictions associated with offshore gambling operations that operate in some countries illegally.
FinTechs that do not know AML / CTF law or who know it but fail to comply because they costs are prohibitive for a startup or because they prefer to use their financing funds for other purposes, are too risky for a bank to bank and consequently they are derisked and their bank accounts are terminated.
I’ve heard from a number of chiefs of innovation at the world’s largest banks in the leading FinTech cities that FinTechs often approach them to partner or for investment without having spent time understanding the legal environment in which banks operate, and often they have already developed sophisticated tech that may be amazing but which a bank could never use because it would not mesh with the law. A FinTech that invests in tech but not the legal requirements for applying that tech is risky to a bank and signals that its house is not in order.
Many FinTechs operate with contracts in place with banks whereby, if they are partnering with a bank, the AML / CTF obligations remain with the banks, rather than the FinTechs. Others have no contracts in place and the banks in those partnerships have decided that since FinTechs are not registered as reporting entities, or registrable with the FIU, AML / CTF laws are suspended in respect of those transactions (although that is not the law). Many other FinTechs and banks are struggling to carve out the obligations in respect of AML / CTF to ensure that responsibilities and liabilities are clearly defined and that the risks are borne by one of the parties for AML / CTF failures.
In addition to contractual risk allocations, the solutions may be to pass on the actual costs of compliance to each business customer so that banks quit derisking and the FinTech carries the true costs – a move supported by the UK government in the study; and to have a regulatory sandbox to allow FinTechs to innovate in a controlled bubble where there is no potential harm to the financial system by their failures to comply with AML / CTF law because their financial transactions are limited in volume and transactional number, and subject to different oversight.
You can read the report here. You can read about the downside of FinTechs and terrorist financing here.