Okay -- kids are asleep. Dishes are done(ish). Time to break down this super cool AML development for US banks and FinTech. Thread follows this message.

https://twitter.com/regulatorynerd/status/1285635800852553729

We'll start with a question -- what does every product manager and product-mided ally inside a bank or FinTech hate?

It's "friction." And most product managers in FinTech have come to learn, loathe and then accept the friction that occurs with "know your customer" or KYC (KYB for businesses).

Innovative co's have reduced friction in consumer financial services. Staged onboarding, last 4 SSN matching, mitek and jumio for ID verification . . .

But KYB hasn't seen the same innovations. Infact, KYB in banking and FinTech has gotten more onerous over the past 10 years.

The reason for this -- and it's a good one -- is anti-money laundering requirements. The U.S. government, through the Financial Crimes Enforcement Network ("FinCEN") has established rules to help bring more transparency to privately owned companies.

In 2016, FinCEN finalized a rule titled "Customer Due Diligence Requirements for Financial Institutions." This rule would set in motion a series of changes that would ripple across onboarding standards in banks, SMB services, payment processing and neo-banking.

But before we get into FinCEN's 2016 rule, it's helpful to know why FinCEN published it. For that, we go back to 1989 to the 15th G 7 Summit. Something so boring, they didn't even post the Summit's picture with all the heads of state. So this pic of Paris will have to do.

At the event, the G 7 leaders agreed to stand up a a special task force to counteract the threat that money laundering posed to the established world's banking system. That task force would be the X-men.

No just kidding -- it's the Financial Action Task Force -- a trans-national body that coordinates on anti-money laundering standards. The work of this body, which now includes members from Asia and Latin America, sets the floor for the KYC standards we see around the globe.

The U.S. has long held an important role in setting FATF standards, and for good reason. We enacted three different anti-money laundering statutes since the 1970s. Known collectively by the name of the first statute, they and successor legislation is the Bank Secrecy Act.

So there we are, with all our American exceptionalism. We even had the USA PATRIOT Act from 2001 to point to, where we formally started to regulate money services and prepaid card businesses. But something happened in the mid 2000s.

FATF regularly issues reports on each country's compliance with AML standards. And in 2006, we and our American exceptionalism got rightfully called out for not holding up our end of the bargain.

The issue? We did nothing to identify beneficial owners of private businesses.

If you're wondering why an anti-money laundering standards organization might be upset that the U.S. hadn't been tracking or identifying beneficial owners of private companies in the banking system, now is a good time to refresh on the Panama Papers.

en.wikipedia.org/wiki/Panama_Pa…

Ah, you're back - the issue is that I can create a company, be the front man and have anyone as a business partner. If no one asks who my partner is, banks, my payment processor, the IRS all don't know who's benefiting financially. That's how terrorists and oligarchs hide money.

To address this, the US, through FinCEN, embarked on a 10-year odyssey to force financial institutions to collect beneficial ownership information from privately-held companies.

The banks and others rightfully complained -- why are we being deputized to clean up for a policy error by Congress and parts of the Treasury Department?

FinCEN responded by saying tough cookies. In its own estimates, it would only take an extra 15 minutes per beneficial owner to open an account. So only an extra hour for a business with four owners + a non-owner control person.

To give the industry plenty of time to prepare, FinCEN set a two-year implementation deadline. By May 2018, every U.S. financial institution would need to collect the name, address, DOB and SSN from every new private business customer's 25%+ owners and one control person.

Like college students, the industry waited until close to the deadline to build compliance programs. Folks forgot about payments, which led to a bunch of awkward conversations and arguments between ISOs and their bank processors. Onboarding standards increased to meet the rule.

So that leads us to this week's defense spending bill, which deals with funding national defense and a host of other initiatives. On Monday, the House approved a "rule" on how to pass the defense spending bill. Tucked into the rule was a gift to U.S. financial institutions.

Behold! The Corporate Transparency Act of 2019 (err . . 2020)

The Act requires private companies to report their beneficial ownership information to the government. Finally mandating sunshine into a well of . . . well who knows -- we've never really looked before!

(J/k - we know there's going to be lots of money laundering)

So here's where the gifts to the financial institution start to come into play. FinCEN can disclose all that information it collects to . . . banks! To help them meet their due diligence requirements under the Bank Secrecy Act!

And it gets better (for the financial institutions). FinCEN has to rewrite that pesky 2016 rule that makes them collect all that beneficial ownership information. They have to "reduce any burdens on financial institutions that are [due to this law] unnecessary or duplicative."

So what does this mean for FinTech companies?

(bet @iankar_ thought I was going to slip and write FinTechs)

It really depends on a few things.

The first is what FinCEN does with that big data base and its resultant diligence rule from 2016.

Can the data be accessed in real time to satisfy KYC? Will it have an API? What does the "consent" from the customer look like?

A slow, rickety and rate-limited database that has the operating hours of the ACH system will keep any of this from benefiting the industry or law enforcement.

But a fast, real-time, non-rate-limited solution that banks can ping to get data? That could shut out bad actors.

The second issue hinges on who FinCEN will define in as a "financial institution." In the initial rule, banks and other large financial institutions got scoped in. But money services businesses -- which is how payment focused FinTechs have long classified themselves -- were out.

That was good in that Venmo, Square Cash and PayPal didn't need to collect beneficial ownership information to offer an ACH-based or on-us wallet payment system. But it also meant they couldn't participate in any reliance KYC sharing structures the industry might have stood up.

No information sharing systems were stood up in 2018, so they didn't lose out then. But a narrow definition of financial institutions that excludes money services businesses would block FinTech payment companies from accessing the new FinCEN KYC database.

FinTech lenders are also on the outside looking in. FinCEN has long held the power to loop us in via rulemaking, but they did mortgage companies and then kind of stopped.

Because of credit sponsorships, lots of FinTech lenders have formal AML programs and compliance officers anyway. So compliance with a formal, MSB-like AML regime wouldn't be a heavy lift.

But until that happens, FinTech lenders will also be blocked from directly accessing this new and important fraud tool. All because they're not technically "financial institutions" under existing FinCEN rules.

So will the private sector of banks and bank service providers rise to this interesting business challenge and help FinTechs (oops, sorry .@iankar_ ) access the new KYC database?

Looking at EWS, probably not.

For those who haven't had the pleasure of ramming your head into a brick wall -- that's kind of what its like trying to be a FinTech looking to access EWS.

EWS or Early Warning Services is a commercial database of bank account information from most of the U.S. banks and credit unions. They get daily info on account ownership and also status of funds.

Why is EWS so frustrating? First, they run a give-to-get model. So if you're a FinTech and you just want to buy data for cool KYC and compliance reasons, you need to turn over all your existing historical customer data.

It would generally make sense, except that EWS is turning away steady revenue by forcing smaller FinTechs into data sharing quid-pro-quos. Oh, and you still have to pay them.

(If you've ever asked EWS, or its bank handlers, to just sell you the data -- you'll get the brick wall joke a few tweets earlier)

EWS also stinks because its protected by the FCRA. Some banks and retailers use the data to see if they should grant consumers a financial service. Like check cashing or ACH processing. That act is an "eligibility decision" which means the whole damn database is FCRA covered.

Now I like the FCRA - it lets us fight inaccuracies in our credit reports. But EWS is dumb by taking data that could be clean, tainting it and never building an untainted database. The big 3 all have untainted data that's similar for address/verification. EWS is missing out.

A while back, someone else who repeatedly ran their head into the EWS brick wall started GIACT to buy and then resell EWS data. But its still limited. E.g., there isn't really fuzzy matching -- instead you get a "no" (match) or a "conditional verification" response.

Why are we talking about EWS? Because its the cautionary tale for FinTechs about how we might be able to access the FinCEN database. If the banking industry can botch making EWS a modern KYC tool, they're highly likely to do it again with this new government database.

So here's hoping Congress doesn't pressure FinCEN to freeze out FinTechs. And here's hoping the forward looking policy folks at FinCEN and Treasury get to steer this new rule. There are some great folks in the agency, and they have gone out of their way to go deep on tech.