Know Your Customer and Your Obligations
In the Age of Real-Time Rails and Open Banking
Jennifer Arnold & Charlene Sebastian | October 2021
Originally published by the National Crowdfunding & FinTech Association (NCFA), FinTech Confidential, October 2021
Canada’s innovation landscape is evolving like never before. With Payments Modernization, Open Banking, and the approval of Canada’s first crypto-asset custodian, Canadian regulators are also stepping up to the plate, ensuring protection for consumers. This means constant and rapid adjustment of regulatory frameworks to ensure regulations reflect the nuances that innovation brings, while addressing customer demand for advanced technology and simplified experiences through leveraging digital options.
That can make it hard for startups and even established organizations to keep up with the changes, let alone ensure that they have the right tools and resources to operationalize complex legislative requirements.
When it comes to compliance for FinTech, security and data protection often take the lion’s share of focus and can eat up a significant chunk of capital along the way. For example, the average cost of SOC 2 Type 2 compliance, a precursor for the vendor management process, ranges from $30-40K – not including the costs to get there, which can be well over $100K.
But wait, there’s more!
The mainstream adoption of virtual assets in the retail consumer space (e.g., cryptocurrencies, NFTs and the like), coupled with modernized payment rails and consumer-directed finance, points to a likely increase of entrants into the payments market – a historical “sweet spot” offering for startups. Along with this comes an increased focus on consumer protection while trying to balance innovation and competition.
This is the driver for the new Retail Payments Activities Act (RPAA), passed on June 29, 2021, and continued updates to the Proceeds of Crime (Anti-Money Laundering) and Terrorist Financing Regulations (PCMLTFR).
What do I need to know?
The RPAA defines the nature of a Payment Service Provider (PSP) and requires PSPs to register with the Bank of Canada, which will administer and enforce the RPAA, including financial penalties for violations.
A PSP is defined as “an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity” and covers “any retail payment activity that is performed by a payment service provider that has a place of business in Canada…(or) performed for an end user in Canada by a payment service provider that does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada.”
While there are some exceptions, this aligns directly to the FINTRAC definition of a Money Services Business (MSB), including services dealing with virtual currencies. This triggers the requirement to also register with FINTRAC and directly connects a PSP to the obligations outlined in the PCMLTFR for an MSB. It’s important to note that the PCMLTFR already accounts for Money Services Businesses (MSBs) and Virtual Asset Service Providers (VASPs) and has for several years.
If you are unsure whether you fall under these categories, please reach out to us and we’d be happy to review the criteria together.
What are my obligations under the PCMLTFR?
In short, MSBs must set up a compliance program that consists of knowing your customer (KYC - verifying their identity) and conducting a risk assessment of your customer base to determine the level of due diligence and ongoing monitoring required. Risk assessments should be updated regularly and in accordance with detailed FINTRAC guidance.
In addition to screening for Sanctions compliance and Politically Exposed Persons (PEP), there are multiple reporting requirements depending on the types of transactions conducted and in relation to customer risk. There are also special requirements when certain types of transactions are above a specified monetary threshold.
Wow, that sounds like a lot. What’s this going to cost?
It depends. Factors like customer risk, volume, and velocity of transactions weigh into the costs of establishing a compliance program.
...but making sure you get it right protects you from fines. FINTRAC actively enforces penalties for violations, and if the US and UK examples are any indicator, monetary penalties are positioned to grow. Even a small fine can cripple a smaller firm.
Trust is also a huge factor in influencing retail adoption for new entrants, especially for newer players in the crypto space. An enforcement action can have significant reputational risk, something a startup may never recover from.
Fines in 2021 so far…
What can we do about it?
What we do know is that leveraging established Regulatory as a Service tools like MinervaAI can help you deliver on your obligations and are proven to be much more effective and efficient than traditional methods alone.
Firms like MinervaAI are led by professionals with deep knowledge of the regulations, the investigations process, and the machine and deep learning expertise to “plug and play” into your existing technology and process ecosystem. AI innovations coupled with cloud scalability allow investigators to do in minutes what would traditionally take hours and days to do.
Compliance doesn’t have to be scary or slow down customer onboarding. In fact, having an efficient and accurate risk assessment process upfront, with automated ongoing monitoring behind the scenes, ensures that your customers will be able to transact without interruption.