Financial Institutions’ compliance officers and teams should be concerned that Open Banking may render their existing AML/CTF and KYC compliance programs inadequate. Open banking is evolving around an ecosystem of third-party providers (TPPs). These companies interface with FIs’ systems – via any method from regulated Open Banking APIs to unmonitored screen scraping – in order to access data or transactional functions. They provide added services to customers ranging from personal budgeting and spending alerts to personal funds transfers and cryptocurrency wallets.
What is Open Banking?
Open Banking is a term that describes an FI sharing customer and product data, as well as transfer and payment functions, with third parties via application programming interface (API). In some markets, like the EU, Open Banking is mandated and regulated. In other markets, like Japan, Open Banking is mandated and APIs are specified, but FIs are not mandated to participate. In markets like the US, Open Banking is neither mandated nor regulated, but is advancing, nonetheless.
AML experts are concerned about this model because TPPs can limit an FI’s visibility into how funds flow in and out of its systems and through the ecosystem. AML compliance has not traditionally focused on monitoring this type of network. AML/CTF compliance programs should be evaluated for whether they can address the specific risks Open Banking presents.
Here are 8 risks compliance managers should keep in mind when evaluating AML/CTF compliance programs for Open Banking:
1. Customer data screen-scraping widespread
Many TPPs have used customers’ login credentials to screen-scrape data from banks’ customer web portals and apps, sometimes without the bank’s knowledge. Screen-scraping is considered non-secure, may fall outside the defined scope of existing AML rules, and its use has been to a large degree restricted in the EU. Where it is less regulated, banks must consider how to govern this widespread practice.
2. Disordered markets create more AML challenges
In markets that are not regulated, compliance officers may face a disordered but expanding TPP ecosystem. Without API standards, centralized databases, and clear AML/CTF compliance rules for TPPs, it will be even more difficult to gain full visibility into how money flows across accounts, borders, FIs and fintechs. This creates new opportunities for placement, layering and integration of funds, especially where TPPs are not held to specific AML/CTF and KYC standards. Sanctions screening is also difficult to conduct without visibility into funds origins or final destinations.
3. AML plans needed when API technology fails
A large ecosystem of API providers has emerged to support fintechs across many business processes, including KYC and AML checks. Different API providers can specialize in distinct services. Where many may provide what they productize as KYC APIs, not all will also provide AML/CTF checks. Fintechs therefore may use combinations of API providers. FIs will need to consider standards and procedures to address technology failures, like API unavailability, and inadequacy.
4. Increased exposure to crypto threats
Open Banking includes new, known AML/CTF threats like money laundering conducted through cryptocurrency exchanges. Some crypto exchanges are even designed to attract financial criminals because they can offer anonymity and obscure the source of funds. Know your partner (KYP) processes, regulated or otherwise, must be enhanced to monitor the crypto domain for AML/CTF and sanctions compliance.
5. Ecosystem requires ongoing vetting
There are concerns that a TPP could be vetted as an AISP – those that only read and gather account information – but later become a PISP – providing payments and transfers, without being authorized or becoming AML/CTF compliant. Vetting the ecosystem for compliance will be an ongoing process for FIs because the whole ecosystem will grow and change.
6. Mandatory API access means FIs take on risk
In some regulated markets, like the EU, FIs must provide API access to any registered TPP that requests it. Enforcing compliance across hundreds or thousands of potential TPPs will be challenging. FIs are “all in” for Open Banking risks in markets where API access is mandatory.
7. Ecosystem-wide AML transaction monitoring may be needed
AML transaction monitoring is more complex in an ecosystem. An FI may see funds’ last hop into their accounts but have no visibility into or across TPPs and other FIs which the funds have previously transited, potentially including their own systems in cases of customers hopping in and out again. FIs must be able to understand chains of transactions across the ecosystem to ensure AML/CTF and sanctions compliance.
8. Know your partner (KYP) adds time, effort, and program scope
FIs must determine, based on regulated rules or its own process, whether any TPP meets AML/CTF and KYC requirements. The burden is on FI compliance officers to expand AML programs to cover the TPP ecosystem and to define, evolve, and enforce standards against which any TPP partner must be held over time.
Open Banking has become a reality for FIs in both regulated and market-driven geographies. Its emergence and basis in an ecosystem model mean money launderers and other financial criminals will find ways to exploit it. To operate with Open Banking’s new demands in mind, FIs should consider these and other emerging risks as they augment financial crimes compliance programs to address Open Banking head on.
To learn more about Open Banking, its AML compliance risks, and how Open Banking regulations are developing worldwide, please read our whitepaper: Open Banking Impacts for AML/CTF Regulatory Compliance.