As Third-Party Payment Processors Surge So Does Their AML Obligation

Third-party payment processors (TPPPs) play an increasingly important role in the electronic payment ecosystem, making it easy for merchants to accept and process various forms of payment (credit cards, e-checks, and recurring payments) from customers. Leading TPPPs (i.e. PayPal, Square) process huge volumes of payments annually. For example, in the second quarter of 2023, PayPal’s total payment volume had grown by 10.8 percent compared to the same quarter of 2022 and was generated through over six billion transactions.

Unlike merchant accounts, which have a lengthy application process and can take days to weeks to establish with a bank, most third-party payment processors approve applicants within minutes. Such speed and access afforded by TPPPs comes with inherent risks for financial crime. And, unlike traditional banks, TPPPs do not have a robust compliance foundation baked into their operations.

Regulations and Inherent AML/CFT Risks

In the European Union, third-party processors are considered AML-regulated institutions and therefore must follow the Anti-Money Laundering Directives (AMLD) and the Payment Services Directive (PSD2).

Last summer, the European Banking Authority (EBA) published its report on money laundering (ML)/terrorist financing (TF) risks associated with payment institutions. The EBA’s report found that “ML/TF risks in the payment institutions sector may not be assessed and managed effectively.” In particular, the EBA found that “AML/CFT supervisors across Europe consider that payment institutions, as a sector, represent high inherent ML/TF risks. At the same time, the systems and controls payment institutions put in place to mitigate those risks are not always effective.”

But, in the US, payment processors generally are not subject to BSA/AML regulatory requirements. With that said, the Federal Financial Institutions Examination Council states that: “Payment processors pose greater money laundering and fraud risk if they do not have an effective means of verifying their merchant clients’ identities and business practices. Risks are heightened when the processor does not perform adequate due diligence on the merchants for which they are originating payments.”

Close the Door to AML Risk

Voltaire said, “With great power comes great responsibility.”

For financial criminals, TPPPs offer the perfect blend of speed, anonymity, and lack of oversight leaving the door to AML risk wide open. As we have seen recently in the Crypto space, rather than wait for new regulations or potential fines, processors should still have AML measures in place, given the general vulnerability to money laundering and other financial crimes. Rather than draw the attention of regulators over weaknesses in controls, TPPPs can be proactive and view AML as a competitive advantage for business success.

Payment processors pose a greater AML risk if they do not have a clear and effective way to verify their merchant clients’ identities. The risk is even greater when the TPPP does not perform adequate due diligence on the merchants that are originating payments.

Prioritize AML for Business Growth

If you consider the growth drivers for TPPPs, the need to automate AML compliance under the backdrop of cost-efficiency becomes clear.

Payments volume growth: Monitoring each new payment becomes more complicated as new merchants multiply and transactions grow. According to a KPMG report, some banks spend up to US$500 million each year in an effort to improve and manage their Know-Your-Customer (KYC) and AML processes. The average bank spends around US$48 million per year.

Geographic expansion: Many foreign jurisdictions operate differently from one another. The resources required to check all data to identify potentially fraudulent information and match business information can be overwhelming when using a people-based approach. The Federal Reserve recently wrote, “Compliance with anti–money laundering and anti-terrorism financing regulation is often cited as one of the most persistent challenges in cross-border payments. High cost and complexity related to complying with regulatory standards for various global jurisdictions have reduced correspondent banking relationships that, as a result, erode access to services.”

Introduction of new products: Each new product offering brings its unique compliance requirements around KYC and due diligence. Corporate onboarding requires the handling of much higher volumes of documents, and unlike with consumers, onboarding cannot be performed via a simple phone app.

Customer experience: Speed and agility are fundamental requirements for TPPPs, but it takes a human reviewer 2-3 minutes, on average, to review a single sanctions exception. Automation enables real-time reviews of sanctions alerts to ensure transaction speed, great customer experience and sanctions risk mitigation.

Employee experience: Employee burnout and employee experience have become very real and serious issues for compliance teams. Even for fully staffed and trained teams, the time-consuming and repetitive nature of AML work represents a threat of costly human error and high turnover.

Automating AML at Scale

So, you’ve now decided that your TPPP wants to get ahead on AML compliance, now what? Here are three best practices for a successful transition.

  1. Design a volume-independent compliance program that can easily scale. Programs that can scale up (and down) automatically deliver more robust, timely and cost-efficient compliance.
  2. Leverage a central platform that manages the compliance program. You want to have all your compliance-related systems and data connected to maximize efficiency. You can use platforms that merge different applications, documents and other data while using native AI and machine learning (ML) to ensure efficient information-sharing across your connected systems.
  3. Implement a cost-effective global operating model. The tools available to solve compliance problems have greatly improved in terms of cost efficiency and capability over the past decade. AI-enabled solutions are cost-effective, location-agnostic and highly scalable across the enterprise.

WorkFusion pre-built AI Digital Workers are a perfect fit for TPPPs that are scaling fast and working across multiple jurisdictions. For example, Evelyn is an AI Sanctions Screening Alert Review and Adverse Media Monitoring Analyst that delivers an immediate and tangible impact by automating many of the time-consuming, error-prone tasks related to adverse news and sanctions alert review. Then there’s Tara, an AI transaction screening analyst that protects against processing payments by sanctioned organizations and individuals.

To see both Evelyn and Tara in action, click here to request a demo.


Share this article