Empowered by “Web 2.0” and built on the foundation of social media, a new wave of companies is taking shape, described as “next generation” businesses. Companies with names like AirBnB, Uber, Lyft, and Square are raising new compliance and regulatory challenges.
Many are non-traditional, dabbling in virtual currencies or engaging in peer-to-peer transactions, or are part of the “sharing economy,” where users lend and borrow cars, boats, houses, and vacation spots. These companies face unique money laundering and financial transaction risks that traditional online companies haven't had to deal with.
In a traditional venture, money laundering controls only look at one side of the transaction; many of these companies demand a dual-sided approach. In some ways the risk profile for some of these companies is mitigated because the cash amounts exchanged are often small. In other ways, however, risks are enhanced because they deal in, and with, non-traditional financial services. Their social media component can also open the door for international scammers who target users.
Reputational risk also has a very clear-cut financial impact on these types of business. To share, customers must trust that they are protected. If that's not the case, they take their money elsewhere.
“A lot of these companies are very altruistic in their outlook,” offered one insider at a growing company in the space. “The sharing economy is something that they are looking to build bridges using technology between people. If they didn't have Facebook or LinkedIn they would never be able to make these connections with people around the world. Once they reach a critical mass, everything rapidly accelerates and their bank takes notice of the fact that they are really moving a lot of money all of a sudden.”
Federal and state regulators also take notice and may try to “shoehorn” them into the same oversight afforded to money services businesses or money transmitting. “But really, the business model is not a perfectly congruent fit for what a traditional money services business does,” the executive said. “There's not a good fit between the regulatory regime and their business model. We are still trying to figure that out.”
A big risk is that these cutting-edge companies are fresh bait for fraudsters.
“The way trends usually go with these new types of businesses and business models is that you have a high degree of fraud right off the bat because you are trying to get so much business that you are not afraid to take any of it on,” says Micah Willbrand, director of risk and Payments for BankersAccuity, an international firm that provides financial services based compliance and risk reduction solutions. “Fraudsters, early on, use that to run stolen credit cards through and everything else until they get their risk and compliance systems in place.”
A notable example of an attack on a new business model: When PayPal launched in 2009, its brand new business model attracted scammers in droves. At one point, it lost hundreds of thousands of dollars a day through stolen credit cards and compromised bank accounts.
Willbrand cites other cautionary tales. He tells of easyJet, a British airline carrier that has grown to be the busiest airline in the United Kingdom. When it first launched with inexpensive flights in 1995, it was besieged by a large number of no-shows for booked seats. Fraudsters accustomed to going to gas stations to run the credit cards that they stole, instead went online and bought cheap fares just to make sure the cards worked.
He also recently spoke to investigators who were involved in investigative work following the so-called 7/7 suicide bombings that rocked London in 2005. The funding of that terrorist plot was apparently well-planned, and followed many of the same traits more current fraud takes. When applying for loans that would eventually be diverted to their plot, they always went to the bank at the end of the month. “They knew at that point, going in for an auto or unsecured business loan, that the marketing and sales departments probably hadn't hit their quotas and they would push the compliance guys harder to get the loans through as it got closer to 5 p.m. on a Friday.”
“The way trends usually go with these new types of businesses and business models is that usually you have a high degree of fraud right off the bat because you are trying to get so much business that you are not afraid to take any of it on.”
Director of Risk and Payments,
The lesson, he says, is that ambitious companies may be tempted to take on any and all business they can, but if they lack adequate risk controls this can be an Achilles' heel.
A vicious cycle may emerge. “In the beginning you have these drive-by transactions as they always go after the easy guys first,” Willbrand says. “The businesses finally start to get some revenue, put risk programs in place and dial back on fraud, but as they get more sophisticated, they face more sophisticated schemes.”
“The particular challenges a lot of these companies are facing happens to be what are the regulations, how do they actually get bank accounts, and what do they actually have to do to stay in business from a risk mitigation perspective,” says Brian Stoeckert, ?chief strategy officer at CoinComply. An executive board member of the Northern California chapter of the Association of Certified Anti-Money Laundering Specialists, his firm offers compliance solutions for virtual-currency exchanges.
Below is a graph describing how the Liberty Reserve, a digital currency firm recently sanctioned by regulators for facilitating money laundering, operated.
Source: Financial Crimes Enforcement Network.
Many next-generation businesses come from a technology background, not a business one, Stoeckert says. Some may not even have a fully buttoned-down business plan. Because “there is an arms race to get the product built and launched as fast as possible,” risk mitigation back-end work can take a backseat, he says. “Maybe your initial funding round was $100,000 or $250,000, it is all product based, and now someone is going to tell you that you can't get a bank account until you do all this other stuff. Well, they don't have the subject knowledge to put this together and they have to hire third-party consultants or advisers to help them build up.”
Stoeckert's particular focus, virtual currency, is a growing transaction model for cutting-edge companies. It too is under the regulatory spotlight.
The Treasury Department's Financial Crime Enforcement Network, FinCen, recently issued guidance for firms that issue or exchange virtual currencies, notably the popular bitcoin. Those that fit the criteria for being money-transmitters, must register with it, comply with a slate of regulations including Bank Secrecy Act requirements for “know your customer” screens and anti-money laundering functions like checking a customer's name against sanctions lists or monitoring for red flags and suspicious transactions. This can be difficult in an online world where face-to-face transactions don't take place. CoinComply's system uses verification methods that may include using Webcams and facial-recognition software, depending on how a particular AML program is structured.
Beyond the government, banks and venture capitalists are demanding operational programs of this sort. For companies that don't have adequate capital reserves, “they may not be in the best position to be able to stand up to exactly what the regulatory and banking system is asking them to do.”
Getting the bank accounts needed to be fully operational, he says, “is not as simple as going down, forming a corporation, and obtaining a business banking account. If they think you might count as a money service business, there will be a list of requirements you will have to do as part of the account opening process."
Another potential pitfall is that young companies often cannot resist the lure of international business. Traditional companies typically grow organically from the domestic side and then expand internationally. “What's happening now is that there is a lot of international activity that is looking for a domestic home,” Stoeckert says. “It's the inverse of what would otherwise happen.”
Given the risks they face, what should these emerging companies do?
Vigilance is crucial, says Ferhan Patel, chief compliance officer and director of global risk and compliance for Payza, a global online payment platform. “The various fraud scenarios that we monitor on a weekly basis are incredible,” he says. “For someone in a developing nation, if they make $10, or $100 each time, they consider it worth the risk that they are putting in because they are sitting behind a computer thinking no one will be able to catch them. The reward outweighs the risk.”
Crooks may not just steal credit card information. They may also try to manipulate currency exchange rates, or alter IP addresses, he says. Red flags may be an unusual pattern of log-in attempts, whether in number or location.
That vigilance, Patel says, has to extend to social media sites. On a frequent basis, he will find videos posted to YouTube and Vimeo that purport to be instructions on how to hack into his systems. Most are fishing for an individual who, by turning to a hacker, gets hacked themselves. With constant monitoring of video and social media sites, he can respond quickly and remove the offending content to protect those who may become victims.
Patel stresses the value of mentoring and industry collaboration. He suggests finding external expertise, whether it is paid consultants, free advice, or through a business group such as the Stanford University based BayPay Forum, which networks payment professionals.
“You might know about technology, but you need to find someone who understands the payment space inside out and can help you avoid pitfalls along the way,” he says. “You can't just read about compliance online. You may not realize what it actually means in application or in practice. Anyone who is starting up, whether venture backed or privately backed, should be networked and find other people in the same space.”