Will Lawrence

Financial Crimes Enforcement Network, US Treasury is on a roll publishing another Notice for FIs. This one is re: sextortion. Alison Jimenez has done a lot of research on this topic over the years. So check her posts out. Below I dive into some takeaways for every FI - tradFI or not. As a side note - the AI-enabled aspect (pg. 7) of sextortion is alarming and should serve as notice to every parent and caregiver. While most of this should be caught by involved and watchful parents, there are some aspects of financial extortion that can and should be caught by an FI. ⚠️ There are a few glaring issues that make this very difficult for tradFIs to fully operationalize - the lack of regulation/enforcement on the biggest P2P rails from a travel rule perspective (Zelle??)... no/little info on senders/receivers. As well as unregulated (AML) payment processors that are responsible for the facilitation of CSAM purchases. Add to that the prepaid card issues (regulated only at a $/use threshold) and again, this burden to detect and report is completely on banks/credit unions. 1) As noted in every other Notice/Advisory post from the last few years - if your FI does not have an AML system that provides you with the tools to operationalize the red flags found on pgs. 8-9, you'll need to remedy that. There are very clear starter rules with some conditions... having a rapid transfer in/out rule that you cannot add conditions to will not get you where you need to go. Reach out if you need some suggestions on what AML systems are top of the line. Starter data to implement, some need multi-conditions, some don't: a) ages of customers (joint and primary); b) jurisdictions of concern (in order: Cote d’Ivoire, the United States, the Philippines, Monaco, Burkina Faso, the Dominican Republic, Kenya, Benin, and Nigeria); c) description keywords in ACH fields and in wire fields ("delete the pic", "please stop", "for orphans", "for family"); d) description searches for prepaid card purchases, transfers to CVC; e) signs of a pass-through account (i.e. - no reason to send funds to your FI, only used to obfuscate trail) 2) For every FI - bank or credit union. Pgs. 3-4 and 8 have a copy/paste section that should be on your customer facing website. Should also be easily seen from the online banking platform as well, especially if your platform allows minor accounts to log-in and send wires or P2Ps (yes, even Zelle). Heck, if there is a minor on an account (primary or joint), it would be better to have a pop-up box warning against sending money under duress. 3) Prepaid card MSBs - I know most are not in the business of monitoring beyond cash. If anything, this type of crime should be immediately operationalized and use 314(b) to contact the FI that funded the prepaid card if you have questions. 4) MSBs that allow P2P and also sell prepaid cards... you should be looking across your data silos. No excuses. #ifollowdirtymoney

151

13 Comments

Announcing Trustpair and Nacha Partnership | Strengthening ACH Security Ahead of 2026 Trustpair is now a Nacha Preferred Partner for Account Validation, Fraud Monitoring, and Risk & Fraud Prevention. This partnership couldn’t be more timely. As ACH volumes surge in the U.S (B2B Payments on ACH Network increased 10% last quarter vs 2024) the stakes have never been higher for corporates. And with the new Nacha fraud-monitoring rules coming into force in 2026, every ACH participant will need stronger, risk-based controls to keep payments secure. What’s changing in 2026? From March to June next year, Nacha will require ODFIs, RDFIs, third-party providers, and originators to implement more rigorous, risk-based processes to detect fraudulent ACH entries. Every participant in the network is concerned, not just financial institutions. That’s where Trustpair brings immediate value. Our platform verifies bank account ownership, detects anomalies and fraud, and continuously monitors vendor data across the entire P2P lifecycle. By automating account validation and fraud detection, we help organizations: • Achieve a zero vendor payment fraud target • Cut 90% of time spent on manual controls • Strengthen compliance with the upcoming Nacha rules As wire transfer and vendor fraud grow, amplified by AI-generated attacks and deepfakes, protecting every payment is a strategic imperative. Joining forces with Nacha reinforces our shared mission: making ACH payments safer, smarter, and more resilient for every corporate in the U.S. ➡️ Want to understand what the 2026 Nacha rules change for your organization in terms of fraud prevention? Drop me a message - happy to walk you through it. In the meantime, get more information on the partnership: https://lnkd.in/epH5yra2 #ACH #Nacha #FraudPrevention #B2BPayments #Trustpair Amy Morris Dawn Smith Jeremy Leleu Michael Cloherty Driss Alaoui Mrani Sean Singleton Jacob De Leon Trent Moldenhauer William Petronzo Theodore Nadeau Philippe Alvarez

57

2 Comments

News from BaaS Island! Hatch Bank, a California-chartered BaaS sponsor bank with $118 million in assets, has entered into a consent order with the California Department of Financial Protection & Innovation. Hatch's most notable fintech partner is Wisetack. You may recall that it also worked with HMBradley, which it forced to stop taking on new accounts in 2021 because Hatch was unable to accommodate the neobank's rapid growth. The California DFPI consent order is the result of a March 4 2024 exam (FDIC + DFPI), which found unsafe/unsound practices and BSA-AML violations tied to Hatch’s third-party-fintech business model. Among other things, the consent order requires the bank to: - Redo its written enterprise money laundering and terrorist financing risk assessment so it accurately reflects the bank's fintech partners, customer types, volumes, and geographies. This must be done within 60 days. - Write or overhaul policies for: internal controls, alert review & SAR process, customer due diligence, transaction-monitoring model validations, and staffing adequacy reviews. This must be done within 90 days. - Periodically review every vendor or fintech partner that supplies BSA functions (KYC, monitoring, case management, etc.) and review internal staffing head count and skills to ensure that they are sufficient to meet the compliance and risk management needs of the bank based on projected partner and transaction growth. - Obtain written approval from the California DFPI before engaging in any new lines of business or establishing any new branches or other offices. For the most part, the Hatch Bank consent order is consistent with the orders that other BaaS sponsor banks have entered into with regulators over the last couple of years (correct BSA/AML deficiencies, increase board oversight, etc.) From what I can tell, the big differences with this one are, A.) the timelines (60 days for the risk assessment and 90 days for the full BSA/AML program is fast, relative to other orders), and B.) the California DFPI taking the lead. That last point is worth emphasizing. Consent orders for state-chartered BaaS banks are usually issued jointly by federal regulators (either the Fed or the FDIC) and state regulators. This is the first one that I have seen issued solely by a state. Perhaps a parallel order is forthcoming from the FDIC, but if not, it may indicate that the states (particularly California and New York) are preparing to take on more of a leading role in supervision and enforcement over the next four years. As for Hatch Bank, I'm guessing 2025 will be a year of remediation and strategic reevaluation. It's worth noting that the executive who led the transformation of Hatch into BaaS sponsor bank (Jer Wood) left in January of 2024 and is now the head of lending strategy, partnerships, and operations at Cash App.

99

10 Comments

Most fintechs don’t think much about audit trails. Until a regulator asks for one. That’s when missing logs turn a small oversight into a major problem. A compliance audit trail isn’t just recordkeeping. It’s how you prove your controls actually work. Every approval, policy update, or AML review should leave a traceable path. Without that, regulators and even your bank partners can’t verify your compliance story. Read our article to learn more: https://lnkd.in/e4yJ2aSp 

5

VAMP = Winter is coming Heard through the grapevine, a processor terminated 2,600 higher risk merchants. That’s the largest batch to date but those numbers will explode by Oct 1st. On a different note, the new VAMP rules are not specific about timing. How is the VAMP Fraud Ratio calculated over time? Is it like chargebacks and whatever hits in the month from the first through EOM? Or is it a rolling 30-day period? What happens when a TC40 is reported late? For example, a transaction from January gets a TC40 but it’s not reported to the acquirer until May? Is that applied retroactively to Feb or count against May’s Fraud Ratio calculation? What I heard from sources close to Visa is “nothing is finalized but we’re working on it”. VAMP could result in 250,000 merchants getting terminated simply due to poorly designed parameters and bad luck.

12

🔎 AML/BSA Situational Scenario Imagine this: Your fintech has grown quickly over the last 12 months. Transaction volume has doubled. You’ve expanded into new states under your money transmitter license. Alerts are up. The team is stretched. Then you receive notice of an upcoming regulatory review. On paper, you have: ✔ An AML policy ✔ A transaction monitoring system ✔ SAR filings up to date ✔ A designated compliance contact But internally: - Monitoring thresholds haven’t been revisited since launch - Alert quality has declined as volume increased - Documentation is inconsistent across investigators - The risk assessment doesn’t reflect new products or geographies - Board reporting is limited to high-level metrics This is where situational risk becomes real risk. AML/BSA programs rarely fail because nothing exists. They struggle because growth outpaced structure. Early, sustained growth requires: • Intentional governance • Continuous right-sizing of controls • Clear escalation paths • Monitoring tuned to real risk • Executive-level oversight aligned with licensing obligations This is where a fractional CCO can make a meaningful difference. A fractional Chief Compliance Officer provides: ✔ Strategic oversight during periods of expansion ✔ Alignment between AML controls and business evolution ✔ Proactive exam and partner-bank readiness ✔ Stability and executive judgment without full-time overhead For early-stage and growth fintechs, the right leadership at the right time can prevent small gaps from becoming major findings. Strong growth isn’t just about scale. It’s about stability. #AML #BSA #FinCrime #ComplianceLeadership #ChiefComplianceOfficer #FinTech #Payments #MoneyTransmitter #MTL #RiskManagement #TransactionMonitoring #RegTech #FinancialCrime #FinancialServices

1

Banks already have solid cores.
They’ve got APIs, compliance, and decades of reliability. What’s missing isn’t another system — it’s the intelligence layer that sits between intent and execution. When a customer says, “make sure I don’t overdraft this month,” the bank already knows: - Balances across accounts - Upcoming bills - Spending history - Available credit But nothing connects that knowledge to action.
Everything still waits for a human click. The intelligence layer would: - Monitor balances in real time - Predict cash flow gaps - Move money automatically within limits - Explain every action it takes It’s not about replacing bankers.
It’s about letting the infrastructure be as smart as the people who run it. The data’s there. The rails are there. The policies are there. What’s missing is orchestration. Where else in banking does knowledge exist but action doesn’t?

7

One myth I'd like to bust (and that I hear a lot) is that bank and fintech compliance teams are allergic to innovations like AI. The reality is that they are wary of overly relying on unproven or untested technology. I think that's the right approach; those of us offering new solutions have the obligation to alleviate these concerns.

39

1 Comment

One of the core learnings for the future of money was figuring out how to embed the licensing directly into the currency itself. Identity, compliance, regulatory infrastructure—all of it lives in the token. A fintech can drop in a single line of code and suddenly they've got full banking functionality. FDIC insurance. ACH rails. Bill pay. Payroll deposits. All without touching a single state license application. It's like giving developers access to the entire US banking system through an API. The business model flips too. Instead of fintechs paying processing fees, they earn revenue on balances. We're talking 2.25% on deposits they bring to the platform. Zero licensing burden, zero compliance headaches, and they're making money from day one. We've already got 100,000+ users holding USBC through Uphold. As part of our vision for tokenized deposits, they would be earning 5.25% yield—actual bank interest, not some rewards gimmick that regulators are going to shut down.

47

3 Comments