Understanding AML requirements for payment processors

The payment processing industry is growing at a projected rate of 13.7% annually and expected to reach $146.45 billion by 2030. But along with growth comes increased risk of transaction laundering, a form of money laundering in which legitimate merchants process payments for illicit purposes on behalf of a third party.

Payment processors are increasingly subject to Anti-Money Laundering (AML) requirements. Whether it’s a legal requirement or a best practice, understanding how to protect your payment processing company from fraud, money laundering and other financial crimes is critical to operations.

What is a payment processor?

Payment processors play a vital role in securing and transmitting payment data between merchants and financial institutions. After receiving credit or debit card information from a merchant’s payment gateway, the processor checks for authorization from the bank or card network. If the payment is authorized, the processor informs the customer’s institution to send funds to the merchant’s institution.

There are numerous payment services, such as payment gateways, and regulations vary depending on the service. Checking local rules for payment services is necessary to ensure you have the correct compliance procedures and licensing.

U.S. AML requirements for payment processors

In the U.S., the Bank Secrecy Act (BSA) generally does not subject processors to AML requirements. But the Federal Financial Institutions Examination Council points out that, “Payment processors pose greater money laundering and fraud risk if they do not have an effective means of verifying their merchant clients’ identities and business practices.”

Payment processors that neglect AML requirements and proper due diligence often face heightened risk and banks that are unwilling to do business.

“U.S. financial institutions now expect the PSPs (payment service providers) forming part of their network to have strong controls for AML, sanctions, and antifraud,” according to McKinsey Insights.

Additionally, the ENABLERS Act, a bill making its way through the federal legislative process to further combat money laundering, includes payment processors. While not a legal requirement yet, compliance best practices for payment processors operating in the U.S. mirror those of regulated financial entities.

Canada AML requirements for payment processors

Canada has changed its reporting requirement for payment processors. On April 27, 2022, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) retracted its exemption for certain merchant servicing and payment processing providers and now regulates them as money services businesses or foreign money services businesses. Those companies now must comply with electronic fund transfer obligations.

Understanding who you are doing business with is now a legal requirement for payment processors in Canada.

EU AML requirements for payment processors

In the European Union, payment services are under the AML directives and the Payment Services Directive and are considered regulated institutions.

The global trend toward more AML regulations is already affecting payment processors. Ensuring third-party payment processors’ AML risk assessments and controls are effective can simplify compliance.

Implementing robust AML practices

There are fundamental requirements for AML. Those include:

• Written policies
• Designated compliance officer
• AML training
• Ongoing review processes

Sanctions screening

A thorough screening program includes checks on sanctions and politically exposed person (PEP) lists. Watchlists are constantly updated with new names, so the sanctions and PEP screening should be done in real time to adhere to Know Your Customer (KYC) requirements and enhance customer onboarding.

Transaction monitoring

It’s also important to understand account activities and take appropriate actions when questions arise. Transaction monitoring includes keeping accurate records, filing reports if transactions exceed a set threshold and reporting suspicious activities that might indicate money laundering or other criminal activities.

But an AML compliance program is not just about preventing bad actors from creating accounts or propagating illicit activities through your system. Sustainable, effective programs also provide quick customer onboarding while controlling costs.

Automated workflows, effective merchant risk management and KYC processes can help strike a balance between fast onboarding and strong security. According to the Aite group, there’s a seven-step process to successfully onboard a merchant:

• Prescreening
• Merchant KYC/identity verification
• Merchant history check
• Business and operational model analysis
• Web content analysis
• Information security compliance
• Credit risk underwriting

Solid AML compliance also creates payment fraud management processes that help prevent losses, protect the organization and ensure operations are smooth, secure and scalable. A 2022 payments fraud study found that merchants spend an average 10% of eCommerce revenue managing fraud, so the cost savings can be substantial.

Payment processing is an industry with growing opportunities and increasing regulatory scrutiny. Sound AML compliance practices can lead to stable, audit-friendly operations that appeal to banking partners, merchants and regulators.