Alviere Experts Series: Managing the three pillars of risk

What does it mean to work with a licensed, regulated embedded finance provider? It can make the difference between long-term success or failure of a financial program. The technology that underpins the ability to offer a financial product is one aspect of the solution. The program itself, understanding and managing risk and compliance, is another. In this video series, we'll explore the different facets of risk and regulatory compliance with our Chief Compliance and Risk Officer, Jorgen Norgaard.



Q: When offering financial services, we know it's important to reduce your risk exposure. So in your opinion, what are some areas that companies should focus on to mitigate risk exposure as they launch and scale their program?

That's an excellent question. Companies have to consider at least three pillars.

The first pillar would be at the product level. If they're going to do a cart management program, a wallet program, or if remittances only, each of these products have very specific regulatory requirements in terms of communication to the end user, the consumer.

They need to have certain disclaimers. Users need to access the privacy policies and agreements in place. Also, you have to be able to communicate promptly to the user that the transactions have been completed. In that product pillar, we have all the expertise in our teams are absolutely subject matter experts in delivering these backend solutions. And then tailor-making them for each of our enterprise clients because all the products — although they are top-level the same — the moment you go into the details based on the market segment that our clients are going after, that might trigger certain requirements. All the work to comply with the regulatory framework that protects the consumer, it's being done by us. 

Our second pillar: Is the product is up and running? Now we're going to run a marketing campaign for this. That's another piece that also has significant regulations in the financial space about how you communicate what the product does. You have to communicate clearly what the fees are for the product. You have to communicate when,  let's say it's a remittance, when those funds will be delivered, and you have to document and provide that. So we have a very stringent process for reviewing all the advertising that's being produced by our enterprise clients. It's a joint effort. They produce it and we review. We even submit approval to our sponsor banks as well, in some instances, depending on the type of product.

The last pillar is continuous monitoring from the financial crimes standpoint. Every time a user gets onboarded, of course, they're going to go through KYC, a know your customer process.

Once the users are in our system, all the transactions that flow through will be examined from two perspectives: From a money laundering standpoint, and from a sanctions standpoint. We continuously fine-tune those rules to ensure that we only detect and capture what are called bad actors in the system. And that's an ongoing interactive process, because we have to understand clearly the product, the geography, the channels they're going to be using, as well as the end user typology. That is, who is using the product to ensure it's fit for purpose. Because that also drives everything behind the rules and scenario creation for, let's say, the money laundering rules. You're going to imagine, okay, this is X person. They're going to be doing this number of transactions in a period of time. That's establishing normal behavior. From there you can determine what is not a normal behavior as a defining element to trigger alerts in the system.

Q: It's important for us to break down risk management and risk exposure into three areas. There's consumer management, marketing compliance, and managing financial crimes. Let's talk about the first one, consumer management. How do you manage risk in that area?

We have to consider the legal requirements when we set up a consumer in our systems, be it for remittances or prepaid cards. And that comes through having the right disclaimers, the right terms and conditions. We're enabling our system to give notifications to the consumers as needed. We also provide them with a customer care system where they can reach us if they think there's any error or omission in their transaction.


Q: In terms of marketing compliance, how should companies look at staying in compliance when it comes to marketing their products to consumers?

Marketing compliance is becoming a hot topic currently. Fresh off the press, the CFPB rule issued today is very clear about how companies should be very clear in their advertising and not give any false or misleading statements that could lead the consumer to think, for example, the transactions they're going to conduct are free.

And then in the small T's and C's, you might see “we're going to charge you these fees or something will happen.” So regulators are very keen on that right now. And they've actually issued several enforcement actions against certain companies because of what they call misleading advertising.


Q: The third one, financial crime management, how do you look at the right way to approach financial crime management?

All Alviere systems are tailored to the different types of end users we have depending on the program we're running. So we're really keen on not creating undue friction. But every customer from the moment they get onboarded, where they get screened for different platforms through to when they start transacting, will be going through our anti-money laundering platforms and sanctions.

Q: I
n terms of controlling the compliance component of a program, we say that we own the compliance controls. Could you give a little explanation as to what we mean by that?

As a licensed entity by the state regulators as a money transmitter, we are the owners of all the compliance controls we put around our processes. What do we mean by that? We're defining the controls that need to be put in place from a consumer protection standpoint.

From an anti-money laundering and fraud protection standpoint, we share this risk with our enterprise clients, defined through conversations to understand the risk appetite, how restrictive or how open these controls need to be, and then we work together with them, always within the regulatory framework to get things done.


Q: There are different levels of KYC that you have to get from your customer depending on the type of program. So talk us through what KYC is at a high level, and how it varies between different programs. For example, a remittance program versus a debit card program.

As a financial institution, we are mandated by FinCEN to keep a know your customer (KYC) program. And that is also driven by what they call the customer information program (CIP), where there are minimum data requirements we need to capture from our clients. So the difference across a program is defined by the type of product. If you have a remittance-only product, that requires just the name, date of birth, and address of the person sending the money. Very simple. We will only screen those against sanctions. And the reason behind that, is that the remittance programs usually don't require the user to open an account to send funds. 

Prepaid card programs will have a formal account with us through our sponsoring bank. And under our regulatory framework, that does require what's called a full KYC. By that we will be getting full name, date of birth, social security number, or if they're non-residents, they may have a tax identification number. And we will work with that to comply with the regulatory framework.

Q: Can you touch on balancing KYC requirements with user adoption goals? You don't want too much friction for the user, but you also want to make sure that you're in compliance. How do you balance KYC requirements with user adoption goals?

Obviously we always want to meet all the regulatory requirements in terms of knowing your customer, but that needs to be meshed with how to reduce the friction for the user. If you think about it, if there's a very strict, and even manually-driven, process for KYC, that will make the user journey very difficult.

During the process, users will need to supply documentation, again depending on what they're trying to do.  With a platform like Alviere, we try to make this very easy. We fulfill our minimum customer identification program (CIP) KYC requirements when they access the app, the minimum data they have to upload. And then in the documentary piece, what we actually do is simply request a selfie and a picture of the back and front of their ID.

That makes it simple as our backend third-party vendors will verify the user information. Our aim is to make it as simple and easy for the customer to come onboard while still gathering all the right information we need. And then we have top-tier vendors at the backend who can actually provide us with identify verification assurance.


Q: What guidelines do we follow to ensure consumer data protection and consumer rights?

The U.S. is following the lead given by Europe and the GDPR when it comes to consumer right protections, but governed by state law. There are currently 15 states with state-specific privacy rights laws, and we follow all of them. Usually what we do is we take the most strict decision across all the states and that's the one we put in place for Alviere. So it's a policy to apply the utmost care of data privacy of our clients and their customers, and that means from a system standpoint having the right controls, the right audits, consistently reviewing those, and fulfilling all those statutory requirements that we have to meet.


Q:  What are some of the biggest mistakes you see companies make as they bring these new financial products and services to market?

The end of 2023, and now 2024, had a rash of enforcement actions against some fintechs. A lot has to do with the lack of awareness of their obligations in the regulatory landscape. Banks are being held responsible for what their fintech partners have not done.

This is where these big mistakes can come in. If you are an enterprise client and you work with a company similar to Alviere, but this company doesn't have money transmitter licenses, this company doesn't think that it's their obligation to have the compliance program or fraud program, it will come back and bite them as is happening now to the banks in this space.

We ensure that every product and every service we launch meets all regulatory requirements. And we understand that that's the right way to go in the long-term to have sustainable growth. Because many people believe ease to implementation will lead to rapid growth. Truth is, that ease to implementation without the right controls will lead to an enforcement action down the road. The companies are then going to be in a world of pain where you will even see their customer’s brand reputation being tarnished because they launched a product that did not meet the regulatory requirements.


Q: For large enterprises who have segments of their customer demographics who are underbanked or unbanked, how can they, if they choose to work with Alviere, leverage our ability to be a card program manager and our money transmission licenses to help cater to those underbanked and unbanked customer needs?

One of the advantages we have is we can develop the specific products that large enterprise clients need to open access to these segments. As an example, you could build up a prepaid card program with wallets, which is connected to one of our vendors like Visa ReadyLink, whereby the end user customer can go into a bodega or a 7-Eleven, and use cash for remittance or to fund a debit card. That means that they become part of the formal economy where they can do internet retail, they can use the card for other purchases, they don't need to carry all that cash in their pocket. It's a much safer way. Even our wallets are FDIC-insured on a pass-through basis as well. So our enterprise clients can give them the added benefit that if something were to happen to the bank, their money would be saved.


Q: For companies exploring embedded finance technology, what would you recommend them doing for their due diligence in terms of the compliance?

Look at companies that are licensed by the states as money transmitters. These companies have to meet the minimum requirements for those MTLs, meaning they need to have a compliance program in place, an anti-money laundering policy in place, a sanctions policy in place, as well as the consumer protection policies.

Second, ensure that those licenses are nationwide, not just a few states, because you want to get the most coverage. I would also say that embedded finance buyers should understand the culture of the provider company. Do they have what is called a culture of compliance? How seriously do they take it?

Any company doing their due diligence should talk to the provider’s chief compliance officer to understand their policies, the structure, and how seriously they take the responsibility, because it's a key component for the success of financial products. And of course, the best one is Alviere, so they should just be coming to us.

Written by Alviere