In July of 2023, the United States Federal Reserve Board launched FedNow. It’s a new real-time payments rail that’s being made available to financial institutions across the country. It offers near-instantaneous crediting and debiting for financial institutions. And it’s available 24 hours a day, 7 days a week, 365 days a year.
But it’s not without risks. A platform where transactions are completed so quickly that they’re near impossible to halt or reverse will likely be attractive to criminals. Bad actors can try to intercept payments or hijack accounts to send money to their own accounts. Irreversible real-time payments are also a prime avenue for criminals to launder money.
Thus, the US Federal Reserve is imposing new regulatory requirements on financial institutions wishing to offer FedNow as a service. Fortunately for US FIs, most of these rules are things they already do in accordance with US law or as federally licensed banks. We explain them below.
FedNow Compliance Requirements: AML & Sanctions Compliance
As FedNow is a new payments service—and one offered by the US government, no less—it requires financial institutions that offer it to comply with certain regulations. Fortunately, at the core of FedNow compliance are things that most FIs are already equipped to handle.
One is the Federal Reserve’s Payment Service Risk (PSR) policy, a capital adequacy and risk management policy. It involves FIs responsibly borrowing credit from the Federal Reserve to fund overdrawn accounts to avoid penalty fees and other consequences.
Other requirements include the following:
Have an Adequate AML Compliance Program
As a service of the US government, FedNow requires financial institutions that adopt it to have sufficient anti-fraud, AML, and CFT systems in place. Risk and compliance teams need a clearly defined policy that team members can reference to complete their necessary objectives. It should be written, easily accessible to all members, and delineate what is required of the organization as a whole to meet compliance requirements.
These include customer due diligence procedures that meet Financial Crimes Enforcement Network (FinCEN) guidelines, as well as processes for screening users against current and future sanctions lists. They should be reasonably tailored to managing risks associated with the parts of FedNow an FI wants to use or offer to customers.
Meet Information and Data Security Requirements
Since FedNow processes payments extremely quickly and often irrevocably, protecting the information it handles is of paramount importance. Whether it’s customer ID and financial credentials or operations-related data from the Federal Reserve, a breach could allow for mass attempts at laundering money or fraudulently taking money out of random customer accounts.
That’s why the Federal Reserve requires any financial institution that offers FedNow to comply with certain security standards. These include:
- The Federal Reserve’s operating circulars, specifically OC 5 (general access and sending/receiving data vis-a-vis Federal Reserve services) and OC 8 (specific to transactions made through FedNow)
- Physical and digital security for systems, checked annually for consistency with the FedLine Solutions Security and Resiliency Assurance Program
- Digital message signing facilitated by public & private key pairs
- Managing sets of encryption keys and digital authentication certificates
- User interface authorization consistent with the FedLine Solutions authentication process
Establish Consumer Protections and Notifications
Financial institutions that offer FedNow services must comply with applicable consumer protection laws in doing so. Notably, they should develop consistent communication systems with which to notify parties of the statuses of transactions in FedNow. That is, they should disclose as soon as is appropriate when the sending party’s request has been processed and when the receiving party has the funds available.
The Federal Reserve recommends the receiving institution have a mechanism to confirm that a transaction has been posted. In addition, it should relay this notification to the sending institution as soon as possible so it can be passed on to the sender. This makes for good customer service and transparent banking operations.
Other than that, it’s up to FIs to adopt consistent ways of notifying customers, through available (and approved) channels, of what’s happening with their FedNow transactions. Sooner notifications are better, as FedNow is designed to process transactions as quickly as it can do so safely.
Conduct Customer Due Diligence Checks
Financial institutions that offer FedNow as a service must conduct customer due diligence checks on users opening and operating accounts for FedNow. These checks must be consistent with FinCEN’s standards, particularly the CDD Final Rule.
FinCEN’s CDD Final Rule requires financial institutions to ascertain and verify the identities of customers who use their services, be they individuals or companies. In the case of companies, FIs must also find and validate the identities of any beneficial owners: individuals who control at least 25% of an ownership stake and/or voting rights in a company.
Next, an FI has to develop a risk profile for an individual or a company and its owners based on their profile and the stated purpose of the account. Types of questions it should ask include:
- How much money will they be handling?
- Do they hold influential political positions?
- Do they have a good public reputation?
- Have they been involved in illicit dealings in the past?
- Are they dealing in high-risk industries or locations?
- Is the company’s leadership structure difficult to understand?
An FI needs to answer these types of questions to determine how risky a client’s account will be (or is). Some clients may be sufficiently high risk that they need to be subjected to enhanced due diligence, which is a deeper look into their identity and history.
All clients should also be monitored for changes to their identifying information, which may, in turn, increase or decrease their relative risk level.
The point of all this is to ensure clients are who they say they are and aren’t using fake or stolen ID credentials to obfuscate their risk level or cover for committing financial crimes. This is especially important for real-time payment systems like FedNow, as criminals could cause a lot of trouble with instant and irreversible payments if they manage to get into the system.
Perform Sanctions Screening
As part of their customer due diligence, financial institutions offering FedNow need to check whether any potential party to a FedNow transaction is on a sanctions list or other financial watchlist. That includes checking whether the person or other entity operates out of a country or other jurisdiction that has been sanctioned or is at least under increased financial supervision. Such an entity may not be allowed to be part of a transaction at all, or at least presents a higher risk and so should be monitored more closely for suspicious activities.
Obviously, this should be done with all of the FI’s own customers at the time of onboarding. However, customer transactions should also be monitored to ensure the parties they are sending money to (or receiving money from) are not sanctioned or overly risky.
FIs also need to be aware that sanctions lists are updated over time. So they need to be able to check for updated sanctions lists regularly and block (or at least more closely monitor) the FedNow activities of parties found on those lists.
Use Transaction Monitoring to Stay Ahead and Get Access to Additional Features
As noted, financial institutions should have adequate transaction monitoring systems in place to check if FedNow is being used by shady actors or for suspicious deals. Despite FedNow being a real-time payments system, the Federal Reserve System does not currently require FIs to have real-time transaction monitoring to offer FedNow as a service.
However, FIs that do screen transactions in real time gain access to additional tools to support their compliance with FedNow regulations. For example, they can use the “accept without post” (ACWP) response if their systems suspect a FedNow user receiving money is doing so illegally.
This exempts the FI from having to make funds immediately available to the receiving user, and gives it time to investigate the transaction. By the next day, the FI must reject the transaction, clear it, or set its status to “pending” (PDNG) and send status reports to the sending bank while conducting and completing an investigation.
In any event, transaction monitoring is still useful for detecting patterns of activity that may indicate certain FedNow users are abusing the system. Then an FI can restrict those users’ access, notify the authorities, and take other disciplinary actions.
Ideally, for FedNow, though, an FI can screen transactions in real time to identify anything out of place before a deal actually goes through. Since FedNow transactions can happen very quickly and can’t be reversed once completed, it’s better to catch financial criminals in the act rather than investigate them after the fact.
Be Fully Prepared for FedNow with Unit21
Overall, adopting FedNow doesn’t require much from financial institutions in terms of compliance beyond what they should already be doing. Still, FedNow is a real-time payments system that could be abused for acts of stealing or laundering money that would be hard to undo. So it would definitely help participating FIs to have a full complement of anti-fraud and AML tools to make onboarding as smooth as possible.
Unit21 is here to help with our real-time Transaction Monitoring and Case Management solutions. Aggregate and analyze activity and contextual data from multiple sources, then auto-file SARs with the authorities to stay one step ahead of crooks. Contact us for a demo to see how it works.