Compliance Foundations
Executing core compliance functions efficiently and effectively to enable business growth
-
Risk Assessments that capture all known risks and controls, rooted in customer, product, and geographic trends and operational effectiveness.
KYC programs designed to verify the identity of customers, collect required information, and assess customer risk levels. Onboarding and ongoing due diligence efforts should seek to reasonably minimize customer friction.
Transaction Monitoring should be risk-based and take into account factors such as the customer's risk level, the type of account or transaction, and the geographic location of the transaction. Companies should maximize the use of automated systems to assist with transaction monitoring and flag suspicious activity for further investigation.
Suspicious activity reporting is a critical component of AML compliance and helps law enforcement to investigate and prosecute money laundering and terrorist financing.
-
Written policies and procedures designed to comply with sanctions regulations and guidance. These policies and procedures should be tailored to business activities and should cover all aspects of sanctions compliance, including customer due diligence, transaction screening, and reporting.
Risk-based screening programs to identify and assess the risk of each customer. The program should include procedures for identifying and verifying the identity and locations of customers and beneficial owners, as well as screening customers against applicable sanctions lists.
Transaction screening programs to detect and prevent transactions that violate OFAC and other relevant global sanctions regimes. The screening program should include procedures for screening all transactions, including wire transfers, ACH transactions, blockchain transactions, and other payment methods.
Geolocation monitoring to mitigate risks of transactions and customers violating sanctions obligations.
-
Policies and control mechanisms to prevent internal fraud against the company. This includes an established whistleblower program and routine testing.
Policies and control mechanisms to prevent external fraud against customers and business partners. This includes reasonable account access, funding, and transaction controls.
Customer education programs and prominent fraud and scam warnings for customers at higher risk of financial exploitation, delivered at account opening and at periodic intervals.
-
Data collected and processed legally, fairly, and in a transparent manner. Data subjects should be informed about what data is collected, why it is collected, and how it will be used.
Personal data collected for specified, explicit, and legitimate purposes.
Only the minimum amount of data necessary for the intended purposes collected and processed.
Accuracy and consistency of customer data.
Personal data kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
-
Complaint and customer appeals handling processes that incorporate: a complaint management database for documenting, tracking, and routing; escalation procedures for complex or repeat complaints or appeals; and timely, closed-loop validation of complaints and appeals.
Communications that provide accurate, timely, and meaningful information to customers regarding appropriate use of the platform, availability of support channels, the need for requested information, expectations and processes, and disclosing required legal and regulatory information sufficient to support any adverse account action.
Controls that prevent the financial exploitation of at-risk populations (e.g., elder abuse, human trafficking).
Integration of customer support functions into compliance and operations to maximize customer experience and maintain a defensible compliance posture.