This is Part 1 of "The Compliance-First Fintech Playbook" series. Part 2 covers ML fraud detection. Part 3 examines the full cost of compliance programs.
Our first onboarding attempt took eleven days. Name, date of birth, address, SSN, done. That is consumer KYC. Then we added DEA license verification. NPI validation. State board monitoring. Beneficial ownership tracing through a professional corporation where three dentists each held 33.3% and a management services organization controlled the bank account. Eleven days, and we still had questions.
Standard KYC costs $2-3 per customer through vendors like Alloy or Persona. Healthcare KYC costs $8-12 per practice due to specialized data sources, manual verification steps, and ongoing monitoring requirements.
After onboarding 777 dental practices through the fall, we learned that compliance is an ongoing operational expense that determines whether healthcare fintech unit economics work at scale. These requirements build competitive advantages through compliance infrastructure that competitors cannot replicate without similar investment.
Healthcare providers operate under multiple identity frameworks that standard banking KYC does not address.
Individual provider identity includes NPI (National Provider Identifier), a CMS-issued 10-digit identifier available through the NPPES registry. DEA registration provides a DEA-issued alphanumeric identifier for controlled substances. State medical or dental licenses come from state board-issued professional licensing. Specialty board certifications add additional credentialing for specialties.
Practice entity identity includes NPI for organizational providers (different from individual NPI), FEIN/EIN for tax purposes, state professional corporation registration, and group practice agreements with ownership structures.
Beneficial ownership complexity is where healthcare KYC gets difficult. Medical practices often have ownership structures that consumer KYC cannot handle: multiple physician partners with less than 25% individual stakes but greater than 75% collective ownership, equipment financing companies with security interests, management service organizations (MSOs) with operational control but no equity, and spouse ownership for asset protection purposes. Standard banking KYC identifies beneficial owners with 25% or greater ownership stake. Healthcare KYC must also identify control persons who may have operational authority without equity ownership.
DEA number verification involves multiple validation steps that most fintech platforms do not understand. The format is 2 letters plus 7 digits (e.g., BC1234567). The first letter indicates registrant type (B for hospital, M for mid-level practitioner, etc.). The second letter is the first letter of the practitioner's last name. A check digit algorithm validates the number.
Active status verification checks the DEA public database for status: Active, Expired, Surrendered, or Revoked. Expiration dates require ongoing monitoring (typically 3-year renewals). Schedule authority validation confirms controlled substance schedules (I-V). Dental practices typically need Schedules II-V for pain management. Anesthesia practices require additional Schedule I authority. Geographic limitations mean DEA registrations are location-specific. Practices with multiple locations need separate registrations. Cross-state practice requires validation in each jurisdiction.
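The DEA format rules and status/schedule checks above can be exercised end to end before any vendor call is paid for. The following is an added example written for this article, not code from the Alloy integration described below: it implements the check digit as the text describes it (sum of the 1st, 3rd and 5th digits plus twice the sum of the 2nd, 4th and 6th, last digit of the result), compares the second letter with the registrant's last name, and then applies the status, schedule and expiry rules. The registration record is a constructed dict standing in for a vendor response, the function names are mine, and treating a revoked or surrendered registration as a hard decline (rather than a manual review) is an assumption borrowed from the workflow's `license_revoked` rule. Note that the placeholder `BC1234567` used in the snippet below does not pass the check digit, as a made-up number would not.

```python
from datetime import date

# Registrant-type prefixes named in the text; the full DEA prefix table is longer,
# so unknown prefixes are reported as "other" rather than rejected.
REGISTRANT_TYPES = {"B": "hospital/clinic", "M": "mid-level practitioner"}


def dea_check_digit(first_six_digits):
    """DEA check digit: (d1 + d3 + d5) + 2 * (d2 + d4 + d6), keep the last decimal digit."""
    d = [int(c) for c in first_six_digits]
    return ((d[0] + d[2] + d[4]) + 2 * (d[1] + d[3] + d[5])) % 10


def validate_dea_format(number, last_name):
    """Return a list of format problems; an empty list means the number is well formed."""
    if len(number) != 9 or not number[:2].isalpha() or not number[2:].isdigit():
        return ["must be 2 letters followed by 7 digits"]
    problems = []
    if number[1].upper() != last_name[0].upper():
        problems.append("second letter does not match registrant last name")
    if dea_check_digit(number[2:8]) != int(number[8]):
        problems.append("check digit mismatch")
    return problems


def registrant_type(number):
    """Map the first letter to a registrant type (only B and M are given in the text)."""
    return REGISTRANT_TYPES.get(number[0].upper(), "other registrant type")


def evaluate_dea_registration(reg, required_schedules, today, renewal_notice_days=90):
    """Decide 'proceed', 'manual_review' or 'decline' for one registration record.

    `reg` is a constructed dict standing in for a vendor response with keys
    number, last_name, status, schedules and expires (ISO date string);
    `today` is an ISO date string so the decision is reproducible."""
    problems = validate_dea_format(reg["number"], reg["last_name"])
    if problems:
        return "manual_review", problems
    status = reg["status"].upper()
    if status in ("REVOKED", "SURRENDERED"):
        # Assumption: treated like the workflow's license_revoked hard stop.
        return "decline", [f"registration {status.lower()}"]
    if status != "ACTIVE":
        return "manual_review", [f"status {status}"]
    reasons = []
    missing = [s for s in required_schedules if s not in reg["schedules"]]
    if missing:
        reasons.append("missing schedule authority: " + ", ".join(missing))
    days_left = (date.fromisoformat(reg["expires"]) - date.fromisoformat(today)).days
    if days_left < 0:
        reasons.append("expiration date has passed despite ACTIVE status")
    elif days_left <= renewal_notice_days:
        # Registrations renew on a multi-year cycle; surface the renewal early.
        reasons.append(f"renewal due in {days_left} days")
    return ("manual_review" if reasons else "proceed"), reasons


DENTAL_SCHEDULES = ["II", "III", "IV", "V"]

if __name__ == "__main__":
    # Constructed record: a well-formed number for a registrant named Smith.
    sample = {"number": "AS1234563", "last_name": "Smith", "status": "ACTIVE",
              "schedules": DENTAL_SCHEDULES, "expires": "2027-06-30"}
    print(registrant_type(sample["number"]),
          evaluate_dea_registration(sample, DENTAL_SCHEDULES, "2026-01-15"))
```

Running the format check first is cheap and avoids spending $3-5 on a vendor lookup for a number that cannot be valid; everything that passes the format check but fails a status, schedule or expiry rule carries its reasons into the manual-review queue.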
Our implementation through Alloy:
```javascript
// Simplified example - actual implementation more complex
const deaValidation = await alloy.validate({
  type: 'dea_license',
  number: 'BC1234567',
  lastName: 'Smith',
  practiceAddress: '123 Main St, Austin TX',
  expectedSchedules: ['II', 'III', 'IV', 'V']
})

if (deaValidation.status === 'ACTIVE' &&
    deaValidation.schedules.includes('II')) {
  // Proceed with onboarding
} else {
  // Flag for manual review
}
```

Cost implications: DEA verification runs $3-5 per check through specialized vendors. State medical board verification costs $2-4 per license per state. Ongoing monitoring costs $1-2 per month per provider. Manual review for exceptions runs $15-25 per case. This explains why healthcare KYC costs 3-4x consumer KYC.
National Provider Identifier validation involves cross-referencing multiple databases to ensure provider legitimacy. NPPES (National Plan and Provider Enumeration System) validation confirms NPI is active and properly formatted, validates taxonomy codes match claimed specialties, checks provider demographics (name, address, phone), and identifies individual versus organizational NPIs.
Taxonomy code verification matters. 207Q00000X is Pediatric Dentist. 1223G0001X is General Dental Practice. 122400000X is Oral and Maxillofacial Surgery. Mismatched taxonomy codes flag potential fraud.
Cross-database validation checks NPPES data against state licensing boards, NPI against DEA registration addresses, organizational NPIs against FEIN/EIN records, and individual NPIs against Social Security Death Master File.
Many providers have multiple NPI registrations: individual NPI for personal practice, organizational NPI for group practice employment, and locum tenens arrangements for temporary coverage. Our KYB process must identify all relevant NPIs and understand the relationships between individual and organizational providers.
Example validation failure: Dr. Sarah Johnson applies for business banking claiming solo practice ownership. NPI validation shows she is employed by Dental Corp LLC with no ownership stake. This triggers enhanced due diligence to understand actual practice ownership structure.
Healthcare providers face discipline from state licensing boards that standard KYC sanctions screening does not catch. State medical and dental board actions include license suspension or revocation, probationary supervision, continuing education requirements, and practice restrictions or limitations. Specialty board sanctions come from bodies such as the American Board of Oral Surgery, state dental societies, and hospital credentialing. The Office of Inspector General (OIG) maintains an exclusion list of sanctioned providers that must be screened. Exclusions prevent participation in federal healthcare programs and automatically trigger account closure or enhanced monitoring.
Providers licensed in multiple states require monitoring across all jurisdictions. A dentist licensed in Texas and Oklahoma needs monitoring from both state boards plus federal exclusion lists.
Ongoing monitoring implementation:
```python
# Monthly state board monitoring
def monitor_state_licenses():
    for provider in active_providers:
        # Every state license the provider holds is checked against its own board
        for license in provider.state_licenses:
            board_status = check_state_board(license.state, license.number)
            if board_status.disciplinary_action:
                flag_for_review(provider, board_status)
        # Federal exclusion is checked once per provider, keyed by NPI
        oig_status = check_oig_exclusion(provider.npi)
        if oig_status.excluded:
            initiate_account_closure(provider)
```

This monitoring generates ongoing compliance costs but prevents regulatory violations that could shut down the entire program.
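The `check_oig_exclusion(provider.npi)` step above hides a practical problem: many records in the OIG exclusion list carry no NPI, so a lookup by NPI alone misses them. The following is an added example written for this article, not the monitoring code described above: it loads a constructed LEIE-style extract (invented rows; the column names follow the public LEIE download as an assumption), indexes it by NPI where one is present and by last name, first name and date of birth where it is not, and routes a definitive NPI hit to account closure while a name-and-DOB hit goes to manual review. The provider roster, function names and action labels are all mine.

```python
import csv
import io

# Constructed LEIE-style extract (invented rows, not real people). The column
# names follow the public LEIE download as an assumption; NPI is 0000000000 when
# the excluded party's NPI is not on file, which is why name matching is needed.
LEIE_SAMPLE = """LASTNAME,FIRSTNAME,DOB,NPI,EXCLTYPE,EXCLDATE
DOE,JOHN,19700101,1234567890,1128a1,20240315
ROE,JANE,19800202,0000000000,1128b4,20230601
POE,ALAN,19650303,0000000000,1128a1,20150101
"""


def load_leie(text):
    """Index the extract by NPI, and by (LASTNAME, FIRSTNAME, DOB) for rows without an NPI."""
    by_npi, by_name = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["NPI"] != "0000000000":
            by_npi[row["NPI"]] = row
        else:
            by_name[(row["LASTNAME"].upper(), row["FIRSTNAME"].upper(), row["DOB"])] = row
    return by_npi, by_name


def screen_provider(provider, by_npi, by_name):
    """Return (match_kind, record). An NPI match is definitive; a name+DOB match
    against an NPI-less row is probable and goes to review rather than closure."""
    rec = by_npi.get(provider["npi"])
    if rec:
        return "npi", rec
    key = (provider["last_name"].upper(), provider["first_name"].upper(), provider["dob"])
    rec = by_name.get(key)
    if rec:
        return "name_dob", rec
    return None, None


# Action taken per match kind (labels chosen for this example).
ACTIONS = {"npi": "initiate_account_closure", "name_dob": "flag_for_review", None: "clear"}


def screen_all(providers, leie_text=LEIE_SAMPLE):
    """Screen every provider; return {provider_id: {action, match, excltype}}."""
    by_npi, by_name = load_leie(leie_text)
    results = {}
    for p in providers:
        kind, rec = screen_provider(p, by_npi, by_name)
        results[p["id"]] = {
            "action": ACTIONS[kind],
            "match": kind,
            "excltype": rec["EXCLTYPE"] if rec else None,
        }
    return results


# Constructed provider roster for the example.
PROVIDERS = [
    {"id": "P1", "npi": "1234567890", "last_name": "Doe", "first_name": "John", "dob": "19700101"},
    {"id": "P2", "npi": "9999999999", "last_name": "Roe", "first_name": "Jane", "dob": "19800202"},
    {"id": "P3", "npi": "5555555555", "last_name": "Lee", "first_name": "Kim", "dob": "19900404"},
]

if __name__ == "__main__":
    for pid, result in screen_all(PROVIDERS).items():
        print(pid, result)
```

Keeping the two match kinds separate is what keeps the $15-25 manual review cost bounded: exact NPI hits close automatically, and only the probabilistic name matches consume analyst time.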
Many states restrict corporate ownership of medical practices, creating KYB complexities that standard business banking does not address. Prohibited structures include direct corporate employment of licensed practitioners, non-physician ownership of medical practices, and management companies with excessive control. Permitted structures include professional corporations owned by licensed practitioners, management service agreements with appropriate limitations, and equipment leasing arrangements with proper documentation.
When onboarding a dental practice, we must verify all equity owners are licensed dentists (where required by state law), management agreements do not violate corporate practice restrictions, fee-splitting arrangements comply with state regulations, and referral relationships do not create Stark Law violations.
Example compliance issue: Dental practice applies for business banking. Ownership structure shows Dr. Smith (dentist) at 60% and Smith Holdings LLC at 40%. Enhanced due diligence reveals Smith Holdings LLC is owned by Dr. Smith's spouse, a non-dentist. In states prohibiting non-dentist ownership, this structure violates corporate practice of medicine laws. Resolution requires restructuring ownership or declining the customer relationship.
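The Smith Holdings case above, and the three-dentist practice with an MSO on the bank account from the opening of the article, are both ownership-graph problems: equity has to be traced through intermediate entities to natural persons, the 25% threshold applied to the result, and control persons carried regardless of equity. The following is an added example written for this article, not the onboarding platform's own code: the ownership graphs, person records and the `state_prohibits_non_dentist_ownership` flag are constructed inputs, and the function names are mine. Whether a given state actually prohibits non-dentist ownership is left to the caller rather than asserted here.

```python
from collections import defaultdict

# Constructed ownership graphs for the situations described in the text.
# owners[entity] -> list of (holder, fraction). A holder that is itself a key of
# `owners` is an intermediate entity; anything else is a natural person.
SMITH_PRACTICE = {
    "Smith Dental PC": [("Dr. Smith", 0.60), ("Smith Holdings LLC", 0.40)],
    "Smith Holdings LLC": [("Mrs. Smith", 1.00)],
}
SMITH_PERSONS = {
    "Dr. Smith": {"licensed_dentist": True},
    "Mrs. Smith": {"licensed_dentist": False},
}

# Five partners at 20% each: nobody reaches 25%, yet they collectively own 100%.
FIVE_PARTNER_PRACTICE = {
    "Five Partner Dental PC": [(f"Dr. Partner {i}", 0.20) for i in range(1, 6)],
}
FIVE_PERSONS = {f"Dr. Partner {i}": {"licensed_dentist": True} for i in range(1, 6)}


def trace_ownership(entity, owners, fraction=1.0, _path=()):
    """Indirect ownership per natural person: walk entity chains, multiplying the
    fraction along each path. `_path` guards against circular holdings."""
    totals = defaultdict(float)
    if entity in _path:
        return totals
    for holder, share in owners.get(entity, []):
        if holder in owners:
            nested = trace_ownership(holder, owners, fraction * share, _path + (entity,))
            for person, f in nested.items():
                totals[person] += f
        else:
            totals[holder] += fraction * share
    return totals


def kyb_ownership_review(entity, owners, persons, control_persons,
                         state_prohibits_non_dentist_ownership, threshold=0.25):
    """Identify beneficial owners at the threshold, carry control persons regardless
    of equity, and raise corporate-practice findings where the state prohibits
    non-dentist equity. Returns a plain dict suitable for a case record."""
    indirect = trace_ownership(entity, owners)
    beneficial = {p: round(f, 4) for p, f in indirect.items() if f >= threshold}
    findings = []
    if not beneficial:
        findings.append("no individual reaches the ownership threshold; "
                        "control persons must be identified")
    if state_prohibits_non_dentist_ownership:
        for person, f in indirect.items():
            if not persons.get(person, {}).get("licensed_dentist", False):
                findings.append(f"{person} holds {f:.0%} indirect equity "
                                "but is not a licensed dentist")
    return {"beneficial_owners": beneficial,
            "control_persons": list(control_persons),
            "findings": findings}


if __name__ == "__main__":
    print(kyb_ownership_review("Smith Dental PC", SMITH_PRACTICE, SMITH_PERSONS, [], True))
    print(kyb_ownership_review("Five Partner Dental PC", FIVE_PARTNER_PRACTICE,
                               FIVE_PERSONS, ["Constructed MSO LLC"], True))
```

The same graph walk answers both questions the text raises: the spouse who appears nowhere on the practice's own cap table surfaces as a 40% indirect owner, and the five-partner practice produces no beneficial owner at all, which is exactly the case where control-person identification has to do the work.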
Healthcare KYC requires specialized vendors that understand medical provider verification. Our vendor stack: Alloy for primary KYC/KYB orchestration with healthcare-specific workflows. Persona for document verification and identity proofing. ProPublica for state medical board scraping and monitoring. NPPES API for direct NPI validation and taxonomy verification.
Alloy healthcare workflow configuration:
```yaml
healthcare_kyc_workflow:
  steps:
    - identity_verification:
        vendor: persona
        document_types: [drivers_license, passport]
        selfie_required: true
    - professional_verification:
        npi_validation: required
        dea_verification: required_if_controlled_substances
        state_license_check: required
    - sanctions_screening:
        ofac_check: required
        oig_exclusion_check: required
        state_board_check: required
    - beneficial_ownership:
        threshold: 25_percent
        corporate_practice_check: required
        control_person_identification: required
  decision_logic:
    auto_approve:
      - all_checks_pass: true
      - risk_score: "< 30"
    manual_review:
      - any_check_pending: true
      - risk_score: "30-70"
    auto_decline:
      - oig_excluded: true
      - license_revoked: true
      - risk_score: "> 70"
```

Cost breakdown per practice: Alloy platform fee $0.50 per workflow. Identity verification $1.50 per individual. NPI validation $2.00 per provider. DEA verification $3.50 per registration. State board monitoring setup $2.50 per license. Total onboarding cost: $8-12 per practice.
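The `decision_logic` block above leaves two things implicit: the precedence between the three outcomes when more than one matches (a case with `all_checks_pass: true` and a risk score of 75), and what happens at the boundaries (a score of exactly 30 or 70). The following is an added example written for this article, not Alloy's rule engine: it transcribes the rules as data, parses the `< 30`, `30-70` and `> 70` expressions rather than hard-coding them, and evaluates hard declines first, then any review trigger, then approval only when every approval condition holds. Routing anything unmatched to manual review (fail closed) is an assumption, since the configuration does not say; the function names and sample cases are mine.

```python
import re

# Decision rules transcribed from the workflow configuration above. The
# risk_score expressions are kept as strings and parsed, so thresholds can be
# changed in configuration without touching code.
DECISION_LOGIC = {
    "auto_approve": [{"all_checks_pass": True}, {"risk_score": "< 30"}],
    "manual_review": [{"any_check_pending": True}, {"risk_score": "30-70"}],
    "auto_decline": [{"oig_excluded": True}, {"license_revoked": True}, {"risk_score": "> 70"}],
}


def score_matches(expr, score):
    """Evaluate a risk_score expression of the form '< N', '> N' or 'N-M' (inclusive)."""
    m = re.fullmatch(r"\s*([<>])\s*(\d+)\s*", expr)
    if m:
        bound = int(m.group(2))
        return score < bound if m.group(1) == "<" else score > bound
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", expr)
    if m:
        return int(m.group(1)) <= score <= int(m.group(2))
    raise ValueError(f"unsupported risk_score expression: {expr!r}")


def condition_holds(condition, case):
    """Each condition is a single-key mapping; boolean keys default to False when absent."""
    (key, expected), = condition.items()
    if key == "risk_score":
        return score_matches(expected, case["risk_score"])
    return bool(case.get(key, False)) == expected


def decide(case, logic=DECISION_LOGIC):
    """Hard declines win, then any review trigger, then approval only if every
    approval condition holds. Anything unmatched is routed to manual review
    (fail closed); that default is an assumption, not part of the configuration."""
    if any(condition_holds(c, case) for c in logic["auto_decline"]):
        return "auto_decline"
    if any(condition_holds(c, case) for c in logic["manual_review"]):
        return "manual_review"
    if all(condition_holds(c, case) for c in logic["auto_approve"]):
        return "auto_approve"
    return "manual_review"


if __name__ == "__main__":
    # Constructed cases: a clean low-risk file, a boundary score, and a hard decline.
    clean = {"all_checks_pass": True, "any_check_pending": False,
             "oig_excluded": False, "license_revoked": False, "risk_score": 12}
    for case in (clean, dict(clean, risk_score=30), dict(clean, oig_excluded=True)):
        print(case["risk_score"], decide(case))
```

Evaluating declines before approvals matters in practice: an OIG exclusion with a low risk score must never auto-approve, and a file whose checks all passed with a score of 75 still declines because the score rule is a hard stop in its own right.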
Healthcare KYC requires ongoing monitoring as provider status changes. Monthly monitoring tasks include DEA registration renewals (every 3 years, but dates vary), state license renewals (annual or biennial by state), OIG exclusion list updates (monthly additions), state board disciplinary actions (weekly updates), and NPI status changes (practice affiliations, addresses).
Event-driven monitoring covers news alerts for provider arrests or malpractice suits, court records for bankruptcy or civil judgments, professional society sanctions or suspensions, and hospital credentialing issues or terminations.
Automated workflow:
```python
class HealthcareMonitoring:
    def __init__(self):
        self.alloy_client = AlloyClient()
        # Each cadence maps to the checks that run on it; the check methods
        # themselves live elsewhere in the service and are not shown here
        self.monitoring_schedule = {
            'daily': [self.check_oig_updates],
            'weekly': [self.check_state_boards],
            'monthly': [self.validate_renewals],
            'quarterly': [self.full_risk_reassessment]
        }

    def check_provider_status(self, provider_id):
        provider = self.get_provider(provider_id)
        # Check each license/registration
        for license in provider.licenses:
            # Surface renewals 90 days out so an expiry never lapses unnoticed
            if license.expires_within_days(90):
                self.notify_renewal_required(provider, license)
            board_status = self.check_state_board(license)
            if board_status.has_disciplinary_action():
                self.escalate_for_review(provider, board_status)
```

Monitoring costs: automated monitoring $1-2 per provider per month. Manual review of flagged cases $15-25 per incident. License renewal tracking $0.50 per license per month. Emergency sanctions screening $5-10 per urgent check.
For federal exclusions screening, see HHS OIG LEIE. These ongoing costs must be factored into healthcare fintech unit economics.
Starting January 2024, the Corporate Transparency Act requires reporting beneficial ownership information to FinCEN for most business entities. BOI (Beneficial Ownership Information) Reporting is required for corporations and LLCs created after 1/1/2024. Existing entities must file by 1/1/2025. Updates are required within 30 days of ownership changes. Penalties run up to $500/day for non-compliance.
Healthcare-specific considerations: professional corporations may qualify for exemptions. Medical practices with complex ownership need careful analysis. Beneficial ownership rules interact with corporate practice of medicine laws.
Our CTA compliance process: entity analysis to determine if the practice entity requires BOI reporting, ownership mapping to identify beneficial owners and control persons, documentation collection of required identification documents, filing coordination to submit BOI reports or coordinate with practice counsel, and ongoing monitoring to track ownership changes requiring updates.
Cost implications: initial CTA analysis $2-5 per entity. BOI report preparation $10-15 per filing. Ongoing change monitoring $1-2 per entity per month. Legal consultation for complex cases $150-300 per case.
Healthcare fintechs must either build CTA compliance capabilities or partner with legal and accounting firms that handle these filings. Reference: FinCEN BOI Reporting.
Healthcare KYC complexity requires purpose-built compliance infrastructure. Workflow management needs multi-step verification processes with manual review queues, automated retry logic for temporary verification failures, exception handling for edge cases and missing data, and integration with compliance case management systems. Data management needs secure storage of sensitive healthcare provider information, audit trails for all verification decisions and data updates, version control for changing regulations, and APIs for third-party compliance tools and legal reviews. Risk scoring includes healthcare-specific risk factors (malpractice history, board actions), geographic risk weighting (state regulatory environments), practice type risk assessment (controlled substance prescribing), and ongoing risk score updates based on monitoring alerts. Reporting and analytics cover compliance dashboards for internal teams and regulators, KYC completion rates and processing times, false positive and negative analysis for continuous improvement, and cost tracking for compliance operations and vendor expenses.
Healthcare KYC costs $8-12 per practice versus $2-3 for consumer customers. This investment creates sustainable competitive advantages.
Regulatory moat: competitors cannot serve healthcare customers without similar compliance infrastructure investment. Data advantage: healthcare KYC generates valuable data about provider credentials, practice ownership, and regulatory standing that enables better underwriting and risk management. Customer trust: practices value working with fintechs that understand healthcare regulatory requirements. Partner relationships: healthcare KYC compliance enables partnerships with medical suppliers, equipment vendors, and professional organizations that require verified provider relationships.
The key is building compliance infrastructure that scales efficiently while maintaining regulatory effectiveness. It takes significant upfront investment and pays off in long-term competitive positioning.
Next in series
Part 2 explores how machine learning detects healthcare-specific fraud patterns that traditional banking systems miss.

Data sources: FinCEN CTA guidance, CMS NPI documentation, DEA registration requirements, internal compliance cost analysis from 777-practice onboarding experience.