AML Compliance for Payments Companies: What You Need to Know

Payments companies occupy a unique position in the financial services compliance landscape. As facilitators of money movement between parties — merchants, consumers, businesses, and financial institutions — payments companies face AML risks and regulatory obligations that are both similar to and distinct from those of traditional banks and other fintechs.

If you are building or operating a payments company, understanding how BSA/AML requirements apply to your specific business model — and where standard compliance frameworks need payments-specific adaptation — is essential for building a program that actually works.

How BSA Requirements Apply to Payments Companies

Payment Processors vs. Money Transmitters

The most important threshold determination for payments companies is whether your business qualifies as a money transmitter — and therefore as a Money Services Business subject to full BSA requirements — or whether you fall within the payment processor exemption.

Money transmitters are businesses that accept and transmit funds on behalf of the public. If your payments company accepts funds from one party and transmits them to another — holding funds, even briefly, in the process — you are very likely a money transmitter.

The payment processor exemption applies to businesses that process payments solely as agents of a payee facilitating the movement of funds for goods and services where the payment processor acts only as an intermediary. This exemption is narrower than many payments companies assume and requires careful legal analysis of your specific business model.

If You Are a Money Transmitter

If your payments business qualifies as a money transmitter, you are an MSB subject to full BSA requirements including FinCEN registration, a written AML program with all five pillars, SAR filing obligations, and state money transmitter licensing requirements.

Payments-Specific AML Risks

Merchant Risk

Payments companies that serve merchants take on the AML risk profile of those merchants. A payments company serving high-risk merchant categories such as gambling, adult entertainment, or money services has a materially different and more complex risk profile than one serving lower-risk merchants.

Your AML risk assessment must include a thorough evaluation of your merchant base — the industries you serve, the transaction types you process, the geographies your merchants operate in, and the customer bases your merchants serve.

Transaction Volume and Velocity

Payments companies often process high volumes of transactions at high velocity — characteristics that increase both AML risk and the operational demands of your monitoring program. High-volume transaction flows require monitoring rules specifically calibrated to identify anomalous patterns within that flow.

Third-Party Risk

Payments companies frequently work with third parties — payment facilitators, ISOs, agents, and submerchants — who interact directly with end customers. Each layer introduces compliance risk. Your contracts must establish clear compliance obligations for those third parties.

Cross-Border Payment Risk

Payments companies that process cross-border transactions — particularly involving high-risk jurisdictions — face elevated sanctions and AML risk. Every cross-border transaction requires sanctions screening of counterparties.

Nested Processing Risk

Some payments companies process transactions on behalf of other payment processors — a practice called nested processing. This creates visibility challenges because end customers are not directly visible to the nested processor. Nested processing arrangements require specific due diligence on the upstream processor.

Building a Payments-Specific AML Program

Merchant Onboarding and Due Diligence

Your KYC and CDD program must cover merchants — not just individual consumers. Merchant onboarding should include verification of the merchant's legal identity and beneficial ownership, assessment of the merchant's industry and risk category, review of expected transaction types and volume, and ongoing monitoring against the established profile.

Transaction Monitoring Calibrated for Payments

Common red flags in payments monitoring include sudden spikes in transaction volume inconsistent with the merchant's profile, high rates of chargebacks or refunds that may indicate fraud or laundering, rapid fund cycling — large amounts in followed immediately by large amounts out, transactions involving the same end customer across multiple merchants with no apparent relationship, and geographic inconsistencies between merchant location and customer base.

Sanctions Screening at Scale

Payments companies must screen counterparties against OFAC sanctions lists. At high transaction volumes, this requires automated screening technology with real-time processing capability and fuzzy matching. Manual screening is not viable at payments scale.

Common Compliance Gaps in Payments Companies

Underestimating merchant risk is the most common gap. Many payments companies conduct thorough KYC on individual consumers but apply insufficient due diligence to the merchants they onboard.

Generic monitoring rules not calibrated to payments transaction patterns produce excessive false positives while missing payments-specific money laundering typologies.

Inadequate third-party oversight of ISOs, agents, and submerchants creates compliance gaps that regulators hold the payments company responsible for.

Frequently Asked Questions

Does a payment facilitator need its own AML program?

Yes. Payment facilitators that qualify as money transmitters have independent BSA obligations including a written AML program, FinCEN registration, and SAR filing requirements. The fact that a payment facilitator works through a sponsor bank does not eliminate its independent compliance obligations.

How does AML compliance apply to buy-now-pay-later companies?

BNPL companies that qualify as money transmitters or offer consumer credit are subject to BSA requirements for transmission activities and consumer financial law requirements for credit elements. Specific obligations depend on the BNPL product structure and require careful regulatory analysis.

What is the Travel Rule and does it apply to payments companies?

The BSA's Travel Rule requires financial institutions to pass along originator and beneficiary information when transmitting funds of $3,000 or more. For payments companies that qualify as money transmitters, the Travel Rule applies to fund transfers meeting the threshold.

How ComplyOne Helps

ComplyOne works with payments companies to build AML compliance programs specifically designed for the payments business model — from merchant risk assessment and due diligence to transaction monitoring calibrated for payments typologies and sanctions screening at scale — through advisory services, compliance technology, or both.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.