Blog Login
AML

What Is an AML Compliance Program? BSA Requirements for Fintechs

A

Anzar Dewani

1 month ago

A deep dive into what an AML compliance program requires under the Bank Secrecy Act — the five pillars, who needs one, and how fintechs build one that satisfies FinCEN and sponsor banks.

What Is an AML Compliance Program?

BSA Requirements for Fintechs

 

Under the Bank Secrecy Act, most fintechs that move money are legally required to maintain a written AML compliance program. Not a general compliance framework — a specific, documented anti-money laundering program with defined components that FinCEN expects to see, audit, and enforce against.

AML stands for Anti-Money Laundering. The purpose of an AML compliance program is narrow and specific: detect, prevent, and report the movement of illegally obtained funds through your platform. Every control, policy, and process inside your AML program exists to serve that purpose.

 This is distinct from your broader compliance program, which covers everything from consumer protection to licensing to data privacy. Your AML program sits inside that broader framework — but it has its own legal requirements, its own structure, and its own regulator looking at it.

 This article breaks down exactly what FinCEN requires, who needs an AML program, what each component must include, and what happens if yours is missing or inadequate.

The Law Behind It — The Bank Secrecy Act

The Bank Secrecy Act (BSA), enacted in 1970 and administered by the Financial Crimes Enforcement Network (FinCEN), is the primary U.S. law governing AML compliance. It requires covered financial institutions to maintain records and file reports that help detect and prevent money laundering and other financial crimes.

Under the BSA, a compliant AML program must be:

  1. Written — formally documented, not informal or verbal
  2. Approved by senior management — leadership must own it on record
  3. Reasonably designed — built around your specific risk profile, not copied from a template
  4. Implemented and operational — actively running inside your business, not sitting in a folder

 

Meeting these four conditions is the baseline. FinCEN examiners look for evidence that all four are true — not just that a document exists.

Who Needs a BSA/AML Program?

BSA requirements apply to businesses that FinCEN classifies as financial institutions — a category that captures far more than traditional banks.

You are likely required to have a BSA/AML program if your business is:

  • Money Services Business (MSB) — including money transmitters, prepaid card issuers, cryptocurrency exchangers, check cashers, and currency dealers
  • fintech operating under a sponsor bank — the sponsor bank's BSA obligations extend directly to your operations, and they will require your program to meet their standards
  • broker-dealer or investment platform — subject to FINRA and SEC oversight with parallel AML requirements
  • neobank or challenger bank — operating under a bank charter or partnership carries full BSA obligations

If you are unsure whether your business qualifies as an MSB or falls under BSA requirements, that determination needs to be made before you launch — not after your first regulatory inquiry.

The Five Pillars of a BSA/AML Program

FinCEN defines the required structure of a BSA/AML program through five pillars. Each one is a distinct requirement — not a suggestion.

1. Internal Controls

Internal controls are the backbone of your AML program. They are the written policies, operational procedures, and automated systems your business uses to identify, investigate, and report suspicious financial activity.

Your internal controls must cover:

  • Risk assessment — how your company identifies and documents its AML risks based on products, customers, geographies, and transaction types
  • Transaction monitoring — the rules, thresholds, and systems that flag unusual or suspicious activity for review
  • SAR filing — your process for investigating flagged activity and filing Suspicious Activity Reports with FinCEN when required
  • Recordkeeping — maintaining the transaction records and customer information the BSA requires you to retain

Weak internal controls are the most common finding in BSA examinations. Rules that are never triggered, alerts that are never reviewed, and SARs that are filed late or not at all — these are the gaps examiners look for.

2. A Designated BSA/Compliance Officer

Every BSA/AML program must have a named individual responsible for overseeing it. This person — typically called the BSA Officer or Chief Compliance Officer — is accountable for ensuring the program is built correctly, kept current, and functioning effectively.

FinCEN does not require this to be a dedicated full-time role at early-stage companies. What it does require is that:

  • Someone is clearly named and accountable
  • That person has sufficient authority to make compliance decisions
  • That person has access to the transaction data and systems needed to do the job
  • Senior management is informed of program performance and issues

As your business scales, this role typically becomes a full-time function. For now, what matters is that it isn't nobody's job.

3. Ongoing Employee Training

AML training is a legal requirement — not a best practice. All employees whose roles touch compliance-relevant functions must receive regular, documented training on BSA obligations and your internal AML policies.

BSA training requirements include:

  • Annual training as a minimum frequency for most covered businesses
  • Role-specific content — customer-facing staff, operations teams, and senior management each need training appropriate to their responsibilities
  • New hire training — employees should be trained before they begin handling compliance-relevant functions
  • Documentation — records of who completed training, when, and what it covered must be maintained and available for examination

Regulators and sponsor banks will ask for training records. Verbal or informal training with no documentation does not satisfy the requirement.

4. Independent Testing

Your AML program must be reviewed regularly by someone independent of the function being tested. This is commonly referred to as an AML audit or independent review, and it is a formal BSA requirement — not optional.

Independent testing must:

  • Be conducted by someone with no direct responsibility for the AML program being reviewed
  • Assess whether controls are working as designed and whether gaps exist
  • Produce written findings that are reported to senior management
  • Occur at a frequency appropriate to your risk profile — typically annually for most businesses, more frequently for higher-risk operations

For early-stage fintechs, independent testing is most commonly performed by an external compliance consultant. The key requirement is independence — the reviewer cannot assess their own work.

5. Customer Due Diligence (CDD)

Added by FinCEN in 2016, Customer Due Diligence became the fifth formal pillar of the BSA/AML framework. It requires covered financial institutions to implement a documented CDD program with four core components:

  • Customer identification — verifying the identity of individuals and entities at onboarding (KYC/KYB)
  • Customer risk profiling — understanding who your customers are, what they're expected to do on your platform, and assigning a risk rating accordingly
  • Ongoing monitoring — continuously reviewing account activity against the customer's expected profile and updating risk ratings when behavior changes
  • Beneficial ownership — for legal entity customers, identifying and verifying the individuals who own or control the business

CDD is where your AML program directly intersects with your customer experience. The identity verification tools, onboarding flows, and monitoring rules you build are all executing this pillar in practice.

What Happens If Your AML Program Is Inadequate

FinCEN enforces BSA requirements aggressively — and enforcement actions are public record. The consequences of an inadequate or missing AML program include:

Civil money penalties. FinCEN can assess penalties for BSA violations that range from thousands to tens of millions of dollars depending on severity, duration, and whether the violation was willful.

Sponsor bank termination. Your sponsor bank is legally required to oversee your AML program. If they determine it is inadequate, they will exit the relationship — often quickly and with limited notice. Losing a sponsor bank mid-growth is one of the most disruptive events a fintech can face.

Cease and desist orders. Regulators can require you to stop certain business activities until compliance gaps are remediated.

Criminal liability. Willful BSA violations carry criminal penalties. Founders and BSA Officers can be personally exposed.

Reputational damage. FinCEN enforcement actions are published on its website and covered by financial services press. Being named in a public action follows a company for years.

Building Your AML Program

A compliant AML program doesn't need to be complicated — it needs to be appropriate for your risk profile and genuinely operational. Here's the practical sequence:

  1. Conduct a written AML risk assessment — document your products, customers, geographies, and the specific risks each creates
  2. Draft your BSA/AML policy — a written document covering all five pillars, approved by senior management
  3. Implement your controls — KYC /identity verification, transaction monitoring, SAR filing workflow, recordkeeping systems
  4. Name your BSA Officer — assign accountability formally and in writing
  5. Conduct and document your first training session — before you go live if possible
  6. Schedule your first independent review — within 12 months of launching your program

How ComplyOne Helps

Building a BSA/AML program that satisfies FinCEN requirements, passes sponsor bank audits, and actually runs inside your business takes expertise most founding teams don't have in-house.

ComplyOne works with fintechs and money services businesses to design, document, and implement AML programs built for your specific risk profile — from risk assessments and policy drafting to BSA Officer support and independent testing.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.

Share this article:

Related Articles