
What Is AML Compliance? A Practical Guide for US Fintechs

Legaltalent · January 8, 2026 · 8 min read

Anti-money laundering compliance is no longer a niche concern for large banks on Wall Street. If you operate a fintech, money services business, payment company, or any firm that moves value on behalf of customers in the United States, AML obligations are part of your license to operate—whether a regulator has sent you a formal letter yet or not.

This guide explains what AML compliance means under US law, who sets the rules, what a credible program looks like in practice, and how the pieces fit together from customer onboarding through suspicious activity reporting.

The US AML framework: BSA, FinCEN, and OFAC

The backbone of US anti-money laundering law is the Bank Secrecy Act (BSA), originally enacted in 1970 and repeatedly strengthened through the USA PATRIOT Act, the Anti-Money Laundering Act of 2020 (AMLA), and related statutes. Congress sets the statutory requirements; FinCEN (the Financial Crimes Enforcement Network), a bureau of the US Treasury, writes implementing regulations and receives millions of regulatory filings every year.

FinCEN is not the only agency that matters. OFAC (the Office of Foreign Assets Control), also within Treasury, administers economic sanctions programs. A customer who passes identity verification but appears on the SDN List still cannot be onboarded. State regulators, federal banking agencies, the SEC, CFTC, and industry-specific supervisors layer additional expectations on top of the BSA baseline.

Understanding this split is essential: the BSA tells you to run an AML program and file certain reports; FinCEN tells you how; OFAC tells you whom you cannot do business with; and your primary examiner—whether a bank sponsor, state MTL regulator, or SEC staff—tells you whether your implementation is credible.

What “AML compliance” actually requires

AML compliance is not a single checkbox. At minimum, covered US businesses are expected to maintain a written AML program that is approved by senior management, includes internal controls, designates a qualified BSA/AML Officer, provides ongoing training, and undergoes independent testing.

The program must address:

  • Customer identification and verification under CIP/CDD rules
  • Beneficial ownership collection for legal entity customers
  • Sanctions screening against OFAC and other applicable lists
  • PEP and high-risk customer policies, including Enhanced Due Diligence where warranted
  • Transaction monitoring appropriate to your products and risk profile
  • Suspicious activity reporting via FinCEN SAR filings when red flags cannot be reasonably explained

None of these elements stands alone. Examiners evaluate whether your controls are risk-based, documented, and actually operated—not merely copied from a template.

How AML differs from KYC—and why both matter

KYC (Know Your Customer) is the front-door process: who is this customer, can we verify their identity, what is the stated purpose of the relationship? AML is the broader lifecycle: is ongoing activity consistent with that profile, are we detecting typologies indicative of money laundering or terrorist financing, and do we escalate when something does not add up?

A common fintech failure mode is treating KYC as a one-time onboarding selfie check, then running production traffic with no monitoring, no rescreening, and no SAR workflow. Regulators explicitly expect ongoing due diligence—see our guide on ongoing customer monitoring for what that looks like in practice.

Who must comply—and how to know if you are covered

Coverage under the BSA extends to financial institutions broadly defined: banks, credit unions, broker-dealers, mutual funds, futures commission merchants, and—critically for startups—money services businesses (MSBs). Many fintech products trigger MSB classification because they transmit funds, exchange currency, or provide certain prepaid access or virtual currency services.

If you are unsure whether your business model falls in scope, read Who Must Comply with BSA/AML? The cost of guessing wrong includes civil money penalties, consent orders, loss of banking partners, and personal liability exposure for individuals who willfully ignore red flags.

Core program components in plain language

Internal policies and risk assessment

Your policies should describe how you identify customers, escalate high-risk cases, monitor transactions, and file SARs. An annual or trigger-based enterprise risk assessment documents your products, geographies, delivery channels, and customer types—and maps controls to those risks.

The BSA/AML Officer

This person has real authority. Examiners will interview them. They need access to transaction data, the ability to halt onboarding, and a reporting line to senior management or the board.

Training and culture

Training must be role-appropriate: front-line support sees different typologies than engineers building payout APIs. A strong compliance culture means product teams consult compliance before shipping features that introduce new anonymity or cross-border corridors.

Independent testing

An internal audit function or qualified external party must test your program periodically and report findings to leadership. Findings should be remediated with tracked deadlines.

CDD, EDD, and the Customer Identification Program

CDD (Customer Due Diligence) requires understanding the nature and purpose of customer relationships and conducting ongoing monitoring to identify suspicious activity. FinCEN’s CDD Rule also requires identifying and verifying beneficial owners of legal entity customers.

When risk elevates—PEPs, correspondent banking, high-risk jurisdictions, complex ownership chains—you apply Enhanced Due Diligence (EDD): deeper source-of-funds inquiries, senior management approval, more frequent reviews. Our step-by-step CDD guide walks through implementation details.

Sanctions, PEPs, and adverse media

OFAC screening is mandatory before you provide services and, as a best practice and examiner expectation, on an ongoing basis when lists update or customer data changes.

PEP screening aligns with FATF Recommendation 12 and US supervisory guidance: politically exposed persons and their close associates present higher corruption risk. See Politically Exposed Persons (PEPs): Identification and EDD in the US.

Adverse media—negative news about financial crime, fraud, or regulatory actions—catches risks that structured lists miss. It has become a standard element of reasonable AML programs, especially for fintechs serving higher-risk segments. Learn more in Adverse Media Screening.

Reporting obligations: CTRs, SARs, and recordkeeping

Depending on your activities, you may file Currency Transaction Reports (CTRs) for cash transactions over $10,000, FBAR-related workflows for foreign accounts in certain contexts, and Suspicious Activity Reports (SARs) when you know, suspect, or have reason to suspect illicit activity.

SARs are filed through FinCEN’s BSA E-Filing System. Timing matters: filing must occur within 30 calendar days of initial detection in most cases. Our FinCEN SAR Filing guide covers red flags and documentation.

Record retention is equally non-negotiable: generally five years from account closure or transaction date for CDD and certain transaction records. See AML Record Retention.

Enforcement trends fintechs should take seriously

FinCEN, OFAC, the DOJ, and state regulators have brought numerous enforcement actions against payment companies, crypto exchanges, and neobanks for program deficiencies—not only for processing known bad actors. Weak governance, inadequate transaction monitoring, and failure to file timely SARs are recurring themes.

Banking partners increasingly demand sponsor-bank-grade artifacts before approving integrations: policy manuals, risk assessments, audit reports, and live dashboards. AML compliance is therefore a commercial imperative, not only a legal one.

Building a program that scales

Early-stage companies often start with manual reviews and spreadsheets. That can work briefly at low volume, but breaks quickly. Automation should support human judgment, not replace it: rules-based monitoring plus analyst queues, integrated KYC vendors, sanctions list updates, and immutable audit logs.

Design onboarding with compliance embedded—our client onboarding guide shows how to avoid funnel-killing friction while meeting CDD requirements.

Payment processors and embedded finance platforms face layered obligations; if that is your model, read AML/KYC Compliance for Payment Processors and PSPs.

Crypto and virtual asset businesses must also track FATF travel rule expectations and global frameworks like MiCA when serving European customers—covered in MiCA and FATF.

Practical checklist for leadership

Before your next investor diligence or bank review, confirm:

  1. Written AML/BSA policy approved by the board or equivalent
  2. Named BSA Officer with documented responsibilities
  3. Risk assessment dated within the last 12–18 months
  4. CIP/CDD procedures including beneficial ownership
  5. OFAC screening at onboarding and periodically thereafter
  6. PEP and adverse media procedures with EDD triggers
  7. Transaction monitoring calibrated to your product
  8. SAR escalation workflow with legal review
  9. Training logs and independent test reports
  10. Record retention schedule aligned with BSA requirements

Gaps in any of these items become exam findings—or worse, headlines.

Get started with Legaltalent

Building a defensible AML program takes the right policies, evidence, and tooling—not spreadsheets held together with hope. Legaltalent helps US fintechs and financial services firms automate KYC, sanctions screening, PEP checks, adverse media, and audit-ready recordkeeping in one platform.

Start your free trial and see how compliant onboarding and monitoring can scale with your business.

Frequently asked questions

What is AML compliance in the United States?

AML compliance means maintaining a risk-based program under the Bank Secrecy Act that detects and prevents money laundering and terrorist financing, including CDD, sanctions screening, monitoring, and FinCEN reporting.

Who regulates AML for US fintechs?

FinCEN administers BSA regulations; OFAC enforces sanctions; state regulators oversee money transmitter licensing; and sponsor banks face federal banking agency examinations that extend scrutiny to fintech partners.

Do all fintechs need an AML program?

Any company that qualifies as a money services business or other covered financial institution must maintain a written AML program. Many fintechs trigger MSB rules through payments, wallets, or virtual currency services.

What are the five pillars of a BSA AML program?

Internal controls, a designated BSA/AML officer, training, independent testing, and customer due diligence procedures.

How does AML differ from KYC?

KYC verifies identity at onboarding; AML is the ongoing framework—including monitoring and SAR filing—that ensures activity remains consistent with the customer profile and legal requirements.

What happens if my AML program is inadequate?

Consequences include civil money penalties, consent orders, loss of banking partners, and potential criminal exposure for willful violations.
