AML/KYC Compliance for Payment Processors and PSPs
Payment processors, payment service providers (PSPs), and embedded-finance platforms sit at the center of modern commerce—and at the center of AML risk. When you move money between buyers, sellers, and financial institutions, regulators and sponsor banks expect you to know your customers, monitor transactions, and report suspicious activity.
This guide covers US BSA/FinCEN expectations for payment companies, how sponsor bank oversight works, and how to scale compliance without choking merchant growth.
Why payment processors face high AML scrutiny
Processors aggregate many merchants or users through few bank accounts, creating concentration risk. Typologies include:
- Merchant acquiring fraud and chargeback laundering
- Shell merchants layering proceeds
- MSB customers commingling consumer and commercial flows
- Cross-border remittance disguised as merchant payouts
- Trade-based money laundering through fake invoices
FinCEN and federal banking agencies have issued extensive guidance on money services businesses and third-party payment processors. Examiners know these patterns.
MSB registration and licensing
Many payment models trigger money transmitter or MSB classification:
- Holding customer funds before settlement
- Facilitating person-to-person transfers
- Providing cross-border remittance APIs
- Operating stored-value wallets
Requirements typically include FinCEN Form 107 registration, state MTLs, written AML programs, and SAR/CTR obligations where applicable.
If unsure, read Who Must Comply with BSA/AML? before scaling volume.
Sponsor bank and BaaS dynamics
Most fintech PSPs rely on sponsor banks subject to OCC, Fed, or FDIC BSA examinations. Banks must manage third-party risk under interagency guidance. Expect:
- Pre-launch diligence on your AML policies
- Ongoing reporting on onboarding volumes, SAR counts, and exceptions
- Audit rights and termination triggers for program weaknesses
- Joint remediation of exam findings
Your AML program must be bank-examination ready even if FinCEN has not examined you directly.
Merchant KYC vs. consumer KYC
Processors often perform KYB (Know Your Business) on merchants while performing lighter KYC on payers. Both require risk-based design:
Merchant onboarding
Collect legal entity data, beneficial owners under the CDD Rule, MCC codes, refund policies, and website presence. Verify against Secretary of State records. Screen merchants and owners against OFAC, PEP, and adverse media databases.
High-risk MCCs (crypto, adult, gambling, pharmaceuticals) warrant EDD—see Customer Due Diligence (CDD) and Politically Exposed Persons (PEPs).
Consumer / payer flows
Retail payer KYC may be streamlined for low-value transactions but must strengthen as limits rise. Compliant Client Onboarding discusses progressive KYC.
Transaction monitoring for processors
Monitoring rules should reflect merchant behavior baselines:
- Sudden spikes in average ticket size
- Cross-border concentration inconsistent with merchant profile
- Excessive refunds or chargebacks
- Round-dollar structuring patterns
- Multiple merchants sharing devices, IPs, or payout accounts
Tune models when launching new verticals. Ongoing Customer Monitoring explains rescreening and lifecycle reviews.
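As an added illustration (not part of the original guide or of any vendor's product), the Python below applies four of the rules listed above to constructed transactions and returns the alerts per merchant. The thresholds, field names, merchant IDs and baselines are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data: (merchant_id, amount_usd, kind, payout_account)
TXNS = [
    ("m1", 38.50, "sale", "acct-A"), ("m1", 41.25, "sale", "acct-A"),
    ("m1", 42.00, "sale", "acct-A"), ("m1", 39.99, "sale", "acct-A"),
    ("m2", 500.00, "sale", "acct-B"), ("m2", 300.00, "sale", "acct-B"),
    ("m2", 200.00, "sale", "acct-B"), ("m2", 187.40, "sale", "acct-B"),
    ("m3", 29.00, "sale", "acct-B"), ("m3", 31.50, "sale", "acct-B"),
    ("m3", 30.25, "sale", "acct-B"), ("m3", 28.75, "sale", "acct-B"),
    ("m3", 29.00, "refund", "acct-B"), ("m3", 31.50, "refund", "acct-B"),
]
# Assumed historical average ticket per merchant (the behavior baseline)
BASELINE_AVG_TICKET = {"m1": 40.0, "m2": 55.0, "m3": 30.0}

# Illustrative thresholds (assumptions; tune per vertical)
SPIKE_FACTOR = 3.0   # current average ticket vs. baseline
REFUND_RATIO = 0.25  # refunds per sale
ROUND_SHARE = 0.6    # share of sales that are exact multiples of $100

def evaluate(txns, baseline):
    """Return {merchant_id: sorted list of rule names that fired}."""
    sales = defaultdict(list)
    refunds = defaultdict(int)
    payout_users = defaultdict(set)
    for mid, amount, kind, acct in txns:
        payout_users[acct].add(mid)
        if kind == "sale":
            sales[mid].append(amount)
        elif kind == "refund":
            refunds[mid] += 1
    alerts = defaultdict(set)
    for mid, amounts in sales.items():
        if mean(amounts) > SPIKE_FACTOR * baseline[mid]:
            alerts[mid].add("ticket_spike")
        if refunds[mid] / len(amounts) > REFUND_RATIO:
            alerts[mid].add("excess_refunds")
        round_n = sum(1 for a in amounts if a >= 100 and a % 100 == 0)
        if round_n / len(amounts) >= ROUND_SHARE:
            alerts[mid].add("round_dollar")
    # A payout account used by more than one merchant flags all of them
    for mids in payout_users.values():
        if len(mids) > 1:
            for mid in mids:
                alerts[mid].add("shared_payout")
    return {mid: sorted(rules) for mid, rules in alerts.items()}

if __name__ == "__main__":
    for merchant, rules in evaluate(TXNS, BASELINE_AVG_TICKET).items():
        print(merchant, rules)
```

The shared payout account surfaces a link between m2 and m3 that neither merchant's own history would show, which is why that rule is evaluated across merchants rather than per merchant.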
Sanctions and OFAC compliance
Screen merchants, beneficial owners, payout beneficiaries, and—in applicable models—payers against OFAC lists before first settlement and on list updates. Block prohibited jurisdictions and document match dispositions.
OFAC violations can result in catastrophic penalties independent of BSA fines.
SAR filing for payment firms
File FinCEN SARs when activity suggests fraud, money laundering, or other illicit purposes—even if chargebacks already hurt your P&L. Common triggers:
- Merchant collusion with stolen cards
- Payouts to unrelated third parties
- Rapid cash-out after inbound wires
- Customer reluctance to provide invoice support
Consult FinCEN SAR Filing for timelines and tipping-off rules.
Record retention and audits
Maintain onboarding files, risk scores, monitoring alerts, and SAR workpapers for five years where BSA requires. See AML Record Retention.
Adverse media for merchant risk
Negative news about merchant principals often precedes regulatory actions. Implement Adverse Media Screening for higher-risk KYB tiers.
Crypto and stablecoin payout rails
Processors adding crypto settlement must consider VASPs, the travel rule, and FinCEN CVC guidance; see MiCA and FATF.
Organizational tips
- Embed compliance in merchant risk scoring at signup
- Separate fraud and AML teams but share intelligence
- Give the BSA Officer authority to pause settlements
- Run independent AML testing annually
- Document reasons for merchant termination carefully
AML program foundations
For policy architecture and pillars, see What Is AML Compliance?
Underwriting velocity vs. AML depth
Fast merchant approval SLAs pressure analysts to skip KYB steps. Cap daily auto-approvals and route MCC-sensitive verticals to senior reviewers.
Sponsor bank dashboards should include merchant termination reasons coded by AML vs. fraud vs. credit policy.
ISOs, agents, and downstream MSB customers
Processors often onboard independent sales organizations (ISOs) and payment facilitators who introduce merchants. Apply KYB and reputational screening to ISO principals, not only end merchants.
When your customer is itself an MSB, implement flow-down audits: prove their AML program exists before enabling sub-merchant aggregation.
Chargeback monitoring belongs in AML conversations when patterns suggest transaction laundering between unrelated merchants sharing settlement paths.
Settlement timing changes (instant payout) alter typologies—re-tune monitoring when product marketing pushes faster funds availability.
Contractual termination rights for AML should be exercisable without breaching card network rules—legal drafting matters.
Reserve and settlement account monitoring
Processor reserve accounts concentrating merchant settlements are attractive laundering targets. Monitor reserve inflows and outflows with the same suspicion framework applied to customer wallets, including SAR escalation when merchants cycle unknown third-party payers through reserves.
Document sponsor bank reporting templates for monthly merchant risk summaries, including counts of enhanced due diligence merchants and pending law enforcement inquiries.
Horizontal risk: payment facilitators and marketplaces
Platforms that onboard sub-merchants under a master MID inherit concentrated AML risk. Master merchants should undergo KYB equal to direct merchants, with flow-down audits proving sub-merchant KYC exists. Monitoring must aggregate sub-merchant behavior to detect typologies invisible at individual storefront level. Sponsor banks increasingly request live merchant risk heatmaps—build reporting before they ask.
Network rules and compliance coexistence
Card network chargeback programs and AML offboarding must be coordinated so terminating a merchant for laundering does not violate dispute timing obligations. Legal and compliance should pre-draft termination notice templates that satisfy both objectives.
ACH return codes and AML signals
Unusual return code patterns on ACH payouts may indicate mule activity—correlate return reason codes with AML alerts rather than treating them as operations-only noise.
Processor leadership should review top twenty merchant SAR contributors quarterly the same way they review revenue concentration. Independent testers should sample merchant onboarding files across high, medium, and low risk MCC buckets every examination cycle. Treat payroll funders and gig platforms as first-class merchant categories with tailored typologies, not generic retail defaults. Document processor-level concentration limits for single merchants and related party groups.
Practical next steps for your compliance program
Regulators expect documented policies, trained staff, and evidence that controls run in production—not slide decks. Map each obligation to an owner, a control, and a record type. Run tabletop exercises for SAR decisions, sanctions hits, and EDD escalations. When examiners or auditors arrive, they will ask for samples: show that your process is consistent, risk-based, and improving over time.
Technology should reduce manual error, not replace accountability. Automate identity verification, list screening, and case management, but keep human review for edge cases. Periodically validate vendor match quality and tune thresholds so you neither flood analysts with false positives nor miss material risk.
Frequently asked questions
Are payment processors MSBs?
Many are, if they transmit funds, hold balances, or facilitate value transfer between parties. Each model requires legal analysis.
What KYB data should processors collect on merchants?
Entity formation details, beneficial owners, MCC, website and operations evidence, and screening for sanctions, PEP, and adverse media.
What do sponsor banks require from PSPs?
Written AML policies, risk assessments, onboarding metrics, transaction monitoring, SAR processes, and audit access.
What monitoring rules fit payment processors?
Rules targeting merchant ticket size changes, chargeback spikes, cross-border concentration, structuring, and shared payout devices.
When must processors file SARs?
When they know, suspect, or have reason to suspect illicit activity in covered transactions, following MSB or institution-specific thresholds.
How long should merchant AML records be kept?
Generally at least five years under BSA recordkeeping rules, though contracts may require longer.