Who Must Comply with BSA/AML? A Guide for US Businesses
“Are we even required to have an AML program?” is one of the first questions founders ask—and one of the most expensive to get wrong. Under US law, the answer depends on what your company actually does with money, not what you call yourself on a pitch deck.
This guide helps you determine whether the Bank Secrecy Act (BSA) and FinCEN regulations apply, what category you likely fall into, and what happens if you operate without a defensible compliance posture.
The BSA casts a wide net
Congress designed the BSA to require financial institutions to assist government efforts to detect and prevent money laundering. The statutory definition is broader than traditional banks. FinCEN and federal functional regulators have issued rules for banks, broker-dealers, mutual funds, futures merchants, casinos, insurance, dealers in precious metals, and more.
For technology companies, the most common trigger is classification as a money services business (MSB). MSBs include:
- Money transmitters (sending funds domestically or internationally on behalf of customers)
- Currency dealers or exchangers
- Check cashers (above applicable thresholds)
- Issuers, sellers, or redeemers of money orders or traveler’s checks
- Providers or sellers of prepaid access (in certain circumstances)
- Dealers in virtual currency (administering, exchanging, or transmitting convertible virtual currency)
If your product touches any of these activities, you may need FinCEN MSB registration, a written AML program, SAR/CTR obligations, and state money transmitter licensing in many jurisdictions.
Fintech models that frequently trigger BSA coverage
Neobanks and BaaS programs
If you are not a chartered bank but offer deposit-like accounts through a sponsor bank, the bank retains primary BSA responsibility—but you are typically contractually required to perform KYC, fraud, and AML functions. Examiners look through to program operators.
Payment processors and platforms
Marketplaces and SaaS platforms that control the flow of funds, hold balances, or route payouts often create MSB exposure for the platform or its payment subsidiary. Read AML/KYC Compliance for Payment Processors and PSPs for detail.
Crypto exchanges and wallet providers
FinCEN treats administrators and exchangers of convertible virtual currency as MSBs. Travel rule obligations and enhanced scrutiny apply. See MiCA and FATF for global alignment.
Lending and BNPL
Pure lending may be subject to different rules, but loan origination combined with payments, secondary trading, or servicing platforms can pull you into broader financial institution definitions or state regimes.
The FinCEN MSB registration question
MSBs must register with FinCEN using Form 107, renew every two years, and maintain an effective AML program. Registration is not a license to operate in every state—you may still need state money transmitter licenses (MTLs) and other permits.
Operating as an unregistered MSB when required is a federal violation. Banking partners will terminate relationships if they discover it.
Banks vs. non-bank financial institutions
If you hold a bank charter, OCC/Fed/FDIC rules apply in full. Most growth-stage fintechs are non-bank entities relying on sponsor banks, which means:
- Primary BSA examination often targets the bank
- Your contractual third-party risk management obligations are extensive
- You must produce policies, metrics, and testing evidence on demand
Do not assume the bank’s charter shields your brand from reputational and contractual consequences of AML failures.
Other US entities with AML obligations
Beyond MSBs, consider whether you fit:
- Registered investment advisers (AML rules evolving; custody and certain activities increase exposure)
- Broker-dealers (SEC/FINRA AML requirements)
- Insurance companies (for certain covered products)
- Dealers in precious metals, stones, or jewels
- Housing GSEs and mortgage originators (in specified contexts)
Gatekeeper professions—lawyers, accountants, trust and company service providers—face increasing AML expectations under the Corporate Transparency Act and FinCEN’s historical interest in profession-based reporting. See AML Compliance for Lawyers, Accountants, and Other Professionals.
Indicators you are probably in scope
You likely need a formal AML program if several of these are true:
- Customers can send or receive funds through your product
- You maintain wallets, balances, or stored value
- You exchange one currency or asset for another
- You onboard customers without a chartered bank being the only regulated party
- You market cross-border remittance or payout APIs
- You serve MSBs or high-risk merchants as a B2B platform
Still uncertain? Map each user journey that involves value transfer and ask whether FinCEN would characterize it as money transmission.
What compliance looks like once you are covered
Covered entities need the five pillars of an AML program:
- Internal controls
- BSA/AML Officer
- Training
- Independent testing
- Customer due diligence procedures
Practically, that means CIP/CDD at onboarding (see CDD step-by-step), OFAC screening, PEP policies (see the PEP guide), transaction monitoring (see ongoing monitoring), SAR filing when appropriate (see the FinCEN SAR guide), and five-year record retention (see retention requirements).
Consequences of non-compliance
Civil penalties under the BSA can reach hundreds of thousands of dollars per violation, with higher amounts for egregious or willful conduct. OFAC penalties can be far larger—into the billions for systemic sanctions failures.
Non-monetary consequences hurt sooner:
- Debanking and sponsor bank termination
- Consent orders restricting growth
- Personal liability for willful blindness by executives
- Investor and customer trust collapse
Regulators publish enforcement actions regularly; patterns show that “we were too small to matter” is not a recognized defense.
Risk-based approach for startups
FinCEN expects programs to be risk-based, not one-size-fits-all. A domestic-only, low-limit wallet has different monitoring thresholds than a global remittance API. Document your rationale in a risk assessment and revisit it when you launch new products or geographies.
Working with partners and APIs
If you rely on a KYC vendor or banking-as-a-service provider, you remain responsible for the adequacy of overall controls. Contractual pass-through language does not satisfy examiners if your program is hollow.
International companies serving US persons
Foreign MSBs with US customers generally must register with FinCEN and comply with US rules for those relationships, in addition to home-country obligations. OFAC applies regardless of where your servers sit.
Next steps if you are in scope
- Confirm MSB status with counsel experienced in fintech BSA issues
- Register with FinCEN if required; do not delay
- Draft or upgrade your AML policy and risk assessment
- Appoint a BSA Officer with authority and capacity
- Implement CDD, sanctions, and monitoring before scaling volume
- Schedule independent testing within 12–18 months of launch
For a broader primer on what AML entails operationally, start with “What Is AML Compliance?”
Practical next steps for your compliance program
Regulators expect documented policies, trained staff, and evidence that controls run in production—not slide decks. Map each obligation to an owner, a control, and a record type. Run tabletop exercises for SAR decisions, sanctions hits, and EDD escalations. When examiners or auditors arrive, they will ask for samples: show that your process is consistent, risk-based, and improving over time.
Technology should reduce manual error, not replace accountability. Automate identity verification, list screening, and case management, but keep human review for edge cases. Periodically validate vendor match quality and tune thresholds so you neither flood analysts with false positives nor miss material risk.
Frequently asked questions
Who must comply with the Bank Secrecy Act?
Covered financial institutions including banks, broker-dealers, MSBs, and other categories defined in BSA regulations must comply with AML and reporting obligations.
Is my fintech a money services business?
If you transmit funds, exchange currency, or provide certain prepaid or virtual currency services, you may be an MSB and must register with FinCEN and implement an AML program.
Does using a sponsor bank eliminate my AML obligations?
No. Sponsor banks contractually require fintech partners to perform KYC, monitoring, and SAR workflows even when the bank is the chartered institution.
What is FinCEN Form 107?
Form 107 is the MSB registration form filed with FinCEN, renewed every two years, confirming your business engages in covered MSB activities.
Can I operate without state money transmitter licenses?
Federal MSB registration does not replace state licensing. Most states require separate MTLs for money transmission activities.
What are penalties for unregistered MSB activity?
Operating as an unregistered MSB when required violates federal law and typically results in banking termination, fines, and enforcement referrals.