Building a BSA/AML Program That Satisfies a Bank Sponsor's Compliance Team
FinCEN guidance and bank sponsor expectations for fintech BSA/AML programs are not the same thing. Bank sponsors are accountable for their fintech partners' AML compliance under the Bank Secrecy Act, and their internal compliance standards often exceed what FinCEN technically requires of the fintech directly. Understanding the gap is the first step to closing it.
The Two-Layer BSA/AML Obligation
A fintech operating on a BaaS platform has two distinct BSA/AML obligations. The first is the obligation that applies to the fintech directly under FinCEN rules, which depends on the fintech's charter status, the financial activities it performs, and whether it is itself a money services business. The second is the obligation the bank sponsor imposes contractually through the program agreement, which reflects the bank's own regulatory obligations to its federal supervisor.
These two obligations do not align perfectly. A fintech that is not itself subject to FinCEN's full BSA program requirements can still be required by its bank sponsor to maintain a program that meets those requirements, because the bank sponsor is accountable for the fintech's compliance under the bank's own BSA obligations. Fintechs that build their programs only to the regulatory floor applicable to them directly will fail bank partner compliance reviews.
What Bank Sponsors Are Requiring
Written BSA/AML policy document. A formal policy statement, board-approved or senior management-approved, describing the fintech's anti-money laundering program, risk-based approach, and designated BSA officer. Banks require the policy to be current, reviewed on a defined cadence, and certified annually by the fintech's compliance leadership.
Customer Identification Program. A written CIP that describes how the fintech collects, verifies, and records identity information for each customer. The CIP must address what happens when verification fails, how beneficial ownership is collected for business accounts, and how the fintech handles customers who cannot be verified.
Suspicious activity monitoring and SAR filing procedures. Written transaction monitoring procedures describing the rules or thresholds used to flag potentially suspicious activity, the investigation workflow from alert to disposition, the SAR filing process, and how the fintech coordinates SAR filings with its bank sponsor to avoid duplicate filings and ensure bank examiner visibility.
OFAC screening documentation. Evidence that the fintech screens new customers and transactions against OFAC Specially Designated Nationals and Blocked Persons lists, with documentation of the screening tool used, its update cadence, and the workflow for handling potential matches.
Training records. Annual BSA/AML training completion records for all employees with customer-facing or financial product responsibilities. Banks require training records, not just training materials.
Independent testing. An annual independent assessment of the BSA/AML program by a party that is independent of the program's day-to-day operation. For early-stage fintechs, this is typically performed by an external compliance consultant. The assessment must produce a written report, and the fintech must document how it responded to any findings.
The gap most fintechs have: Most early-stage fintechs have a written AML policy and some version of a CIP. Very few have written suspicious activity monitoring procedures, documented SAR coordination workflows, OFAC screening documentation, training records, or independent assessment reports. Those are the items that consistently produce delays in bank partner due diligence.
Building to Bank Sponsor Standard
The approach that resolves bank partner BSA/AML due diligence fastest is building the program to the standard the bank's own examiner would apply, rather than to the standard the fintech believes applies to it directly. Bank compliance teams are trained to evaluate BSA/AML programs as their examiners would. A program built to that standard produces fewer information requests and shorter review timelines.
This practice builds BSA/AML programs for fintech clients as part of the Bank Partner DD Package and Fractional CCO engagements. The programs are written to examiner standard because that is the standard that will actually be applied to them.