
Lesson 04 of 15

Building a FinTech AML Program: The Pillars

5 min read · AML·FT

Internal controls, a designated BSA officer, training, independent testing, and risk-based CDD — the pillars are universal, but applying them at fintech speed is the challenge. Learn where each pillar breaks and how a current risk assessment ties them together.

The pillars: your program skeleton

  • Every BSA program is built on the same pillars
  • MSB program rule: 31 CFR 1022.210; banks: 1020.210
  • Pillars are universal; the fintech twist is in how you apply them

Every BSA/AML program, at a bank or a money services business, is built on the same skeleton: the pillars. For an MSB, the requirement to have a written, risk-based AML program sits at 31 CFR 1022.210; for banks it's at 31 CFR 1020.210. The pillars themselves are the same well-worn list, and the exam-style point is that they're universal.

What's different in fintech isn't the list, it's how each pillar gets applied to a fast, digital, partner-dependent business. So let's walk the pillars, and at each one, name where fintechs stumble.

Pillars 1 and 2: controls and a BSA officer

  • A system of internal controls — written, risk-based, board-approved
  • A designated BSA/AML compliance officer with authority and resources
  • FinTech trap: a junior 'compliance person' with no authority
  • The officer must be empowered to halt a product

The first pillar is a system of internal controls: written policies and procedures, risk-based, approved by the board or equivalent governance, that actually govern how you onboard, monitor, and report. The fintech trap here is the document that exists but doesn't match the product, written once for a funding deck and never updated as five new features shipped. The second pillar is a designated BSA/AML compliance officer, a real, named person with the authority, seniority, and resources to run the program.

In fintech the classic failure is a single overloaded 'compliance person,' junior and under-resourced, who can flag a problem but can't stop a launch. The officer has to be empowered to say no, to slow a product down, to escalate to the board. If your compliance lead can't halt a risky feature, you don't really have this pillar.

Pillars 3 and 4: training and independent testing

  • Ongoing AML training, role-tailored, documented
  • Independent testing — audit by someone not running the program
  • FinTech trap: engineers make compliance decisions untrained
  • Independent test can be internal audit or a qualified outside firm

The third pillar is ongoing training: appropriate, role-tailored, and documented. In fintech this has to reach further than the compliance team, because product managers and engineers make compliance-relevant decisions all the time, in onboarding flows, in monitoring rules, in how data is stored. If the people building your money features have never been trained on what a Customer Identification Program requires or what triggers a suspicious activity report, your training pillar has a hole in it.

The fourth pillar is independent testing: a periodic, objective audit of the program by someone not responsible for running it, internal audit or a qualified outside firm. The independence is the point, the same principle behind any third line of defense. A fintech that has its own compliance team 'review their own work' has testing, but not independent testing, and an examiner will notice the difference.

Pillar 5: risk-based CDD and beneficial ownership

  • The 'fifth pillar': risk-based CDD + beneficial ownership
  • Source: the CDD Rule, 31 CFR 1010.230
  • Know your customer, risk-rate them, monitor on a risk basis
  • For legal-entity customers: collect beneficial owners

The fifth pillar, added by FinCEN's Customer Due Diligence Rule, is risk-based customer due diligence, including identifying the beneficial owners of legal-entity customers. The rule lives at 31 CFR 1010.230. In substance it means you have to understand who your customer is, develop a risk profile for them, monitor their activity against that profile on a risk basis, and, when the customer is a company, collect the humans who own or control it.

We'll spend a full lecture on CDD and beneficial ownership later, so here just slot it into the skeleton: it's a formal program pillar, not an optional nicety. Fintechs that built slick consumer onboarding sometimes forget that their business customers trigger a whole separate beneficial-ownership obligation.

Making the program risk-based and real

  • Start from a written enterprise AML risk assessment
  • Tie controls to the risks your specific product creates
  • Keep it current as products and volumes change
  • FFIEC manual is the examiner's yardstick — read it

The thread tying all the pillars together is that the program must be risk-based, and that starts with a written enterprise-wide AML risk assessment: an honest inventory of the money-laundering and sanctions risks your specific products, customers, geographies, and channels create. Your controls should then map to those risks, more control where risk is higher, less where it's lower. The fintech-specific discipline is keeping this current.

Fintechs change fast: a new payout corridor, a crypto on-ramp, a small-business product, each of those changes your risk and should update your assessment and your controls. The FFIEC BSA/AML Examination Manual is the examiner's yardstick for all of this; it's public, and reading it is the cheapest way to see your program through their eyes. A program that can't show a current risk assessment driving its controls looks, to an examiner, like a program that was copied, not built.

Recap and self-check

  • Pillars: controls, BSA officer, training, independent testing, CDD/BO
  • Universal list; fintech challenge is real application at speed
  • Risk assessment drives the whole thing; keep it current
  • Empowered officer + independent test are common weak spots

Let's recap. A fintech AML program rests on the same pillars as any BSA program: a system of internal controls, a designated and empowered BSA/AML officer, ongoing training, independent testing, and risk-based customer due diligence with beneficial ownership, all driven by a current, written risk assessment. The list is universal; the fintech challenge is applying it for real, at speed, across a partner stack.

Self-check: name your five pillars and, for each, point to the document and the person behind it. If your BSA officer can't stop a launch, or your 'independent' test is run by the people who built the program, you've found the weak pillar. Next, we zoom into the first place the program meets the customer: digital onboarding and your Customer Identification Program.

Sources

  • Bank Secrecy Act program requirements / 31 CFR Chapter X
  • FinCEN MSB AML program rule, 31 CFR 1022.210
  • CDD Rule, 31 CFR 1010.230
  • FFIEC BSA/AML Examination Manual

Test your knowledge

A few AML·FT questions on this material.

  Q1. After an MSB fintech files a SAR on a customer, the customer's relationship manager wants to warn the customer to 'clean up' their activity. Why is this prohibited?

  Q2. A common enforcement pattern against fast-growing fintechs involves a BSA/AML program that did not scale with the business. Which deficiency best fits this pattern?

  Q3. When a fintech relies on a sponsor bank under a banking-as-a-service (BaaS) arrangement, how should it view its own BSA/AML responsibilities?

  Q4. A company issues prepaid debit cards reloadable with cash at retail locations nationwide. Under FinCEN's MSB definition, which category is most likely to apply?
