What companies are required to have an AML compliance program?

Under the Bank Secrecy Act, financial institutions including banks, broker-dealers, money services businesses (MSBs), mutual funds, and insurance companies must maintain AML programs. FinCEN’s definition of MSB captures many fintech companies, including those engaged in money transmission, currency exchange, or payment processing.

What are the core elements of an AML compliance program?

A compliant AML program must include written internal policies and procedures, a designated compliance officer, ongoing employee training, independent testing by a qualified third party, risk-based customer due diligence (CDD) and enhanced due diligence (EDD) procedures, suspicious activity monitoring and SAR filing processes, OFAC sanctions screening, and recordkeeping. FinTech Law designs AML programs calibrated to the company’s specific risk profile and regulatory status.

Does my fintech company need to register with FinCEN?

If your company meets the definition of a money services business under FinCEN’s regulations — which includes money transmitters, payment processors, currency exchangers, and dealers in convertible virtual currency — you must register with FinCEN within 180 days of commencing operations. Registration is a federal requirement separate from state money transmitter licensing. Failure to register carries criminal penalties.

How do AML requirements apply to cryptocurrency and digital asset businesses?

FinCEN has confirmed that businesses engaged in accepting and transmitting convertible virtual currencies are money transmitters subject to BSA obligations. This includes cryptocurrency exchanges, certain DeFi platforms with centralized components, and any business facilitating the transfer of digital assets between parties. AML obligations include customer identification programs, transaction monitoring, SAR filing, CTR reporting for transactions above $10,000, and travel rule compliance for fund transfers.

What happens if my company fails an AML examination or audit?

Consequences range from remediation requirements and consent orders to civil money penalties (which can reach millions of dollars per violation) and criminal prosecution in severe cases. Federal banking regulators, FinCEN, and state regulators all have enforcement authority. Proactive measures — including regular independent testing, timely SAR filing, and documented remediation of identified deficiencies — significantly reduce enforcement risk. FinTech Law assists with examination preparation, response, and remediation.

AML Compliance Attorney | Anti-Money Laundering Legal Services

We provide AML compliance and advisory services for investment advisers, funds, and digital asset firms, including developing AML policies, due diligence, and regulatory reporting.

Let's Talk AML Compliance

AML Compliance Legal Services

Anti-money laundering compliance is a core regulatory obligation for financial institutions, investment advisers, fund managers, broker-dealers, money services businesses, and — increasingly — fintech companies and digital asset platforms. The Bank Secrecy Act (BSA) and its implementing regulations, enforced by the Financial Crimes Enforcement Network (FinCEN), establish the framework for detecting and reporting suspicious financial activity, identifying beneficial owners, and preventing the use of the financial system for money laundering, terrorist financing, and other illicit purposes.

FinTech Law provides AML compliance legal services to investment advisers, private and registered funds, fintech companies, digital asset firms, and money services businesses. Our practice combines deep understanding of BSA/AML requirements with expertise in the broader securities regulatory and fintech landscape, allowing us to design AML compliance programs that satisfy regulatory expectations while operating efficiently within your business model.

Our AML Services

AML Program Design and Implementation

Every financial institution subject to the BSA must establish and maintain a written AML compliance program. The specific requirements vary by entity type, but the core elements are consistent: a system of internal controls and procedures for BSA compliance, designation of an AML compliance officer, ongoing employee training, independent testing (audit) of the AML program, and risk-based customer due diligence (CDD) procedures including beneficial ownership identification.

FinTech Law designs AML programs tailored to your specific risk profile, business model, and regulatory classification. We draft AML policies and procedures, establish customer identification program (CIP) requirements, develop risk-based CDD and enhanced due diligence (EDD) frameworks, create suspicious activity monitoring protocols, and build the documentation infrastructure that examiners expect to see when they review your program.

For fintech companies and digital asset platforms, AML program design must account for the unique risks of digital transactions — including the speed of transactions, the pseudonymous nature of blockchain addresses, the use of mixing services and privacy coins, and the cross-border nature of digital asset transfers.

Customer Due Diligence and KYC

Know Your Customer (KYC) is the foundation of AML compliance. CDD requirements mandate that financial institutions identify and verify the identity of their customers, understand the nature and purpose of customer relationships, and conduct ongoing monitoring to identify suspicious activity. The FinCEN CDD Rule expanded these requirements to include identification and verification of beneficial owners of legal entity customers.

FinTech Law advises on CDD program design, including risk-based customer risk scoring methodologies, identity verification procedures for both individual and entity customers, beneficial ownership identification and verification, enhanced due diligence for higher-risk customers (PEPs, foreign correspondents, high-risk jurisdictions), and ongoing monitoring procedures to detect changes in customer risk profiles.

For digital asset businesses, KYC presents particular challenges around pseudonymous transactions, cross-chain activity, and the identification of counterparties on decentralized platforms. We help design KYC frameworks that satisfy regulatory requirements while preserving user experience.

Suspicious Activity Reporting

The obligation to file Suspicious Activity Reports (SARs) is one of the most critical — and most scrutinized — elements of BSA compliance. Financial institutions must monitor customer activity for transactions that may indicate money laundering, terrorist financing, fraud, or other specified unlawful activity, and file SARs with FinCEN when suspicious activity is detected.

FinTech Law advises on the design of transaction monitoring systems and alert investigation procedures, the legal standards for determining when a SAR filing is required, the preparation of SAR narratives that meet FinCEN expectations, Currency Transaction Report (CTR) filing procedures for cash transactions exceeding $10,000, and the confidentiality provisions that prohibit disclosure of SAR filings to the subjects of reports.

We also advise on the legal protections available to institutions that file SARs in good faith (safe harbor provisions) and the potential liability for failure to file when required.

OFAC Sanctions Compliance

The Office of Foreign Assets Control (OFAC) administers economic sanctions programs that prohibit U.S. persons and entities from conducting business with sanctioned individuals, entities, and jurisdictions. OFAC compliance is a strict liability regime — meaning violations can result in significant penalties regardless of intent or knowledge.

FinTech Law advises on OFAC compliance program design, including screening procedures against the Specially Designated Nationals (SDN) list and other OFAC lists, procedures for addressing potential matches, blocking and rejecting requirements for prohibited transactions, and recordkeeping and reporting obligations. For digital asset businesses, OFAC compliance requires specific attention to blockchain address screening and the risks associated with transactions involving sanctioned jurisdictions or addresses.

AML Regulatory Examinations

BSA/AML compliance is a priority focus area for every financial regulator. SEC examinations regularly assess investment adviser and broker-dealer AML programs. FinCEN conducts direct examinations and enforcement actions. State regulators review AML programs as part of licensing examinations for money services businesses and money transmitters.

FinTech Law helps clients prepare for and respond to AML examinations, including organizing documentation, preparing staff for examiner interviews, addressing examination findings, and implementing remedial measures if deficiencies are identified. Our SEC compliance practice provides additional depth for examination preparation.

AML for Specific Industries

Investment Advisers and Funds

While investment advisers are not currently subject to a specific FinCEN AML rule (a proposed rule has been pending for years), many advisers are subject to AML obligations through other channels — including CFTC requirements for commodity-related advisers, FINRA requirements for dually registered firms, and contractual obligations imposed by custodians and counterparties. Additionally, SEC examination staff regularly assess advisers' and funds' AML risk practices even absent a formal rule. FinTech Law helps investment advisers establish appropriate AML practices that meet current expectations and position the firm for compliance with future FinCEN rulemaking.

Fintech Companies and Payment Platforms

Fintech companies that transmit money, process payments, or facilitate financial transactions may be classified as money services businesses (MSBs) subject to BSA registration and AML compliance requirements. State money transmitter licensing adds another layer of AML obligations. We help fintech companies determine their regulatory classification and build AML programs that satisfy both federal and state requirements.

Digital Asset Businesses

Digital asset exchanges, custody providers, wallet services, and DeFi platforms face AML obligations that are evolving rapidly. FinCEN has classified certain digital asset businesses as MSBs subject to BSA requirements. The travel rule, which requires financial institutions to share originator and beneficiary information for certain transfers, has been extended to digital asset transactions. We advise digital asset businesses on BSA compliance, state licensing AML requirements, and the practical challenges of implementing AML controls in decentralized environments.

Frequently Asked Questions

Does my investment adviser need an AML program? Currently, there is no final FinCEN rule requiring investment advisers to maintain formal AML programs (though a proposed rule exists). However, SEC examination staff assess AML risk practices, custodians often require it contractually, and advisers with CFTC registration or FINRA membership may have AML obligations through those channels. As a practical matter, most investment advisers should maintain AML policies and procedures appropriate to their risk profile.

What triggers a SAR filing obligation? A SAR must be filed when a financial institution knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity, is designed to evade BSA requirements, lacks a lawful purpose consistent with the customer relationship, or involves the use of the financial institution to facilitate criminal activity. The threshold is $5,000 for most financial institutions ($2,000 for MSBs). We advise on the legal standards and help design monitoring systems to detect reportable activity.

What are the penalties for AML non-compliance? BSA/AML violations can result in civil monetary penalties (up to the greater of $1 million or twice the transaction amount per violation), criminal penalties (fines and imprisonment for willful violations), consent orders and enforcement actions, loss of banking relationships and licenses, and reputational damage. The severity of penalties depends on the nature of the violation, the institution's compliance program, and the degree of willfulness involved.

How does AML compliance work for digital asset businesses? Digital asset businesses classified as MSBs must register with FinCEN, implement AML programs, file SARs and CTRs, comply with the travel rule, and maintain records of transactions. Blockchain analytics tools can supplement traditional monitoring, but they do not replace the need for comprehensive AML programs with human oversight. We design AML frameworks specifically for digital asset operations.

How often should we test our AML program? BSA regulations require independent testing of AML programs, with frequency based on the institution's risk profile. Most financial institutions conduct independent AML testing annually. Higher-risk institutions or those with recent examination findings may need more frequent testing. We help design testing programs and can coordinate with independent testers.

Connect with us today

At FinTech Law, we bring strategic expertise to help your firm reduce financial crime risks and build a strong compliance foundation. Contact us today.

Talk with FinTech Law

Subscribe to FinTech Law's Legal & Compliance Newsletter

Subscribe to get the latest news and updates regarding the financial tech and regulatory tech industry.