How to Align Your AML/BSA Policy With FinCEN’s Latest Guidance
Mar 20, 2026
FinCEN’s updates have led many fintech teams to revisit their AML/BSA policies and, in the process, recognize that some of their documentation no longer reflects how the business actually works or what regulators now expect. This isn’t about adding layers of compliance for the sake of it. It’s about lining up your controls with real risks, real customer behavior, and real operational choices.
This article takes a practical look at what an AML/BSA policy should cover today, how FinCEN approaches fintech obligations, and what the latest guidance looks like when applied in the real world. We translate key requirements into plain language, flag recent changes to SAR reporting and beneficial ownership rules, and share concrete steps to help you update your policies.
Whether you’re a founder, general counsel, or compliance officer, this guide is designed to help you align your AML/BSA policy with current expectations without unnecessary complexity.
At InnReg, we help MSBs (including money transmitters), crypto and payment fintechs build and refine AML/BSA programs, including risk assessments, SAR/escalation procedures, and vendor oversight.
What Is an AML/BSA Policy?
An Anti-Money Laundering/Bank Secrecy Act (AML/BSA) policy explains how a financial company thinks about risk and how it manages threats like money laundering, terrorist financing, and related financial crimes.
It shapes everyday decisions, from customer onboarding to transaction monitoring, investigations, and reporting. At its core, the policy sets clear expectations for how teams approach risk and make consistent, defensible decisions across the business.
For fintechs, the AML/BSA framework sits at the center of regulatory evaluations. Banks, payment networks, and state regulators will review how your controls work in practice. A clear policy helps demonstrate that you understand your products, your customer base, and the risks specific to your business model.
An effective AML/BSA policy also provides internal alignment. It clarifies roles, escalation paths, and the level of documentation required. It becomes the reference point for every decision tied to customer due diligence, transaction monitoring, and suspicious activity reporting.
Core Objectives of an AML/BSA Policy
A well-structured AML/BSA policy is built around a few core objectives:
Establish how your company identifies and assesses financial crime risk
Document the controls used to mitigate those risks
Define monitoring expectations and escalation standards
Describe reporting responsibilities, including SAR and CTR filing processes
Set expectations for training, independent reviews, and governance oversight
These objectives guide how a fintech interprets regulatory obligations within its own operating environment.
How FinCEN Defines AML/BSA Obligations for Fintechs
The Financial Crimes Enforcement Network (FinCEN) sets the baseline expectations for how financial companies prevent and detect financial crime. For fintechs, those expectations apply even when the business model doesn’t look like a traditional financial institution.
In other words, FinCEN cares about your activity, not the labels. That’s why many fintech products fall under the same obligations as long-standing financial entities.
Fintech companies often operate across payments, crypto, investing, or lending. Each of these activities triggers different regulatory touchpoints, but FinCEN’s position is consistent: if you move money or provide financial access, you’re part of the AML/BSA ecosystem.
What Money Services Businesses (MSBs) Must Do
Many fintechs fall under FinCEN’s definition of a Money Services Business. MSB status applies to money transmitters, payment platforms, virtual asset service providers, and similar models. Once a company meets this definition, several obligations apply:
Register with FinCEN
Maintain a written AML/BSA program
Perform customer identification and due diligence
Monitor activity and file SARs when appropriate
Keep required records and support law enforcement requests
MSBs also face examinations from the IRS, which acts as FinCEN’s delegated examiner. That makes documentation, governance, and recordkeeping especially important. An AML/BSA policy serves as the foundation for meeting these expectations and helps teams present a clear, organized picture during reviews.
Overlapping Oversight Between FinCEN, Federal, and State Regulators
FinCEN is the rulemaker, but it’s not the only authority with which fintechs interact. Depending on your model, banks, state regulators, and federal agencies may all play roles in oversight.
Partner banks review your AML/BSA program for their own regulatory obligations.
State licensing agencies evaluate risk controls for money transmitters and digital currency firms.
The SEC and FINRA add requirements for broker-dealers and investment platforms.
For fast-growing fintechs, the most common pressure comes from partner banks. Their regulators will examine how the bank oversees third-party programs, which means your AML/BSA policy must meet bank-level expectations. Even small gaps can stall onboarding or expansion when a partner bank identifies inconsistencies.
How the Bank Secrecy Act (BSA) and FinCEN Intersect
The Bank Secrecy Act sets the legal foundation for AML obligations. FinCEN writes the regulations that implement those requirements. Together, they form the framework that guides customer onboarding, monitoring, and reporting across the financial system.
From a fintech firm’s standpoint, understanding this relationship helps clarify why requirements sometimes feel broad. The BSA defines the goals while FinCEN provides the operational details. Your AML/BSA policy bridges the two by translating both into practical processes that fit your business model.
This connection also explains why FinCEN’s guidance carries so much weight. When the agency updates its expectations, financial companies are expected to reflect those changes in their own policies and procedures.
Key Components Every AML/BSA Policy Should Include
A strong Anti-Money Laundering and Bank Secrecy Act policy gives your team a clear structure to follow. It outlines how your company identifies risk, applies controls, and documents decisions. A complete policy usually includes the following components:
Governance and Accountability: This section defines who owns the AML program. It identifies the BSA Officer, escalation channels, and board or leadership responsibilities. Regulators look for clear accountability.
Risk Assessment Framework: Your policy should explain how you evaluate customer, product, geographic, and transactional risk. Fintechs often face unique exposure points because of digital onboarding, real-time movement of funds, or cross-border flows. A risk assessment is the anchor that justifies why certain controls exist and how resources are allocated.
Customer Identification and Due Diligence: Every AML/BSA policy must describe how you verify identities and assess customer risk. This includes CIP, CDD, and scenarios that require enhanced due diligence.
Transaction Monitoring Standards: This part outlines how your systems detect unusual or potentially suspicious activity. It should reference rule types, alert reviews, escalation paths, and documentation standards. Many fintechs rely on a blend of vendor tools and internal logic, so clarity helps investigators make consistent decisions.
Suspicious Activity Reporting: Your policy should summarize when a SAR is filed, who reviews cases, and how timelines are managed. FinCEN’s 2025 guidance changed several expectations, which means fintechs may need to update escalation criteria and documentation practices. This is often the most scrutinized section during audits and bank partner reviews.
Sanctions Screening and Watchlist Controls: Screening customers and transactions against OFAC and other lists is a core requirement. Your policy should capture how screening occurs, how potential matches are resolved, and how records are kept.
Training and Internal Communication: Training expectations should be documented by role. Founders, customer support, engineering, and fraud teams need different levels of detail. A robust policy shows how training ties back to real operational responsibilities.
Independent Testing: These reviews validate whether your program works as written. Your policy should describe the frequency, scope, and reporting structure of these reviews.

Aligning Your AML/BSA Policy With FinCEN’s Guidance
FinCEN’s updates pushed financial companies to make their AML/BSA programs more risk-driven and more reflective of actual customer behavior. The agency wants institutions to focus on meaningful activity, not routine filings or template language.
Getting your AML/BSA policy in line with current guidance means knowing where FinCEN changed its expectations. The most significant updates touch suspicious activity reporting, how institutions document their decisions, and how they share information across borders. All three directly affect how a fintech builds out its monitoring and escalation process.
A good approach is to treat FinCEN’s guidance as an operational checklist. Identify what has changed, determine how each change affects your procedures, and update the policy language so your teams have clear direction.

Key Changes in Suspicious Activity Reporting (SAR) Requirements
FinCEN’s 2025 SAR guidance clarified how companies should think about “suspicious” activity. The emphasis is on context, judgment, and proportionality. The goal is fewer low-value filings and more reports that reflect real risk.
Notable updates include:
Transactions just under the CTR threshold do not automatically trigger a SAR
Continuing SARs no longer follow a rigid 90-day cycle
Institutions do not have to create unnecessary “no-SAR decision memos”
For fintechs, this changes the tone of the case review. Investigators can focus on behavior that actually signals illicit activity rather than spending time on administrative filings that add little value.
Your AML/BSA policy should now reinforce the point that SAR decisions must be grounded in risk, clearly documented, and escalated when appropriate.
Incorporating FinCEN’s Priorities and Emerging Threat Areas
FinCEN’s national priorities highlight the risks most relevant to today’s financial system. In June 2021, FinCEN issued its first national AML/CFT priorities under the Anti-Money Laundering Act of 2020, establishing a government-wide framework for identifying the most significant illicit finance threats to the U.S. financial system.
These include cybercrime, fraud schemes, human trafficking, terrorist financing, drug activity, corruption, and proliferation financing. Your AML/BSA policy should show how your program covers these themes.
Fintechs often face exposure to these risks in different ways:
Fast onboarding can amplify fraud and synthetic identity risk
Cross-border transfers can expose companies to corruption or sanctions risks
Digital assets create new patterns of illicit movement or obfuscation
Aligning your policy with FinCEN’s priorities doesn’t require a rewrite. It requires mapping your controls to each risk area and tightening the parts that relate to your actual products. This gives regulators and partner banks confidence that you’ve considered the risks most relevant to your business.
Cross-Border Information Sharing
FinCEN’s recent guidance also clarified when institutions can share AML-related information across borders: they can share risk information, trends, and context with foreign affiliates or partners as long as they protect SAR confidentiality.
This opens the door for smoother investigations and better coordination when activity crosses jurisdictions. Regulators want to see that your AML/BSA policy captures how your company handles this type of information sharing and who approves it.
For companies with global models or foreign banking partners, documenting this process can remove friction during joint investigations or bank reviews. It also helps internal teams understand what can be shared, when, and under what conditions.
Beneficial Ownership and Transparency Requirements
FinCEN’s recent actions around beneficial ownership reporting created confusion for many fintech teams. Some obligations shifted, while others remained unchanged in the March 2025 interim final rule.
Fintech companies often face more complex ownership structures than traditional financial institutions. Startups, SPVs, foreign entities, and crypto-related businesses may all appear in your customer base.
Your AML/BSA policy should therefore reflect the current rules and clarify how your company verifies ownership information during onboarding and ongoing monitoring. Clear procedures help your teams collect the right information the first time, reducing delays in onboarding or future reviews.
Impact of Corporate Transparency Act Changes
The Corporate Transparency Act (CTA) introduced a nationwide beneficial ownership reporting obligation. FinCEN later updated that framework, which changed who must file and when. Many companies that were expected to be subject to BOI reporting are no longer required to submit filings, but the rule did not alter due diligence obligations for financial institutions.
Key points fintech teams should understand:
CTA reporting and AML/BSA due diligence are separate obligations.
Even if a customer no longer reports to FinCEN, institutions still collect ownership information under the CDD Rule.
Ownership information remains a core part of onboarding for legal entities.
Your AML/BSA policy should state that customer due diligence is still required, regardless of CTA reporting changes, because banks and fintechs rely on this information to assess risk and meet BSA expectations.
How to Handle Beneficial Ownership in Customer Due Diligence (CDD)
Even though “domestic reporting companies” and their beneficial owners are now exempt from the requirement to report beneficial ownership information (BOI) to FinCEN, beneficial ownership is still a core part of AML/BSA CDD.
Fintech programs typically collect beneficial ownership information during onboarding, periodic reviews, and when risk triggers require updated information. Clear policy language helps your teams make consistent decisions across different customer types.
An effective AML/BSA policy must explain:
When you collect beneficial ownership information
How you identify individuals with significant control or ownership stakes
What kind of documentation you accept (government IDs, formation documents, attestations)
When you apply refresh cycles
How you escalate discrepancies and incomplete information
Beneficial ownership procedures must match your business model, especially if you serve startups, foreign entities, digital asset businesses, or layered corporate structures.
A practical approach is to apply a simple decision framework during onboarding, supported by documentation templates and vendor tools where appropriate. InnReg often helps fintech clients create these frameworks so teams can make quick, consistent decisions without sacrificing quality.
Common AML/BSA Policy Gaps in Fintech Programs
Fintech companies tend to scale quickly, which often exposes gaps in their AML/BSA programs. These gaps rarely appear in the early days. They surface once customer volume grows, new features launch, or partner banks begin deeper oversight.
Here are some of the common gaps to overcome:
Incomplete Customer Identification and Risk Profiling
Many fintechs rely heavily on automated onboarding tools. Automation helps with speed but can create blind spots if the policy doesn’t define what happens when data is ambiguous or incomplete.
Common issues include:
Relying on a single data source for identity verification
Weak or missing documentary verification rules
No documented approach for synthetic identity risk
Limited differentiation between low, medium, and high-risk customers
A strong AML/BSA policy clearly outlines how customer risks are assessed, how exceptions are handled, and when enhanced due diligence applies. This specification gives onboarding and fraud teams a consistent playbook, especially when volume increases.
Over-Reliance on Vendors or Partner Banks
Fintech programs frequently use third-party tools for KYC, sanctions screening, and transaction monitoring. Vendors can support operations, but they are not a substitute for an internal program.
Gaps will often appear when:
The policy references vendor processes without describing internal oversight
Staff cannot explain how vendor logic works
Partner banks expect higher standards than what the vendor provides
Fintechs also sometimes assume their bank partner covers major parts of the program. In practice, regulators evaluate both sides.
In line with FinCEN’s latest guidelines, an effective AML/BSA policy describes how vendor output is reviewed, how the team escalates issues, and how responsibilities are divided between you and your bank partner.
Missed Red Flags in Transaction Monitoring
Fast-moving fintechs often outgrow their first transaction monitoring setup. Rules tuned for early-stage activity no longer make sense as customer behavior expands.
Typical gaps include:
High alert volumes with no tuning schedule
Rules that don’t reflect updated product features
Little differentiation between fraud and AML alerts
Inconsistent escalation or documentation standards
Teams need clear thresholds, risk markers, and timelines. Your AML/BSA policy should describe how alerts are generated, reviewed, and escalated, especially in models with high transaction velocity.
Insufficient Internal Oversight and Training
As fintechs scale, training tends to fall behind. Teams expand, responsibilities shift, and documentation becomes scattered. These growing pains often create inconsistencies in how investigators review alerts or how onboarding teams escalate concerns.
Policy gaps usually involve:
Training that doesn’t match each team’s role
No defined review cycle for updating training content
Limited internal communication on new risks or guidance
When you spell out training expectations in your AML/BSA policy, you create a common standard that applies across product, engineering, operations, and compliance. This also puts you in a stronger position when examiners or partner banks come knocking, since training records are one of the first things they ask for.
Practical Steps to Update Your AML/BSA Policy
Updating an AML/BSA policy works best when approached as an iterative, structured process. The goal is to align your controls with FinCEN’s latest guidance while keeping the policy practical for day-to-day use.
Each step below focuses on an operational action the company can take. These steps work for early-stage fintechs refining their first program and for mature companies preparing for a bank review or independent audit.
Step 1: Reassess Your Risk Profile and Customer Base
Start with a fresh risk assessment. Product features, customer segments, and transaction patterns change over time. Your policy should reflect those shifts.
Focus on:
New product lines or payment capabilities
International exposure, including new corridors
Fraud trends or chargeback patterns
Customer types that trigger higher due diligence
A risk assessment drives updates across the full AML/BSA policy because it defines where controls need to be tightened and where monitoring should expand.
Step 2: Review SAR Escalation and Documentation Procedures
FinCEN’s 2025 guidance changed expectations around SAR timing, thresholds, and documentation. What that means for you is that your procedures may be outdated even if they were acceptable in prior years.
Update your policy to cover:
How investigators make risk-based decisions
When cases escalate to compliance leadership
Internal review timelines before filing
How continuing activity is documented
Your AML/BSA policy should reflect these updated expectations so that investigators and managers apply the same standards during case reviews.

Step 3: Update Internal Controls and Vendor Oversight Practices
Many fintechs rely on vendors for onboarding, screening, or monitoring. Policies should describe how the internal team oversees these tools, because regulators expect documented accountability. This clarity becomes essential during audits or bank partner evaluations.
Step 4: Train Teams on the New SAR and Information Sharing Guidance
Training is where updated policy language becomes operational. Teams across compliance, risk, fraud, and customer support must understand what changed.
Training should cover:
Revised SAR expectations
When information can be shared with affiliates or foreign partners
Escalation paths and ownership
Documentation examples and case studies
Fintech companies that move quickly benefit from scheduled refresh cycles, which keep teams aligned during product or workflow changes.
Step 5: Conduct an Independent Review to Validate Effectiveness
Independent testing verifies whether revised controls work as intended. It also highlights where procedures diverge from actual practice.
A review typically evaluates:
Policy language vs. workflow execution
Case documentation standards
Monitoring logic and system outputs
Vendor performance and oversight
Independent reviews help leadership understand where the AML program is strong and where it needs reinforcement. Many fintechs use outside specialists, such as InnReg, to provide this evaluation when internal resources are limited.
Building a Future-Proof AML/BSA Policy
A future-proof AML/BSA policy adapts as your products, customers, and regulatory expectations evolve. In other words, it should act as a living operational guide that supports growth without creating unnecessary friction.
Here’s how you can future-proof your policy every quarter with a strong foundation:
Integrating Technology Without Losing Human Oversight
Fintech teams rely on automation for onboarding, screening, and monitoring. Automation helps with speed and volume, but can’t replace judgment. Your policy should reflect a balance between system logic and human review.
Technology should support your AML/BSA policy, not dictate it. When teams understand how tools fit into the broader control environment, their decisions become more consistent.

Using Data Analytics to Improve AML Outcomes
As fintechs scale, data becomes one of their most valuable compliance assets. Analytics help reveal patterns, reduce false positives, and highlight new risks. Your AML/BSA policy should include how data informs both strategic decisions and daily reviews.
Some ideas include:
Metrics used to tune transaction monitoring rules
Thresholds that trigger deeper reviews
Data sources used in risk scoring
How models are tested and recalibrated
A data-supported policy creates transparency across teams, especially when investigators, engineers, and compliance managers collaborate on monitoring improvements.
Embedding Continuous Improvement Into Compliance Operations
As stated, a modern AML program evolves with the business. It also incorporates continuous improvement, which helps fintech teams stay aligned with changing products, customer behavior, and regulatory updates.
Your policy can support this by describing:
Review cycles for key program components
How regulatory updates translate into operational changes
How feedback from audits or partner banks is incorporated
How new risks or product features trigger policy updates
This approach keeps your AML/BSA policy relevant and reduces the likelihood of sudden, large-scale rewrites. It also helps build the type of documented discipline that regulators and bank partners expect from fintech companies.
—
Fintech models shift quickly, and your policy needs to keep pace. FinCEN’s new guidelines can help make your program more accurate, more risk-focused, and more reflective of how your fintech actually operates.
The updates outlined in this guide can serve as a clear roadmap for your team. But translating this guidance into practical workflows may require outside expertise. That’s where InnReg can help.
Our compliance specialists work with fast-growing fintechs across payments, crypto, investing, and lending. We assist with policy development, program build-outs, and ongoing compliance operations so you can focus on your product.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with money transmitter compliance, reach out to our regulatory experts today:
Last updated on Mar 20, 2026