The 5 Pillars of BSA/AML Compliance: Complete Guide for Fintech Teams

Introduction

Fintech teams face a hard truth: regulators don't wait for your product roadmap to catch up. As companies scale from seed stage to Series C and beyond, BSA/AML compliance expectations arrive immediately—and the cost of getting it wrong is existential. Enforcement actions, partner bank terminations, and licensing denials can halt growth overnight.

In October 2024, FinCEN assessed a $1.3 billion penalty against TD Bank for failures spanning all five BSA/AML program pillars. The consent order detailed monitoring gaps, ineffective testing, insufficient BSA Officer authority, training deficiencies, and CDD backlogs—a textbook case of how pillar failures cascade into regulatory disaster.

That penalty wasn't a single failure—it was five simultaneous ones. This guide breaks down each BSA/AML pillar, how it applies specifically to Fintech teams, where OFAC fits into the picture, and what the most common breakdown points look like in practice. Whether you're building your first compliance program or pressure-testing an existing one, you'll leave with a clear framework for identifying gaps before regulators do.

TLDR

  • The BSA requires every BSA-defined financial institution, a category that covers many Fintechs (money transmitters, crypto exchanges and other MSBs among them), to maintain a formal AML program built on five regulatory pillars
  • Five pillars form every compliant program: Internal Controls, BSA/AML Officer Designation, Ongoing Employee Training, Independent Testing, and Customer Due Diligence
  • OFAC compliance isn't one of the five pillars but is integral to complete BSA/AML programs
  • FinCEN's proposed rule could codify risk assessment as a formal sixth pillar — treat proactive risk mapping as a near-term priority now

What Is BSA/AML Compliance and Who Does It Apply to in Fintech?

The Bank Secrecy Act (BSA), enacted in 1970, requires financial institutions to help U.S. government agencies detect and prevent money laundering and terrorist financing. This includes filing Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and maintaining adequate records.

BSA/AML obligations extend far beyond traditional banks. The requirements apply to:

  • Money services businesses (MSBs): money transmitters, prepaid access providers, check cashers, and foreign exchange dealers must register and comply with BSA requirements
  • Crypto exchanges and virtual currency platforms: FinCEN's 2013 guidance, consolidated and expanded in 2019, clarified that persons accepting and transmitting value that substitutes for currency—including virtual currency—are money transmitters under the BSA
  • Lending platforms: coverage depends on the lending activity. FinCEN brought nonbank residential mortgage lenders and originators under AML program and SAR requirements in 2012; a lender outside that category is covered only if it also performs a regulated activity such as money transmission
  • Payments processors and BaaS providers: when engaged in money transmission or other MSB activities, these entities carry BSA obligations

Operating under a sponsor bank model doesn't absolve your compliance responsibilities. While banks must manage third-party fintech risks, fintechs performing regulated activities retain independent BSA obligations — a distinction regulators have enforced with increasing frequency.

Who Enforces BSA Compliance?

FinCEN (Financial Crimes Enforcement Network) under the U.S. Treasury is the primary BSA enforcer, but oversight varies by institution type — as outlined in the FFIEC BSA/AML Manual:

  • OCC (Office of the Comptroller of the Currency): national banks and federal savings associations
  • FDIC (Federal Deposit Insurance Corporation): state-chartered banks not members of the Federal Reserve
  • Federal Reserve: state member banks and bank holding companies
  • NCUA (National Credit Union Administration): federally insured credit unions
  • State regulators: money transmitters and state-chartered institutions

For fintech teams, the stakes are particularly high: a BaaS arrangement or multi-state money transmitter license can mean simultaneous oversight from FinCEN, a federal prudential regulator, and multiple state agencies. Understanding your regulator map is as important as understanding the rules themselves.

The 5 Pillars of BSA/AML Compliance, Explained for Fintech Teams

The five pillars were designed to ensure all financial institutions have consistent governance, accountability, controls, and risk detection in place. The first four come from the BSA's AML program requirement in 31 U.S.C. 5318(h); the 2016 CDD Rule added the fifth. They are codified for banks at 31 CFR 1020.210 (MSBs, including most money transmitters and crypto exchanges, fall under the parallel rule at 31 CFR 1022.210), and they form the regulatory foundation that examiners evaluate during examinations.

(Infographic: overview of the five BSA/AML compliance pillars for fintechs)

For Fintech teams operating at speed or under BaaS models, each pillar comes with specific implementation nuances.

Pillar 1: Internal Controls

Internal controls are the documented policies, procedures, and processes designed to detect, manage, and mitigate money laundering and terrorist financing risk. This includes dual controls, segregation of duties, program continuity planning, and IT system oversight.

Many early-stage Fintechs rely on a sponsor bank's BSA program as their foundation — but regulators expect Fintechs to maintain their own independent controls layer. Failure to do so is a common examination finding.

The FFIEC Internal Controls guidance emphasizes that controls must be tailored to each institution's risk profile and must provide oversight of IT systems supporting BSA/AML compliance.

What this means in practice:

  • Document policies for transaction monitoring, SAR filing, CDD processes, and record retention
  • Establish dual controls for high-risk activities (such as approving large transactions or updating sanctions screening rules)
  • Segregate duties between teams that onboard customers and those that monitor for suspicious activity
  • Update controls as products, geographies, or customer segments change — controls designed for a P2P payments app don't automatically fit a crypto exchange or BNPL product
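What "dual control" over a screening-rule change looks like in code, as an added example that is not part of the original article: a change to a sanctions-screening parameter cannot be approved by the person who requested it, needs two distinct approvers who hold an approving role, and is refused if the parameter was altered out of band while the request was pending. The role names, the parameter name and the in-memory config are assumptions made for the illustration.

```python
"""Added example (not the article's code): dual-control approval for a change to a
sanctions-screening parameter. Role names, parameter names and the in-memory config
are assumptions chosen for illustration."""
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

REQUIRED_APPROVALS = 2
APPROVER_ROLES = {"compliance_manager", "bsa_officer"}   # assumed role names


class DualControlError(Exception):
    """Raised when an action would violate the four-eyes rule."""


@dataclass
class ChangeRequest:
    change_id: str
    parameter: str
    old_value: Any
    new_value: Any
    requested_by: str
    justification: str
    approvals: List[Tuple[str, str, str]] = field(default_factory=list)  # (user, role, UTC time)
    applied: bool = False


def request_change(config: Dict[str, Any], parameter: str, new_value: Any,
                   requested_by: str, justification: str) -> ChangeRequest:
    """Open a request, snapshotting the current value so apply_change can detect drift."""
    return ChangeRequest(change_id=uuid.uuid4().hex[:12], parameter=parameter,
                         old_value=config[parameter], new_value=new_value,
                         requested_by=requested_by, justification=justification)


def approve(req: ChangeRequest, user: str, role: str) -> int:
    """Record one approval. Rejects self-approval, repeat approvers, non-approver
    roles, and approvals after the change has already been applied."""
    if req.applied:
        raise DualControlError(f"{req.change_id}: already applied")
    if user == req.requested_by:
        raise DualControlError(f"{req.change_id}: requester {user} cannot approve their own change")
    if role not in APPROVER_ROLES:
        raise DualControlError(f"{req.change_id}: role {role} cannot approve screening changes")
    if any(u == user for u, _, _ in req.approvals):
        raise DualControlError(f"{req.change_id}: {user} has already approved")
    req.approvals.append((user, role, datetime.now(timezone.utc).isoformat()))
    return len(req.approvals)


def apply_change(req: ChangeRequest, config: Dict[str, Any]) -> Dict[str, Any]:
    """Apply an approved change and return the audit record. Refuses to apply with too
    few approvals, or if the parameter no longer holds the value the approvers reviewed."""
    if len(req.approvals) < REQUIRED_APPROVALS:
        raise DualControlError(f"{req.change_id}: {len(req.approvals)} of {REQUIRED_APPROVALS} approvals")
    if config.get(req.parameter) != req.old_value:
        raise DualControlError(f"{req.change_id}: {req.parameter} changed since the request was raised; re-review")
    config[req.parameter] = req.new_value
    req.applied = True
    return {"change_id": req.change_id, "parameter": req.parameter,
            "old_value": req.old_value, "new_value": req.new_value,
            "requested_by": req.requested_by, "justification": req.justification,
            "approvals": list(req.approvals),
            "applied_at": datetime.now(timezone.utc).isoformat()}
```

The audit record returned by apply_change is what an examiner or independent tester asks for: who asked, who approved, what the value was before and after, and when. The drift check in apply_change is the piece most home-grown workflows omit; without it, an out-of-band edit between approval and application silently bypasses the control.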

Why it fails:

Generic policy templates inherited from sponsor banks are rarely customized for specific products or risk profiles. When transaction volumes spike or new features launch, controls lag — and examiners notice.

Pillar 2: Designation of a BSA/AML Compliance Officer

The institution's board of directors (or, for a Fintech without a traditional board, its governing body) must formally designate a qualified BSA/AML Officer with documented authority, independence, and access to resources. Banking regulators expect the designation to be recorded in board minutes, and sponsor banks ask their Fintech partners for the same evidence. The officer's title matters far less than their actual authority and experience.

Many growth-stage Fintechs appoint underqualified individuals — a general counsel doubling as BSA officer without AML expertise, for example — or delay the hire until a regulatory trigger forces the issue. Regulators don't accept token appointments.

The FFIEC BSA Compliance Officer guidance is explicit: the officer must have "sufficient knowledge, expertise, and authority" to ensure compliance — not just a title on an org chart. This pillar is among the most cited in enforcement actions.

What this means in practice:

  • Hire a dedicated BSA/AML Officer with relevant experience managing AML programs, handling regulatory examinations, and conducting SAR investigations
  • Record the formal designation in board minutes, including the officer's authority to escalate issues directly to the board
  • Provide adequate resources: budget for technology, staffing, training, and outside counsel
  • Don't assign BSA Officer duties as a side responsibility to someone whose primary focus is legal, product, or operations

Why finding the right candidate matters:

This is one of the most consequential hires a Fintech will make. A qualified BSA/AML Officer can lead examinations, defend the program under scrutiny, and build controls that actually fit the business — not just satisfy a checkbox.

Firms like Wayoh, which have spent over 10 years placing compliance professionals across Banking and FinTech, know the difference between candidates who've managed AML programs under regulatory pressure and those who haven't. That distinction matters when an examiner is in the building.

Pillar 3: Ongoing Employee Training

BSA/AML training must be role-specific, documented for every employee (including the board), and conducted periodically. Front-line staff, product teams, and customer-facing roles each require distinct training content based on their exposure to compliance risk.

The FFIEC Training guidance is clear: "appropriate personnel" should receive training tailored to their job duties — not generic compliance modules.

Fintechs that grow headcount quickly often roll out the same training across the company regardless of role. That approach doesn't account for new product lines, novel transaction types such as crypto, P2P, or BNPL, or evolving SAR/CTR obligations. Training gaps are a frequent examiner finding and can cascade into enforcement risk.

What this means in practice:

  • Customer onboarding teams: train on CIP requirements, identifying red flags during account opening, and escalation procedures
  • Product and engineering teams: train on how new features (such as instant payouts or cross-border transfers) introduce AML risk and require compliance review before launch
  • Transaction monitoring analysts: train on typologies, alert investigation procedures, and SAR narrative writing
  • Executive and board members: train on program governance, regulatory expectations, and enforcement trends

(Infographic: role-specific BSA/AML training matrix by department and content type)

Why it fails:

Off-the-shelf training modules rarely reflect a Fintech's actual business model or customer base. A crypto exchange's AML risks differ fundamentally from a lending platform's — yet many Fintechs run identical content across both.

Pillar 4: Independent Testing

Independent testing evaluates the effectiveness of the AML program and must be conducted by parties with no stake in daily compliance operations — either an internal audit function independent of the compliance team, or an external third-party auditor with BSA/AML expertise.

The FFIEC Independent Testing guidance (March 2020) states there is no regulatory mandate for test frequency — it should be commensurate with risk. Testing every 12–18 months is standard for most risk profiles, sooner if significant risk events occur.

Early and growth-stage Fintechs rarely have a mature internal audit function, making third-party independent reviews essential. Testing should cover:

  • Transaction monitoring models: tuning, alert volumes, investigation quality
  • CDD processes: risk rating accuracy, beneficial ownership verification
  • SAR filing practices: timeliness, narrative quality, documentation
  • Technology controls: system access, change management, data integrity

(Infographic: the four coverage areas of an independent testing scope)

What this means in practice:

  • Engage qualified third-party auditors with Fintech BSA/AML experience
  • Scope testing to cover all program elements, not just a single area
  • Review findings with the board and document remediation plans
  • Don't wait for a partner bank to demand testing — be proactive

Why it fails:

Waiting until a sponsor bank demands testing — or an examination is scheduled — means program gaps have had months or years to compound. Remediation under that kind of time pressure is expensive and rarely comprehensive.

Pillar 5: Customer Due Diligence (CDD)

CDD processes enable institutions to identify and verify customer identities (Customer Identification Program/CIP), understand the nature and purpose of customer relationships, build customer risk profiles, and conduct ongoing transaction monitoring.

Under the 2016 FinCEN CDD Rule, institutions must also identify and verify beneficial owners of legal entity customers: each individual with 25% or greater ownership (the ownership prong) and one individual with significant responsibility to control the entity (the control prong), as codified at 31 CFR 1010.230.

Fintechs face CDD complexity that traditional banks don't. Digital-first onboarding, pseudonymous crypto wallets, and layered business ownership structures all create gaps that static verification processes miss.

Risk-based CDD is the answer — not all customers require the same depth of due diligence, but Fintechs must document how they differentiate risk levels across customer segments.

What this means in practice:

Customer Identification Program (CIP):

  • Collect and verify name, date of birth, address, and identification number (SSN/ITIN or EIN for U.S. persons; passport number or another government-issued identification number for non-U.S. persons)
  • Use document verification tools and database checks appropriate for digital onboarding

Beneficial ownership (for legal entities):

  • Identify individuals with 25% or greater ownership, plus one individual with significant managerial control (the control prong applies even when nobody meets the 25% threshold)
  • Verify their identities using the same standards as individual customers
  • Document ownership structures and update them when changes occur

Ongoing monitoring:

  • Risk-rate customers based on factors: geography, transaction patterns, product usage, business type
  • Set monitoring parameters tied to risk ratings (high-risk customers trigger more frequent reviews)
  • Investigate anomalies and update customer profiles when new information emerges
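A risk-based rating engine that drives monitoring parameters and is re-run when observed activity departs from what the customer declared at onboarding, as an added example that is not part of the original article. Factor weights, tier cut-offs, the country and business-type lists, and the review cadences are placeholders that a real program would derive from its own risk assessment, not regulatory values.

```python
"""Added example (not from the article): customer risk rating that drives monitoring
parameters and is re-run when observed activity departs from the declared profile.
Weights, cut-offs, lists and cadences are illustrative placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Placeholder lists; a real program derives these from its own risk assessment.
HIGH_RISK_COUNTRIES = {"ZZ", "XX"}
HIGH_RISK_BUSINESS_TYPES = {"money_services", "casino", "precious_metals"}
HIGH_RISK_PRODUCTS = {"crypto": 20, "cross_border": 15, "cash_deposit": 15}
FACTOR_WEIGHTS = {"high_risk_country": 30, "high_risk_business": 20, "pep": 40,
                  "new_relationship": 10, "volume_deviation": 25}
TIERS = [(60, "high"), (30, "medium"), (0, "low")]        # score floor -> tier
MONITORING = {  # review cadence and how far above baseline the rule thresholds sit
    "high":   {"review_interval_days": 90,  "alert_threshold_multiplier": 1.0},
    "medium": {"review_interval_days": 365, "alert_threshold_multiplier": 2.0},
    "low":    {"review_interval_days": 730, "alert_threshold_multiplier": 3.0},
}
VOLUME_DEVIATION_RATIO = 2.0  # observed volume above 2x the declared figure adds a factor


@dataclass
class CustomerProfile:
    customer_id: str
    country: str                     # ISO 3166 alpha-2, as declared at onboarding
    business_type: str
    products: FrozenSet[str]
    is_pep: bool
    expected_monthly_volume: float   # declared at onboarding (nature and purpose)
    days_since_onboarding: int
    observed_monthly_volume: Optional[float] = None  # filled in by transaction monitoring


def risk_factors(p: CustomerProfile) -> Dict[str, int]:
    """Map profile attributes to the weighted factors that apply. The dict is kept so
    the rating can be explained to an examiner, not just reported as a number."""
    factors: Dict[str, int] = {}
    if p.country in HIGH_RISK_COUNTRIES:
        factors["high_risk_country"] = FACTOR_WEIGHTS["high_risk_country"]
    if p.business_type in HIGH_RISK_BUSINESS_TYPES:
        factors["high_risk_business"] = FACTOR_WEIGHTS["high_risk_business"]
    for product in sorted(p.products):
        if product in HIGH_RISK_PRODUCTS:
            factors[f"product:{product}"] = HIGH_RISK_PRODUCTS[product]
    if p.is_pep:
        factors["pep"] = FACTOR_WEIGHTS["pep"]
    if p.days_since_onboarding < 90:
        factors["new_relationship"] = FACTOR_WEIGHTS["new_relationship"]
    if (p.observed_monthly_volume is not None and p.expected_monthly_volume > 0
            and p.observed_monthly_volume > VOLUME_DEVIATION_RATIO * p.expected_monthly_volume):
        factors["volume_deviation"] = FACTOR_WEIGHTS["volume_deviation"]
    return factors


def risk_tier(score: int) -> str:
    for floor, tier in TIERS:
        if score >= floor:
            return tier
    return "low"


def rate_customer(p: CustomerProfile) -> dict:
    """Score, tier, the factors behind them, and the monitoring parameters the tier implies."""
    factors = risk_factors(p)
    score = sum(factors.values())
    tier = risk_tier(score)
    return {"customer_id": p.customer_id, "score": score, "tier": tier,
            "factors": factors, "monitoring": MONITORING[tier]}


def rerate_on_activity(p: CustomerProfile, observed_monthly_volume: float) -> dict:
    """Ongoing CDD: feed observed activity back into the profile and re-rate.
    A tier change is the trigger for an analyst review and, where warranted, EDD."""
    previous = rate_customer(p)["tier"]
    p.observed_monthly_volume = observed_monthly_volume
    result = rate_customer(p)
    result["previous_tier"] = previous
    result["tier_changed"] = result["tier"] != previous
    return result
```

The point of rerate_on_activity is the failure mode described under "Why it fails": a customer rated medium at onboarding whose volume later runs at several times the declared figure should move tiers, and the monitoring parameters should tighten with it, without anyone having to remember to re-review the file.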

Why it fails:

CDD implemented as a one-time onboarding check is one of the most common examination findings. When transaction patterns change or ownership structures shift, a static risk profile creates blind spots — and examiners find them every time.

OFAC and the Emerging 6th Pillar: What Fintechs Need to Know

OFAC Compliance: Not a Pillar, But Essential

The Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic sanctions programs. Its prohibitions bind all U.S. persons, not only financial institutions, and in practice require screening customers and transactions against OFAC's Specially Designated Nationals (SDN) list and the other sanctions lists it publishes.

While not one of the five BSA pillars, OFAC compliance is a standard expectation embedded within a complete BSA/AML program—especially for Fintechs that:

  • Process cross-border payments
  • Operate in crypto or digital assets
  • Serve international users or merchants
  • Enable remittances or currency exchange

What this means in practice:

  • Screen customers at onboarding against the SDN list
  • Screen transactions in real-time for sanctions matches
  • Block or reject transactions involving SDN parties
  • Maintain audit trails of screening results
  • Re-screen the existing customer base, not only new applicants, whenever OFAC publishes list changes, and record which list version each screening used
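The screening loop above, as an added example that is not part of the original article: names are normalized (diacritics, punctuation, corporate suffixes, token order), compared against primary names and aliases with a fuzzy score, and every transaction gets an audit record that carries a hash of the list version used, so that a later question of "which list did you screen against" has an answer. The sample list is constructed in the column layout of OFAC's SDN.CSV and ALT.CSV files with fictional names; the thresholds and the suffix stop-list are assumptions to be tuned and independently tested, not OFAC values.

```python
"""Added example (not the article's code): fuzzy SDN screening with an audit trail that
records the list version used. Sample list entries are fictional and laid out like
OFAC's SDN.CSV / ALT.CSV; thresholds and the suffix stop-list are illustrative."""
import csv
import difflib
import hashlib
import io
import re
import unicodedata
from datetime import datetime, timezone

# Constructed sample data: entity number, name, type, program. Fictional names only.
SDN_CSV = """\
9001,"VORLANDER, Kasimir Ode",individual,SDGT
9002,"ZETHRA TRADING HOUSE LLC",,CYBER2
9003,"OKONJI-BRAVURA, Teodora",individual,IRAN
"""
ALT_CSV = """\
9001,"Kasimir VORLANDER"
9002,"ZETHRA TRADING"
"""

STOPWORDS = {"LLC", "LTD", "INC", "CO", "CORP", "COMPANY", "THE"}  # dropped before comparing
REVIEW_THRESHOLD = 0.85   # assumed; calibrate against known true/false positives
BLOCK_THRESHOLD = 0.95    # assumed; near-exact hits are held, lower hits go to an analyst


def normalize(name):
    """Strip diacritics and punctuation, uppercase, drop corporate suffixes; return tokens."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    name = re.sub(r"[^A-Za-z0-9]+", " ", name).upper()
    return [t for t in name.split() if t not in STOPWORDS]


def load_list(sdn_csv, alt_csv):
    """Parse the list and its aliases; return (entries, sha256 of the raw list text)."""
    entries = {}
    for ent_num, name, sdn_type, program in csv.reader(io.StringIO(sdn_csv)):
        entries[ent_num] = {"name": name, "type": sdn_type, "program": program,
                            "names": [normalize(name)]}
    for ent_num, alias in csv.reader(io.StringIO(alt_csv)):
        entries[ent_num]["names"].append(normalize(alias))
    list_hash = hashlib.sha256((sdn_csv + alt_csv).encode()).hexdigest()
    return entries, list_hash


def similarity(a, b):
    """Best of: ordered string ratio, order-insensitive ratio, and token overlap."""
    if not a or not b:
        return 0.0
    ordered = difflib.SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    unordered = difflib.SequenceMatcher(None, " ".join(sorted(a)), " ".join(sorted(b))).ratio()
    overlap = len(set(a) & set(b)) / len(set(a) | set(b))
    return max(ordered, unordered, overlap)


def screen_name(name, entries, threshold=REVIEW_THRESHOLD):
    """Hits at or above the threshold, best score first, scored against aliases too."""
    tokens = normalize(name)
    hits = []
    for ent_num, entry in entries.items():
        score = max(similarity(tokens, candidate) for candidate in entry["names"])
        if score >= threshold:
            hits.append({"ent_num": ent_num, "matched_name": entry["name"],
                         "program": entry["program"], "score": round(score, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def decide(hits):
    if not hits:
        return "clear"
    return "block_pending_review" if hits[0]["score"] >= BLOCK_THRESHOLD else "review"


def screen_transaction(parties, entries, list_hash):
    """Screen every party on a payment (originator, beneficiary, intermediary banks) and
    return one audit record; the worst party outcome decides the transaction."""
    rank = {"clear": 0, "review": 1, "block_pending_review": 2}
    results = {}
    for role, name in parties.items():
        hits = screen_name(name, entries)
        results[role] = {"name": name, "decision": decide(hits), "hits": hits}
    overall = max((r["decision"] for r in results.values()), key=rank.get)
    return {"screened_at": datetime.now(timezone.utc).isoformat(),
            "list_sha256": list_hash, "decision": overall, "parties": results}
```

Two design points worth carrying into a real system: screen aliases, not just primary names (the alias file is where transliterations and short forms live), and treat the two thresholds as model parameters that belong under the change control and independent testing described elsewhere on this page, because loosening them is the easiest way to quietly stop catching hits.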

OFAC violations carry their own penalty risk, independent of any BSA enforcement action.

The Proposed 6th Pillar: Formal Risk Assessment

In mid-2024 (FinCEN's NPRM in June, followed by the banking agencies' companion proposals in July), regulators proposed amendments to AML/CFT program requirements that would have required a formal, documented risk assessment process as the foundation of each AML/CFT program.

That proposal was superseded on April 7, 2026, when FinCEN issued a new NPRM to fundamentally reform AML/CFT program rules. The updated proposal emphasizes program effectiveness, risk-based resource allocation, independent testing, and supervisor coordination. The comment period runs through June 9, 2026.

What the proposed rule would require:

A documented, recurring risk assessment process that:

  • Maps products, customer segments, geographies, and transaction types to AML and OFAC risk
  • Serves as the foundation for designing the entire AML/CFT program
  • Informs resource allocation, control design, and monitoring parameters
  • Is updated when business model, product mix, or risk profile changes

Even before the rule is finalized, Fintech teams should start building this infrastructure now:

  1. Conduct (or commission) a current-state risk assessment
  2. Document inherent risk factors: customer types, transaction volumes, geographic reach, product features
  3. Assess control effectiveness against identified risks
  4. Identify residual risks and gaps requiring additional controls or resources
  5. Update the risk assessment annually or when significant changes occur

(Infographic: five-step AML/CFT risk assessment process flow for fintech compliance programs)

Teams that complete this work now will enter the new regulatory framework with documentation already in place—not scrambling to build it after the rule takes effect.

Common BSA/AML Compliance Failures and What Fintechs Can Learn

Real Enforcement Patterns: How Pillar Failures Cascade

TD Bank (October 2024): FinCEN assessed a $1.3 billion penalty for failures spanning all five pillars:

  • Transaction monitoring gaps allowed suspicious activity to go undetected (Internal Controls)
  • BSA Officer lacked sufficient authority and escalation pathways
  • Training deficiencies left staff unprepared to identify red flags
  • Ineffective audits failed to surface program gaps (Independent Testing)
  • Large backlogs in customer risk rating updates left CDD stale

(Infographic: the TD Bank 2024 enforcement action mapped to the five BSA/AML pillar failures)

Evolve Bank & Trust (June 2024): The Federal Reserve issued an enforcement action citing deficiencies in AML programs and failure to maintain an effective risk management framework for fintech partnerships—a warning for BaaS providers and their fintech partners.

Thread Bank (May 2024): An FDIC Consent Order required enhancements across AML/CFT program components, including staffing, risk assessment, CDD, SAR processes, and specific third-party oversight for BaaS and LaaS fintech partners.

Most Common Pillar-Level Failures in Fintech Examinations

These cases aren't outliers. Examiners see the same failure patterns across fintech examinations — often at the same pillar level.

Pillar 1 (Internal Controls):

  • Over-reliance on sponsor bank's compliance framework without a proprietary controls layer
  • Transaction monitoring models never validated or tuned after initial deployment
  • Failure to update CDD procedures as new products launch

Pillar 2 (BSA Officer):

  • Appointing underqualified individuals without specific AML expertise
  • Failing to record formal designation in board minutes
  • Not providing sufficient resources or authority to escalate issues

Pillar 3 (Training):

  • Generic training that covers regulatory basics but doesn't address the company's actual product risk surface
  • No role-specific content for customer-facing, product, or technical teams
  • Training not updated when product features or customer segments change

Pillar 4 (Independent Testing):

  • Waiting for sponsor bank to demand testing instead of proactive scheduling
  • Scoping testing too narrowly (only one program area)
  • Not documenting remediation plans or tracking completion

Pillar 5 (CDD):

  • One-time onboarding checks without ongoing monitoring
  • Customer risk ratings never updated despite changing transaction patterns
  • Beneficial ownership verification skipped or incomplete for business customers

Downstream Business Risk Beyond Regulatory Penalties

Penalty dollars are only part of the damage. Pillar failures put the business itself at risk:

  • Sponsor banks terminate accounts when fintechs fall short of compliance standards — cutting off access to banking infrastructure
  • State regulators deny or suspend money transmitter licenses, stalling expansion plans
  • Enforcement actions surface publicly, impairing fundraising conversations and customer confidence
  • BSA/AML Officers and board members face individual penalty exposure, not just institutional fines

Self-Assessment: Stress-Test Your Five Pillars

Use these questions to evaluate your program:

Pillar 1 (Internal Controls):

  • Have you documented policies specific to your products and risk profile?
  • Are controls updated when new features launch or customer segments change?

Pillar 2 (BSA Officer):

  • Has your BSA/AML Officer designation been formally recorded in board minutes?
  • Does your officer have direct escalation authority to the board?
  • Does your officer have relevant regulatory examination experience?

Pillar 3 (Training):

  • Is training role-specific, or does everyone receive the same content?
  • Does training address your actual products (crypto, BNPL, P2P, etc.)?

Pillar 4 (Independent Testing):

  • When was your transaction monitoring model last independently validated?
  • Are test findings documented and remediation plans tracked?

Pillar 5 (CDD):

  • How do you differentiate risk levels across customer segments?
  • When do you update customer risk ratings?

Building the Compliance Team Behind Each Pillar

Each Pillar Has a People Requirement

Internal controls need owners. Training requires program managers. CDD demands skilled analysts. Independent testing requires internal audit staff or vendor relationships. For Fintechs, building the right compliance team is often as important as buying the right technology.

Core Compliance Roles at Different Growth Stages

Early stage (Seed to Series A):

  • BSA/AML Officer: typically owns the entire compliance function — responsible for policy documentation, SAR filing, regulatory liaison, and initial risk assessments

Growth stage (Series A to Series B):

  • Financial Crime Analyst: investigates alerts, conducts enhanced due diligence, and prepares SAR narratives
  • CDD Specialist: manages customer onboarding verification, beneficial ownership documentation, and risk rating
  • Transaction Monitoring Analyst: tunes monitoring rules, investigates alerts, and documents disposition decisions

Scaling stage (Series B to Series C+):

  • Compliance Operations Manager: oversees day-to-day program execution and vendor management
  • Chief Compliance Officer: leads overall compliance strategy and regulatory relationships
  • Internal Audit/Testing Lead: conducts or manages independent testing and remediation tracking

(Infographic: Fintech compliance team staffing roadmap across Seed, Series A, B and C growth stages)

Why Compliance Hiring in Fintech Is Uniquely Difficult

Candidates need to understand both traditional regulatory requirements and emerging-technology risk contexts. A BSA Officer who excelled at a commercial bank may lack experience with crypto wallets, real-time payment rails, or BNPL underwriting models. Conversely, a compliance professional from a crypto exchange may not have navigated FDIC or OCC examinations.

That dual expertise — regulatory fluency combined with technology-native risk understanding — is genuinely rare. Specialized recruiting partners with deep networks in financial crime compliance can shorten time-to-hire for critical roles and reduce the risk of a weak appointment in any of the five pillars.

Wayoh has placed 500+ professionals across Banking and FinTech over 10+ years, with particular focus on sourcing candidates who bridge traditional regulatory knowledge and emerging-technology risk contexts — the profile most Fintechs struggle to find through general job postings alone.

Frequently Asked Questions

What are the 5 pillars of a BSA/AML compliance program?

The five pillars are Internal Controls, Designation of a BSA/AML Compliance Officer, Ongoing Employee Training, Independent Testing, and Customer Due Diligence (CDD). These elements form the regulatory foundation examiners evaluate when assessing the adequacy of any AML program.

How many pillars should a BSA/AML compliance program have?

The established regulatory framework includes five pillars. However, FinCEN's proposed AML/CFT Program Modernization Rule may formalize a sixth—a documented risk assessment process—one fintechs should be preparing for now.

What are the key elements of an effective AML program?

Effective programs include the five regulatory pillars as the foundation, plus a calibrated risk assessment, properly tuned transaction monitoring, timely SAR/CTR filing practices, and compliance accountability that extends beyond the compliance team into operations, product, and leadership.

How do OFAC requirements fit into a BSA/AML compliance program?

OFAC is not one of the five BSA pillars but is treated as an integral part of a complete compliance program. Institutions must screen customers and transactions against the SDN list. OFAC violations carry independent penalty risk—separate from, and in addition to, any BSA violations.

When should a Fintech start building a BSA/AML compliance program?

Fintechs should begin building their BSA/AML program before launching financial products—particularly before obtaining a money transmitter license, entering a sponsor bank partnership, or handling regulated transaction types. Regulators and partner banks evaluate program maturity from day one.

What happens if a Fintech fails to comply with BSA/AML requirements?

The consequences are significant and compound quickly:

  • Civil monetary penalties from FinCEN
  • Enforcement actions from banking regulators
  • Loss of sponsor bank relationships or money transmitter licenses
  • Reputational damage that affects fundraising and partnerships
  • Criminal liability for compliance officers and executives in serious cases