To an engineering-led fintech, the Bank Secrecy Act can look like a tax on innovation—a body of obligations written for legacy banks and dropped onto a product team that would rather ship. That framing is understandable and, in my experience, expensive. The BSA is not going away, the Anti-Money Laundering Act of 2020 sharpened it, and the companies that treat compliance as a core competency are the ones that keep their bank accounts and pass diligence. The goal is not to choose between compliance and product. It is to build controls that are proportionate and defensible without grinding the product to a halt.
What the BSA Actually Requires
The Bank Secrecy Act, administered by FinCEN, requires covered businesses to help the government detect and prevent financial crime. Many crypto and payments companies fall within it as money services businesses, which carries a concrete set of obligations. The starting point is FinCEN registration as an MSB (renewed every two years), followed by a written AML program built on the four "pillars" most practitioners recite: a designated compliance officer, internal policies and controls, ongoing training, and independent testing. The program has to be in writing, approved by senior management, and proportionate to the risks of the products and customers the company actually has.
From there the operational duties follow. Customer due diligence and know-your-customer at onboarding, including beneficial ownership for legal-entity customers (a formal requirement for banks under the CDD Rule, and in practice what banking partners expect an MSB to collect as well). Screening against OFAC sanctions lists and other watchlists, at onboarding and on an ongoing basis as the lists change. Transaction monitoring calibrated to your actual flows, with suspicious activity reports filed when the facts warrant (for an MSB, generally within 30 days of detecting the activity) and currency transaction reports where the cash thresholds are met. For transmittals at or above the applicable threshold, currently $3,000, the recordkeeping and "travel rule" requirements attach: originator and beneficiary information has to be collected, retained, and passed along with the transfer. And all of it has to be documented well enough that someone outside the company can verify it works.
Where Fintechs Actually Get Into Trouble
The failures are predictable, and they are rarely about intent. A company launches with a polished policy document that nobody operationalizes. Monitoring thresholds get set once during onboarding of a vendor tool and are never tuned to real behavior, so they either drown the team in false positives or miss the patterns that matter. Sanctions screening runs against customer names but not wallet addresses, even though OFAC publishes digital-currency addresses alongside listed parties, and an obvious hit slips through. Or, most common of all, growth simply outpaces the compliance function: transaction volume grows tenfold while the program stays where it was at seed stage.
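The name-only screening gap is easy to see in code. The block below is an added example, not code from the original article: a small screener that indexes a constructed watchlist (placeholder entries, not real OFAC SDN data) by both normalized names and wallet addresses, and exposes a names-only path beside the full path so the miss is visible. It does exact matching after normalization; a production screener would also use fuzzy name matching and load the official lists on a schedule. The `CONSTRUCTED_LIST`, `SAMPLE_TXS` and the list IDs are all invented for illustration.

```python
"""Sanctions screening that covers counterparty names *and* wallet addresses.

Added example for illustration. The watchlist entries and transactions below
are constructed placeholders; none of the names, IDs or addresses are real.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed watchlist: primary name, aliases, and any digital-currency
# addresses published with the entry. Not real sanctions data.
CONSTRUCTED_LIST = [
    {
        "id": "EXAMPLE-0001",
        "names": ["Example Sanctioned Exchange Ltd", "ESE Ltd"],
        "addresses": {
            "ETH": ["0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"],
            "BTC": ["1PlaceholderNotARealAddress000000"],
        },
    },
    {"id": "EXAMPLE-0002", "names": ["Jöhn Q. Placeholder"], "addresses": {}},
]


def normalize_name(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace, so
    'JOHN Q PLACEHOLDER' and 'Jöhn Q. Placeholder' compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = re.sub(r"[^a-z0-9 ]", " ", s.casefold())
    return " ".join(s.split())


def normalize_address(chain: str, addr: str) -> str:
    """EVM addresses are hex and case-insensitive (EIP-55 only adds a
    checksum), so compare them lowercased. Legacy Bitcoin (base58)
    addresses are case-sensitive, so compare those exactly as published."""
    addr = addr.strip()
    return addr.lower() if chain == "ETH" else addr


@dataclass(frozen=True)
class Hit:
    list_id: str
    field: str   # "name" or "address"
    matched: str


class Screener:
    def __init__(self, entries):
        self._names = {}      # normalized name -> list entry id
        self._addresses = {}  # (chain, normalized address) -> list entry id
        for e in entries:
            for n in e["names"]:
                self._names[normalize_name(n)] = e["id"]
            for chain, addrs in e["addresses"].items():
                for a in addrs:
                    self._addresses[(chain, normalize_address(chain, a))] = e["id"]

    def screen_names_only(self, tx: dict) -> list:
        """The failure mode from the text: only the counterparty name is checked."""
        hits = []
        key = normalize_name(tx.get("counterparty_name", ""))
        if key in self._names:
            hits.append(Hit(self._names[key], "name", tx["counterparty_name"]))
        return hits

    def screen(self, tx: dict) -> list:
        """Check the counterparty name and every address the transaction touches."""
        hits = self.screen_names_only(tx)
        for chain, addr in tx.get("addresses", []):
            key = (chain, normalize_address(chain, addr))
            if key in self._addresses:
                hits.append(Hit(self._addresses[key], "address", addr))
        return hits


# Constructed transactions: tx-2 uses a fresh shell name but a listed address.
SAMPLE_TXS = [
    {"id": "tx-1", "counterparty_name": "JOHN Q PLACEHOLDER", "addresses": []},
    {"id": "tx-2", "counterparty_name": "Fresh Shell LLC",
     "addresses": [("ETH", "0xabcdef0123456789abcdef0123456789abcdef01")]},
    {"id": "tx-3", "counterparty_name": "Unrelated Co",
     "addresses": [("BTC", "1SomethingElseEntirely")]},
]

SCREENER = Screener(CONSTRUCTED_LIST)


def compare(screener: Screener, txs: list) -> dict:
    """Map tx id -> (names-only hit count, full hit count) to expose the gap."""
    return {t["id"]: (len(screener.screen_names_only(t)), len(screener.screen(t)))
            for t in txs}


if __name__ == "__main__":
    for tx_id, (partial, full) in compare(SCREENER, SAMPLE_TXS).items():
        print(f"{tx_id}: names-only={partial} full={full}")
```

Run as-is, tx-2 produces no hit on the names-only path and one hit on the full path: the shell name is clean, the address is not. That is exactly the case a names-only integration lets through.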
Any one of these can cost a banking relationship, and the reason is structural. When a bank serves your company, it inherits your financial-crime risk and answers for it to its own examiners. A thin AML program is one of the fastest ways to be de-risked off a bank's books, and regaining access afterward is far harder than keeping it.
Building Controls That Scale
The BSA is explicitly risk-based, which is the part fintechs should lean into. A risk-based program concentrates diligence where the risk actually sits—high-value flows, higher-risk jurisdictions, unusual patterns—rather than treating every customer identically and calling it rigor. Monitoring and screening should be tuned to how value genuinely moves through your specific rails, not lifted from a generic template. The program and its audit files should be legible to a banking partner without a month of back-and-forth. And an independent review should happen before a regulator or a prospective bank asks the hard questions, not after.
Compliance Is a Commercial Asset
There is a commercial case here that founders underrate. A credible, documented AML program shortens bank onboarding, removes a recurring objection in fundraising diligence, and lets you enter a new market without rebuilding the function from scratch. Mature payments companies do not experience innovation and compliance as opposites; they run both at once, and the compliance posture becomes part of why partners trust them.
If you're building a payments or crypto company and want a BSA/AML program that satisfies banks and regulators without strangling the product, get in touch.