Figure 1: BSA/AML obligation structure in bank-fintech partnerships. Liability remains with the chartered institution; the program must be validated, not assumed.

BSA/AML obligations do not diminish when a bank outsources a function to a fintech. They transfer downstream through the bank's third-party risk program. The chartered institution is responsible for every transaction, every filing, and every documentation failure in that relationship, regardless of who operates the technology.

This matters to community banks because the OCC, FDIC, and Federal Reserve have been explicit since the 2023 interagency third-party risk management guidance: outsourcing a function does not outsource the regulatory obligation. It transfers the work while keeping the liability at the bank level.

It matters to fintech founders because the bank's BSA officer is evaluating your program during due diligence with the same lens an examiner will use. If your documentation cannot answer their questions on paper, the conversation stalls long before a term sheet appears.

This article addresses both sides: the regulatory framework that governs these partnerships, the three gaps that surface most consistently in fintech-bank BSA/AML programs, what community banks need to require before signing, and what fintechs need to have ready before asking.

What Regulators Expect from Bank-Fintech BSA/AML Programs

The Bank Secrecy Act (31 U.S.C. sections 5311-5336) establishes the obligation. FinCEN's implementing regulations (31 C.F.R. Chapter X) define the minimum program requirements: a designated compliance officer, internal controls, employee training, and independent testing. These requirements apply to the bank. Full stop.

When a bank partners with a fintech, the 2023 interagency guidance on third-party relationships (issued jointly by the OCC, FDIC, and Federal Reserve) requires the bank to conduct risk-based due diligence on the fintech's BSA/AML program before the relationship begins, and to monitor that program on an ongoing basis. The bank cannot simply rely on the fintech's representations. It must validate.

This means the bank's BSA officer needs to review the fintech's customer identification program (CIP), its customer due diligence (CDD) and enhanced due diligence (EDD) procedures, its transaction monitoring logic, and its suspicious activity report (SAR) filing protocols. The bank needs to understand how the fintech's controls map to its own BSA risk assessment, and where they do not align.

What examiners check: During the bank's BSA/AML examination, examiners review the bank's third-party risk management program as part of the overall exam scope. If the bank is partnering with a fintech that handles transactions or customer relationships, examiners will ask for the fintech's BSA/AML documentation, the bank's validation of that program, and evidence that the bank is conducting ongoing monitoring. "We rely on our fintech partner" is not an acceptable answer.

FinCEN's 2022 priorities guidance made clear that the agency expects financial institutions to maintain risk-based programs calibrated to their actual customer and product risk profiles. A bank that partners with a fintech serving a customer population the bank does not normally serve needs to account for that additional risk in its own BSA program. The fintech's monitoring system may be calibrated for a different population. That gap is the bank's problem.

The Three BSA/AML Gaps That Surface in Fintech Partnerships

Across the compliance programs I have reviewed in bank-fintech partnerships, the same gaps appear repeatedly. They are not exotic compliance failures. They are structural misalignments that neither side notices until an examiner points them out.

Figure 2: The three compliance gaps that examiners identify most consistently in bank-fintech BSA/AML programs.

Gap 01: Transaction Monitoring Miscalibration
The fintech's TM system was built for a different population

The fintech built its transaction monitoring system around its own customer base. That base has a specific risk profile, geographic footprint, and transaction velocity. The community bank's customers are different. Their expected transaction behavior is different.

The fintech's monitoring logic, thresholds, and alert rules were calibrated for its population, not the bank's. Without written documentation showing how the fintech's monitoring covers the bank's obligated population, the bank cannot demonstrate to examiners that its third-party BSA program is working.

Require written calibration documentation tied to the bank's own BSA risk assessment before go-live.

Gap 02: SAR Filing Responsibility Is Ambiguous
The contract does not name who files

The partnership agreement says both parties will cooperate on SAR filings. That is not a SAR protocol. It is a placeholder that creates confusion at exactly the moment when clarity matters most: when a suspicious pattern has surfaced and someone needs to file within the regulatory window.

FinCEN regulations require SARs to be filed within 30 days of detecting a reportable activity (31 C.F.R. section 1020.320). Ambiguity about who files creates the conditions for a missed or late filing. Both outcomes are regulatory findings.

Name one filing party in the contract. Define the escalation path and timeline. Both parties sign off.

Gap 03: CDD/EDD Standards Are Misaligned
The fintech collects what its product needs; the bank requires more

FinCEN's Customer Due Diligence Rule (31 C.F.R. section 1010.230) sets minimum standards. The bank's BSA program often requires more. The fintech built its customer onboarding to serve its product, not to satisfy the bank's internal CDD standards. The gap between them sits undocumented.

Enhanced due diligence triggers may differ. Beneficial ownership collection thresholds may differ. Documentation formats may differ. When an examiner pulls a customer file and compares it to the bank's written CDD procedures, they see those differences immediately.

Map the fintech's CDD program to the bank's BSA procedures. Document every delta and how it is addressed.

What Community Banks Should Require Before Signing

The bank's BSA officer should be part of fintech due diligence before legal counsel begins drafting the partnership agreement. The BSA review is not a formality. It determines whether the bank's third-party program can accommodate this relationship without creating examination risk.

Four things the bank should require before signing:

Community Bank BSA/AML Due Diligence Requirements

1. Independent BSA/AML Program Audit. An internal self-assessment from the fintech is not sufficient. The bank needs documentation that the fintech's program has been reviewed by a qualified independent party. This is the same standard the bank applies to its own program under 31 C.F.R. section 1020.210(b)(4). If the fintech has not had an independent review, the bank should require one before the relationship begins, or build a timeline for completion into the agreement.

2. Written Transaction Monitoring Calibration Documentation. The fintech must produce written documentation showing how its transaction monitoring system was calibrated, against what customer risk profile, and when it was last reviewed. The bank needs to assess whether that calibration is appropriate for its customer population. If it is not, calibration to the bank's risk profile must be completed and documented before launch.

3. SAR Filing Protocol Clearly Assigned in the Agreement. The partnership agreement must name which party is responsible for filing SARs arising from the fintech's transactions, define the escalation path from detection to filing, and establish the internal notification timeline. General language about cooperation does not satisfy this requirement. Specificity is what protects the bank in an examination.

4. Annual BSA/AML Review Obligation Written Into the Contract. The 2023 interagency guidance requires ongoing monitoring of third-party relationships. That monitoring obligation should be codified in the agreement: the fintech must submit to an annual BSA/AML program review, produce updated documentation on request, and notify the bank within a defined timeframe if the fintech's program materially changes.

What Fintechs Should Have Ready

The community bank's BSA officer is reading your program documentation before your business development team has finished its pitch. In my experience reviewing programs on both sides of these conversations, the fintech's BSA/AML documentation often determines whether the partnership moves forward, not the product itself.

What a bank's BSA officer will ask during due diligence:

Fintech BSA/AML Program Documentation Requirements

A. Written BSA/AML Program Document. A formal, dated program document covering your four pillars: designated compliance officer, internal controls, training program, and independent testing. This is not a policy summary. It is a program document with enough specificity that an examiner could evaluate it against the minimum program requirements in 31 C.F.R. section 1020.210.

B. CIP and CDD Procedures. Documented customer identification procedures that meet FinCEN's CIP rule (31 C.F.R. section 1020.220), your CDD procedures under 31 C.F.R. section 1010.230, and your EDD triggers. The bank will compare these against its own standards. Document where your program goes further than the minimum, not just where it meets it.

C. Transaction Monitoring System Documentation. The bank needs to understand what system you use, how alerts are generated, what thresholds are set and why, how those thresholds were calibrated, and who reviews alerts. If you can provide calibration documentation showing the methodology, you remove the largest single friction point in the BSA due diligence conversation.

D. SAR Escalation Procedures. A written internal procedure showing how suspicious activity is detected, escalated internally, reviewed, and reported. Include the timeline from detection to filing. The bank will want to see this before assigning SAR responsibility in the partnership agreement. If your procedure is weak, the bank will ask you to strengthen it before signing.

E. Evidence of Prior Examination or Independent Review. If your program has been reviewed by a qualified third party or examined by a regulator, that evidence materially strengthens your position. If it has not, acknowledge it and provide a timeline for completing an independent review. Banks understand that pre-launch fintechs may not have examination history. They cannot work with fintechs that have no plan to get it.

A foundational program covering these elements takes 60 to 90 days to build and document. A program that has been independently reviewed and can withstand examination scrutiny requires 4 to 6 months. If you are in active bank partnership conversations, the documentation work should have started already.

Frequently Asked Questions

Q: What is a community bank's BSA/AML obligation when partnering with a fintech?

A community bank remains fully responsible for BSA/AML compliance even when working with a fintech partner. The OCC, FDIC, and Federal Reserve expect the bank to conduct due diligence on the fintech's program, monitor ongoing compliance, and ensure SAR filing obligations are clearly assigned and met. The 2023 interagency third-party risk guidance codified what examiners had been applying for years: outsourcing a function does not outsource the regulatory obligation.

Q: Can a fintech have its own BSA/AML program or must it rely on the bank?

This depends on the structure of the partnership and whether the fintech is acting as an agent of the bank or operating independently. In most Banking-as-a-Service (BaaS) structures, the fintech maintains its own program but must align it with the bank's standards and submit to the bank's oversight. The bank remains the primary obligor. The fintech's program supplements the bank's, but does not replace the bank's responsibility to validate and monitor it.

Q: What triggers a BSA/AML examination for a fintech-bank partnership?

Fintech-bank partnerships are reviewed during the bank's regular examination cycle. Examiners review the bank's third-party risk management program, which includes the fintech's BSA/AML program as a component. High-risk products, unusual transaction patterns, or SAR filing gaps can trigger a targeted review outside the normal cycle. Banks that partner with fintechs serving higher-risk customer populations or transaction types should expect BSA scrutiny to increase proportionally.

Q: How long does it take to build a defensible BSA/AML program for a fintech?

A foundational program covering CIP, CDD, transaction monitoring, and SAR procedures takes 60 to 90 days to document and test. A program that has been independently reviewed and can withstand examination scrutiny typically requires 4 to 6 months of structured development. Fintechs that begin this work early, before bank partner conversations accelerate, are in a materially stronger position when BSA due diligence begins.

Disclaimer: This material is provided for informational purposes only and does not constitute legal advice. Castleigh Johnson Advisory LLC is not a law firm. Consult qualified legal counsel for any legal opinion or formal regulatory matter. Regulatory requirements referenced are current as of the date of this article and subject to change.
Castleigh Johnson
Castleigh Johnson Advisory LLC

Castleigh Johnson is a fintech compliance and bank partnership readiness advisor. Prior roles include Bank Examiner at the Federal Reserve Bank of New York, Senior Associate at Goldman Sachs, Director of Model Governance at BMO Financial Group, and Manager at Ernst & Young Financial Services Advisory. He holds an MBA in Finance and Accounting from NYU Stern School of Business and a BS from Pennsylvania State University. He is also the Founder of Dream Fund AI LLC. Contact: castleigh.johnson@gmail.com