# AML/BSA Compliance Program (Fintech & MSB)

> Draft a complete AML/BSA compliance program for non-bank financial institutions — fintechs, MSBs, crypto exchanges, and insurance companies. Covers all five BSA pillars: compliance officer, policies, independent testing, training, and CDD. Includes CTR filing, transaction monitoring, SAR filing, OFAC screening (50% Rule, proliferation financing), and information sharing procedures.

Tags: Compliance, Financial Services, AML, BSA, FinCEN, Fintech, MSB, OFAC, SAR, CTR, CDD, KYC, Crypto

## Example Prompts

- Draft an AML/BSA compliance program for our fintech payments platform
- Create CDD/KYC procedures for a crypto exchange
- Write SAR and CTR filing procedures for a money services business
- Build a transaction monitoring program for a neobank
- Document OFAC screening procedures including the 50% Rule

URL: https://rakenne.app/skills/aml-bsa-compliance-program/index.md

Try this skill: https://rakenne.app/a/?skill=aml-bsa-compliance-program


## Overview

FinCEN expects every regulated entity to maintain a written program that addresses all five BSA pillars. Examination deficiencies most often involve missing beneficial ownership control prong documentation, absent CTR procedures (distinct from SARs), incomplete OFAC 50% Rule coverage, and inadequate board-level accountability. This skill produces the full program document — typically 40–80 pages — with entity-specific requirements for MSBs, crypto, fintechs, and insurance companies.

## Getting Started

Add your source materials to the project workspace — FinCEN registration documents, state licenses, existing AML policies, risk assessments, organizational charts, and any prior examination findings — then activate the *AML/BSA Compliance Program (Fintech & MSB)* skill. The agent will guide you through entity profiling, risk assessment, and program drafting.

## Example Conversation

Below is an example of how a typical AML/BSA program session unfolds. The agent gathers the entity profile, identifies regulatory obligations, and iteratively builds and validates the program.

> **You:** We need an AML/BSA program for our fintech — PayStream. We're a payments platform offering instant ACH transfers and digital wallets for small businesses. We operate through a sponsor bank partnership with First National.
>
> **Agent:** I'll help you draft the AML/BSA program. Let me gather the entity profile:
>
> 1. What products and services does PayStream offer? (ACH, P2P, wallets, prepaid, virtual currency?)
> 2. What customer types do you serve — retail consumers, small businesses, or both?
> 3. What is your geographic exposure — US only, or do you process cross-border transactions?
> 4. Approximate monthly transaction volume and average transaction size?
> 5. Does First National's BSA Officer have examination authority over PayStream, and is there a written BSA responsibility agreement in place?
>
> **You:** ACH transfers and digital wallets only — no crypto or prepaid. Small businesses only, US domestic. About 15,000 transactions/month, average $2,400. Yes, First National has exam authority and we have a written agreement, but it's from 2022 and hasn't been updated.
>
> **Agent:** Important: your sponsor bank agreement is from 2022 — FinCEN and the OCC have issued updated guidance on fintech-bank BSA responsibility delineation since then. I'll flag this for update. Here's the initial risk assessment:
>
> - **Customer risk:** Medium — small businesses are moderate risk; no individual consumers, no PEPs as direct customers, but business beneficial owners need screening
> - **Product risk:** Medium — ACH transfers can be used for structuring; digital wallets can aggregate value
> - **Geographic risk:** Low — domestic only
> - **Transaction risk:** Medium — 15K monthly transactions with $2,400 average creates structuring exposure around the $10,000 CTR threshold
>
> I've built the program structure. Let me run the completeness checker... There are 3 errors:
>
> - **[ERROR]** Fintech/Neobank: Verify written BSA/AML responsibility agreement with sponsor bank exists and is referenced.
> - **[ERROR]** Missing CTR filing procedures — CTRs are mandatory for currency transactions exceeding $10,000 per business day. Even though PayStream is primarily ACH, you may receive or facilitate currency transactions.
> - **[ERROR]** CDD/BO: Control prong missing — one individual with significant management control must be collected regardless of ownership percentage.
>
> Let's address these. First — does PayStream handle any cash or currency transactions, or is everything electronic?
>
> **You:** Everything is electronic — no cash at all. And for beneficial ownership, we collect the 25% ownership threshold but I'm not sure about the control prong.
>
> **Agent:** Two things:
>
> 1. **CTR procedures** — Even if PayStream doesn't handle cash directly, the program must document that CTR obligations are assessed and explain why they don't apply (electronic-only platform). This protects you during examination. I'll add a "CTR Applicability" section noting that PayStream transactions are exclusively electronic and don't trigger CTR filing, with a trigger for reassessment if product offerings change.
>
> 2. **Beneficial ownership control prong** — Under 31 CFR 1010.230(d)(1)(ii), you must collect one individual with significant management control (typically the CEO, COO, or managing member) **regardless of ownership percentage**. This is separate from the 25% ownership prong. Many fintechs miss this — it's one of the top FinCEN examination findings. I'll update the CDD section with both prongs documented.
>
> I've fixed both issues and re-run the checker — down to 1 error (the sponsor bank agreement reference) and 2 warnings. The agreement needs to be updated to reflect current BSA responsibility delineation. Want me to continue drafting the OFAC screening and SAR procedures sections?

## Sample Output Excerpt

Below is a representative excerpt from a generated AML/BSA program, showing the OFAC Sanctions Screening section — where examination deficiencies are most common — and the Beneficial Ownership section.

---

### 6. OFAC Sanctions Compliance

#### 6.1 Overview

PayStream maintains an OFAC sanctions screening program as a strict-liability compliance obligation separate from and in addition to its BSA/AML obligations. Sanctions compliance requires blocking or rejecting transactions involving sanctioned persons, entities, countries, or programs, regardless of whether the transaction would otherwise be lawful.

#### 6.2 Screening Points

PayStream screens against the OFAC Specially Designated Nationals (SDN) List, Consolidated Sanctions List, and Sectoral Sanctions Identifications (SSI) List at the following points:

| Screening Point | Parties Screened | Timing |
|---|---|---|
| Customer onboarding | Customer entity, all beneficial owners (25%+ and control person), authorized signers | Before account activation |
| Transaction processing | Originator name and account, beneficiary name and account, any intermediary parties | Real-time, before transaction release |
| Recurring batch screening | Full customer base and associated beneficial owners | Within 24 hours of any OFAC list update |
| Ongoing monitoring | Adverse media screening of high-risk customers | Quarterly |

#### 6.3 OFAC 50% Rule

Any entity owned 50% or more, directly or indirectly, by one or more blocked persons (SDNs) is itself a blocked entity — even if the entity is not named on the SDN List. PayStream applies the 50% Rule as follows:

- At onboarding, collect ownership structure sufficient to determine whether any SDN holds a direct or indirect 50%+ ownership interest
- Aggregate ownership across multiple blocked persons: if SDN-A owns 30% and SDN-B owns 25%, the entity is blocked (combined 55%)
- Screen not only the customer entity but also its parent companies, subsidiaries, and affiliates when ownership information is available
- Document the 50% Rule analysis in the customer file for any match or near-match
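The aggregation and look-through logic described above, as an added Python illustration (not code from the skill or from PayStream's program): it walks a constructed ownership graph, aggregates stakes held by blocked persons, treats any entity that crosses the threshold as blocked in its own right so that its holdings flow through to the entities it owns, and produces the analysis record the last bullet says should be retained in the customer file. The entity names, percentages and the `assess_customer` record format are invented here; the treatment of indirect ownership (a 50%-or-more-owned intermediary is blocked and its own stakes then count in full) is this example's assumption about how the rule is applied.

```python
"""Added illustration of OFAC 50% Rule ownership aggregation.

Not the skill's own code. Models an ownership graph and determines which
entities are blocked because blocked persons hold, directly or indirectly,
50% or more of their equity.
"""
from typing import Dict, List, Set, Tuple

# Ownership graph: owned entity -> {owner: percentage of equity}.
# Constructed sample data; every name below is invented for this example.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    # The page's own example: 30% + 25% held by two SDNs aggregates to 55%
    "Acme Holdings": {"SDN-A": 30.0, "SDN-B": 25.0, "Unrelated Investor": 45.0},
    # Indirect ownership: a blocked intermediary's stake counts in full
    "Acme Trading": {"Acme Holdings": 60.0, "Unrelated Investor": 40.0},
    # Below threshold: a 40% SDN stake alone does not block the entity
    "Beta LLC": {"SDN-A": 40.0, "Unrelated Investor": 60.0},
    # Wholly owned by a non-blocked entity, so nothing flows through
    "Beta Sub": {"Beta LLC": 100.0},
    # Exactly 50% satisfies the "50% or more" test
    "Gamma Corp": {"SDN-C": 50.0, "Unrelated Investor": 50.0},
}

# Constructed stand-in for SDN List hits returned by name screening
SDN_LIST: Set[str] = {"SDN-A", "SDN-B", "SDN-C"}


def blocked_contributors(owners: Dict[str, float], blocked: Set[str]) -> List[Tuple[str, float]]:
    """Return (owner, percentage) pairs for owners that are blocked persons."""
    return sorted((owner, pct) for owner, pct in owners.items() if owner in blocked)


def blocked_entities(ownership: Dict[str, Dict[str, float]], sdns: Set[str],
                     threshold: float = 50.0) -> Set[str]:
    """Compute the set of blocked entities by iterating to a fixed point.

    An entity becomes blocked when the combined stake of all blocked owners
    (designated SDNs plus entities already found blocked by this rule) reaches
    the threshold. Re-scanning until nothing changes handles chains of any
    depth regardless of the order entities appear in the graph.
    """
    blocked = set(sdns)
    changed = True
    while changed:
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            share = sum(pct for _, pct in blocked_contributors(owners, blocked))
            if share >= threshold:
                blocked.add(entity)
                changed = True
    return blocked


def assess_customer(ownership: Dict[str, Dict[str, float]], sdns: Set[str],
                    customer: str, threshold: float = 50.0) -> dict:
    """Build the 50% Rule analysis record to document in the customer file.

    The record captures the decision, the aggregate blocked share and exactly
    which blocked owners contributed to it, so a reviewer can reproduce the
    conclusion without re-running the analysis.
    """
    blocked = blocked_entities(ownership, sdns, threshold)
    contributors = blocked_contributors(ownership.get(customer, {}), blocked)
    return {
        "customer": customer,
        "blocked": customer in blocked,
        "blocked_share": sum(pct for _, pct in contributors),
        "contributors": contributors,
        "threshold": threshold,
    }


if __name__ == "__main__":
    for name in OWNERSHIP:
        record = assess_customer(OWNERSHIP, SDN_LIST, name)
        status = "BLOCKED" if record["blocked"] else "clear"
        print(f"{name:14s} {status:8s} blocked share {record['blocked_share']:5.1f}% "
              f"via {record['contributors'] or 'none'}")
```

Run as a script it prints one line per entity; in a screening pipeline `assess_customer` would be called at onboarding and again whenever an ownership change or OFAC list update triggers re-screening, with the returned record written to the customer file.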

#### 6.4 Proliferation Financing Programs

PayStream's screening includes OFAC programs targeting weapons of mass destruction proliferation:

- **DPRK programs**: Executive Orders 13551, 13687, 13722 — North Korean entities, banks, front companies, and shipping networks
- **Iran programs**: Executive Order 13382 — WMD proliferators; 31 CFR Parts 544/560 — Iran sanctions
- **WMD proliferators**: 31 CFR Part 544 — entities supporting WMD programs globally

Proliferation financing typologies are incorporated into the transaction monitoring rule set, with enhanced scrutiny for transactions involving jurisdictions with known proliferation activity.

#### 6.5 Match Handling

| Action | Requirement | Deadline |
|---|---|---|
| **True positive — blocked person** | Block the transaction and the property; do not release | Immediately |
| **Blocking Report** | File with OFAC (31 CFR 501.603(b)(1)) | 10 business days |
| **Rejected transaction** | Reject and file Rejected Transaction Report (31 CFR 501.604) | 10 business days |
| **False positive** | Document rationale in screening log; retain for 5 years | Same day as determination |
| **Escalation** | All potential true positives escalated to BSA Officer and General Counsel | Within 1 hour of detection |

---

### 4.3 Beneficial Ownership (31 CFR 1010.230)

PayStream collects beneficial ownership information for all legal entity customers at account opening and upon trigger events (ownership change, renewal, or adverse information).

**Ownership Prong** (31 CFR 1010.230(d)(1)(i)): Identify each natural person who, directly or indirectly, owns 25% or more of the equity interests of the legal entity customer. Collect: full legal name, date of birth, address, and identification number (SSN, or passport number for non-US persons).

**Control Prong** (31 CFR 1010.230(d)(1)(ii)): Identify one individual with significant responsibility to control, manage, or direct the legal entity customer. This is typically the CEO, CFO, COO, Managing Member, General Partner, President, Vice President, or Treasurer. The control prong applies regardless of ownership percentage — even if no individual owns 25%+, one control person must always be identified.

| Prong | Trigger | Minimum Collection |
|---|---|---|
| Ownership (25%+) | Each natural person with 25%+ equity | Name, DOB, address, SSN/passport, ownership % |
| Control (1 person) | Always required — regardless of ownership | Name, DOB, address, SSN/passport, title |

**Exemptions**: Certain legal entity types are exempt from beneficial ownership requirements — including publicly traded companies listed on a US securities exchange, SEC-registered investment companies, and government entities. See 31 CFR 1010.230(e) for the full exemption list. PayStream verifies exemption eligibility at onboarding and documents the basis.


## Built-in Validation

The skill includes a completeness checker that validates the AML/BSA program against all five BSA pillars and mandatory regulatory requirements. The agent runs it automatically after building the program structure and surfaces gaps so you can address them before drafting the narrative.

### What the validator checks

| Check Category | What It Validates | Severity |
|---|---|---|
| **Pillar 1: Compliance Officer** | Named BSA/AML officer with authority and resources | ERROR if missing |
| **Pillar 2: Policies/Procedures** | At least CDD, monitoring, or SAR procedures present | ERROR if missing |
| **Pillar 3: Independent Testing** | Annual independent audit program | ERROR if missing |
| **Pillar 4: Training** | Risk-based training program | ERROR if missing |
| **Pillar 5: CDD** | CIP, CDD, EDD, beneficial ownership (both prongs) | ERROR; control prong separate ERROR |
| **Entity profile** | Entity type, products, geographic exposure | ERROR if missing |
| **Risk assessment** | Customer, product, geography, transaction risk | ERROR if missing |
| **Transaction monitoring** | Monitoring rules, alert triage, investigation workflow | ERROR if missing |
| **CTR filing** | Currency transaction reporting procedures (distinct from SAR) | ERROR if missing |
| **SAR filing** | SAR procedures, timelines, narrative standards | ERROR if missing |
| **OFAC screening** | Sanctions screening with 50% Rule | ERROR; proliferation financing WARNING |
| **Recordkeeping** | 5-year retention per 31 CFR 1010.430 | ERROR if missing |
| **Information sharing** | 314(a) mandatory + 314(b) voluntary | ERROR if missing |
| **Board oversight** | Board-level accountability | ERROR if missing |
| **Entity-specific** | MSB: FinCEN registration, $2K SAR threshold, agents | ERROR / WARNING |
| **Entity-specific** | Crypto: Travel Rule, unhosted wallets, DPRK typologies | ERROR / WARNING |
| **Entity-specific** | Fintech: Sponsor bank BSA agreement | ERROR |
| **Entity-specific** | Insurance: Covered products, $5K SAR threshold | WARNING |

### Severity levels

- **ERROR** — A mandatory regulatory requirement is missing. The program would fail a FinCEN or state examination without this element. Must be resolved.
- **WARNING** — A strongly recommended element or entity-specific requirement that could draw examination findings or create compliance risk.

### Example validation output

```
========================================================================
AML/BSA Compliance Program — Completeness Check
========================================================================

--- Errors (must fix — mandatory regulatory requirements) ---
  [ERROR] Missing Currency Transaction Report (CTR) filing procedures
    (31 CFR 1010.311 / 1022.310). CTR is a distinct, mandatory
    obligation — not the same as SAR filing.
  [ERROR] CDD/BO: Control prong missing — one individual with
    significant management control must be collected regardless of
    ownership percentage (31 CFR 1010.230(d)(1)(ii)).
  [ERROR] Fintech/Neobank: Verify written BSA/AML responsibility
    agreement with sponsor bank exists and is referenced.

--- Warnings (strongly recommended / entity-specific) ---
  [WARNING] CDD: Missing Enhanced Due Diligence (EDD) triggers and
    procedures.
  [WARNING] OFAC: Proliferation financing (PF) sanctions programs not
    explicitly documented (DPRK/EO 13551/13722, Iran/EO 13382, WMD
    proliferators/31 CFR Part 544). Particularly important for crypto
    businesses (DPRK sanctions evasion typologies).
  [WARNING] Fintech/Neobank: BSA obligations cannot be fully delegated
    to sponsor bank — independent program required.

========================================================================
```

The agent runs validation automatically after each major section is added and surfaces findings inline, so you always know what gaps remain before the program goes to compliance review or examination.

