AML Compliance for Payment Processors: Complete Guide

Payment processors sit at the center of massive transaction flows, processing billions of dollars annually and serving as critical intermediaries between banks and merchants. This position makes them attractive conduits for money laundering schemes and subjects them to increasing scrutiny from agencies like FinCEN, the FCA, and FINTRAC.

Unlike traditional banks, many payment processors operate under a dangerous misconception that AML compliance is optional or minimal. This misunderstanding has led to landmark enforcement actions—including FinCEN's $3.4 billion penalty against Binance and $37 million penalty against Brink's Global Services—and the loss of critical banking partnerships.

This guide covers the unique AML risks payment processors face, key regulatory requirements across jurisdictions, the core pillars of a compliant AML program, how to build one, and what's at stake if you don't.

TLDR: Key Takeaways

  • MSB-registered payment processors must comply with BSA/AML requirements: SAR filing, CIP, and transaction monitoring
  • The 5 pillars are risk assessment, customer due diligence, transaction monitoring, suspicious activity reporting, and staff training
  • Non-compliance risks fines, sponsor bank termination, license revocation, and criminal liability
  • Fractional BSA Officer services deliver expert oversight at a fraction of full-time executive costs

Why Payment Processors Face Unique AML Money Laundering Risks

Payment processors serve as intermediaries between banks and merchants, creating a structural "visibility gap." The sponsor bank has no direct relationship with the end merchant, allowing illicit activity to hide within legitimate transaction flows.

Three structural factors elevate AML risk specifically for payment processors:

  1. High transaction volume and velocity — Manual review breaks down at scale. Processors handling millions of transactions daily need well-calibrated automated monitoring, yet many still rely on inadequate manual processes.
  2. Diverse merchant risk profiles — Higher-risk sectors like gaming, telemarketing, and cross-border e-commerce each carry distinct money laundering typologies that generic monitoring tools miss.
  3. Layered processor arrangements — Sub-processor and ISO structures add intermediary layers between the bank and the end merchant, obscuring fund origins and making due diligence verification harder at every step.

[Figure: three structural AML risk factors elevating payment processor money laundering exposure]

Regulators have taken direct notice. FinCEN's Advisory FIN-2012-A010 explicitly warns that third-party payment processors make the payment system vulnerable to money laundering, identity theft, and fraud — and the FDIC and OCC have issued parallel guidance on third-party processor risks.

Payment processors that meet the money transmitter definition are MSBs for SAR reporting purposes, and the filing statistics show the stakes: MSBs filed 1.26 million SARs in FY2025, over a quarter of all suspicious activity reports filed in the United States.

AML Regulatory Requirements for Payment Processors

Applicable Laws and Regulators by Jurisdiction

United States: Payment processors qualifying as Money Services Businesses under 31 CFR 1010.100(ff) must register with FinCEN within 180 days after the business is established and comply with the Bank Secrecy Act. Registration must be renewed every two years under 31 CFR 1022.380. Whether a given processor is in scope turns on the facts: 31 CFR 1010.100(ff)(5)(ii)(B) excludes from the money transmitter definition a person who acts as a payment processor to facilitate the purchase of, or payment of a bill for, a good or service through a clearance and settlement system by agreement with the creditor or seller. A processor relying on that exclusion should document why each product line fits it, because sponsor banks and examiners will ask.

United Kingdom: Payment Service Providers regulated by the FCA must comply with the Money Laundering Regulations 2017 (MLR 2017). This includes conducting risk assessments (Regulation 18), implementing controls (Regulation 19), and appointing a Money Laundering Reporting Officer (MLRO) responsible for compliance (Regulation 21).

European Union: The EU is transitioning to a unified framework. The AML Regulation (EU) 2024/1624 applies from 10 July 2027, harmonizing CDD and monitoring rules. The new AML Authority (AMLA) is now operational in Frankfurt.

Canada: Payment service providers and crowdfunding platforms qualify as MSBs. They must register with FINTRAC before operating, implement a five-element compliance program, and file Suspicious Transaction Reports as soon as practicable.

Specific Compliance Obligations

Across these jurisdictions, five core compliance obligations apply. The table below maps each requirement to its key threshold or deadline (US citations; UK and Canadian equivalents noted where they differ):

Obligation | Key Requirement | Threshold / Deadline
Written AML Program (31 CFR 1022.210) | Policies, procedures and internal controls; a designated compliance officer; staff training; independent review, all approved by senior management | Required before operating
CIP / CDD | Verify customer identity, collect beneficial ownership information (the 31 CFR 1010.230 CDD rule does not reach MSBs directly, but sponsor banks and examiners expect it), understand the purpose of the relationship, maintain records | Risk-based; applies at onboarding and on an ongoing basis
Suspicious Activity Reports (31 CFR 1022.320) | File with FinCEN (US), the NCA (UK), or FINTRAC (Canada) when suspicious activity is detected | Transactions of $2,000 or more; within 30 calendar days of initial detection (up to 60 days if no suspect has been identified)
Currency Transaction Reports (31 CFR 1010.311) | Report transactions in physical currency to FinCEN within 15 days. Card and ACH flows involve no currency and do not trigger CTRs. Canada requires a Large Cash Transaction Report at CAD 10,000 or more; the UK has no equivalent cash-transaction report | Currency transactions of more than $10,000 in one business day
Recordkeeping (31 CFR 1010.430) | Retain transaction records, customer ID documents, and compliance program documentation | Five-year minimum retention

[Figure: AML compliance obligations table mapping five requirements, thresholds and deadlines for payment processors]

Merchant Due Diligence: A Critical Processor-Specific Obligation

Payment processors must conduct risk-based due diligence on the merchants for whom they originate payments, not just on direct account holders. Regulators treat gaps here as direct compliance failures, not oversights. The 2012 FinCEN enforcement action against First Bank of Delaware makes that clear: the bank was penalized for failing to adequately assess the AML risks posed by its third-party payment processors and for ignoring red flags such as excessive unauthorized return rates.

The $3,000 Rule (Travel Rule)

Under 31 CFR 1010.410(e) (recordkeeping) and (f) (the Travel Rule proper), processors must collect, retain, and pass along specific data for funds transfers of $3,000 or more. This includes the transmittor's name, address and account number (where the transfer is paid from an account), the amount, the execution date, the identity of the recipient's institution, and recipient information as received from the transmittor. That data creates the audit trail regulators rely on during investigations, and the threshold is inclusive: a transfer of exactly $3,000 is in scope.
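A field-completeness check for outgoing transfers, as an added example (not code from the original page and not a regulatory schema): the record keys, the batch helper and the sample transfers are this example's own assumptions. Recipient name, address and account are required by the rule only "as received from the transmittor"; because a processor originating a merchant payout always knows the payee, the example treats them as mandatory, which is a policy choice rather than the regulatory minimum.

```python
"""Travel Rule (31 CFR 1010.410(f)) field check for outgoing funds transfers.

Added example; record layout and sample data are constructed, not a
regulatory schema or any vendor format.
"""
from decimal import Decimal

TRAVEL_RULE_THRESHOLD = Decimal("3000")  # "$3,000 or more": the bound is inclusive

# Fields the transmittor's institution must include under 1010.410(f)(1).
# Key names are this example's own record layout.
REQUIRED_FIELDS = (
    "transmittor_name",
    "transmittor_address",
    "transmittor_institution",
    "amount",
    "execution_date",
    "recipient_institution",
)
# Required by the rule only when received from the transmittor; treated as
# mandatory here because a processor always knows the merchant it is paying.
RECIPIENT_FIELDS = ("recipient_name", "recipient_address", "recipient_account")


def travel_rule_applies(record):
    """True when the transfer amount is $3,000 or more."""
    return Decimal(str(record.get("amount", "0"))) >= TRAVEL_RULE_THRESHOLD


def missing_travel_rule_fields(record):
    """Names of required fields that are absent or empty; [] when compliant
    or when the rule does not apply to this transfer."""
    if not travel_rule_applies(record):
        return []
    missing = [f for f in REQUIRED_FIELDS + RECIPIENT_FIELDS if not record.get(f)]
    # The transmittor's account number is required only when the transfer
    # is paid from an account (always the case for processor-originated payouts).
    if record.get("from_account", True) and not record.get("transmittor_account"):
        missing.append("transmittor_account")
    return missing


def check_batch(records):
    """Map each in-scope transfer's reference to its list of missing fields.
    Out-of-scope transfers (below $3,000) are omitted rather than reported as
    clean, so the caller can tell 'compliant' from 'not applicable'."""
    return {
        r["ref"]: missing_travel_rule_fields(r)
        for r in records
        if travel_rule_applies(r)
    }


def constructed_batch():
    """Constructed sample transfers (hypothetical merchants, not real data)."""
    template = {
        "transmittor_name": "Acme Bakery Inc",
        "transmittor_address": "12 Main St, Springfield",
        "transmittor_institution": "Example Sponsor Bank",
        "transmittor_account": "000123456",
        "from_account": True,
        "execution_date": "2025-03-14",
        "recipient_name": "Flour Supply Co",
        "recipient_address": "9 Mill Rd, Shelbyville",
        "recipient_account": "987654",
        "recipient_institution": "Example Receiving Bank",
    }

    def make(ref, amount, **overrides):
        return {**template, "ref": ref, "amount": amount, **overrides}

    return [
        make("T-1", "2999.99"),                                   # below threshold
        make("T-2", "3000.00", transmittor_address="", recipient_account=""),
        make("T-3", "15000.00"),                                  # complete
        make("T-4", "5000.00", transmittor_account=None),         # account missing
    ]


if __name__ == "__main__":
    for ref, missing in check_batch(constructed_batch()).items():
        print(ref, "OK" if not missing else f"missing {missing}")
```

Run it to see T-1 omitted (out of scope), T-2 flagged at exactly $3,000, T-3 clean, and T-4 flagged for the missing account number. The same check belongs on the inbound side: a processor that receives a transmittal order missing these fields has its own duty to retain what it got and should alert on the gap rather than silently pass it on.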

The 5 Pillars of an AML Compliance Program

Pillar 1: Risk Assessment

A risk-based approach starts with a formal, documented risk assessment mapping your processor's exposure across four dimensions:

  • Customer types: Merchant segments, sub-processors, ISOs
  • Products and services: ACH processing, card payments, cross-border transfers
  • Transaction channels: Online, mobile, point-of-sale
  • Geographic footprint: Domestic versus international, high-risk jurisdictions

Risk assessments must be reviewed and updated annually or when material business changes occur—such as launching new products, entering new markets, or onboarding higher-risk merchant categories.

Regulators and sponsor banks will review this document during onboarding and examinations. A poorly documented or outdated risk assessment is an immediate red flag.

Pillar 2: Customer Due Diligence and KYC

Payment processors must implement a two-tier due diligence model:

Standard CDD applies to typical customers and includes:

  • Identity verification (individuals and business entities)
  • Business purpose and expected transaction patterns
  • Ownership structure and beneficial owners
  • Source of funds verification

Enhanced Due Diligence (EDD) applies to higher-risk relationships:

  • High-volume merchants or those with irregular patterns
  • Cross-border transactions or customers in high-risk jurisdictions
  • Politically Exposed Persons (PEPs) or their relatives
  • Merchants operating in industries with elevated money laundering risk

Payment screening in AML/KYC means checking customer and counterparty names against sanctions lists (OFAC SDN), PEP databases, and adverse media sources—both at onboarding and continuously throughout the relationship.
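Exact string comparison is the usual failure in name screening: list entries carry accents, reordered tokens, entity suffixes and typos. The following is an added example of normalization plus fuzzy matching, not code from the original page or from any screening vendor; the watchlist entries are constructed sample data (hypothetical names, not real SDN or PEP records), and the 0.85 threshold is an assumed tuning value that a real program would calibrate against false-positive review capacity.

```python
"""Sanctions / PEP name screening with normalization and fuzzy matching.

Added example. WATCHLIST is constructed sample data, not a real list.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# (list name, canonical name, known aliases) -- constructed, not real entries
WATCHLIST = [
    ("OFAC-SDN", "Ivan Petrov Trading LLC", ["Petrov Trading", "I. Petrov Trading"]),
    ("PEP", "Maria Gonzalez", []),
    ("OFAC-SDN", "Nordwind Shipping Co", ["Nord Wind Shipping"]),
]

# Entity suffixes add no discriminating information and differ by jurisdiction.
LEGAL_SUFFIXES = {"llc", "ltd", "inc", "co", "corp", "limited", "company", "sa", "gmbh"}


def normalize(name):
    """Strip accents, case, punctuation and legal suffixes, then sort tokens so
    that reordered names ("PETROV, Ivan" vs "Ivan Petrov") compare equal."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [t for t in re.split(r"[^a-z0-9]+", ascii_text.lower()) if t]
    tokens = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Ratio in [0, 1] between the normalized forms of two names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name, threshold=0.85):
    """Return (list_name, canonical_name, score) for every watchlist entry whose
    canonical name or any alias scores at or above the threshold, best first."""
    hits = []
    for list_name, canonical, aliases in WATCHLIST:
        best = max(similarity(name, candidate) for candidate in [canonical, *aliases])
        if best >= threshold:
            hits.append((list_name, canonical, round(best, 3)))
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for candidate in ["PETROV, Ivan Trading", "María González",
                      "Nord-Wind Shipping Company", "Ivan Petrov Tradng LLC",
                      "Acme Bakery Inc"]:
        print(f"{candidate!r}: {screen(candidate)}")
```

The four constructed true positives each defeat a naive exact match for a different reason (token order, accents, hyphenation and suffix, a typo), while the clean merchant name produces no hit. Screening has to run on both the merchant and its beneficial owners at onboarding and again whenever the list changes, since a name that was clean yesterday can be designated today.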

Pillar 3: Transaction Monitoring

Transaction monitoring systems analyze payment flows against expected behavior baselines to identify anomalies indicating potential money laundering:

  • Sudden volume spikes inconsistent with merchant history
  • Structuring patterns (transactions just below reporting thresholds)
  • Unusual return rates suggesting unauthorized transactions
  • Geographic anomalies (transactions from unexpected locations)
  • Round-number transactions deviating from typical ticket sizes

For payment processors, volume makes manual review impractical. The FATF's guidance on Virtual Assets and VASPs confirms that where large transaction volumes occur, "automated systems may be the only realistic method of monitoring transactions."

Automated systems must be properly calibrated, though. The Wolfsberg Group urges institutions to move beyond legacy rules-based approaches and incorporate customer behavior and attributes—not just raw transaction data—into detection logic.

Pillar 4: Suspicious Activity Reporting

When a processor knows, suspects, or has reason to suspect that a transaction or pattern involves illicit funds, is designed to evade BSA requirements, or has no apparent lawful purpose, it must file a SAR with FinCEN (or the equivalent authority) within 30 calendar days of initial detection. If no suspect has been identified on the date of detection, filing may be delayed a further 30 days to identify one, but never beyond 60 days in total (31 CFR 1022.320).

Three critical SAR requirements:

  1. Reasonable suspicion is enough: You don't need proof. Filing is required once the facts give you reason to suspect illicit activity
  2. Self-identify in the narrative: FinCEN's Advisory FIN-2012-A010 asks filers to include the term "payment processor" in the narrative of every relevant SAR so the reports can be searched by role
  3. Start the clock accurately: The 30-day window opens on initial detection of facts that may constitute a basis for filing, not when an investigation concludes. Record the detection date in the case file, because examiners test timeliness against it

[Figure: three critical SAR filing requirements for payment processor suspicious activity reporting]

Failure to file SARs is one of the most common—and most severely penalized—AML violations. Both Binance and Brink's Global Services faced massive penalties partially due to SAR filing failures.

Those enforcement cases underscore a broader point: a compliance program is only as strong as the people running it and the audits validating it.

Pillar 5: Training and Independent Testing

Ongoing Staff Training

Front-line and compliance personnel must receive regular training to:

  • Identify industry-specific AML red flags
  • Understand escalation procedures
  • Stay current on emerging money laundering typologies
  • Know regulatory reporting obligations and timelines

Training must be documented, role-specific, and updated regularly to address new risks and regulatory changes.

Independent Testing

An independent party (internal audit or an external reviewer with no role in running the program) must validate that your AML program functions as designed. 31 CFR 1022.210 sets no fixed interval, requiring review at a frequency commensurate with the risk of the business, but annual testing is the practical norm for most processors. The review examines:

  • Policy implementation and adherence
  • Control effectiveness
  • Transaction monitoring system performance
  • SAR quality and timeliness
  • Training completion and comprehension

Regulators treat absent or stale training and untested programs as significant deficiencies—and examiners will ask for documentation. If your last independent test was more than 12 months ago, schedule one before your next exam or sponsor bank review.

Red Flags and Suspicious Activity Patterns Specific to Payment Processing

Merchant-Level Red Flags

Unusually high ACH return rates or chargeback rates may indicate unauthorized transactions or fraud layering schemes. The FFIEC warns that high levels of ACH debits returned for insufficient funds or as "unauthorized" are strong fraud indicators.

Merchants operating outside their stated business type suggest potential account misuse. A merchant registered as a retail clothing store suddenly processing high-value wire transfers should trigger immediate investigation.

Sub-processors or ISOs re-selling services to unknown third parties without proper disclosure create additional layers of obscurity. These arrangements make it nearly impossible to conduct effective due diligence on the ultimate merchant.

Transaction-Level Red Flags

FinCEN's Advisory FIN-2012-A010 identifies specific red flags:

  • Structuring: Multiple transactions just below the CTR threshold ($10,000 in the US). For card and ACH flows, which carry no CTR, the analogous pattern is splitting transfers to stay under the $3,000 Travel Rule or $2,000 SAR thresholds, which 31 U.S.C. § 5324 also prohibits
  • Rapid fund movement: Deposits immediately withdrawn or transferred
  • Round-number transactions: Significant deviation from a merchant's typical ticket size
  • High-risk geography: Transactions involving countries on FATF grey or black lists
  • Multiple bank accounts: Use of accounts at multiple institutions to obscure activity
  • Check consolidation accounts: Used to conceal actual return rates from regulators

Return Rate Monitoring

High return rates are particularly important for processors. Excessive returns for ACH debits, especially those coded as insufficient funds or unauthorized, signal that merchants may be originating payments on accounts without proper authorization. This is a hallmark of fraud schemes layered through processing accounts.

Processors must monitor return rates continuously and investigate spikes immediately. The First Bank of Delaware enforcement action illustrates the consequences: inadequate return rate oversight contributed directly to a consent order and significant regulatory penalties.

Key monitoring actions:

  • Track ACH return rates daily against the NACHA thresholds (0.5% for unauthorized returns, 3% for administrative returns, and 15% overall), computed as NACHA does over the preceding 60 days of debit entries
  • Escalate any merchant account spiking above its own baseline for immediate review, even while still below the network thresholds
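The three rules above (NACHA return-rate thresholds, structuring under the CTR threshold, and volume spikes against a merchant baseline) implemented over a transaction feed, as an added example that is not code from the original page or from any monitoring vendor. The feed format, merchant identifiers, the 10% structuring band, the 3x spike multiplier and the five-day minimum baseline are this example's assumptions; the return-code groupings follow the NACHA Operating Rules, but the window is simply whatever feed is passed in rather than the rolling 60-day calculation NACHA prescribes.

```python
"""Merchant-level AML monitoring rules over a constructed ACH debit feed.

Added example. Feed layout, merchant names and tuning values are assumptions.
"""
from collections import defaultdict
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")
# NACHA return-rate thresholds (Operating Rules); rates are fractions of entries.
NACHA_UNAUTHORIZED = 0.005
NACHA_ADMINISTRATIVE = 0.03
NACHA_OVERALL = 0.15
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R11", "R29", "R51"}
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}


def entry(merchant, day, amount, originator, return_code=None):
    """One ACH debit; originator is the debited customer. return_code is None
    unless the entry came back (assumed feed layout)."""
    return {"merchant": merchant, "date": day, "amount": Decimal(amount),
            "originator": originator, "return_code": return_code}


def return_rates(feed):
    """Per-merchant unauthorized, administrative and overall return rates."""
    stats = defaultdict(lambda: {"entries": 0, "unauthorized": 0,
                                 "administrative": 0, "returned": 0})
    for e in feed:
        s = stats[e["merchant"]]
        s["entries"] += 1
        code = e["return_code"]
        if code:
            s["returned"] += 1
            if code in UNAUTHORIZED_CODES:
                s["unauthorized"] += 1
            elif code in ADMINISTRATIVE_CODES:
                s["administrative"] += 1
    return {m: {"unauthorized": s["unauthorized"] / s["entries"],
                "administrative": s["administrative"] / s["entries"],
                "overall": s["returned"] / s["entries"],
                "entries": s["entries"]} for m, s in stats.items()}


def return_rate_alerts(feed):
    """(merchant, metric, rate) for every rate that exceeds its NACHA threshold."""
    limits = {"unauthorized": NACHA_UNAUTHORIZED,
              "administrative": NACHA_ADMINISTRATIVE, "overall": NACHA_OVERALL}
    return [(m, metric, rates[metric])
            for m, rates in return_rates(feed).items()
            for metric, limit in limits.items() if rates[metric] > limit]


def structuring_alerts(feed, threshold=CTR_THRESHOLD, band=Decimal("0.10"), min_count=2):
    """Flag an originator whose same-day entries to one merchant each sit within
    `band` below `threshold` and together reach it. Returns
    (merchant, originator, date, count, total)."""
    floor = threshold * (1 - band)
    groups = defaultdict(list)
    for e in feed:
        if floor <= e["amount"] < threshold:
            groups[(e["merchant"], e["originator"], e["date"])].append(e["amount"])
    return [(m, o, d, len(amts), sum(amts))
            for (m, o, d), amts in groups.items()
            if len(amts) >= min_count and sum(amts) >= threshold]


def volume_spike_alerts(feed, multiplier=Decimal("3"), min_baseline_days=5):
    """Flag a merchant whose latest daily dollar volume is `multiplier` times
    its mean over all earlier days. Merchants with too little history are
    skipped rather than compared against a meaningless baseline."""
    volume = defaultdict(lambda: defaultdict(Decimal))
    for e in feed:
        volume[e["merchant"]][e["date"]] += e["amount"]
    alerts = []
    for merchant, days in volume.items():
        ordered = sorted(days)            # ISO dates sort chronologically
        if len(ordered) <= min_baseline_days:
            continue
        latest = ordered[-1]
        baseline = sum(days[d] for d in ordered[:-1]) / (len(ordered) - 1)
        if baseline > 0 and days[latest] >= multiplier * baseline:
            alerts.append((merchant, latest, days[latest], baseline))
    return alerts


def constructed_feed():
    """Constructed sample: a spike, a structuring pattern, a return-rate breach."""
    feed = []
    for d in range(1, 9):                 # M-ALPHA: 10 x $120 daily, 60 on day 8
        for i in range(60 if d == 8 else 10):
            feed.append(entry("M-ALPHA", f"2025-03-{d:02d}", "120.00", f"cust-{i}"))
    for _ in range(3):                    # M-BRAVO: 3 x $9,500 from one originator
        feed.append(entry("M-BRAVO", "2025-03-08", "9500.00", "cust-77"))
    for i in range(200):                  # M-CHARLIE: 3 of 200 returned R10 (1.5%)
        feed.append(entry("M-CHARLIE", "2025-03-08", "45.00", f"cust-{i}",
                          "R10" if i < 3 else None))
    return feed


if __name__ == "__main__":
    feed = constructed_feed()
    print("return rates:", return_rate_alerts(feed))
    print("structuring:", structuring_alerts(feed))
    print("volume spikes:", volume_spike_alerts(feed))
```

Each rule fires on exactly one constructed merchant, which is the point of keeping them separate: the alert carries the metric and the evidence an investigator needs to write a SAR narrative, rather than a bare "suspicious" flag. The structuring rule takes the threshold as a parameter so the same logic can run at $3,000 for the Travel Rule pattern noted above.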

Building Your AML Compliance Program: A Step-by-Step Approach

Step 1: Conduct a Baseline Risk Assessment

Document every customer segment, product, payment channel, and geography your business touches. Assign an inherent risk score to each based on:

  • Volume and velocity of transactions
  • Industry sector risk profiles
  • Geographic exposure to high-risk jurisdictions
  • Customer base composition (individual consumers vs. merchants vs. sub-processors)

The output is a written risk assessment that anchors every program design decision. It's also the first document regulators and sponsor banks review during onboarding or examination.

Step 2: Draft Your AML Policies and Procedures

Written policies must translate your risk assessment into specific operational controls:

  • Who performs CDD and how (documentation requirements, verification methods)
  • What triggers Enhanced Due Diligence
  • How transactions are monitored (system rules, thresholds, alert handling)
  • Who can approve high-risk relationships and under what conditions
  • How SARs are identified, prepared, filed, and documented

[Figure: five-step AML compliance program build process from risk assessment to audit and update]

Generic internet templates are routinely flagged by regulators as inadequate. Your policies must reflect your actual risk profile — not someone else's.

Step 3: Designate a Qualified AML Compliance Officer

Regulations require designating a BSA/AML Compliance Officer (or MLRO in the UK, CAMLO in Canada) with appropriate qualifications. Regulators expect this individual to have:

  • Deep knowledge of BSA/AML regulations and guidance
  • Experience implementing compliance programs
  • Authority to implement necessary changes
  • Direct access to senior management and the board

For early-stage payment processors, hiring a full-time BSA Officer can be cost-prohibitive. Fractional compliance leadership from providers like Fraxtional fills this gap. You get director-level BSA/AML expertise on a flexible engagement model, giving sponsor banks and regulators a qualified point of contact without the cost of a full-time executive hire.

Step 4: Implement Monitoring and Screening Systems

Your technology stack needs to cover three core functions:

Real-time screening of customers and counterparties against:

  • OFAC SDN lists and other sanctions databases
  • PEP databases
  • Adverse media sources

Rule-based transaction monitoring with:

  • Thresholds calibrated to your specific risk profile
  • Behavioral baselines that adapt to merchant patterns
  • Alert prioritization to focus investigator time on true risks

Case management tools to document:

  • Alert investigation steps and findings
  • Disposition decisions (close, escalate, file SAR)
  • Audit trail for regulatory review

Step 5: Test, Audit, and Update

AML programs require continuous maintenance:

  • Independent testing at least annually confirms that controls function as designed
  • Periodic risk assessment refresh when business changes occur (new products, markets, merchant types)
  • Update staff training to cover emerging typologies and regulatory changes
  • Documentation of all improvements demonstrates the continuous cycle regulators expect

Regulators look for evidence of ongoing program enhancement, not a static program built once and abandoned.

Consequences of AML Non-Compliance for Payment Processors

Regulatory and Financial Penalties

FinCEN, OCC, and state regulators impose civil money penalties ranging from thousands to billions of dollars. Recent enforcement actions demonstrate the scale:

  • Binance Holdings Ltd. (2023): $3.4 billion penalty for willful failure to register as an MSB, failure to implement an effective AML program, and failure to file SARs
  • Brink's Global Services USA (2025): $37 million penalty for unregistered MSB activity, failing to maintain an AML program, and failing to file SARs
  • Bittrex, Inc. (2022): $29.28 million penalty for failing to maintain an effective AML program and failure to file SARs

[Figure: AML enforcement penalty comparison of Binance, Brink's and Bittrex penalty amounts and violations]

Operational Consequences

The operational damage frequently outlasts the fine itself. Processors that fail compliance obligations face three compounding consequences:

  • Sponsor bank termination: Banks routinely exit relationships with non-compliant processors. FDIC FIL-41-2014 confirms banks won't be criticized for serving processors — provided they properly manage the relationship. Lose that trust, and operations can shut down entirely.
  • Payment network removal: Loss of access to card networks and ACH systems eliminates the ability to process transactions outright.
  • Consent order remediation: Multi-year remediation programs consume management attention and resources that would otherwise go toward growth.

Personal Liability

Organizational consequences don't stay at the organizational level. Under the BSA, individuals face serious personal exposure (the dollar figures below are the statutory amounts; the civil figures are inflation-adjusted annually under 31 CFR 1010.821):

Exposure Type | Statute | Penalty
Civil | 31 U.S.C. § 5321 | For a willful violation, the greater of $25,000 or the amount involved, capped at $100,000 per violation; for reporting and recordkeeping violations, each day the violation continues counts as a separate violation
Criminal, standard | 31 U.S.C. § 5322(a) | Fine of up to $250,000, imprisonment of up to 5 years, or both
Criminal, pattern | 31 U.S.C. § 5322(b) | Fine of up to $500,000, imprisonment of up to 10 years, or both, where the violation is part of a pattern of illegal activity involving more than $100,000 in a 12-month period or is combined with another federal crime

Liability extends to partners, directors, officers, and employees who willfully violate BSA requirements — not just the named compliance officer.

Individuals may also face clawback of bonuses earned during the period in which violations occurred. A qualified compliance officer with genuine authority, not just a title, is what separates personal exposure from personal protection.

Frequently Asked Questions

What are the requirements for payment processors in AML?

Payment processors that qualify as MSBs must register with FinCEN, maintain a written AML program with a designated compliance officer, implement CIP and CDD procedures, file SARs and CTRs, and retain records for five years. The UK, EU, and Canada impose equivalent obligations under MLR 2017, AMLR, and PCMLTFA.

What is payment screening in AML KYC?

Payment screening checks customer names, transaction counterparties, and beneficiaries against sanctions lists (OFAC SDN), PEP databases, and adverse media sources. Checks run in real time or at onboarding, preventing transactions involving prohibited individuals and satisfying KYC obligations for customers and counterparties.

What are the 5 pillars of AML compliance?

The five pillars are:

  1. Risk assessment covering customer, product, channel, and geographic exposure
  2. Customer due diligence and KYC procedures
  3. Transaction monitoring to detect suspicious patterns
  4. Suspicious activity reporting to FinCEN or equivalent authorities
  5. Staff training and independent testing

All five must be documented and functioning.

What is the $3,000 rule in banking?

The BSA's funds transfer recordkeeping rule requires financial institutions to collect and retain identifying information (name, address, account number) for the sender and recipient of funds transfers of $3,000 or more. This creates a traceable record supporting AML investigations and is commonly called the Travel Rule.

What are the consequences of AML non-compliance for payment processors?

Consequences include civil money penalties ranging from thousands to billions of dollars, loss of banking partnerships and payment network access, license revocation, reputational damage, and personal civil or criminal liability for responsible individuals. Recent penalties against Binance ($3.4 billion) and Brink's ($37 million) demonstrate the scale of exposure.

Do payment processors need a dedicated AML compliance officer?

Yes, a designated BSA/AML Compliance Officer (or equivalent MLRO/CAMLO) is a legal requirement under FinCEN rules and equivalent regulations globally. Many early-stage processors meet this requirement through fractional compliance leadership — giving regulators and sponsor banks direct access to qualified expertise without the cost of a full-time hire.