How to Perform a Compliance Gap Analysis (Complete Guide)

A payment startup spends months securing a sponsor bank relationship, passes the initial compliance review, and starts processing transactions. Then a regulatory examiner arrives. Within days, findings emerge: no formally designated BSA Officer in writing, transaction monitoring thresholds that were never reviewed after launch, no independent testing of the AML program in over a year. The sponsor bank pauses the relationship. Remediation costs mount. The reputational damage lingers.

This scenario plays out more often than most founders expect. The gap wasn't malicious — it was invisible. Nobody had formally measured the company's compliance posture against the specific obligations it was required to meet.

This guide walks through exactly how to do that: a practical, step-by-step compliance gap analysis designed for fintech, crypto, and financial services companies operating across the US, UK, Canada, and EU.


TL;DR

  • A compliance gap analysis measures your current controls against applicable regulatory requirements, so you find problems before regulators do.
  • Applicable frameworks vary by jurisdiction: BSA/AML, UDAAP, Reg E, FCA rules, FINTRAC, GDPR, and others depending on your model and markets.
  • The process has six steps: define scope → gather documentation → map requirements → identify gaps → prioritize and remediate → monitor and repeat.
  • Common fintech gaps include AML program deficiencies, missing BSA officer designations, stale transaction monitoring rules, and cross-border blind spots.
  • Resource-constrained teams benefit most from experienced outside compliance leadership — internal teams often can't see the gaps they're already inside.

What Is a Compliance Gap Analysis — and Why It Matters in Financial Services

A compliance gap analysis is a structured evaluation that compares your organization's current compliance posture — policies, controls, and day-to-day practices — against the specific regulatory requirements you're obligated to meet. The output is a clear picture of where shortfalls exist and what needs to change before those gaps become examination findings, enforcement actions, or worse.

Why Financial Services Companies Face Elevated Stakes

Most industries deal with a handful of regulatory frameworks. A fintech or money transmitter may need to simultaneously comply with:

  • BSA/AML under FinCEN (31 CFR 1022.210 for MSBs, 31 CFR 1020.210 for banks)
  • UDAAP and Regulation E enforced by the CFPB
  • State money transmission laws across every jurisdiction where you operate
  • FCA requirements under the Payment Services Regulations 2017 and Electronic Money Regulations 2011 (UK)
  • FINTRAC obligations for Canadian money services businesses
  • GDPR data handling requirements (EU and UK)

[Figure: Fintech regulatory compliance framework obligations across the US, UK, Canada and EU]

The complexity multiplies under sponsor bank or embedded finance arrangements, where both the fintech and its banking partner carry compliance obligations. The bank's own regulators will scrutinize the fintech's program just as closely as the bank's.

That layered exposure has real financial consequences. Financial crime compliance in the US and Canada totaled $61 billion annually as of 2024, according to LexisNexis Risk Solutions. FinCEN's enforcement record makes the stakes specific: a $3.4 billion settlement against Binance in 2023, $29 million against Bittrex in 2022, and $3.5 million against Paxful in 2025, each tied to BSA/AML program failures.

The Core Benefits

Done well, a gap analysis delivers:

  • Early detection of regulatory vulnerabilities before audits or exams surface them
  • Smarter resource allocation: fixing the highest-risk gaps first rather than spreading effort thin
  • Credibility with sponsor banks, investors, and regulators
  • A documented compliance baseline that holds up under regulatory examination and investor due diligence

How to Perform a Compliance Gap Analysis: Step by Step

Each step below is designed to produce documented, auditable outputs. The quality of your findings depends on the rigor applied at each stage — skipping steps or treating this as an informal checklist review produces surface-level results that won't hold up under examiner scrutiny.

Step 1 – Define the Scope

Scope definition answers two questions: which regulations apply to this organization, and which parts of the business are being assessed?

For a fintech operating in both the US and UK, that might mean scoping one exercise to BSA/AML and FinCEN requirements, and a separate exercise to FCA compliance obligations. Combining everything into one pass often produces surface-level results.

The most common mistake here is scoping too broadly. Start with the highest-risk regulatory area or the one most likely to face scrutiny. For a money transmitter, that's almost always the AML program.

Step 2 – Gather Documentation and Establish a Baseline

Collect everything that represents your "current state":

  • Written policies and procedures
  • Training materials and completion records
  • Internal audit findings and prior exam results
  • Contracts and compliance requirements from sponsor banks
  • Any previous regulatory correspondence

Involve cross-functional stakeholders: compliance, legal, operations, technology, and product teams. Policies on paper are not always policies in practice. Reviewing transaction monitoring outputs and complaint logs, and interviewing staff, will surface operational gaps that documentation reviews miss.

Step 3 – Map Regulatory Requirements

Break the applicable regulations into specific, testable obligations. Under FinCEN's BSA requirements, for example, the four program pillars are:

  1. Written policies and procedures
  2. Internal controls
  3. Independent testing
  4. Designated BSA Officer

Each pillar becomes a line item to evaluate. The most effective tool here is a control mapping matrix: a structured document that lists each regulatory requirement, the corresponding internal control or procedure, available evidence, and a compliance status (compliant / partially compliant / not in place). This transforms a subjective assessment into a documented, auditable record.

[Figure: BSA/AML four program pillars and control mapping matrix compliance assessment structure]

When mapping BSA requirements, keep these two citations separate: 31 CFR 1020.210 covers bank AML program requirements, while beneficial ownership CDD for legal entities falls under 31 CFR 1010.230. Treating them as interchangeable is a common mapping error.

Step 4 – Identify and Document Gaps

Compare the baseline against the mapped requirements. Document every instance where controls are missing, inadequate, or outdated — and be precise. "AML policy is weak" is not a gap. A properly documented gap looks like this:

Customer Due Diligence procedures do not include enhanced due diligence triggers for high-risk customer categories as required under 31 CFR 1010.230.

Specificity matters for two reasons. It makes remediation actionable. And it demonstrates to regulators and sponsor banks that your organization takes compliance seriously — not just that you produced a document.

Document the risk associated with each gap: the likelihood of a regulatory finding and the severity of the consequence. That documentation feeds directly into Step 5.

Step 5 – Prioritize Gaps and Build a Remediation Plan

Not all gaps carry equal risk. A missing BSA Officer designation is a critical, high-urgency gap. An incomplete procedure for a low-volume, low-risk transaction type is not.

Rank gaps by:

  • Regulatory severity and likelihood of examination scrutiny
  • Business impact (could this pause a sponsor bank relationship?)
  • Effort required to remediate

For each gap, create a remediation task with a named owner, specific corrective action, required resources, and a realistic deadline. Vague action items fail. Compare these two versions: "Improve AML policy" tells nobody what to do. "Update CDD procedures to include EDD triggers for high-risk customer segments, with legal review completed by [date], assigned to [name]" is an actual task.

This is also where external expertise pays off most directly. The remediation plan needs to satisfy regulators and sponsor banks, not just internal stakeholders — and that requires someone who knows what examiners actually look for. Fraxtional's fractional compliance directors work at this level regularly, which is why clients bring them in specifically for remediation planning rather than after the fact.

Step 6 – Monitor Progress and Schedule Repeating Reviews

Remediation is not complete when a new policy document is written. Retest controls to confirm they operate as intended, track progress through regular check-ins, and update the gap register as items close.

Establish a repeating schedule:

  • At minimum: annually
  • Also triggered by: regulatory changes, new product launches, market expansion, new sponsor bank relationships, mergers or acquisitions, or any regulatory examination or enforcement action

[Figure: Compliance gap analysis review triggers and annual monitoring schedule for fintech firms]

FINTRAC's guidance explicitly requires Canadian reporting entities to review their compliance program's effectiveness every two years. US BSA rules require independent testing as a program element without specifying a fixed annual frequency — but best practice is annual, at minimum.


Common Compliance Gaps Found in Fintech and Financial Services

BSA/AML Gaps

These appear most frequently across FinCEN enforcement actions and sponsor bank reviews:

  • No formally designated BSA Officer in writing — a required program element that is often handled informally until an examiner or bank review demands documentation
  • CDD procedures missing EDD triggers — Customer Due Diligence procedures that don't address enhanced due diligence for high-risk customer categories (required under 31 CFR 1010.230)
  • Unreviewed transaction monitoring thresholds — rules configured at launch and never validated against actual transaction patterns or risk profile changes
  • SAR filing backlogs or gaps — a recurring issue in enforcement cases against Bittrex and Paxful, both of which faced FinCEN penalties that included SAR failures

One client told Fraxtional: "We had an AML policy, but it didn't hold up during a sponsor bank review." That's the gap analysis failing silently — the policy existed, but it didn't meet the standard required.

Consumer Protection and Operational Gaps

BSA/AML failures are often the most visible, but consumer protection gaps carry their own enforcement risk. Companies that scaled quickly without a dedicated compliance function frequently have:

  • UDAAP exposures in marketing materials or terms that could be characterized as unfair or deceptive — a particular risk when product growth outpaces compliance review
  • Regulation E error resolution failures — the CFPB's action against Block/Cash App resulted in $175 million in penalties for fraud and error-resolution failures. Many fintechs have never stress-tested their workflows against Reg E's deadlines: 10 business days to investigate, 45 days with a provisional credit.
  • Outdated or missing privacy notices — particularly when product features have evolved after initial disclosure documents were drafted

Cross-Border and Multi-Jurisdictional Gaps

Companies expanding internationally often don't reassess their compliance posture before entering new markets:

  • UK: The FCA's 2023 supervisory review of payment and e-money firms found material financial crime weaknesses across governance, risk assessment, customer due diligence, and transaction monitoring — a pattern affecting firms supervised under the PSRs 2017 and EMRs 2011
  • Canada: FINTRAC MSB registration and reporting gaps remain common among companies with Canadian operations that have not mapped their obligations to FINTRAC's compliance program requirements
  • EU/UK: GDPR obligations that exist on paper but haven't been mapped to operational reality — data flows involving third-party processors, sponsor bank data sharing, or retention practices that conflict with regulatory requirements

[Figure: Cross-border fintech compliance gaps by jurisdiction: UK, Canada and EU GDPR breakdown]

Each jurisdiction adds a distinct layer of obligation. Most companies entering new markets assume their existing compliance framework extends automatically — it rarely does, and the gaps that emerge are the ones regulators find first.


How Fraxtional Can Help

Most companies hitting a gap analysis trigger point face the same problem: they need director-level regulatory expertise, but can't justify a full-time executive hire. That's the exact situation Fraxtional is built for — a fractional risk and compliance firm serving fintech, crypto, BaaS banks, and private equity clients across the US, Canada, UK, and EU.

Every Fraxtional engagement is director-led. The person running or overseeing the gap analysis brings deep regulatory experience across BSA/AML, UDAAP, Reg E, privacy, and cyber risk and stays directly involved at every stage. Clients aren't handed off to junior staff.

For the gap analysis process specifically, Fraxtional helps with:

  • Defining the right regulatory scope for a specific business model and geography
  • Conducting the control mapping exercise with practitioner-level precision
  • Identifying gaps that internal teams don't recognize as gaps (often the most consequential ones)
  • Building remediation plans that satisfy sponsor bank partners and regulators rather than just internal reviewers

The engagement is flexible. Companies can start with a targeted On Demand Advisory engagement for the gap analysis alone — most risk assessments deliver initial findings within 10 business days and complete within two to four weeks.

That engagement can convert to a Subscription Advisory or Fractional Advisory relationship, where a named CCO, BSA Officer, CAMLO, or MLRO provides ongoing oversight as remediation proceeds and the compliance program evolves.

When a sponsor bank requires a named BSA Officer, Fraxtional's fractional leaders serve in that capacity — appearing in regulatory filings, handling bank Q&A, and representing the company to examiners with full accountability.


Frequently Asked Questions

What is a compliance gap analysis?

A compliance gap analysis is a structured process of comparing an organization's current policies, controls, and procedures against the regulatory requirements it must meet. It identifies where shortfalls exist so they can be addressed before they produce regulatory findings, fines, or reputational damage.

What are the steps of a compliance gap analysis?

Six steps: define scope, gather documentation and establish a baseline, map regulatory requirements, identify and document gaps, prioritize and build a remediation plan, and monitor progress with scheduled repeating reviews.

What are the most common compliance issues found in a gap analysis?

In financial services, the most common issues include BSA/AML program deficiencies (missing BSA officer, inadequate CDD or transaction monitoring), UDAAP policy weaknesses, Regulation E error resolution gaps, and unaddressed cross-border compliance obligations for companies operating in multiple jurisdictions.

How often should a compliance gap analysis be conducted?

At minimum, annually — and also triggered by regulatory changes, new product launches, sponsor bank onboarding, major organizational changes, or any regulatory examination. Canadian reporting entities must review compliance program effectiveness every two years under FINTRAC rules.

What is the difference between a compliance gap analysis and a risk assessment?

A compliance gap analysis measures whether controls and procedures meet specific regulatory requirements. A risk assessment evaluates the likelihood and impact of adverse events across a broader set of threats and vulnerabilities. Both serve distinct purposes and should be maintained separately within a compliance program.

How long does a compliance gap analysis take?

A targeted single-framework gap analysis for a startup typically takes two to four weeks, with initial findings available within the first 10 business days. A comprehensive multi-jurisdictional review for a scaling fintech can take several months — experienced fractional compliance directors who run these regularly can often cut that timeline by a third or more.