Guide to MSB Compliance Essentials

Introduction

Running a money services business puts you in a regulatory category most financial service companies never have to navigate. MSBs handle cash, cross-border flows, and high-risk customer segments — and enforcement actions reflect that scrutiny. Binance received a $3.4 billion FinCEN civil money penalty and a $4.3 billion DOJ resolution in 2023 for BSA violations. Helix faced a $60 million FinCEN penalty for operating as an unregistered MSB with no AML program at all.

This guide covers what MSB compliance requires across the US, UK, and Canada — registration, AML program requirements, reporting obligations, and independent reviews. If you're a fintech founder determining whether you qualify, or an operator scaling through your next regulatory review, the sections below give you a practical framework.

The consequences of getting this wrong go beyond fines. Non-compliance ends banking relationships, triggers license revocations, and can close off sponsor bank partnerships permanently.

TL;DR

  • MSB status in the US triggers at $1,000 per person per day for most categories — but money transmitters have no transaction threshold
  • FinCEN registration (Form 107) is required — but it does not replace state-level money transmitter licenses
  • Every MSB needs a written, risk-based AML program with four core elements: internal controls, compliance officer, training, and independent testing
  • SAR filing threshold is $2,000; CTR threshold is $10,000 — both have strict filing deadlines
  • Independent reviews are legally required — and carry real weight with regulators, sponsor banks, and investors

What Is an MSB and Who Qualifies?

"Money services business" is a legal term defined under 31 CFR 1010.100(ff) — not a business category in the general sense. It covers any person engaged in certain financial activities, regardless of whether financial services are their primary business.

Business Types That Qualify

The main categories under US law include:

  • Currency dealers and exchangers
  • Check cashers
  • Issuers, sellers, or redeemers of traveler's checks or money orders
  • Providers and sellers of prepaid access
  • Money transmitters
  • Virtual currency exchangers and administrators
  • Remittance services

In Canada, FINTRAC extends this to foreign exchange dealing, virtual currency dealing, and prescribed crowdfunding platforms. The UK's Money Laundering Regulations 2017 cover currency exchange offices, money transmission, and cheque cashing services.

The Threshold Nuance That Catches Fintech Founders

For most US MSB categories — currency exchangers, check cashers, money order issuers — the activity threshold is more than $1,000 per person per day. Below that, MSB status generally doesn't apply.

Money transmitters are different. FinCEN is explicit: there is no activity threshold for money transmitters. A fintech that moves funds on behalf of users qualifies from the first transaction.

Many founders assume that low transaction volumes or small ticket sizes keep them outside regulatory scope. That assumption is wrong — and FinCEN civil money penalties for unregistered MSB activity start at $5,000 per violation.

MSB Category Activity Threshold
Currency exchangers, check cashers, money order issuers >$1,000 per person per day
Money transmitters No threshold — first transaction triggers MSB status

MSB category activity thresholds comparison showing money transmitter no-threshold rule

MSB Registration: US, UK, and Canada Requirements

Registration requirements vary by jurisdiction, and critically, they stack — federal registration doesn't satisfy state requirements, and AML registration doesn't satisfy payment authorization requirements.

US Federal Registration

All US MSBs must register with FinCEN by filing Form 107 within 180 days of commencing operations. Renewal is required every two calendar years. Agents of registered MSBs are exempt from separate registration, but the parent MSB must maintain an agent list.

FinCEN is direct on one point: federal registration does not satisfy state or local licensing requirements. These are two entirely separate obligations.

US State-Level Licensing

Most states require a separate money transmitter license, administered through NMLS. Operating in a state without the required license is one of the most common and costly compliance failures MSBs make. Requirements vary significantly by state across several dimensions:

  • Net worth thresholds — minimum capital requirements that differ by state and business model
  • Surety bond amounts — often scaled to transaction volume or geographic footprint
  • Examination schedules — some states conduct annual reviews; others are triggered by complaint or risk factors

For fintech and crypto operators expanding across multiple states simultaneously, Fraxtional's money transmitter licensing advisory handles pre-filing strategy, state-by-state prioritization, and ongoing license maintenance.

UK Registration (HMRC vs. FCA)

UK MSBs must register with HMRC for AML supervision under the Money Laundering Regulations 2017. This covers money transmission, currency exchange, and cheque cashing businesses.

The critical distinction: HMRC registration is not the same as FCA authorization. Firms providing payment services or issuing e-money must separately obtain FCA authorization or registration. Treating HMRC supervision as full regulatory coverage is a common and significant gap for UK-based fintechs.

Canada Registration (FINTRAC)

Canadian MSBs must register with FINTRAC before providing any covered services — registration is a prerequisite, not a post-launch filing. Renewal follows a two-year cycle.

Foreign MSBs that direct services to persons or entities in Canada also have FINTRAC registration obligations. Any non-Canadian platform serving Canadian customers needs a FINTRAC analysis before launch.

Registration Comparison

Jurisdiction Regulator Initial Deadline Renewal Cycle
US (Federal) FinCEN Within 180 days Every 2 calendar years
US (State) NMLS / State regulators Varies by state Varies by state
UK (AML) HMRC Before operating Ongoing per HMRC guidance
UK (Payments) FCA Before operating Ongoing per FCA requirements
Canada FINTRAC Before operating Every 2 years

MSB registration requirements comparison across US FinCEN UK HMRC FCA and Canada FINTRAC

The Core Pillars of MSB AML Compliance

Under 31 CFR 1022.210, every US MSB must develop, implement, and maintain an effective written AML program. The regulation specifies four minimum required elements. "Minimum" means exactly that. Examiners expect programs commensurate with the risk posed by the MSB's location, size, services, and transaction volumes.

Pillar 1 — Written AML Program

The program must be written, risk-based, and tailored. A generic template doesn't satisfy regulators or sponsor banks. Off-the-shelf policies routinely miss key regulatory and bank expectations. A policy that fails a sponsor bank review triggers immediate remediation demands — often before the MSB has even launched.

A compliant written program addresses:

  • Products, services, and their specific money laundering risks
  • Customer types and geographic risk
  • Internal controls covering onboarding, monitoring, and escalation
  • Documented escalation paths for suspicious activity

Pillar 2 — Designated Compliance Officer

Every MSB must designate an individual responsible for day-to-day BSA/AML compliance. For early-stage operators, hiring a full-time Chief Compliance Officer or BSA Officer, which typically costs $25,000+ per month in total compensation, isn't viable.

Fractional compliance leadership solves this directly. Fraxtional's Fractional Advisory model provides a dedicated Director with full use of name and title, so clients can designate that person as their named BSA Officer or CAMLO in regulatory filings, sponsor bank agreements, and audits.

The engagement delivers up to 50-70% cost savings versus full-time hiring. The Director is embedded directly into the organization, covering:

  • Day-to-day BSA/AML oversight and escalation ownership
  • Representation to regulators, examiners, and sponsor banks
  • Named title use in filings, agreements, and audits

Pillar 3 — KYC and Customer Due Diligence

MSBs must implement procedures to verify customer identities, assess risk profiles, and apply enhanced due diligence (EDD) for higher-risk customers. Regulators and sponsor banks scrutinize CDD procedures closely — inadequate documentation here is one of the most frequent triggers for sponsor bank review failures.

KYC/CDD programs should cover:

  • Identity verification at onboarding
  • Ongoing risk-rating of customers
  • EDD triggers and documented rationale for high-risk relationships
  • Periodic review of existing customer profiles

Pillar 4 — Transaction Monitoring

Ongoing transaction monitoring covers suspicious patterns including unusual cash activity, structuring, and high-risk cross-border flows. Gaps here don't just create monitoring deficiencies — they produce SAR filing failures, which regulators treat as compound violations.

Effective monitoring programs include:

  • Rule sets calibrated to the MSB's specific product and customer risk
  • Regular rule validation and tuning
  • Clear escalation workflows from alert to investigation to filing decision

Pillar 5 — Employee Training

Training must be ongoing, documented, and role-specific. A one-time onboarding module doesn't meet regulatory expectations. During audits and examinations, reviewers look for:

  • Records of training sessions with dates and participant lists
  • Role-specific content covering front-line staff, the compliance team, and senior leadership separately
  • Evidence that senior leadership participated
  • Training updates when products, regulations, or risk profiles change

Five pillars of MSB AML compliance program requirements infographic

MSB Reporting Obligations: CTRs, SARs, and Recordkeeping

Currency Transaction Reports (CTRs)

US MSBs must file FinCEN Form 112 for cash transactions exceeding $10,000 in a single business day. Key rules:

  • Applies to individual transactions and aggregated transactions for the same person
  • Multiple transactions must be aggregated when the MSB knows they involve the same individual
  • Filing deadline: 15 calendar days from the transaction date

Suspicious Activity Reports (SARs)

US MSBs must file FinCEN Form 111 when a transaction of $2,000 or more is known or suspected to involve money laundering, fraud, or other criminal activity. Filing deadlines:

  • 30 calendar days after initial detection when a suspect is identified
  • Up to 60 days when no suspect is identified

The MSB is legally prohibited from tipping off the subject of a SAR filing. Disclosure to the person under review is a separate violation.

Recordkeeping Requirements

Record Type Threshold Retention Period
Funds transmittal records $3,000+ 5 years
Monetary instrument purchases $3,000–$10,000 (cash) 5 years
Prepaid access records Per 31 CFR 1022.420 5 years

Records must be made available for examination under 31 CFR 1022.400.

These US obligations cover the baseline. MSBs operating in the UK or Canada face parallel — but distinct — regimes that require the same operational rigor.

UK and Canada Equivalents

UK: MSBs report suspicious activity to the National Crime Agency (NCA) under POCA 2002. Failing to file where required is a criminal offence under POCA sections 330–331, carrying up to five years' imprisonment.

Canada: FINTRAC MSBs file Large Cash Transaction Reports (LCTRs) for transactions of CAD $10,000+, Suspicious Transaction Reports (STRs) where there are reasonable grounds to suspect money laundering or terrorist financing, and Electronic Funds Transfer reports for transfers of CAD $10,000+.

Cross-border MSBs must track which reporting regime applies to each transaction. That determination isn't a compliance afterthought — it needs to be built into operational design from day one.

The Independent Review Requirement

BSA Section 5318(h) requires covered financial institutions to maintain AML programs that include an independent audit function. For MSBs, 31 CFR 1022.210 specifies that independent review must be used to monitor and maintain an adequate program.

What the Regulation Requires

  • The reviewer can be an internal officer, employee, or outside party
  • The designated compliance officer cannot conduct the review — independence from the compliance function is mandatory
  • No fixed frequency is prescribed; scope and frequency must be commensurate with the risk of the services provided

What Independent Reviewers Examine

A well-scoped independent review covers:

  • Policies and procedures versus actual operational practices
  • Transaction samples and monitoring effectiveness
  • CTR and SAR filing accuracy and timeliness
  • KYC and CDD documentation
  • Training records and participation
  • Prior audit recommendations and remediation status

Covering each of these areas, Fraxtional's independent audit deliverables produce board-ready reports with prioritized remediation recommendations structured for use in regulatory examinations, sponsor bank due diligence, and investor reviews — giving every external audience a clear picture of where your program stands.

Common MSB Compliance Failures and Their Consequences

Enforcement actions against MSBs follow recognizable patterns. The violations that triggered the largest penalties weren't exotic edge cases — they were foundational failures.

Most Frequent Failure Themes

Failure Enforcement Example Penalty
Operating as unregistered MSB FinCEN action against Helix $60 million
Ineffective AML program DOJ action against MoneyGram $125 million forfeiture
Willful BSA violations (AML + sanctions) FinCEN/DOJ action against Binance $3.4B FinCEN / $4.3B DOJ
CDD, recordkeeping, and risk assessment failures HMRC action against MT Global Initial £23.8 million fine
Registration and compliance program failures FINTRAC action against Binance Holdings CAD $6 million

Major MSB enforcement actions and penalties comparison chart from FinCEN DOJ and HMRC

Beyond fines, non-compliance carries consequences that can be harder to recover from than a monetary penalty:

  • Loss of banking relationships through account derisking — the US Treasury's 2023 De-Risking Strategy explicitly identifies small and mid-sized MSBs as affected
  • License revocation, which eliminates the ability to operate in key markets
  • Inability to secure new sponsor bank partnerships, a serious obstacle for fintechs that depend on banking-as-a-service infrastructure

Having experienced compliance leadership in place, whether a full-time hire or a fractional engagement, is the most direct way MSBs avoid these outcomes. Fraxtional sees this play out regularly: a crypto lending platform needed a named BSA Officer to pass a sponsor bank review.

Once fractional leadership cleaned up the AML framework, they cleared the review ahead of schedule. Without that, losing the banking relationship would have shut down operations entirely.

Frequently Asked Questions

What is MSB in compliance?

MSB stands for Money Services Business — any entity that transmits, converts, or exchanges money, such as fintechs, crypto platforms, and remittance services. In the US, MSBs are regulated under the Bank Secrecy Act; the UK and Canada have equivalent AML frameworks.

What is MSB in the UK?

In the UK, an MSB is a business providing money transmission, currency exchange, cheque cashing, or similar payment services. UK MSBs must register with HMRC under the Money Laundering Regulations 2017 for AML supervision, and certain firms also require separate FCA authorization for payment services or e-money activity.

Who regulates MSBs in the UK?

HMRC is the primary AML supervisor for most UK MSBs. The FCA regulates payment institutions and e-money firms separately. Both regulators have authority to conduct inspections and impose sanctions — HMRC for AML compliance failures, the FCA for payment services and e-money violations.

Do MSBs need to register at the state level in the US?

Yes. Federal FinCEN registration does not substitute for state money transmitter licenses. Most US states require separate licensing through NMLS, and operating in a state without the required license is a regulatory violation that can trigger significant penalties and jeopardize existing licenses in other states.

What is the difference between an MSB and a money transmitter?

"Money transmitter" is one category within the broader MSB umbrella — specifically, any business that transfers funds on behalf of another person, regardless of transaction size. MSB is the wider term that also covers currency exchangers, check cashers, money order issuers, and prepaid access providers.

What are the penalties for MSB non-compliance?

Penalties include FinCEN civil fines, DOJ criminal prosecution, loss of banking access through derisking, and revocation of operating licenses. Recent enforcement actions have reached into the billions — making proactive compliance significantly less costly than the alternative.