Prior to founding Adytum, I spent a decade in the trenches as a Compliance Officer for crypto MSBs and money transmitters. I’ve seen it all, from the “Wild West” days of 2016 to the increasingly, and arguably hyper-, regulated landscape of 2026.
If you’re a FinTech startup founder, you must move quickly, but in this industry, if your growth outpaces your compliance, you become a bigger target for regulators. Building a scalable BSA/AML program is partly about checking boxes, but it’s mostly about building a modular engine that won’t overheat when you hit 100k users and that can accept upgrades as needed.
Here’s my blueprint for building AML from scratch without losing your shirt or your license.
Risk Assessment as your Foundation
Before you write a single policy, you have to understand your business and know where your risks are concentrated. Following the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual is the de facto industry standard, even for non-bank financial institutions such as money transmitters, MSBs and FinTechs.
Start by evaluating risk across your Products, Services, Customers, Entities, Locations and Vendors. If you’re in the digital asset space, your risk assessment also needs to account for on-chain risk, for example transacting with an OFAC-sanctioned wallet. It’s not just who your customer is, but where their coins have been and where they go after they leave your inventory, including the risk that those outputs land in a mixer, a darknet market, or worse. Only from this understanding can you build effective mitigation strategies, knowing that you will keep iterating on them, basically in perpetuity.

Once you’ve documented your inherent risk, that is, the risk before any mitigating controls, apply your “mitigants” to arrive at your residual risk. If the leftover risk is still “High,” you need better tools, or a team of lawyers.
Live Policy Development is Key
I’ve seen 200-page AML program manuals that were beautiful but impossible to follow. The Company’s AML Program must be written to cover the risks identified through your assessments, the regulatory requirements stated in federal and state guidance, the controls you have implemented, and the mechanisms that enforce them.
Eventually, when state or federal regulators examine the AML program, they can and will evaluate your policy against your specific business model and will issue fines if they find it doesn’t fit. All this to say, don’t rely on a template policy: your AML policies must adequately and accurately reflect your organization’s specific tech stack, products, services and the associated risks. At a minimum, your BSA/AML compliance program must include the tenets of Recordkeeping, Internal Controls, Independent Testing, a Designated Compliance Officer (CCO), Ongoing Training, and Customer Due Diligence, including collection and validation of identity data and screening against global watchlists such as OFAC’s SDN list and PEP lists.
AML Program Implementation with “Scalability” in Mind
This is where most startups fail. They raise money and hire 25 people to manually review ID cards, source-of-funds documentation, transaction monitoring alerts and suspicious activity investigations. That simply doesn’t scale; it inevitably leads to a poor customer experience and lost revenue for the Company, all in the name of “effective compliance”.
In 2026 you need automated onboarding and validation of customer identity data, automated transaction monitoring and reporting tools, and human compliance managers who review and approve the roughly 10% of accounts in the grey that require additional documentation, review or investigation, without letting those accounts become bottlenecks as you scale.
Real-World Lessons from the Front-Lines of Crypto BTMs and OTC Trade Desks
After an unpredictable 10 years in crypto AML compliance for BTMs and OTC trade desks, my takeaway is this: if your engineers or leadership treat compliance as a waste or an impediment to faster growth, that regulatory debt must eventually be paid, in the form of regulatory fines. A culture of compliance begins at the Board and CEO level, but Compliance Officers must also want the business to succeed and grow profitably. A CCO’s job is not to shut down every transaction they consider suspicious or high volume; they are charged with implementing and enforcing a program that adequately assesses and mitigates risk, and that program works far more effectively as an automated, rules-based transaction monitoring system.
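To make the “automated, rules-based transaction monitoring system” concrete, here is a small engine of the kind the two sections above describe, as an added example that is not code from this article or from Adytum. It screens each counterparty wallet against a sanctions set (a hard block), routes counterparties carrying a high-risk analytics label such as “mixer” or “darknet_market” to human review, and applies trailing-24-hour volume and count rules so that only the grey cases reach a compliance manager. Every address, label and threshold in it is constructed for illustration; none is a real OFAC SDN entry, and the thresholds are assumptions you would set from your own risk assessment.

```python
"""Rules-based transaction monitoring with counterparty screening.

Added example, not the article's or Adytum's code. Every address, label and
threshold below is constructed for illustration; none is a real OFAC SDN
entry. In production, load SDN digital-currency addresses from OFAC's
published list and counterparty labels from a blockchain-analytics vendor.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data (hypothetical addresses, not real SDN entries).
_SANCTIONED_ADDR = "bc1qsanctionedexample0000000000000000000000"
_MIXER_ADDR = "bc1qmixerexample000000000000000000000000000"
SANCTIONED_ADDRESSES = {_SANCTIONED_ADDR}
ADDRESS_LABELS = {_MIXER_ADDR: "mixer",  # as an analytics vendor might label them
                  "bc1qdarknetexample0000000000000000000000000": "darknet_market"}
HIGH_RISK_LABELS = {"mixer", "darknet_market"}

# Assumed thresholds; derive yours from the risk assessment, not from here.
DAILY_VOLUME_REVIEW_USD = 10_000.0
DAILY_TX_COUNT_REVIEW = 5


@dataclass
class Tx:
    tx_id: str
    customer_id: str
    counterparty: str   # destination (or source) wallet address
    amount_usd: float
    timestamp: datetime


@dataclass
class Alert:
    tx_id: str
    customer_id: str
    rule: str
    disposition: str    # "BLOCK" = hard stop; "REVIEW" = human queue
    detail: str


def normalize(addr: str) -> str:
    """Strip whitespace and lowercase so trivial variations cannot evade a match."""
    return addr.strip().lower()


_SANCTIONED = {normalize(a) for a in SANCTIONED_ADDRESSES}


def screen_counterparty(tx: Tx) -> list[Alert]:
    """A sanctions hit is a hard block; a high-risk label only routes to review."""
    addr = normalize(tx.counterparty)
    alerts: list[Alert] = []
    if addr in _SANCTIONED:
        alerts.append(Alert(tx.tx_id, tx.customer_id, "SANCTIONS_HIT", "BLOCK",
                            f"counterparty {addr} is on the sanctions list"))
    label = ADDRESS_LABELS.get(addr)
    if label in HIGH_RISK_LABELS:
        alerts.append(Alert(tx.tx_id, tx.customer_id, "HIGH_RISK_COUNTERPARTY", "REVIEW",
                            f"counterparty is labeled {label}"))
    return alerts


def velocity_rules(tx: Tx, history: list[Tx]) -> list[Alert]:
    """Aggregate this customer's activity in the trailing 24h, including this tx."""
    start = tx.timestamp - timedelta(hours=24)
    recent = [h for h in history
              if h.customer_id == tx.customer_id and start < h.timestamp <= tx.timestamp]
    total = sum(h.amount_usd for h in recent) + tx.amount_usd
    count = len(recent) + 1
    alerts: list[Alert] = []
    if total >= DAILY_VOLUME_REVIEW_USD:
        alerts.append(Alert(tx.tx_id, tx.customer_id, "DAILY_VOLUME", "REVIEW",
                            f"${total:,.2f} in 24h across {count} transactions"))
    if count >= DAILY_TX_COUNT_REVIEW:
        alerts.append(Alert(tx.tx_id, tx.customer_id, "DAILY_TX_COUNT", "REVIEW",
                            f"{count} transactions in 24h"))
    return alerts


def monitor(transactions: list[Tx]) -> dict[str, list[Alert]]:
    """Run every transaction through the rule set in time order; alerts keyed by tx_id."""
    history: list[Tx] = []
    alerts: dict[str, list[Alert]] = defaultdict(list)
    for tx in sorted(transactions, key=lambda t: t.timestamp):
        alerts_for_tx = screen_counterparty(tx) + velocity_rules(tx, history)
        if alerts_for_tx:
            alerts[tx.tx_id].extend(alerts_for_tx)
        history.append(tx)
    return dict(alerts)


def disposition(tx_alerts: list[Alert]) -> str:
    """Any BLOCK wins; otherwise REVIEW if anything fired; else CLEAR (fully automated)."""
    if any(a.disposition == "BLOCK" for a in tx_alerts):
        return "BLOCK"
    return "REVIEW" if tx_alerts else "CLEAR"


# Constructed sample traffic (hypothetical customers and amounts).
_T0 = datetime(2026, 1, 15, 9, 0)
_ORDINARY = "bc1qordinaryexample000000000000000000000000"
SAMPLE_TXS = [
    Tx("t1", "cust-A", _ORDINARY, 500.0, _T0),
    Tx("t2", "cust-A", f"  {_SANCTIONED_ADDR.upper()}  ", 200.0, _T0 + timedelta(hours=1)),
    Tx("t3", "cust-B", _MIXER_ADDR, 1500.0, _T0 + timedelta(hours=2)),
    Tx("t0", "cust-C", _ORDINARY, 9000.0, _T0 - timedelta(hours=30)),  # outside the 24h window
    Tx("t4", "cust-C", _ORDINARY, 4000.0, _T0 + timedelta(hours=3)),
    Tx("t5", "cust-C", _ORDINARY, 4000.0, _T0 + timedelta(hours=4)),
    Tx("t6", "cust-C", _ORDINARY, 4000.0, _T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    results = monitor(SAMPLE_TXS)
    for tx in sorted(SAMPLE_TXS, key=lambda t: t.timestamp):
        hits = results.get(tx.tx_id, [])
        print(tx.tx_id, tx.customer_id, disposition(hits),
              "; ".join(f"{a.rule}: {a.detail}" for a in hits))
```

In the sample run, t2 is blocked even though the address arrives upper-cased with stray whitespace, t3 lands in the review queue because of its mixer label, and only the third of cust-C’s $4,000 sends trips the 24-hour volume rule because the $9,000 transaction thirty hours earlier falls outside the window. The split between BLOCK, REVIEW and CLEAR is the point: the engine clears the bulk of traffic automatically and hands the grey cases, with the rule and detail that fired, to the human reviewers.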

Ultimately, data and documentation are what examiners want to see, including records of your suspicious activity investigations and of the SAR filings themselves. And of course, the Suspicious Activity Report (SAR): over the last 10 years, time and again, organizations have failed to file a single SAR and been mercilessly fined by regulators, or worse. SARs are labor intensive, but consider them the ultimate culmination of your AML program’s effectiveness. A regulator will never consider your program effective if there is not a single SAR filing; we are dealing with money, after all, as money transmitters and FinTech MSBs. Furthermore, a properly filed SAR gives the Company and the CCO the statutory safe harbor from liability for making the report, and it is the evidence that the program did its job; there is no such protection absent the filing.
Final Thought
Building a scalable BSA/AML compliance program as a FinTech MSB isn’t about being “un-hackable” or “un-washable”. The tech stack matters, but compliance is about demonstrating effective institutional controls and a thorough understanding of the associated AML and business risks. At Adytum AML Consultants, we don’t just give you a manual; we help you understand the risks and build the machine.
Contact us today