BSA/AML requirements for neobanks in 2025 — program components and FinCEN CDD Rule

BSA/AML Requirements for Neobanks: What Every Digital Bank Needs in 2025

When a neobank receives its money transmitter licenses and begins onboarding retail customers, the question of Bank Secrecy Act obligations comes up almost immediately, often from the bank sponsor, sometimes from state regulators, occasionally from both at once. The regulatory framework that applies to digital banks is the same one that applies to Wells Fargo: 31 CFR Part 1010 and, for banks specifically, 31 CFR Part 1020. The difference is that Wells Fargo has had since 1970, when the BSA was enacted, to build the infrastructure. A neobank serving 200,000 retail customers does not have that luxury, and examiners know it.

This article covers the five core components of a BSA/AML program that every digital bank must have, what "adequate" looks like at different customer volume tiers, and where neobank programs most frequently fall short.

The Five Pillars: What 31 CFR 1020.210 Actually Requires

The BSA requires covered financial institutions to establish and maintain a written AML program. For a neobank, the covered institution is usually the sponsor bank, and the neobank runs the program (or its customer-facing parts) on the bank's behalf under the program agreement; the obligation does not shrink because it is outsourced. Under 31 CFR 1020.210 that program must include five components:

  1. A system of internal controls reasonably designed to ensure ongoing compliance
  2. Independent testing (internal audit or a third-party BSA/AML review, in either case independent of the people who run the program)
  3. A designated BSA Officer with day-to-day operational responsibility
  4. Ongoing training for all personnel with BSA/AML responsibilities
  5. Customer due diligence procedures under 31 CFR 1010.230, including risk-based customer risk profiling, beneficial ownership identification and verification, and ongoing monitoring to maintain and update customer information

None of these are optional. A neobank that has CDD procedures but lacks documented internal controls, or that has never conducted independent testing, has a program gap that will surface in examination — regardless of how good its transaction monitoring looks.

Customer Identification Program: What CIP Requires at Account Opening

Under 31 CFR 1020.220, every bank must maintain a Customer Identification Program with risk-based procedures for collecting identifying information before an account is opened and verifying the customer's identity within a reasonable time after opening. For individual retail customers, the minimum CIP elements are: legal name, date of birth, address, and an identification number. For a US person that is a taxpayer identification number (the SSN for individuals); for a non-US person it is one or more of a TIN, a passport number with country of issuance, an alien identification card number, or the number of another government-issued document bearing a photograph or similar safeguard.

The regulation requires verification through documentary means, non-documentary means, or a combination of both. In practice, most neobanks combine the two: non-documentary checks such as database matching against credit bureau and other records, documentary verification by scanning and extracting an ID document, and increasingly liveness detection to establish that the person presenting the document is physically present. Vendors like Persona and Jumio operate in this space as integration partners; their outputs feed into a compliance program but do not themselves constitute one, and the bank remains responsible for the verification decision and for the record of what was checked.

Where neobanks get into trouble is treating CIP as a one-time event. CIP establishes identity at onboarding. Ongoing monitoring, which is distinct from CIP, is what catches identity drift, account takeover patterns, and changed risk profiles. Both are required. A well-structured KYC verification workflow should distinguish clearly between initial CIP verification and the periodic refresh logic that follows, and should record which of the two produced each piece of evidence in the customer file.

The CDD Rule and Beneficial Ownership: Not Optional for Legal Entity Accounts

FinCEN's Customer Due Diligence Rule (31 CFR 1010.230), with a compliance date of May 11, 2018, added a fifth AML program pillar: identifying and verifying the beneficial owners of legal entity customers. It applies to all "covered financial institutions" when they open accounts for legal entities other than those in the rule's enumerated exclusions; a neobank operating through a bank sponsor performs it on behalf of the sponsor, which is the covered institution.

Beneficial ownership has two prongs under the CDD Rule: the ownership prong (each individual, if any, who directly or indirectly owns 25% or more of the equity interests, so up to four people) and the control prong (a single individual with significant responsibility to control, manage, or direct the entity, such as a CEO or managing member). The institution must collect the beneficial ownership information, typically on a certification form, and must verify the identity of each beneficial owner using procedures at least as rigorous as its CIP. It may rely on the customer's representation of who the beneficial owners are unless it has knowledge of facts that would reasonably call that representation into question.

A neobank in the SMB segment that has never built a legal entity onboarding flow is not just missing a product feature — it is missing a regulatory requirement. Examiners will ask for a sample of legal entity accounts opened in the prior 12 months and will check whether beneficial ownership certifications exist in the file.

SAR and CTR Filing: Thresholds and Documentation Requirements

Two of the most concrete BSA obligations are Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). CTRs are required under 31 CFR 1010.311 for currency transactions of more than $10,000 in a single business day, and multiple currency transactions are aggregated when the bank knows they are conducted by or on behalf of the same person (31 CFR 1010.313), with cash-in and cash-out totaled separately. The filing window is 15 calendar days from the transaction date. Structuring, deliberately breaking transactions into sub-$10,000 pieces to avoid CTR reporting, is itself a federal crime under 31 USC 5324, and a pattern that looks deliberate is SAR material whether or not any CTR was ever due.

SARs under 31 CFR 1020.320 are triggered by a different standard: known or suspected violations of federal law, or transactions that have no business or apparent lawful purpose or are not the sort the customer would normally be expected to conduct. The bank thresholds are $5,000 or more when a suspect can be identified, $25,000 or more regardless of whether a suspect is identified, and any amount for insider abuse. The filing deadline is 30 calendar days from the date of initial detection of facts that may constitute a basis for filing; if no suspect has been identified on that date, the bank may delay filing up to 60 calendar days in total. SAR documentation should capture the five Ws: who, what, where, when, and why the activity is suspicious.

Many neobanks significantly underestimate the operational load of SAR-filing obligations. A neobank with 200,000 active retail customers, a significant share of whom make peer-to-peer transfers or cash loads, can see alert volumes that require multiple full-time investigators. The AML screening infrastructure must support not just screening but the full case management workflow from alert to disposition to SAR filing.
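As an added example (not code from the article), the following runs CTR aggregation and a simple structuring detector over constructed sample transactions. The $10,000 threshold and the 15-day filing window are the regulatory figures from above; the near-threshold band, the per-tier window lengths and minimum counts, and every customer ID and transaction are illustrative assumptions. The detector is risk-tiered, so the same two deposits that a medium-risk profile ignores raise an alert on a high-risk account:

```python
"""CTR aggregation and a risk-tiered structuring detector.

Added example, not code from the original article. Runs over constructed sample
transactions; the tier parameters and near-threshold band are illustrative
assumptions, not regulatory figures.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000.00    # 31 CFR 1010.311: currency transactions of more than $10,000
CTR_FILING_DAYS = 15         # calendar days from the transaction date
NEAR_THRESHOLD_FLOOR = 0.80  # assumption: 80-100% of the threshold counts as "near-threshold"

# Assumption: illustrative per-tier lookback and minimum transaction count.
# A real program tunes these against its own alert and SAR outcomes.
TIER_PARAMS = {
    "low":    {"window_days": 7,  "min_count": 3},
    "medium": {"window_days": 14, "min_count": 3},
    "high":   {"window_days": 30, "min_count": 2},
}


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer_id: str
    business_day: date
    amount: float
    direction: str  # "in" (deposit, cash load) or "out" (withdrawal)


def ctr_candidates(txns):
    """Aggregate each customer's currency transactions per business day and
    direction (cash-in and cash-out totaled separately). A CTR is due when the
    day's total exceeds CTR_THRESHOLD, even if no single transaction does.
    Returns {(customer_id, business_day, direction): (total, filing_deadline)}."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer_id, t.business_day, t.direction)] += t.amount
    return {
        key: (round(total, 2), key[1] + timedelta(days=CTR_FILING_DAYS))
        for key, total in totals.items()
        if total > CTR_THRESHOLD
    }


def structuring_alerts(txns, risk_tier):
    """Flag customers whose near-threshold transactions (none individually over the
    threshold) add up past it inside a rolling window sized by the customer's risk
    tier. Customers missing from risk_tier default to 'medium'."""
    near = defaultdict(list)
    for t in txns:
        if NEAR_THRESHOLD_FLOOR * CTR_THRESHOLD <= t.amount <= CTR_THRESHOLD:
            near[t.customer_id].append(t)
    alerts = []
    for cust, ts in near.items():
        tier = risk_tier.get(cust, "medium")
        params = TIER_PARAMS[tier]
        ts.sort(key=lambda t: t.business_day)
        for i, first in enumerate(ts):
            window_end = first.business_day + timedelta(days=params["window_days"] - 1)
            window = [t for t in ts[i:] if t.business_day <= window_end]
            total = round(sum(t.amount for t in window), 2)
            if len(window) >= params["min_count"] and total > CTR_THRESHOLD:
                alerts.append({
                    "customer_id": cust,
                    "tier": tier,
                    "count": len(window),
                    "total": total,
                    "window": (first.business_day.isoformat(), window_end.isoformat()),
                    "txn_ids": [t.txn_id for t in window],
                })
                break  # one alert per customer; an investigator owns the case from here
    return alerts


# Constructed sample data (fictional customers and transactions).
SAMPLE_TXNS = [
    CashTxn("t1", "C1", date(2025, 1, 6), 9_500.00, "in"),
    CashTxn("t2", "C1", date(2025, 1, 7), 9_500.00, "in"),
    CashTxn("t3", "C1", date(2025, 1, 8), 9_500.00, "in"),    # three near-threshold loads on consecutive days
    CashTxn("t4", "C2", date(2025, 1, 6), 12_000.00, "in"),   # single transaction over $10,000: CTR, not structuring
    CashTxn("t5", "C3", date(2025, 1, 2), 9_900.00, "in"),
    CashTxn("t6", "C3", date(2025, 1, 20), 9_800.00, "in"),   # 18 days apart: only the high-risk window catches it
    CashTxn("t7", "C4", date(2025, 1, 9), 6_000.00, "in"),
    CashTxn("t8", "C4", date(2025, 1, 9), 6_000.00, "in"),    # two same-day deposits aggregate past $10,000
]
SAMPLE_RISK_TIER = {"C1": "low", "C2": "low", "C3": "high", "C4": "medium"}


def run_sample():
    """Return the sample results in plain types (strings, floats, ints)."""
    ctrs = ctr_candidates(SAMPLE_TXNS)
    return {
        "ctr": sorted(
            (cust, day.isoformat(), direction, total, deadline.isoformat())
            for (cust, day, direction), (total, deadline) in ctrs.items()
        ),
        "structuring": [
            (a["customer_id"], a["count"], a["total"])
            for a in structuring_alerts(SAMPLE_TXNS, SAMPLE_RISK_TIER)
        ],
    }


if __name__ == "__main__":
    for row in run_sample()["ctr"]:
        print("CTR due:", row)
    for alert in structuring_alerts(SAMPLE_TXNS, SAMPLE_RISK_TIER):
        print("Structuring alert:", alert)
```

Running it yields two CTR candidates (C2's single $12,000 deposit and C4's two $6,000 same-day deposits, each with a January filing deadline) and two structuring alerts (C1 under the low-risk 7-day window, C3 only because the high-risk tier uses a 30-day window). Passing an empty risk map makes every customer medium-risk and C3 drops out, which is the point of the risk-tiering bullet in the examination section below.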

OFAC Screening: A Parallel but Separate Obligation

OFAC sanctions compliance is not part of the BSA program per se. OFAC and FinCEN both sit within the Treasury Department, but OFAC administers sanctions under separate statutory authority (principally IEEPA and the Trading with the Enemy Act) rather than the BSA. In practice it sits alongside the BSA/AML program in every examination, and the two are often evaluated together. OFAC requires that US persons not engage in transactions with individuals or entities on the Specially Designated Nationals (SDN) list, that they block or reject property and transactions as the applicable program directs, and that they comply with country-based and sectoral sanctions programs.

For a neobank, this means screening customers at onboarding against the SDN list and OFAC's other sanctions lists (Consolidated Sanctions List), and screening again on an ongoing basis when OFAC updates its lists. It also means screening counterparties in transactions — not just the account holder. A US neobank customer sending a wire to an SDN-listed counterparty creates an OFAC exposure even if the customer themselves is not listed.

This does not mean neobanks need to build their own sanctions list infrastructure: commercial data vendors like ComplyAdvantage, Refinitiv World-Check, and LexisNexis Bridger maintain the SDN and consolidated list data with intraday update feeds. What matters is having a documented screening program with clear criteria for what triggers a match review, who conducts the review, how quickly reviews must be completed, what is held or blocked while a review is open, and what the escalation path looks like when a potential match cannot be cleared.
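The screening workflow described above, as an added example rather than code from the article or any of the vendors named: normalize names, score them against a constructed, fictional sanctions list (nothing here is real SDN data), screen both sides of a payment, and rescreen the customer base against only the entries that changed when a new list version arrives. The scoring method (stdlib difflib on normalized and token-sorted names) and the 0.85 cut-off are assumptions standing in for calibrated vendor matching.

```python
"""Sanctions-list screening: normalization, fuzzy name matching, counterparty
screening and delta rescreening on list update.

Added example, not code from the article or any vendor. List entries, customers
and the transaction are constructed and fictional; MATCH_THRESHOLD and the
difflib-based scoring are assumptions a real program would replace with
calibrated matching.
"""
import re
import unicodedata
from difflib import SequenceMatcher

MATCH_THRESHOLD = 0.85  # assumption: illustrative cut-off for a potential match


def normalize(name):
    """Fold case, strip diacritics (NFKD, then drop combining marks), replace
    punctuation with spaces and collapse whitespace, so 'VALDÉZ, Juan' and
    'juan valdez' compare on equal footing."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = re.sub(r"[^\w\s]", " ", s.casefold())
    return " ".join(s.split())


def name_score(a, b):
    """Similarity in [0, 1]: the better of a direct ratio and a token-sorted ratio,
    so 'Surname, Given' and 'Given Surname' score as the same name."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    direct = SequenceMatcher(None, na, nb).ratio()
    sorted_a = " ".join(sorted(na.split()))
    sorted_b = " ".join(sorted(nb.split()))
    return max(direct, SequenceMatcher(None, sorted_a, sorted_b).ratio())


def screen_party(name, sanctions_list, threshold=MATCH_THRESHOLD):
    """Return [(entry_uid, score)] for every entry whose primary name or any
    alias scores at or above the threshold, best match first."""
    hits = []
    for entry in sanctions_list:
        candidates = [entry["name"], *entry.get("aliases", [])]
        best = max(name_score(name, c) for c in candidates)
        if best >= threshold:
            hits.append((entry["uid"], round(best, 3)))
    return sorted(hits, key=lambda h: -h[1])


def screen_transaction(txn, sanctions_list):
    """Screen both sides of a payment: a hit on the beneficiary is an OFAC
    exposure even when the originating customer is clear."""
    return {
        "originator": screen_party(txn["originator"], sanctions_list),
        "beneficiary": screen_party(txn["beneficiary"], sanctions_list),
    }


def rescreen_on_update(customers, old_list, new_list):
    """Rescreen the customer base against only the entries added or changed since
    the previous list version; returns {customer_name: hits} for new matches."""
    old = {e["uid"]: e for e in old_list}
    delta = [e for e in new_list if old.get(e["uid"]) != e]
    results = {}
    for customer in customers:
        hits = screen_party(customer, delta)
        if hits:
            results[customer] = hits
    return results


# Constructed, fictional list entries and customers (not real SDN data).
SAMPLE_LIST_V1 = [
    {"uid": "EX-0001", "name": "VALDEZ ROMERO, Juan Carlos", "aliases": ["Juan C. Valdez"]},
    {"uid": "EX-0002", "name": "NORTHWIND TRADING CO.", "aliases": ["Northwind Trade Company"]},
]
SAMPLE_LIST_V2 = SAMPLE_LIST_V1 + [
    {"uid": "EX-0003", "name": "OKONKWO, Adaeze", "aliases": []},
]
SAMPLE_CUSTOMERS = ["Juan Carlos Valdez Romero", "Jane Q. Public", "Adaeze Okonkwo"]
SAMPLE_TXN = {"originator": "Jane Q. Public", "beneficiary": "Northwind Trade Co"}

if __name__ == "__main__":
    for c in SAMPLE_CUSTOMERS:
        print(c, "->", screen_party(c, SAMPLE_LIST_V1) or "clear")
    print("transaction:", screen_transaction(SAMPLE_TXN, SAMPLE_LIST_V1))
    print("rescreen on update:", rescreen_on_update(SAMPLE_CUSTOMERS, SAMPLE_LIST_V1, SAMPLE_LIST_V2))
```

Two design points carry over to a real program: the delta rescreen is what keeps ongoing screening affordable when a list updates several times a day, and every hit, including the ones an analyst clears as false positives, needs to be written to the case record, because the examiner's question is not just "did you screen" but "show me the review for this match".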

What Examiners Look For (and Where Programs Break Down)

Based on patterns in examination findings from the federal and state banking regulators and in public FinCEN and prudential-regulator enforcement actions, the areas most consistently cited in neobank and fintech BSA examinations include:

  • Inadequate risk assessment documentation. The BSA program must be calibrated to the institution's actual risk profile. A neobank that serves international remittance customers but has a risk assessment written as if it serves domestic payroll accounts will have a credibility problem with examiners from the first meeting.
  • Transaction monitoring that is not customer-risk-informed. Running every retail customer through the same transaction monitoring scenarios regardless of their risk tier generates excessive false positives and misses high-risk indicators in elevated-risk accounts. The monitoring program must be risk-tiered.
  • SAR documentation gaps. A SAR that says "customer conducted unusual transactions" is not adequate documentation. Examiners expect the filing narrative to explain why the pattern is suspicious, what the customer's expected activity profile was, and what steps the institution took to investigate before filing.
  • Independent testing that is not truly independent. A BSA audit conducted by the same team that built the AML program does not satisfy the independent testing requirement. Third-party BSA examination or a separate internal audit function with genuine independence is required.

The neobank compliance landscape is maturing rapidly. The earliest-generation digital banks that treated BSA compliance as an afterthought have largely either been acquired, shut down their banking products, or faced enforcement. The standard of care that examiners apply in 2025 is not the permissive early-stage standard of 2015 — it is the same standard applied to any other covered financial institution. Building a program that reflects that standard from day one is significantly less costly than retrofitting one under regulatory pressure. Neobank-specific compliance infrastructure should be designed with examination-readiness as a baseline requirement, not a future aspiration.