Module 5 · Lesson 1

Building Your Compliance Program from Day One

Putting It All Together

The Phased Approach to Fintech Compliance

You don't need a Goldman Sachs-level compliance operation on day one. But you do need a defensible, functioning program from the moment you touch customer funds. The key is building a "minimum viable compliance" program that satisfies regulators and scales with your growth. Here's how to think about it in phases.

Phase 1: Pre-Launch (Months 1-3 Before Go-Live)

Before you onboard a single customer, these must be in place:

  • Written BSA/AML Policy: This doesn't need to be 200 pages. A 20-30 page document covering your risk assessment, CIP procedures, transaction monitoring approach, SAR filing process, and OFAC screening is sufficient at this stage. Have it reviewed by a BSA/AML attorney (budget $5,000-$15,000).
  • Designated BSA Officer: Someone, often the CEO or Head of Operations at a startup, must be formally designated in writing as the BSA Officer. This person is personally accountable for the program. They need adequate training (the CAMS certification from ACAMS is ideal, but no certification is legally required at this stage).
  • KYC/CIP Process: Either build or integrate a KYC onboarding flow that collects and verifies: name, date of birth, address, and an identification number (SSN or other taxpayer ID for U.S. persons; a passport or other government-issued number for non-U.S. persons). Use a vendor like Alloy, Persona, or Jumio for identity verification, and retain the verification records.
  • OFAC Screening: Implement real-time screening against the SDN list for all customers at onboarding, and rescreen your existing customer base whenever OFAC updates the list. This is non-negotiable from day one. Vendors like Dow Jones or ComplyAdvantage, or even OFAC's free Sanctions List Search tool, can work initially. Exact-match screening is not enough: aliases, transliterations, and reordered or punctuated names must still produce a hit for a human to clear.
  • Basic Transaction Monitoring: At minimum, set up manual review triggers for transactions above certain thresholds, and for customers whose activity adds up to those thresholds over a short window. Even a well-designed spreadsheet process is better than nothing, but document it formally, including the thresholds you chose and why.
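The two Phase 1 controls above that are actually code, sanctions screening and threshold triggers, are small enough to prototype before a vendor is in place. The block below is an added illustration written for this lesson, not code from the course or from any vendor named here. It assumes a hypothetical in-memory SDN-style list, hypothetical thresholds, and constructed sample transactions; a real deployment must load the current OFAC list and tune the thresholds to the written risk assessment. It goes slightly beyond the bullet text in one respect: besides flagging single transactions at or above the threshold, it also flags a customer whose transactions within a rolling window add up to the threshold, since a single-transaction rule alone is trivially avoided by splitting.

```python
"""Added example: minimal OFAC-style name screening plus threshold/rolling-window
review triggers. SDN entries, thresholds and transactions are constructed for the
example (assumptions), not real list data or regulatory values."""
import re
import unicodedata
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed SDN-style entries: (uid, primary name, aliases). Not real OFAC data.
SDN_SAMPLE = [
    ("SDN-0001", "Ivanov, Sergei Viktorovich", ["Sergey Ivanov"]),
    ("SDN-0002", "Al-Rashid Trading Co.", ["Alrashid Trading Company"]),
]

# Corporate suffixes and filler words that should not drive a match on their own.
_NOISE = {"co", "company", "corp", "inc", "ltd", "llc", "the", "and", "of"}


def normalize(name: str) -> list[str]:
    """Fold accents to ASCII, drop case and punctuation, strip noise tokens."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in _NOISE]


def name_score(query: str, candidate: str) -> float:
    """Order-independent similarity in 0.0..1.0: each token is matched against its
    closest token on the other side, averaged in both directions so that one shared
    token (e.g. 'trading') cannot match a long multi-token name."""
    q, c = normalize(query), normalize(candidate)
    if not q or not c:
        return 0.0

    def coverage(src: list[str], dst: list[str]) -> float:
        return sum(max(SequenceMatcher(None, s, d).ratio() for d in dst) for s in src) / len(src)

    return (coverage(q, c) + coverage(c, q)) / 2


def screen(name: str, sdn=SDN_SAMPLE, threshold: float = 0.8) -> list[tuple[str, str, float]]:
    """Return (uid, primary name, best score) for every entry at/above threshold.
    The threshold is an assumption: tune it against known true/false positives and
    err toward more hits, since a missed match is the costlier error."""
    hits = []
    for uid, primary, aliases in sdn:
        best = max(name_score(name, cand) for cand in [primary, *aliases])
        if best >= threshold:
            hits.append((uid, primary, round(best, 3)))
    return hits


# Constructed thresholds (assumptions): review any single transaction at/above the
# first value, or any customer whose total within WINDOW reaches the second.
SINGLE_TXN_REVIEW = 10_000.00
WINDOW_AGGREGATE = 10_000.00
WINDOW = timedelta(days=1)


def review_triggers(transactions) -> list[tuple[str, str, float]]:
    """transactions: iterable of (customer_id, datetime, amount), any order.
    Returns (customer_id, reason, amount) tuples for a human reviewer."""
    triggers = []
    by_customer = defaultdict(list)
    for cust, ts, amt in transactions:
        if amt >= SINGLE_TXN_REVIEW:
            triggers.append((cust, "single_txn_threshold", amt))
        by_customer[cust].append((ts, amt))
    for cust, items in by_customer.items():
        items.sort()  # sliding window over the customer's transactions in time order
        start, running = 0, 0.0
        for end, (ts, amt) in enumerate(items):
            running += amt
            while ts - items[start][0] > WINDOW:  # drop transactions older than WINDOW
                running -= items[start][1]
                start += 1
            if end > start and running >= WINDOW_AGGREGATE:
                triggers.append((cust, "rolling_window_aggregate", round(running, 2)))
                break  # one aggregate trigger per customer per run is enough for review
    return triggers


# Constructed sample transactions for the example.
SAMPLE_TXNS = [
    ("cust-1", datetime(2024, 3, 1, 9, 0), 12_500.00),   # one large transfer
    ("cust-2", datetime(2024, 3, 1, 9, 5), 4_000.00),
    ("cust-2", datetime(2024, 3, 1, 14, 30), 3_500.00),
    ("cust-2", datetime(2024, 3, 2, 8, 0), 3_000.00),    # 10,500 within 24 hours
    ("cust-3", datetime(2024, 3, 1, 10, 0), 9_000.00),
    ("cust-3", datetime(2024, 3, 5, 10, 0), 9_000.00),   # same total, four days apart: no trigger
]

if __name__ == "__main__":
    print(screen("Sergei Ivanov"))   # transliteration variant still hits SDN-0001
    print(screen("Jane Doe"))        # no hit
    for trigger in review_triggers(SAMPLE_TXNS):
        print(trigger)
```

Every hit and trigger here is a queue item for a person, not an automatic decision: the documented process is "screen, review, record the disposition," and the disposition records are what an examiner will ask for.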

Phase 2: Early Operations (Months 1-6 Post-Launch)

Once you're live with customers, quickly build out:

  • Automated Transaction Monitoring: Replace manual processes with an automated TMS. At this stage, Unit21 or Sardine are good fits for early-stage fintechs — they're affordable and quick to implement.
  • SAR Filing Capability: Register for BSA E-Filing with FinCEN before you need it. File your first SAR when warranted, and don't wait: the filing deadline is generally 30 calendar days from initial detection (up to 60 days if no suspect has been identified). Your first SAR demonstrates to regulators that your program is functioning.
  • Employee Training: All customer-facing employees must complete BSA/AML training within 30 days of hire. Use a vendor like KnowBe4 or build a simple internal training module. Document everything.
  • Customer Risk Rating: Implement a basic customer risk scoring model: low, medium, and high risk. Apply enhanced due diligence (EDD) to high-risk customers. At minimum, EDD should include source of funds verification and more frequent monitoring.

Phase 3: Growth (Months 6-18)

As you scale, your compliance program must scale with you:

  • Hire a dedicated compliance professional. When you hit approximately 10,000 active customers or $10M in monthly transaction volume, a part-time or fractional BSA Officer is no longer sufficient. Budget $120,000-$180,000 for a full-time BSA/AML compliance officer.
  • Conduct an independent audit. Independent testing is one of the required pillars of a BSA/AML program (see 31 CFR 1010.210 and the program rule for your institution type), and it must be performed by someone outside the compliance function being tested. Schedule it within 12-18 months of launch. Engage a qualified firm; expect to pay $15,000-$40,000 for a comprehensive BSA audit.
  • Formalize your risk assessment. Move from a basic risk assessment to a comprehensive, documented Enterprise-Wide Risk Assessment (EWRA) covering all product lines, customer types, and geographic risks. Update it annually.
  • Implement ongoing monitoring and periodic reviews. Beyond transaction monitoring, establish a schedule for periodic customer reviews — annually for high-risk customers, every 2-3 years for medium-risk.

Phase 4: Maturity (18+ Months)

  • Build out a compliance team. A mature fintech compliance team typically includes: BSA Officer, 1-2 compliance analysts, and a compliance operations/technology specialist. Depending on volume, you may need additional SAR analysts.
  • Implement model validation. Your transaction monitoring rules should be independently validated at least every 12-18 months. This ensures your rules are still effective and appropriately calibrated.
  • Develop a compliance management system. Centralize policies, training records, audit findings, and regulatory correspondence in a single system (GRC platforms like LogicGate, Hyperproof, or even a well-organized SharePoint).
  • Engage with regulators proactively. If you're operating under a bank partnership, attend joint compliance meetings. If you have a direct charter or license, build a relationship with your examiner before the examination.

Hiring Timeline Summary

  • Pre-launch: Designate a BSA Officer (can be an existing executive) + outside AML counsel
  • 0-10K customers: BSA Officer (part-time/fractional is OK) + KYC vendor
  • 10K-50K customers: Full-time BSA Officer + 1 compliance analyst
  • 50K-200K customers: BSA Officer + 2-3 analysts + compliance technology specialist
  • 200K+ customers: Full compliance team (5-8 people) with specialized roles

Practical Tip: Don't wait until you "need" compliance to build it. The best time to establish your program is before your first customer, when you can design processes correctly. The worst time is after a regulatory finding, when you're scrambling under a consent order. Budget 10-15% of your operational costs for compliance from day one.