Module 5 · Lesson 2

Common Mistakes That Get Fintechs in Trouble

Putting It All Together

Learning from Others' Mistakes

The fastest way to learn what not to do is to study enforcement actions. FinCEN, the OCC, the FDIC, and state regulators publish consent orders and civil money penalties (CMPs) that detail exactly what went wrong. Here are the most common — and costly — mistakes fintechs make.

Mistake #1: Inadequate SAR Filing

Real Example: In 2020, FinCEN proposed a $390 million penalty against Capital One for willful failure to file SARs and implement an effective AML program related to check-cashing customers. The bank had identified suspicious activity but failed to file timely SARs.

What Goes Wrong:

  • Alerts are generated but sit in a queue for weeks without review
  • Analysts close alerts without adequate documentation ("no suspicious activity observed" with no supporting analysis)
  • SAR narratives are generic and lack specific transaction details
  • Continuing SARs are not filed every 90 days for ongoing activity
  • The institution files SARs but doesn't retain the supporting investigation files

How to Avoid It: Establish SLA targets — alerts reviewed within 48 hours, SAR determination within 15 days, filing within 25 days (giving yourself a 5-day buffer before the 30-day deadline). Track these metrics weekly.
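As an added illustration (not material from the lesson), the SLA targets above turned into a check that runs over a constructed alert queue and reports which alerts breach review, decision, filing, documentation or continuing-SAR expectations; the `Alert` record layout, the `ts` helper and the 40-character rationale threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets from the lesson: review within 48h, SAR decision within 15 days,
# filing within 25 days (30-day deadline), continuing SAR every 90 days.
REVIEW_SLA = timedelta(hours=48)
DECISION_SLA = timedelta(days=15)
FILING_SLA = timedelta(days=25)
FILING_DEADLINE = timedelta(days=30)
CONTINUING_SAR_INTERVAL = timedelta(days=90)
MIN_RATIONALE_CHARS = 40  # assumed threshold for "has supporting analysis"

@dataclass
class Alert:  # assumed record layout, not from any real case-management tool
    alert_id: str
    generated: datetime
    reviewed: Optional[datetime] = None
    decided: Optional[datetime] = None
    decision: Optional[str] = None   # "file" or "no-sar" once decided
    rationale: str = ""              # analyst's written basis for the decision
    filed: Optional[datetime] = None
    last_continuing_filed: Optional[datetime] = None
    activity_ongoing: bool = False

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def check_alert(a: Alert, now: datetime) -> list:
    """Return SLA and documentation findings for one alert as of `now`.
    Open steps are measured against `now`, completed ones against their stamp."""
    findings = []
    if (a.reviewed or now) - a.generated > REVIEW_SLA:
        findings.append("review-overdue")
    if (a.decided or now) - a.generated > DECISION_SLA:
        findings.append("decision-overdue")
    if a.decided and len(a.rationale.strip()) < MIN_RATIONALE_CHARS:
        findings.append("undocumented-disposition")
    if a.decision == "file":
        age = (a.filed or now) - a.generated
        if age > FILING_DEADLINE:
            findings.append("filing-past-30-day-deadline")
        elif age > FILING_SLA:
            findings.append("filing-past-internal-sla")
        if a.filed and a.activity_ongoing:
            last = a.last_continuing_filed or a.filed
            if now - last > CONTINUING_SAR_INTERVAL:
                findings.append("continuing-sar-overdue")
    return findings
```

Running `check_alert` over every open and closed alert each week and counting the findings gives the metrics the paragraph asks you to track.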

Mistake #2: Weak Transaction Monitoring

Real Example: In 2022, Robinhood's crypto subsidiary paid $30 million to the New York Department of Financial Services (NYDFS) for significant failures in AML and cybersecurity compliance. Among the findings: the company's transaction monitoring system was understaffed and unable to handle the firm's rapid growth.

What Goes Wrong:

  • Rules are set once and never tuned — thresholds become outdated as customer behavior evolves
  • No coverage for key risk areas (e.g., no rules for peer-to-peer transfers or crypto off-ramping)
  • Alert volumes overwhelm the compliance team, leading to backlogs and rubber-stamp dispositions
  • No model validation — the institution can't demonstrate that its rules are effective

How to Avoid It: Review and tune your monitoring rules quarterly. Conduct formal model validation annually. Ensure your analyst team can handle the alert volume — if backlog exceeds 5 business days, you need more resources.

Mistake #3: Poor KYC and CDD at Onboarding

Real Example: In 2023, Binance agreed to pay $4.3 billion in penalties to multiple U.S. agencies, including FinCEN. A central allegation was that Binance failed to implement adequate KYC for U.S. customers, allowing users to create accounts with minimal identity verification.

What Goes Wrong:

  • Collecting customer information but not verifying it against independent sources
  • Allowing customers to transact before CIP is complete ("we'll verify them later" — you won't)
  • Not updating customer information when risk indicators change
  • Inadequate beneficial ownership collection for business accounts (25% threshold under the CDD Rule)
  • Relying solely on automated verification without manual review of failures and edge cases

How to Avoid It: Never allow a customer to transact until CIP is complete. Set up automated re-verification triggers for high-risk customers. Establish a process for collecting and updating beneficial ownership information.

Mistake #4: Insufficient Documentation

What Goes Wrong:

  • Compliance decisions are made verbally but never documented in writing
  • Risk assessments exist as vague, high-level documents that don't address specific product risks
  • Policies are written once and never updated — the examiner finds a policy dated 2022 that references products you no longer offer
  • No evidence of board or senior management oversight of the BSA/AML program

How to Avoid It: Adopt the mindset: "If it isn't documented, it didn't happen." Every compliance decision needs a written record with the date, the decision-maker, the facts considered, and the conclusion reached. Review and update all policies at least annually, with documented board approval.

Mistake #5: Treating Compliance as an Afterthought

Real Example: In 2021, BitMEX (a crypto derivatives platform) paid $100 million to FinCEN and the CFTC for operating without an adequate AML program. The founders had deliberately prioritized growth over compliance, even joking in internal communications about lax KYC requirements.

What Goes Wrong:

  • Compliance is "bolted on" after product launch instead of designed into the product from the start
  • The BSA Officer reports to the Head of Product or Engineering rather than to the CEO or board — creating conflicts of interest
  • Compliance budget is the first thing cut when money gets tight
  • The compliance team is not consulted before new product launches or market expansions

How to Avoid It: Give the BSA Officer a direct reporting line to the CEO or board. Include compliance review in your product development lifecycle — no new feature launches without a compliance impact assessment. Set a compliance budget floor (10-15% of operations) that can't be raided.

Mistake #6: Ignoring the Bank Partner Relationship

What Goes Wrong (Specific to BaaS fintechs):

  • Assuming the bank partner "handles" compliance — you are responsible for first-line compliance, period
  • Not sharing transaction monitoring data or SAR filings with the bank partner
  • Failing to implement the bank's compliance requirements into your product
  • Not understanding that the bank's examiners (OCC, FDIC, Fed) can and will examine your compliance program directly

How to Avoid It: Treat your bank partner's compliance team as an extension of your own. Establish regular (at least monthly) compliance check-ins. Share monitoring reports, SAR filings, and risk assessment updates proactively. When the bank makes compliance requests, treat them with the same urgency as a regulatory order — because that's effectively what they are.

Practical Tip: Set up a quarterly "enforcement action review" meeting where your compliance team discusses recent FinCEN, OCC, and state regulatory actions against fintechs and banks. Ask: "Could this happen to us?" Then address any gaps you identify. FinCEN publishes enforcement actions at fincen.gov/news-room/enforcement-actions.