Module 1 · Lesson 2

Key Regulators: FinCEN, FCA, EU AMLD

The Regulatory Landscape

Understanding Who Regulates You — and Why It Matters

AML/KYC compliance is not governed by a single global authority. Instead, a patchwork of national and supranational regulators each enforce their own frameworks. For fintechs operating across borders, understanding who has jurisdiction over your activities — and what they expect — is foundational to building a compliant program.

FinCEN (Financial Crimes Enforcement Network) — United States

FinCEN is a bureau of the U.S. Department of the Treasury and serves as the primary AML regulator in the United States. It administers the Bank Secrecy Act (BSA), the cornerstone of U.S. AML law since 1970.

Key regulations FinCEN enforces:

  • 31 CFR 1020.220: Customer Identification Program (CIP) requirements for banks
  • 31 CFR 1020.320: SAR filing requirements — institutions must file SARs for transactions of $5,000 or more that they know, suspect, or have reason to suspect involve funds from illegal activity
  • 31 CFR 1010.311-313: Currency Transaction Report (CTR) requirements for transactions exceeding $10,000
  • 31 CFR 1010.230: The Beneficial Ownership Rule (updated in 2024 via the Corporate Transparency Act) requiring companies to report beneficial owners to FinCEN
  • The Anti-Money Laundering Act of 2020 (AMLA): Modernized the BSA framework, introduced whistleblower incentives, and expanded FinCEN's subpoena power

How FinCEN applies to fintechs: Any business operating as a money services business (MSB) in the U.S. must register with FinCEN under 31 CFR 1022.380. This includes money transmitters, payment processors, and many crypto businesses. Registration is not optional, and failure to register is a federal crime (18 U.S.C. § 1960). Additionally, fintechs that partner with banks must comply with the bank's BSA program requirements.

FCA (Financial Conduct Authority) — United Kingdom

The FCA is the primary conduct regulator for financial services firms in the UK. Post-Brexit, the UK has diverged from EU AML frameworks in some areas, creating a distinct compliance environment.

Key regulations the FCA enforces:

  • The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017): The UK's primary AML legislation, amended multiple times since enactment
  • The Proceeds of Crime Act 2002 (POCA): Criminalizes money laundering and establishes the framework for suspicious activity reporting to the NCA (National Crime Agency)
  • FCA Handbook, SYSC 6.3: Requirements for financial crime systems and controls
  • Joint Money Laundering Steering Group (JMLSG) Guidance: While not law, the FCA expects firms to follow JMLSG guidance, and courts treat it as a relevant factor

How the FCA applies to fintechs: Any fintech providing regulated activities in the UK — including payment services (under the Electronic Money Regulations 2011 or Payment Services Regulations 2017), lending, or investment services — needs FCA authorization. The FCA has been particularly aggressive with crypto firms: as of 2023, only about 15% of crypto firm applications for registration were approved. The FCA's "Dear CEO" letters provide sector-specific guidance on AML expectations and are essential reading.

EU AMLD (Anti-Money Laundering Directives) — European Union

The EU has progressively strengthened its AML framework through a series of directives:

  • 4th AMLD (2015/849): Established the risk-based approach, beneficial ownership registries, and enhanced due diligence requirements
  • 5th AMLD (2018/843): Extended AML rules to virtual currency exchanges and custodian wallet providers, reduced anonymous prepaid card thresholds to €150, and enhanced access to beneficial ownership registers
  • 6th AMLD (2018/1673): Harmonized the definition of money laundering across member states, expanded the list of predicate offenses to 22 categories, and introduced criminal liability for legal persons
  • The AML Package (2024): The EU adopted a comprehensive AML package including a new regulation (AMLR) directly applicable in all member states (no transposition needed), and established the Anti-Money Laundering Authority (AMLA), a new EU-level supervisory body based in Frankfurt

How EU AMLDs apply to fintechs: EU AML rules apply to "obliged entities," which include credit institutions, payment institutions, electronic money institutions, and crypto-asset service providers (under MiCA). Each member state transposes directives into national law, meaning specific requirements vary. For example, Germany's GwG (Geldwäschegesetz) may impose stricter requirements than France's transposition. Fintechs operating across the EU must map their obligations on a country-by-country basis.

Practical Tips for Multi-Jurisdictional Compliance

  • ☐ Build a regulatory mapping matrix listing every jurisdiction you operate in, the applicable regulations, the supervisory authority, and your license type
  • ☐ Apply the "highest common denominator" approach — design your baseline program to meet the strictest requirements, then layer on jurisdiction-specific elements
  • ☐ Subscribe to regulatory update services (e.g., Thomson Reuters Regulatory Intelligence, Lexology) to track changes in real time
  • ☐ Engage local counsel in each major jurisdiction — AML regulations have nuances that general practitioners often miss
  • ☐ Maintain a regulatory change log documenting how your program adapts to new rules, including the decision-making process