How to Build a BSA/AML Compliance Program for Your Crypto MSB
If you operate a crypto business in the United States — an exchange, a hosted wallet, a Bitcoin ATM network, a payment processor — chances are you’re classified as a Money Services Business (MSB) under the Bank Secrecy Act (BSA). That classification comes with a specific obligation: you need a written Anti-Money Laundering (AML) compliance program.
This isn’t optional. FinCEN requires every MSB to develop and implement an AML program that is “reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities.” The penalty for not having one ranges from civil fines to criminal prosecution.
Here’s what a BSA/AML program actually looks like for a crypto MSB, broken down into the five pillars FinCEN expects.
1. Designate a BSA Compliance Officer
Every MSB needs a named individual responsible for day-to-day BSA compliance. This person doesn’t need a specific certification, but they need to understand the regulatory landscape and have the authority to make compliance decisions.
For a small crypto MSB, this is often the founder or a senior operations lead. What matters is that:
- The person is named in your written policies
- They have the authority to escalate issues and block transactions
- They stay current on FinCEN guidance, OFAC updates, and state-level requirements
- The role isn’t just a title — they’re actively overseeing compliance operations
As you grow, this role should transition to a dedicated hire. But at the start, what regulators want to see is that someone owns it.
2. Write Your Policies and Procedures
Your AML program must be documented. This means a written set of policies that cover:
- Customer Identification Program (CIP): How you verify customer identity at onboarding. For crypto MSBs, this typically means collecting government-issued ID, verifying it against a database, and screening against sanctions lists.
- Know Your Customer (KYC): How you assess customer risk — including the nature of their business, expected transaction patterns, and geographic risk factors.
- Transaction monitoring: How you detect suspicious activity. This includes the rules and thresholds you apply, how alerts are reviewed, and how cases are escalated.
- Suspicious Activity Reporting (SAR): When and how you file SARs with FinCEN. MSBs must file a SAR for transactions of $2,000 or more where there’s reason to suspect illicit activity.
- Currency Transaction Reporting (CTR): For cash transactions exceeding $10,000 in a single day.
- OFAC screening: How you screen customers and counterparties against the SDN list and other sanctions lists.
- Recordkeeping: What records you retain and for how long. BSA requires five years for most records.
Your policies should reflect your actual operations — not a boilerplate template downloaded from the internet. Examiners check whether your written program matches what you’re doing in practice.
3. Implement Internal Controls
Internal controls are the mechanisms that enforce your policies. For a crypto MSB, this typically includes:
- Automated screening at customer onboarding and on an ongoing basis (OFAC, PEP, adverse media)
- Transaction monitoring rules that flag unusual patterns — structuring, rapid movement of funds, transactions with high-risk jurisdictions
- Workflow for alert review — who reviews flagged transactions, what the escalation path looks like, and how dispositions are documented
- Access controls — limiting who can approve transactions, override alerts, or access sensitive customer data
The key principle is that your controls should be risk-based. A crypto ATM operator dealing in cash transactions has different risk exposure than a custodial exchange. Your controls should reflect your specific risk profile.
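As an added illustration of what a risk-based cash control from sections 2 and 3 can look like in code (example code, not the article's or Decern's), the pass below aggregates each customer's daily cash activity against the $10,000 CTR line and separately flags clusters of near-threshold cash transactions, the structuring pattern, for analyst review. The $8,000 floor, 3-day window and 2-transaction minimum are assumed tuning values, and the transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

CTR_THRESHOLD = 10_000.00    # daily cash aggregate above which a CTR is required
NEAR_FLOOR = 8_000.00        # assumed: lower edge of the "just under $10k" band
STRUCT_MIN_TXNS = 2          # assumed: near-threshold cash txns needed to alert
STRUCT_WINDOW_DAYS = 3       # assumed: rolling window for the structuring rule

Txn = NamedTuple("Txn", [("customer_id", str), ("ts", datetime),
                         ("amount_usd", float), ("is_cash", bool)])

def run_monitoring(txns: list) -> list:
    """Two cash rules; each alert opens a case for analyst review and disposition."""
    alerts = []
    # Rule 1: aggregate cash per customer per calendar day against the CTR line.
    daily = defaultdict(float)
    for t in txns:
        if t.is_cash:
            daily[(t.customer_id, t.ts.date())] += t.amount_usd
    for (cust, day), total in sorted(daily.items()):
        if round(total, 2) > CTR_THRESHOLD:
            alerts.append({"rule": "CTR_REQUIRED", "customer_id": cust,
                           "day": day.isoformat(), "total_usd": round(total, 2)})
    # Rule 2: several cash txns just under the CTR line inside a short window (daily aggregation alone misses splits spread across days).
    near = defaultdict(list)
    for t in txns:
        if t.is_cash and NEAR_FLOOR <= t.amount_usd < CTR_THRESHOLD:
            near[t.customer_id].append(t)
    for cust, hits in near.items():
        hits.sort(key=lambda t: t.ts)
        for i, first in enumerate(hits):
            cluster = [t for t in hits[i:] if (t.ts - first.ts).days < STRUCT_WINDOW_DAYS]
            if len(cluster) >= STRUCT_MIN_TXNS:
                alerts.append({"rule": "STRUCTURING", "customer_id": cust,
                               "total_usd": round(sum(t.amount_usd for t in cluster), 2)})
                break  # one case per customer; the analyst sees every hit
    return alerts

# Constructed sample: c1 trips the CTR rule; c2 splits cash across two days and
# trips the structuring rule; c3's non-cash purchase is outside both cash rules.
SAMPLE_TXNS = [
    Txn("c1", datetime(2025, 3, 3, 9, 0), 12_500.00, True),
    Txn("c2", datetime(2025, 3, 3, 10, 0), 9_500.00, True),
    Txn("c2", datetime(2025, 3, 4, 15, 30), 9_200.00, True),
    Txn("c3", datetime(2025, 3, 3, 11, 5), 15_000.00, False),
]

if __name__ == "__main__":
    print(run_monitoring(SAMPLE_TXNS))
```

Each alert is only the trigger for the review workflow described above; the analyst's disposition and its documentation are what an examiner will ask for.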
4. Provide Ongoing Training
FinCEN requires that “appropriate personnel” receive training on BSA requirements. This includes:
- New employee onboarding training on your AML policies
- Annual refresher training for all relevant staff
- Role-specific training (e.g., compliance analysts need deeper SAR filing training than engineers)
- Updates when regulations change — for example, the October 2025 FinCEN FAQ updates on SAR filing requirements
Document everything. Keep records of who was trained, when, and on what topics. Examiners will ask.
5. Conduct Independent Testing
Your AML program must be independently reviewed. For MSBs, this means:
- An annual (or more frequent) review by someone who isn’t responsible for day-to-day compliance
- The reviewer evaluates whether your policies are adequate, your controls are working, and your team is following the documented procedures
- The review should produce a written report with findings and recommendations
- You need to show that findings are actually addressed — not just filed away
For early-stage companies, this can be an external consultant or a qualified internal resource who isn’t part of the compliance team. As you scale, a formal internal audit function or third-party audit firm is standard.
FinCEN Registration
Before any of this, you need to be registered with FinCEN as an MSB. Registration is done through the BSA E-Filing System and must be renewed every two years. FinCEN registration is federal — it doesn’t replace state money transmitter licenses, which are separate and vary by state.
Common Mistakes to Avoid
- Copy-pasted policies: Examiners can tell when your AML program is a template with your company name swapped in. Your policies need to reflect your actual business model, products, and risk profile.
- No evidence of execution: Having a written program is necessary but not sufficient. You need documentation showing that you’re actually screening customers, monitoring transactions, and filing SARs when required.
- Ignoring state requirements: FinCEN registration is federal. Most states also require a money transmitter license with their own compliance requirements. Operating without state licenses is a separate violation.
- Treating compliance as a one-time project: Your AML program needs to evolve as your business grows, your risk profile changes, and regulations are updated.
Getting Started
Building a BSA/AML program isn’t a weekend project, but it doesn’t need to be a six-figure consultancy engagement either. Start with the five pillars, document what you’re doing, and make sure your controls match your risk profile.
If you’re looking for infrastructure to handle the screening, monitoring, and SAR generation components programmatically, Decern is building exactly that — compliance infrastructure for crypto MSBs that integrates with your existing workflows via a single API.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified compliance attorney for guidance specific to your business.