Every money services business registered with FinCEN is legally required to maintain a written anti-money laundering compliance program. This isn't a best practice or a recommendation — it's a federal mandate under the Bank Secrecy Act, codified at 31 CFR 1022.210. Failure to maintain an adequate program exposes your business to IRS examination findings, civil money penalties, and in serious cases, referral to the Department of Justice.
The challenge for most small MSBs is that compliance guidance is written for large financial institutions. The FinCEN BSA/AML Examination Manual runs hundreds of pages. IRS Internal Revenue Manual chapter 4.26.9 is dense technical guidance aimed at examiners, not business owners. This guide distills what you actually need to know: what the law requires, what examiners look for, and the mistakes that cause most small MSBs to fail examinations.
The AML program requirement for MSBs is found at 31 CFR 1022.210. This rule applies to all MSBs as defined under 31 CFR 1010.100(ff) — money transmitters, check cashers, currency dealers and exchangers, issuers and sellers of money orders, and issuers and redeemers of traveler's checks. FinCEN registration alone does not satisfy this requirement.
What the BSA Actually Requires
The Bank Secrecy Act, as implemented for MSBs through 31 CFR Part 1022, requires every MSB to develop, implement, and maintain an effective written AML program. The program must be approved in writing by senior management. It must be reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities.
"Effective" and "reasonably designed" are the operative terms. An AML program isn't a box-checking exercise — examiners are trained to evaluate whether your program actually functions. A twenty-page binder that employees have never seen and procedures that don't match actual operations will not pass examination. Your program must reflect how your business actually works.
Importantly, the requirements differ by MSB type. Check cashers and currency exchangers are not required to file Suspicious Activity Reports under 31 CFR 1022.320 — so an AML program that includes SAR procedures for a check cashing business isn't just unnecessary, it signals that the program was copied from a money transmitter template without customization. Examiners notice this. The Travel Rule under 31 CFR 1010.410(f) applies only to money transmitters, not to check cashers or money order sellers. Your program must apply the rules that apply to your specific business type.
The Four Pillars of 31 CFR 1022.210
The regulation specifies four components that every AML program must contain. These are commonly called the "four pillars." Each pillar has specific requirements — and each is evaluated independently by IRS examiners. Weakness in any single pillar can produce an examination finding even if the others are strong.
Written Policies, Procedures, and Internal Controls
This is the foundation of your program — a written document describing how your business complies with every applicable BSA requirement. It must be specific to your operations, not generic boilerplate.
- Customer Identification Program (CIP): How you identify and verify customer identity at account opening or for transactions above applicable thresholds. What identification documents you accept, how you verify them, and how you retain the records.
- Transaction monitoring: How employees recognize suspicious activity. What red flags apply to your specific business type. What the escalation process is when a red flag is identified.
- CTR procedures: How you identify, aggregate, and file Currency Transaction Reports for cash transactions exceeding $10,000 in a single business day. MSBs cannot exempt any customer from CTR requirements — unlike banks, no Phase I or Phase II exemptions are available.
- SAR procedures (money transmitters only): Your process for identifying, documenting, and filing Suspicious Activity Reports. The threshold for MSBs is $2,000 — lower than the $5,000 threshold that applies to banks.
- OFAC screening: Your procedure for screening customers and transactions against the Office of Foreign Assets Control Specially Designated Nationals (SDN) list. There is no dollar threshold — every transaction must be screened.
- Recordkeeping: How long you retain BSA records (minimum five years for most records), where they're stored, and how they can be retrieved for examination.
Designated Compliance Officer
Your program must identify a specific individual responsible for day-to-day BSA compliance. This person must have the authority and resources to implement the program effectively. The compliance officer doesn't need to be a lawyer or compliance professional — but they must actually perform the compliance function, not just hold the title.
- The compliance officer's name, title, and contact information must appear in the written program.
- The compliance officer must have sufficient knowledge of BSA requirements applicable to your business type.
- The compliance officer cannot be the same person who conducts the independent review (Pillar 4), and the reviewer cannot report to the compliance officer.
- If the compliance officer changes, the written program must be updated and senior management must re-approve it.
Ongoing Employee Training Program
Your employees must receive BSA training — not once at hire, but on an ongoing basis. The training must be appropriate to the employee's role and tailored to the specific compliance risks of your business.
- Training must cover: what money laundering is, the BSA requirements applicable to your business, red flags and suspicious activity indicators specific to your product type, and how and when to escalate concerns.
- Training records must be maintained: who was trained, when, what was covered, and confirmation of completion.
- New employees should be trained before they handle transactions, not months later.
- Training must be updated when regulations change or new products are introduced.
- Attendance at an external seminar satisfies the training requirement if documented, but internal training with a written program and quiz is easier to demonstrate during examination.
Independent Review
Your AML program must be reviewed periodically by someone independent of the compliance function. This is an audit of your compliance program — not just a self-assessment.
- The reviewer cannot be the compliance officer and cannot report to the compliance officer. This independence requirement is firm. Many small MSBs fail examinations on this point alone by having the owner serve as both compliance officer and reviewer.
- The frequency should be risk-based — typically annual for most MSBs, more frequently if your risk profile is high (high transaction volumes, cash-intensive operations, high-risk geographies or customer types).
- The review must be documented in a written report that identifies findings, deficiencies, and corrective actions taken.
- The reviewer can be an outside consultant, a qualified employee from a different department, or a board member — as long as the independence requirement is met.
- The independent review report must be retained as a BSA record.
What IRS Examiners Actually Look For
MSBs are examined by the IRS under Title 31 of the Bank Secrecy Act — not by bank regulators. IRS examiners follow procedures outlined in Internal Revenue Manual chapter 4.26.9. Understanding this manual gives you insight into exactly what they're evaluating.
Examiners arrive with a pre-examination questionnaire requesting specific documents: your written AML program, training records, independent review reports, CTR filings for the examination period, and transaction logs. If these documents don't exist or can't be produced promptly, the examination begins with an immediate finding.
Examiners evaluate your program against the actual transactions in your system. They're looking for pattern consistency: do your written procedures match what actually happens? If your program says all CTR-triggering transactions are aggregated across the business day but your system shows no aggregation, that's a finding. If your program says employees are trained annually but you have no training records from the last two years, that's a finding.
A particularly common examination technique is the "look-back" — selecting a sample of transactions and asking your compliance officer to walk through how each one was handled. This tests whether your procedures are real or theoretical. An examiner will select a $9,500 cash transaction and ask: did you consider whether this was structured to avoid CTR reporting? What did you document? What was your decision process?
Examiners also look for risk assessment integration. Your written program must reflect your actual risk exposure. A high-volume money transmitter operating in a corridor known for trade-based money laundering should have different monitoring thresholds and red flags than a small convenience store selling money orders. Generic risk assessments that don't address your specific business profile are a red flag in themselves.
The Most Common AML Program Mistakes
Based on public FinCEN enforcement actions, IRS examination findings, and the structure of 31 CFR 1022.210, these are the most consistent failures in small MSB compliance programs:
1. Generic templates not customized for your MSB type: Using a bank AML program or a template for a different MSB type is one of the most common findings. A check cashing business with SAR procedures and Travel Rule language has a program that doesn't match its regulatory requirements — which signals to an examiner that nobody actually read it.
2. Compliance officer and independent reviewer are the same person: The independence requirement in Pillar 4 is explicit and non-negotiable. When the owner is both the compliance officer and signs off on the independent review, the fourth pillar doesn't exist. This is among the easiest findings for an examiner to identify.
3. No training records: Many MSBs conduct informal training — a conversation with a new employee about what to watch for — without documenting it. Undocumented training didn't happen as far as an examiner is concerned. A sign-in sheet, a quiz, a training acknowledgment form — something must exist for every employee.
4. Program not updated after ownership, product, or regulatory changes: A written program dated four years ago that still names a former employee as compliance officer and references products you no longer offer is a program that hasn't been maintained. Programs must be reviewed and updated annually at minimum, and whenever there is a material change in operations.
5. No CTR aggregation across the business day: The $10,000 CTR threshold applies to currency received or disbursed in the course of a single business day — not per transaction. Two $6,000 transactions from the same customer on the same day require a CTR. Many MSBs track individual transactions but have no aggregation mechanism, missing this requirement entirely.
6. Risk assessment is not risk-specific: A one-page risk assessment that says "our risk is medium because we follow all procedures" doesn't satisfy the requirement. A proper BSA/AML risk assessment analyzes your specific products, services, customer base, geographic locations, and transaction volumes — and uses that analysis to calibrate your monitoring thresholds and controls.
7. OFAC screening is not documented: Most MSBs screen customers against the SDN list but don't retain evidence of the screening. "We check every customer" is not sufficient without records showing when the check was performed and what the result was. Screening results should be logged in your transaction records.
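The daily aggregation described in mistake 5, sketched over a transaction log as an added example (not part of the original guide). The record layout, customer IDs, and sample rows are constructed; treating the business day as the calendar date of the timestamp and totalling cash-in and cash-out separately are assumptions of this sketch.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# From the guide: a CTR applies to cash exceeding $10,000 in a single business day.
CTR_THRESHOLD = Decimal("10000")

# Constructed sample log: (timestamp, customer_id, direction, cash_amount)
SAMPLE_LOG = [
    ("2024-03-04T09:15:00", "C-001", "in", "6000.00"),   # two $6,000 on one day
    ("2024-03-04T16:40:00", "C-001", "in", "6000.00"),
    ("2024-03-04T11:05:00", "C-002", "in", "9500.00"),   # single, under threshold
    ("2024-03-04T10:00:00", "C-003", "in", "10000.00"),  # exactly $10,000: not "exceeding"
    ("2024-03-04T12:00:00", "C-004", "in", "7000.00"),   # split across two days
    ("2024-03-05T12:00:00", "C-004", "in", "7000.00"),
    ("2024-03-04T13:00:00", "C-005", "in", "6000.00"),   # opposite directions
    ("2024-03-04T14:00:00", "C-005", "out", "6000.00"),
]


def ctr_candidates(log, threshold=CTR_THRESHOLD):
    """Return {(customer, business_day, direction): total} for totals over threshold.

    Assumption: business day == calendar date of the timestamp, and cash-in
    and cash-out are totalled separately rather than netted or combined.
    """
    totals = defaultdict(Decimal)  # Decimal() starts each bucket at 0
    for ts, customer, direction, amount in log:
        day = datetime.fromisoformat(ts).date()
        totals[(customer, day, direction)] += Decimal(amount)
    # Strictly greater than: the requirement is for cash *exceeding* the threshold.
    return {key: total for key, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for (customer, day, direction), total in sorted(ctr_candidates(SAMPLE_LOG).items()):
        print(f"CTR required: {customer} {day} cash-{direction} total ${total}")
```

Only C-001 is flagged; a per-transaction check against the same log would flag nothing, which is the gap the finding describes.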
How Long Should Your Program Be?
There's no minimum page count in the regulation — a short program that covers all four pillars thoroughly is better than a long program full of boilerplate. That said, a meaningful AML program for a money transmitter typically runs 80–130 pages across all documents when you include the risk assessment, CIP manual, SAR procedures, CTR procedures, training materials, OFAC procedures, and independent review checklist.
Don't confuse length with quality. An examiner reading a 120-page program full of generic regulatory language that doesn't describe your actual operations will immediately identify that it was never customized. A tighter, 80-page program that precisely describes how your specific business identifies, monitors, and reports on transactions will pass examination more reliably.
The critical test: could a new compliance officer read your written program and understand exactly how to run compliance at your specific business? If the answer is no, the program needs more work regardless of its length.
Getting Your Program in Place
If you don't have a written AML program, or if your existing program hasn't been updated in years, the priority is getting a compliant, exam-ready program in place before an IRS examination letter arrives — because examinations are unannounced. The average time to build a program from scratch, including researching the applicable regulations, drafting the documents, and implementing the procedures, is 40 or more hours.
An alternative starting point is a professionally built template tailored to your MSB type. A good template provides the structure, the regulatory citations, and the compliance procedures pre-built — your job is customizing it with your business details, your specific products and services, and your operational reality. That process typically takes a few hours rather than weeks.
Regardless of whether you start from scratch or from a template, the non-negotiables remain the same: the program must be written, must be signed by senior management, must be specific to your business, must cover all four pillars, and must be actively maintained. A program that sits in a binder and is never consulted will not protect you during an examination.