BSA/AML Obligations When a Fintech Expands Its Payment Products

The Product Expansion Gap in Fintech AML Programs

Fintech companies that launch with a single payment product - typically ACH transfers, bill pay, or stored value accounts - build their initial Bank Secrecy Act compliance program around the risk profile and regulatory obligations of that product. That AML program: the customer identification and verification procedures, the customer risk rating methodology, the transaction monitoring rules, the suspicious activity report filing thresholds - is calibrated to the transaction types, customer base, and risk characteristics of the founding product.

When the company expands into a new payment product category, particularly one with different risk characteristics, different FinCEN transaction reporting thresholds, or different correspondent relationship requirements, the original AML program does not automatically expand with it. The risk rating methodology built for ACH transfers may not capture the risk indicators relevant for wire transfers. The transaction monitoring rules tuned to ACH transaction patterns will not flag the typologies associated with wire fraud, international money laundering, or trade-based money laundering schemes that move through wire transfer channels. The Currency Transaction Report (CTR) obligations that apply to wire transactions above $10,000 may not have been operationalized if the previous product set never generated transactions in that range.

What Specifically Changes When You Add Wire Transfers

Wire transfers - both domestic and international - are subject to FinCEN's "Travel Rule" (31 CFR 1010.410(f)), which requires transmittor financial institutions to pass specific identifying information about the originator along with the transfer to the intermediary or recipient financial institution. For domestic wire transfers of $3,000 or more, the transmittor must record: the originator's name, address, and account number; the amount of the transfer; the execution date; any payment instructions; and the identity of the recipient financial institution. For international wire transfers, the Travel Rule information requirements are more extensive and interact with OFAC screening obligations at each processing stage.

A fintech adding wire transfer capability to an ACH platform must implement the Travel Rule data collection, retention, and transmission workflows that did not exist in the ACH-only product. The data requirements must be incorporated into the product UX (because some of the required information must be collected from the customer at origination), the back-end transaction processing system (which must pass the Travel Rule data field to the receiving institution), and the compliance monitoring system (which must verify that required data fields are present and flag transactions where they are not).

Separately, wire transfers to or from jurisdictions designated by FinCEN as having significant money laundering concerns, or entities on OFAC's Specially Designated Nationals (SDN) list, require enhanced due diligence and real-time screening processes that most ACH-focused fintech compliance programs do not have in place. International wire transfers add correspondent banking risk considerations, particularly if the fintech processes transfers through a correspondent bank that has OFAC exposure in specific jurisdictions. The compliance implications of correspondent relationships for the fintech's own AML obligations - not just the correspondent bank's - are frequently underestimated in product expansion planning.

Customer Risk Rating: Why the ACH Model Does Not Transfer

Customer risk rating under a BSA/AML program classifies each customer into risk tiers (typically low, medium, high) that drive the intensity of due diligence, the frequency of review, and the transaction monitoring rules applied to that customer's activity. The factors that determine risk rating include: the nature of the customer's business, the customer's geographic risk exposure, the payment types used, the expected transaction volume and size, and adverse media or regulatory action indicators.

An ACH-focused fintech will typically have calibrated its risk rating model around the ACH use cases it processes: payroll disbursements, bill payments, peer-to-peer transfers in consumer amounts. These use cases are generally lower-risk from a money laundering perspective. The customers using those services fall into risk distribution that is skewed toward lower-risk tiers, and the risk rating factors that differentiate within that population are specific to ACH transaction characteristics.

When wire transfer capability is added, the customer population expands (or the existing customer population changes its behavior in ways not predicted by the ACH risk model), and the risk distribution shifts. Business customers using international wire transfers for vendor payments or payroll may be appropriate and low-risk. Business customers using the same product for high-frequency transfers to high-risk jurisdictions require enhanced due diligence under a risk-based approach. The ACH risk model does not have the factors, weights, or thresholds needed to differentiate within the wire transfer customer population.

The compliance implication is a risk rating model revision, not a minor update. The model must be re-calibrated to the combined product risk profile, which requires analysis of the wire transfer product's expected customer base, transaction patterns, and risk indicator distribution. That analysis must be documented and approved by the compliance function before the wire product launches - not after the first examination cycle.

Transaction Monitoring: Building Rules for a Different Risk Profile

Transaction monitoring systems for BSA/AML compliance use rule-based and, increasingly, model-based detection to flag transactions and customer behavior patterns that warrant investigation for potential suspicious activity report (SAR) filing. Rules are calibrated to specific transaction types and the typologies associated with those types.

Wire transfer typologies are materially different from ACH typologies. Common wire fraud and money laundering patterns include: structuring of international wire transfers just below the reporting threshold, rapid transit of funds through accounts with no business-purpose explanation, transfers to shell company beneficiaries in multiple jurisdictions within a short timeframe, and reverse wire fraud patterns where outbound transfers are misrepresented as payroll or vendor payments. Rules designed to detect ACH structuring, layering through small consumer transfers, or P2P fraud patterns will not reliably detect these wire-specific typologies.

Building wire-appropriate transaction monitoring rules requires access to wire transfer typology guidance (FinCEN advisories, FATF typology reports, and the Egmont Group guidance are the primary sources) and calibration of detection rules against a representative sample of wire transactions. For a fintech that has not previously processed wire transfers, the historical data needed for rule calibration does not exist internally - requiring the use of industry benchmark data or engagement with a transaction monitoring vendor that maintains pre-built rule libraries for wire transfer products.

Program Governance: The Compliance Review Trigger

Under FinCEN's regulations for money services businesses, financial institutions subject to BSA are required to maintain an AML program that is risk-based, designed to detect and report suspicious activity, and updated periodically to reflect changes in the institution's products, services, and customer base. The "updated periodically" requirement encompasses material product changes - a new payment product category qualifies as a material change that triggers an AML program review and update.

The practical governance implication is that the compliance function must be involved in product expansion decisions before launch, not after. The AML program update, the risk rating model revision, the transaction monitoring rule build, the Travel Rule implementation, and the enhanced due diligence procedures for high-risk wire transfer customers all require lead time that is measured in weeks to months, not days. A product launch that precedes the completion of AML program updates creates the regulatory risk of operating a payment product without an adequate compliance program - regardless of the fact that the underlying AML program was adequate for the previous product set.

Building compliance review triggers into the product development process - so that compliance impact assessments are initiated at the design stage rather than the launch stage - is the governance change that prevents this pattern. As we discuss in our article on why manual gap analysis breaks down at scale, the challenge is ensuring that regulatory obligations introduced by product changes are systematically captured and tracked, not discovered during examination.

Conclusion

Fintech product expansions into new payment product categories are not incremental compliance updates. They trigger systematic reviews of the AML program's risk rating methodology, transaction monitoring rules, transaction reporting obligations, and program governance structure. The compliance workload associated with a wire transfer product launch at a previously ACH-only fintech can be substantial - and it is substantially more manageable when it is planned before launch than when it is remediated after an examination finding.

The compliance function's role in product expansion decisions is to characterize the regulatory change exposure early enough for the business to plan remediation into the product development timeline, not to certify compliance on the day the product launches.