building a fintech crypto card issuing business

Building a Compliance Program for a Fintech, Crypto, or Credit Card Issuing Business

In this post, I will review how to build a compliance program for a new or startup fintech, crypto, or credit card issuing business. Most startups focus on tech, testing, and finding customers in the early days. But, a complete compliance program should be the first thing a fintech, crypto, or credit card issuing business should build because this governs onboarding and nearly all aspects of the business. 

Also, your compliance program and documents are the keys to maintaining good relations with your bank, brokerage, exchange, processor, or issuer. Many providers will open an account with minimal documents. But, once you begin transacting, they will ask all kinds of questions. If you don’t have a compliance program in place, your fintech, crypto, or credit card issuing business will be paused or closed until you can build a proper compliance program. 

Building the Program – First Steps

Building a compliance program for a credit card issuing company requires adherence to various regulatory requirements, including those from payment networks like MasterCard and Visa, as well as complying with Know Your Customer (KYC) and Anti-Money Laundering (AML) policies. Here is an overview of the process:

  1. Understand MasterCard and Visa requirements: Both MasterCard and Visa have their own set of rules and regulations for credit card issuers. These may include guidelines on transaction processing, chargeback management, fraud prevention, data security, and reporting. Review the MasterCard Rules and the Visa Core Rules and Visa Product and Service Rules to familiarize yourself with their requirements.
  2. Develop internal policies and procedures: Create comprehensive internal policies and procedures that adhere to MasterCard and Visa requirements, as well as applicable federal and state laws and regulations. This may include policies for card issuance, underwriting, account management, billing, dispute resolution, and fraud management.
  3. Implement a KYC program: A robust KYC program should include customer identification procedures, risk-based customer due diligence, and ongoing monitoring of customer transactions. Ensure that your program aligns with applicable KYC regulations and industry best practices.
  4. Implement an AML program: Develop an AML program that includes risk-based customer due diligence, transaction monitoring, suspicious activity reporting, record-keeping, and employee training. Ensure that your program complies with applicable AML regulations, such as the Bank Secrecy Act (BSA) and the USA PATRIOT Act.
  5. Establish a Compliance Management System (CMS): A CMS is a formalized system for managing compliance within the organization. It should include components like compliance policies and procedures, a compliance officer, employee training, and monitoring and corrective action processes.
  6. Develop a data security program: Implement a data security program that complies with the Payment Card Industry Data Security Standard (PCI DSS) and any applicable data privacy regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  7. Train employees: Train employees on your compliance program, policies, and procedures. Regularly update training materials to ensure that employees stay informed about regulatory changes and industry best practices.
  8. Monitor and audit: Regularly monitor and audit your compliance program to identify any gaps or areas for improvement. Implement corrective actions as necessary to maintain compliance with all applicable regulations and requirements.

Creating a compliance program for a credit card issuer is similar to creating a compliance program for a bank in several ways:

  • Both require adherence to federal and state regulations, as well as KYC and AML policies.
  • Both need to establish a CMS to manage compliance within the organization.
  • Both require employee training to ensure understanding of and adherence to the compliance program.
  • Both need to conduct regular monitoring and audits to maintain compliance with applicable regulations and requirements.

However, credit card issuers must also comply with the specific rules and regulations set forth by payment networks like MasterCard and Visa, as well as adhere to the PCI DSS for data security.

Building a Program – Toolbox

A robust compliance program for a credit card issuer should include various tools and resources to ensure adherence to regulatory requirements and mitigate risks. Some common and popular compliance tools include:

  1. Compliance Management System (CMS): A CMS is a centralized platform to manage, track, and report on all aspects of the organization’s compliance program. It can help automate and streamline processes, such as policy management, risk assessment, training, and reporting.
  2. Risk Assessment Tools: Risk assessment tools can help identify, assess, and prioritize risks associated with credit card issuing activities. These tools may include questionnaires, checklists, or software solutions designed to assess risks in areas like fraud, AML, and data security.
  3. Policy Management Software: Policy management software can be used to create, maintain, and distribute internal policies and procedures related to credit card issuing operations. This software typically includes version control, approval workflows, and audit trails to ensure consistency and compliance with regulations.
  4. Transaction Monitoring System: A transaction monitoring system can be used to detect suspicious activities, potential fraud, and other risks related to credit card transactions. This may involve rule-based systems or machine learning algorithms to analyze transaction data and generate alerts for further investigation.
  5. Fraud Detection Tools: Fraud detection tools, such as artificial intelligence (AI) and machine learning algorithms, can help identify patterns indicative of fraudulent activities. They may be used to analyze transaction data, monitor user behavior, and identify potential risks in real time.
  6. Know Your Customer (KYC) and Customer Due Diligence (CDD) Solutions: KYC and CDD solutions can help automate customer identification, verification, and risk assessment processes. These tools may include identity verification services, watchlist screening, and ongoing customer monitoring.
  7. Anti-Money Laundering (AML) Software: AML software can help automate the process of monitoring transactions for suspicious activity, filing suspicious activity reports (SARs), and maintaining compliance with AML regulations. This may include rule-based systems or more advanced AI-driven solutions.
  8. Data Security Solutions: Data security solutions, such as encryption tools, firewalls, and intrusion detection systems, can help protect sensitive customer and transaction data, ensuring compliance with data privacy and security regulations like the Payment Card Industry Data Security Standard (PCI DSS).
  9. Training and Learning Management Systems (LMS): An LMS can help manage and track employee training related to compliance, including course content, attendance, assessment, and reporting. This can be especially useful for organizations that must regularly train employees on AML, KYC, and other compliance topics.
  10. Regulatory Reporting Tools: Reporting tools can help streamline the process of generating, submitting, and tracking regulatory reports, such as SARs or periodic financial statements. These tools may include templates, automated data aggregation, and tracking capabilities.

While these tools can help support a comprehensive compliance program for a credit card issuer, it is important to remember that the specific tools needed will depend on the organization’s size, risk profile, and regulatory environment. Tools will also depend on the jurisdiction of your customers, of which I was uncertainly reviewing your website. 

Building a Program – Bank Secrecy Act

The Bank Secrecy Act (BSA) does apply to credit card issuers. The BSA, also known as the Currency and Foreign Transactions Reporting Act, was enacted to combat money laundering and other financial crimes. It requires financial institutions, including credit card issuers, to maintain certain records, file reports, and implement anti-money laundering (AML) programs.

Credit card issuers and fintech companies are considered financial institutions under the BSA, as they offer various types of financial products and services. Therefore, they are subject to the same AML rules and regulations as banks and other financial institutions. These rules and regulations include Know Your Customer (KYC) policies, Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs), and other due diligence requirements.

Compliance with the BSA helps credit card issuers mitigate risks associated with money laundering, terrorism financing, and other financial crimes. Non-compliance can lead to substantial fines and penalties, as well as reputational damage.

Building a Program – US Sanctions for Card Issuers

U.S. sanctions are relevant to U.S. credit card issuers and fintech companies because they impose restrictions on transactions and dealings with specific individuals, entities, or countries. They are required to comply with these sanctions to prevent financial crimes, such as money laundering and terrorism financing. Non-compliance can lead to significant penalties and reputational damage.

Here’s how U.S. sanctions are relevant to U.S. credit card issuers and fintech companies:

  1. Restricted transactions: Sanctions prohibit U.S. credit card issuers from engaging in transactions with individuals, entities, or countries designated by the Office of Foreign Assets Control (OFAC), a division of the U.S. Department of the Treasury. This includes processing payments, providing services, or extending credit to sanctioned parties.
  2. Compliance programs: Credit card issuers must implement comprehensive compliance programs to identify and block transactions involving sanctioned parties. These programs should include policies and procedures, employee training, and transaction monitoring systems to ensure compliance with OFAC regulations.
  3. Due diligence: Credit card issuers are required to conduct due diligence on their customers, merchants, and business partners to ensure they are not engaging in transactions with sanctioned parties. This involves screening customers against OFAC’s Specially Designated Nationals (SDN) list and other restricted party lists.
  4. Reporting requirements: U.S. credit card issuers must report any blocked or rejected transactions involving sanctioned parties to OFAC within a specified timeframe. Failure to report such transactions can lead to penalties and enforcement actions.
  5. Penalties for non-compliance: Non-compliance with U.S. sanctions can result in substantial fines, penalties, and reputational damage for credit card issuers. In some cases, individuals involved in non-compliance may also face criminal prosecution.

U.S. credit card issuers and fintech companies must stay informed of updates and changes to U.S. sanctions programs and ensure their compliance programs are up-to-date and effective. This helps protect the issuer from potential financial and reputational risks associated with non-compliance.

Building a Program – AML & BSA Risk Assessment 

An Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) risk assessment is a comprehensive evaluation of an organization’s exposure to money laundering, terrorism financing, and other financial crime risks. A risk assessment typically includes factors such as geographical risk, market risk, product risk, customer risk, and distribution channel risk. By assigning scores to these factors, an organization can better understand its risk exposure and implement appropriate controls to mitigate those risks.

Here is a description of an AML/BSA risk assessment that incorporates a scoring system based on various risk factors:

  1. Geographical risk: Assess the countries and regions where the organization operates or conducts business with customers. Assign a score based on the level of risk associated with each location, considering factors such as political stability, corruption levels, the presence of organized crime or terrorist groups, and AML/CTF regulatory framework effectiveness.
  2. Market risk: Evaluate the organization’s exposure to market risks, such as fluctuations in interest rates, currency exchange rates, or stock market prices. Assign scores based on the level of market volatility and the organization’s susceptibility to these risks.
  3. Product risk: Assess the organization’s products and services, focusing on their vulnerability to money laundering and terrorism financing. Assign a score to each product or service based on factors such as the level of anonymity, transaction size, ease of transferability, and complexity of the product or service.
  4. Customer risk: Evaluate the organization’s customer base, considering factors such as customer type (individual, corporate, or government), occupation, source of funds, and expected transaction patterns. Assign a score based on the level of risk associated with each customer segment.
  5. Distribution channel risk: Assess the organization’s distribution channels, such as branches, agents, digital platforms, or correspondent banking relationships. Assign a score based on factors such as the level of oversight, transparency, and the risk of money laundering or terrorism financing associated with each channel.
  6. Internal controls and compliance risk: Evaluate the effectiveness of the organization’s internal controls and compliance program, including policies, procedures, employee training, and monitoring systems. Assign a score based on the level of risk mitigation provided by these controls.

Once the scores are assigned, the organization can aggregate the scores to create an overall risk score for each category. This process helps identify areas of higher risk that require enhanced due diligence and monitoring.

The results of the risk assessment should be used to develop and enhance the organization’s AML/BSA compliance program, ensuring that resources are allocated effectively to mitigate identified risks. Regularly reviewing and updating the risk assessment is essential to maintain its effectiveness and ensure the organization’s compliance with evolving regulatory requirements.

Building a Program – Miscellaneous Policies 

Here’s an overview of a few key policies and their relevance to credit card issuers which I haven’t covered above:

  1. Suspicious Activity Reports (SARs) Policy: Under the Bank Secrecy Act (BSA), credit card issuers are required to file SARs for any transaction that may involve money laundering, terrorist financing, or other suspicious activities. This policy should establish guidelines for identifying, investigating, and reporting suspicious transactions, as well as maintaining proper documentation.
  2. USA PATRIOT Act Policy (Section 314 reporting): Section 314(a) of the USA PATRIOT Act allows financial institutions, including credit card issuers, to share information with law enforcement agencies to identify and report potential money laundering or terrorist financing activities. The policy should outline procedures for responding to 314(a) requests, safeguarding customer information, and maintaining records of information sharing.
  3. FinCEN Policy: The Financial Crimes Enforcement Network (FinCEN) is responsible for implementing and enforcing the BSA and AML regulations. A credit card issuer’s FinCEN policy should detail the company’s compliance with FinCEN’s regulations, including Customer Identification Program (CIP), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and recordkeeping requirements.
  4. OFAC Policy: The Office of Foreign Assets Control (OFAC) enforces economic and trade sanctions against certain individuals, entities, and countries. Credit card issuers must have a policy in place to ensure compliance with OFAC regulations, including screening customers, transactions, and business partners against OFAC’s Specially Designated Nationals (SDN) list and other restricted parties lists, as well as blocking or rejecting prohibited transactions.
  5. FBAR Policy: The Report of Foreign Bank and Financial Accounts (FBAR) is a reporting requirement for U.S. persons with foreign financial accounts. While this requirement may not directly apply to credit card issuers, they should have policies in place to ensure compliance with FBAR regulations if they hold or have signature authority over foreign financial accounts.
  6. Identity Theft Policy: The Fair and Accurate Credit Transactions Act (FACTA) requires financial institutions, including credit card issuers, to establish an Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft. The policy should include procedures for identifying and addressing red flags, verifying customer identity, maintaining customer information security, and responding to identity theft incidents.

By developing and implementing these policies, credit card issuers or fintech companies in the United States can demonstrate compliance with relevant regulations, mitigate risks associated with financial crimes, and protect their customers and business from potential harm. Regularly reviewing and updating these policies is essential to ensure ongoing compliance and effectiveness.

Building Program – Why is this Relevant 

Credit cards and fintech systems can be used in various ways to facilitate money laundering. Money laundering is the process of making illegally-gained proceeds appear legitimate by disguising their origins. Here are some ways that credit cards can be used in money laundering schemes:

  1. Overpayment and refunds: A criminal may make a large overpayment on their credit card account using illicit funds and then request a refund. This creates the appearance of a legitimate transaction and allows the launderer to receive “clean” money from the credit card issuer.
  2. “Credit card factoring” or “credit card laundering”: This involves a criminal using a shell or front company to process fraudulent credit card transactions. They use stolen or fake credit card information to create transactions, which are then processed through the merchant account of the shell company. The company receives the funds from the credit card processor, less any fees, and transfers the laundered money to the criminal’s account.
  3. Collusion with merchants: Criminals may collude with complicit merchants who allow them to use their credit cards to make purchases or pay for services with illegal funds. The merchant then refunds the transaction, providing the criminal with laundered money from the merchant’s account.
  4. Buying and selling goods: Criminals may use illicit funds to purchase high-value goods or services using credit cards, and then sell those goods or services to convert them back into cash. This process can help disguise the origins of the illegal funds.
  5. Multiple small transactions: Criminals can use credit cards to make multiple small transactions (structuring) to avoid detection or reporting thresholds. These transactions may be spread across several accounts, cards, or merchants to further reduce the risk of detection.
  6. Prepaid credit cards: Prepaid credit cards can be used to launder money, as they can be bought and reloaded with cash. Criminals can use these cards for purchases, ATM withdrawals, or online transactions without revealing their true identity. In some cases, they may also use prepaid cards to transfer money between different countries.

Financial institutions, including credit card issuers and Fintech companies, are required to implement robust anti-money laundering (AML) programs to detect and prevent such activities. This includes Know Your Customer (KYC) policies, transaction monitoring systems, and Suspicious Activity Reports (SARs) to identify and report any suspicious activities.

Building a Program – Transaction Flow for a Credit Card Provider

The typical transaction flow for a credit card issuer involves multiple parties and several steps. This section is specific to card issuers as fintech companies have structures that are to diverse to cover in an article, Here is an overview of the process when a cardholder makes a purchase using a credit card:

  1. Cardholder initiates a purchase: The cardholder presents their credit card to the merchant for payment.
  2. Merchant processes the transaction: The merchant uses a point-of-sale (POS) terminal, payment gateway, or other payment processing system to capture the card details and submit the transaction for authorization.
  3. Transaction is sent to the acquiring bank: The merchant’s acquiring bank (or payment processor) receives the transaction details and forwards the information to the card network (e.g., Visa or MasterCard).
  4. Card network routes the transaction: The card network routes the transaction to the issuing bank (the bank that issued the credit card to the cardholder) for authorization.
  5. Issuing bank authorizes the transaction: The issuing bank checks the cardholder’s account for available credit, verifies that the card is valid and not flagged for fraudulent activity, and either approves or declines the transaction. The response is sent back through the card network and the acquiring bank to the merchant.
  6. Merchant receives authorization response: The merchant receives the response and completes the sale if the transaction is approved. The approved transaction is then stored in a batch for later settlement.
  7. Merchant submits the batch for settlement: At the end of the business day or another predetermined time, the merchant submits the batch of approved transactions to the acquiring bank for settlement.
  8. Acquiring bank requests funds: The acquiring bank sends the batched transaction details to the card network, which then forwards the information to the respective issuing banks.
  9. Issuing banks transfer funds: The issuing banks transfer the funds for the settled transactions, minus interchange fees, to the card network.
  10. Card network transfers funds to the acquiring bank: The card network consolidates the funds from the issuing banks and transfers the net amount, minus network fees, to the acquiring bank.
  11. Acquiring bank deposits funds to the merchant’s account: The acquiring bank deposits the funds, minus any applicable fees, into the merchant’s account.
  12. Cardholder is billed: The issuing bank adds the transaction amount to the cardholder’s account balance. The cardholder will be responsible for paying the balance according to their credit card agreement.

This transaction flow represents a simplified version of the process. In practice, there may be variations depending on the specific payment infrastructure, card network, and additional services or features offered by the involved parties.

SOP for a Credit Card Processor and Fintech Company

Creating a comprehensive compliance Standard Operating Procedure (SOP) for a credit card issuer and a fintech company requires addressing multiple areas of regulatory and operational compliance. While the exact SOP will depend on your specific circumstances, the following components should generally be included:

  1. Compliance Management System (CMS): Develop a formalized system for managing compliance within the organization, including the appointment of a dedicated compliance officer, clear reporting lines, and regular communication with senior management.
  2. Regulatory Compliance: Ensure adherence to all applicable federal, state, and local regulations, as well as payment network rules (e.g., MasterCard and Visa). This may include consumer protection laws, fair lending practices, data privacy, and security requirements.
  3. Know Your Customer (KYC): Establish a robust KYC program that includes customer identification, risk-based due diligence, and ongoing monitoring of customer transactions. Ensure that the program complies with all applicable KYC regulations.
  4. Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF): Implement a comprehensive AML/CTF program, including risk-based customer due diligence, transaction monitoring, suspicious activity reporting, record-keeping, and employee training.
  5. Third-Party Risk Management: Develop a process for assessing, monitoring, and managing risks associated with third-party service providers, such as payment processors, technology vendors, and collection agencies.
  6. Fraud Prevention and Detection: Implement a fraud management program that includes transaction monitoring, fraud detection tools, chargeback management, and customer education on fraud prevention.
  7. Data Security and Privacy: Establish a data security program that complies with the Payment Card Industry Data Security Standard (PCI DSS) and any applicable data privacy regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  8. Internal Policies and Procedures: Develop and maintain comprehensive internal policies and procedures that cover all aspects of the credit card issuer’s operations, including card issuance, underwriting, account management, billing, dispute resolution, and fraud management.
  9. Employee Training and Awareness: Provide regular training to employees on compliance requirements, internal policies, and procedures. Ensure that training materials are updated to reflect regulatory changes and industry best practices.
  10. Monitoring, Auditing, and Reporting: Establish a process for regularly monitoring and auditing the credit card issuer’s compliance program to identify gaps, areas for improvement, and potential violations. Implement corrective actions as needed and report any significant compliance issues to senior management and, if required, to regulatory authorities.
  11. Record-Keeping: Maintain accurate and complete records of all compliance-related activities, including risk assessments, audits, training, and reporting, as required by applicable regulations.

The million-dollar issue: Do all credit card issuers and Fintech companies take possession of client funds? As a result, do all credit card issuers require a money services license?

Credit card issuers and Fintechs generally do not take possession of client funds in the same way as banks, which hold deposits in customer accounts. Credit card issuers extend a line of credit to cardholders, allowing them to make purchases or obtain cash advances up to a specified limit. Cardholders are then required to repay the borrowed amount, typically with interest, according to their credit card agreement.

As a result, credit card issuers usually do not fall under the category of money services businesses (MSBs) and may not require a money services license. MSBs typically include entities involved in money transmission, currency exchange, check cashing, and other financial services that involve the handling of client funds.

For more on this topic, you might also read through Structuring a Fintech or Card Issuer without an MSB License

Process to Apply for a Money Service Business License

In the United States, money transmission licensing is regulated at the state level. Each state has its own requirements and procedures for obtaining a money transmission license, which means that if you plan to operate in multiple states, you may need to obtain a license in each state where you conduct business. Here is a general outline of the process:

  1. Research state-specific requirements: Begin by researching the specific licensing requirements for each state in which you plan to operate. You can usually find this information on the state’s financial regulatory agency website or by consulting with a legal professional.
  2. Prepare your application: Each state has its own application form and supporting documentation requirements. Commonly required documents may include a business plan, financial statements, policies and procedures, AML program documentation, background checks, and fingerprints for key personnel, as well as information about the company’s organizational structure and management.
  3. Obtain a surety bond: Most states require money transmitters to obtain a surety bond as part of the licensing process. The bond amount varies by state and is designed to protect consumers in case the licensee fails to meet its obligations.
  4. Pay application fees: Each state typically requires payment of a non-refundable application fee and, if applicable, a licensing fee upon approval.
  5. Submit your application: Once you have prepared all the required documents, submit your application to the appropriate state agency for review. The review process can take several weeks to several months, depending on the state and the complexity of your application.
  6. Respond to any inquiries or requests for additional information: During the review process, the state agency may request additional information or clarification. Respond promptly to these requests to avoid delays in the licensing process.
  7. Obtain your license: If your application is approved, the state agency will issue your money transmission license. You may need to pay an initial licensing fee or meet additional requirements, such as providing proof of a surety bond, before your license becomes active.
  8. Maintain compliance: Once licensed, you must maintain compliance with state-specific regulations, including periodic reporting, financial statement submissions, and maintaining a surety bond. You may also be subject to periodic examinations by the state agency to ensure ongoing compliance.
  9. Renew your license: Money transmission licenses typically have expiration dates and must be renewed periodically. Each state has its own renewal process and fees, so be sure to stay aware of the requirements and timelines to avoid any lapses in your license.

Bond Requirements (CA and TX as examples)

Money Services Businesses (MSBs) are required to obtain surety bonds as part of the licensing process. These bonds help protect consumers from potential financial loss resulting from the MSB’s failure to comply with state regulations or unethical business practices.

Here are the bond requirements for MSBs in California and Texas:

  1. California: Money transmitters in California are required to obtain a surety bond under the California Money Transmission Act. The bond amount varies based on the volume of the money transmitter’s business. The minimum bond amount is $250,000, and the maximum bond amount is $7,000,000. However, if the money transmitter also conducts business in receiving money for obligations, the maximum bond amount may be increased to $10,000,000.
  2. Texas: In Texas, MSBs that are engaged in money transmission or currency exchange must obtain a surety bond under the Texas Finance Code. The bond amount is determined by the Texas Department of Banking based on the MSB’s business activity and volume. The minimum bond amount is $300,000, and the maximum bond amount is $2,000,000. In addition to the state-level bond requirement, certain cities in Texas, such as Austin and Houston, may also require MSBs to obtain a separate bond at the local level.

Note that bond requirements may vary based on the specific type of MSB (e.g., money transmitter, check casher, currency exchanger) and other factors, such as the volume of transactions processed. The above is just an example.

Given the complexity and state-specific nature of money transmission licensing, this is a very complex matter. We are capable of applying for licenses in multiple states if that is what’s required. My quotation below does NOT include the cost of applying for an MSB license(s).

Consulting Services

We can create a compliance program that covers all essential aspects, including regulatory compliance, risk assessment, transaction monitoring, fraud detection, data security, and employee training as described above. Our team of experienced compliance professionals will work closely with you to ensure the program is tailored to your organization’s unique needs and requirements.

We can assist in all aspects of a fintech, crypto, or credit card issuing business compliance program. For more information and pricing, please contact us at For information on this topic for banks, see my other website