
Building a BSA Program as a Neobank


Receiving your bank charter — or launching under a sponsor bank arrangement — triggers an immediate regulatory obligation that many neobank founders are surprised to find so specific: you need a written BSA/AML program. Not a policy document. Not a compliance deck. A written program that satisfies five enumerated elements under 31 CFR 1020.210, with procedures, systems, and recordkeeping that can withstand examination scrutiny from day one.

We've worked through this exercise with early-stage digital banks often enough to see where the gaps appear. What follows is a practical account of each required element and the infrastructure decisions that support it.

The Five Required Program Elements

The Bank Secrecy Act, as implemented at 31 CFR 1020.210, requires covered financial institutions to maintain a written AML program that incorporates, at minimum:

  1. A system of internal controls to ensure ongoing compliance
  2. Independent testing of BSA/AML compliance
  3. Designation of a BSA Compliance Officer
  4. Ongoing training for appropriate personnel
  5. Customer identification and due diligence procedures (added by FinCEN's Customer Due Diligence rule, effective 2018)

That enumeration looks straightforward. In practice, each element generates a set of sub-requirements that neobanks — particularly those built on lightweight ops teams — find difficult to satisfy completely out of the gate.

Internal Controls: The System Layer

Internal controls for BSA purposes mean the actual policies, procedures, and systems that detect and report suspicious activity. At minimum, this includes a Customer Identification Program (CIP) that verifies identity at account opening, a transaction monitoring system with documented rule logic and calibration rationale, a process for OFAC screening at onboarding and on an ongoing basis, and a SAR filing workflow that tracks detection-to-filing timelines.

For neobanks in the first 12 months of operation, the trap here is treating internal controls as a documentation exercise rather than an operational one. A written CIP procedure that says "we verify identity using a third-party KYC provider" is only the beginning. The examiner will want to see the actual identity verification failure rate, what happens when a customer fails the automated check, how manual reviews are documented, and whether the ID verification logic has been tested against identity fraud patterns relevant to the institution's customer profile.

The controls need to exist in the systems, not just on paper. The paper describes what the systems do. If the paper and the systems diverge, that discrepancy is itself an examination finding.

Independent Testing: Not an Internal Audit

The independent testing requirement is frequently the element neobanks shortcut most aggressively in the early stage. Testing performed by the BSA Compliance Officer or by the compliance team that owns the program does not satisfy the independence standard. The testing function must be genuinely independent — either an internal audit function with no reporting line through compliance, or an external third party.

For a digital bank with 15 employees, maintaining an internal audit function with true independence is typically impractical. The realistic solution is an annual BSA/AML program review by an external firm with demonstrated BSA examination experience. This isn't optional; examiners specifically evaluate whether independent testing was performed, how it was scoped, what findings it produced, and how management responded to those findings.

We're not saying an independent test will always find deficiencies. What we are saying is that the absence of any independent testing — or testing documented as independent but actually performed by the same team — creates a program gap that is more consequential than most of the substantive findings a test might produce.

BSA Officer Designation: More Than a Title

Designating a BSA Compliance Officer is a specific regulatory obligation, not just a job title. The designated officer needs the authority to implement the BSA program, access to information necessary to assess compliance risk, and sufficient seniority within the organization to escalate findings to the board when necessary.

At early-stage digital banks, we frequently see the BSA Officer role assigned to the General Counsel, the Chief Risk Officer, or in some cases the CEO. That's legally permissible. What matters is whether the designated individual has the time and subject-matter competency to actually execute the role — reviewing SARs before filing, approving rule calibration changes, responding to exam findings.

A BSA Officer who is also running three other critical functions and has limited BSA examination experience is a program risk even if the title is correctly assigned. If the institution lacks the internal depth, augmenting with fractional compliance advisory support from someone with direct BSA examination experience is a reasonable approach in the 12-to-24-month pre-raise window.

Customer Identification and Due Diligence

The fifth element, added by FinCEN's CDD rule, requires financial institutions to maintain written procedures for Customer Identification Program (CIP) compliance, Customer Due Diligence (CDD) including collection of beneficial ownership information for legal entity customers, and Enhanced Due Diligence (EDD) for higher-risk accounts.

For consumer-focused neobanks, beneficial ownership is less operationally complex — individual accounts don't trigger the legal entity ownership requirement. But EDD triggers are relevant across account types. A consumer account with unusually high transaction velocity that cannot be explained by the customer's stated occupation and account purpose is an EDD trigger. The program needs documented procedures for what happens next: what information is collected, how it's evaluated, how the decision to maintain or exit the relationship is made and documented.

The Infrastructure Requirements Behind the Program

A written BSA program without the supporting technology infrastructure is a set of promises an institution can't keep. Transaction monitoring requires a system that generates auditable alerts with timestamps, disposition records, and escalation history. OFAC screening requires a system that logs every screening event, every hit, and every resolution decision. SAR filing requires a workflow that tracks the initial detection date, the case development timeline, and the final filing confirmation from FinCEN's BSA E-Filing System.

The recordkeeping obligations are specific: SAR-related records must be retained for five years from the filing date. CIP records must be retained for five years from account closure. The records need to be accessible — retrievable in a format that an examiner can review, not archived in a format that requires weeks to reconstruct.

None of this requires an enormous compliance technology stack. What it does require is deliberate choices about which systems generate which records, who has access to those records, and how they'd be produced in response to an examination request on 48 hours' notice.
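To make the record-generation requirements above concrete, here is an added example (written for this page, not code from any vendor or from the authors) of the minimal audit trail a monitoring case needs: an append-only event history with timestamps, disposition and escalation entries, the FinCEN filing confirmation, the detection-to-filing elapsed time, and the retention dates derived from the five-year periods stated above. The filing window is a configurable assumption (the page only refers to a 30-day window by title; confirm the operative deadline against 31 CFR 1020.320), and the case, actors, and confirmation identifier are constructed placeholders. The retention helper also covers a Feb 29 anchor date, which the page does not discuss.

```python
from dataclasses import dataclass, field
from datetime import date, datetime

# Retention periods stated on the page (five years in each case).
SAR_RETENTION_YEARS = 5   # counted from the SAR filing date
CIP_RETENTION_YEARS = 5   # counted from account closure
# Assumed, configurable detection-to-filing window; confirm against 31 CFR 1020.320.
SAR_FILING_WINDOW_DAYS = 30


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anchor lands on Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str      # "alert", "disposition", "escalation", "sar_filed"
    actor: str     # who acted: a rule engine, an analyst, the BSA Officer
    note: str = ""


@dataclass
class Case:
    """Append-only history for one monitoring alert through SAR filing."""
    case_id: str
    events: list = field(default_factory=list)

    def record(self, at: datetime, kind: str, actor: str, note: str = "") -> None:
        # Audit integrity: entries are only ever appended, in time order; nothing is edited.
        if self.events and at < self.events[-1].at:
            raise ValueError("events must be recorded in chronological order")
        self.events.append(Event(at, kind, actor, note))

    def _first(self, kind: str):
        return next((e for e in self.events if e.kind == kind), None)

    def detection_date(self) -> date:
        alert = self._first("alert")
        if alert is None:
            raise ValueError("case has no initial detection (alert) event")
        return alert.at.date()

    def filing_date(self):
        filed = self._first("sar_filed")
        return filed.at.date() if filed else None

    def days_to_filing(self):
        filed = self.filing_date()
        return None if filed is None else (filed - self.detection_date()).days

    def filed_within_window(self, window_days: int = SAR_FILING_WINDOW_DAYS) -> bool:
        days = self.days_to_filing()
        return days is not None and days <= window_days

    def sar_retention_until(self):
        filed = self.filing_date()
        return None if filed is None else add_years(filed, SAR_RETENTION_YEARS)

    def examiner_export(self) -> list:
        """Chronological, self-describing rows an examiner can read as-is."""
        return [{"case_id": self.case_id, "at": e.at.isoformat(),
                 "kind": e.kind, "actor": e.actor, "note": e.note}
                for e in self.events]


def cip_retention_until(account_closed: date) -> date:
    return add_years(account_closed, CIP_RETENTION_YEARS)


def build_sample_case() -> Case:
    """Constructed sample lifecycle; every value here is made up for illustration."""
    c = Case("CASE-0001-SAMPLE")
    c.record(datetime(2024, 3, 1, 9, 0), "alert", "rule:velocity-v3",
             "daily inbound count exceeded calibrated threshold")
    c.record(datetime(2024, 3, 3, 14, 30), "disposition", "analyst:a.lee",
             "not explained by stated occupation; escalate for EDD")
    c.record(datetime(2024, 3, 5, 10, 15), "escalation", "bsa_officer:j.park",
             "EDD opened; customer outreach documented")
    c.record(datetime(2024, 3, 25, 16, 45), "sar_filed", "bsa_officer:j.park",
             "BSA E-Filing confirmation: CONFIRMATION-ID-PLACEHOLDER")
    return c


if __name__ == "__main__":
    case = build_sample_case()
    print(f"detection -> filing: {case.days_to_filing()} days, "
          f"within window: {case.filed_within_window()}")
    print(f"retain SAR records until {case.sar_retention_until()}")
    for row in case.examiner_export():
        print(row)
```

The design point is that every question an examiner asks in the paragraphs above (when was it detected, who dispositioned it, when was it escalated, when was it filed, how long must it be kept) is answered from the event log itself rather than reconstructed later; the chronological-order check is what keeps that log trustworthy.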
