AML Policy for Fintechs: The Complete Guide to Building a Compliant Program in the US and LATAM [2026]
- Enforcement is intensifying even as rules evolve. Global AML-related penalties hit $3.8 billion in 2025, according to Fenergo, with fintechs and crypto platforms bearing the heaviest losses. Yet US regulators simultaneously streamlined CDD requirements and narrowed beneficial ownership reporting — signaling a shift toward risk-based effectiveness over procedural compliance.
- LATAM is rapidly expanding its AML perimeter. Brazil, Mexico, Colombia, Chile, Peru, and Argentina all introduced major AML reforms in 2025–2026, pulling payment institutions, virtual-asset providers, and new entity types into formal compliance requirements for the first time.
- Platforms like Signzy provide end-to-end AML infrastructure — from identity verification and sanctions screening against 1,000+ global watchlists to transaction monitoring and continuous due diligence — enabling fintechs to automate compliance across the US and LATAM without stitching together multiple point solutions.
In 2025, global regulators imposed $3.8 billion in AML, KYC, sanctions, and CDD penalties — and fintechs bore a disproportionate share. OKX paid $504 million for operating without adequate AML controls while serving US customers. BitMEX was fined $100 million for willfully failing to maintain an AML program. Block's Cash App paid $40 million for BSA/AML failures including inadequate customer due diligence and transaction monitoring.
Yet here's the paradox: while enforcement reached record levels, US regulators simultaneously eased procedural requirements. FinCEN streamlined CDD obligations in February 2026, narrowed beneficial ownership reporting under the Corporate Transparency Act in March 2025, and delayed the investment-adviser AML rule to 2028. The message is unmistakable: regulators want fewer checkbox requirements but more effective detection.
For product, operations, and technology leaders at fintechs operating in the US and Latin America, this creates a clear mandate. Your AML policy can no longer be a document that sits in a compliance folder. It needs to be an operational system — risk-based, technology-enabled, and designed to scale with your business across multiple jurisdictions.
This guide covers what an effective AML policy requires in 2026, the specific regulatory changes reshaping compliance in the US and LATAM, and a practical framework for building a program that actually works.
What Is an AML Policy and Why Can't Fintechs Afford to Get It Wrong?
An AML policy is the documented framework that governs how your organization identifies, prevents, detects, and reports money laundering and terrorist financing. It's not a checklist or a template you download and file away — it's the operating system for your compliance program, covering everything from risk assessment and customer due diligence to transaction monitoring, suspicious activity reporting, and board-level governance.
Fintechs face a set of AML challenges that traditional banks don't. Teams are lean — 51% of fintechs have compliance teams of just 11–24 people, according to Alloy's US fintech survey. Growth is fast, which means onboarding volumes, transaction types, and geographic exposure can change faster than compliance controls can adapt. And the regulatory landscape spans multiple jurisdictions — especially for fintechs serving both US and LATAM markets.
The consequences of inadequate AML policies are no longer hypothetical. In July 2025, the UK's FCA fined Monzo £21 million because the digital bank's onboarding, customer-risk assessment, and transaction-monitoring controls failed to keep pace with its rapid growth. That same month, Barclays was fined £42 million for failures in financial-crime risk management. The pattern is consistent: regulators penalize programs that don't scale with the business.
As one compliance practitioner noted on Reddit: "AML alerts feel annoying until a partner bank calls." For fintechs operating within banking-as-a-service (BaaS) structures, AML failures don't just trigger fines — they can end sponsor-bank relationships overnight.
The financial burden is substantial across the industry. LexisNexis estimated global financial-crime compliance costs at $206.1 billion in 2023, while 55% of fintechs cite lack of automation as a leading barrier to meeting BSA requirements. Getting AML right isn't optional — but getting it right efficiently is what separates fintechs that scale from those that stall.
For a foundational understanding of how AML differs from KYC and the specific red flags your program should detect, Signzy's guides provide detailed breakdowns.
---
What Are the Key AML Regulations Affecting Fintechs in the US and LATAM?
What Has Changed in US AML Regulations in 2025–2026?
The US regulatory picture in 2025–2026 tells a paradoxical story. On one hand, enforcement reached unprecedented levels — FinCEN assessed an $80 million penalty against Canaccord Genuity in March 2026, the largest BSA penalty ever imposed on a broker-dealer, for failures in AML program design, customer due diligence, and SAR filing. FinCEN also imposed its first-ever action against an armored-car company — $37 million against Brink's for moving hundreds of millions across the Southwest border without adequate AML controls.
On the other hand, regulators actively reduced procedural burden. The key changes:
| Regulation / Change | Effective Date | What Changed | Fintech Impact |
|---|---|---|---|
| FinCEN CDD Streamlining | Feb 13, 2026 | Financial institutions no longer required to verify beneficial owners at every new account opening — only at first account, when prior data becomes unreliable, or when risk-based procedures require it | Revisit account-opening workflows; update refresh triggers and ongoing-monitoring logic |
| CTA/BOI Reporting Narrowed | Mar 21, 2025 | Domestic US entities effectively exempted from BOI reporting; applies mainly to foreign entities registered in the US | Major filing burden reduction for US-organized fintechs; foreign fintech groups with US registrations still need to assess scope |
| Residential Real Estate AML Reporting | Mar 1, 2026 | New reporting requirements for non-financed residential real-estate transfers to legal entities and trusts | PropTech, escrow, and title-tech firms may face new data-sharing and reporting dependencies |
| Investment-Adviser AML Rule Delayed | Delayed to Jan 1, 2028 | AML program requirements for investment advisers pushed back two years | WealthTech and adviser platforms gained implementation time; the rule is delayed, not repealed |
| AML Whistleblower Rules | Mar 30, 2026 (proposed) | FinCEN proposed rules to implement whistleblower award payments under the AML Act | Internal reporting, investigations, and retaliation controls becoming more important from a conduct-risk perspective |
Beyond FinCEN, two FATF revisions are reshaping how fintechs approach compliance. FATF's revised Recommendation 1 (February 2025) explicitly supports digital onboarding and proportionality — meaning non-face-to-face relationships are not inherently higher risk when appropriate mitigants are in place. This provides a stronger regulatory basis for e-KYC and tiered due diligence. FATF's revised Recommendation 16 (June 2025) raises the bar for payment transparency — cross-border payment firms, wallet providers, and virtual-asset transfer businesses face stricter requirements around originator/beneficiary data quality and payment-chain accountability.
The takeaway for fintech leaders: the regulatory direction in the US is not "more rules" — it's "smarter rules." FinCEN wants programs that are effective, risk-based, and reasonably designed, not maximally comprehensive. But the enforcement data makes clear that "streamlined" does not mean "lenient."
Top AML Enforcement Actions: 2025–2026
The enforcement landscape underscores the real financial consequences of inadequate AML programs. Here are the most significant actions impacting fintechs and financial institutions:
| Entity | Penalty | Date | Enforcer | Reason |
|---|---|---|---|---|
| UBS AG | €835M (~$985M) | Sep 2025 | France | Unlawful client solicitation and aggravated money laundering (legacy case) |
| OKX / Aux Cayes Fintech | >$504M | Feb 2025 | DOJ | Unlicensed money transmitting business; no FinCEN registration; $5B+ in suspicious transactions |
| BitMEX / HDR Global | $100M | Jan 2025 | DOJ | Willful BSA violation — failure to maintain adequate AML/KYC program |
| Canaccord Genuity | $80M | Mar 2026 | FinCEN | Largest BSA penalty on a broker-dealer; AML program, CDD, and SAR filing failures |
| Nationwide Building Society | £44M | Dec 2025 | FCA | Inadequate anti-financial-crime systems and controls (2016–2021) |
| Barclays | £42M | Jul 2025 | FCA | Failures in financial-crime risk management |
| Block / Cash App | $40M | Apr 2025 | NYDFS | BSA/AML program failures; inadequate CDD and transaction monitoring |
| Brink's Global Services | $37M | Feb 2025 | FinCEN | First armored-car company action; bulk cash moved without AML controls |
The pattern is clear: crypto platforms, digital banks, and non-traditional financial services firms are now facing the same enforcement intensity previously reserved for major banks.
What Are the Key LATAM AML Requirements for Fintechs?
While each Latin American country operates on its own regulatory timeline, the direction across the region is strikingly uniform. Every major LATAM market is simultaneously expanding its AML perimeter, strengthening beneficial-ownership requirements, and pulling virtual assets into formal regulation. For fintechs with a well-designed, FATF-aligned AML program, this convergence creates an opportunity: build once, adapt by jurisdiction, rather than starting from scratch in each market.
| Country | Key 2025–2026 Changes | Effective Dates | Affected Entities | Fintech Impact / Action Required |
|---|---|---|---|---|
| Brazil | e-Financeira reporting expanded to payment institutions and card administrators; Pix participation rules tightened (only BCB-authorized entities); Crypto reporting updated via DeCripto transition (new layout H2 2026); Beneficial-owner filing modernization consulted (e-BEF proposal) | Jan 2025 (e-Financeira, Pix); H2 2026 (crypto layout) | Payment institutions, card admins, Pix participants, crypto firms | Review BCB licensing status; update data architecture for e-Financeira reporting; prepare for crypto-reporting layout change |
| Mexico | Major LFPIORPI AML reform: expanded "vulnerable activities" to include virtual assets, real-estate development, and trusts; updated thresholds and registration logic; some obligations await revised general rules | Jul 17, 2025 (reform effective) | All entities touching virtual assets, real estate, or trusts | Conduct gap analysis separating "effective now" vs "pending secondary rules"; assess whether any activity is newly classified as vulnerable |
| Colombia | Supersociedades formalized annual SAGRILAFT reporting (Informe 75); compliance-officer change reporting (Informe 58) within 15 business days; transition periods ended for chambers of commerce and foreign nonprofits | Mar 2025 (circular); May 2025 (transition deadline) | Companies under Supersociedades supervision; chambers of commerce; foreign nonprofits | Prepare annual structured filings; formalize board-level governance documentation; establish compliance-officer change procedures |
| Chile | Ley Fintec registration became mandatory — only authorized firms can provide fintech services; UAF Circular 62 requires beneficial-owner declarations; CMF Circular 2368 aligned AML/CFT requirements for banks and non-bank issuers | Feb 3, 2025 (Ley Fintec); Jun 2025 (UAF Circular 62); Feb 2, 2026 (CMF Circular 2368) | Fintech firms in Ley Fintec perimeter; banks, non-bank card issuers, cooperatives | Ensure full regulatory authorization; align AML program with beneficial-owner collection and converged UAF/CMF definitions |
| Peru | PEP screening rules updated (Resolution 0199-2025); freezing powers expanded to extortion; Virtual-asset providers (PSAVs) formalized under AML regime with UIF-Perú supervision | Jan 22, 2025 (PEP rules); 2024–2025 (PSAV regime) | Financial institutions, VASPs/PSAVs | Recalibrate PEP screening; crypto/VASP firms must operate within formal UIF-Perú AML regime |
| Argentina | VASPs brought into AML perimeter (2024); UIF Resolution 35/2026 formalized inter-agency information-sharing framework across BCRA, CNV, insurance supervisor, and INAES, including foreign regulators | 2024 (VASP perimeter); 2026 (information-sharing) | Crypto and payments firms; all regulated entities | Expect more coordinated supervision and cross-agency information-sharing |
The convergence pattern is clear. Across all six markets, regulators are demanding better data, better traceability, and more mature compliance governance — especially from fintechs and crypto platforms. Brazil's Coaf demonstrated this enforcement posture by imposing R$28.5 million in AML fines in a single May 2025 session, including R$15.6 million against Real Brasil Metais for failing to report R$156 million in suspicious operations.
For deeper context on what AML programs aim to prevent, Signzy's guide on the three stages of money laundering — placement, layering, and integration — explains the detection opportunities at each stage. For sanctions screening specifics, see the AML watchlist screening guide.
---
What Should an Effective AML Policy Include? A Practical Framework for Fintechs
FinCEN's regulatory direction is explicit: AML programs must be "effective, risk-based, and reasonably designed." Not maximally comprehensive. A 10-page policy that's implemented, tested, and adapted to your actual business risks is more valuable — and more defensible — than a 100-page document that sits in a compliance folder.
Here's what an effective AML policy needs to cover — with the operational reality for each component.
| Component | What It Covers | Operational Reality for Fintechs |
|---|---|---|
| Risk Assessment | Products, customer segments, geographies, channels, counterparties, typologies | Must be refreshed for new products, geographies, or bank partners — not just annually |
| Customer Due Diligence (CDD/EDD/SDD) | Tiered identity verification based on risk | Average transaction-monitoring false-positive rate sits at 92% when rules aren't tuned to the business model |
| KYC/KYB Integration | Individual and business identity verification | Lean teams need API-first, no-code approaches to avoid manual bottlenecks |
| Sanctions, PEP & Adverse Media Screening | Real-time screening against watchlists | Fuzzy matching essential — exact-match misses name variations, aliases, and transliterations |
| Transaction Monitoring | Rule-based and ML-powered detection of suspicious patterns | 34% of fintechs say SAR/STR filing is their biggest compliance time sink |
| SAR/CTR Filing & Regulatory Reporting | Suspicious activity and currency transaction reports | FinCEN recommends Day 0 detection, Day 30 initial filing, 90-day follow-ups |
| Training & Awareness | Staff training on typologies, red flags, and escalation | Must be role-specific — analysts, product teams, and leadership need different training |
| Independent Testing & Audit | Periodic review of AML program effectiveness | OCC exam procedures (updated Feb 2026) emphasize documented frameworks and prior-cycle conclusions |
| Governance & Board Oversight | Senior management accountability, compliance officer designation | Colombia's Informe 58 requires reporting compliance-officer changes within 15 business days |
Risk Assessment: Start Here, Revisit Often
The strongest AML programs don't begin with technology — they begin with a documented risk assessment. The effective pattern, supported by FinCEN's modernization proposal and the Wolfsberg Group's effectiveness framework, follows a control-mapping approach:
Start with your products and services, customer types, channels, geographies, and counterparties. Overlay national priorities and known typologies. Score inherent risk. Map existing controls to each risk and calculate residual risk. Identify data dependencies, owners, and metrics. And critically — require a product-change review whenever the business launches something new.
The most common mistake is treating risk assessment as an annual exercise. Effective programs refresh when there's a new product, a new geography, a new bank partner, a new payment rail, or a material change in alert or SAR trends.
Customer Due Diligence: The 92% Problem
CDD tiers — simplified (SDD), standard (CDD), and enhanced (EDD) — form the backbone of risk-based compliance. In theory, this is straightforward: low-risk customers get lighter verification, high-risk customers get deeper scrutiny. In practice, this is where most fintechs struggle.
Capgemini's KYC/AML benchmark reported an average transaction-monitoring false-positive rate of 92%. As one compliance practitioner described on Reddit: "Out of nearly 5,000 monthly alerts, maybe 50 are legit." The root cause is almost always the same — screening rules calibrated for traditional banks, not for the actual transaction patterns of a fintech's specific customer base.
The fix isn't more rules; it's better-tuned rules. Use risk-based segmentation, document your thresholds, validate models independently, and retire controls that aren't performing. FFIEC guidance emphasizes that filtering criteria must be explainable, periodically reviewed, and independently validated.
Transaction Monitoring and SAR Filing: The Biggest Time Sink
According to Alloy's survey, 34% of fintechs say SAR/STR/CTR writing and filing is their single most time-consuming compliance activity — ahead of customer due diligence at 23%. The same survey found that creating a single SAR typically takes 1–2 weeks.
For lean compliance teams, the technology stack decisions here matter enormously. A pragmatic approach from EY's 2024 transaction monitoring survey: buy commodity controls (watchlist screening, case workflow, reporting connectors) and build or customize where your risk is proprietary (transaction segmentation, customer-risk scoring, and alert-suppression logic tied to your product behavior). EY found that 43% of institutions already use ML in detection mechanisms, and 29% use in-house solutions across parts of their monitoring estate.
Startup vs. Growth-Stage: How Implementation Differs
The depth of your AML program should match your stage. For early-stage fintechs, the practical approach is: one core compliance owner, outsourced or fractional advisory support, one integrated vendor for onboarding/screening/workflow, and relatively simple transaction monitoring rules tied to a few product-specific typologies. This works because FinCEN's regulatory minimums — a written program, a designated owner, training, independent review, and risk-based controls — can be satisfied with a lean but disciplined setup.
Growth-stage fintechs need more structure. As volumes, products, partner-bank expectations, and regulatory scrutiny rise together, the program must evolve: a dedicated AML operations lead, split responsibilities between alert triage, investigations/SAR, QA, and program governance, a stronger data platform and customer-360 view, more formal model/rule governance, and selective use of ML on top of a vendor core. ComplyAdvantage's 2024 industry survey found 49% of firms planned to add new compliance capabilities and 46% planned to upskill their teams — reflecting this growth-driven investment pattern.
The biggest mistake at either stage is treating compliance as a vendor purchase rather than a production operating system. The fintechs that scale best keep their first stack simple and integrated, build a disciplined risk-assessment and tuning cadence early, and spend their scarce people on high-value investigations and control design rather than manual swivel-chair work.
Training, Testing, and Governance: The Components Most Fintechs Underbuild
Training and awareness must be role-specific, not one-size-fits-all. Analysts need training on typologies, red-flag recognition, and SAR narrative writing. Product teams need to understand how new features or geographies change the risk profile. Leadership needs enough AML literacy to ask the right questions during board reporting and exam preparation. Annual check-the-box training doesn't satisfy examiners — regulators want evidence that training content is updated for new typologies and regulatory changes, and that completion is tracked and enforced.
Independent testing and audit is where many fintechs fall short, particularly at the growth stage. The OCC's updated exam procedures (effective February 2026) emphasize documented frameworks, prior-cycle conclusions, and evidence that the institution's own controls have been independently validated. This means your AML program needs periodic testing by a party independent of the compliance function — either an internal audit team or an external firm — that evaluates whether controls are operating as designed, thresholds are appropriate, and deficiencies from prior cycles have been remediated. If your program has never been independently tested, that's a finding waiting to happen.
RegTech Governance: The Hidden Risk
Most AML content says "use technology to automate compliance." What it doesn't say is that technology itself is a risk vector. The European Banking Authority found that over half of serious compliance failures in its EuReCA database involved improper use of compliance technology.
For fintechs — which have leaner teams, less regulatory examination history, and greater reliance on third-party tools — this risk is especially acute. 93% of fintechs use at least one third-party platform for compliance management. But buying a tool is not the same as governing it. Effective RegTech governance means: documented vendor oversight, model validation, explainability for auditors and regulators, and human-review controls that ensure automated decisions are defensible.
For detailed guidance on screening implementation, see Signzy's sanctions screening guide and transaction monitoring overview. For KYB verification as part of your AML policy, see the guide on how to check if a company is legitimate. For a comparison of leading AML technology providers, see the 10 best AML software for regulatory compliance.
How Signzy Helps Fintechs Build and Maintain AML Compliance
The operational challenges are clear: lean teams, multi-jurisdiction complexity, 92% false-positive rates, and rapidly expanding LATAM regulatory requirements. Running AML compliance across separate point solutions — one for screening, another for monitoring, another for KYB — creates workflow fragmentation, weak audit trails, and a higher total cost of ownership.
What fintech compliance leaders should look for in a platform is a unified stack that covers KYC, KYB, AML screening, transaction monitoring, and fraud prevention — with global watchlist coverage, risk-based workflows, continuous monitoring, and an API-first architecture that integrates without months of implementation.
Signzy provides this as an integrated compliance infrastructure platform trusted by over 1,000 financial institutions globally:
- Sanctions and watchlist screening against 1,000+ global databases — including OFAC, UN, EU, FinCEN, and local regulatory lists — with daily updates and fuzzy-logic matching that catches name variations, aliases, and transliterations that exact-match systems miss.
- Separate screening workflows for individuals and businesses. For individuals: PEP databases, sanctions lists, adverse media, and criminal records. For business entities: corporate sanctions, state-owned enterprises, shell companies, and trade-violation lists.
- Transaction monitoring with AI-powered pattern recognition and configurable rule engines that compliance teams can adjust without developer resources — reducing the false-positive problem that consumes most AML operations bandwidth.
- KYB verification across 180+ countries with automated UBO identification through complex multi-layered ownership structures.
- Continuous due diligence (CDD) that monitors changes in customer risk profiles, ownership structures, and sanctions exposure throughout the business relationship — not just at onboarding.
- Deployment in 2–4 weeks with 97% API accuracy and sub-5-second response times, via a usage-based pricing model with no minimum commitments.
If your primary need is IDV conversion optimization, platforms like Sumsub are strong — they report 97% verification completion rates and are designed for pass-rate efficiency. If your need is end-to-end compliance infrastructure that covers KYC, KYB, AML screening, transaction monitoring, and fraud prevention in a single platform — reducing vendor sprawl and creating unified risk visibility across the US and LATAM — Signzy's AML screening solution is built for that.
For a detailed feature comparison, see Signzy vs Sumsub. For alternatives to Sumsub across the identity verification landscape, see 10 best Sumsub alternatives. For broader compliance best practices, see 7 KYC best practices for smarter compliance.

Saurin Parikh
Saurin is a Sales & Growth Leader at Signzy with deep expertise in digital onboarding, KYC/KYB, crypto compliance, and RegTech. With over a decade of professional experience across sales, strategy, and operations, he’s known for driving global expansions, building strategic partnerships, and leading cross-functional teams to scale secure, AI-powered fintech infrastructure.


