January 2026 · 10 min read
AML Programs for Startups: What You Actually Need
You don't need a bank-grade AML program on day one. Here's how to build something proportionate that actually works — and scales with you.
Every fintech founder eventually asks: "What kind of AML program do I need?" The honest answer is: it depends. But that's not very helpful, so let me break down what "it depends" actually means.
First: Do You Even Need an AML Program?
Not every fintech has direct AML obligations. Here's the quick test:
- Money Services Business (MSB)? — If you transmit money, exchange currency, or deal in crypto, you're probably an MSB with BSA obligations.
- Bank partner program? — If you're operating under a bank's license, they'll impose AML requirements as a condition of the relationship.
- PayFac or payment intermediary? — You'll have obligations through your sponsor bank/processor.
- Pure software/SaaS? — You might not have direct AML obligations, but your partners might require it anyway.
Even if you don't have legal obligations, building AML capabilities early makes future partnerships easier. Banks and sponsors love working with companies that already have their act together.
The Five Pillars (In Plain English)
Every AML program needs five components. Here's what they actually mean:
1. Written Policies & Procedures
Document what you do and how you do it. This doesn't need to be 100 pages — it needs to be accurate. Cover:
- Customer identification and verification (CIP/KYC)
- Customer due diligence and risk rating
- Transaction monitoring approach
- Suspicious activity reporting
- Record retention
Common mistake: Copying a template from a bank or large company. Your policies should reflect your actual business, not someone else's.
2. Designated Compliance Officer
Someone needs to own this. In early stages, it's often a founder or ops lead wearing multiple hats. That's fine — just make it official and ensure they have:
- Authority to make compliance decisions
- Direct access to leadership/board
- Resources to do the job
As you scale, this typically becomes a dedicated role or you bring in fractional expertise.
3. Training
Everyone who touches customers or transactions needs to understand:
- What money laundering looks like in your context
- Red flags specific to your business
- How to escalate concerns
Training doesn't need to be expensive. A 30-minute internal session with real examples from your business beats a generic online course.
4. Independent Testing
Someone outside day-to-day operations needs to periodically check that your program is working. Options:
- Internal audit (if you have one)
- External audit firm
- Qualified consultant
Frequency depends on risk — annually is typical for early-stage companies, more often for higher-risk businesses.
5. Customer Due Diligence (CDD)
Know your customers. At minimum:
- Identify them (name, address, DOB, ID number)
- Verify their identity (document check, database verification)
- Understand the relationship (what are they using you for?)
- Ongoing monitoring (does their activity match expectations?)
For business customers, add beneficial ownership identification.
What "Proportionate" Actually Means
Regulators talk about "risk-based" and "proportionate" programs. Here's what that means in practice:
A payments startup processing $1M/month with 500 retail customers needs basic KYC, simple transaction monitoring rules, and a designated person watching for obvious red flags.
A crypto exchange processing $100M/month with global customers needs robust identity verification, sophisticated transaction monitoring, blockchain analytics, dedicated compliance staff, and probably a CAMS-certified BSA officer.
Your program should match your risk. Building a bank-grade program when you have 50 customers is wasteful. Running a startup program when you have 50,000 customers is negligent.
Practical Starting Point
If you're early-stage and need to stand something up quickly, here's a reasonable baseline:
- ✓ 5-10 page policy document covering the basics
- ✓ KYC vendor for identity verification (Persona, Alloy, etc.)
- ✓ Sanctions screening (most KYC vendors include this)
- ✓ Basic transaction monitoring rules (velocity limits, amount thresholds)
- ✓ SAR filing process (know how to file when needed)
- ✓ Designated owner with compliance in their job description
- ✓ 30-minute training for customer-facing staff
This isn't a complete program — it's a starting point. As you grow, layer in more sophisticated controls, dedicated staff, and external testing.
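As an added illustration (not code from the original post), here is what those "basic transaction monitoring rules" look like when written down: a velocity limit, a single-amount threshold, and the "does their activity match expectations?" check from the CDD section, comparing rolling volume with the monthly volume a customer declared at onboarding. All thresholds, customer IDs and transactions are constructed placeholder values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline thresholds (placeholders; set yours from your own risk assessment).
SINGLE_AMOUNT_LIMIT = 5_000.00         # rule 1: any single transfer at or above this amount
VELOCITY_MAX_COUNT = 5                 # rule 2: more than this many transfers per customer ...
VELOCITY_WINDOW = timedelta(hours=24)  # ... inside this sliding window
PROFILE_WINDOW = timedelta(days=30)    # rule 3: rolling volume compared with the declared profile ...
PROFILE_MULTIPLIER = 3.0               # ... alert once it exceeds 3x the expected monthly volume

@dataclass(frozen=True)
class Txn:
    customer_id: str
    ts: datetime
    amount: float

def monitor(txns, expected_monthly):
    """Baseline rules over a transaction batch. expected_monthly: customer_id -> monthly volume
    declared at onboarding (CDD). Returns one (customer_id, rule, detail) tuple per rule hit."""
    alerts = []
    recent = defaultdict(deque)   # per customer: timestamps inside the velocity window
    volume = defaultdict(deque)   # per customer: (ts, amount) pairs inside the profile window
    for t in sorted(txns, key=lambda x: x.ts):
        if t.amount >= SINGLE_AMOUNT_LIMIT:
            alerts.append((t.customer_id, "amount_threshold", f"{t.amount:.2f}"))
        q = recent[t.customer_id]
        q.append(t.ts)
        while t.ts - q[0] > VELOCITY_WINDOW:   # drop transfers that aged out of the window
            q.popleft()
        if len(q) > VELOCITY_MAX_COUNT:
            alerts.append((t.customer_id, "velocity", f"{len(q)} transfers in {VELOCITY_WINDOW.total_seconds() / 3600:.0f}h"))
        v = volume[t.customer_id]
        v.append((t.ts, t.amount))
        while t.ts - v[0][0] > PROFILE_WINDOW:
            v.popleft()
        total = sum(a for _, a in v)
        expected = expected_monthly.get(t.customer_id)
        if expected is not None and total > PROFILE_MULTIPLIER * expected:
            alerts.append((t.customer_id, "exceeds_profile", f"{total:.2f} vs expected {expected:.2f}"))
    return alerts

def sample_alerts():
    """Constructed feed: A bursts 7 small transfers in two hours, B sends one large transfer,
    C quietly exceeds the volume it declared at onboarding. Expected: 4 alerts (B, A, A, C)."""
    base = datetime(2026, 1, 10, 9, 0)
    txns = [Txn("A", base + timedelta(minutes=15 * i), 200.0) for i in range(7)]
    txns.append(Txn("B", base, 7_500.0))
    txns += [Txn("C", datetime(2026, 1, d, 12, 0), 900.0) for d in (2, 5, 8, 12)]
    return monitor(txns, {"A": 5_000.0, "B": 20_000.0, "C": 1_000.0})
```

Each tuple is a review item for the designated owner, not an automatic SAR; the decision to file still belongs to a person, which is why the detail field carries the numbers they need to judge it.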
The Most Important Thing
The best AML program is one that actually gets used. I've seen elaborate programs that look great on paper but nobody follows. I've seen simple programs that catch real issues because people understand and believe in them.
Start simple, make it real, and evolve as you grow.
Need help building your AML program?
We help startups build proportionate compliance programs that work — and scale.