Frequently Asked Questions

Please reach us at info@keycompliancegroup.com if you cannot find an answer to your question.

Banks and FinTechs must comply with a wide range of federal and state laws, depending on their activities, licensing status, and business model. Here are the most critical regulations and frameworks to be aware of:


Anti-Money Laundering & Financial Crime

  • Bank Secrecy Act (BSA) – Requires AML programs, reporting of suspicious activity (SARs), large cash transactions (CTRs), and customer due diligence.
  • USA PATRIOT Act (Title III) – Expands BSA requirements, including Customer Identification Programs (CIP) and enhanced due diligence for foreign accounts.
  • FinCEN Rules – Ongoing rulemakings (e.g., Beneficial Ownership under the Corporate Transparency Act) directly impact KYC/CDD obligations.


Consumer Protection

  • Truth in Lending Act (TILA) – Disclosures for loans and credit products.
  • Equal Credit Opportunity Act (ECOA) – Prohibits discrimination in lending decisions.
  • Fair Credit Reporting Act (FCRA) – Governs use of consumer credit data.
  • Electronic Fund Transfer Act (EFTA) / Regulation E – Protects consumers using electronic payments.


Privacy & Data Protection

  • Gramm-Leach-Bliley Act (GLBA) – Requires safeguarding of consumer financial data and privacy notices.
  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) – Impacts FinTechs with users in California; requires data access, deletion rights, and opt-outs.
  • FTC Safeguards Rule – Enforces information security standards for non-bank financial institutions.


Licensing & Chartering

  • State Money Transmission Laws – FinTechs operating as money transmitters must be licensed in each state unless exempt.
  • National Bank Act / OCC Charters – Applies to national banks and FinTechs seeking special purpose charters.
  • FDIC and State Banking Authorities – Govern insured depository institutions and state-chartered banks.


Credit & Lending Compliance

  • Home Mortgage Disclosure Act (HMDA) – Requires certain lenders to collect and report mortgage lending data.
  • Fair Lending Laws – Enforced by CFPB, DOJ, and others; cover redlining, disparate impact, and other practices.
  • Servicemembers Civil Relief Act (SCRA) and Military Lending Act (MLA) – Protections for military borrowers.


Payments, Crypto, and Emerging Tech

  • Payments Compliance (NACHA rules, Reg E, UCC Article 4A) – Governs ACH, wires, and payment systems.
  • Securities Laws (SEC, Howey Test) – Apply to tokenized assets and investment platforms.
  • CFPB Regulation of BNPL, earned wage access, and embedded finance – Evolving rapidly.


Governance & Risk Management

  • Community Reinvestment Act (CRA) – Applies to banks; encourages lending in underserved communities.
  • FFIEC Guidelines – Include standards for cybersecurity, third-party risk, and model risk management.
  • OCC Heightened Standards – Governance, risk, and compliance expectations for larger institutions.


The BSA requires you to monitor financial activity, report suspicious transactions, and maintain anti-money laundering (AML) controls. This includes filing Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs).


Under the USA PATRIOT Act, financial institutions must implement a Customer Identification Program (CIP) to verify the identity of anyone opening an account. This includes collecting identifying information (e.g., name, date of birth, address, ID number), verifying it, and keeping records.


Know Your Customer (KYC) is broader—it refers to ongoing monitoring to understand customer behavior, assess risk, and flag suspicious activity. KYC is a key part of your Customer Due Diligence (CDD) process and Anti-Money Laundering (AML) program.


GLBA: provide clear privacy notices and secure customer data.

CCPA (if applicable): allow consumers to access, delete, and opt out of data sales, and update your privacy policy accordingly.


The licensing process includes submitting an application, providing a sound business plan, demonstrating sufficient capital, and undergoing reviews by regulators like the FDIC or OCC.


Create a documented process to intake, investigate, and resolve complaints. Track outcomes and ensure they’re handled fairly and in line with consumer protection laws.


CTRs must be filed for cash transactions over $10,000. SARs are required when there’s reason to suspect money laundering, fraud, or other suspicious behavior.


CRA applies to depository institutions and evaluates how well your bank meets the credit needs of its entire community, especially low- and moderate-income areas.


Regular risk assessments, employee training, endpoint protection, incident response plans, and encrypted data storage are key components of a strong cybersecurity program.


Conduct due diligence, monitor performance, include contractual protections, and ensure vendors meet regulatory expectations, especially when handling sensitive data or key functions.


Non-compliance can result in fines, enforcement actions, reputational damage, restricted business operations, or even loss of licensure.


Follow regulatory websites (FDIC, OCC, FinCEN), subscribe to industry alerts, participate in compliance networks, and consider working with consultants for ongoing support.


FinTechs must navigate money transmission laws, securities regulations, state-by-state licensing, and emerging data privacy laws, all while maintaining tech agility.


Banks are subject to more stringent oversight and ongoing exams. FinTechs often face fragmented state-level regulations but must still meet core federal standards.


The board is ultimately responsible for oversight. They should approve your compliance program, receive regular reporting, and foster a culture of accountability.



info@keycompliancegroup.com

Copyright © 2024-2025 Key Compliance Group, LLC - All rights reserved.
