Payments Compliance: State Licensing and Aml Defense

Federal money transmitter registration runs through FinCEN under Bank Secrecy Act regulations. Money services business (MSB) registration applies to entities transmitting money, exchanging currency, or providing similar services. The 31 C.F.R. § 1022 framework defines registration triggers and AML program requirements. Federal registration does not preempt state licensing.

State money transmitter licensing requires separate applications in 49 states plus the District of Columbia and Puerto Rico. Each jurisdiction maintains different definitions, capital requirements, surety bond minimums, and examination procedures. The Conference of State Bank Supervisors operates the Nationwide Multistate Licensing System for unified application processing. Counsel handling state licensing typically coordinates administrative case work across multiple jurisdictions simultaneously, since renewals and exams occur on rolling schedules.

The Money Transmission Modernization Act of 2021 emerged from CSBS as model state legislation harmonizing inconsistent state requirements. The model addresses agent-of-payee exemptions, virtual currency treatment, capital requirements, and examination procedures. State adoption began in 2022 with continuing legislative activity through 2024.

Adoption status varies substantially. Approximately 25 states adopted full or partial Modernization Act provisions through 2024. Other states continue under legacy frameworks producing operational complexity for multistate licensees. Companies expanding payment functionality should evaluate licensing implications across all relevant states before launch rather than waiting for cease-and-desist letters from individual state regulators. State convergence remains incomplete, leaving substantial compliance variation across jurisdictions for the foreseeable future.

Bank Secrecy Act AML programs require five core components for payment companies. Written policies and procedures must address risk identification, transaction monitoring, and reporting obligations. A designated compliance officer must possess sufficient authority and resources for the role. Ongoing training programs must reach all relevant personnel. Independent testing must occur on appropriate intervals through qualified parties.

Customer Due Diligence Rule effective May 2018 expanded BSA requirements substantially. Beneficial ownership identification became mandatory for legal entity customers. Risk-based customer due diligence procedures must address ongoing monitoring across the customer relationship. Enhanced due diligence applies to higher-risk relationships including correspondent accounts and politically exposed persons. Transaction monitoring systems must scale to detect suspicious patterns across customer activity, with regulator expectations rising substantially since 2022.

FinCEN Travel Rule requires transmittal of customer information for cross-border transfers above $3,000. Required information includes sender name, address, account number, transmitting institution, and beneficiary details. Receiving institutions must obtain corresponding information about beneficiaries. The rule predates digital payments but applies fully to modern remittance services and cross-border processors.

The 2020 FinCEN guidance extended Travel Rule application to cryptocurrency transactions through Money Services Business reach over virtual asset service providers. Counsel handling cross-border compliance frequently addresses foreign investment compliance work alongside Travel Rule obligations, since correspondent banking relationships intersect with foreign investment review when cross-border partnerships involve specific jurisdictions. Recent enforcement actions targeted incomplete Travel Rule data transmission as separate AML violations producing substantial penalties.

PCI DSS v4.0 became effective March 2024 with phased implementation extending through 2025. Future-dated requirements take effect March 2025 covering authentication, encryption, and risk assessment standards. Customized approach methodology allows alternative controls demonstrating equivalent security through documented validation.

Twelve high-level requirements remain consistent with prior versions while 64 new controls add specificity. Multi-factor authentication requirements expanded across non-administrative access. Encryption standards updated for card data transmission and storage. Vulnerability scanning frequency increased for some merchant tiers. Self-assessment questionnaires for smaller merchants face technical updates aligning with v4.0 controls. PCI Forensic Investigators must complete training updates addressing new requirements.

Office of Foreign Assets Control sanctions screening requires pre-transaction review against Specially Designated Nationals list and country-based programs. Real-time screening must address customer onboarding, ongoing monitoring, and transaction-level review. Match resolution procedures distinguish true matches from false positives through documented investigation processes. OFAC license applications address scenarios where sanctions affect otherwise legitimate transactions.

OFAC enforcement priorities since 2022 expanded substantially with Russia sanctions, Iran enforcement, and continuing Cuba/North Korea/Venezuela programs. Payment companies face strict liability for sanctions violations regardless of intent. Recent enforcement actions against payment processors for sanctions violations produced multimillion dollar penalties despite voluntary self-disclosure. Counsel handling sanctions compliance often coordinates administrative case work with OFAC license applications when transaction blockages affect legitimate business operations.

State money transmitter examinations occur on 18 to 24 month cycles depending on jurisdiction and risk assessment. Examination scope includes AML program review, financial condition analysis, and consumer complaint records. Examination report findings produce administrative responses ranging from informal corrective actions to formal enforcement orders. Multi-state coordination through CSBS produces uniform examination procedures across participating states.

State Money Transmission Examination Network coordinates examinations across multiple states reducing duplicative regulatory burden. The CSBS Money Services Business Call Report consolidates financial reporting across states. Recent coordination efforts produced multi-state settlement frameworks for major enforcement matters. Counsel responding to state examinations typically prepares responses addressing both state-specific findings and potential federal implications, since examination findings frequently trigger parallel FinCEN review.

FinCEN enforcement actions during 2024 targeted multiple major payment companies. Wise faced AML program deficiency penalties addressing transaction monitoring inadequacies. Remitly resolved cross-border AML matters through coordinated state and federal settlements. Block (Cash App) reached $175 million settlement with CFPB addressing consumer protection violations during 2024.

Western Union historic settlement patterns continue affecting industry expectations through ongoing regulatory dialogue. Recent FinCEN enforcement priorities targeted virtual currency exchanges, peer-to-peer payment apps, and cross-border remittance services. State regulators pursued parallel actions through California DFPI, New York DFS, and similar primary licensing jurisdictions. Companies facing enforcement should expect multi-jurisdictional coordination requiring strategic planning across overlapping proceedings rather than focusing on single agency negotiations. Counsel handling administrative case work frequently coordinates between federal and state regulators while managing public disclosure obligations affecting business operations.