FinCEN doesn't care that you don't hold a charter. If your neobank opens accounts, moves money, or touches customer funds through a sponsor bank, BSA/AML obligations apply - and regulators are testing whether you're actually executing them. The consent orders against BaaS banks in 2023–2025 made one thing clear: a sponsor bank's AML program does not substitute for your own. FinCEN's enforcement data shows that BSA/AML penalties against banks with fintech partnerships exceeded $150 million in 2023-2024, with inadequate oversight of fintech AML controls cited in the majority of those actions.
This guide covers what a neobank AML program requires in practice: the split-responsibility model with your sponsor bank, KYC and CDD at digital onboarding, transaction monitoring obligations, SAR filing mechanics, sanctions screening, and what examiners actually look for when they examine the bank-fintech relationship.
Key Takeaways:
- AML compliance for neobanks operates under the Bank Secrecy Act (31 U.S.C. § 5311 et seq.) through your sponsor bank's charter, but regulators evaluate your controls independently
- The sponsor bank files SARs, but you own front-line detection - KYC, transaction monitoring, and alert investigation
- FinCEN and federal banking regulators have pursued enforcement actions where the neobank had the data to detect suspicious activity but failed to escalate it
- OFAC sanctions screening must happen at onboarding, on an ongoing basis, and within 24 hours of list updates
- Examination findings increasingly target the neobank's role in the AML chain, not just the bank's
How AML Responsibility Splits Between Neobanks and Sponsor Banks
The foundational question in BaaS AML compliance is who owns what. The answer: both parties own more than they think.
Your sponsor bank holds the charter, maintains the BSA/AML program of record, and files SARs and CTRs with FinCEN. But the bank can't execute AML effectively without the neobank performing front-line functions - because the neobank controls the customer relationship, the onboarding flow, and often the transaction data.
Here's how responsibilities typically divide:
| AML Function | Neobank Responsibility | Sponsor Bank Responsibility |
|---|---|---|
| Customer Identification (CIP) | Collects and verifies identity at onboarding; maintains records | Oversees CIP procedures; validates neobank's verification methods |
| Customer Due Diligence (CDD) | Risk-rates customers; performs ongoing monitoring; conducts periodic reviews | Approves risk methodology; reviews high-risk customer decisions |
| Transaction Monitoring | Operates first-line monitoring or reviews bank-generated alerts; investigates activity | Maintains monitoring system of record; calibrates rules; makes final SAR determination |
| SAR Filing | Investigates suspicious activity; prepares SAR narratives; escalates to bank BSA team | Reviews investigation; makes filing decision; submits SAR to FinCEN |
| Sanctions Screening (OFAC) | Screens customers and transactions at onboarding and ongoing | Validates screening coverage; maintains OFAC compliance program |
| Independent Testing | Subjects own AML controls to periodic testing | Tests full BSA/AML program including neobank controls |
| Training | Trains own staff on AML red flags and procedures | Validates training adequacy; provides regulatory updates |
The critical detail: when examiners find a gap, they don't accept "the bank handles that" as an answer from the neobank, or "the fintech handles that" from the bank. The FFIEC BSA/AML Examination Manual tests both sides. If your neobank has the data to detect a pattern - and you didn't flag it - that's your failure.
For a broader view of how these obligations fit into overall neobank compliance, see our neobank compliance requirements guide.
AML KYC Onboarding for Neobanks
Digital onboarding is where AML KYC onboarding for neobanks either works or falls apart. Under 31 CFR § 1020.220, every customer must be identified and verified before account opening. For neobanks doing this entirely online, the stakes and the risks are higher than in branch-based models.
CIP Requirements in a Digital Environment
The Customer Identification Program must collect four pieces of information: name, date of birth, address, and identification number (SSN or ITIN for U.S. persons; passport or equivalent for non-U.S. persons). Verification must occur through documentary methods, non-documentary methods, or a combination.
For neobanks, this means:
- Document verification: ID upload with automated validation (checking for tampering, matching name/DOB to application data). Selfie-to-ID matching adds a layer but is not a regulatory requirement - it's a compensating control.
- Database verification: Cross-referencing applicant data against authoritative sources (credit bureaus, government databases). The regulation permits non-documentary verification, but you must document which sources you used and the results.
- Fraud screening overlap: Identity fraud detection and CIP verification serve different purposes but share inputs. A stolen identity that passes CIP verification is still a CIP compliance problem if your procedures should have caught it.
FinCEN has flagged digital-only CIP as a heightened risk area. If your identity verification vendor has measurable false-acceptance rates, your program must document what compensating controls exist - and that they're working. A 2% false-acceptance rate without compensating controls is an examination finding.
CDD and Beneficial Ownership at Onboarding
Customer Due Diligence under 31 CFR § 1020.210 requires neobanks to understand the nature and purpose of the customer relationship and develop a risk profile. This goes beyond identity verification.
At onboarding, CDD includes:
- Risk rating assignment based on product type, expected transaction volume, geographic factors, and customer characteristics. This must happen before or at account opening - not retroactively.
- Source of funds / source of wealth inquiry for higher-risk customers. If a customer's stated income doesn't match expected activity, that's a CDD obligation to resolve.
- Beneficial ownership collection for legal entity accounts under 31 CFR § 1010.230 - identifying all individuals with 25%+ ownership and at least one person with significant management responsibility.
The CDD rule explicitly requires ongoing monitoring - not just a one-time check. Customer profiles must be updated when activity patterns change or new information emerges. For a neobank processing thousands of new accounts daily, this means automated trigger-based reviews, not manual periodic sweeps.
Transaction Monitoring and SAR Filing Obligations
Transaction monitoring is where the split-responsibility model gets tested. The sponsor bank owns the monitoring system of record, but the neobank often has data the bank doesn't - app-level behavior, merchant category patterns, peer-to-peer flow details, and velocity metrics that core banking systems may not capture. The FFIEC BSA/AML Examination Manual explicitly states that transaction monitoring must cover all products and services offered through third-party relationships, and that reliance on the bank's monitoring alone is insufficient when the fintech controls unique data streams.
What Regulators Expect From the Neobank
Examiners evaluating AML compliance for neobanks focus on three questions:
- Do you generate or receive alerts? Either the neobank runs its own monitoring rules on its data, or the bank's system generates alerts that the neobank reviews. Both models work - but "we don't see the alerts" is a red flag.
- Do you investigate within the 30-day window? Under 31 CFR § 1020.320, the SAR filing clock starts at detection. If the bank's monitoring system flags activity on March 1, the SAR must be filed by March 31. Investigation delays at the neobank compress the bank's filing window.
- Is your escalation path documented and tested? When the neobank's investigation concludes that activity is suspicious, how does it reach the bank's BSA officer? Email isn't sufficient. There must be a defined escalation protocol with acknowledgment, tracking, and SLA documentation.
A Realistic Examination Finding
Consider a neobank offering consumer deposit accounts through a BaaS partner. The bank's transaction monitoring system generates alerts based on rule-sets calibrated to traditional banking patterns. But the neobank's customer base skews younger, with high-frequency, low-dollar peer-to-peer payments and cryptocurrency on-ramp activity.
During the bank's BSA examination, examiners pull a sample of neobank customer accounts. They identify three accounts that received structured cash deposits across multiple linked accounts - a pattern visible in the neobank's own data but not flagged by the bank's rules, which were calibrated for branch-based cash deposits. The neobank had the transaction data and the customer behavioral data to detect the pattern, but no monitoring rules covered it.
The finding: The bank receives an MRA (Matter Requiring Attention) for inadequate transaction monitoring coverage of its fintech partner's customer activity. The neobank's partnership agreement is amended to require the neobank to implement supplementary monitoring rules on its own data within 90 days - or face partnership termination.
This pattern has appeared in multiple consent orders. The OCC's and FDIC's enforcement actions against BaaS banks in 2023–2025 consistently cite gaps where the fintech partner's transaction data wasn't adequately monitored. FinCEN data indicates that SAR filings related to fintech and BaaS activity grew by over 60% between 2022 and 2025, reflecting both expanded enforcement scrutiny and the rapid growth of bank-fintech partnerships.
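The examination finding above turns on a rule the neobank could have run over its own data: cash loads that individually stay under the reportable threshold but add up across linked accounts. The following is an added example, not code from the page, Canarie, or any sponsor bank, showing what such a supplementary rule looks like and how the 30-day SAR clock from the previous section attaches to each alert. The threshold, the 7-day window, the account-linking map, and the deposits are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not the page's or any vendor's code. Thresholds, window,
# account-linking data and deposits below are constructed assumptions.
CTR_THRESHOLD = 10_000   # USD; reportable cash threshold the pattern stays under
WINDOW_DAYS = 7          # rolling look-back for aggregating cash loads (assumed)
SAR_FILING_DAYS = 30     # calendar days from initial detection (31 CFR 1020.320)


@dataclass(frozen=True)
class Deposit:
    account_id: str
    posted: date
    amount: float
    channel: str  # "cash_load", "p2p", "ach" ... (constructed labels)


# Constructed linkage: accounts sharing a device fingerprint or phone number.
# This is neobank-side data a core banking system typically does not see.
LINKED_ACCOUNTS = {
    "acct-1": "cluster-A", "acct-2": "cluster-A", "acct-3": "cluster-A",
    "acct-9": "cluster-B",
}

# Constructed sample activity for the first days of March 2025.
SAMPLE_DEPOSITS = [
    Deposit("acct-1", date(2025, 3, 1), 4_500.00, "cash_load"),
    Deposit("acct-2", date(2025, 3, 2), 3_800.00, "cash_load"),
    Deposit("acct-3", date(2025, 3, 3), 2_900.00, "cash_load"),
    Deposit("acct-9", date(2025, 3, 2), 9_500.00, "cash_load"),  # single load, nothing to aggregate
    Deposit("acct-5", date(2025, 3, 1), 6_000.00, "p2p"),         # not cash, ignored by this rule
    Deposit("acct-5", date(2025, 3, 2), 5_500.00, "p2p"),
]


def cluster_of(account_id):
    """Accounts with no known link form their own cluster."""
    return LINKED_ACCOUNTS.get(account_id, account_id)


def sar_deadline(detected):
    """SAR filing deadline: 30 calendar days after initial detection."""
    return detected + timedelta(days=SAR_FILING_DAYS)


def find_structured_cash(deposits, as_of):
    """Flag linked-account clusters whose cash loads in the window each stay
    under CTR_THRESHOLD but together reach it. Returns one alert per cluster."""
    window_start = as_of - timedelta(days=WINDOW_DAYS - 1)
    by_cluster = defaultdict(list)
    for dep in deposits:
        if dep.channel == "cash_load" and window_start <= dep.posted <= as_of:
            by_cluster[cluster_of(dep.account_id)].append(dep)

    alerts = []
    for cluster, loads in sorted(by_cluster.items()):
        total = sum(d.amount for d in loads)
        if (len(loads) >= 2 and total >= CTR_THRESHOLD
                and all(d.amount < CTR_THRESHOLD for d in loads)):
            alerts.append({
                "cluster": cluster,
                "accounts": sorted({d.account_id for d in loads}),
                "count": len(loads),
                "total": round(total, 2),
                "detected": as_of,
                "sar_deadline": sar_deadline(as_of),
                "status": "open",
            })
    return alerts


def overdue_alerts(alerts, today):
    """Alerts still open past their SAR deadline: the question the neobank
    must be able to answer when the bank asks whether every alert was worked
    within the 30-day window."""
    return [a for a in alerts if a["status"] == "open" and today > a["sar_deadline"]]


if __name__ == "__main__":
    for alert in find_structured_cash(SAMPLE_DEPOSITS, date(2025, 3, 3)):
        print(alert)
```

Run as-is, the rule raises one alert for cluster-A (three sub-threshold loads totalling $11,200) with a SAR deadline of April 2, 2025, and nothing for cluster-B or the peer-to-peer activity; the linking map is the piece the bank's branch-calibrated rules did not have.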
Neobank Sanctions Screening Requirements
Neobank sanctions screening under OFAC regulations is non-negotiable and has zero tolerance for gaps. Every neobank must screen against the OFAC Specially Designated Nationals (SDN) list and other OFAC lists at multiple touchpoints.
When to Screen
- At onboarding: Every applicant must be screened before account opening. No exceptions.
- On an ongoing basis: Existing customers must be rescreened when OFAC updates its lists. Updates can happen multiple times per week.
- Transaction screening: International wires and, depending on your risk profile, domestic transactions must be screened against OFAC lists.
- Within 24 hours of list updates: When OFAC adds or modifies SDN entries, your screening must incorporate the changes within 24 hours. Examiners check implementation timestamps.
What Goes Wrong
The most common sanctions screening failures for neobanks:
- Fuzzy matching calibration: Screening tools that match only on exact names miss transliteration variants, aliases, and name reordering. Examiners test this by checking whether known SDN entries with common name variants would be caught by your system.
- Disposition of potential matches: When a screening hit occurs, someone must investigate and resolve it. Auto-clearing potential matches without investigation is an examination finding. Document who reviewed the match, what additional information was considered, and why it was cleared or escalated.
- Blocked property reporting: If you identify a match to the SDN list and block funds, OFAC requires a report within 10 business days. Failing to report blocked property is a separate violation.
The Neobank-Specific Risk
Neobanks with rapid onboarding flows face a timing problem. If your account opening process takes 90 seconds but OFAC screening takes 15 seconds, there's pressure to make screening asynchronous or to lower matching thresholds to reduce false positives. Both create risk. Screening must complete before the customer gains access to funds. Period. OFAC's enforcement actions demonstrate zero tolerance on this point: penalties for processing transactions involving sanctioned parties have reached $8 million per violation for financial institutions, regardless of whether the violation was at the bank or fintech layer.
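The three failure modes listed under "What Goes Wrong" (exact-only matching, auto-cleared hits, stale lists) and the timing point just made all show up in how the screening step is wired into onboarding. The following is an added example, not code from the page or from any screening vendor: it normalizes names so reordering and transliteration variants still match, holds any potential match for a named reviewer rather than clearing it, and refuses to open an account unless the list in use is less than 24 hours old. The list entries, names, timestamps and the 0.85 threshold are constructed assumptions; no real SDN data is used.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

# Added example, not the page's or any vendor's code. The list, names,
# threshold and timestamps are constructed assumptions; no real SDN data.
MATCH_THRESHOLD = 0.85            # assumed calibration; tune against known variants
LIST_MAX_AGE = timedelta(hours=24)

NOW = datetime(2025, 3, 3, 12, 0, tzinfo=timezone.utc)        # constructed clock
STALE_NOW = datetime(2025, 3, 5, 12, 0, tzinfo=timezone.utc)  # two days later

SAMPLE_LIST = {  # constructed, fictitious entries in the shape of a list feed
    "published": datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    "entries": [
        {"uid": "FAKE-0001", "name": "Ivan Petrovich Sokolov", "aliases": ["Sokolov, Ivan"]},
        {"uid": "FAKE-0002", "name": "Mohammed Al-Rashid", "aliases": ["Muhammad Alrashid"]},
    ],
}


def normalize(name):
    """Fold accents, case and punctuation, then sort tokens so that reordered
    names ("Sokolov, Ivan" vs "Ivan Sokolov") compare equal."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", ascii_text.lower())))


def similarity(a, b):
    """Character-level ratio on normalized forms; catches spelling variants
    such as Mohamed/Mohammed that exact-name matching would miss."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class ScreeningResult:
    applicant: str
    screened_at: datetime
    list_current: bool
    hits: list = field(default_factory=list)

    @property
    def outcome(self):
        return "hold" if self.hits else "clear"


def list_is_current(sanctions_list, now):
    """24-hour freshness check on the list version the screen ran against."""
    return now - sanctions_list["published"] <= LIST_MAX_AGE


def screen(applicant_name, sanctions_list, now):
    """Screen one applicant against each entry's primary name and every alias."""
    hits = []
    for entry in sanctions_list["entries"]:
        names = [entry["name"], *entry["aliases"]]
        best = max(similarity(applicant_name, n) for n in names)
        if best >= MATCH_THRESHOLD:
            hits.append({"uid": entry["uid"], "score": round(best, 3)})
    return ScreeningResult(applicant_name, now, list_is_current(sanctions_list, now), hits)


def can_open_account(result):
    """Gate: funds access only after a clear result against a current list.
    A hold, or a screen run on a stale list, never opens the account."""
    return result.outcome == "clear" and result.list_current


def disposition(result, reviewer, decision, rationale):
    """Resolve a hold. A potential match is never auto-cleared: the record
    names who reviewed it, what they decided and why."""
    if result.outcome != "hold":
        raise ValueError("nothing to disposition: result was clear")
    if decision not in ("false_positive", "escalate_to_bank"):
        raise ValueError("decision must be false_positive or escalate_to_bank")
    if not reviewer or not rationale.strip():
        raise ValueError("a named reviewer and written rationale are required")
    return {
        "applicant": result.applicant,
        "hits": list(result.hits),
        "reviewer": reviewer,
        "decision": decision,
        "rationale": rationale,
        "screened_at": result.screened_at.isoformat(),
    }
```

With the constructed list, "Ivan Sokolov" is caught through the reordered alias and "Mohamed Al Rashid" through the spelling-variant ratio, while "Jane Doe" clears; the same clear result taken at STALE_NOW still fails the gate because the list is older than 24 hours. The threshold is the calibration knob the examiner will probe: lower it and false positives climb, raise it and the variants above slip through, so it should be set against a test set of known variants rather than against complaint volume.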
FinCEN Expectations for Neobank AML Programs
FinCEN has not issued neobank-specific AML guidance, but its expectations are clear from enforcement actions, advisory notices, and the regulatory framework under 31 U.S.C. § 5311 et seq. The agency evaluates neobank AML programs through the sponsor bank examination - and the expectations are the same five pillars that apply to any financial institution.
What FinCEN Tests Through the Bank Exam
- Internal controls: Does the neobank have written AML procedures? Are they followed? Is there evidence of execution - not just policies on a shelf?
- Designated compliance officer: Does someone at the neobank own AML compliance with documented authority and direct access to senior management?
- Training: Are neobank employees trained on AML red flags specific to their products? Is completion documented?
- Independent testing: Has the neobank's AML program been tested independently? Testing the bank's program alone isn't sufficient if the neobank operates distinct controls.
- CDD program: Is the neobank's CDD implementation consistent with 31 CFR § 1020.210? Are risk ratings assigned and updated?
Recent Enforcement Patterns
The enforcement trend since 2023 has been consistent: regulators penalize the bank, and the bank passes operational consequences to the neobank. Consent orders against BaaS banks have included requirements to:
- Pause onboarding new fintech partners until AML deficiencies are remediated
- Require existing fintech partners to submit independent AML program assessments
- Mandate that fintechs implement their own supplementary monitoring within defined timelines
- Require the bank to terminate partnerships where the fintech cannot demonstrate adequate AML controls
For neobanks, this means your AML program quality directly affects your business continuity. A weak program doesn't just create regulatory risk - it creates partnership risk.
For a broader view of BSA/AML program requirements, including the five-pillar framework and examination procedures, see our BSA/AML compliance checklist.
Building AML Compliance Tools for Neobank Operations
Choosing the right AML compliance tools for neobanks matters because the volume and velocity of digital banking don't allow for manual processes. A neobank onboarding 5,000 customers per week can't run CIP, CDD, and sanctions screening through spreadsheets and email threads.
The tooling stack for a neobank AML program typically includes:
- Identity verification and KYC: Automated document verification, database checks, and screening at onboarding. Must integrate with your account opening flow and produce auditable records.
- Transaction monitoring: Either your own rule engine or integration with the bank's monitoring system - with a defined process for alert receipt, investigation, and escalation.
- Case management: SAR investigation workflow tracking from alert to filing decision, with 30-day deadline enforcement and documented rationale at each step.
- Sanctions screening: Real-time OFAC screening at onboarding and ongoing, with list update monitoring, potential match investigation, and blocked property reporting.
- Evidence and audit trail: Every CIP verification, CDD review, alert investigation, SAR decision, and screening result must be recorded with timestamps, owners, and outcomes.
The gap for most neobanks isn't the point tools - it's connecting them into a workflow that produces the evidence regulators demand. Your KYC vendor generates verification results. Your monitoring system generates alerts. But who tracks that every alert was investigated within 30 days? Who ensures CDD reviews happened on schedule? Who produces the evidence package when the bank's compliance team asks for it?
That's the execution layer. And that's where programs fail examination.
How Neobank AML Teams Close the Evidence Gap
The pattern in AML examination findings is consistent: the neobank had policies, had tools, and often had people doing the work. What was missing was documented proof that the work happened on time, by the right person, with the right outcome recorded.
Canarie maps AML obligations - CDD reviews, SAR investigation timelines, sanctions screening updates, training cycles - into executable workflows with built-in evidence capture. When a CDD review is due, it generates with an assigned owner and deadline. When a SAR investigation completes, the decision, rationale, and escalation path are recorded automatically. When OFAC lists update, screening verification is tracked with timestamps.
When your sponsor bank requests an AML evidence package, or when examiners arrive, everything is already organized - because the evidence was captured as the work happened, not reconstructed after the fact.
Frequently Asked Questions
Does a neobank need its own AML program separate from the sponsor bank?
Yes. The sponsor bank's BSA/AML program is the program of record, but regulators expect the neobank to operate front-line AML controls: customer identification, due diligence, transaction monitoring participation, and suspicious activity escalation. The FFIEC BSA/AML Examination Manual tests whether both parties in a bank-fintech relationship are fulfilling their respective roles. Having no independent AML controls is an examination finding against the bank - which becomes a partnership risk for you.
What happens if the neobank detects suspicious activity but fails to escalate?
The SAR filing obligation belongs to the bank, but if the neobank had information indicating suspicious activity and didn't escalate it, both parties are exposed. FinCEN can impose civil money penalties on any person - not just the bank - involved in BSA violations under 31 U.S.C. § 5321. In practice, the bank faces the regulatory enforcement action and passes operational consequences to the neobank through the partnership agreement, up to and including termination.
How should neobanks handle OFAC screening for high-volume onboarding?
Screening must be real-time and must complete before the customer accesses funds. For neobanks processing thousands of applications daily, this requires automated screening integrated into the onboarding flow. Potential matches must trigger a hold - not a post-hoc review. OFAC expects that list updates are incorporated within 24 hours and that existing customers are rescreened against updated entries. Fuzzy matching must be calibrated to catch name variants and transliterations without generating unmanageable false positive volumes.
What AML-specific documentation should neobanks maintain for sponsor bank audits?
Prepare evidence packages covering: CIP verification records (method used, result, date), CDD risk rating documentation (methodology, individual ratings, periodic review records), transaction monitoring participation (alerts received or generated, investigation records, escalation logs, SAR decision documentation), sanctions screening logs (onboarding screens, list update implementation dates, potential match dispositions), training records (completion dates, content covered, attendee lists), and independent testing results. For practical guidance on automating this evidence capture across compliance functions, see our fintech compliance automation guide.
Are neobanks subject to FinCEN's beneficial ownership requirements?
If your neobank opens accounts for legal entities - business accounts, LLC accounts, or similar - the beneficial ownership requirements under 31 CFR § 1010.230 apply. You must collect and verify information on all individuals owning 25% or more of the entity and at least one individual with significant management responsibility. This applies at account opening, and changes in beneficial ownership must be captured through your ongoing CDD procedures. FinCEN's beneficial ownership reporting requirements (effective 2024) add a separate obligation for entities to report to FinCEN directly, but this does not replace your CDD collection obligation.