AML Requirements for Payment Processors: Complete Guide

Introduction

Payment processors sit in a regulatory gray zone that's getting harder to ignore. They move enormous volumes of money daily — US card purchase volume alone hit $11.9 trillion in 2024, according to the Nilson Report — yet most operate without the formal AML obligations that govern banks, credit unions, and money services businesses.

That gap is closing fast. Banking partners are requiring documented compliance programs as a condition of account maintenance. Regulators are expanding coverage globally. And enforcement actions — including an $80 million penalty against Block/Cash App in 2025 — are making the cost of inaction very clear.

This guide covers what payment processor compliance actually requires in practice:

  • The US regulatory framework that applies to payment processors
  • Core AML program requirements banking partners and examiners expect
  • Risk factors unique to the payments business model
  • What a scalable compliance program looks like in practice

Key Takeaways

  • Payment processors aren't direct BSA financial institutions, but bank partners are required to treat them as high-risk customers
  • Losing a banking relationship is now the primary compliance risk for processors without documented AML programs
  • Core requirements include written AML policy, merchant KYC/CDD, transaction monitoring, sanctions screening, and a designated compliance officer
  • Processors issuing prepaid cards, originating ACH, or transmitting funds may cross into MSB territory and face direct AML obligations
  • Global regulation — including the EU AMLR and Canada's FINTRAC — is moving toward direct AML coverage of payment service providers

What Is AML in Payment Processing, and Why Does It Matter?

Anti-money laundering in the payment processing context refers to the policies, controls, and procedures that prevent payment infrastructure from being used to move illicit funds. The relevant typologies include transaction laundering (routing fraudulent sales through legitimate-looking merchant accounts), terrorist financing, and systematic merchant fraud.

Payment processors are structurally exposed to financial crime risk. The business model creates inherent vulnerabilities:

  • Merchants are approved quickly, often with minimal documentation
  • Transaction volumes span thousands of merchants across dozens of industries
  • The processor typically has no direct banking relationship with underlying merchants
  • Compliance infrastructure rarely matches the scale of banking institutions

The FFIEC's BSA/AML Examination Manual is direct on this point: processors pose greater money laundering and fraud risk when they cannot effectively verify merchant identities or business practices. That gap between onboarding speed and verification depth is where regulators focus — and where compliant programs must be built.

Does the BSA Apply to Payment Processors? The US Regulatory Landscape Explained

The Direct Obligation Question

In the US, third-party payment processors (TPPPs) are generally not classified as financial institutions under the Bank Secrecy Act and are therefore not directly subject to BSA/AML regulatory requirements.

Banks, credit unions, and money services businesses carry direct BSA obligations. Most payment processors do not — at least not by virtue of being processors alone.

The Indirect Pressure That Functions Like an Obligation

The absence of a direct mandate doesn't mean processors operate free of AML expectations. Banks serving payment processors are required to treat them as high-risk customers and conduct enhanced due diligence on them.

The FFIEC BSA/AML Examination Manual explicitly identifies TPPPs as a heightened risk category.

In practical terms, this means:

  • Your bank is reviewing your AML controls as part of its own compliance program
  • Insufficient documentation can trigger account restrictions or termination
  • FDIC guidance from 2012 specifically notes that contracts should protect financial institutions by providing for immediate account closure when processors fail to maintain adequate controls

For most processors, losing a banking relationship is an existential threat. A terminated banking relationship can halt operations overnight — which is why AML controls are a business continuity priority, regardless of what the regulations technically require.

When Direct BSA Obligations Do Apply

Business model matters significantly here. Processors that move beyond merchant payment facilitation may cross into MSB territory under 31 CFR 1010.100, triggering direct AML program obligations under 31 CFR Part 1022. Triggering activities include:

  • Transferring funds on behalf of customers (rather than facilitating merchant payments) qualifies as money transmission
  • Issuing or distributing prepaid cards — FinCEN's 2011 prepaid access final rule added SAR filing and customer/transaction recordkeeping requirements
  • Originating ACH transactions under certain structural models may also constitute money transmission

Every processor should assess its own model carefully. The exclusion under 31 CFR 1010.100(ff)(5)(ii)(B) for processors facilitating purchase of goods or services through clearance and settlement systems is real — but it's activity-specific and not a blanket shield.

Global Direction of Travel

Internationally, the trend is unambiguous: regulators are moving toward direct AML coverage of payment service providers.

  • EU: Payment institutions are regulated as obliged entities under EU AML Directives and PSD2, with Regulation (EU) 2024/1624 (the AMLR) applying from July 2027
  • Canada: SOR/2022-76, registered April 2022, expanded FINTRAC registration and AML obligations to crowdfunding platforms and certain PSPs

US processors with international operations or EU-facing banking partners should be watching these developments closely.


Core AML Requirements Payment Processors Must Address

Whether or not a direct legal mandate applies, the following represent the baseline that banking partners, examiners, and direct regulators will expect to see.

KYC and Customer Due Diligence (CDD)

KYC for payment processors has two layers: verifying the processor's own principals, and — more critically — verifying the merchants being onboarded.

Merchant KYC should include:

  • Business registration documents and legal entity verification
  • Beneficial ownership identification (who ultimately owns and controls the merchant)
  • Validation of the merchant's actual business model and industry
  • Risk profile assessment before the first transaction clears

Enhanced Due Diligence (EDD) applies when the risk profile is elevated. Trigger criteria include:

  • High-risk merchant categories (online gaming, adult content, telemarketing, money services businesses)
  • High-risk geographies or complex ownership structures
  • Merchants previously declined by other processors
  • Merchants with limited operating history or inconsistent business documentation

EDD isn't a one-time check — periodic review is required, especially when merchants change business models or show unusual transaction patterns.

Transaction Monitoring

Transaction monitoring is the ongoing surveillance of payment activity to catch anomalies before they become enforcement problems. Effective monitoring requires establishing a baseline for each merchant's expected behavior, then flagging meaningful deviations.

Key red flags to monitor include:

  • Sudden spikes in transaction volume inconsistent with merchant history
  • Structuring patterns — repeated transactions just below reporting thresholds
  • High chargeback or ACH return rates
  • Transactions involving high-risk jurisdictions
  • Rapid fund-cycling behavior

On ACH specifically, NACHA sets measurable return-rate benchmarks: 0.5% for unauthorized debit returns, 3.0% for administrative returns, and 15.0% for overall debit returns. These are network risk benchmarks, not AML thresholds — but exceeding them warrants AML investigation, not just operational remediation. The FFIEC manual reinforces this: high ACH return rates for insufficient funds or unauthorized transactions are an AML concern, not just a payment operations issue.
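
An added example (not part of the original guide): per-merchant ACH return rates checked against the three benchmarks quoted above, with every breach routed to AML review rather than treated as an operations issue only. The reason-code grouping, the merchant IDs, the single measurement window, and the `min_debits` cutoff are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Benchmarks quoted in the text above, as fractions of originated debits.
THRESHOLDS = {"unauthorized": 0.005, "administrative": 0.03, "overall": 0.15}

# Assumption: reason-code grouping used here for illustration; confirm it
# against the current NACHA Operating Rules before relying on it.
CATEGORY_CODES = {
    "unauthorized": {"R05", "R07", "R10", "R11", "R29", "R51"},
    "administrative": {"R02", "R03", "R04"},
}

def return_rates(debits):
    """debits: iterable of (merchant_id, return_code or None) for one window.
    Returns {merchant_id: {"debits": n, "unauthorized": rate, ...}}."""
    totals = Counter()
    returned = defaultdict(Counter)
    for merchant, code in debits:
        totals[merchant] += 1
        if code is None:
            continue  # debit settled, nothing returned
        returned[merchant]["overall"] += 1
        for category, codes in CATEGORY_CODES.items():
            if code in codes:
                returned[merchant][category] += 1
    rates = {}
    for merchant, n in totals.items():  # n >= 1, so no division by zero
        rates[merchant] = {"debits": n}
        for category in THRESHOLDS:
            rates[merchant][category] = returned[merchant][category] / n
    return rates

def aml_escalations(debits, min_debits=100):
    """List merchants over any benchmark; each hit goes to AML review."""
    findings = []
    for merchant, r in sorted(return_rates(debits).items()):
        breached = [c for c, limit in THRESHOLDS.items() if r[c] > limit]
        if not breached:
            continue
        findings.append({
            "merchant": merchant,
            "breached": breached,
            "debits": r["debits"],
            # Small samples make rates noisy: keep the hit, mark it for an analyst.
            "low_volume": r["debits"] < min_debits,
            "route": "aml_review",
        })
    return findings

def sample_window():
    """Constructed sample data: three hypothetical merchants."""
    rows = [("M-RETAIL", None)] * 995 + [("M-RETAIL", "R01")] * 5
    rows += [("M-TELE", None)] * 960 + [("M-TELE", "R10")] * 12
    rows += [("M-TELE", "R03")] * 28
    rows += [("M-NEW", None)] * 8 + [("M-NEW", "R01")] * 2
    return rows

if __name__ == "__main__":
    for finding in aml_escalations(sample_window()):
        print(finding)
```

In the constructed data, M-TELE stays under the overall and administrative benchmarks but breaches the unauthorized one, which is the pattern an overall-rate check alone would miss.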

Sanctions Screening and SAR Filing

Sanctions screening must cover merchants, beneficial owners, and transaction counterparties against OFAC's SDN list, other government sanctions lists, and PEP databases. OFAC frames screening as risk-based and responsive to ongoing list changes, meaning a one-time onboarding screen is insufficient. Because lists are updated continuously, screening must be operationalized as an ongoing, post-onboarding process.

SAR filing is nuanced for processors. Processors without direct BSA obligations aren't independently required to file SARs, but their activity can still trigger a SAR filing by their own bank. Processors classified as MSBs must file under 31 CFR 1022.320, with a $2,000 threshold and 30-day filing window after detection.

For processors without a direct filing obligation, maintaining internal escalation procedures and SAR-equivalent documentation signals program maturity to examiners and reduces the risk of triggering adverse bank action.

Written AML Program, Compliance Officer, and Staff Training

Regulators and banking partners look for four foundational elements:

  1. Written, board-approved AML policy — tailored to the payment processing business model, not copied from a bank template
  2. Designated compliance officer — with defined authority, accountability, and direct reporting access to senior leadership
  3. Documented training program — with evidence of completion for all relevant staff
  4. Independent review or audit process — to test whether the program is actually working, not just documented

Pillars FinCrime Advisory works with payments companies on AML program development and fractional CCO/BSA Officer services — including processors building out these four pillars without a full-time compliance hire.


AML Risk Factors Unique to Payment Processors

Transaction Laundering

Unlike banks, processors often aggregate thousands of merchants — some of whom may be processing transactions for undisclosed third parties, operating businesses different from what was described at onboarding, or deliberately obscuring their true activity. The FTC's 2023 action against payment processors routing sales for tech-support scammers illustrates how this plays out: legitimate-looking merchant accounts become laundering conduits.

ISO and Gateway Layering

When processors re-sell services through Independent Sales Organizations or gateway arrangements, they may have no direct relationship with the end merchant. Each additional layer obscures the true source of transactions and complicates due diligence.

Industry comment letters to CSBS have flagged nested processor arrangements as a mechanism that creates visibility gaps in the payment system. The FFIEC manual treats the absence of direct merchant relationships as a core TPPP risk factor.

High-Risk Merchant Categories

Certain merchant types carry disproportionate fraud and money laundering exposure. FinCEN and FFIEC have identified:

  • Telemarketing merchants
  • Internet merchants (broad category)
  • Internet gaming
  • Prepaid travel services
  • Online tobacco
  • Adult entertainment

Processors need written policies that identify these categories, apply enhanced scrutiny during onboarding, require ongoing monitoring, and in some cases restrict onboarding entirely based on risk appetite.

Return and Chargeback Signals

Abnormally high ACH return rates and chargeback ratios are more than operational headaches — they're AML red flags that can signal deeper problems. FinCEN's 2012 advisory identifies the following as indicators warranting investigation and potential SAR filing:

  • Elevated ACH return rates pointing to unauthorized transactions
  • Chargeback patterns consistent with account takeover fraud
  • Systematic merchant fraud running through the processor's infrastructure
  • Unusual volume of consumer complaints

Building a Scalable AML Compliance Program for Payment Processors

Three design principles should drive program architecture:

  1. Risk-Based Calibration: Match controls to the actual risk profile of your merchant portfolio. A processor serving low-risk retail doesn't need the same monitoring intensity as one serving high-risk e-commerce — one-size-fits-all programs generate excessive false positives and miss real risk.

  2. Volume-Independence: Scale through documented procedures and technology, not headcount. Well-tuned monitoring rules and clear escalation procedures let programs absorb growth without proportional staffing increases.

  3. Audit-Readiness: Maintain documentation, policies, and testing evidence so the program can withstand scrutiny at any point — whether from a banking partner review, regulatory examination, or internal audit.

Annual Risk Assessment

An effective AML program isn't static. Processors should conduct formal annual risk assessments that account for:

  • Changes in merchant mix or new industry verticals
  • New product offerings or geographic expansion
  • Emerging typologies relevant to the payments sector
  • Updates to regulatory guidance or enforcement trends

Assessment findings should directly inform updates to monitoring rules and policies.

Processors at early, growth, or remediation stages often benefit from working with specialized advisory firms that can conduct gap assessments, develop fit-for-purpose policies, and prepare leadership for banking partner or regulatory scrutiny. Pillars FinCrime Advisory provides this type of executive-level AML advisory support — from program design and gap assessments to sponsor bank representation.


AML Regulatory Trends Shaping Compliance for Payment Processors in 2026

Bank-Processor Relationship Scrutiny Is Intensifying

In July 2024, the Federal Reserve, FDIC, and OCC issued a joint statement on banks' arrangements with third parties to deliver bank products and services, emphasizing due diligence, contracts, and ongoing monitoring requirements. While not TPPP-specific, this guidance reinforces the broader regulatory expectation that banks actively manage their processor relationships — and terminate those that don't meet AML standards.

The FDIC's 2012 processor guidance remains the TPPP-specific baseline: contracts should protect financial institutions through provisions for immediate account closure when processors fail to maintain adequate controls.

The ENABLERS Act and Legislative Direction

H.R.5525, the ENABLERS Act, was introduced in the 117th Congress to expand the BSA definition of "financial institution" to cover certain gatekeeper businesses, which would bring additional intermediaries under direct SAR filing and AML program obligations. The bill did not become law, and no reintroduction in the 118th or 119th Congress had been confirmed at the time of writing.

The legislative intent is clear: Congress sees coverage gaps for non-bank financial intermediaries as an unfinished problem. Processors operating in that gray zone should track reintroduction activity and assess whether their current programs would satisfy direct BSA obligations if the gap closes.

EU AMLR and Global Convergence

The EU's Anti-Money Laundering Regulation (Regulation (EU) 2024/1624), with a primary application date of July 10, 2027, establishes directly applicable AML rules for obliged entities including payment institutions — without requiring member-state transposition as previous directives did. Combined with Canada's 2022 FINTRAC expansion, the pattern is consistent across jurisdictions: regulators are moving toward direct AML obligations for payment service providers, not delegating that responsibility upstream to banks.

Key implications for US processors with cross-border exposure:

  • EU-facing operations will face directly applicable rules by July 2027 — no member-state phase-in buffer
  • International banking partners increasingly expect program standards that align with their own regulatory requirements
  • Stress-testing your program against AMLR now positions you ahead of binding deadlines, not scrambling at them

Frequently Asked Questions

What are the main AML compliance requirements for payment processors?

The core pillars of a payment processor AML program include:

  • Written, board-approved AML policy
  • KYC/CDD procedures for merchant onboarding
  • Ongoing transaction monitoring
  • Sanctions screening against OFAC and government lists
  • SAR escalation procedures
  • Designated compliance officer with defined authority
  • Documented staff training and independent program review

Does the BSA apply to payment processors?

The BSA generally does not impose direct AML obligations on payment processors in the US — but processors' banking partners are required to treat them as high-risk customers. Processors without adequate AML controls face account termination. Processors that issue prepaid cards, originate ACH, or transmit funds may qualify as MSBs with direct obligations.

What are the new AML regulations in 2026?

Key developments include EU AMLR progress toward its July 2027 application date, continued enforcement trends in North America (including the 2025 Block/Cash App $80 million penalty), and intensified bank guidance on third-party processor relationships. Consulting a compliance advisor is the most reliable way to stay current, as this space is evolving rapidly.

What is AML in payment processing?

AML in payment processing refers to the controls, policies, and monitoring systems that prevent payment infrastructure from being used to move illicit funds. The primary typologies are transaction laundering, systematic merchant fraud, and terrorist financing — all of which exploit the high-volume, multi-merchant nature of payment processing.

What happens if a payment processor doesn't have an AML program?

Banks may restrict or terminate accounts, which is often an existential threat to operations. Processors that cross into MSB territory without an AML program face direct regulatory fines. High-profile enforcement actions also carry reputational consequences that complicate future banking partner relationships.

How do payment processors manage merchant AML risk?

Processors manage merchant AML risk through risk-based onboarding and KYC procedures, with transaction monitoring calibrated to each merchant's profile. Periodic reviews catch business model changes, and written policies for restricted or high-risk categories define both escalation and offboarding procedures.