Field guides on BSA/AML compliance, sponsor-bank oversight, transaction monitoring, and what examiners actually look for, written by the people who sat in the chair. Confident, specific, never hype.
Who owns what between a sponsor bank and its fintech partners, where partnerships fail an exam, and how to build oversight that produces evidence instead of binders.
The five pillars in plain language: internal controls, a designated officer, training, independent testing, and customer due diligence. How each one shows up in an exam.
What the proposed program rule (RIN 1506-AB72) would change: an effective, risk-based standard, a mandatory risk assessment tied to the national priorities, and what to do now. A proposal, not yet law.
The five W's and how, the anatomy of a strong narrative, a before/after example, the mistakes that draw scrutiny, and a filing-ready checklist.
What it is, when you need one, the benchmarks to measure against, a step-by-step method, how to score gaps, and how to turn findings into a remediation plan that closes.
What the exam tests, how it unfolds, the documents examiners request, where fintechs get caught, and a runbook to be ready before the entry letter arrives.
Why compliance is the launch gate, what your sponsor bank checks in diligence, the program you need at go-live, onboarding and monitoring controls, and a pre-launch checklist.
The failures that recur across public enforcement actions, why they trace back to the pillars, and how to find your risk before a regulator does.
Who needs a license, the state-by-state reality, the federal MSB layer, the BSA/AML obligations that come with it, and how to stay examiner-ready.
The licensing and money-transmission terms in plain language: MSB, MTL, NMLS, surety bond, permissible investments, control person, and more.
Who is a reporting entity, enrolment with AUSTRAC, the Part A / Part B program, the SMR / TTR / IFTI reports, independent review, and Tranche 2.
The AUSTRAC-regime terms in plain language: reporting entity, designated service, AML/CTF Program, SMR, TTR, IFTI, Tranche 2, and more.
The terms a compliance team actually uses, defined in plain language: SAR, CTR, CDD, EDD, KYC, beneficial ownership, OFAC, sponsor bank, SR 11-7, and more.
Who GDPR applies to, the core principles, lawful bases, data-subject rights, DPIAs, the 72-hour breach rule, DPO requirements, and penalties.
The data-privacy terms in plain language: controller, processor, lawful basis, DPIA, DPO, DSAR, SCCs, supervisory authority, and more.
Who must comply, the Privacy / Security / Breach Notification Rules, the safeguards, risk analysis, BAAs, breach timelines, and enforcement.
The HIPAA terms in plain language: PHI, ePHI, covered entity, business associate, BAA, the three Rules, safeguards, minimum necessary, and more.
Who must comply, the consumer rights, sale vs share, service providers vs contractors, notice at collection, the CPPA, and how CCPA differs from GDPR.
The California privacy terms in plain language: personal information, sensitive PI, business, service provider, sale, share, the CPPA, and more.
Territorial scope, the legal bases, data-subject rights, controlador / operador / encarregado roles, the ANPD and sanctions, and how LGPD differs from GDPR.
The Brazilian privacy terms in plain language: LGPD, ANPD, controlador, operador, encarregado, titular, legal basis, international transfer, and more.
Who is covered, the cybersecurity program and CISO requirements, MFA and encryption, the 72-hour notice to DFS, and the annual certification.
The Part 500 terms in plain language: Covered Entity, CISO, nonpublic information, MFA, 72-hour notice, certification of compliance, and more.
Who must comply, the cardholder data environment and scope, the 12 requirements and 6 control objectives, merchant levels, SAQ vs ROC, and validation.
The card-security terms in plain language: cardholder data, CDE, PAN, SAD, QSA, ASV, SAQ, ROC, AOC, segmentation, tokenization, and more.
The five pillars of digital operational resilience: ICT risk management, incident reporting, resilience testing, third-party risk, and oversight of critical providers.
The DORA terms in plain language: ICT risk, critical third-party provider, register of information, major incident, threat-led penetration testing, and more.
What SR 11-7 requires, why it covers AI compliance tools, what validation means, explainability and the audit trail, the human in the loop, and the questions to ask any AI vendor.
The objection that regulators will not accept AI is backwards. What examiners actually object to, what makes AI-supported work acceptable, and how to present it.
A fair, practitioner's comparison: what each does well, where they differ, when to choose which, and whether to use both.
Who the Act binds, the four risk tiers and Annex III high-risk systems, the obligations on providers and deployers, GPAI model duties, conformity assessment, and the phased timeline.
The EU AI Act terms in plain language: AI system, provider, deployer, high-risk AI, Annex III, prohibited practices, GPAI, conformity assessment, CE marking, and more.
Who SOX applies to, Sections 302 and 404, the COSO framework, design vs operating effectiveness, deficiency severity, and the audit cycle.
The ICFR terms in plain language: Section 302, Section 404, material weakness, significant deficiency, COSO, RCM, key control, PCAOB, and more.
Who is in scope after the Omnibus changes, double materiality, reporting against the ESRS, assurance, digital tagging, and the wave timeline as it stands now.
The sustainability-reporting terms in plain language: double materiality, ESRS, sustainability statement, limited assurance, ESEF tagging, Omnibus I, and more.
Who counts as a producer, EPR registration in each Member State, recyclability and recycled-content rules, reuse targets, and the phased PPWR timeline.
The packaging-EPR terms in plain language: extended producer responsibility, producer, eco-modulation, recyclability grade, recycled content, reuse target, and more.
The Consumer Principle, the cross-cutting rules, the four outcomes, and the governance and board-report obligations that evidence good outcomes.
The UK retail-conduct terms in plain language: Consumer Principle, PRIN 2A, cross-cutting rules, the four outcomes, fair value, foreseeable harm, and more.
These guides are the thinking. Compliance Command Center is how we put it to work: software-leveraged, practitioner-led, examiner-ready.