Money Transmitter Risk Assessment (BSA/AML)

The short version

A money transmitter is a money services business, so its anti-money laundering program must be reasonably designed and commensurate with the risks it faces, under 31 CFR 1022.210. The risk assessment is how the transmitter establishes those risks. It rates inherent money-laundering and terrorism-financing risk across products and services, customers, geographies, and delivery channels, including the agent network, scores the controls against that risk, and derives a residual rating that drives the rest of the program. Both FinCEN and the state regulators that issue the license review it.

A money transmitter inherits the full BSA/AML obligation set the moment it is licensed, and the risk assessment sits underneath all of it. The program rule does not prescribe a separate risk-assessment document by name, but it requires a program that is commensurate with the risks the business carries, and the FFIEC manual treats the risk assessment as the basis for that risk-based program. You cannot show a program is sized to the risk without first establishing what that risk is. This guide covers what the assessment must cover for a money transmitter, the categories that matter most for this model, how to build it, and where these assessments fail an exam.

Why a money transmitter needs one

Money services businesses, including money transmitters, are required to develop, implement, and maintain an effective anti-money laundering program under 31 CFR 1022.210. The rule's standard is that the program be reasonably designed to prevent the business from being used to facilitate money laundering and terrorism financing, and that it be commensurate with the risks posed by the location, size, nature, and volume of the services provided. The phrase "commensurate with the risks" is the hook: it presumes the business has assessed its risks. The risk assessment is that work, and it is the document a federal or state examiner reads to test whether the rest of the program is built to the right size.

The risk categories that matter

A money transmitter's risk assessment uses the same four categories every BSA/AML assessment uses, but each one carries weight specific to the money-transmission model.

| Category | What drives risk for a money transmitter |
|---|---|
| Products and services | Cross-border remittance, cash-to-cash transfer, prepaid access, and convertible virtual currency carry higher inherent risk than closed-loop or low-value domestic transfer. |
| Customers | The customer base and any higher-risk segments, including cash-intensive senders and customers in higher-risk corridors. |
| Geographies | The jurisdictions and corridors served, weighting higher-risk countries and the states in which the business operates. |
| Delivery channels | The agent or authorized-delegate network, online and app-based onboarding, and any non-face-to-face channel that distances the transmitter from the customer. |

The agent network is the category that most distinguishes a money transmitter from a bank. Risk is introduced by parties the transmitter does not directly employ, so the assessment has to reach agent oversight: how agents are vetted, monitored, and trained, and how the transmitter sees the activity flowing through them.

The two layers of review

A money transmitter answers to two readers. FinCEN sets the federal program requirement, and the state regulators that grant the license supervise the business under state money-transmission law, increasingly harmonized through the CSBS Money Transmission Modernization Act. The BSA/AML risk assessment is a federal obligation rooted in 31 CFR 1022.210, but a state examiner reviews it too, because the BSA/AML program is a condition of holding the license. One assessment serves both readers; it does not need to be written twice.

How to build it

Step 1: Inventory products, customers, geographies, and channels

Catalog the services offered, the customer segments served, the corridors and states covered, and the channels and agents through which transfers move.

Step 2: Rate inherent risk in each category

Assign an inherent-risk rating to each category before considering controls, weighted toward the higher-risk products, corridors, and channels.

Step 3: Score the controls

Evaluate the controls that mitigate each inherent risk, including agent oversight, transaction monitoring, sanctions screening, and customer due diligence, and rate their strength.

Step 4: Derive residual risk

Combine inherent risk and control strength into a residual rating for each category, then aggregate to an enterprise rating.

Step 5: Document, then refresh on a cycle and on change

Record the methodology and the ratings, review the assessment on a periodic cycle, and refresh it whenever the business enters a new state or corridor, adds a product, or changes its agent model.

Where it goes wrong

The risk assessment is the foundation the rest of a money transmitter's program is built on, and the first thing two sets of examiners read. Keep it current, reach the agent network, and make the program genuinely match it. For the wider obligation, see the money transmitter compliance guide and the money transmitter glossary; for the underlying method, see the BSA/AML risk assessment guide.

Common questions

Does a money transmitter need a BSA/AML risk assessment?

Yes, in substance. A money transmitter is a money services business, and 31 CFR 1022.210 requires an anti-money laundering program that is reasonably designed and commensurate with the risks the business faces. Establishing those risks is what a risk assessment does, so a program cannot be shown to be adequately sized without one.

What must a money transmitter risk assessment cover?

Inherent money-laundering and terrorism-financing risk across products and services, customers, geographies, and delivery channels, including the agent or authorized-delegate network, scored against the controls that mitigate each, with a residual rating that drives the program.

Who reviews a money transmitter's risk assessment?

Both FinCEN, which sets the federal AML program requirement, and the state regulators that issue the money transmitter license, who supervise the BSA/AML program as a condition of the license. One assessment serves both.

Why does the agent network matter so much?

Because a money transmitter's risk is often introduced by agents or authorized delegates the transmitter does not directly employ. An assessment that rates only the transmitter's own activity and never reaches agent oversight misses the category most specific to the model.

From the team behind this guide

A money transmitter risk assessment two examiners accept

Compliance Command Center builds the BSA/AML risk assessment a money transmitter's program is sized to, reaching the agent network and tying each rated risk to the controls that meet it. Practitioners build it, with a human reviewing every deliverable, so it holds up to both a federal and a state examiner.
