PART NINE: ENFORCEMENT, EXAMINATIONS, AND RISK

Chapter 29

State Regulatory Examinations


The examination notice arrives on a Tuesday afternoon. A single paragraph from your state regulator's compliance division: they're sending an examination team on the twenty-first of next month. Less than a month to prepare.

Most compliance officers panic. They shouldn't. Examinations are predictable events with knowable outcomes. A business that has been operating honestly will come through one, because the examiners are not prosecutors—they're auditors looking for what you already know about yourself.

I have been through approximately eighty regulatory examinations across various jurisdictions and regulatory frameworks. What I have learned is that examinations test three things simultaneously: whether you meet the regulatory requirements on paper, whether you actually follow those requirements in practice, and whether you have built the organizational infrastructure to catch yourself when you slip.

What Triggers a State Examination

Most states operate on a routine examination cycle. For money transmitters, this is typically every two to four years, depending on the state and the perceived risk profile of the company. The states that have moved to annual examinations in recent years—New York among them—do so because they have become more aggressive about supervision and enforcement. Some states still operate on a five-year cycle, though this is becoming rarer.

Risk-based examination triggers work differently. A suspicious activity report filed by your bank, a customer complaint that reaches the state's consumer protection office, a material change in your business (acquisition, new service offering, new ownership), a cybersecurity incident, or findings from a federal examination can all accelerate an examination schedule. If you have been through a federal BSA examination (for money services businesses, these are conducted by the IRS under delegation from FinCEN), expect a coordinated state examination to follow.

The practical reality is that you cannot predict when an examination will occur with precision, but you can operate with the assumption that one will happen annually. This means your compliance infrastructure should be built to survive an examination at any moment, not positioned to pass an examination when you know one is coming.

Some companies treat the period between the examination notice and the examination date as an opportunity to fix problems. This creates exposure. If you fix a document that was wrong for the previous two years, the examiner will ask what changed and why. The honest answer—"we realized we were doing it wrong and we fixed it"—converts a technical violation into an admission that the violation persisted for two years. The better position is to have gotten it right to begin with. If you do find and fix a problem in that window, document the discovery date, the fix, and any lookback you performed; an undocumented last-minute change looks worse than a documented one.

Multi-state operators should expect coordinated examinations. Most states belong to the Money Transmitter Regulators Association (MTRA), and the association has developed a standardized examination approach and information-sharing protocol. If you are operating in five states, you should anticipate that the state examiners are talking to each other, are using similar examination procedures, and will compare findings. A serious violation in one state will accelerate examination scheduling in other states.

The Examination Process from Start to Finish

The examination notice should specify the scope of examination, the anticipated start date, the duration (usually three to four weeks for the on-site phase), and the documents the examiner will need delivered before the examination begins. Some regulators request documents two weeks in advance. Others request them one week before. Meet the deadline provided; there is no credit for delivering early, and a complete, indexed production delivered on time reads better than a partial one delivered ahead of schedule.

The week before the examination begins, identify a primary point of contact within your organization who will manage the examination process. This should be your chief compliance officer or, if you do not have a separate CCO, your chief operations officer or someone with operational authority—not an external counsel, not a consultant, not someone from the legal department. The examiner needs to speak to people inside the business, and the point of contact should be someone who understands the operation and can make decisions.

Ensure that the examination team has a dedicated workspace. The examiner will need a secure area with desk space, network access if they require it (on a segregated guest network, not your corporate network), and the ability to conduct interviews privately. The workspace does not need to be luxurious, but it should be professional. An examiner sitting at a folding table in a broom closet or sharing a cubicle with a customer service representative creates an adversarial dynamic that you do not want.

The examination typically follows this sequence. The examiner will conduct an entry meeting with you, your CCO, and your senior management. In this meeting, the examiner will explain the scope of the examination, will describe what they are looking for, will discuss the document requests, and will establish a timeline for interviews and for delivery of additional information. This is not a negotiation session. The examiner has already determined what they plan to examine. This meeting is bureaucratic and informational.

Following the entry meeting, the examiner will conduct document reviews. They will pull the items they requested: your compliance policies and procedures, board meeting minutes, your BSA officer appointment and qualifications, your customer risk assessment, your customer due diligence procedures, your transaction monitoring system documentation, your AML training materials, your records of customer complaints and how you handled them. They will request access to transaction systems to pull samples. They will request sample customer files to test whether the customer on file matches the customer in your system, whether you performed adequate due diligence, and whether your monitoring detected that customer's transaction activity appropriately.

Concurrent with document review, the examiner will conduct interviews. They will meet with your BSA officer, your compliance staff, your management, your transaction monitoring team, your customer service staff. The purpose of these interviews is to assess whether the people in the business understand what the policies say and whether they follow the policies in their daily work. An examiner is performing a control test when they interview your customer service representative and ask, "When you open a new account, walk me through what you do." If the customer service representative describes a process that does not match the documented procedure, the examiner has identified a control failure.

During the on-site phase, the examiner will also conduct system walkthroughs. If you use a transaction monitoring system, the examiner will ask to see the system configured in your environment. They will run test transactions to understand the thresholds you have set, will examine the alerts your system produces, and will trace what happens to an alert once it is generated. If you use a sanctions screening tool, they will want to understand the matching logic, the false positive rate, and the workflow for resolving matches.

At approximately the midpoint of the on-site examination, the examiner typically hosts a midpoint meeting. In this meeting, the examiner will discuss preliminary findings with you. This is a critical moment. If the examiner raises a finding that you believe is based on misunderstanding of your procedures or your business, this is the time to clarify. Do not argue with the examiner—examinations are not litigation—but do correct factual errors about how your business operates. If the examiner misunderstood something, a clear explanation now prevents the error from appearing in the final examination report.

At the end of the on-site phase, the examiner will conduct an exit meeting. In this meeting, they will discuss preliminary findings, will discuss the anticipated timeline for the examination report, will describe whether they anticipate issuing a formal examination report or a letter (less formal, but still official). The exit meeting is not the place to challenge findings. That comes later, when you receive the draft report and have the opportunity to provide written responses.

The examination does not end when the examiner leaves your office. Following the on-site phase, the examiner will typically request additional information. They may request clarification on policies, may ask to pull additional transaction samples, may request information about specific transactions or customer relationships. You should expect the post-examination document request phase to last two to four weeks.

Once the examiner has completed all fieldwork, they will draft an examination report. This report will summarize the examination scope, will describe the examiner's findings, and will rate the examination by functional area (anti-money laundering, customer due diligence, sanctions compliance, transaction monitoring, suspicious activity reporting, compliance management, training, and so forth). The rating scale varies by regulator; a common one is "effective," "needs improvement," or "deficient."

You will receive a draft examination report for your comments. This is sometimes called the preliminary or draft report. You have a window—typically ten to thirty days depending on the state—to read the report, discuss it with your team, and provide written responses to the findings. Your responses should not be defensive. Instead, they should clarify any factual errors or provide context that the examiner may have missed. If the examiner found a technical error that you have already corrected, explain what you corrected and when. If the examiner found a control failure and you have implemented a remediation, explain the remediation. Do not argue with the examiner's legal interpretations or their analysis of whether something is a violation. That is not productive.

After you submit your comments, the examiner will finalize the report, incorporating your responses into the final document. The final examination report is what becomes the regulatory record. Some states make examination reports public. Others keep them confidential. You should assume they will become public eventually through public records requests.

On-Site vs. Remote Examinations

The COVID-19 pandemic accelerated the adoption of remote examinations. Most states now offer a hybrid model: the examiner conducts the initial document review remotely, conducts interviews remotely, and travels on-site for system walkthroughs and for spot-checking of operations if necessary.

Remote examinations work better than on-site examinations for some purposes and worse for others. They are faster because the examiner does not spend time traveling. They are less disruptive to your operations because you do not have a regulator sitting at a desk in your office for three weeks. But they are worse at detecting control failures that are operational in nature. An examiner who sits with your customer service team will observe whether policies are actually being followed. An examiner on a video call can see only what you show them.

If you are offered a remote examination, accept it when possible. But do not assume that "remote" means "less thorough." The examination standards are the same regardless of format. The examiner has the same authority and the same expectations.

Some regulators have begun to require on-site examinations for larger institutions or when previous examinations have identified material findings. New York, for example, conducts on-site examinations of its larger licensees. If your state offers a choice, make the choice based on your compliance position. If you are confident in your controls and have no material findings from previous examinations, a remote examination is preferable. If you have identified control failures and have implemented remediations, an on-site examination gives you the opportunity to demonstrate the remediation in operation.

What Examiners Look For

Examiners follow a standardized examination handbook. Most state procedures are derived from the federal BSA/AML examination manuals (the FFIEC manual written for banks and the FinCEN/IRS manual written for money services businesses), adapted for state-licensed money transmitters. These procedures organize examinations into functional areas: management and oversight, BSA and AML compliance, customer due diligence and beneficial ownership, sanctions compliance, transaction monitoring and reporting, record keeping and reporting, and consumer protection and complaint handling.

Within each functional area, the examiner is looking for evidence of control at three layers. The first layer is the policy: does the business have a documented procedure that describes how it handles the risk? The second layer is the implementation: does the business actually follow the procedure? The third layer is the verification: does the business have a mechanism to test that the procedure is being followed? (These layers are about a single control, and are distinct from the "three lines of defense" model of business, compliance, and internal audit.)

For anti-money laundering compliance, the examiner will look at your customer risk assessment. They will look for evidence that you have actually identified the risks in your business—that you understand what kinds of customers you serve, what kinds of transactions they conduct, what their geographic exposure is, what the AML risk profile is for those customers and transactions. If you have a customer risk assessment that is generic and does not reflect the specific characteristics of your business, the examiner will note this as a deficiency.

For customer due diligence, the examiner will pull sample customer files. They will test whether you have performed the CDD required by your risk assessment. If your risk assessment says that for high-risk customers you will conduct beneficial ownership verification, they will pull a high-risk customer file and verify that you did it. If you did not, they will cite a finding. If you did it but documented it inadequately, they will cite a finding.

For transaction monitoring, the examiner will examine your monitoring rules. They will look for evidence that your rules are tuned to your business—that they are not so sensitive that they create an overwhelming number of false positives and not so insensitive that they would miss actual suspicious activity. They will examine your alert queue and will look for evidence that you are investigating alerts appropriately and closing them with documented reasoning. An alert queue with hundreds of unreviewed alerts is a serious control failure.

For suspicious activity reporting, the examiner will pull a sample of your filed SARs and a sample of transactions on which you decided not to file. They will test whether your SAR decisions are consistent with the BSA, its implementing regulations, and FinCEN guidance. They will look for evidence that you are neither filing SARs reflexively nor avoiding filing them because you do not want to be associated with suspicious activity.

For record keeping, the examiner will test whether you have maintained the records required by the BSA and by state law. They will look for customer identification records, beneficial ownership records, transaction records, SAR copies, and AML training records. They will verify that your record retention periods meet or exceed the legal requirements.

For training, the examiner will review your AML training materials and will verify that you have conducted training at the required frequency. They will interview staff to assess whether the training was retained.

For management and oversight, the examiner will review your board minutes and will assess whether the board has provided adequate oversight of your AML compliance program. They will review your internal audit reports and will look for evidence that you are testing your controls and documenting findings. They will assess whether your BSA officer has adequate resources and has reported to the board or to senior management at appropriate frequency.

Document Requests and Preparation

When the regulator requests documents, they are typically very specific. They will ask for policies, not summaries. They will ask for board minutes from a specific time period, not a summary of board activities. They will ask for transaction monitoring alerts from a specific date range. They will ask for training attendance records. They will ask for suspicious activity reports filed during the examination period.

Prepare a response to the document request that is organized and indexed. Create a spreadsheet that lists every document, the date range covered by the document, and the location where the document can be accessed. If the regulator asks for transaction monitoring alerts from the previous year, do not deliver ten thousand pages of unorganized alerts. Provide a summary that shows how many alerts were generated, how they were distributed across different alert types, what the average resolution time was, and how many resulted in suspicious activity reports. Then provide the supporting detail.
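As an added illustration (not from the book), the kind of summary the paragraph above describes can be produced directly from an alert export. The script below is example code written for this edition; the CSV columns and disposition values are assumptions about a generic export, not any vendor's schema, and the eight rows are constructed. Beyond the metrics the paragraph lists, it also counts open alerts older than a threshold, since an aging unreviewed queue is the control failure examiners react to most strongly.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column names and disposition values are assumptions,
# not any vendor's format; map your own export onto them.
SAMPLE_EXPORT = """alert_id,rule,created_at,closed_at,disposition
A-1001,structuring,2024-01-03,2024-01-10,closed_no_action
A-1002,structuring,2024-01-05,2024-01-31,closed_sar_filed
A-1003,velocity,2024-01-06,2024-01-08,closed_no_action
A-1004,high_risk_geo,2024-01-07,,open
A-1005,velocity,2024-02-01,2024-02-03,closed_no_action
A-1006,high_risk_geo,2024-02-02,,open
A-1007,structuring,2024-03-15,2024-03-20,closed_sar_filed
A-1008,velocity,2024-03-28,,open
"""

DATE_FMT = "%Y-%m-%d"


def summarize_alerts(export: str, as_of: str, stale_after_days: int = 30) -> dict:
    """Roll an alert export up into the figures a document response should lead with.

    as_of: the date the summary is prepared, used to age open alerts.
    stale_after_days: open alerts older than this are reported separately.
    """
    rows = list(csv.DictReader(io.StringIO(export)))
    as_of_dt = datetime.strptime(as_of, DATE_FMT)
    by_rule = Counter(r["rule"] for r in rows)
    resolution_days = []
    sar_count = open_count = stale_open = 0

    for r in rows:
        created = datetime.strptime(r["created_at"], DATE_FMT)
        if r["disposition"] == "open":
            open_count += 1
            if (as_of_dt - created).days > stale_after_days:
                stale_open += 1
            continue
        closed = datetime.strptime(r["closed_at"], DATE_FMT)
        resolution_days.append((closed - created).days)
        if r["disposition"] == "closed_sar_filed":
            sar_count += 1

    avg = sum(resolution_days) / len(resolution_days) if resolution_days else 0.0
    return {
        "total": len(rows),
        "by_rule": dict(by_rule),
        "avg_resolution_days": round(avg, 1),
        "sar_filed": sar_count,
        "open": open_count,
        "open_over_threshold": stale_open,
    }


def render_summary(summary: dict) -> str:
    """Plain-text cover summary to place in front of the detailed alert listing."""
    lines = [f"Alerts generated: {summary['total']}"]
    for rule, count in sorted(summary["by_rule"].items()):
        lines.append(f"  {rule}: {count}")
    lines.append(f"Average days to resolution (closed alerts): {summary['avg_resolution_days']}")
    lines.append(f"Alerts resulting in a SAR: {summary['sar_filed']}")
    lines.append(f"Open alerts: {summary['open']} (older than threshold: {summary['open_over_threshold']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(summarize_alerts(SAMPLE_EXPORT, as_of="2024-04-01")))
```

Run it against a real export and the "open over threshold" line is the one to look at before the examiner does; if it is not zero, the detail you attach should show those alerts being worked.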

If the regulator requests access to your transaction system or your compliance system, prepare the system for access before the examination begins. Create individually named accounts for each examiner with read-only permissions scoped to what was requested, set them to expire at the end of the examination, and confirm the system is functioning normally. The worst moment to discover that your system has an unstable connection is when the examiner is trying to use it.

Some regulators will request access to customer information that you may consider sensitive or proprietary. Do not refuse a legitimate regulatory request, but do ensure that your systems are configured such that the examiner's access is logged and can be controlled. Never provide the examiner with raw access to your entire customer database. Provide them with the specific records they request.
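One way to implement the scoped, logged access described above, as an added example rather than anything from the book or a particular vendor: the examiner's account is bound to the exact record identifiers in the document request and to an expiry date, every lookup (allowed or denied) is written to an audit log, and the log entries are hash-chained so that a later edit to the log is detectable. The customer store, identifiers, and grant period below are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List

# Constructed customer store standing in for the production database.
CUSTOMERS: Dict[str, dict] = {
    "C-001": {"name": "Ada Example", "risk_tier": "high", "country": "MX"},
    "C-002": {"name": "Bob Sample", "risk_tier": "low", "country": "US"},
    "C-003": {"name": "Cy Test", "risk_tier": "high", "country": "GT"},
}


@dataclass(frozen=True)
class ExaminerGrant:
    """Who may look, at which records, until when. The document request is the allowlist."""
    examiner_id: str
    allowed_ids: FrozenSet[str]
    expires_at: datetime


def _hash_entry(entry: dict) -> str:
    """SHA-256 over the entry's fields except its own hash, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ScopedCustomerAccess:
    """Read-only, allowlisted, time-boxed view of customer records with an audit trail."""

    def __init__(self, store: Dict[str, dict], grant: ExaminerGrant,
                 clock: Callable[[], datetime] = datetime.utcnow):
        self._store = store
        self._grant = grant
        self._clock = clock  # injectable so the example can drive time deterministically
        self.audit_log: List[dict] = []

    def get(self, customer_id: str) -> dict:
        now = self._clock()
        if now >= self._grant.expires_at:
            decision = "deny_expired"
        elif customer_id not in self._grant.allowed_ids:
            decision = "deny_out_of_scope"
        else:
            decision = "allow"
        self._append_log(customer_id, decision, now)  # denials are logged too
        if decision != "allow":
            raise PermissionError(f"{decision}: {customer_id}")
        return dict(self._store[customer_id])  # a copy, never a live reference

    def _append_log(self, customer_id: str, decision: str, when: datetime) -> None:
        prev_hash = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"examiner": self._grant.examiner_id, "customer_id": customer_id,
                 "decision": decision, "at": when.isoformat(), "prev_hash": prev_hash}
        entry["entry_hash"] = _hash_entry(entry)
        self.audit_log.append(entry)


def verify_chain(log: List[dict]) -> bool:
    """True only if every entry hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for entry in log:
        if entry["prev_hash"] != prev or _hash_entry(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo() -> dict:
    """Walk through an in-scope read, an out-of-scope read, and a read after expiry."""
    start = datetime(2024, 4, 1, 9, 0)
    grant = ExaminerGrant("examiner-1", frozenset({"C-001", "C-003"}), start + timedelta(days=21))
    ticks = iter([start, start + timedelta(hours=1), start + timedelta(days=30)])
    access = ScopedCustomerAccess(CUSTOMERS, grant, clock=lambda: next(ticks))
    results = {"in_scope": access.get("C-001")["risk_tier"]}
    try:
        access.get("C-002")  # not in the document request
    except PermissionError as e:
        results["out_of_scope"] = str(e)
    try:
        access.get("C-003")  # in scope, but the grant has expired by this call
    except PermissionError as e:
        results["expired"] = str(e)
    results["decisions"] = [e["decision"] for e in access.audit_log]
    results["chain_ok"] = verify_chain(access.audit_log)
    tampered = json.loads(json.dumps(access.audit_log))
    tampered[1]["decision"] = "allow"  # someone rewrites history after the fact
    results["tamper_detected"] = not verify_chain(tampered)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain is a design choice added here, not something the book prescribes: it does not stop a log from being edited, but it makes an edit visible to anyone holding an earlier copy of the last hash, which is what you want if the question of who looked at what ever comes up later.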

If you cannot provide a document that the regulator requests, explain why and provide the closest equivalent. If you cannot provide transaction records from a specific date range because your systems do not retain data that far back, explain this. If you destroyed records in accordance with your retention policy and they are no longer available, explain this. Do not ignore a document request or provide incomplete information.

Common Examination Findings

The most common findings across the examiners I have worked with fall into a few categories.

Customer due diligence deficiencies. The most frequent finding is that businesses have not conducted adequate CDD relative to their risk assessment. This typically means: you identified a customer as high-risk, but you did not perform the enhanced due diligence you said you would; or you did not verify beneficial ownership for beneficial owners you should have verified; or you did not update customer information at the frequency required by your policies. These are correctable findings if you can demonstrate that the control failure is isolated and that you have implemented a remediation.

Transaction monitoring configuration. Many examinations find that transaction monitoring rules are not appropriately configured. This might mean the rules are creating false positives at such a high rate that they are unusable; or the rules are not detecting suspicious transaction patterns that would be obvious to a human reviewer; or the monitoring system is not performing the tests it is configured to perform. Fixing this requires working with your monitoring vendor or with your internal technology team to validate the system configuration.

Suspicious activity reporting errors. Examiners frequently find that businesses have failed to file SARs on suspicious activity that met the SAR threshold (for money services businesses, 31 CFR 1022.320 sets the general threshold at $2,000 and requires filing within 30 calendar days of initial detection). These cases are typically identified when the examiner pulls a random sample of transactions, identifies transactions that appear suspicious based on the facts, and checks whether the business filed a SAR. If the business did not, that is a finding. The opposite finding—filing SARs on every unusual transaction even if the transaction is not suspicious—is less common but also a deficiency.

Beneficial ownership verification gaps. Many businesses do not maintain adequate records of beneficial ownership verification. This means they may have conducted the verification but did not document it adequately. The examiner will find no evidence that the verification occurred. This is both a beneficial ownership problem and a documentation problem.

AML training deficiencies. A frequent finding is that the business has not trained all staff adequately. This might mean training was not provided to new hires within the required period. It might mean that certain job categories (customer service staff, operations staff) were not trained on the AML program. It might mean training records are incomplete.

Management and oversight gaps. Examiners frequently find that the board or senior management has not provided adequate oversight of AML compliance. This typically appears as an absence of board minutes discussing AML compliance, an absence of internal audit reports, or an absence of escalations of compliance issues to senior management.

SAR filing procedures. Examiners find that businesses have inadequate procedures for determining whether to file a SAR. They lack clear decision trees or criteria. When the examiner interviews staff, staff cannot articulate the factors that would trigger a SAR.

These findings are not disqualifying. They are control failures, and most businesses have at least one control failure by the time they are examined. The question is whether you remediate the failures promptly and thoroughly.

Responding to Findings and Corrective Action Plans

When the regulator issues a finding, you will be expected to provide a corrective action plan (CAP). The CAP should explain what the finding is, should acknowledge that the control failure occurred, should explain the root cause, should describe the remediation you will implement, and should provide a timeline for completion.

Do not write a CAP that disputes the finding. The examination report is not the place to litigate whether something is or is not a violation. You had the opportunity to provide comments on the draft examination report. The final report is what it is. If you truly believe the finding is based on a misunderstanding of the facts or the law, address that in a subsequent letter or discussion with the regulator, not in the CAP. But most of the time, you will not dispute the finding; you will remediate it.

A strong CAP has several characteristics. It is specific about the remediation, not vague. "We will improve our due diligence procedures" is not specific. "We will implement a documented checklist requiring verification of beneficial ownership for every customer our risk assessment classifies as requiring it, will train all customer service staff on the checklist by [date], and will conduct monthly reviews of beneficial ownership records to confirm compliance" is specific.

It identifies a root cause. Did the control fail because the procedure did not exist? Because the procedure existed but was not communicated? Because the procedure existed but staff did not understand it? Because the procedure was difficult to follow and staff took shortcuts? Because management did not enforce the procedure? The root cause analysis matters because it tells the regulator whether you are fixing a procedural problem or an execution problem.

It provides a realistic timeline. If the remediation requires building a new system or hiring new staff, say so. If the remediation can be completed in two weeks, say so. If the remediation requires changes to your transaction monitoring rules and you need to work with a vendor, explain that and provide a timeline that accounts for vendor availability.

It names a person responsible for execution. The CAP should identify who in your organization will own the remediation. This creates accountability.

A strong CAP will be submitted to the regulator within thirty days of the final examination report. Some regulators require this. Others do not. Regardless of the requirement, submit a CAP promptly. Regulators view the speed and thoroughness of your corrective action as a signal of how seriously you take compliance.

Multi-State Examination Coordination (MTRA)

If you are licensed in multiple states, you should anticipate that the state regulators are coordinating their examination efforts. The Money Transmitter Regulators Association (MTRA) is a formal organization of state money transmitter regulators. The association has created a standardized examination procedure that most states use, and the association coordinates examinations across states.

This means several things in practice. First, the findings from one examination are likely to be shared with other states. If your Texas examination identifies a beneficial ownership verification failure, the Texas regulator will share the examination results with other states where you are licensed. Those states may use that finding as justification to schedule their own examination or to focus their own examination on the same risk area.

Second, if the first state to examine you finds control failures, you should expect similar findings in other states. Rather than waiting for other states to find the same problems, consider providing proactive disclosures to other states. This approach—coming to the regulator with the problem before the regulator finds it—is looked upon favorably.

Third, the standardization of examination procedures means that the procedural expectations are consistent across states. You should be able to take the remediation you implemented for one state's finding and apply it across all states. In fact, you should use the remediation in one state as a baseline for all states.

Building an Examination-Ready Compliance Program

The fundamental insight about examinations is that they are not about passing a test. They are about demonstrating that your business has implemented a functioning compliance program. If you build a program with that objective—not the objective of passing an examination, but the objective of actually preventing bad customers and bad transactions from going through your system—you will pass examinations.

This means several concrete things. Your compliance policies should be specific to your business. A generic money transmitter AML policy is less useful than a policy that describes how your specific business conducts due diligence. If you are a remittance business sending money to Latin America, your policy should address the specific risks in that corridor and the specific due diligence procedures for customers sending to those countries.

Your transaction monitoring rules should be calibrated to your business. If you process an average transaction size of two hundred dollars, a rule that alerts on transactions over five hundred dollars will generate alerts on transactions that are normal for your business. Your rules should generate alerts on abnormal activity relative to your historical patterns, not on absolute transaction amounts.
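To show the difference between an absolute threshold and a rule relative to a customer's own history, here is an added example (not from the book). Both rules run over a constructed set of transactions for three hypothetical customers. The baseline rule compares each transaction to the median and median absolute deviation (MAD) of that customer's prior transactions, and falls back to the absolute threshold while a customer has too little history to baseline. The multiplier k, the minimum history length, and the $500 fallback are arbitrary assumptions a real program would tune against its own data.

```python
from collections import defaultdict
from statistics import median
from typing import List, Tuple

Txn = Tuple[str, float]  # (customer_id, amount in dollars)

# Constructed history, in time order. C-100 normally sends ~$200 and then sends $1,500;
# C-200 habitually sends ~$600; C-300 normally sends ~$45 and then sends $400.
TRANSACTIONS: List[Txn] = [
    ("C-100", 180), ("C-100", 210), ("C-100", 195), ("C-100", 205), ("C-100", 1500),
    ("C-200", 600), ("C-200", 620), ("C-200", 590), ("C-200", 610), ("C-200", 630),
    ("C-300", 40), ("C-300", 45), ("C-300", 50), ("C-300", 42), ("C-300", 400),
]


def absolute_rule(txns: List[Txn], threshold: float = 500) -> List[Txn]:
    """Alert on any transaction above a fixed dollar amount, regardless of the customer."""
    return [(c, a) for c, a in txns if a > threshold]


def baseline_rule(txns: List[Txn], min_history: int = 3, k: float = 6.0,
                  fallback_threshold: float = 500) -> List[Txn]:
    """Alert when a transaction is far above the customer's own established pattern.

    'Far above' is median + k * MAD of the customer's prior transactions. MAD is used
    instead of standard deviation so that one earlier outlier does not inflate the
    threshold. With fewer than min_history prior transactions there is nothing to
    baseline against, so the absolute threshold applies (the cold-start case).
    """
    history = defaultdict(list)
    alerts = []
    for customer, amount in txns:
        past = history[customer]
        if len(past) < min_history:
            if amount > fallback_threshold:
                alerts.append((customer, amount))
        else:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            if mad == 0:  # perfectly uniform history; give it a small floor
                mad = max(med * 0.1, 1.0)
            if amount > med + k * mad:
                alerts.append((customer, amount))
        past.append(amount)  # history is updated after scoring, so a txn never baselines itself
    return alerts


def compare_rules(txns: List[Txn]) -> dict:
    return {"absolute": absolute_rule(txns), "baseline": baseline_rule(txns)}


if __name__ == "__main__":
    for name, alerts in compare_rules(TRANSACTIONS).items():
        print(f"{name}: {len(alerts)} alerts -> {alerts}")
```

On this data the absolute rule fires on every one of C-200's routine transfers and never on C-300's $400 transfer, which is roughly ten times that customer's norm. The baseline rule flags the $1,500 and $400 outliers, stops flagging C-200 as soon as it has three transactions of history, and the only noise it produces is the cold-start fallback on C-200's first three transfers. That cold-start gap is the trade-off to document when you tune a rule like this.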

Your BSA officer should have real authority and adequate resources. The BSA officer should not be the CFO with AML as a side responsibility. The BSA officer should be someone whose job is to manage AML compliance. If you cannot afford a full-time BSA officer, you should hire a consultant or an external provider to fulfill the role. But someone in your organization should own this function as their primary responsibility.

Your board or your senior management should review AML compliance quarterly. At minimum, the board should see transaction monitoring alerts, should review SARs filed, should understand the customer risk profile, and should understand the status of internal audit findings.

You should conduct internal audits of your AML compliance program at least annually. The internal audit should be independent of the operations it is auditing. If the BSA officer conducted the internal audit, that is a conflict. You should hire an external consultant or have internal audit staff who report to the board or to someone other than the BSA officer.

You should maintain a compliance calendar that tracks all regulatory deadlines: when training is due, when you need to update your customer risk assessment, when you need to review your SAR decision procedures. You should assign someone responsibility for each deadline.

You should test your procedures before an examination occurs. Pull a sample of customer files and verify that the documentation supports what your procedures require. Pull a sample of transactions and verify that the transactions you determined not to file SARs on would not be flagged as suspicious by an examiner.

An examination-ready compliance program is not one that passes an examination. It is one that operates in compliance with the law on a daily basis. If you build for operation, examination becomes routine.

Practitioner's Bottom Line

Examinations are predictable events that test three dimensions of your compliance program: your written policies, the implementation of those policies, and your mechanisms for detecting when implementation fails. Prepare for examination continuously rather than after you receive a notice. Focus on correcting control failures promptly through detailed corrective action plans, not on disputing examination findings. Use examination findings from one state as a signal to conduct proactive reviews in other states.



Faisal Khan has spent 15+ years solving the exact problems covered in this book. If you are building a payment company, seeking licensing, or need a trusted advisor — reach out.
