Compliance Services Authority

Financial Services Compliance in the US

Financial services compliance in the United States encompasses the regulatory obligations that banks, broker-dealers, investment advisers, insurance companies, credit unions, and fintech firms must satisfy to operate lawfully. The framework spans federal statutes, agency rulemaking, self-regulatory organization (SRO) standards, and state licensing regimes — creating one of the most layered compliance environments in any domestic industry. Understanding how these obligations interact, where authority overlaps, and where enforcement gaps exist is essential for institutions managing regulatory risk.


Definition and scope

Financial services compliance refers to the structured process by which regulated entities identify applicable legal and regulatory requirements, implement controls to satisfy those requirements, and demonstrate ongoing conformance to supervisory authorities. The scope is defined by entity type, activity type, and the jurisdictions in which the entity operates — not by the entity's self-classification.

At the federal level, the primary statutes governing financial services compliance include the Bank Secrecy Act (BSA) of 1970, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, the Gramm-Leach-Bliley Act (GLBA) of 1999, and the Bank Holding Company Act. Each statute delegates rulemaking authority to specific agencies, producing distinct compliance obligations depending on the institution's charter type and product lines.

Scope extends beyond large institutions. Credit unions with assets under $100 million, community banks, investment advisers registered federally or with a state with as few as $25 million in assets under management, and money services businesses (MSBs) registered with the Financial Crimes Enforcement Network (FinCEN) all fall within defined compliance perimeters. The compliance-scope page describes how regulators determine which entities fall within a given rule's reach.


Core mechanics or structure

The operational structure of financial services compliance rests on five interacting components: regulatory mapping, policy and procedure development, internal controls, monitoring and testing, and reporting.

Regulatory mapping establishes which rules apply to which business lines. A bank holding company supervised by the Federal Reserve (Fed) must map obligations under Regulation Y, while its depository subsidiary maps obligations under the Office of the Comptroller of the Currency (OCC) if nationally chartered, or under a state banking regulator if state-chartered. For state-chartered banks the federal supervisor is the Fed for member banks and the Federal Deposit Insurance Corporation (FDIC) for non-member banks; the FDIC additionally holds backup enforcement authority over every insured depository institution regardless of primary regulator.

Policy and procedure development translates regulatory text into operational instructions. The Consumer Financial Protection Bureau (CFPB), established under Dodd-Frank, requires covered institutions to maintain written policies addressing fair lending under the Equal Credit Opportunity Act (ECOA, implemented by Regulation B), among others; the Fair Housing Act, enforced by HUD and the DOJ, adds parallel obligations for housing-related credit.

Internal controls are the mechanisms that prevent or detect violations before supervisors identify them. Anti-money laundering (AML) programs required under 31 U.S.C. § 5318(h) and FinCEN's implementing regulations must include, at minimum: a system of internal policies, procedures, and controls; a designated BSA compliance officer; ongoing employee training; and independent testing. These are the "four pillars"; FinCEN's 2016 Customer Due Diligence Rule added risk-based customer due diligence, including beneficial ownership identification for legal entity customers, as a fifth program requirement.

Monitoring and testing functions examine whether controls operate as designed. The interagency model risk management guidance (OCC Bulletin 2011-12, issued by the Federal Reserve as SR 11-7) sets the supervisory expectation that models, including those used in credit decisioning and BSA/AML transaction monitoring, be independently validated, with validation covering conceptual soundness, ongoing monitoring, and outcomes analysis. Compliance monitoring and auditing describes independent testing design in detail.

Reporting obligations include Suspicious Activity Reports (SARs) filed with FinCEN, Currency Transaction Reports (CTRs) for currency transactions that exceed $10,000 in a single business day, aggregated across transactions by or on behalf of the same person, and call report filings submitted to prudential regulators on a quarterly basis. Investment advisers registered with the Securities and Exchange Commission (SEC) file Form ADV and maintain books and records under 17 C.F.R. § 275.204-2.


Causal relationships or drivers

Financial services compliance frameworks respond to identifiable failure events rather than emerging from abstract regulatory design. The Bank Secrecy Act was enacted in direct response to documented bank facilitation of tax evasion and money laundering. Dodd-Frank's 848-page statute was a legislative consequence of the 2008 financial crisis, specifically targeting gaps in systemic risk oversight, consumer protection, and derivatives regulation that regulators identified as causal factors.

Enforcement actions generate secondary compliance obligations. When the Department of Justice (DOJ) or a prudential regulator enters a consent order with an institution, the remediation requirements specified in that order — enhanced transaction monitoring, third-party audits, board-level certifications — establish de facto compliance benchmarks that peer institutions adopt proactively. This mechanism explains why compliance standards in large institutions often exceed minimum regulatory text requirements by a material margin.

The Financial Industry Regulatory Authority (FINRA), as the SRO for broker-dealers, uses examination findings to publish annual reports identifying the most frequently cited deficiencies. The FINRA Annual Report on Examination and Risk Monitoring Program identifies recurring problem areas — communications supervision, best execution, and consolidated audit trail (CAT) reporting compliance — that drive industry-wide compliance investment. Compliance risk assessment addresses how institutions translate these signals into internal risk ratings.


Classification boundaries

Financial services compliance subdivides into distinct regulatory lanes based on entity type, activity, and supervisory authority:

Prudential compliance applies to depository institutions and focuses on capital adequacy, liquidity, and safety-and-soundness standards set by the OCC, FDIC, Federal Reserve, and National Credit Union Administration (NCUA). Basel III capital requirements, implemented in the US through 12 C.F.R. Part 3 (OCC) and parallel Fed and FDIC rules, fall within this category.

Market conduct compliance governs how financial products are sold and serviced. The SEC and FINRA regulate market conduct for broker-dealers; the CFPB and state attorneys general regulate market conduct for consumer financial products; state insurance departments regulate market conduct for insurance products, which remain largely state-regulated.

AML/CFT compliance (anti-money laundering and countering the financing of terrorism) spans virtually all entity types through FinCEN's BSA framework, the USA PATRIOT Act of 2001, and the Anti-Money Laundering Act of 2020, which amended the BSA to strengthen beneficial ownership requirements.

Data privacy and security compliance in financial services is governed primarily by two GLBA rules: the Privacy Rule (Regulation P, 12 C.F.R. Part 1016), which governs privacy notices and sharing of nonpublic personal information, and the Safeguards Rule (16 C.F.R. Part 314, as amended with a compliance date of June 2023), which requires non-bank financial institutions under FTC jurisdiction to implement specific technical and administrative safeguards. Banks meet the parallel GLBA security requirement through their prudential regulators' Interagency Guidelines Establishing Information Security Standards. State-level requirements in California (California Consumer Privacy Act, CCPA, which exempts data already covered by GLBA but reaches other personal information) and New York (NYDFS Cybersecurity Regulation, 23 NYCRR Part 500) add obligations for institutions operating in those states.

Fiduciary compliance applies to investment advisers under the Investment Advisers Act and to certain plan administrators under the Employee Retirement Income Security Act (ERISA), enforced by the Department of Labor (DOL).


Tradeoffs and tensions

Compliance architecture in financial services involves genuine tradeoffs that do not resolve cleanly.

Cost versus access. Customer due diligence and beneficial ownership requirements under FinCEN's Customer Due Diligence (CDD) Rule (31 C.F.R. § 1010.230) increase the cost of onboarding, which disproportionately affects lower-balance customers and small businesses. The CFPB has published research documenting the correlation between compliance burden and account closure rates in lower-income communities.

Standardization versus risk sensitivity. Rule-based compliance (bright-line prohibitions) produces consistent application but may over-restrict legitimate activity. Principles-based compliance (outcomes-focused standards) allows risk-sensitive calibration but creates uncertainty and inconsistent enforcement outcomes across institutions of different sizes.

Speed versus thoroughness. Compliance review cycles that match the pace of product development are difficult to achieve. The OCC's special purpose national bank charter for fintech companies (announced in 2018), contested in federal court by the Conference of State Bank Supervisors (CSBS), illustrates how regulatory ambiguity slows fintech product launches while litigation resolves jurisdictional questions.

Federal preemption versus state authority. National bank preemption under 12 U.S.C. § 25b allows federally chartered banks to apply a single compliance standard in multiple states for certain consumer protection rules. State-chartered entities and non-bank fintechs must comply with distinct licensing and consumer protection regimes in each state where they operate, a structural asymmetry that shapes competitive strategy.


Common misconceptions

Misconception: Compliance applies only to large institutions. Money transmitters must register with FinCEN as MSBs regardless of transaction volume; other MSB categories (check cashers, currency dealers, issuers of money orders or traveler's checks) trigger registration once activity exceeds $1,000 per person per day. Investment advisers with $25–$100 million in AUM generally register at the state level, not the SEC, but face equivalent substantive obligations under state investment adviser statutes modeled on the Investment Advisers Act.

Misconception: Passing a single exam means ongoing compliance. Regulatory examinations assess a point-in-time snapshot. Supervisory ratings (CAMELS, assigned under the Uniform Financial Institutions Rating System, UFIRS) do not provide immunity from subsequent enforcement actions if conditions change. Consent orders from prior exam cycles remain in effect until formally terminated by the regulator.

Misconception: Compliance and legal functions are interchangeable. Compliance functions monitor ongoing regulatory conformance and manage examination relationships. Legal functions provide privileged advice on legal risk. The OCC distinguishes the two in its "Heightened Standards" guidelines (12 C.F.R. Part 30, Appendix D), which require independent compliance risk management at large institutions.

Misconception: Technology solutions eliminate compliance risk. Automated transaction monitoring systems require model validation, parameter tuning, and human review of alerts. FinCEN guidance and OCC model risk management standards explicitly require that automated BSA/AML systems be subject to the same independent testing requirements as other risk models.


Checklist or steps (non-advisory)

The following sequence reflects the compliance program establishment steps described in FinCEN guidance, OCC supervisory standards, and FINRA's compliance program framework. This is a reference structure, not professional advice.

  1. Identify applicable regulatory perimeter — Determine charter type, regulated activities, and supervisory authority for each business line.
  2. Conduct regulatory inventory — Document all applicable statutes, agency rules, SRO rules, and state requirements with effective dates and pending amendments.
  3. Perform a gap analysis — Map current controls against identified requirements; document gaps with severity ratings. See compliance gap analysis.
  4. Assign compliance officer authority — Designate a compliance officer with defined authority, resources, and board-level reporting access as required under 12 C.F.R. Part 30 Appendix D for covered institutions.
  5. Draft and adopt written policies — Produce policies addressing each material compliance area; obtain board or senior management approval.
  6. Implement training program — Deliver role-specific training covering applicable regulations; document completion rates. Compliance training and education describes design considerations.
  7. Establish monitoring and testing schedule — Define frequency, scope, and independence standards for ongoing compliance reviews and independent audits.
  8. Build regulatory reporting calendar — Document all filing deadlines (SAR, CTR, Form ADV, call reports, HMDA data, CRA performance context) with assigned owners.
  9. Create escalation and investigation protocols — Define thresholds for escalating potential violations to legal, senior management, and the board.
  10. Review and update annually — Conduct an annual review against regulatory changes; update gap analysis and corrective action plans accordingly. See annual compliance review process.

Reference table or matrix

Each entry lists: regulatory domain; primary statute; governing agency or SRO; key rule or regulation; reporting obligation.

Bank safety and soundness
  Primary statute: Bank Holding Company Act; National Bank Act
  Agency / SRO: OCC, Federal Reserve, FDIC, NCUA
  Key rule: 12 C.F.R. Part 3 (capital); CAMELS ratings
  Reporting: Call Report (quarterly)

AML / BSA
  Primary statute: Bank Secrecy Act (31 U.S.C. § 5318); USA PATRIOT Act
  Agency / SRO: FinCEN
  Key rule: 31 C.F.R. Part 1010; CDD Rule (31 C.F.R. § 1010.230)
  Reporting: SAR, CTR

Consumer protection
  Primary statute: Dodd-Frank Act; ECOA; TILA
  Agency / SRO: CFPB, FTC
  Key rule: Regulation B (ECOA), Regulation Z (TILA)
  Reporting: HMDA data (annual, Regulation C), CRA

Securities conduct
  Primary statute: Securities Exchange Act of 1934
  Agency / SRO: SEC, FINRA
  Key rule: 17 C.F.R. § 240.15c3-3 (customer protection); FINRA Rule 3110 (supervision)
  Reporting: Form BD, annual reports

Investment adviser
  Primary statute: Investment Advisers Act of 1940
  Agency / SRO: SEC (federal); state regulators ($25M–$100M AUM)
  Key rule: 17 C.F.R. § 275.204-2 (books and records)
  Reporting: Form ADV (annual updating amendment)

Retirement / fiduciary
  Primary statute: ERISA
  Agency / SRO: DOL
  Key rule: 29 C.F.R. Part 2550
  Reporting: Form 5500

Data privacy / cybersecurity
  Primary statute: GLBA; 23 NYCRR Part 500 (NY)
  Agency / SRO: FTC (non-bank institutions); prudential regulators (banks); NYDFS
  Key rule: 16 C.F.R. Part 314 (Safeguards Rule); Regulation P (12 C.F.R. Part 1016); Interagency Guidelines Establishing Information Security Standards
  Reporting: Incident notifications (72 hours to NYDFS under Part 500; 36 hours to the primary federal regulator for banks under the 2022 computer-security incident notification rule)

Beneficial ownership / AML
  Primary statute: Corporate Transparency Act (enacted 2021 within the AML Act of 2020)
  Agency / SRO: FinCEN
  Key rule: 31 C.F.R. § 1010.380
  Reporting: BOI Report (scope narrowed to foreign reporting companies by FinCEN's March 2025 interim final rule)
