By Jeff Otten, Chief Revenue Officer of ThetaRay
This spring, Block Inc. was fined $80 million for Bank Secrecy Act violations, a penalty that made headlines, but only told part of the story. The company also paid an additional $40M in a separate settlement with New York State regulators and faced further enforcement over consumer fraud and security controls in Cash App, adding millions more in costs and oversight obligations. Together, these actions signal an unmistakable shift. Regulators are tightening expectations, and fintechs are being held to big-bank compliance standards, without big-bank resources.
To put the headline number in perspective, the $80 million federal fine represents just 0.0026% of the $3.1 trillion in illicit funds that move through the global financial system each year, according to Nasdaq’s 2024 Financial Crime Report. Yet for a fast-growing fintech, a single enforcement action can be existential; stalling expansion, derailing partnerships, eroding customer trust, and in some cases even wiping out the business entirely.
Financial crime is silent, systemic, and accelerating. By 2030, global losses could reach $6 trillion annually and regulators are responding quickly. Fintechs, often on the front lines of digital payments and cross-border flows, are struggling to modernize their defenses.
A Failing Status Quo and a New Operational Reality
Anti-Money Laundering (AML) frameworks were built for a slower paper-based era; a time of siloed systems and predictable transaction flows. Fintechs operate in the opposite environment: real-time payments, instant cross-border flows, and high-volume digital activity. The result is a growing mismatch between modern risk and legacy controls.
Many fintechs face an additional constraint: they simply don’t have the internal financial crime expertise or engineering capacity of tier-one banks. Compliance teams are lean, model validation talent is scarce, and building an AI-driven detection engine in-house requires years of investment.
Regulators have noticed these gaps. The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) ongoing BSA/AML modernization efforts emphasize risk-based, auditable programs, not just alert generation. The Financial Action Task Force (FATF) continues to raise global expectations around effectiveness, while U.S. policy initiatives like the AI Action Plan, increasingly stresses the need for governable, explainable AI in regulated industries. This is no longer optional. Fintechs must keep pace with both regulators and increasingly sophisticated bad actors, or risk enforced limits on growth.
False Positives and Exceptions Are About to Spike
As scrutiny increases, fintech compliance teams face a less visible but equally damaging challenge: a sharp rise in alerts and operational exceptions that strain capacity and undermine consistency.
Under long-standing Bank Secrecy Act requirements, funds transfers of $3,000 or more are subject to enhanced record keeping and “Travel Rule” obligations, requiring institutions to collect and transmit detailed originator and beneficiary information. In high-speed digital environments, this significantly increases the likelihood of data gaps, mismatches, and screening exceptions, even when no underlying criminal activity may be present.
At the same time, U.S. enforcement priorities have sharpened. Recent narco-related sanctions and terrorism designations have expanded the universe of high-risk counterparties and networks, raising expectations for how institutions identify, contextualize, and document potential exposure. The rules themselves have not changed, but the consequences of getting them wrong have.
The result is not necessarily more crime, but more alerts, more escalations, and more decisions that must be justified under regulatory scrutiny. Each unresolved exception becomes a potential audit issue, raising the bar for judgement, defensibility, and consistency. For fintechs with lead compliance teams, the operational strain is immediate and increasingly unsustainable.
The Compliance Tipping Point
Fintechs now face a structural dilemma: How to operate a genuinely risk-based AML program using tools designed for a different era and without the staff depth of a large bank.
Manual processes and rules-systems can’t scale. As alert volumes rise, they force investigators to prioritize throughput over insight, increasing backlogs while degrading case quality. At the same time, regulators are increasingly clear: “the system flagged it” is no longer an acceptable explanation.
Explainability is non-negotiable. Frameworks such as the Wolfsberg Principles require models to be validated, explainable, and traceable. That leaves fintech leaders confronting a critical question: build AML tech in-house or partner with firms that already have purpose-built, regulator-tested capabilities?
Build or Buy? Why Fintechs Are Turning to Regtech Partnerships
This is one of the most overlooked realities in US fintech coverage: Fintechs cannot match the compliance engineering budgets, risk governance infrastructure, or institutional memory of large banks.
Building in-house requires specialized data scientists, dedicated model-risk teams, continuous regulatory engagement, infrastructure for monitoring, retraining, and audit-ready documentation, often over multi-year cycles. Most high-growth fintechs simply don’t have that luxury.
As a result, many are turning to regtech partnerships that offer purpose-built, explainable AI, regulator-validated risk scoring, embedded audit trails, and continuously evolving criminal typology expertise. Done well, these partnerships provide tier-one compliance capabilities without tier-one headcount or cost.
Purpose-Built AI in Financial Crime Detection
Purpose-built AI addresses what rules-based AML systems never could: precision at scale, fewer false positives, stronger detection and better risk visibility. In 2024, HSBC reported a 60% reduction in false positives after implementing customized AI tools, allowing the bank to detect two to four times more actual financial crime while reducing investigative burden. The key difference was not automation alone, but explainability.
Instead of binary rule violations, risk scores incorporate dozens of behavioral and transactional indicators, with transparent reasoning investigators can understand and regulators can review. This level of transparency is already standard among tier-one banks, and fintechs hoping to scale will be expected to follow suit.
The Business Case for Compliance
The cost of falling behind is steep. Block’s enforcement actions triggered independent monitoring, delayed product rollouts, and damaged trust with regulators and partners.
For fintechs, non-compliance failures cascade into customer attrition, constrained banking partnerships, blocked market expansion, and delayed licensing. The ultimate cost? Growth paralysis.
In contrast, firms that modernize early are already showing the upside. Compliance modernization is increasingly a competitive advantage, forming the foundation for trust with regulators, investors, and customers.
The Road Ahead
The financial industry is at a crossroads. Regulators are modernizing faster, criminal networks are adapting faster, and fintechs must decide whether their compliance strategies are built for 2020 or for 2026 onward. That starts with asking hard questions:
- Can our AML platform deliver explainable, real-time risk decisions to auditors and regulators?
- Are audit trails and model validation built in, not bolted on?
- Has the approach already been tested and validated by regulators across jurisdictions?
In 2026 AML is no longer back-office hygiene. It’s the deciding factor between fintechs that scale and fintechs that stall. Those who modernize how they detect, investigate and explain risk will earn the trust required to scale, and room to innovate. Those who delay will find their growth capped not by regulators, but by their own outdated systems.
