My guidance on NMLS money transmitter licensing

The client's task

Title

Temporary CISO Needed for NMLS Money Transmitter License Application

Description

We are seeking an experienced Temporary Chief Information Security Officer (CISO) to guide us through the NMLS money transmitter license application process.
This role is critical and time-sensitive, requiring expertise in compliance, regulatory frameworks, and cybersecurity.
The ideal candidate will have a proven track record in managing licensing applications and a deep understanding of industry standards.
If you are ready to take on this challenge and help us navigate the complexities of the application, we would love to hear from you!

My guidance

1. The Flow of Funds diagram

1.1.

Regulators will first review the Flow of Funds diagram to understand the core of the business.
The diagram must document each step of every planned transaction type, from receiving funds from the sender to delivering them to the recipient.
The diagram must also indicate which accounts (proprietary, transit, or partner) hold the funds and when.

1.2.

There is no single federal law or regulation that explicitly establishes the requirement for the Flow of Funds diagram for all 50 states.
The licensing process remains the prerogative of each state.
States are the primary source of the requirement to submit the Flow of Funds diagram.
States use this document to assess not only anti-money laundering (AML) risks, but also financial stability, operational reliability, and consumer protection mechanisms for prudential supervision.

2. The FinCEN classification

Match the planned operations with the official FinCEN classification (31 CFR § 1010.100(ff)).

3. Licensing

3.1.

A license is required in each state where money transmission services are provided.

3.2.

The choice of the first state for licensing affects not only the initial costs but also the company's reputation with other regulators, as they will see that the company has already passed a review.

3.3.

For a small company like yours (2-9 employees), attempting simultaneous licensing in multiple states is extremely risky.

4. Minimum «net worth» and «tangible net worth» requirements

4.1. Net worth

Most state laws define net worth (NW) in accordance with GAAP (Generally Accepted Accounting Principles) as the difference between a company's total assets and total liabilities.

4.2. Tangible net worth

4.2.1.

Modern regulatory practice, especially in the context of FinTech companies, increasingly uses a more stringent concept — «tangible net worth» (TNW).
This refined requirement is more conservative and aims to ensure a real financial safety cushion.
The Money Transmission Modernization Act (MTMA) of the Conference of State Bank Supervisors (CSBS), which is becoming the industry standard, provides the following definition:

"Tangible net worth" shall mean the aggregate assets of a licensee excluding all intangible assets, less liabilities, as determined in accordance with United States generally accepted accounting principles.

4.2.2.

The key difference between TNW and net worth (NW) is that TNW excludes intangible assets from the calculation, such as goodwill, patents, copyrights, brand value, and software.
For technology companies, whose value may largely consist of such assets, this distinction is critical.
The TNW requirement forces companies to possess a sufficient volume of tangible assets (cash, securities, equipment), which creates a higher barrier to market entry.
This tightening reflects the regulators' intention to ensure that in the event of financial insolvency or bankruptcy, the licensee will have liquid assets to fulfill its obligations to customers, whose funds are in the process of transmission.

4.2.3.

Instead of a fixed NW amount, the MTMA introduces a dynamic, risk-based formula for calculating TNW that ties the required capital to the company's total assets.
This makes the requirement fairer and better proportioned to the scale of the licensee's business.
The standard MTMA formula states:

A licensee under this Act shall maintain at all times a tangible net worth of the greater of $100,000 or 3% of total assets for the first $100 million, 2% of additional assets for $100 million to $1 billion, and 0.5% of additional assets for over $1 billion.
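To make the difference between net worth (4.1), tangible net worth (4.2.2) and the graduated MTMA minimum (4.2.3) concrete, here is a small added example in Python. It is not part of the original guidance or of the MTMA text; the two balance sheets are constructed, and the reading of the formula as three graduated tiers (3% of the first $100M, 2% of the next $900M, 0.5% above $1B, floored at $100,000) is my interpretation of the quoted sentence.

```python
from dataclasses import dataclass


@dataclass
class BalanceSheet:
    """Constructed sample balance sheet, in whole US dollars."""
    total_assets: int
    intangible_assets: int   # goodwill, patents, capitalised software, brand value
    total_liabilities: int


def net_worth(bs: BalanceSheet) -> int:
    """Plain GAAP net worth: total assets less total liabilities (section 4.1)."""
    return bs.total_assets - bs.total_liabilities


def tangible_net_worth(bs: BalanceSheet) -> int:
    """MTMA tangible net worth: assets excluding intangibles, less liabilities (4.2.1)."""
    return bs.total_assets - bs.intangible_assets - bs.total_liabilities


def mtma_required_tnw(total_assets: int) -> int:
    """Minimum TNW under the MTMA formula quoted above (assumed graduated reading):
    the greater of $100,000 or 3% of the first $100M of assets, 2% of the next $900M
    (assets between $100M and $1B) and 0.5% of anything above $1B.
    Integer arithmetic keeps the result exact in whole dollars."""
    tier1 = min(total_assets, 100_000_000)
    tier2 = min(max(total_assets - 100_000_000, 0), 900_000_000)
    tier3 = max(total_assets - 1_000_000_000, 0)
    graduated = tier1 * 3 // 100 + tier2 * 2 // 100 + tier3 * 5 // 1000
    return max(100_000, graduated)


def tnw_check(bs: BalanceSheet) -> dict:
    """Compare actual TNW with the MTMA minimum and report any shortfall."""
    required = mtma_required_tnw(bs.total_assets)
    actual = tangible_net_worth(bs)
    return {
        "net_worth": net_worth(bs),
        "tangible_net_worth": actual,
        "required_tnw": required,
        "shortfall": max(required - actual, 0),
        "compliant": actual >= required,
    }


if __name__ == "__main__":
    # Two constructed FinTech balance sheets with identical total assets.
    # The second carries most of its value in software and goodwill, so it
    # shows a higher plain net worth yet fails the tangible net worth test.
    lean = BalanceSheet(total_assets=50_000_000, intangible_assets=10_000_000,
                        total_liabilities=15_000_000)
    heavy = BalanceSheet(total_assets=50_000_000, intangible_assets=40_000_000,
                         total_liabilities=9_000_000)
    for name, bs in (("lean", lean), ("intangible-heavy", heavy)):
        print(name, tnw_check(bs))
```

The "intangible-heavy" company has the larger net worth of the two ($41M against $35M) but only $1M of tangible net worth against a $1.5M requirement, which is exactly the situation section 4.2.2 warns technology companies about.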

4.3.

The active adoption of the MTMA by the states (at present, > 30 states have adopted the law in whole or in part) forms two de facto clusters of jurisdictions: states with legacy legislation (often with low, fixed NW requirements) and states that have adopted the MTMA with its dynamic formula.
This factor has strategic importance in selecting the first state for licensing.
Compliance with MTMA standards from the very beginning of operations can significantly simplify obtaining subsequent licenses in other MTMA states and establish a positive reputation for the company with regulators nationwide.

5. Certificate of Good Standing

A universal prerequisite is submitting a «Certificate of Good Standing», issued in the company's state of incorporation.
This requirement is codified in the MTMA:

a certificate of good standing from the state or country in which the applicant is incorporated or formed

This document must be current: typically, it must be issued no earlier than 60 days before submitting the application.
For the regulator, the certificate confirms that the company fulfills its basic legal and tax obligations in its home state, such as filing annual reports, paying franchise taxes, and maintaining a registered agent.

6. Financial statements

6.1. Yearly

Most states require the submission of audited financial statements for the last fiscal year, as well as for the 2 preceding years if the company has been in existence longer.
These statements must be prepared by an independent CPA in accordance with GAAP.

6.2. Quarterly

Most states also require interim (quarterly) financial statements.
They may be unaudited, but they must be dated no later than 90 days before submitting the license application.

6.3. Startups

For companies that have just started operations and do not have a financial history, the requirements are adapted.
In this case, it is necessary to provide an initial statement of condition and documentation supporting the method and source of capitalization.
Verifying the source of initial investments is the primary method by which the regulator can assess AML risk at the earliest stage.

7. Surety bond

Almost all states require a surety bond, which protects consumers and the state from potential losses if the company fails to fulfill its obligations.

8. A package of documents describing the company

Regulators require the submission of a package of documents describing the company's operational activities, management structure, and key personnel:

  • Business Plan
  • Organizational Chart
  • Management Chart
  • An individual MU2 form for each Control Person (NMLS requires a separate form per person).

A Control Person is defined differently from state to state, but typically includes all direct and indirect owners with a share of 25% or more, as well as all key executives (e.g., CEO, CFO, CCO).
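Deciding who needs an MU2 form becomes non-trivial once the applicant is owned through intermediate holding companies. The following added Python example is mine, not part of the original guidance or of any NMLS material: the cap table and officer roster are constructed, the 25% threshold and the CEO/CFO/CCO titles are taken from the paragraph above, and the assumption that an indirect share equals the product of the fractions along each ownership chain, summed over all chains, is my working definition (states define Control Persons differently, as the text notes).

```python
from fractions import Fraction
from typing import Dict, FrozenSet, List

# Constructed sample cap table: for every entity, who owns it and what fraction.
# Names that never appear as keys are natural persons (they have no owners).
CAP_TABLE: Dict[str, Dict[str, Fraction]] = {
    "Applicant LLC": {"HoldCo Inc": Fraction(60, 100),
                      "Alice": Fraction(20, 100),
                      "Bob": Fraction(20, 100)},
    "HoldCo Inc": {"Alice": Fraction(50, 100),
                   "Carol": Fraction(50, 100)},
}

# Constructed officer roster for the applicant.
OFFICERS: Dict[str, str] = {"Alice": "CEO", "Bob": "CFO", "Dave": "CTO", "Erin": "CCO"}

OWNERSHIP_THRESHOLD = Fraction(25, 100)      # "25% or more", direct or indirect
KEY_EXECUTIVE_TITLES = {"CEO", "CFO", "CCO"}  # the examples given in the text


def effective_ownership(entity: str,
                        cap_table: Dict[str, Dict[str, Fraction]]) -> Dict[str, Fraction]:
    """Look through intermediate entities and attribute the applicant's equity
    to natural persons. Assumed rule: indirect share = product of fractions along
    each ownership chain, summed over all chains. Exact Fraction arithmetic avoids
    false negatives at the threshold from floating-point rounding."""
    shares: Dict[str, Fraction] = {}

    def walk(current: str, weight: Fraction, path: FrozenSet[str]) -> None:
        for owner, frac in cap_table.get(current, {}).items():
            w = weight * frac
            if owner in cap_table:          # intermediate entity: keep looking through it
                if owner in path:           # guard against circular holdings
                    continue
                walk(owner, w, path | {owner})
            else:                           # natural person: attribute the share
                shares[owner] = shares.get(owner, Fraction(0)) + w

    walk(entity, Fraction(1), frozenset({entity}))
    return shares


def control_persons(entity: str,
                    cap_table: Dict[str, Dict[str, Fraction]],
                    officers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return each Control Person together with the reasons an MU2 form is needed."""
    reasons: Dict[str, List[str]] = {}
    for person, share in effective_ownership(entity, cap_table).items():
        if share >= OWNERSHIP_THRESHOLD:
            reasons.setdefault(person, []).append(
                f"owns {float(share):.0%} directly or indirectly")
    for person, title in officers.items():
        if title in KEY_EXECUTIVE_TITLES:
            reasons.setdefault(person, []).append(f"key executive ({title})")
    return reasons


if __name__ == "__main__":
    for person, why in control_persons("Applicant LLC", CAP_TABLE, OFFICERS).items():
        print(f"{person}: MU2 required because " + "; ".join(why))
```

In the constructed data Alice holds 20% directly plus half of HoldCo's 60%, so she reaches 50% and also appears as CEO; Carol never appears on the applicant's own cap table yet holds 30% through HoldCo and is caught only by the look-through; Bob stays below the threshold but is captured as CFO; Dave, a CTO, is not a Control Person under this definition.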

9. AML/BSA

Implement and document an anti-money laundering program (AML/BSA program) that complies with BSA requirements:

  • Officially appoint a BSA Compliance Officer.
  • Develop an AML/BSA policy.
  • Develop a customer identification program (CIP).

Regulators require the AML program to undergo regular independent testing to assess its adequacy and effectiveness.

10. A cybersecurity program

Develop a cybersecurity program based on the NIST Cybersecurity Framework (CSF).

11. WISP

Create a Written Information Security Plan (WISP).

12. Technical controls

Implement technical controls:

  • Multi-factor authentication (MFA)
  • Encryption
  • Antivirus software
  • Patch management: a procedure for the timely installation of security updates for operating systems and software.
  • Centralized access control: the use of systems that allow for centrally managing employee access rights to various resources.

13. BCP/DR

Develop a Business Continuity and Disaster Recovery Plan (BCP/DR):

13.1. Business Impact Analysis (BIA)

Its purpose is to identify the company's critical business processes and IT systems and to assess the potential damage (financial, reputational, regulatory) from their downtime over various periods.

13.2. Business Continuity Plan (BCP)

The BCP is a strategic document describing how the company will maintain key business functions during and after an emergency.
It must address not only technical failures but also other events such as natural disasters, power outages, or pandemics.
The experience of the COVID-19 pandemic has fundamentally changed regulators' expectations for a BCP.
A modern BCP must contain a separate, detailed section on «Pandemic Response and Remote Work Organization».

13.3. Disaster Recovery Plan (DRP)

The DRP is the technical part of the BCP, focused on the recovery of the IT infrastructure and data.
The plan must contain step-by-step instructions for IT personnel.

13.4. Vendor Management Policy

Modern FinTech companies are heavily dependent on third-party service providers: cloud providers (AWS, Azure), API providers, payment gateways, data verification systems, etc.
Each such provider is a potential point of failure or a source of risk.
Regulators expect companies to manage these risks as diligently as their own.