How to Respond to a FinCEN Subpoena or Regulatory Inquiry

Receiving a subpoena, request, or inquiry from the Financial Crimes Enforcement Network (FinCEN), can be stressful for any fintech founder. It may arrive as a formal subpoena, a request for records, a follow-up question about Bank Secrecy Act compliance, or an inquiry connected to a broader investigation.

The worst response is panic. The second worst response is silence.

FinCEN is the bureau of the U.S. Department of the Treasury responsible for administering and enforcing the Bank Secrecy Act, or BSA. The BSA is the main U.S. anti-money laundering law for financial institutions, including many money services businesses and money transmitters. FinCEN’s authorities include collecting and analysing financial intelligence, supporting law enforcement, and enforcing BSA compliance requirements.

For fintech operators, a FinCEN inquiry should be handled carefully, quickly, and with legal support. It may be routine. It may be serious. Either way, your response should be organised, accurate, and defensible.

This guide explains how fintech founders and compliance teams should respond when FinCEN contacts the business.

The first thing is to understand what you received

Not every FinCEN communication is the same. The first step is to identify the type of request.

You may receive a ’s Section 314(a) request – This is a FinCEN process allows federal, state, local, and certain foreign law enforcement agencies to reach financial institutions through FinCEN to locate accounts and transactions of persons that may be involved in terrorism or significant money laundering.

You may also receive a subpoena for documents or testimony, a request for money services business records, a request routed through another regulator or law enforcement agency or a follow-up question about suspicious activity reports or other filings.

The type of request matters because it affects your deadline, your legal obligations, the documents you must produce, confidentiality rules, and whether you should negotiate the scope of the request.

It’s important not to assume the request is informal because it arrives by email, and not to assume it is an enforcement action simply because it comes from FinCEN. Read it carefully and involve counsel early.

Do not ignore the deadline

Most subpoenas and regulatory requests include a response deadline. That deadline should be treated seriously.

Your first internal step should be to record the date the request was received and the subject matter of the request, the response deadline and the issuing office or contact person.

If the deadline is too short, counsel may be able to request an extension. But you should not wait until the final day. Regulators are more likely to grant reasonable extensions when the company responds early and professionally.

Missing a deadline can make the company look disorganised or uncooperative. In a compliance context, that can be damaging.

Preserve documents immediately

Once you receive a subpoena or regulatory inquiry, you should preserve relevant records. This means stopping ordinary deletion, overwriting, or destruction of potentially relevant information.

Send a legal hold (an instruction to preserve documents and data that may relate to the inquiry) to relevant team members.

The hold may cover customer files, KYC & KYB records, transaction records, communications with customers, banks or payment partners, compliance policies and audit reports;

Do not edit, backdate, delete, or “clean up” documents after receiving the request. That can create serious legal risk. If records are incomplete, say so to your lawyer. Trying to fix the record by creating documents that make the company look better could backfire.

Involve the right people, but keep the group small

A FinCEN inquiry should not be discussed widely across the company. At the same time, it should not be handled by one founder alone.

Create a small response team. The team should understand that communications may be sensitive. Avoid casual internal commentary about the inquiry. So, speculating in writing, making jokes, or blaming employees, partners, or customers in chat channels should be avoided.

Internal communications should be factual, professional, and necessary.

Confirm whether the company is an MSB

If your company provides money transmission or related services, FinCEN may view it as a money services business, or MSB.

FinCEN states that money services businesses generally must register with the Department of the Treasury, and FinCEN’s materials note that registration is generally filed within 180 days after the MSB is established and renewed every two years.

FinCEN also takes enforcement actions against MSBs for failure to register, as well as for violations of BSA reporting, recordkeeping, and other requirements.

For a fintech, this question is critical. If the company should have registered as an MSB but did not, the response strategy may be different from that of a company that is registered and has a solid AML programme.

You should assess: whether the company is a money transmitter and whether licencees are present; whether an exemption applies; whether the company registered with FinCEN, whether registration was timely, whether renewals were filed and whether the company has maintained required records and policies.

Do not answer this casually. MSB classification can affect the entire response.

Review your AML programme before producing documents

If the inquiry relates to BSA compliance, FinCEN may be interested in whether the company has a working anti-money laundering programme.

For money services businesses, examiners may review whether the business has a risk-based AML programme, whether it keeps required records, and whether it files required reports. FinCEN’s MSB examination manual was created to support risk-based examinations and provide a summary of BSA compliance requirements and examination procedures for the MSB industry.

Before producing documents, the company should understand its own position.

Review AML/CFT policy, customer due diligence procedures, currency transaction reporting process, (if applicable), MSB registration records and even vendor agreements.

This review is not about hiding bad facts. It is about understanding the facts before responding. A company should not produce documents blindly without knowing what they show.

Scope the request carefully

Many subpoenas and regulatory inquiries request broad categories of documents. Some requests are clear. Others may be too broad, ambiguous, or difficult to satisfy.

Your response team should break the request into specific categories. If the request is unclear, your lawyer or team may contact the regulator to ask for clarification. This can prevent unnecessary overproduction and reduce the risk of missing important records.

Protect privileged and sensitive material

Some documents may be protected by attorney-client privilege or attorney work product rules. In plain English, this means certain legal advice and legal strategy documents may not need to be produced.

Privilege should be handled carefully. Not every email copied to a lawyer is privileged. However, do not waive privilege accidentally by producing protected material without review.

The company should also protect sensitive personal data. A FinCEN response may include customer identity documents, bank account details, transaction records, and beneficial ownership information. These should be transmitted securely and only through approved channels.

Prepare a clear production plan

A good response is organised. A rushed document dump can create confusion and risk.

A comprehensive production plan should describe the sources of documents to be collected, the search terms or collection methods that will be applied, and the custodians whose records will be reviewed. It should specify the relevant date ranges and the file formats to be included, while also addressing privilege review to ensure protected communications are withheld and noting any redactions that may be necessary. The plan should outline quality control measures to confirm accuracy and completeness, detail the production method (such as electronic transfer or physical media), and include a cover letter or response narrative that explains the scope of the production.

It should maintain a clear record of what was produced to provide transparency and accountability throughout the process. This helps the company track what was sent, when it was sent, and which request category it answered.

If the company cannot produce certain documents, explain why through counsel. For example, the records may not exist, may be held by a partner, may be outside the requested period, or may require more time to retrieve.

Be accurate and consistent

Accuracy matters more than speed.

Do not guess or give informal answers that have not been checked. Also, do not let different teams send separate responses to FinCEN without coordination.

If the company says it has a transaction monitoring programme, be prepared to show how it works. If the company says it screens customers against sanctions lists, be prepared to show the process and records. If the company says it filed suspicious activity reports, make sure the statement is accurate and that confidentiality rules are respected.

FinCEN has stated that it considers cooperation when evaluating BSA enforcement matters. Its enforcement statement says it encourages financial institutions to voluntarily and promptly report violations and to cooperate with investigations.

Cooperation does not mean careless disclosure. It means engaging professionally, preserving records, responding accurately, and correcting issues where necessary.

Avoid retaliating against customers or employees.

A regulatory inquiry may involve customer transactions, employee decisions, or partner activity, so handle these matters with care. Customer accounts should not be closed automatically simply because they appear in a subpoena, and customers should only be notified of an investigation if counsel confirms that notice is permitted otherwise, tipping off a customer could create legal risk.

Likewise, employees should not be disciplined until the facts are fully understood; if a compliance failure occurred, the company should conduct a proper investigation and document its findings.

The response should be controlled, fair, and legally supervised.

Consider whether remediation is needed

A FinCEN inquiry may reveal weaknesses in the company’s compliance programme.

Examples of AML compliance gaps include missing MSB registration, outdated AML policies, weak transaction monitoring, incomplete customer files, poor sanctions screening, lack of suspicious activity escalation, no independent AML review, inadequate staff training, unclear partner responsibilities, and missing agent list records. Each of these issues represents a breakdown in oversight or controls, leaving the program vulnerable to regulatory penalties and financial crime risks.

If a weakness exists, the company should consider remediation. Remediation means fixing the problem and documenting the fix.

This may include updating policies, improving onboarding, retraining staff, reviewing historical transactions, strengthening monitoring rules, filing overdue reports where appropriate, or changing partner controls.

Do not wait until the inquiry is over to address obvious gaps. But coordinate remediation with counsel, especially if the issue may need to be disclosed.

Prepare for possible follow-up

A subpoena or inquiry may not end with the first production. FinCEN or another agency may ask follow-up questions, request interviews, seek more documents, or refer issues to another regulator.

FinCEN’s enforcement materials explain that it may bring enforcement actions for violations of BSA reporting, recordkeeping, and other requirements, including failures involving suspicious activity reports, currency transaction reports, foreign bank account reports, and MSB registration.

Your company should be prepared to clearly explain its business model and money flow, outline the AML programme in place, and describe how customer onboarding, transaction monitoring, and sanctions screening are conducted.

It should also be able to show how suspicious activity is escalated, how records are maintained, and what roles partners play in compliance.

The company must demonstrate the remedial steps taken to address any deficiencies, ensuring regulators see a transparent and well-documented approach to oversight. Employees should not speak to regulators without preparation and legal guidance.

Common mistakes fintechs make

• Ignoring the request – treating it like routine customer support instead of escalating immediately.
• Deleting or altering documents – failing to preserve relevant records once the request is received.
• Responding without counsel – overlooking privilege, confidentiality, enforcement, or licensing issues.
• Overproducing without review – risking disclosure of privileged, irrelevant, or misleading material.
• Giving inconsistent answers – failing to coordinate compliance, operations, engineering, and management through one process.
• Assuming MSB registration solves everything – forgetting that FinCEN registration doesn’t eliminate BSA programme or state licensing obligations.
• Failing to fix known problems – neglecting remediation when compliance gaps are revealed

A practical response checklist

If your fintech receives a FinCEN subpoena or regulatory inquiry, take these steps.

1. Identify the type of request and deadline.
2. Notify counsel and the compliance lead immediately.
3. Preserve relevant documents and issue a legal hold.
4. Create a small internal response team.
5. Review the company’s MSB status, AML programme, and relevant records.
6. Break the request into categories and identify where responsive records are stored.
7. Collect documents in a controlled way.
8. Review for privilege, confidentiality, accuracy, and completeness.
9. Prepare an organised production with a clear cover response.
10. Track what was produced and prepare for follow-up.
11. Identify and begin remediation for any compliance gaps.

This checklist does not replace legal advice, but it gives founders a practical starting point.

Conclusion

A FinCEN subpoena or regulatory inquiry is serious, but it does not have to become chaotic. The right response is calm, organised, and legally supervised.

For fintech operators, the key steps are to understand the request, preserve records, involve counsel, review the company’s MSB and AML position, produce accurate information, protect privileged material, and remediate any weaknesses.

If your fintech receives a FinCEN subpoena or inquiry, do not handle it casually. Escalate quickly, respond carefully, and use the process as an opportunity to strengthen your compliance programme before the issue becomes more serious.

If you have questions about regulatory inquiries, subpoenas, or compliance processes, please fill out our Contact Us Form to reach the compliance team.