What TD Bank's $1.75B Penalty Means for Payment Startups

In 2024 and 2025, three of the largest US banks received enforcement actions for BSA/AML failures. The combined penalties exceeded $3 billion. The details of each case contain lessons that every payment startup should understand — because the same evidence standards apply to you through your banking relationships.

TD Bank: $1.75B — “Couldn't prove controls ran”

TD Bank's penalty was the largest BSA/AML enforcement action in US history. The core finding was not that TD Bank lacked compliance policies. They had policies. They had screening tools. They had a compliance team. What they could not do was produce evidence that those controls actually ran on the transactions examiners asked about.

The distinction matters. Having a compliance program is not the same as proving your compliance program worked. Examiners asked for evidence of transaction monitoring, and TD Bank could not produce it in a format that answered the question.

Lesson for payment startups: Your compliance program is only as strong as the evidence it produces. If you cannot show an examiner the specific screening result, policy version, and approval chain for a flagged transaction, your controls may as well not exist.

Bank of America: Governance and sanctions failures

Bank of America's consent order cited “governance and sanctions failures” — specifically, gaps in how the bank monitored transactions processed through third-party relationships. For every payment startup operating through a BaaS partnership or sponsor bank arrangement, this is directly relevant: your sponsor bank's examiner does not distinguish between the bank's transactions and yours.

When the examiner finds monitoring gaps, every downstream partner feels the consequences. Sponsor banks respond by tightening diligence requirements for their payment processor partners — which means more evidence requests, shorter response windows, and higher standards for what constitutes “proof.”

Lesson for payment startups: Your sponsor bank's examination exposure is your examination exposure. Prepare for Section 8 diligence reviews as if the examiner is asking you directly — because functionally, they are.

Wells Fargo: Suspicious activity reporting failures

Wells Fargo's enforcement action focused on suspicious activity reporting — specifically, failures to file SARs on transactions that met reporting thresholds. The issue was not that Wells Fargo lacked a SAR filing process. The issue was that the process could not keep pace with transaction volume, and the evidence trail between alert generation, investigation, and filing decision was incomplete.

For payment companies processing stablecoin transactions — which settle in seconds, irreversibly, 24/7 — the volume and speed challenge is even more acute. When 86% of illicit crypto flows involve stablecoins (TRM Labs, 2025), the SAR filing burden for stablecoin payment processors is not hypothetical.

Lesson for payment startups: SAR filing is an evidence production problem, not just a detection problem. If your alert-to-filing pipeline cannot produce the supporting evidence (screening results, transaction context, policy applied) in a structured format, you will miss filing deadlines or produce incomplete filings.

The pattern across all three

The common thread is not that these banks lacked compliance programs. All three had substantial compliance operations. The common thread is that they could not produce evidence that those programs worked on the specific transactions examiners asked about. The evidence was fragmented, incomplete, or not structured for examiner consumption.

For payment startups, the implication is clear: the evidence infrastructure you build today determines whether your compliance program is defensible tomorrow. When the GENIUS Act implementing regulations arrive in July 2026, the companies with structured evidence capture will be ready. The ones relying on log reconstruction and screenshots will be in the same position TD Bank was — policies on paper, but no proof they ran.

What payment startups should do now

Three concrete steps, in priority order:

  1. Capture evidence at decision time, not after. Every payment decision should produce a structured record with policy version, screening result, approval chain, and enforcement mode — before the payment settles.
  2. Link screening results to payment records. The temporal relationship between the screen and the settlement must be provable — timestamped and cryptographically linked, not just “we screen everything.”
  3. Build examiner-ready exports now. Do not wait for the examiner to ask. Build the export capability before you need it, so that when the first-request letter arrives, your response time is minutes, not days.
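
One way to implement steps 1 to 3 together, as an added example that is not code from this post or from any product it mentions: an append-only decision log in which each record carries the policy version, screening result, approval chain and enforcement mode, and is hash-linked to the record before it. All field names, identifiers and sample values are assumptions made up for the illustration.

```python
import hashlib
import json
GENESIS = "0" * 64  # prev_hash used by the first record in the log

def _digest(body):
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_decision(log, *, payment_id, policy_version, screening,
                    approvals, enforcement_mode, decided_at):
    """Append one decision record, linked to the previous record by hash."""
    if screening["screened_at"] > decided_at:
        raise ValueError("screening must precede the payment decision")
    body = {"payment_id": payment_id, "policy_version": policy_version,
            "screening": screening, "approvals": approvals,
            "enforcement_mode": enforcement_mode, "decided_at": decided_at,
            "prev_hash": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def verify(log):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if (rec["prev_hash"] != prev or _digest(body) != rec["hash"]
                or rec["screening"]["screened_at"] > rec["decided_at"]):
            return i
        prev = rec["hash"]
    return -1

def export_for_examiner(log, payment_id):
    """JSON Lines export of one payment's records, only if the log verifies."""
    if verify(log) != -1:
        raise RuntimeError("evidence log failed verification")
    return "\n".join(json.dumps(r, sort_keys=True)
                     for r in log if r["payment_id"] == payment_id)

# Constructed sample data; same-format ISO 8601 UTC strings compare as text.
LOG = []
append_decision(LOG, payment_id="pay_001", policy_version="v1.4.0",
    screening={"result": "clear", "screened_at": "2025-01-15T10:00:00Z"},
    approvals=["auto"], enforcement_mode="block",
    decided_at="2025-01-15T10:00:02Z")
append_decision(LOG, payment_id="pay_002", policy_version="v1.4.0",
    screening={"result": "hit", "screened_at": "2025-01-15T10:05:00Z"},
    approvals=["analyst_a", "mlro_b"], enforcement_mode="block",
    decided_at="2025-01-15T10:20:00Z")
```

A hash chain only shows that records were not edited, reordered or dropped relative to the latest hash, so that hash has to be stored somewhere the log writer cannot rewrite (for example, a separately controlled system or a signed checkpoint).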