The FFIEC Appendix H Survival Guide for Payment Companies
When an OCC or state banking examiner sends a first-request letter to your sponsor bank, the clock starts. Your bank partner has days to produce documentation across dozens of categories — and for third-party payment processors, many of those requests flow directly to you.
The FFIEC BSA/AML Examination Manual, Appendix H, defines over 130 document categories that examiners can request. Most payment companies have never read it. The ones that have usually discover their evidence is scattered across 5–8 systems with no structured way to produce it under time pressure.
Why Appendix H matters for payment processors
Appendix H is not hypothetical. It is the literal document that drives examiner requests. When TD Bank received its $1.75B BSA penalty, the core finding was that it could not produce evidence that controls actually ran. When Bank of America received its consent order for monitoring gaps, the evidence deficit was in categories directly mapped to Appendix H.
For payment processors — especially those operating stablecoin treasury, cross-border disbursements, or AI-agent initiated flows — the relevant Appendix H categories include:
1. Processor policies and procedures
Examiners want written documentation of your compliance controls. Not a Confluence page that was last updated in 2024 — the specific policy version that was in force when a given payment was processed. This is where most payment companies fail first: they have policies, but they cannot prove which version applied to a specific transaction.
2. Transaction details and volume data
Activity records with amounts, counterparties, dates, and settlement details. For traditional processors, this comes from the core banking system. For stablecoin operations, it is split across blockchain explorers, wallet APIs, and processor dashboards — three systems minimum, with no unified view.
3. SARs filed on processor relationships
Filing history with supporting documentation. Examiners want to see not just that a SAR was filed, but the evidence chain that led to the filing decision — the alerts, the investigation notes, the transaction patterns that triggered the review.
4. Screening results and sanctions evidence
OFAC/SDN check evidence for each payment. The critical requirement is not just that screening happened, but that it happened before the payment executed. Most payment companies can show their screening vendor dashboard — but cannot prove the temporal relationship between the screen and the settlement.
5. NACHA return correspondence and alert documentation
High return rate documentation, alert investigation records, and correspondence with banking partners. For companies operating across multiple rails, this evidence lives in email inboxes, NACHA portals, and case management tools with no connection to payment records.
The programmable money problem
Every new payment rail — stablecoins, real-time payments, AI-agent initiated flows — adds another system to the evidence assembly burden. A payment company operating USDC treasury on Base, ACH payouts through a banking partner, and card processing through a processor API might touch 8 systems to answer a single examiner question.
The FFIEC did not write Appendix H with programmable money in mind. But examiners use it regardless. The gap between what examiners request and what modern payment infrastructure can produce is where enforcement actions happen.
What to do about it
The companies that handle examinations well share one characteristic: they capture evidence at the point of decision, not after the fact. When an examiner asks about a specific payment, they can produce the decision record — policy version, screening result, approval chain, enforcement mode — in minutes, not days.
This is not about buying more compliance tools. It is about ensuring the evidence from your existing tools is captured, linked, and exportable in a format that answers the specific categories in Appendix H.
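A decision record of the kind described above, as an added sketch that is not code from this article or from any vendor. The field names, the SHA-256 hash chain used to link records, and the sample payments are assumptions made for illustration; the audit flags both altered records and screening that did not precede execution.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # "prev" value for the first record in the chain

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_decision(log, payment_id, policy_text, screening, screened_at,
                    approvals, enforcement_mode, executed_at):
    """Append one decision record, linked to the previous record's hash."""
    body = {
        "payment_id": payment_id,
        # Hash of the exact policy text in force, not just a version label.
        "policy_sha256": hashlib.sha256(policy_text.encode()).hexdigest(),
        "screening": screening,
        "screened_at": screened_at,
        "approvals": approvals,
        "enforcement_mode": enforcement_mode,
        "executed_at": executed_at,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append(dict(body, hash=_digest(body)))

def audit(log):
    """Return (index, finding) pairs: altered records and late screening."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            findings.append((i, "chain-broken"))
        screened = datetime.fromisoformat(rec["screened_at"])
        executed = datetime.fromisoformat(rec["executed_at"])
        if screened >= executed:
            findings.append((i, "screen-not-before-execution"))
        prev = rec["hash"]
    return findings

def build_sample_log():
    # Constructed sample data; the second payment was screened after release.
    log = []
    append_decision(log, "pay-001", "Sanctions policy v3 text", "clear",
                    "2025-03-01T12:00:00+00:00", ["analyst-a"], "enforce",
                    "2025-03-01T12:00:05+00:00")
    append_decision(log, "pay-002", "Sanctions policy v3 text", "clear",
                    "2025-03-01T12:10:09+00:00", ["analyst-b"], "enforce",
                    "2025-03-01T12:10:02+00:00")
    return log
```

The chain only shows that records were not edited after they were written; the timestamps are still only as trustworthy as the clock and the system that recorded them.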
The GENIUS Act (signed July 2025, implementing regulations due July 2026) will add stablecoin-specific requirements to this framework. The companies building evidence infrastructure now will be ready. The ones assembling evidence from screenshots at 11pm before an OCC exam will not.