Money Services Business

A money services business is a company that moves, exchanges, or transmits value in ways regulated under US financial law. In crypto, this classification often triggers FinCEN registration, AML obligations, and customer due diligence requirements tied to the identities operating the service.

Expanded Definition

A money services business, or MSB, is not just a payments company in the broad sense. In US regulatory practice, it is an entity that transmits money, issues or redeems stored value, or exchanges currency in a way that can bring it under FinCEN oversight and AML expectations. In crypto and agentic finance, the term often matters because the service itself may operate through software, APIs, wallets, and custody workflows rather than a traditional branch network.

For NHI governance, the critical issue is that an MSB’s compliance posture depends on the identities operating its rails: service accounts, API keys, signing keys, bots, and orchestration agents. Definitions vary across vendors and jurisdictions when virtual asset activity is involved, so teams should anchor interpretation to the relevant regulatory perimeter rather than assume every wallet or relay is automatically an MSB. The NIST Cybersecurity Framework 2.0 helps frame this as an asset, identity, and governance problem, not only a financial one.

The most common misapplication is treating an MSB designation as a legal label for the company alone, which occurs when teams ignore the NHI stack that actually executes transfers, exchanges, and compliance checks.

Examples and Use Cases

Implementing MSB controls rigorously often introduces onboarding friction and monitoring overhead, requiring organisations to weigh faster transaction flows against stronger identity, recordkeeping, and suspicious-activity controls.

  • A crypto exchange registers as an MSB and must govern the service accounts that price assets, approve withdrawals, and generate SAR-related audit logs.
  • A remittance platform uses API-based payout partners, so wallet-signing keys and callback tokens need lifecycle controls similar to human privileged access.
  • A hosted wallet provider applies customer due diligence while also restricting which automated reconciliation jobs can move funds or access balances.
  • An OTC desk handling fiat-to-crypto conversion separates operational bots from compliance workflows, reducing the chance that a single NHI can both initiate and approve transfers.
  • NHI governance teams use the Ultimate Guide to NHIs to map how service accounts, secrets, and rotation practices affect regulated transaction systems.

For identity assurance and transaction trust, MSBs increasingly align automated access patterns with the same discipline used for regulated systems under NIST Cybersecurity Framework 2.0, even when the transaction engine is entirely software-driven.

Why It Matters in NHI Security

MSBs are high-value targets because payment movement, customer onboarding, sanctions screening, and ledger reconciliation often depend on non-human identities that can be over-permissioned, poorly rotated, or left embedded in code. When those identities are compromised, attackers can move value, alter records, or impersonate legitimate automation at machine speed. NHIMG research shows that 97% of NHIs carry excessive privileges, 79% of organisations have experienced secrets leaks, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. Those patterns matter directly for MSBs because financial workflows magnify the impact of every exposed token or signing credential, especially where custody, settlement, or customer identity checks are automated.

The governance challenge is not just preventing theft, but proving which NHI initiated a transfer, which secret was used, and whether the transaction path matched policy. The Ultimate Guide to NHIs is useful here because MSB environments often accumulate sprawling machine identities faster than security teams can inventory them. Organisations typically encounter regulatory exposure only after a suspicious transfer, sanctions failure, or key compromise, at which point the MSB's control of the underlying NHI estate becomes an operational problem it cannot avoid addressing.
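The check described above, as an added example that is not part of the original page: a Python review of transfer audit records that reports which NHI and credential acted at each step, and flags transfers where one NHI both initiated and approved. The NHI names, credential ids, policy and log records are all constructed for illustration.

```python
# Constructed policy: which NHIs may perform each step of a transfer.
POLICY = {"initiate": {"svc-payout-bot"}, "approve": {"svc-compliance-approver"}}
# Constructed credential inventory: credential id -> owning NHI.
CREDENTIALS = {"key-001": "svc-payout-bot", "key-002": "svc-compliance-approver"}
# Constructed audit records: (transfer id, step, acting NHI, credential used).
AUDIT_LOG = [
    ("T1", "initiate", "svc-payout-bot", "key-001"),
    ("T1", "approve", "svc-compliance-approver", "key-002"),
    ("T2", "initiate", "svc-payout-bot", "key-001"),
    ("T2", "approve", "svc-payout-bot", "key-001"),
    ("T3", "initiate", "svc-recon-job", "key-009"),
    ("T4", "initiate", "svc-payout-bot", "key-002"),
    ("T4", "approve", "svc-compliance-approver", "key-002"),
]

def review_transfers(log, policy, credentials):
    """Return {transfer_id: [findings]} for transfers whose path breaks policy."""
    by_transfer = {}
    for tid, step, nhi, cred in log:
        by_transfer.setdefault(tid, []).append((step, nhi, cred))
    findings = {}
    for tid, records in by_transfer.items():
        issues, actors = [], {}
        for step, nhi, cred in records:
            actors.setdefault(step, set()).add(nhi)
            # Entitlement check: is this NHI allowed to perform this step?
            if nhi not in policy.get(step, set()):
                issues.append(f"{nhi} not authorised to {step}")
            # Attribution check: is the secret inventoried and owned by the actor?
            owner = credentials.get(cred)
            if owner is None:
                issues.append(f"credential {cred} not in inventory")
            elif owner != nhi:
                issues.append(f"credential {cred} belongs to {owner}, used by {nhi}")
        # Separation of duties: no NHI may both initiate and approve.
        if actors.get("initiate", set()) & actors.get("approve", set()):
            issues.append("same NHI initiated and approved")
        # Completeness: every transfer needs both steps on record.
        for step in ("initiate", "approve"):
            if step not in actors:
                issues.append(f"missing {step} record")
        if issues:
            findings[tid] = issues
    return findings

if __name__ == "__main__":
    for tid, issues in review_transfers(AUDIT_LOG, POLICY, CREDENTIALS).items():
        print(tid, "->", "; ".join(issues))
```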

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | MSB services depend on secrets and service accounts that this control targets. |
| NIST CSF 2.0 | PR.AC-4 | MSB automation needs least-privilege access and disciplined entitlement management. |
| NIST SP 800-63 | IAL2 | MSBs often require stronger identity proofing for customer due diligence workflows. |

Bind automated account workflows to verified identity processes where regulated customer checks apply.