AML Compliance

AML compliance refers to the systems and procedures that financial institutions, brokers, and other regulated entities must maintain to prevent money laundering, terrorist financing, and other financial crimes. Regulated firms employ compliance teams, software, and processes to detect suspicious activity and file reports with authorities.

For customer identity verification, see Know Your Customer (KYC). For international standards, see Financial Action Task Force.

Program Element	Requirement
KYC program	Identify and verify customer identity
Transaction monitoring	Flag unusual patterns; set risk thresholds
Reporting	File SARs (Suspicious Activity Reports)
Training	All staff must understand AML rules
Independent audit	Annual review by compliance officer or external auditor

What constitutes money laundering

Money laundering is the process of disguising the source of illegal proceeds (drug trafficking, fraud, corruption) so they appear legitimate. The typical flow has three stages:

Placement: Illegal cash enters the financial system (bank deposit, casino buy-in, trade financing).
Layering: The money is moved between accounts, across borders, or through complex transactions to obscure its origin.
Integration: The now-clean money returns to the criminal as legitimate income or investment returns.

AML programs target all three. A suspicious bank deposit from a new customer in a high-risk country triggers scrutiny. Rapid wire transfers to multiple accounts in shell company names raises flags. Unexplained inflows into a previously dormant account are reported.

Core AML program elements

Know Your Customer (KYC): Before opening an account, institutions must verify the customer’s identity (government ID, address verification), understand the nature of their business, and assess their risk profile. High-risk customers (politically exposed persons, PEPs; those in sanctioned countries; cryptocurrency traders) get enhanced due diligence (EDD). Low-risk customers (salary employees in developed countries) get standard KYC.

Suspicious Activity Reporting (SAR): When a transaction meets AML red flags (large round-dollar amounts, structuring to avoid $10,000 reporting thresholds, international wires to high-risk jurisdictions, cash deposits followed by rapid withdrawals), the institution files a SAR with FinCEN (the U.S. Financial Crimes Enforcement Network). Banks file thousands of SARs daily; FinCEN uses data analytics to identify patterns and hand off case files to law enforcement.

Transaction Monitoring: Compliance systems flag transactions that deviate from customer profile. A retiree receiving a $500,000 wire from a jurisdiction with weak AML controls is unusual. A business customer receiving payments from an unverified entity in a sanctioned country is a red flag. Automated rules score transactions; high-risk ones are escalated for manual review.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): Beyond basic KYC, institutions must understand the customer’s business, their sources of funds, and beneficial ownership. For PEPs (politicians, senior government officials), banks verify that their wealth is legitimate and not proceeds of corruption. For shell companies, banks drill down to identify true owners and verify them independently.

Regulatory framework

The primary U.S. law is the Bank Secrecy Act (BSA, 1970), amended by the USA PATRIOT Act (2001). It requires institutions to file Currency Transaction Reports (CTRs) for cash deposits >$10,000 and SARs for suspicious activity >$5,000. Similar laws exist in most developed countries:

EU: AML Directives 4 and 5 (now codified in the AML Regulation)
UK: Financial Conduct Authority (FCA) and Proceeds of Crime Act (2002)
International: The Financial Action Task Force (FATF) sets global standards; countries are peer-reviewed on compliance.

Penalties for violations are severe. Wells Fargo paid $2 billion to settle AML deficiencies. HSBC agreed to $1.9 billion for failing to detect money laundering in Mexico. These penalties include fines plus mandatory improvements to compliance infrastructure.

Sanctions screening and designation lists

Part of AML compliance is checking customer and counterparty names against government sanctions lists—Office of Foreign Assets Control (OFAC) lists for the U.S., HM Treasury lists for the UK, and others. A customer whose name appears on a sanctions list (a terrorist, a Russian oligarch under OFAC sanctions) must have their account frozen and the transaction blocked.

Screening is automated but imperfect. False positives occur (a customer named “Mohammed Hussein” might have a legitimate name match to someone on a terror list). Firms must maintain processes to resolve mismatches. Missed sanctions hits are also costly; institutions are liable for knowingly transacting with sanctioned parties.

Transaction structuring and red flags

“Structuring” (breaking a large transaction into smaller ones to evade the $10,000 reporting threshold) is itself a crime. A customer depositing $8,000 each day for a week raises suspicion. Real estate purchases funded by bearer bonds or shell companies in offshore jurisdictions are flags. Cryptocurrency use in AML compliance is controversial—crypto transactions are pseudonymous, making beneficial ownership hard to verify, though major exchanges now perform KYC.

Common red flags include:

High-value transactions inconsistent with stated business
Circular flows (money in, immediate transfer out to unrelated party)
Use of cash couriers or trade-based laundering (over-invoicing imports to move value offshore)
Deposits into accounts then rapid withdrawals or wires
Transactions with entities in high-risk jurisdictions

Technology and AI in AML

Modern AML relies on machine learning and AI to detect patterns humans would miss. Systems score thousands of transactions daily, flag anomalies, and learn over time. A customer’s baseline behavior (regular paycheck deposits, periodic bill payments) is established; deviations trigger investigation. Network analytics can follow linked accounts and shell companies.

However, false positives remain high. Many AML teams spend time investigating transactions that turn out to be innocent. Financial inclusion advocates argue that overly aggressive AML screening (especially KYC requirements) excludes poor populations and drives business to unregulated alternatives.

AML compliance cost and burden

Large institutions employ hundreds of compliance staff, purchase specialized AML software, and conduct constant training. Compliance costs are material—often $1 billion+ annually for large global banks. Smaller institutions struggle with the expense. This has driven consolidation in banking (smaller banks can’t afford compliance and get acquired) and pushed consumer finance into unregulated corners (check-cashing shops, money transmitters, cryptocurrency platforms with weak controls).

International coordination

Effective AML requires international cooperation. A criminal moving money through multiple countries must be tracked across borders. The Financial Action Task Force (FATF) coordinates this, issuing mutual evaluation reports on each country’s AML framework. Countries with weak AML controls (on the FATF “grey list”) face trade and financial sanctions, creating pressure to strengthen compliance.

Know Your Customer — Customer identification and verification processes
Financial Action Task Force — International AML standard-setter
FinCEN Reporting — Filing suspicious activity reports with the U.S. government
Enhanced Due Diligence — Deep verification for high-risk customers
Anti-Money Laundering — Overview of money laundering and prevention

Wider context

Financial Conduct Authority — UK financial regulator with AML responsibilities
Securities and Exchange Commission — U.S. regulator overseeing broker-dealer AML
Sanctions Screening — Checking names against government watchlists
Cryptocurrency Exchange — AML challenges in digital asset trading
Banking Crisis — Historical context for financial regulation