Pomegra Wiki

AML and KYC Regulatory Requirements for Banks

Banks worldwide must identify who they do business with and monitor for signs of illegal activity. AML and KYC regulatory requirements for banks are the legal framework for this scrutiny: KYC (know your customer) mandates due diligence at account opening and on an ongoing basis; AML (anti-money laundering) mandates detection and reporting of suspicious transactions. Together, they form a compliance regime enforced by regulators and backed by criminal penalties.

What KYC (Know Your Customer) Requires

KYC is the foundation of all other AML obligations. A bank must identify and verify the identity of anyone opening an account, and must understand the purpose and nature of the customer’s relationship.

At account opening, a bank must collect:

  • Full legal name (or business name)
  • Date of birth (for individuals)
  • Address and contact details
  • Government-issued ID and verification (passport, driver’s license, etc.)
  • Beneficial ownership information (for businesses: who truly owns and controls the entity)

The bank verifies this information against official records or independent sources—not just trusting what the customer says. This verification must be documented.

For businesses, KYC goes deeper. A bank must understand:

  • The nature and purpose of the business
  • The organizational structure (who are directors, shareholders, controllers?)
  • The expected transaction patterns (volume, geography, sectors)
  • The source of funds being deposited

Beneficial ownership is a critical modern addition. If a customer is a company, trust, or other entity, the bank must identify the natural persons who ultimately own or control it—not just the legal entity. For a private company, that means naming the owners and their stakes. For a trust, it means identifying the settlor, trustees, and beneficiaries. Regulators want to prevent hiding behind shell entities.

Enhanced Due Diligence (EDD)

Not all customers warrant the same scrutiny. Higher-risk customers require enhanced due diligence:

  • Politically exposed persons (PEPs): Government officials, family members, and close associates. A bank must identify PEPs, understand the source of their wealth, and actively monitor their accounts.
  • Customers from higher-risk jurisdictions: Countries with weak AML frameworks, high corruption, or links to sanctions regimes. Transactions are monitored more closely.
  • High-value customers: Those moving large sums. A bank needs to understand the source of funds and purpose of the relationship.
  • Non-face-to-face customers: Anyone opening an account remotely gets extra verification (additional identity checks, source of funds confirmation).
  • Beneficial owners of legal entities: For complex structures, banks may need to obtain board resolutions, certificates of incorporation, or third-party confirmations.

The Financial Action Task Force (FATF), a global AML standard-setter, publishes guidance on EDD. National regulators enforce it with varying stringency.

AML (Anti-Money Laundering) Requirements

KYC is about identifying customers. AML is about watching what they do. A bank must have systems in place to detect and report transactions that could involve proceeds of crime.

Suspicious Activity Reports (SARs) are the core mechanism. If a bank detects a transaction or pattern that could involve money laundering, terrorist financing, fraud, or other criminal activity, it must file a SAR with the national financial intelligence unit (in the U.S., the Financial Crimes Enforcement Network, or FinCEN).

What triggers a SAR?

  • A single large transaction without clear legitimate purpose (e.g., a business owner deposits $500K in cash with no explanation)
  • Structuring: many small deposits just below reporting thresholds, designed to evade detection
  • Circular patterns: money flowing in and immediately back out to unrelated parties
  • Round-number transactions (e.g., exactly $100K, repeatedly)
  • Transactions inconsistent with the customer’s profile (e.g., a retiree suddenly moving millions internationally)
  • Transactions linked to known criminals, sanctioned entities, or high-risk jurisdictions
  • Attempts to manipulate the bank’s transaction-monitoring system (e.g., split payments to avoid thresholds)

Threshold reporting is a separate requirement. In the U.S., banks must report all cash transactions >$10,000 via Currency Transaction Reports (CTRs). In the EU and many other jurisdictions, there is no universal cash threshold, but banks must report suspicious patterns regardless of size.

Critically: filing a SAR does not mean the customer is guilty. It means the bank has reasonable suspicion of involvement in a crime. The SAR is filed confidentially to the financial intelligence unit, which investigates. The bank does not tell the customer (in fact, doing so is illegal in most jurisdictions—it “tips off” the suspect).

Ongoing Monitoring and Transaction Testing

KYC is not a one-time exercise. Banks must conduct ongoing monitoring of customer accounts and transactions throughout the relationship.

This means:

  • Regularly reviewing transactions against the customer’s profile and stated purpose
  • Testing sample transactions (e.g., verifying that a business customer’s deposits are actually from the suppliers they claim)
  • Re-verifying beneficial ownership and address information periodically (at least annually, more often for higher-risk customers)
  • Updating customer risk ratings if circumstances change

Large banks use automated transaction monitoring systems that flag suspicious patterns (unusual volumes, new counterparties, round amounts, high-risk jurisdictions, etc.). Analysts then review flagged transactions and decide whether to file a SAR.
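As an added illustration (not part of this wiki entry, and not any bank's actual monitoring system), the following Python sketch implements three of the rules described in the SAR-trigger list and the paragraph above: the U.S. $10,000 cash threshold, repeated round-number amounts, and structuring (several sub-threshold cash deposits that together exceed the threshold). The 7-day window, the minimum of three deposits, and all customer names and amounts are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000       # U.S. cash reporting threshold for a CTR
WINDOW_DAYS = 7              # assumed look-back window for structuring (illustrative)
MIN_DEPOSITS = 3             # assumed minimum sub-threshold deposits to flag (illustrative)

@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: int
    kind: str                # "cash" or "wire"

def monitor(txns):
    alerts = defaultdict(set)          # customer -> set of alert names
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)
        # Rule 1: a single cash transaction above the CTR threshold must be reported.
        if t.kind == "cash" and t.amount > CTR_THRESHOLD:
            alerts[t.customer].add("CTR_REQUIRED")
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t.day)
        # Rule 2: repeated round-number amounts (exact multiples of 10,000).
        if sum(1 for t in items if t.amount > 0 and t.amount % 10_000 == 0) >= 2:
            alerts[cust].add("ROUND_AMOUNTS")
        # Rule 3: structuring - several at-or-below-threshold cash deposits within the window whose total exceeds it.
        cash = [t for t in items if t.kind == "cash" and 0 < t.amount <= CTR_THRESHOLD]
        for i, first in enumerate(cash):
            window = [t for t in cash[i:] if (t.day - first.day).days <= WINDOW_DAYS]
            if len(window) >= MIN_DEPOSITS and sum(t.amount for t in window) > CTR_THRESHOLD:
                alerts[cust].add("POSSIBLE_STRUCTURING")
                break
    return {c: sorted(a) for c, a in alerts.items()}

# Constructed sample activity (not real data).
SAMPLE_TXNS = [
    Txn("acme-retail", date(2024, 3, 1), 15_000, "cash"),   # over threshold -> CTR
    Txn("jdoe", date(2024, 3, 1), 9_500, "cash"),            # three sub-threshold
    Txn("jdoe", date(2024, 3, 2), 9_800, "cash"),            # deposits in 4 days
    Txn("jdoe", date(2024, 3, 4), 9_900, "cash"),            # -> structuring
    Txn("shellco", date(2024, 3, 3), 100_000, "wire"),       # repeated round wires
    Txn("shellco", date(2024, 3, 9), 100_000, "wire"),
    Txn("salaried", date(2024, 3, 5), 2_000, "cash"),        # no alert
]

def run_sample():
    return monitor(SAMPLE_TXNS)
```

Calling `run_sample()` returns the alert names per customer for the constructed sample; in practice an analyst reviews each flag against the customer's profile before deciding whether a SAR is warranted.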

Correspondent Banking and Wire Transfer Controls

AML obligations extend beyond direct customers. Banks often use correspondent banks—other banks—to clear international transactions. If Bank A in Country X needs to move money to a bank in Country Y, it may route through an intermediate correspondent.

Under FATF and most national rules, a bank must apply KYC to its correspondents. It must verify that a correspondent bank has adequate AML controls; if not, the bank may not use it. This is called correspondent due diligence.

Similarly, for wire transfers, FATF rules require banks to include originator and beneficiary information (name, account number, address) on the wire. This “travel rule” lets regulators trace high-risk payments.

Customer Risk Ratings and Segmentation

Regulators expect banks to segment customers by risk and adjust AML controls accordingly.

Low-risk segments might include:

  • Established local businesses with audited financials
  • Salaried employees
  • Non-profits with transparent funding

High-risk segments include:

  • Cash-intensive businesses (restaurants, casinos, laundries)
  • Import-export firms (vulnerable to trade-based money laundering)
  • Charities (potential misuse for terror financing)
  • Legal services, accountants, real estate agents (professional money launderers use them)
  • PEPs and their families

Each segment receives different scrutiny levels. A bank’s AML policy should document these segmentations and controls.

Reporting to Regulators and Law Enforcement

In addition to filing SARs, banks must report to regulators on their AML programs. In the U.S., banks file Annual AML Compliance Certifications (FinCEN Form 106) and submit to periodic examinations by the Federal Deposit Insurance Corporation (FDIC) or other primary regulators.

Regulators conduct AML examinations—on-site audits of a bank’s policies, procedures, staffing, training, and transaction monitoring. Examiners look for weaknesses: inadequate KYC, missed suspicious activity, weak correspondent controls, etc. Findings result in enforcement orders; repeated failures trigger fines or loss of banking license.

Sanctions Compliance

AML overlaps with sanctions compliance—the requirement that banks not transact with individuals or entities on government blacklists (e.g., terrorist organizations, countries under embargo, sanctioned businesses).

A bank must screen customers and transactions against Office of Foreign Assets Control (OFAC) lists in the U.S., and equivalent lists in the EU and other jurisdictions. If a match is found, the bank must freeze the account and report to authorities.

Cross-Border Transfers and Exchange of Information

Under international agreements (FATCA in the U.S., Common Reporting Standard globally), banks must report foreign customers and large transactions to tax authorities. This is distinct from AML but often implemented alongside AML infrastructure.

Additionally, banks in one country must respond to requests from regulators in other countries for information on customers suspected of crime. This requires legal gateways—bilateral agreements or mutual legal assistance treaties—that let authorities access banking data across borders.

Penalties for Non-Compliance

AML violations are serious:

  • Civil penalties: Fines up to millions of dollars for systematic failures. Wells Fargo paid $3B in 2020 for AML lapses; HSBC paid $1.9B in 2012 for massive compliance failures.
  • Criminal liability: Bank officers involved in deliberate violations can face imprisonment.
  • Reputational damage: A bank caught with serious AML failures may be de-risked by correspondent banks, lose customers, or face license sanctions.

The Practical Burden

For banks, AML compliance is expensive. Large banks employ thousands of AML analysts, compliance officers, and technicians. Compliance costs exceed billions annually industry-wide.

For customers, the burden is higher KYC friction at account opening, ongoing monitoring, and occasional requests for additional documentation. Some banks, struggling with costs and enforcement risk, exit entire customer segments (a phenomenon called “de-risking”) or impose heightened scrutiny that slows transactions.

Regulators argue this is the price of preventing money laundering, terrorist financing, and corruption. Critics argue the burden falls disproportionately on legitimate customers, especially in developing countries where weak banking infrastructure means many people remain unbanked rather than face draconian KYC.

See also

Wider context

  • Dodd-Frank Act — U.S. financial regulation; includes AML provisions
  • Bank — subject institutions for AML rules
  • Sanctions Compliance — overlapping with AML
  • Financial Crimes Enforcement Network — U.S. AML authority (FinCEN)
  • Corruption and Money Laundering — macro context for AML rules