As the anti-money laundering perimeter expands, who needs to be compliant, and how?

Anti-money laundering (AML) policies are getting stronger as countries crack down on any opportunity criminals might have to take advantage of services and resources to further their activity.


The US has the Bank Secrecy Act, the Patriot Act, and Anti-Money Laundering Act of 2020, which promote cooperation and the use of sophisticated technology to combat financial crimes and the funding of terrorism.

Especially noteworthy is that they’ve widened their nets over recent years so that it’s not just banks and financial institutions that must comply. More and more businesses are expected to obey AML regulations, if only to keep themselves and their customers safe.

Here’s everything you need to know about what services need an AML revamp and how they should go about it.

Who needs to comply with AML regulations?

These laws have two main goals: identify dangerous users and counter criminal activity.

Threats like these have always troubled businesses, but without proper tools and enough vigilance, it was easy for some bad actors to slip through. When it comes to high-risk customers in banking, for example, identity thieves are among the people to look out for as they use any data they can to trick verification processes and exploit systems. They might claim money, take over accounts, or even leak information.

The damage to a bank’s finances and reputation can be catastrophic, which AML policies aim to remedy and, ideally, prevent from happening ever again by improving measures like Know Your Customer (KYC) checks when onboarding or monitoring transactions.

But, as already mentioned, collaboration is key to AML protection, so customer-facing services must do their part to catch suspicious activity and report it. Now that the responsibility falls on the shoulders of other businesses besides banks, it should be harder for criminals to get a foothold.

As official US regulations relating to money and finance explain, there are specific steps that different services must take to tackle financial crime. First, let’s break down the entities this includes (but isn’t limited to):

  • Banks
  • Mutual funds
  • Credit card systems operators
  • Loan or finance companies
  • Insurance companies
  • Brokers or dealers in securities
  • Futures commissions merchants
  • Introducing brokers to commodities
  • Money services (e.g., check issuers and cashers, foreign exchange dealers, prepaid access providers, money transmitters, virtual currency and wallet providers)
  • Housing government-sponsored enterprises
  • Real estate brokers
  • Law firms
  • Precious metals dealers

Any US company that fits in a category on this list is expected to follow AML regulations. Even if we’re talking about a branch of an international entity or a foreign business processing transactions through US services, these rules apply.

The Financial Crimes Enforcement Network (FinCEN), the main regulating body in the US, even specifies what an obligated person means, namely:

“An individual, a corporation, a partnership, a trust or estate, a joint stock company, an association, a syndicate, joint venture, or other unincorporated organization or group, an Indian Tribe (as that term is defined in the Indian Gaming Regulatory Act), and all entities cognizable as legal personalities.”

In other words, if you run or work in a company with financial services or make a living as a sole trader in the same sector, you have to think about your AML responsibilities from an individual to a collective level.

How to comply with AML regulations

Firstly, besides risk assessing and onboarding customers and checking their transactions, AML policies also relate to a company’s reporting and training procedures.

But not all businesses are the same in terms of structure, services, and risks, so FinCEN and the Office of Financial Assets Control (OFAC) adapt their regulations for each sector and let companies within them develop their own compliance programs.

That said, there are seven core principles that all sectors share. If you tick all of these AML boxes, your business should be safe from non-compliance penalties.

1. Dynamic customer verification

Every time someone new wants to sign up to your service, you have to make sure they’re legit. To do that, you need lots of information, which you can get from the customer, as well as Customer Due Diligence (CDD) and KYC technology.

A dynamic AML system with all the right tools can start with a single email or IP address and end up creating a detailed profile about a person’s online activity. What platforms do they use? How long have they been active? Are they hiding behind proxies?

Gather enough data as fast as possible, and you can instantly spot bad actors and block them out, and move to more extensive KYC procedures to ensure their names do not appear on any AML lists and gauge the true intentions of suspicious users, saving money on unnecessary KYC and AML screenings. Meanwhile, your legitimate users can enjoy a seamless onboarding journey.

2. Risk-based screening and AML

Remember: It’s not just existing criminals you’re looking for, but also people that could become part of a money laundering scheme. One very specific category is politically exposed persons (PEP), which refers to government workers or high-ranking officials at risk of bribery or corruption.

Another category is people in sanctioned lists, like Specially Designated Nationals (SDN) composed by the Office of Foreign Assets Control (OFAC). They contain individuals and groups with links to high-risk countries.

Extra vigilance is also necessary when dealing with money service businesses (MSB), as they’re more likely to become targets for money launderers.

The point of all this is that a good AML program must include a thorough screening system that can detect high-risk customers before bringing them onboard.

3. Transaction monitoring

It’s great if you can stop criminals from accessing your system at all, but sometimes they slip through or influence existing customers. That’s why checking users’ backgrounds for red flags isn’t enough. You need to keep an eye on their current activity, too.

As they navigate your platform and use your services, make sure you stay alert for signs of misconduct, especially when it comes to transactions and financial information.

Besides keeping detailed records, companies are expected to file suspicious activity reports (SAR) when customers move over $3000 or set off alarm bells with their activities. Depending on local legislation, this threshold changes, but not observing it will always be a compliance issue for companies who have to follow AML regulations.

Once again, different companies have different red flags to look out for, so your program needs to lay out a clear action plan that fits its business and clientele, including points of interest like transaction thresholds.

4. Ongoing due diligence

AML measures aren’t just about setting up automated processes, nor can you verify IDs and then leave customers to their own devices without any supervision. Keeping your company safe from bad actors is a constant hands-on affair.

Ongoing CDD and EDD (enhanced due diligence, for higher-risk but still permitted customers) plays a vital role in monitoring user activity and updating their profiles with more data in order to detect criminal risk. 91% of customers themselves now demand high security standards from companies, while 85% of partners even expect proof of their security requirements being met.

AML regulating bodies want to see that your company has a complex program in place, combining automated and manual processes, that can constantly supervise customers, quickly spot suspicious activity, and report cases without delay.

5. AML training

AML policies are only as good as the people planning and enforcing them, which means that your organization needs employees who understand how it all works.

Based on resources like the BSA and AML examination manual for banks, your training program should cover the compliance requirements of your particular business and the responsibilities of different staff members, from collecting customer details and reporting suspicious behavior to supervising the whole program.

Regular and well-documented training ensures everyone is up to date on AML regulations and tasks. Bad actors will then have a hard time trying to trick your system.

6. Efficient reporting

With your money-laundering instincts sharp, you can flag up problems faster for your company and law enforcement agencies. It’s handy considering the BSA and Patriot Act relies on the SAR reports of banks and other financial entities to combat money laundering and terrorism funding.

Whether you’re dealing with a suspicious transaction or highlighting a flaw in your AML program, every report adds valuable information to FinCEN’s pool of knowledge and helps improve its frameworks.

In other words, streamlining your AML reporting system paints a clearer picture of your company’s performance and risks, while also benefiting law enforcement efforts.

7. In-depth testing of AML and fraud systems

Finally, to comply with AML regulations, don’t forget to test whatever policies you have in place. This means having someone with no knowledge of the system assess or even try to penetrate its defenses.

Depending on your resources and needs, this qualified professional can be an internal or external auditor or consultant. Even better, hire an ethical hacker to detect your vulnerabilities in the event of a full-on cyberattack.

The more customers and financial features your business deals with, the higher its risk factor, so you want to make sure your top-notch security measures are reliable. And the only way to truly reach that level of confidence is to put them to the test.

Strong plans and diligence ensure AML compliance

With such an expansive list of companies with AML responsibilities in the US, it’s important to check where your organization stands and how you can make it compliant.

Read up on official requirements in detail, develop a realistic AML program that reflects your business and is easy for your team to maintain, and stay on top of your system’s performance, good or bad, and any regulation updates.

The good news is that doing so will not just protect your business from fines but also often comes with a general reduction in fraud and malicious behavior.

Don't miss