AML/KYC Framework for Financial Services

Summary

Every financial institution and designated obliged entity must run a risk-based AML/KYC program built on five pillars: a board-approved written AML/CFT policy, a designated compliance officer (BSA Officer in the US, MLRO in the UK/EU), risk-based Customer Due Diligence (CDD) with Enhanced Due Diligence (EDD) for high-risk relationships, ongoing transaction monitoring with timely SAR/STR filing, and independent testing plus staff training. The framework rests on three pillars: FATF's 40 Recommendations globally, the US Bank Secrecy Act (BSA) administered by FinCEN, and EU Regulation 2024/1624 (AMLR) plus Directive 2024/1640 (6AMLD), which apply from 10 July 2027. Two late-2025/2026 US shifts materially narrow the regime: FinCEN's March 26, 2025 interim final rule exempts all domestic US companies from Corporate Transparency Act beneficial-ownership reporting (only foreign reporting companies remain in scope), and the FinCEN investment-adviser AML rule — originally effective 1 January 2026 — was postponed to 1 January 2028 by a final rule issued 31 December 2025. AML enforcement penalties totaled $4.6 billion in 2024 and $3.8 billion in 2025; partial compliance is never an option once an entity is an obliged entity in any jurisdiction. [src1, src2, src3, src9, src10]

Rule

Every financial institution and designated obliged entity must implement a risk-based Anti-Money Laundering (AML) and Know Your Customer (KYC) program comprising five core pillars: (1) a written AML/CFT policy approved by senior management, (2) a designated compliance officer, (3) risk-based Customer Due Diligence (CDD) with Enhanced Due Diligence (EDD) for high-risk relationships, (4) ongoing transaction monitoring with Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) filing, and (5) independent testing and staff training. This framework is mandated by FATF Recommendation 10 globally, the US Bank Secrecy Act (BSA) domestically, and EU Regulation 2024/1624 (AMLR) across the European Union. [src1, src2, src3]

Evidence

Global AML enforcement penalties totaled $4.6 billion in 2024 and $3.8 billion in 2025, with TD Bank receiving a $3.09 billion fine for systemic AML compliance failures — one of the largest AML penalties in history. [src5, src8] In the first half of 2025, regulators levied approximately 139 financial penalties totaling $1.23 billion — a 417% increase over the same period in 2024 — with OKX paying $504 million for failing to maintain an effective AML program. [src5, src8] FATF's fifth round of mutual evaluations (2024-2027) places heavy weight on effectiveness outcomes rather than technical compliance, and the EU's AMLR doubles maximum pecuniary sanctions to EUR 10 million or 10% of total annual turnover. [src1, src3] The EU has lowered the beneficial ownership threshold from over 25% to 25% or more, with 15% in high-risk cases. [src3] AMLA must deliver Regulatory Technical Standards on CDD and minimum data standards by July 10, 2026. [src3] On February 13, 2026, FinCEN issued Order FIN-2026-R001 granting exceptive relief from beneficial ownership identification at each new account opening. [src2] Two further US developments reshaped the 2025-2026 landscape: FinCEN's March 26, 2025 interim final rule narrowed the Corporate Transparency Act's "reporting company" definition to foreign entities only, exempting all domestic US companies and US persons from beneficial-ownership information (BOI) reporting (the Eleventh Circuit upheld the CTA as constitutional on December 16, 2025, but did not reinstate domestic reporting), and FinCEN postponed its investment-adviser AML/CFT program and SAR rule — originally effective January 1, 2026 — to January 1, 2028 via a final rule issued December 31, 2025. [src9, src10]

Key Properties

• FATF Standard: 40 Recommendations — the global baseline adopted by 200+ jurisdictions; Recommendation 10 (CDD), Recommendation 16 (Travel Rule), Recommendation 20 (SAR/STR filing)
• US Framework: Bank Secrecy Act (BSA) — administered by FinCEN; CDD Rule (2018, updated 2024); SAR threshold $5,000+; CTR threshold $10,000+ cash; Corporate Transparency Act BOI reporting now applies to foreign reporting companies only (FinCEN interim final rule, Mar 26, 2025 exempted all domestic US entities); FinCEN investment-adviser AML rule postponed to Jan 1, 2028 (final rule Dec 31, 2025)
• EU Framework: Regulation 2024/1624 (AMLR) + Directive 2024/1640 (6AMLD) — apply from July 10, 2027; supervised by AMLA (Frankfurt, operational July 1, 2025; direct supervision of first ~40 high-risk cross-border entities begins Jan 2028); EU-wide cash cap EUR 10,000; customer ID at EUR 3,000+
• Penalties: Up to $3+ billion (US), EUR 10 million or 10% global turnover (EU), criminal prosecution for willful violations
• Filing Deadlines: SAR within 30 calendar days of detection (US); STR timelines vary by EU member state (typically 24-48 hours for terrorist financing)
• Beneficial Ownership Threshold: 25% or more ownership or control (EU AMLR — lowered from over 25%); 15% in high-risk cases (EU); US CDD Rule requires identification of each individual with 25%+ equity or one individual with significant management control; FinCEN Order FIN-2026-R001 (Feb 2026) provides exceptive relief from per-account BO identification

Conditions

• Applies when: Any entity classified as a "financial institution" or "obliged entity" under applicable AML legislation — including banks, credit unions, broker-dealers, investment advisers, money services businesses, insurance companies, VASPs/crypto exchanges, real estate agents (EU), lawyers handling financial transactions, high-value goods dealers, and professional football clubs/agents (EU AMLR)
• Does NOT apply when: Entity is below jurisdictional thresholds; entity operates exclusively in a non-FATF jurisdiction (extremely rare — only North Korea, Iran, and Myanmar are fully non-compliant)
• Confidence degrades when: New regulations are pending implementation (EU AMLR not applicable until July 2027; AMLA RTS on CDD due July 10, 2026); FinCEN investment adviser rule not effective until January 2028; FinCEN BOI exceptive relief (FIN-2026-R001) may alter beneficial ownership requirements; FATF mutual evaluation outcomes may shift national requirements; Australia Tranche 2 entities coming under AML/CTF regime from March 2026

Constraints

• Jurisdiction-specific thresholds and filing requirements vary significantly — US uses $5,000 SAR threshold while EU member states set their own STR thresholds and timelines [src2, src3]
• EU AMLR (Regulation 2024/1624) and 6AMLD (Directive 2024/1640) were published July 9, 2024, but do not apply until July 10, 2027 — existing 5AMLD transpositions remain in force until then [src3, src7]
• US FinCEN's AML rule for investment advisers (finalized September 2024) was postponed from its original January 1, 2026 effective date to January 1, 2028 by a final rule issued December 31, 2025 — advisers are not yet obligated, and FinCEN intends to revisit the rule's substance before then [src9]
• AML record-keeping requirements (5-7 years typically) may conflict with GDPR data minimization principles — entities operating in the EU must reconcile both frameworks [src3]
• FATF Travel Rule implementation remains inconsistent — only 85 of 117 jurisdictions (73%) have passed implementing legislation as of 2025 [src6]
• AMLA must deliver Regulatory Technical Standards on CDD and minimum data standards by July 10, 2026 — these will create harmonized EU-wide KYC requirements [src3]
• FinCEN issued exceptive relief (FIN-2026-R001, Feb 13, 2026) from beneficial ownership identification at each new account opening — check current scope and expiry [src2]
• Beneficial Ownership Information (BOI) reporting under the US Corporate Transparency Act now applies to FOREIGN reporting companies only — FinCEN's March 26, 2025 interim final rule exempted all domestic US entities and US persons; the Eleventh Circuit upheld the CTA as constitutional (December 16, 2025) but did not reinstate domestic reporting, and a final rule is expected in 2026 [src10]

Rationale

AML/KYC frameworks exist because the UN estimates that 2-5% of global GDP ($800 billion to $2 trillion) is laundered annually. Without mandatory identification, due diligence, and transaction monitoring, financial institutions become conduits for drug trafficking, terrorist financing, tax evasion, and sanctions circumvention. The risk-based approach — rather than prescriptive rules — recognizes that ML/TF risk varies by customer type, geography, product, and delivery channel, and that compliance resources should be allocated proportionally to actual risk. [src1, src3]

Framework Selection Decision Tree

START — User needs AML/KYC compliance guidance
├── Which jurisdiction?
│   ├── United States (BSA/AML) → AML/KYC Framework ← YOU ARE HERE
│   ├── European Union (AMLR/6AMLD) → AML/KYC Framework ← YOU ARE HERE
│   ├── United Kingdom (MLR 2017) → AML/KYC Framework (UK aligns with FATF)
│   └── Multiple jurisdictions → Use FATF baseline + jurisdiction-specific add-ons
├── Is the entity a "financial institution" or "obliged entity"?
│   ├── YES → Apply this rule: implement 5-pillar AML program
│   └── NO → Check if entity is a DNFBP or newly designated obliged entity
├── Does the entity handle virtual assets or crypto?
│   ├── YES → Apply this rule + FATF Travel Rule (Rec. 16) + VASP registration
│   └── NO → Standard AML/KYC program under this rule
└── Does the entity have an existing AML program?
    ├── YES → Audit against this rule: check 5 pillars, risk assessment, SAR filing
    └── NO → Start with risk assessment, then build per Application Checklist

Application Checklist

Step 1: Determine applicability and scope

• Inputs needed: Entity type, jurisdiction(s) of operation, customer base geography, products/services offered, transaction volumes
• Output: Go/no-go on AML program obligation; list of applicable regulations (BSA, AMLR, FATF Recommendations, national AML laws)
• Constraint: If entity is an obliged entity in any jurisdiction, the entire AML program is mandatory — partial compliance is not an option [src1]

Step 2: Conduct enterprise-wide risk assessment

• Inputs needed: Customer risk factors (PEPs, high-risk jurisdictions, complex ownership), product risk (correspondent banking, private banking, crypto), geographic risk (FATF grey/black list), delivery channel risk
• Output: Written risk assessment categorizing ML/TF risks as low, medium, or high; risk appetite statement approved by board/senior management
• Constraint: Risk assessment must be updated at least annually or when material changes occur — static risk assessments are the most common deficiency in FATF mutual evaluations [src1]

Step 3: Implement CDD/EDD procedures

• Inputs needed: Risk assessment output, customer onboarding data requirements, identity verification technology
• Output: CDD procedures covering CIP, verification, beneficial ownership (25%+ threshold), ongoing monitoring; EDD for high-risk categories
• Constraint: CDD must be completed before or during establishment of business relationship — no exceptions for "pending verification." EDD requires source of wealth and source of funds documentation [src2, src3]

Step 4: Build transaction monitoring and SAR/STR filing

• Inputs needed: Transaction data, monitoring rules/scenarios, alert investigation workflow, SAR/STR filing templates
• Output: Operational transaction monitoring system with documented scenarios, alert triage, investigation procedures, SAR/STR filing workflow
• Constraint: SAR must be filed within 30 calendar days of initial detection (US). No regulatory requirement for post-SAR 90-day reviews per October 2025 FinCEN FAQs [src4]

Step 5: Validate, train, and independently test

• Inputs needed: Completed AML program documentation, training materials, independent audit plan
• Output: Annual independent testing report, documented training records, board-level AML program effectiveness reporting
• Constraint: Independent testing must be conducted by qualified personnel not involved in day-to-day AML operations. Escalate to legal counsel if material deficiencies are identified [src1, src2]

Decision Logic

If a US registered investment adviser or exempt reporting adviser is rushing to stand up an AML program for a January 2026 deadline

Stop and re-check the deadline: FinCEN postponed the investment-adviser AML/CFT and SAR rule from January 1, 2026 to January 1, 2028 (final rule issued December 31, 2025). Advisers are not yet obligated, though FinCEN may revisit the rule's substance — continue program design but do not treat 2026 as a hard cut-over. [src9]

If a US-formed company is being asked to file beneficial-ownership information under the Corporate Transparency Act

It almost certainly does not have to. FinCEN's March 26, 2025 interim final rule exempts all domestic US entities and US persons from BOI reporting; only foreign entities registered to do business in a US state/tribal jurisdiction remain reporting companies. The December 16, 2025 Eleventh Circuit ruling upheld the CTA but did not reinstate domestic obligations. [src10]

If the entity is an obliged entity in even one jurisdiction

Treat the full five-pillar AML program as mandatory — partial or "best-effort" compliance is never an option. Failure to determine scope correctly was a factor in a majority of recent enforcement actions. [src1, src5]

If the entity onboards a high-risk customer (PEP, correspondent-banking, FATF grey/black-list country, or opaque ownership)

Apply Enhanced Due Diligence: document source of wealth and source of funds, obtain senior-management approval, and set a heightened ongoing-monitoring cadence. Do NOT rely on Simplified Due Diligence unless lower risk is demonstrated and documented. [src1, src3]

If a compliance team is filing SARs purely because a transaction is at or near the $10,000 CTR threshold

Stop. FinCEN's October 2025 FAQs confirm there is no requirement to file a SAR solely on threshold proximity, and no requirement for post-SAR 90-day reviews; file on suspicion of illicit funds, structuring, or no lawful purpose instead. [src4]

If the entity operates in the EU and is preparing for the AMLR/6AMLD regime

Build to the harmonized standard now: AMLA must deliver Regulatory Technical Standards on CDD and group-wide controls by July 10, 2026, AMLR applies from July 10, 2027, and AMLA's direct supervision of the first ~40 high-risk cross-border entities begins January 2028. Until AMLR applies, existing 5AMLD national transpositions remain in force. [src3, src7]

If the question is really about payment-services/open-banking, investment-firm conduct, or the AML-vs-privacy data-retention conflict (not AML/KYC itself)

Route to the correct unit: PSD2/Open Banking, MiFID II, or GDPR. [src3]

Anti-Patterns

Wrong: Treating KYC as a one-time onboarding check

Many institutions collect identification documents at account opening and never revisit them. This approach fails to detect changes in customer risk profile, PEP status, or beneficial ownership structure, and was cited as a primary deficiency in TD Bank's $3.09 billion enforcement action. [src5]

Correct: Implement ongoing CDD with risk-based refresh cycles

CDD must be continuous. High-risk customers should be reviewed at least annually, medium-risk every 2-3 years, and low-risk every 5 years. Trigger events (large unusual transactions, adverse media, sanctions list changes) should prompt immediate review. [src1, src2]

Wrong: Filing SARs based on transaction amount alone

Some compliance teams file SARs on every transaction near the $10,000 CTR threshold, creating massive volumes of low-value reports that overwhelm FinCEN and dilute intelligence value. [src4]

Correct: File SARs based on suspicious activity indicators, not amount thresholds

FinCEN's October 2025 FAQs explicitly clarified that institutions are not required to file SARs solely because a transaction is at or near the $10,000 threshold. SARs should be filed when there is knowledge, suspicion, or reason to suspect involvement of illegal activity or BSA evasion. [src4]

Wrong: Applying identical CDD to all customers regardless of risk

A one-size-fits-all approach wastes resources on low-risk customers while under-scrutinizing high-risk relationships — this failure pattern led to multiple enforcement actions against banks processing correspondent banking from high-risk jurisdictions. [src5]

Correct: Apply tiered CDD based on documented risk assessment

Use Simplified Due Diligence (SDD) for demonstrably low-risk customers, standard CDD for medium-risk, and Enhanced Due Diligence (EDD) for high-risk categories including PEPs, correspondent banking, high-risk jurisdictions, and complex ownership structures. [src1, src3]

Counter-Arguments

• The risk-based approach grants institutions significant discretion, which can lead to inconsistent application and "de-risking" — banks exiting entire markets or customer segments rather than managing risk. [src1]
• Global AML/KYC compliance costs are estimated at $214 billion annually, yet less than 1% of illicit financial flows are successfully intercepted, raising questions about proportionality. [src8]
• Strict identity verification requirements contribute to financial exclusion — an estimated 1.4 billion adults globally lack access to formal financial services, partly because KYC requirements are impossible to meet in regions with limited civil registration. [src1]

Common Misconceptions

Misconception: AML/KYC programs only apply to banks and traditional financial institutions.
Reality: FATF Recommendations and most national laws extend AML obligations to DNFBPs including real estate agents, dealers in precious metals/stones, lawyers, notaries, accountants, and trust/company service providers. The EU AMLR further expanded scope to crypto-asset providers, crowdfunding platforms, and professional football clubs/agents. [src1, src3]

Misconception: Institutions must document their decision not to file a SAR.
Reality: FinCEN's October 2025 FAQs explicitly state there is no legal or regulatory requirement to document decisions not to file a SAR, though institutions may do so for internal risk management. [src4]

Misconception: The FATF Travel Rule for virtual assets is universally implemented and enforceable.
Reality: As of 2025, only 85 of 117 surveyed jurisdictions (73%) have passed Travel Rule legislation, and over 75% of jurisdictions remain only partially compliant with FATF's AML standards for virtual assets. [src6]

Misconception: The EU's new AML Regulation (AMLR) is already in effect.
Reality: Regulation 2024/1624 was published on July 9, 2024, but does not apply until July 10, 2027. The existing 5AMLD and its national transpositions remain applicable law until then. [src3]

Comparison with Similar Rules

When This Matters

Fetch this when a user asks about AML/KYC compliance obligations, anti-money laundering program requirements, customer due diligence procedures, suspicious activity reporting, beneficial ownership requirements, or when a financial institution, fintech, or VASP needs to understand its regulatory obligations for preventing money laundering and terrorist financing.