AML/KYC Framework for Financial Services
Type: Decision Rule
Confidence: 0.92
Sources: 8
Verified: 2026-03-02
Applies to: Financial institutions, banks, fintechs, VASPs, insurance companies, investment advisers, DNFBPs
Rule
Every financial institution and designated obliged entity must implement a risk-based Anti-Money Laundering (AML) and Know Your Customer (KYC) program comprising five core pillars: (1) a written AML/CFT policy approved by senior management, (2) a designated compliance officer, (3) risk-based Customer Due Diligence (CDD) with Enhanced Due Diligence (EDD) for high-risk relationships, (4) ongoing transaction monitoring with Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) filing, and (5) independent testing and staff training. This framework is mandated by FATF Recommendation 10 globally, the US Bank Secrecy Act (BSA) domestically, and EU Regulation 2024/1624 (AMLR) across the European Union. [src1, src2, src3]
Evidence
Global AML enforcement penalties totaled $4.6 billion in 2024 and $3.8 billion in 2025, with TD Bank receiving a $3.09 billion fine for systemic AML compliance failures — one of the largest AML penalties in history. [src5, src8] In the first half of 2025, regulators levied approximately 139 financial penalties totaling $1.23 billion — a 417% increase over the same period in 2024 — with OKX paying $504 million for failing to maintain an effective AML program. [src5, src8] FATF's fifth round of mutual evaluations (2024-2027) places heavy weight on effectiveness outcomes rather than technical compliance, and the EU's AMLR doubles maximum pecuniary sanctions to EUR 10 million or 10% of total annual turnover. [src1, src3] The EU has lowered the beneficial ownership threshold from over 25% to 25% or more, with 15% in high-risk cases. [src3] AMLA must deliver Regulatory Technical Standards on CDD and minimum data standards by July 10, 2026. [src3] On February 13, 2026, FinCEN issued Order FIN-2026-R001 granting exceptive relief from beneficial ownership identification at each new account opening. [src2]
Key Properties
- FATF Standard: 40 Recommendations — the global baseline adopted by 200+ jurisdictions; Recommendation 10 (CDD), Recommendation 16 (Travel Rule), Recommendation 20 (SAR/STR filing)
- US Framework: Bank Secrecy Act (BSA) — administered by FinCEN; CDD Rule (2018, updated 2024); BOI reporting (effective Jan 1, 2024); SAR threshold $5,000+; CTR threshold $10,000+ cash
- EU Framework: Regulation 2024/1624 (AMLR) + Directive 2024/1640 (6AMLD) — apply from July 10, 2027; supervised by AMLA (Frankfurt); EU-wide cash cap EUR 10,000; customer ID at EUR 3,000+
- Penalties: Up to $3+ billion (US), EUR 10 million or 10% global turnover (EU), criminal prosecution for willful violations
- Filing Deadlines: SAR within 30 calendar days of detection (US); STR timelines vary by EU member state (typically 24-48 hours for terrorist financing)
- Beneficial Ownership Threshold: 25% or more ownership or control (EU AMLR — lowered from over 25%); 15% in high-risk cases (EU); US CDD Rule requires identification of each individual with 25%+ equity or one individual with significant management control; FinCEN Order FIN-2026-R001 (Feb 2026) provides exceptive relief from per-account BO identification
Conditions
- Applies when: Any entity classified as a "financial institution" or "obliged entity" under applicable AML legislation — including banks, credit unions, broker-dealers, investment advisers, money services businesses, insurance companies, VASPs/crypto exchanges, real estate agents (EU), lawyers handling financial transactions, high-value goods dealers, and professional football clubs/agents (EU AMLR)
- Does NOT apply when: Entity is below jurisdictional thresholds; entity operates exclusively in a non-FATF jurisdiction (extremely rare — only North Korea, Iran, and Myanmar are fully non-compliant)
- Confidence degrades when: New regulations are pending implementation (EU AMLR not applicable until July 2027; AMLA RTS on CDD due July 10, 2026); FinCEN investment adviser rule not effective until January 2028; FinCEN BOI exceptive relief (FIN-2026-R001) may alter beneficial ownership requirements; FATF mutual evaluation outcomes may shift national requirements; Australia Tranche 2 entities coming under AML/CTF regime from March 2026
Constraints
- Jurisdiction-specific thresholds and filing requirements vary significantly — US uses $5,000 SAR threshold while EU member states set their own STR thresholds and timelines [src2, src3]
- EU AMLR (Regulation 2024/1624) and 6AMLD (Directive 2024/1640) were published July 9, 2024, but do not apply until July 10, 2027 — existing 5AMLD transpositions remain in force until then [src3, src7]
- US FinCEN's AML rule for investment advisers (September 2024) has a compliance deadline of January 1, 2028 — advisers are not yet obligated [src2]
- AML record-keeping requirements (5-7 years typically) may conflict with GDPR data minimization principles — entities operating in the EU must reconcile both frameworks [src3]
- FATF Travel Rule implementation remains inconsistent — only 85 of 117 jurisdictions (73%) have passed implementing legislation as of 2025 [src6]
- AMLA must deliver Regulatory Technical Standards on CDD and minimum data standards by July 10, 2026 — these will create harmonized EU-wide KYC requirements [src3]
- FinCEN issued exceptive relief (FIN-2026-R001, Feb 13, 2026) from beneficial ownership identification at each new account opening — check current scope and expiry [src2]
- Beneficial Ownership Information (BOI) reporting under the US Corporate Transparency Act has faced legal challenges — enforcement status may shift based on court rulings [src2]
Rationale
AML/KYC frameworks exist because the UN estimates that 2-5% of global GDP ($800 billion to $2 trillion) is laundered annually. Without mandatory identification, due diligence, and transaction monitoring, financial institutions become conduits for drug trafficking, terrorist financing, tax evasion, and sanctions circumvention. The risk-based approach — rather than prescriptive rules — recognizes that ML/TF risk varies by customer type, geography, product, and delivery channel, and that compliance resources should be allocated proportionally to actual risk. [src1, src3]
Framework Selection Decision Tree
START — User needs AML/KYC compliance guidance
├── Which jurisdiction?
│   ├── United States (BSA/AML) → AML/KYC Framework ← YOU ARE HERE
│   ├── European Union (AMLR/6AMLD) → AML/KYC Framework ← YOU ARE HERE
│   ├── United Kingdom (MLR 2017) → AML/KYC Framework (UK aligns with FATF)
│   └── Multiple jurisdictions → Use FATF baseline + jurisdiction-specific add-ons
├── Is the entity a "financial institution" or "obliged entity"?
│   ├── YES → Apply this rule: implement 5-pillar AML program
│   └── NO → Check if entity is a DNFBP or newly designated obliged entity
├── Does the entity handle virtual assets or crypto?
│   ├── YES → Apply this rule + FATF Travel Rule (Rec. 16) + VASP registration
│   └── NO → Standard AML/KYC program under this rule
└── Does the entity have an existing AML program?
    ├── YES → Audit against this rule: check 5 pillars, risk assessment, SAR filing
    └── NO → Start with risk assessment, then build per Application Checklist
Application Checklist
Step 1: Determine applicability and scope
- Inputs needed: Entity type, jurisdiction(s) of operation, customer base geography, products/services offered, transaction volumes
- Output: Go/no-go on AML program obligation; list of applicable regulations (BSA, AMLR, FATF Recommendations, national AML laws)
- Constraint: If entity is an obliged entity in any jurisdiction, the entire AML program is mandatory — partial compliance is not an option [src1]
Step 2: Conduct enterprise-wide risk assessment
- Inputs needed: Customer risk factors (PEPs, high-risk jurisdictions, complex ownership), product risk (correspondent banking, private banking, crypto), geographic risk (FATF grey/black list), delivery channel risk
- Output: Written risk assessment categorizing ML/TF risks as low, medium, or high; risk appetite statement approved by board/senior management
- Constraint: Risk assessment must be updated at least annually or when material changes occur — static risk assessments are the most common deficiency in FATF mutual evaluations [src1]
Step 3: Implement CDD/EDD procedures
- Inputs needed: Risk assessment output, customer onboarding data requirements, identity verification technology
- Output: CDD procedures covering CIP, verification, beneficial ownership (25%+ threshold), ongoing monitoring; EDD for high-risk categories
- Constraint: CDD must be completed before or during establishment of business relationship — no exceptions for "pending verification." EDD requires source of wealth and source of funds documentation [src2, src3]
Step 4: Build transaction monitoring and SAR/STR filing
- Inputs needed: Transaction data, monitoring rules/scenarios, alert investigation workflow, SAR/STR filing templates
- Output: Operational transaction monitoring system with documented scenarios, alert triage, investigation procedures, SAR/STR filing workflow
- Constraint: SAR must be filed within 30 calendar days of initial detection (US). No regulatory requirement for post-SAR 90-day reviews per October 2025 FinCEN FAQs [src4]
Step 5: Validate, train, and independently test
- Inputs needed: Completed AML program documentation, training materials, independent audit plan
- Output: Annual independent testing report, documented training records, board-level AML program effectiveness reporting
- Constraint: Independent testing must be conducted by qualified personnel not involved in day-to-day AML operations. Escalate to legal counsel if material deficiencies are identified [src1, src2]
Anti-Patterns
Wrong: Treating KYC as a one-time onboarding check
Many institutions collect identification documents at account opening and never revisit them. This approach fails to detect changes in customer risk profile, PEP status, or beneficial ownership structure, and was cited as a primary deficiency in TD Bank's $3.09 billion enforcement action. [src5]
Correct: Implement ongoing CDD with risk-based refresh cycles
CDD must be continuous. High-risk customers should be reviewed at least annually, medium-risk every 2-3 years, and low-risk every 5 years. Trigger events (large unusual transactions, adverse media, sanctions list changes) should prompt immediate review. [src1, src2]
Wrong: Filing SARs based on transaction amount alone
Some compliance teams file SARs on every transaction near the $10,000 CTR threshold, creating massive volumes of low-value reports that overwhelm FinCEN and dilute intelligence value. [src4]
Correct: File SARs based on suspicious activity indicators, not amount thresholds
FinCEN's October 2025 FAQs explicitly clarified that institutions are not required to file SARs solely because a transaction is at or near the $10,000 threshold. SARs should be filed when there is knowledge, suspicion, or reason to suspect involvement of illegal activity or BSA evasion. [src4]
Wrong: Applying identical CDD to all customers regardless of risk
A one-size-fits-all approach wastes resources on low-risk customers while under-scrutinizing high-risk relationships — this failure pattern led to multiple enforcement actions against banks processing correspondent banking from high-risk jurisdictions. [src5]
Correct: Apply tiered CDD based on documented risk assessment
Use Simplified Due Diligence (SDD) for demonstrably low-risk customers, standard CDD for medium-risk, and Enhanced Due Diligence (EDD) for high-risk categories including PEPs, correspondent banking, high-risk jurisdictions, and complex ownership structures. [src1, src3]
Counter-Arguments
- The risk-based approach grants institutions significant discretion, which can lead to inconsistent application and "de-risking" — banks exiting entire markets or customer segments rather than managing risk. [src1]
- Global AML/KYC compliance costs are estimated at $214 billion annually, yet less than 1% of illicit financial flows are successfully intercepted, raising questions about proportionality. [src8]
- Strict identity verification requirements contribute to financial exclusion — an estimated 1.4 billion adults globally lack access to formal financial services, partly because KYC requirements are impossible to meet in regions with limited civil registration. [src1]
Common Misconceptions
Misconception: AML/KYC programs only apply to banks and traditional financial institutions.
Reality: FATF Recommendations and most national laws extend AML obligations to DNFBPs including real estate agents, dealers in precious metals/stones, lawyers, notaries, accountants, and trust/company service providers. The EU AMLR further expanded scope to crypto-asset providers, crowdfunding platforms, and professional football clubs/agents. [src1, src3]
Misconception: Institutions must document their decision not to file a SAR.
Reality: FinCEN's October 2025 FAQs explicitly state there is no legal or regulatory requirement to document decisions not to file a SAR, though institutions may do so for internal risk management. [src4]
Misconception: The FATF Travel Rule for virtual assets is universally implemented and enforceable.
Reality: As of 2025, only 85 of 117 surveyed jurisdictions (73%) have passed Travel Rule legislation, and over 75% of jurisdictions remain only partially compliant with FATF's AML standards for virtual assets. [src6]
Misconception: The EU's new AML Regulation (AMLR) is already in effect.
Reality: Regulation 2024/1624 was published on July 9, 2024, but does not apply until July 10, 2027. The existing 5AMLD and its national transpositions remain applicable law until then. [src3]
Comparison with Similar Rules
| Rule/Framework | Key Difference | When to Use |
|---|---|---|
| AML/KYC Framework (this unit) | Global overview covering FATF, US BSA, and EU AMLR — the three primary regulatory pillars | When the user needs comprehensive AML/KYC guidance across jurisdictions |
| GDPR / Data Privacy | Data minimization and right to erasure may conflict with AML record-keeping (5-7 year retention) | When balancing AML data retention against privacy obligations |
| Sanctions Screening (OFAC/EU) | Focuses on prohibited parties/countries rather than transaction patterns | When the question is about blocked persons, SDN lists, or embargo compliance |
| FATCA/CRS Tax Reporting | Tax information exchange — overlaps with but distinct from AML beneficial ownership | When the question is about tax transparency and cross-border account reporting |
When This Matters
Fetch this when a user asks about AML/KYC compliance obligations, anti-money laundering program requirements, customer due diligence procedures, suspicious activity reporting, beneficial ownership requirements, or when a financial institution, fintech, or VASP needs to understand its regulatory obligations for preventing money laundering and terrorist financing.
Related Units