Understanding Anti-Money Laundering (AML) Checks

Introduction

Regulators aren't just watching — they're acting. In 2024, FinCEN assessed a $1.3 billion penalty against TD Bank for willfully failing to maintain an adequate AML program, the largest penalty ever against a depository institution in U.S. Treasury history. A year earlier, Binance was hit with a $3.4 billion settlement for BSA violations. Enforcement actions like these have accelerated across every major jurisdiction, and regulators have made clear that program failures — not just intent — carry consequences.

According to the UNODC, an estimated 2% to 5% of global GDP — roughly $800 billion to $2 trillion — is laundered every year. Regulators across the US, UK, Canada, and EU are holding financial services companies directly accountable for stopping it.

For fintechs, crypto platforms, and embedded finance companies, the pressure is immediate: build a compliant, scalable AML program without the in-house expertise to do it correctly. This guide covers what AML checks are, how they work across each stage — from customer onboarding through transaction monitoring and SAR filing — and what gaps in your program can cost you.


TL;DR

  • AML checks are legally required processes that verify customer identities and confirm funds are not linked to criminal activity
  • Core components include Customer Due Diligence, sanctions screening, Enhanced Due Diligence, transaction monitoring, and SAR filing
  • These obligations apply to fintechs, crypto firms, payment providers, and embedded finance companies — not just banks
  • Penalties for non-compliance include fines exceeding $10M, license revocation, and personal criminal liability for responsible officers
  • Expect regulators to require a named compliance officer — BSA Officer, MLRO, or CAMLO — to own the program

What Is an AML Check?

An AML check is a structured set of compliance procedures that regulated businesses run to verify customers are who they claim to be, and that the money moving through their platform is not connected to fraud, drug trafficking, corruption, or terrorist financing. It is not a single action — AML compliance is a continuous obligation spanning customer onboarding, risk assessment, transaction oversight, and regulatory reporting.

KYC (Know Your Customer) is a component within AML, not a synonym for it. KYC covers identity verification. AML is the broader framework that includes KYC plus ongoing monitoring, sanctions screening, and suspicious activity reporting.

What Information Is Typically Collected

During an AML check, businesses typically gather:

  • Full legal name and date of birth
  • Government-issued photo ID
  • Proof of residential address
  • Source of funds
  • Intended purpose of the business relationship
  • For businesses: legal registration documents, ownership structure, and beneficial ownership details (anyone with 25%+ ownership or control)

Why AML Checks Are Non-Negotiable

The Legal Obligation

AML checks are legally mandated across every major jurisdiction. The core frameworks include:

Jurisdiction     | Framework                                                         | Key Regulator
-----------------|-------------------------------------------------------------------|----------------------
United States    | Bank Secrecy Act (BSA)                                            | FinCEN
United Kingdom   | Proceeds of Crime Act 2002 + Money Laundering Regulations 2017    | FCA / NCA
Canada           | Proceeds of Crime (Money Laundering) and Terrorist Financing Act  | FINTRAC
European Union   | 4AMLD, 5AMLD, and 2024 AML package (AMLR/AMLA)                    | National FIUs / AMLA
Global baseline  | FATF Recommendations (followed by 200+ governments)               | FATF

These obligations apply broadly. If your business moves money — whether through a payment app, crypto exchange, lending product, or embedded wallet — you are almost certainly a regulated entity under one or more of these frameworks.

That legal exposure translates directly into business risk. Regulatory failures rarely stay contained to the compliance team.

The Business Case Beyond Compliance

Getting AML wrong doesn't just attract regulators. It creates operational risk across the business:

  • Sponsor bank relationships: Banks and payment processors will offboard partners who can't demonstrate a functioning AML program
  • Investor confidence: Due diligence reviewers at Series A and beyond routinely flag AML gaps as deal risks
  • Reputational exposure: Being associated with financial crime — even unknowingly — erodes customer trust quickly

The FCA fined Starling Bank £28.9 million in 2024 for sanctions screening failures and repeated breaches around high-risk customer onboarding. Starling is a well-resourced firm. If a scaled neobank with dedicated compliance staff can draw an eight-figure fine, earlier-stage companies with thinner programs face even less margin for error.


[Figure: AML non-compliance consequences, showing fines and the reputational and operational business risks]

How AML Checks Work: Step by Step

Each stage below builds on the last. Treating onboarding checks as a one-time event — rather than the start of an ongoing monitoring relationship — is one of the most common and costly mistakes compliance teams make.

Step 1 – Customer Due Diligence (CDD)

CDD is the entry point of every AML check. The goal is to collect and verify the customer's identity using reliable, independent sources.

  • For individuals: Photo ID, proof of address, date of birth
  • For businesses: Legal registration documents, ownership structure, and identification of beneficial owners (anyone holding 25% or more of the equity or control)

The quality of your CDD directly determines the accuracy of every downstream decision — risk ratings, screening outcomes, and your ability to defend compliance decisions during an audit.

Step 2 – Sanctions Screening and Watchlist Checks

Once identity is verified, the customer is screened against:

  • OFAC SDN List (US)
  • UK Sanctions List (UK — note: the former OFSI Consolidated List closed in January 2026)
  • UN Security Council Consolidated List
  • EU financial sanctions list
  • PEP databases (Politically Exposed Persons)
  • Adverse media sources

Automated screening tools cross-reference customer data against these lists in real time. The operational challenge here is false positives — a high volume of alerts requiring human review can slow onboarding and strain compliance resources if not managed carefully.

Step 3 – Risk Assessment and Customer Risk Rating

After screening, the business assigns each customer a risk rating — low, medium, or high — based on factors including:

  • Geographic location (high-risk jurisdictions)
  • Business type (cash-intensive industries, complex ownership structures)
  • Transaction behavior patterns
  • PEP status

This rating determines how intensively the customer is monitored going forward, whether Enhanced Due Diligence applies, and how defensible your compliance decisions are if a regulator examines your records.

Step 4 – Enhanced Due Diligence (EDD)

EDD is triggered when a customer presents elevated risk signals. It goes beyond standard CDD and typically involves:

  • Establishing source of funds and source of wealth
  • Collecting financial statements or professional references
  • More frequent transaction review cycles
  • Senior management sign-off before proceeding

EDD is mandatory for Politically Exposed Persons, customers from high-risk third countries, and businesses in high-risk sectors.

The most commonly missed step is documenting the rationale. Regulators don't just ask whether EDD was applied — they expect a clear, auditable record of why it was or wasn't required in each specific case.

Step 5 – Ongoing Transaction Monitoring and SAR Reporting

AML compliance doesn't end at onboarding. Transaction monitoring systems continuously analyze activity for patterns such as:

  • Sudden volume spikes with no clear business explanation
  • Transfers to high-risk jurisdictions
  • Unusual routing or layering behavior
  • Structuring: breaking large sums into smaller transfers specifically to evade reporting thresholds

When a red flag can't be resolved, the business must file a Suspicious Activity Report (SAR) with the relevant authority: FinCEN in the US, the National Crime Agency in the UK, FINTRAC in Canada, or the relevant FIU in EU jurisdictions. Tipping-off rules in all four jurisdictions prohibit alerting the customer that a SAR has been filed.

All AML checks, monitoring decisions, and SAR filings must be retained for a minimum of five years across the US, UK, Canada, and EU. Inadequate record-keeping is a leading cause of regulatory penalties — even when the underlying compliance activity was sound.
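To make the monitoring patterns above concrete, here is an added example (not code from the original article or from Fraxtional) that runs two of the listed rules, structuring and an unexplained volume spike, over a constructed transaction ledger. The $10,000 threshold, the 48-hour window, the three-transaction minimum and the 5x expected-volume multiplier are illustrative assumptions, not prescribed values; a real program tunes them per product and jurisdiction.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): (customer id, timestamp, amount in USD, direction).
TRANSACTIONS = [
    ("cust-001", "2025-03-01T09:00", 9500.00, "in"),
    ("cust-001", "2025-03-01T15:30", 9800.00, "in"),
    ("cust-001", "2025-03-02T10:15", 9700.00, "in"),
    ("cust-002", "2025-03-05T11:00", 4000.00, "in"),
    ("cust-002", "2025-03-26T16:45", 120000.00, "in"),
    ("cust-003", "2025-03-10T12:00", 2500.00, "out"),
]

# Expected monthly inbound volume each customer stated at onboarding (constructed values).
EXPECTED_MONTHLY_INBOUND = {"cust-001": 20000.0, "cust-002": 15000.0, "cust-003": 5000.0}

REPORTING_THRESHOLD = 10000.0          # assumed reporting threshold the structurer is trying to stay under
STRUCTURING_WINDOW = timedelta(hours=48)  # assumed look-back window for related sub-threshold transfers
STRUCTURING_MIN_COUNT = 3              # assumed minimum number of transfers to open a structuring alert
SPIKE_MULTIPLIER = 5.0                 # assumed multiple of stated volume that counts as a spike


def detect_structuring(transactions):
    """Flag runs of sub-threshold inbound transfers that together exceed the threshold within the window."""
    alerts, by_customer = [], defaultdict(list)
    for cust, ts, amount, direction in transactions:
        if direction == "in" and amount < REPORTING_THRESHOLD:
            by_customer[cust].append((datetime.fromisoformat(ts), amount))
    for cust, items in by_customer.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = [a for t, a in items[i:] if t - start <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT and sum(window) >= REPORTING_THRESHOLD:
                alerts.append({"customer": cust, "rule": "structuring",
                               "total": round(sum(window), 2), "count": len(window)})
                break  # one alert per customer opens the case; the analyst reviews the full history
    return alerts


def detect_volume_spike(transactions, expected):
    """Flag a single inbound transfer far above the customer's stated expected monthly volume."""
    alerts = []
    for cust, ts, amount, direction in transactions:
        baseline = expected.get(cust)
        if direction == "in" and baseline and amount >= SPIKE_MULTIPLIER * baseline:
            alerts.append({"customer": cust, "rule": "volume_spike",
                           "amount": amount, "expected_monthly": baseline})
    return alerts


def run_monitoring(transactions=TRANSACTIONS, expected=EXPECTED_MONTHLY_INBOUND):
    """Each alert needs human review and a documented conclusion; the rule only opens the case."""
    return detect_structuring(transactions) + detect_volume_spike(transactions, expected)
```

On the sample ledger the first customer's three sub-threshold deposits within 48 hours raise a structuring alert, and the second customer's $120,000 transfer raises a volume-spike alert; neither result is a SAR decision by itself.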


[Figure: 5-step AML compliance process flow, from customer due diligence to SAR filing]

AML Checks in Practice: A Fintech Scenario

A fintech startup is onboarding a new business customer through its payments platform. Here's how each stage plays out:

  1. Onboarding (CDD): the team collects the company's registration documents, identifies the two beneficial owners above the 25% threshold, and verifies both individuals' IDs against independent sources
  2. Screening: automated tools run both individuals and the entity against OFAC, the UK Sanctions List, and PEP databases — returning clear results
  3. Risk rating: based on the business type (cross-border payments) and one owner's prior government role, the customer is rated medium-high risk
  4. Transaction flag: three weeks after onboarding, the transaction monitoring system flags an unusually large inbound transfer, significantly above the customer's stated expected volume

That flag is where things go wrong most often. Common mistakes at this point:

  • Dismissing the alert without documented review because onboarding checks were clean
  • Relying solely on the automated flag without human investigation
  • Failing to update the customer's risk profile after the behavior change

Done right, the compliance team requests supporting documentation from the customer. The transfer is explained by a new contract, so the team reviews the evidence, documents their conclusion, and updates the risk profile accordingly. If a regulator ever asks, that documentation is what protects the business.


How Fraxtional Can Help You Build an AML-Compliant Program

Most growing fintechs, crypto firms, and embedded finance companies face the same problem: AML compliance requires experienced leadership, but hiring a full-time BSA Officer, MLRO, or CAMLO is expensive and often impractical at seed, Series A, or Series B stage.

Fraxtional provides director-level AML compliance leadership on a fractional basis. Clients get a named compliance officer — BSA Officer, MLRO, or CAMLO — who can be used in regulatory filings, sponsor bank submissions, and investor documentation, without the cost or hiring delay of a full-time executive hire.

What Fraxtional Delivers in Practice

  • Builds end-to-end AML frameworks tailored to your product, customer base, and jurisdiction — pre-approved by sponsor banks across lending, cards, and wallets
  • Configures transaction monitoring thresholds, triggers, and alert logic for your specific model (prepaid, lending, crypto, payments)
  • Constructs complete SAR/CTR reporting infrastructure with escalation paths and audit-ready documentation
  • Develops written policies with role-based responsibilities, version control, and usability for non-technical staff
  • Provides ongoing fractional oversight: responding to regulator and sponsor bank inquiries, managing monitoring, and owning day-to-day compliance decisions

[Figure: Fraxtional fractional compliance officer delivering AML program services to fintech clients]

One crypto wallet co-founder working with Fraxtional described the situation plainly: "We had an AML policy, but it didn't hold up during a sponsor bank review. Fraxtional fixed it within days and helped us avoid a delay in onboarding."

Fraxtional's directors hold CAMS, CCI, ACAMS FCI, and Certified Bitcoin Professional credentials. They have built programs across US, UK, Canadian, and EU regulatory requirements, including multi-jurisdiction engagements for companies operating across borders.

AML compliance is the foundation of a bankable, investable financial services business. Regulators and sponsor banks scrutinize programs closely, and a weak framework creates real delays — in partnerships, funding, and licensing. As regulations evolve and products grow, the program has to keep pace. Experienced compliance leadership, whether full-time or fractional, is what keeps it there.


Frequently Asked Questions

What is an AML check?

An AML check is a compliance process that regulated businesses use to verify customer identities and confirm the money flowing through their operations isn't linked to criminal activity. It covers identity verification, risk screening, ongoing transaction monitoring, and suspicious activity reporting — not just a one-time ID check at onboarding.

What are the five main indicators of money laundering?

Five widely recognized red flags regulators and compliance teams watch for:

  • Unusually large or frequent cash transactions
  • Activity inconsistent with the customer's known business or income
  • Structuring — breaking large sums into smaller transfers to avoid reporting thresholds
  • Involvement of high-risk jurisdictions or Politically Exposed Persons (PEPs)
  • Sudden, unexplained changes in transaction behavior

Are AML checks a legal requirement?

Yes. AML checks are legally mandated for regulated businesses under the Bank Secrecy Act in the US, Money Laundering Regulations 2017 in the UK, PCMLTFA/FINTRAC rules in Canada, and EU Anti-Money Laundering Directives. FATF recommendations provide the global baseline followed by more than 200 jurisdictions.

What's the difference between AML checks and KYC?

KYC (Know Your Customer) is the identity verification component within a broader AML program. AML also encompasses ongoing transaction monitoring, risk assessment, sanctions screening, and suspicious activity reporting — making it a far broader compliance obligation than identity verification alone.

What happens if a business fails to comply with AML regulations?

Non-compliance carries three main consequences:

  • Financial penalties — fines that can run into hundreds of millions of dollars
  • Reputational damage — eroding customer and investor confidence
  • Legal exposure — potential criminal liability for responsible individuals and loss of operating licenses

Who is responsible for overseeing AML compliance in a fintech company?

Most jurisdictions require a designated compliance officer — an MLRO in the UK, BSA Officer in the US, or CAMLO in Canada — with authority to oversee the AML program and file suspicious activity reports. For startups and growth-stage fintechs that aren't ready for a full-time hire, Fraxtional provides this role on a fractional basis.