AML Requirements for Payment Processors

Payment processors occupy an uncomfortable position in the financial crime landscape. They move enormous transaction volumes at speed, often without a direct relationship to the end merchant or customer — and regulators across every major jurisdiction have taken notice.

Whether you're operating under FCA authorization in the UK, navigating FINTRAC's expanded MSB rules in Canada, or managing sponsor bank expectations in the US, the compliance bar for payment processors has risen sharply. AML failures aren't abstract risks anymore. They result in bank account terminations, enforcement actions, and in serious cases, criminal charges.

This guide covers what payment processors actually need to know: the AML obligations that apply by jurisdiction, the five core program components regulators look for, how CIP, CDD, and EDD work as a tiered framework, and how to build a defensible compliance program without a full-time executive team.


TL;DR

  • Payment processors in the US aren't automatically subject to BSA/AML law, but sponsor banks expect controls that mirror regulated institutions
  • UK and EU treat payment processors as regulated AML entities with mandatory CDD, SAR, and MLRO/compliance officer requirements
  • Canada's FINTRAC removed payment processing exemptions in April 2022 — many processors are now MSBs with registration and EFT reporting obligations
  • A compliant AML program rests on five pillars: compliance officer, written policies, transaction monitoring, sanctions screening, and independent audit
  • CIP, CDD, and EDD are distinct but linked — scrutiny must scale with the risk a customer actually presents

Why Payment Processors Are Uniquely Exposed to Money Laundering Risk

Most banks have a direct relationship with the merchants they serve. Payment processors often don't. They sit between the bank and the merchant, processing transactions for businesses they may never have meaningfully investigated — and that structural gap is exactly what bad actors exploit.

The FFIEC's BSA/AML Examination Manual is direct on this point: payment processors pose greater money laundering and fraud risk when they lack an effective means of verifying merchant clients' identities and business practices.

The bank often has no direct merchant relationship at all. That makes the processor the de facto gatekeeper, regardless of whether it ever set out to play that role.

Common Money Laundering Typologies Targeting Processors

Several patterns appear repeatedly when payment processors are implicated in financial crime:

  • Transaction laundering: processing payments for undisclosed or illicit merchants through a legitimate-looking merchant account
  • Structuring: breaking transactions into smaller amounts to avoid monitoring thresholds
  • High-risk merchant category abuse: categories like online gambling, telemarketing, or high-value goods used to obscure the true nature of transactions
  • Elevated ACH/RCC return rates used as cover for fraudulent merchant activity

[Figure: Four common money laundering typologies targeting payment processors]

The FFIEC specifically flags internet-based businesses, prepaid travel services, telemarketers, and internet gaming enterprises as high-risk merchant categories requiring closer scrutiny. Treat them as typology indicators, not an exhaustive checklist. They should directly shape how processors approach merchant onboarding and ongoing transaction monitoring.


AML Requirements by Jurisdiction: US, UK, EU, and Canada

The regulatory picture isn't uniform across jurisdictions. Here's what actually applies where.

United States

Payment processors are not automatically classified as money services businesses (MSBs) under the BSA. The money transmitter definition explicitly excludes processors that only facilitate payment for goods or services through a clearance and settlement system by agreement with the seller. Whether MSB obligations apply depends on the specific business model.

FinCEN's 2012 Advisory (FIN-2012-A010) and FFIEC guidance make clear that banks expect processors to maintain AML controls consistent with regulated institutions. Sponsor bank relationships drive compliance requirements as much as formal law does.

When your banking partner demands a named BSA Officer, documented AML policies, and transaction monitoring, those requirements are non-negotiable — regardless of whether you technically qualify as an MSB.

The ENABLERS Act (introduced in the 117th Congress) would have extended formal AML obligations to payment processors, but it did not become law. FinCEN has signaled intent to expand coverage through rulemaking, and the broader direction is toward more obligations, not fewer.

United Kingdom

FCA-authorized payment institutions and e-money institutions are directly subject to the Money Laundering Regulations 2017. Obligations include:

  • Customer due diligence and enhanced due diligence for higher-risk customers
  • Suspicious Activity Reports filed to the National Crime Agency under POCA Part 7
  • A designated Money Laundering Reporting Officer (MLRO)
  • Documented policies, risk assessments, and staff training

The FCA's March 2024 Dear CEO letter identified specific AML control failings across business-wide risk assessments, CDD gaps, SAR handling, and governance. It's a direct signal of where supervisory scrutiny is focused — and what examiners will test first.

European Union

EU payment processors are regulated institutions under the AML Directives. 5AMLD tightened anonymous prepaid card rules and required customer identification for remote transactions over €50. 6AMLD expanded criminal liability and harmonized predicate offences across member states.

AMLA — the EU's new Anti-Money Laundering Authority, established June 2024 — will directly supervise up to 40 high-risk financial institutions from 2028 onward, with entity selection happening in 2027. Multi-country processors should expect more consistent EU supervision as AMLA stands up its direct oversight function.

Canada

FINTRAC's April 2022 regulatory update (SOR/2022-76) removed exemptions for payment processing of credit, debit, and prepaid products. Many processors that previously operated outside MSB classification must now register with FINTRAC and comply with PCMLTFA obligations, including:

  • Reporting international electronic funds transfers of CAD $10,000 or more
  • Meeting record-keeping requirements for transactions and client identification
  • Implementing a full AML compliance program

FINTRAC has since directed certain payment service providers to register and withdrawn prior policy interpretations that supported the exemption. If you're processing payments in Canada and haven't reassessed your registration status, that's an immediate gap to address.

Key Takeaway

Even where direct regulation doesn't apply — as in the US for many processors — the practical compliance expectation is the same. Sponsor banks require it. Investors expect it. And the trend across every jurisdiction points toward more formal obligations, not fewer.


The Core Components of an AML Compliance Program

Regardless of jurisdiction, a defensible AML program for a payment processor rests on five pillars.

1. Designated Compliance Officer

Every program needs a named individual accountable for it — a BSA Officer in the US, MLRO in the UK, or CAMLO in Canada. This person owns SAR filings, regulatory relationships, monitoring oversight, and program governance.

For early-stage or growth-stage processors, this role doesn't require a full-time executive hire. A fractional compliance officer provides director-level accountability and regulatory credibility at a fraction of the cost.

Fraxtional, for example, places named BSA Officers, MLROs, and CAMLOs who integrate directly with the client's team, interact with sponsor banks, and appear on regulatory filings — without the overhead of a permanent C-suite hire.

2. Written Policies and Procedures

Generic templates don't pass sponsor bank due diligence. Policies must cover:

  • Merchant onboarding and KYB requirements
  • Transaction monitoring thresholds and escalation procedures
  • SAR/STR filing protocols
  • Sanctions screening processes
  • Record retention requirements

The documentation should be tailored to the processor's specific business model, merchant risk profile, and payment channels. Generic frameworks rarely survive sponsor bank review.

3. Transaction Monitoring

Processors must monitor transactions on an ongoing basis for suspicious patterns. Key alert triggers include:

  • Sudden volume spikes or unusual transaction size patterns
  • Transfers to or from high-risk jurisdictions
  • Structuring behaviors (transactions just below reporting thresholds)
  • High ACH return rates or chargeback ratios
  • Activity inconsistent with the merchant's stated business type

Monitoring logic should be calibrated to the processor's specific risk exposure. Generic rulesets tend to generate hundreds of false positives while missing the alerts that actually matter.

4. Sanctions Screening

Processors must screen merchants, beneficial owners, and counterparties against applicable sanctions lists: OFAC (US), HM Treasury/OFSI (UK), EU consolidated sanctions lists, and UN lists. OFAC's Framework for Compliance Commitments strongly encourages risk-based screening of customers, counterparties, intermediaries, and transactions — at onboarding and on an ongoing basis.

Processing a payment for an OFAC-designated entity, even inadvertently, can result in civil penalties regardless of intent.

5. Employee Training and Independent Auditing

A complete program addresses three distinct requirements in this pillar:

  • Staff training covering red flags, escalation procedures, and SAR filing obligations
  • Independent testing through internal audit or an external third party to identify gaps before regulators do
  • Audit documentation structured to be board-ready, particularly for processors seeking or maintaining sponsor bank relationships

[Figure: Five pillars of an AML compliance program for payment processors]

CIP vs. CDD vs. EDD: The Three Layers of Due Diligence

These three terms are often used interchangeably, but they represent distinct and sequential layers of scrutiny.

| Layer | What It Covers | When It Applies |
|-------|----------------|-----------------|
| CIP | Identity verification — name, address, date of birth, government ID | Every customer/merchant at onboarding |
| CDD | Business nature, transaction purpose, beneficial ownership | All customers; required for legal entities |
| EDD | Source of funds, senior management approval, heightened monitoring | High-risk customers based on risk scoring |

Customer Identification Program (CIP) sets the floor for every onboarding. For legal entity customers, it extends to beneficial ownership — FinCEN's CDD Rule (effective May 2018) requires identifying individuals who own 25% or more of the entity. The rule directly binds banks and broker-dealers, but sponsor banks expect processors to meet the same standard for their merchant clients.

For merchants, Customer Due Diligence (CDD) means understanding what the merchant actually does, what transaction volumes to expect, and who controls the business. For payment processors, CDD applies to merchant clients — and in some models, to the merchants' own customers as well.

Enhanced Due Diligence (EDD) kicks in for high-risk accounts: merchants in online gambling, crypto, high-value goods, or cross-border remittance; customers in FATF high-risk jurisdictions; entities with complex ownership structures.

In practice, EDD means source of funds verification, senior management sign-off on the relationship, and more frequent ongoing monitoring.

Most merchants go through CIP and CDD. A subset — flagged by your risk scoring at onboarding and periodic review — require EDD. Processors with heavy exposure to cross-border or high-risk verticals typically see a higher share of EDD-required accounts.


[Figure: CIP, CDD, and EDD three-tier due diligence framework for payment processors]

Consequences of AML Non-Compliance

The consequences of getting this wrong are concrete, not theoretical.

Regulatory enforcement actions carry real financial penalties. FinCEN's 2017 action against Western Union resulted in a $184 million civil money penalty for AML program and SAR filing failures. The DOJ went further with PacNet Services — charging four executives of the Canadian payment processor with fraud and money laundering for processing payments tied to mass-mailing fraud victims.

Criminal exposure isn't hypothetical. Processors that knowingly or recklessly facilitate illicit activity face personal liability, not just corporate fines.

Loss of banking access is often the more immediate threat. Banks face their own regulatory scrutiny over the processors they sponsor, and when a processor's AML program can't withstand review, the bank terminates the relationship. For a fintech relying on a single sponsor bank, that termination stops operations entirely.

OCC guidance confirms that banks assess compliance, transaction, strategic, and reputational risk from processor relationships — which means your AML program is their problem too.

Reputational and operational damage compounds quickly. Three consequences tend to stack fast once scrutiny begins:

  • Investor confidence: An enforcement action or enhanced regulatory scrutiny creates friction during Series A and B due diligence
  • Partnership risk: Banks and payment networks re-evaluate processor relationships when compliance flags surface
  • Operational continuity: A SAR filing or exam finding can trigger reviews that pause processing volumes mid-cycle

Each of these affects the business before any formal penalty is issued.


Building AML Compliance Without a Full-Time Team

Most early-stage payment processors don't need a full-time chief compliance officer. They need a defensible program that satisfies sponsor bank requirements, scales with transaction volume, and doesn't require rebuilding every time the business grows.

Start With a Risk Assessment

A formal enterprise-wide AML risk assessment is the foundation regulators look for when evaluating program adequacy. It maps merchant types, geographies, payment channels, and transaction volumes to pinpoint where risk is highest — driving proportionate resource allocation from day one.

Fraxtional's risk assessment service produces board-ready documentation grounded in the processor's actual product risk, geography, and merchant profile.

Fractional Compliance Leadership

The compliance officer requirement can be satisfied through a fractional model. Fraxtional places named BSA Officers, MLROs, and CAMLOs who take direct ownership of AML obligations — managing monitoring alerts, SAR workflows, sponsor bank interactions, and regulatory filings — without the cost of a full-time executive hire.

Each placed Director integrates into the client's organization, appears on regulatory filings, and represents the business to banks and investors. For processors operating across multiple jurisdictions, a single engagement can cover US, UK, and Canadian obligations.

Build Infrastructure That Scales

The practical build sequence:

  1. Document a formal AML policy tailored to your business model — not a generic template
  2. Implement a KYC/KYB workflow for merchant onboarding with clear CDD and EDD triggers
  3. Establish transaction monitoring thresholds calibrated to your payment channels and merchant risk mix
  4. Train your team on red flags, escalation procedures, and SAR obligations
  5. Schedule annual independent testing to identify gaps before your sponsor bank or regulator does

[Figure: Five-step AML compliance infrastructure build sequence for payment processors]

Build this infrastructure to grow with transaction volume. Processors that get the foundation right at seed or Series A rarely face the disruptive rebuilds that stall sponsor bank renewals and investor due diligence later.


Frequently Asked Questions

What are the main AML compliance requirements for payment processors?

The five core elements are: a designated compliance officer, written AML policies and procedures, KYC/CDD at merchant onboarding, ongoing transaction monitoring, and regular independent auditing. The specific rules that apply depend on jurisdiction — BSA in the US, MLRs 2017 in the UK, AMLDs in the EU, and PCMLTFA in Canada.

What is CIP vs. CDD vs. EDD?

CIP is identity verification at onboarding. CDD extends this to understanding the customer's business, transaction purpose, and beneficial ownership. EDD is a deeper investigation applied to high-risk customers — including source of funds verification and senior management approval.

What is AML in payment processing?

AML in payment processing refers to the policies, procedures, and controls a processor implements to prevent its platform from being used to launder illicit funds. This includes merchant verification, transaction monitoring, sanctions screening, and suspicious activity reporting.

Are payment processors required to have a dedicated compliance officer?

In the UK (MLRO), Canada (CAMLO), and under EU AMLDs, a designated compliance officer is a formal legal requirement. In the US, it's a strong regulatory expectation and a practical requirement for any processor seeking or maintaining a sponsor bank relationship, even where the BSA doesn't directly mandate it.

What are the penalties for AML non-compliance?

Penalties include monetary fines from FinCEN, the FCA, FINTRAC, and EU national authorities; license revocation; loss of banking relationships; and criminal prosecution in serious cases. Enforcement actions are increasingly targeting payment firms and fintechs, not just traditional banks.

Do AML requirements differ between the US, UK, and EU?

Yes. The EU and UK treat payment processors as regulated institutions with mandatory AML obligations. US processors are not directly subject to the BSA unless they meet the money transmitter definition, but face strong de facto compliance expectations from sponsor banks and regulators through FFIEC guidance and OFAC obligations.