AML Due Diligence Process and Practices

AML due diligence is the regulatory process financial institutions use to identify, verify, and monitor customers to detect and prevent money laundering and terrorist financing. Simple enough as a definition — but the operational reality is considerably more demanding.

This article is for compliance teams, fintech founders, crypto operators, and banking professionals who need to understand how AML due diligence works in practice. Gaps in this process carry real consequences: NatWest was fined £264.8 million by the FCA in 2021, and USAA Federal Savings Bank paid $140 million to FinCEN in 2022 — both for failures that trace back to the fundamentals covered here.

What follows is a practical walkthrough of the complete AML due diligence process: the three tiers of checks, what factors shape how they're applied, and where organizations most commonly go wrong.


TL;DR

  • AML due diligence covers identity verification, beneficial ownership mapping, and ongoing transaction monitoring — a continuous program obligation, not a one-time check at onboarding.
  • The framework traces to FATF Recommendations 10–13, codified across BSA/AML (US), MLR 2017 (UK), PCMLTFA/FINTRAC (Canada), and EU Regulation 2024/1624.
  • Three tiers apply: Simplified Due Diligence (SDD), standard Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) — selected based on assessed risk, not default.
  • Triggers include new onboarding, high-value occasional transactions, suspicion of illicit activity, and material changes in customer circumstances.
  • Misapplying a tier — or failing to document the rationale behind your selection — is among the most cited causes of regulatory enforcement action.

What Is AML Due Diligence?

AML due diligence is the compliance process regulated entities use to assess and manage the money laundering and terrorist financing risks posed by their customers, counterparties, and transactions. It begins at onboarding and continues for the life of the relationship.

The process is designed to accomplish four things:

  • Confirm identity — verify customers are who they claim to be
  • Understand funds — establish the source and nature of money flowing through the relationship
  • Map beneficial ownership — identify who ultimately owns or controls an account or entity
  • Flag anomalies early — catch transaction patterns inconsistent with the customer's stated profile

[Infographic: the four pillars of the AML due diligence process framework]

AML Due Diligence vs. KYC

The four-element framework above is also where a common misconception takes root: treating KYC and AML due diligence as the same thing.

KYC (Know Your Customer) is the identity-verification component within the broader AML due diligence framework. FATF Recommendation 10 and FinCEN's CDD Final Rule both treat customer identification as one of four CDD elements. The other three are beneficial ownership identification, understanding the purpose of the relationship, and ongoing monitoring. KYC handles the first. AML due diligence covers all four.


How the AML Due Diligence Process Works

The AML due diligence process moves in sequence: risk-based customer classification at onboarding drives identity and beneficial ownership verification, which then feeds screening, risk rating, and finally ongoing monitoring. Each step shapes the one that follows.

Inputs to the process include:

  • Customer-provided information (name, address, ID documents, business purpose)
  • Third-party data sources (credit agencies, PEP lists, adverse media)
  • Internal risk appetite frameworks and AML policies

During verification, the institution compares submitted information against independent external data, maps ownership structures to identify the true beneficial owner, screens against relevant sanctions lists (OFAC SDN, the UK Sanctions List, and the UN Consolidated List), and assigns a risk rating.

Governance sits with a designated compliance officer: a BSA Officer in the US (required under 31 CFR 1020.210), an MLRO under FCA SYSC 6.3 in the UK, or a CAMLO for federally regulated institutions in Canada. Automated transaction monitoring tools apply rule-based logic to flag suspicious patterns between periodic reviews.

Fintech startups and crypto firms building this function from scratch often engage fractional compliance leadership — placing a BSA Officer, MLRO, or CAMLO as a named officer on regulatory filings before scaling to a full-time hire.

Step 1: Customer Risk Classification

Before any verification begins, the institution classifies the customer into a risk tier. Factors include:

  • Customer's jurisdiction and industry
  • Transaction types and volumes
  • Beneficial ownership complexity
  • Presence of any politically exposed persons (PEPs)

This classification determines which tier of due diligence applies — SDD, CDD, or EDD.

Step 2: Identity and Beneficial Ownership Verification

The institution collects and verifies identity documents against independent data sources. Document copies alone are insufficient under most regulatory frameworks — verification must use reliable, independent sources.

Beneficial ownership thresholds vary by jurisdiction:

  • US (FinCEN CDD Rule): ownership threshold of 25% or more of equity interests; additional control requirement: one individual with significant management control must also be identified
  • UK (MLR 2017 Reg. 28): ownership threshold of more than 25% of shares or voting rights; additional control requirement: look-through to natural persons
  • EU (AMLR 2024/1624, Art. 52): ownership threshold of 25% or more, which can be lowered to ~15% for higher-risk entities; additional control requirement: ownership chains are calculated by multiplying through intermediate entities

[Infographic: beneficial ownership thresholds compared across the US, UK and EU]

Where beneficial owners are held through shell companies or multi-layered corporate structures, the institution must trace through each layer to identify the natural person at the top.
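The look-through described above can be made mechanical. The following is an added example written for this article (it is not code from the article or from any regulator): it walks a corporate structure from the customer entity up to natural persons, multiplies the percentage held at each layer (the chain-multiplication rule the EU table entry refers to), sums the chains that reach the same person, and applies the threshold with either the "25% or more" wording (US, EU) or the "more than 25%" wording (UK). The structure, the names and the function names are constructed for the example; circular holdings and entities whose owners are unknown are surfaced rather than silently dropped, since the record of how each figure was reached is what an examiner will ask for.

```python
"""
Beneficial-ownership look-through through intermediate entities.

Added illustration for this article; not code from the article or from any
regulator. The corporate structure below is constructed sample data, and the
function and field names are this example's own choices.
"""
from collections import defaultdict

# Constructed sample: who owns what fraction of each entity. "customer_ltd"
# is the onboarding customer; alice, bob, carol and dave are natural persons.
SAMPLE_STRUCTURE = {
    "customer_ltd": {"holdco_a": 0.50, "holdco_b": 0.50},
    "holdco_a": {"alice": 0.50, "bob": 0.50},
    "holdco_b": {"alice": 0.20, "carol": 0.40, "dave": 0.40},
}
SAMPLE_NATURAL_PERSONS = {"alice", "bob", "carol", "dave"}


def trace_ownership(structure, root, natural_persons):
    """Walk every ownership chain from `root` up to natural persons.

    Returns {person: {"total": effective fraction, "chains": [(path, fraction), ...]}}.
    The fraction held through one chain is the product of the percentages at
    each layer; a person reached through several chains has them summed.
    Entities whose owners are not in `structure` are reported under an
    "UNRESOLVED:" key so the gap stays visible in the file.
    """
    result = defaultdict(lambda: {"total": 0.0, "chains": []})

    def walk(entity, fraction, path):
        if entity in path:
            # A circular holding (A owns B owns A) would loop forever; treat it
            # as an unresolved structure that needs manual review.
            raise ValueError(f"circular ownership detected at {entity}")
        chain = path + [entity]
        owners = structure.get(entity)
        if not owners:
            key = f"UNRESOLVED:{entity}"
            result[key]["total"] += fraction
            result[key]["chains"].append((">".join(chain), fraction))
            return
        for owner, share in owners.items():
            held = fraction * share
            if owner in natural_persons:
                result[owner]["total"] += held
                result[owner]["chains"].append((">".join(chain + [owner]), held))
            else:
                walk(owner, held, chain)

    walk(root, 1.0, [])
    # Round away float noise before anything is compared against a threshold.
    return {k: {"total": round(v["total"], 6), "chains": v["chains"]}
            for k, v in result.items()}


def beneficial_owners(structure, root, natural_persons, threshold=0.25, inclusive=True):
    """Natural persons whose effective holding meets the threshold.

    inclusive=True  -> "25% or more"   (US CDD Rule and EU AMLR wording)
    inclusive=False -> "more than 25%" (UK MLR 2017 Reg. 28 wording)
    Returns a list of (person, effective_fraction), largest holding first.
    """
    traced = trace_ownership(structure, root, natural_persons)
    hits = []
    for person, info in traced.items():
        if person.startswith("UNRESOLVED:"):
            continue
        total = info["total"]
        if (total >= threshold) if inclusive else (total > threshold):
            hits.append((person, total))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    traced = trace_ownership(SAMPLE_STRUCTURE, "customer_ltd", SAMPLE_NATURAL_PERSONS)
    for person, info in traced.items():
        print(person, info["total"], info["chains"])
    print("US/EU 25% or more:", beneficial_owners(SAMPLE_STRUCTURE, "customer_ltd", SAMPLE_NATURAL_PERSONS))
    print("UK more than 25%: ", beneficial_owners(SAMPLE_STRUCTURE, "customer_ltd", SAMPLE_NATURAL_PERSONS, inclusive=False))
    print("EU lowered to 15%:", beneficial_owners(SAMPLE_STRUCTURE, "customer_ltd", SAMPLE_NATURAL_PERSONS, 0.15))
```

On the constructed structure, bob holds exactly 25% through holdco_a: he is a beneficial owner under the "25% or more" wording but not under "more than 25%", while carol and dave (20% each) only appear once the threshold is lowered to 15%. The `chains` list is the audit trail: it records which path produced each figure, which is what the documentation obligations discussed later in the article require.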

Step 3: Ongoing Monitoring and Periodic Review

After onboarding, the institution monitors transactions continuously for activity inconsistent with the customer's stated profile and risk tier. Periodic reviews — triggered by the risk tier or by flagged activity — determine whether to:

  • Update the customer's risk classification
  • Request additional documentation
  • File a Suspicious Activity Report (SAR)

Risk ratings shift throughout the relationship. A change in ownership structure, unusual transaction volumes, or newly identified PEP status can all trigger re-evaluation mid-relationship.
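The rule-based monitoring that runs between periodic reviews is easiest to see in code. The following is an added example written for this article, not the article's code or any vendor's monitoring tool: it compares a customer's actual transactions with the profile stated at onboarding, flags monthly volume that far exceeds the stated expectation, flags counterparties in unexpected or high-risk countries, and flags a PEP whose tier has not been individually reviewed. Each alert carries one of the review outcomes listed above (update the classification, request documentation, consider a SAR). The profile fields, rule names, the spike multiplier and the transactions are constructed; the `HIGH_RISK_COUNTRIES` set holds a placeholder code standing in for the live FATF and EU lists.

```python
"""
Rule-based monitoring between periodic reviews: compare each customer's
actual activity with the profile stated at onboarding and emit review
alerts. Added illustration for this article; not the article's code or any
vendor's monitoring tool. Profile fields, rule names, thresholds and the
transactions below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder country code standing in for the current FATF / EU high-risk
# third-country lists; in practice this is loaded from the live lists.
HIGH_RISK_COUNTRIES = {"XX"}
SPIKE_MULTIPLIER = 3.0  # constructed: monthly volume beyond 3x the stated expectation


@dataclass
class Profile:
    customer_id: str
    tier: str                   # "SDD", "CDD" or "EDD"
    expected_monthly: float     # volume the customer stated at onboarding
    expected_countries: frozenset
    pep: bool = False


@dataclass
class Txn:
    customer_id: str
    month: str                  # "YYYY-MM"
    amount: float
    counterparty_country: str


def monitor(profile, txns):
    """Return alerts for one customer, each naming the rule, evidence and review action."""
    alerts = []
    by_month = defaultdict(float)

    for t in txns:
        if t.customer_id != profile.customer_id:
            continue
        by_month[t.month] += t.amount
        if t.counterparty_country in HIGH_RISK_COUNTRIES:
            alerts.append({"rule": "HIGH_RISK_COUNTRY", "month": t.month, "amount": t.amount,
                           "country": t.counterparty_country,
                           "action": "escalate for EDD review and decide whether a SAR is warranted"})
        elif t.counterparty_country not in profile.expected_countries:
            alerts.append({"rule": "UNEXPECTED_COUNTRY", "month": t.month, "amount": t.amount,
                           "country": t.counterparty_country,
                           "action": "request additional documentation on the counterparty"})

    # Volume rule is evaluated per month so a spike is tied to a period the
    # reviewer can pull the statements for.
    for month in sorted(by_month):
        if by_month[month] > SPIKE_MULTIPLIER * profile.expected_monthly:
            alerts.append({"rule": "VOLUME_SPIKE", "month": month, "amount": by_month[month],
                           "country": None,
                           "action": "re-evaluate the risk classification and document the rationale"})

    # A PEP is not automatically EDD, but the tier must be an individually
    # assessed and documented decision rather than a default.
    if profile.pep and profile.tier != "EDD":
        alerts.append({"rule": "PEP_TIER_REVIEW", "month": None, "amount": None, "country": None,
                       "action": "assess the PEP individually and record why the current tier applies"})
    return alerts


# Constructed sample: a CDD customer that stated ~20,000/month across GB and DE.
SAMPLE_PROFILE = Profile("C-1001", "CDD", 20000.0, frozenset({"GB", "DE"}))
SAMPLE_TXNS = [
    Txn("C-1001", "2024-01", 6000.0, "GB"),
    Txn("C-1001", "2024-01", 7000.0, "DE"),
    Txn("C-1001", "2024-01", 5000.0, "GB"),
    Txn("C-1001", "2024-02", 40000.0, "GB"),
    Txn("C-1001", "2024-02", 30000.0, "XX"),   # placeholder high-risk country
    Txn("C-1001", "2024-02", 5000.0, "US"),
    Txn("C-2002", "2024-02", 999999.0, "GB"),  # another customer; ignored here
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_PROFILE, SAMPLE_TXNS):
        print(alert)
```

January matches the stated profile and produces nothing; February produces three alerts (a high-risk counterparty, an unexpected counterparty country, and a monthly volume of 75,000 against a stated 20,000). Note that the spike rule reads the profile rather than a fixed number, which is what makes the check risk-based: the same 75,000 on a customer that declared 50,000 a month would not fire.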


The Three Tiers: SDD, CDD, and EDD

AML due diligence is not a uniform process. Regulators require a risk-based approach, meaning the depth of checks must reflect the level of risk. Applying the wrong tier is itself a compliance failure: under-doing checks on a high-risk customer, or over-investing on a demonstrably low-risk one.

Simplified Due Diligence (SDD)

SDD applies only where the risk of money laundering or terrorist financing is demonstrably low — for example, certain regulated financial institutions or specific low-risk product types.

Two points regulators consistently emphasize:

  1. SDD is not an exemption from due diligence. The institution must document the risk rationale that justifies reduced measures.
  2. SDD still requires sufficient monitoring to detect unusual or suspicious transactions (UK MLR 2017 Reg. 37).

UK and EU regulators are explicit on this point: SDD cannot be applied by default.

Standard Customer Due Diligence (CDD)

CDD is the baseline applied to the majority of customers. It requires:

  • Verifying the customer's identity using reliable, independent sources
  • Identifying the beneficial owner(s)
  • Understanding the purpose and intended nature of the relationship
  • Conducting ongoing monitoring

Transaction thresholds for occasional (non-relationship) customers are not uniform. The applicable figure depends on transaction type and sector:

  • €15,000 — general threshold for occasional transactions (UK MLR 2017 Reg. 27; EU AMLD Article 11)
  • €1,000 — funds transfers (UK-specific)
  • €10,000 — high-value dealer cash transactions (UK-specific)

Enhanced Due Diligence (EDD)

EDD is mandatory in higher-risk scenarios. Key triggers include:

  • Customers connected to high-risk third countries (as listed by FATF or the EU)
  • Politically exposed persons (PEPs) and their close associates or family members
  • Complex or opaque ownership structures
  • Non-face-to-face customer onboarding without compensating safeguards
  • Any situation where the institution has elevated suspicion

EDD adds several requirements on top of standard CDD:

  • Obtain senior management approval before onboarding
  • Collect additional identity documentation
  • Verify source of wealth and source of funds
  • Increase the frequency of ongoing monitoring

[Infographic: comparison of the three AML due diligence tiers, SDD, CDD and EDD]

The PEP nuance that's frequently misapplied: FCA Finalised Guidance FG25/3 (published July 2025) confirms that firms must apply a proportionate, risk-based approach to PEPs — particularly domestic PEPs. Blanket EDD treatment for all domestic PEPs is not compliant. The risk must be assessed individually and the rationale documented.


Key Factors That Affect the AML Due Diligence Process

Customer Jurisdiction

Customers or counterparties connected to high-risk third countries automatically trigger enhanced measures. FATF maintains both a call-for-action list (highest risk) and an increased-monitoring list (grey list), both updated after each plenary. The EU maintains a separate methodology for designating high-risk third countries.

Cross-border operations add complexity. A US-based fintech onboarding UK clients must align simultaneously with BSA/AML requirements and UK MLR 2017, including differences in:

  • CDD trigger thresholds
  • Beneficial ownership percentage requirements
  • Designated officer roles and accountability

Ownership Structure Complexity

Shell companies, nominee arrangements, and multi-layered corporate structures make beneficial ownership verification considerably harder. Under UK MLR 2017 Reg. 28, institutions must take reasonable measures to understand the full ownership and control structure where the beneficial owner sits behind a legal entity, trust, or similar arrangement.

EU AMLR 2024/1624 Articles 54–55 address look-through requirements for ownership chains specifically. The practical implication: more layers means more documentation, more time, and a higher residual risk rating.

Organizational Capacity

Structural complexity only matters if the team reviewing it has the right expertise. For fintech, crypto, and embedded finance firms that cannot justify a full-time Chief AML Officer, fractional compliance models have become an established solution.

Fraxtional provides fractional BSA Officers, MLROs, and CAMLOs through three engagement models:

  • On Demand Advisory — flat fee for discrete projects; suited to one-time needs like risk assessments, policy development, or audit support
  • Subscription Advisory — monthly or weekly retainer with a dedicated Director for ongoing program management
  • Fractional Advisory — monthly retainer with named title use (BSA Officer, MLRO, CAMLO) and full regulatory accountability

[Infographic: overview of Fraxtional's fractional compliance advisory engagement models]

A seed-stage startup building its first AML framework has different needs than a Series B fintech preparing for a regulatory examination or sponsor bank review — and the engagement structure reflects that.


Common Misconceptions and Pitfalls in AML Due Diligence

Misconception 1: Onboarding checks close the file

Many organizations verify customers once and treat the relationship as compliant indefinitely. Regulators consistently identify the absence of ongoing monitoring and periodic review as a primary driver of enforcement action. The NatWest prosecution — a £264.8 million fine — involved failures to monitor an existing commercial customer relationship, not failures at onboarding.

Due diligence is a lifecycle obligation. The risk classification must be revisited whenever:

  • Transaction volumes spike unexpectedly
  • Ownership structure changes
  • The customer is newly identified as a PEP

Misconception 2: Applying EDD universally is the "safe" approach

Over-applying EDD — treating every non-face-to-face customer as high-risk, or extending blanket EDD to all domestic PEPs regardless of individual risk — is not conservative compliance. It signals a lack of genuine risk-based thinking and creates friction for legitimate customers while diverting resources away from actually elevated risks.

FCA FG25/3 makes this explicit for PEPs. The obligation is to assess each case individually and document the rationale, not to apply the most intensive check by default.

Misconception 3: Running checks is enough — documentation is secondary

Many institutions run adequate checks but fail to retain auditable records. Retention requirements vary by jurisdiction but share a consistent standard:

  • UK (MLR 2017 Reg. 40): 5 years after the relationship ends
  • US (31 CFR 1020.220 / 1010.230): 5 years from account closure
  • Canada (FINTRAC): 5 years for most record types

During a regulatory examination, an institution that ran checks but cannot produce documentation is treated the same as one that ran no checks at all. The record is the compliance.


Frequently Asked Questions

What is due diligence in AML?

AML due diligence is the process regulated entities use to verify customer identity, understand beneficial ownership, assess money laundering risk, and monitor transactions on an ongoing basis. It is required by law across the US, UK, Canada, EU, and most other jurisdictions, and applies throughout the life of the customer relationship — not just at onboarding.

What are the pillars of AML due diligence?

FATF Recommendation 10 defines four core pillars, codified into national AML laws across all major jurisdictions:

  • Customer identification and verification
  • Beneficial ownership identification
  • Understanding the purpose and intended nature of the business relationship
  • Ongoing transaction monitoring

What is the difference between CDD and EDD in AML?

CDD is the standard baseline applied to most customers, covering identity verification, beneficial ownership, and ongoing monitoring. EDD goes further, requiring source-of-wealth and source-of-funds verification, senior management approval, and more frequent monitoring. It applies when higher-risk factors are present, such as PEP status, high-risk jurisdictions, or complex ownership structures.

When is enhanced due diligence required?

EDD is mandatory in the following situations:

  • Customers connected to FATF or EU-listed high-risk third countries
  • Politically exposed persons and their close associates
  • Non-face-to-face onboarding without compensating safeguards
  • Any situation where the institution identifies elevated money laundering or terrorist financing risk

How long must AML due diligence records be kept?

Most jurisdictions require a minimum five-year retention period from the date the business relationship ends or the transaction is completed. This covers identity documents, risk assessments, screening records, and monitoring decisions. Failure to produce these records during a regulatory examination is treated the same as failure to conduct the checks.

What happens if a business fails to conduct proper AML due diligence?

Consequences include regulatory fines (reaching hundreds of millions in serious cases), loss of operating licenses, mandatory remediation programs, and reputational damage. Under UK MLR 2017 Reg. 92, personal liability can also attach to responsible officers where an offence is committed with their consent, connivance, or neglect.