
What's changed is who regulators hold accountable. AML obligations once felt like a large-bank concern. They aren't anymore. Fintechs, payment processors, crypto exchanges, money transmitters, and embedded finance companies across the US, UK, and Canada now face the same regulatory obligations as traditional banks — and enforcement is accelerating.
This article covers:
- The AML regulatory frameworks by jurisdiction (US, UK, Canada, and EU)
- The five compliance pillars every regulated entity must implement
- Who is legally required to comply
- Key enforcement bodies and the consequences of failure
- The most significant regulatory changes expected through 2026
TL;DR
- AML regulations require financial institutions to detect, prevent, and report money laundering and terrorist financing.
- Key frameworks: Bank Secrecy Act (US), MLR 2017 (UK), PCMLTFA (Canada), and EU Anti-Money Laundering Directives.
- Five core pillars: CIP/KYC, Customer Due Diligence, Transaction Monitoring, Suspicious Activity Reporting, and Sanctions Screening.
- Non-compliance carries multi-million dollar fines, license revocations, and criminal prosecution for both firms and individuals.
- Regulators are prioritizing beneficial ownership transparency, virtual asset regulation, and AI-assisted compliance monitoring through 2026.
AML Regulatory Frameworks by Jurisdiction
An AML regulatory framework combines primary legislation, secondary rules, and international standards — particularly FATF recommendations — to govern how institutions must prevent financial crime within a given jurisdiction. Each major market has its own structure, but the underlying obligations are broadly consistent.
United States: BSA and the PATRIOT Act
The Bank Secrecy Act (1970) is the foundation. FinCEN states that BSA regulations require financial institutions to maintain records, file Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000, and report suspicious activity that may indicate money laundering or other criminal activity.
The USA PATRIOT Act (2001) expanded BSA significantly — mandating Customer Identification Programs (CIP), enhanced due diligence for foreign accounts, and AML program requirements across all financial institutions.
The Anti-Money Laundering Act of 2020 (AMLA 2020) is the most substantial overhaul since then. Its workstreams include BSA modernization, updated AML/CFT program requirements, a SAR sharing pilot, and the Corporate Transparency Act (CTA).
On the CTA: as of FinCEN's March 21, 2025 interim final rule, beneficial ownership reporting requirements have been removed for US companies and US persons. Foreign entities registered before March 26, 2025 faced an April 25, 2025 filing deadline. The direction of travel toward ownership transparency remains clear, even if the implementation timeline has shifted.
United Kingdom: POCA, MLR 2017, and FCA Oversight
UK AML law rests on two pillars:
- Proceeds of Crime Act 2002 (POCA) — defines money laundering offenses, including concealment, arrangements, and acquisition of criminal property
- Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) — sets out risk-based compliance obligations, CDD requirements, ongoing monitoring, and record retention
The FCA supervises most financial services firms and cryptoasset businesses. HMRC handles supervision for certain non-financial sectors. A critical operational requirement: firms must appoint a named Money Laundering Reporting Officer (MLRO) to receive internal suspicious activity disclosures.
Post-Brexit, the UK operates its own regime independently of EU directives. HM Treasury published a consultation response in July 2025 on improving the effectiveness of the Money Laundering Regulations — firms operating in the UK should monitor this closely.
Canada: PCMLTFA and FINTRAC
Canada's framework is frequently overlooked in global AML guides — but FINTRAC actively examines compliance programs and imposes administrative monetary penalties, making it a real enforcement risk for any business operating there.
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) governs all Canadian AML obligations. FINTRAC — the Financial Transactions and Reports Analysis Centre of Canada — receives and analyzes financial reports, conducts compliance examinations, and imposes administrative monetary penalties.
MSBs, including crypto exchanges, must register with FINTRAC before operating. Virtual currency exchange and transfer services are explicitly classified as MSB activities. FINTRAC imposed a $6,002,000 penalty on Binance in May 2024 for failing to register as a foreign MSB. That enforcement action confirms the agency is not treating registration as optional.
EU and FATF's Global Role
FATF sets the global baseline standards that all major jurisdictions are expected to implement. Its mutual evaluations directly influence how aggressively national regulators enforce their frameworks.
Within the EU, three developments define the current regulatory landscape:
- EU AML Authority (AMLA) — will directly supervise 40 high-risk financial institutions from 2028 as member states complete the transition
- 6th Anti-Money Laundering Directive (6AMLD) — tightens beneficial ownership rules and extends obligations to crypto asset service providers
- MiCA — applied broadly from December 30, 2024, bringing crypto assets under a unified EU regulatory framework
The Five Core Pillars of AML Compliance
Regardless of jurisdiction, every robust AML program is built on five interconnected pillars. Regulators in the US, UK, and Canada don't just check whether these elements exist on paper — they examine whether they're working in practice.

Pillar 1 — Customer Identification Program (CIP/KYC)
Every regulated institution must verify who its customers are before establishing a relationship.
Minimum US requirements under BSA (31 CFR 1020.220):
- Full legal name
- Date of birth
- Address
- Identification number
Records must be retained for five years after account closure. For legal entities, beneficial ownership identification is mandatory — individuals owning 25% or more must be identified.
The 25% threshold is consistent across US, UK MLR 2017, and Canadian PCMLTFA requirements. Standardizing at that level globally is a reasonable baseline, with lower internal thresholds applied for higher-risk customers.
Pillar 2 — Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
Standard CDD covers understanding the nature and purpose of a customer relationship and monitoring for changes over time.
Enhanced Due Diligence (EDD) applies to higher-risk customers, including:
- Politically exposed persons (PEPs)
- Customers from high-risk jurisdictions
- Businesses with complex or opaque ownership structures
EDD typically requires additional documentation, more frequent review cycles, and senior management sign-off. Triggering thresholds vary by jurisdiction, but the rule is the same everywhere: the higher the risk, the deeper the scrutiny required.
Pillar 3 — Transaction Monitoring
Identifying suspicious patterns requires ongoing monitoring — not just periodic review. Key red flags include:
- Transactions inconsistent with a customer's stated profile
- Structuring activity just below reporting thresholds
- Rapid movement of funds through accounts
- Unusual cross-border wire activity
Real-time monitoring is becoming a regulatory expectation, particularly in markets with instant payment infrastructure. Firms that rely on batch processing are increasingly vulnerable to supervisory criticism.
Pillar 4 — Suspicious Activity Reporting (SARs/STRs)
When a firm knows, suspects, or has reasonable grounds to suspect that a transaction involves proceeds of crime or terrorist financing, it must file a report.
Filing deadlines by jurisdiction:
- US: SAR within 30 calendar days of initial detection (up to 60 days if no suspect is identified)
- UK: Report to UKFIU as soon as practicable
- Canada: STR to FINTRAC as soon as practicable after establishing suspicion

Two rules apply universally across all three jurisdictions. First, the tipping-off prohibition: you cannot inform a subject that a report has been or will be filed. Second, document the decision-making process even when a SAR is not filed — that paper trail is what protects a firm during examination.
Pillar 5 — Sanctions Screening
All regulated institutions must screen customers and transactions against applicable sanctions lists:
| Jurisdiction | Sanctions List | Administrator |
|---|---|---|
| United States | Specially Designated Nationals (SDN) List | OFAC |
| United Kingdom | Consolidated Financial Sanctions List | HM Treasury/OFSI |
| Canada | Consolidated Canadian Autonomous Sanctions List | Global Affairs Canada |
Screening must occur at onboarding and on an ongoing basis — lists are updated continuously, and OFAC civil penalties can apply on a strict-liability basis, meaning intent is not required for a violation.
Who Must Comply with AML Regulations
The scope extends well beyond what most operators expect. FinCEN, the FCA, and FINTRAC all define "financial institution" broadly — and they've been expanding that definition steadily.
Banks, Credit Unions, and Traditional Financial Institutions
Banks and credit unions carry the most comprehensive AML obligations and face regular examination by prudential regulators — OCC, FDIC, and the Federal Reserve in the US; PRA and FCA in the UK. Deficient programs can result in formal enforcement actions, growth restrictions, and consent orders that remain in place for years.
Fintechs, Payment Processors, and MSBs
FinCEN has been explicit: innovative business models don't exempt firms from BSA requirements. Money services businesses must register with FinCEN and obtain required state licenses. UK firms must register under MLR 2017. Canadian MSBs — including fintechs handling payments or foreign exchange — must register with FINTRAC before operating.
The operational challenge for early-stage fintechs is real. Appointing a qualified BSA Officer (US), MLRO (UK), or Compliance Officer (Canada) requires expertise most seed-stage companies don't have in-house. Fractional compliance models — such as those offered by Fraxtional — let companies access director-level AML leadership with the named title that regulators and sponsor banks actually require, without the cost of a full-time executive hire.
Crypto and Virtual Asset Service Providers
Crypto is squarely in scope across all three jurisdictions:
- US: Virtual asset service providers must register as MSBs with FinCEN
- UK: Crypto exchanges and custodian wallet providers must register with the FCA under MLR 2017
- Canada: Crypto exchanges are classified as MSBs under PCMLTFA and must register with FINTRAC
Enforcement since 2022 has been substantial. The DOJ's $4 billion resolution with Binance in 2023, combined with FINTRAC's $6 million penalty on Binance in Canada in 2024, signals that crypto firms now face bank-grade regulatory scrutiny.
Consequences of AML Non-Compliance
Financial and Criminal Penalties
The numbers are not hypothetical:
| Entity | Year | Penalty | Key Failure |
|---|---|---|---|
| TD Bank | 2024 | $1.3B (FinCEN) | Inadequate AML program, SAR failures |
| Binance | 2023 | $4B+ (DOJ/FinCEN/OFAC) | No effective AML or KYC controls |
| Capital One | 2021 | $390M (FinCEN) | Willful BSA violations, failed SARs/CTRs |
| Santander UK | 2022 | £107.8M (FCA) | Persistent AML gaps in business banking |

FinCEN's civil penalty authority under 31 USC 5321 allows penalties per individual violation — meaning a systemic program failure compounds rapidly across multiple violations and locations.
Individual liability is real, not theoretical. In 2020, FinCEN assessed a $450,000 civil penalty against Michael LaFontaine, a former Chief Operational Risk Officer at U.S. Bank, for failures tied to corporate AML violations.
In 2022, BitMEX founders Arthur Hayes and Benjamin Delo each agreed to pay $10 million in criminal fines after pleading guilty to BSA violations.
Operational Consequences Beyond the Fine
Financial penalties draw attention — but for many firms, the operational fallout is more damaging:
- Loss of correspondent banking relationships
- Customer attrition following public enforcement actions
- Loss of sponsor bank partnerships — existential for embedded finance and fintech firms
- Difficulties attracting institutional investors post-enforcement
For early-stage companies, an AML enforcement action doesn't just cost money. It can end the business entirely.
Program Effectiveness vs. Paper Programs
Those operational risks share a common root: regulators no longer accept documentation as proof of compliance. Examiners now focus on whether AML programs actually work — not just whether written policies exist.
Firms with policies "on paper" that fail to detect or report actual suspicious activity face the same enforcement exposure as firms with no program at all. When building or auditing a compliance program, the practical test is whether the program would have caught the activity that triggered enforcement elsewhere.
What's Changing in AML Regulations for 2025 and 2026
Beneficial Ownership Transparency
The Corporate Transparency Act's BOI reporting requirements for US companies have been paused under FinCEN's March 2025 interim final rule — but the underlying direction is clear. Key distinctions firms need to track:
- Domestic companies: BOI filing paused; monitoring for final rule reinstatement required
- Foreign entities: CTA filing requirements remain in effect and unchanged
- Cross-jurisdictional exposure: The US, UK, and EU are all tightening beneficial ownership transparency in parallel
Treat this as an evolving obligation, not a resolved one.
Virtual Assets and Crypto Regulation
Several developments are converging:
- FinCEN's proposed rule (October 2023 NPRM) would identify convertible virtual currency mixing as a class of transactions of primary money-laundering concern — no final rule yet, but the proposal signals the direction
- MiCA applies broadly from December 30, 2024, bringing EU crypto asset service providers under a unified regulatory framework
- FINTRAC enforcement against crypto firms is accelerating — Xeltox Enterprises (operating as Cryptomus) was hit with a $176.9 million CAD penalty in October 2025 for 2,593 PCMLTFA contraventions

For crypto companies, this is no longer an environment where a one-time program build provides adequate coverage. Ongoing AML leadership — embedded in the compliance function as requirements shift — is an operational necessity. Fraxtional's fractional CAMLO and MLRO arrangements are built for exactly this: experienced compliance directors who stay current with these changes on your behalf.
AI and Machine Learning in AML Compliance
Regulators are discussing AI-assisted transaction monitoring, but no jurisdiction-specific AI AML obligations exist from FinCEN, FCA, or FINTRAC as of mid-2025. AI and machine learning tools can improve monitoring quality and cut false positives — but firms remain fully accountable for statutory AML outcomes regardless of the technology used. Regulators evaluate results, not tools.
Frequently Asked Questions
What are the AML regulations?
AML regulations are laws and rules requiring financial institutions to detect, prevent, and report money laundering and terrorist financing. Core obligations include customer identification, transaction monitoring, suspicious activity reporting, and sanctions screening. Specific requirements vary by jurisdiction.
What are the UK AML regulations?
UK AML law is built on the Proceeds of Crime Act 2002 (POCA) and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017). The FCA is the primary supervisor for financial services firms. All regulated firms must appoint a named MLRO and implement a risk-based compliance program.
What are the new AML regulations in 2026?
Key 2025–2026 developments include FinCEN's ongoing CTA/BOI rulemaking for foreign entities, MiCA's full implementation across the EU, accelerating FINTRAC enforcement against Canadian crypto firms, and FinCEN's proposed special measures targeting virtual currency mixing.
Who needs to comply with AML regulations?
AML obligations apply across banks, credit unions, money services businesses, fintechs, payment processors, crypto exchanges, insurance companies, and certain professional service firms. The exact scope depends on jurisdiction and business model — and the regulated population is broader than most operators initially assume.
What are the penalties for AML non-compliance?
Civil fines can reach hundreds of millions of dollars. Criminal prosecution, license revocation, and loss of banking relationships are additional consequences. Individual compliance officers and executives face personal liability — including criminal fines — for willful violations or gross negligence.
What is the difference between AML and KYC?
AML is the overarching regulatory framework for preventing financial crime. KYC (Know Your Customer) is a specific component of AML focused on verifying customer identity and assessing risk at onboarding and on an ongoing basis. KYC sits inside the broader AML program, not alongside it.


