
That gap is expensive. This guide closes it.
Whether you're building a compliance program from scratch or stress-testing an existing one, here's what you'll walk away with:
- How money laundering actually works (the three-stage model)
- What a compliant AML program requires (the five pillars)
- Key regulatory obligations across the US, UK, EU, and Canada
- How to identify red flags before they become SAR filings
TL;DR
- AML refers to the laws, regulations, and internal controls that prevent criminals from disguising illegal proceeds as legitimate income
- Money laundering moves through three stages: placement, layering, and integration
- Compliant AML programs require five pillars: compliance officer, written policies, employee training, independent audit, and customer due diligence
- The US, UK, EU, and Canada have distinct but overlapping AML frameworks — all built on FATF Recommendations
- Red flags — unusual volumes, structuring behavior, high-risk geographies — trigger investigation and SAR/STR filing obligations
What Is Anti-Money Laundering (AML)?
AML is the collective body of laws, regulations, and internal controls requiring financial institutions to detect, prevent, and report attempts to disguise illegally obtained funds as legitimate income. Financial institutions sit at the center of this framework because criminals need the financial system to move and clean money. That makes banks, fintechs, and payment firms the first line of defense.
A Brief Legislative History
The term "money laundering" traces back to organized crime's use of cash-intensive laundromats to commingle illegal funds with legitimate revenue. The modern regulatory response began with the US Bank Secrecy Act (BSA) of 1970 — formally the Currency and Foreign Transactions Reporting Act — which established the first federal AML reporting requirements.
In 1989, the G7 established the Financial Action Task Force (FATF) to develop international AML standards. Following 9/11, FATF's mandate expanded in 2001 to include counter-financing of terrorism (CFT), and the US responded with the USA PATRIOT Act the same year.
AML vs. KYC vs. CDD — What's the Difference?
These three terms overlap, but each refers to something distinct:
- AML is the overarching framework — the laws, program requirements, and regulatory obligations
- KYC (Know Your Customer) is commercial shorthand for the customer identification and verification processes that feed into AML
- CDD (Customer Due Diligence) is the regulatory term for verifying customer identity, understanding the business relationship, assessing risk, and monitoring ongoing activity — a core component of any AML program
KYC and CDD operate within the AML framework — understanding where each fits helps clarify what your compliance program actually requires.
The Three Stages of Money Laundering
Every AML control framework is designed to interrupt the laundering process at one or more of three stages. Understanding each stage helps compliance teams know where their controls should focus.
Placement
Placement is the first stage, and the most detectable. This is where illegal cash physically enters the financial system.
Common methods include:
- Depositing cash directly into bank accounts
- Routing funds through cash-intensive businesses (restaurants, car washes, parking garages)
- Smurfing: breaking deposits into smaller amounts to stay below currency transaction reporting thresholds (in the US, the threshold covers transactions over $10,000)
- Purchasing assets outright with illicit cash
Compliance teams have the best chance of catching money laundering here. Large or irregular cash inflows, structuring patterns, and sources of funds that don't match a customer's profile are all observable red flags at this stage.
Layering
Layering is where the paper trail gets complicated. The goal is to create distance between the funds and their criminal origin through multiple transactions that individually look legitimate.
Typical layering techniques include:
- International wire transfers across multiple jurisdictions
- Currency conversions between accounts
- Shell companies and nominee ownership structures
- Cryptocurrency mixing tools ("tumblers") that obscure transaction history
This stage is the hardest to detect because no single transaction is necessarily suspicious. Transaction monitoring systems and network analytics are essential here: a pattern of individually ordinary transactions can look very different when viewed collectively.
Integration
Integration is the endgame. Laundered funds re-enter the legitimate economy, often through:
- Real estate purchases
- Luxury goods and high-value assets
- Business investments or equity stakes
- Revenue commingled with a company's legitimate operations
Once integration is complete, the money has been effectively "cleaned." Retrospective detection is very difficult — which is why placement and layering controls deliver far more value than any attempt to unwind laundered funds at this stage.

Why AML Matters: The Real Cost of Non-Compliance
The scale is hard to overstate. UNODC estimates that between $800 billion and $2 trillion is laundered globally each year. That money funds organized crime, drug trafficking, human exploitation, and terrorism.
Regulatory Consequences
Non-compliant institutions face severe consequences, and the financial penalties are just the start:
- FinCEN assessed a $3.4 billion civil money penalty against Binance in 2023 for willful BSA violations, imposed a five-year monitorship, and required the firm to exit the United States
- FINTRAC fined TD Bank CA$9.185 million in 2024 for failures including suspicious transaction reporting and money laundering risk assessment
Beyond financial penalties, enforcement actions can bring consent orders, license revocations, and in serious cases, criminal liability for individual executives.
Operational and Reputational Fallout
For fintechs and crypto firms, the non-financial costs are often more damaging:
- Loss of sponsor bank relationships — and the ability to operate
- Investor distrust and derailed funding rounds
- Inability to scale into new markets or product lines
- Enhanced monitoring that slows onboarding and increases operational costs
AML also intersects directly with CFT, sanctions compliance, and fraud prevention. It's not a standalone checkbox — it's the foundation of a broader financial crime program.
Among early-stage clients, Fraxtional consistently finds that AML gaps rarely stem from bad intent. They come from compliance infrastructure that hasn't kept pace with business growth — generic policies that don't survive sponsor bank scrutiny, no designated officer, or monitoring controls never calibrated to actual risk.
Building the program proactively, before regulatory or banking pressure arrives, is always cheaper than remediating under scrutiny.
The Five Pillars of an AML Compliance Program
FATF, FinCEN, and FINRA guidance all converge on the same structural framework for a compliant AML program. These five pillars apply across banking, fintech, crypto, and money services businesses.
Pillar 1: Designate a Compliance Officer
Every regulated institution must have a qualified, named individual accountable for the AML program. The title varies by jurisdiction:
| Jurisdiction | Title |
|---|---|
| United States | BSA Compliance Officer |
| United Kingdom | MLRO (Money Laundering Reporting Officer) |
| Canada | Compliance Officer (under PCMLTFA/FINTRAC) |
This person must be genuinely qualified, not just named on paper. For early-stage companies that can't justify a full-time senior hire, fractional compliance leadership provides a direct solution. Fraxtional places named BSA Officers, MLROs, and CAMLOs who carry full accountability. They appear in regulatory filings, manage SAR workflows, and represent the firm directly to regulators and sponsor banks.
Pillar 2: Written Internal Policies and Procedures
Documented, risk-based policies are non-negotiable. These must cover:
- Customer onboarding and identity verification procedures
- Transaction monitoring thresholds and alert management
- Escalation procedures for suspicious activity
- SAR/STR filing requirements and timelines
- Recordkeeping obligations

Policies must be tailored to the firm's actual products, customer base, and risk profile. Generic off-the-shelf documents fail sponsor bank and regulatory reviews — a pattern Fraxtional's team encounters repeatedly when clients come in for remediation.
Pillar 3: Ongoing Employee Training
AML training must be:
- Ongoing, not a one-time onboarding exercise
- Tailored by role: what a customer service rep needs to know differs from what a compliance analyst needs
- Documented with evidence of completion — regulators will ask for it
- Refreshed as typologies and regulations change
Pillar 4: Independent Audit and Testing
FinCEN guidance establishes that the primary purpose of an independent review is to assess whether the AML program is actually working, not just whether it exists on paper. For most firms, this means an annual independent audit.
The audit should test control effectiveness, identify gaps between documented policy and actual practice, and produce findings that demonstrate to regulators the program is actively managed. Fraxtional's independent audit service covers regulatory framework mapping, policy and controls review, and a prioritized remediation plan. The output is structured to satisfy both sponsor bank reviews and investor due diligence.
Pillar 5: Customer Due Diligence (CDD) and KYC
CDD is where AML theory meets daily operations. FinCEN's CDD Final Rule requires covered institutions to verify customer identity, identify beneficial ownership, understand the nature and purpose of the business relationship, and conduct ongoing monitoring.
The program must be risk-based, applying different levels of scrutiny depending on the customer:
- Standard CDD — applied to the majority of customers through your onboarding process
- Simplified CDD — permissible for demonstrably lower-risk customers, where regulations allow
- Enhanced Due Diligence (EDD) — required for high-risk scenarios: Politically Exposed Persons (PEPs), customers from high-risk geographies, complex or opaque ownership structures
Key AML Regulations Across Jurisdictions
All four of Fraxtional's primary markets operate AML frameworks built on FATF Recommendations, but implementation varies. Here's the practical landscape:
| Jurisdiction | Core Framework | Key Regulator | SAR/STR Deadline | Records Retention |
|---|---|---|---|---|
| US | Bank Secrecy Act, USA PATRIOT Act | FinCEN | 30 calendar days after initial detection | 5 years |
| UK | Money Laundering Regulations 2017, POCA 2002 | FCA | As soon as suspicion arises (POCA s.330) | 5 years |
| EU | 4AMLD (2015/849), 5AMLD (2018/843), 6AMLD (2018/1673) | National FIUs + new AMLA authority | Per member state FIU requirements | 5 years |
| Canada | PCMLTFA and associated regulations | FINTRAC | As soon as practicable after reasonable grounds established | 5 years |

A few notable developments worth tracking:
- The EU's new Anti-Money Laundering Authority (AMLA) was legally established in June 2024, with direct supervision of high-risk obliged entities scheduled to begin in 2028
- 85% of crypto firms that applied to the UK FCA for AML registration were unable to demonstrate minimum standards, per a 2023 UK Treasury Committee report — a clear illustration of how compliance gaps look from a regulator's perspective
Those regulatory shifts add another layer of pressure on firms already navigating multi-jurisdictional obligations. A firm operating in both the US and UK must satisfy BSA/FinCEN requirements and FCA/MLRO obligations simultaneously — different reporting formats, different timelines, different supervisory relationships. Fraxtional's team covers all four jurisdictions under a single engagement structure, eliminating the coordination overhead of managing separate advisors per region.
Common AML Red Flags and How to Spot Them
Red flags don't prove money laundering. They create an obligation to investigate — and if suspicion isn't resolved, to file a SAR or STR with the relevant Financial Intelligence Unit.
The Five Main Red Flag Categories
- Unusual or inconsistent transaction patterns — large cash deposits immediately followed by wire transfers, activity that spikes without a business explanation
- Customer behavior inconsistent with their stated profile — a sole trader moving volumes typical of a large enterprise, or activity in sectors unrelated to the customer's declared business
- High-risk geographies or sanctioned jurisdictions — transactions routed through or to countries on FATF's high-risk lists or under active sanctions
- Complex ownership structures with no clear business purpose — layered entities, nominee directors, or beneficial ownership that cannot be clearly established
- Structuring — transactions consistently just below reporting thresholds (in the US, just under $10,000) with no plausible business reason
FINTRAC notes that "reasonable grounds to suspect" — a standard above simple suspicion — triggers the STR filing obligation. Missing that threshold isn't a defense; it's a separate violation.
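One way to turn the structuring red flag above into a monitoring rule, as an added example that is not code from this guide or from any vendor: it groups near-threshold cash deposits per customer inside a rolling window and opens an alert for analyst review. The 80% band, 7-day window, 3-deposit minimum, field layout, and sample transactions are assumptions chosen for illustration, not regulatory values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000        # US reporting threshold cited in this guide
NEAR_BAND = 0.80              # assumption: "just below" means 80-100% of threshold
WINDOW = timedelta(days=7)    # assumption: rolling look-back window
MIN_DEPOSITS = 3              # assumption: fewest deposits that count as a pattern

# Constructed sample data: (customer, ISO timestamp, type, amount in USD)
SAMPLE = [
    ("C-001", "2024-03-01T10:00", "cash_deposit", 9_500),
    ("C-001", "2024-03-02T11:30", "cash_deposit", 9_800),
    ("C-001", "2024-03-04T09:15", "cash_deposit", 9_900),
    ("C-002", "2024-03-01T14:00", "cash_deposit", 12_000),  # over threshold, reported normally
    ("C-003", "2024-03-01T08:00", "cash_deposit", 9_700),   # near threshold but weeks apart
    ("C-003", "2024-03-20T08:00", "cash_deposit", 9_600),
    ("C-003", "2024-04-15T08:00", "cash_deposit", 9_900),
    ("C-004", "2024-03-03T12:00", "wire_out", 9_900),       # not a cash deposit
]

def structuring_alerts(transactions):
    """Return one alert per customer whose near-threshold cash deposits cluster in WINDOW."""
    by_customer = defaultdict(list)
    for customer, ts, kind, amount in transactions:
        if kind == "cash_deposit" and NEAR_BAND * CTR_THRESHOLD <= amount <= CTR_THRESHOLD:
            by_customer[customer].append((datetime.fromisoformat(ts), amount))
    alerts = []
    for customer, deposits in sorted(by_customer.items()):
        deposits.sort()
        start, best = 0, []
        for end in range(len(deposits)):
            # Shrink the window from the left until it spans at most WINDOW.
            while deposits[end][0] - deposits[start][0] > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = deposits[start:end + 1]
        if len(best) >= MIN_DEPOSITS:
            alerts.append({
                "customer": customer,
                "deposits": len(best),
                "total": sum(amount for _, amount in best),
                "first": best[0][0].isoformat(),
                "last": best[-1][0].isoformat(),
                "status": "open_for_analyst_review",  # an alert, not a conclusion
            })
    return alerts

if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE):
        print(alert)
```

The rule only surfaces candidates; whether a business explanation exists is a decision for the analyst who reviews the alert.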
Technology vs. Human Judgment
Spotting red flags at scale requires more than manual review. Modern AML programs use transaction monitoring systems and AI-driven anomaly detection to process volumes no human team could cover alone. FATF's 2021 technology guidance recognizes that machine learning applied to large transaction datasets can improve transaction monitoring coverage — but also cautions about implementation challenges including model bias and alert fatigue.
Technology surfaces alerts. Experienced compliance professionals assess context, make defensible decisions, and document the rationale. Programs that treat automated alerts as conclusions — rather than starting points — are the ones that fail regulatory scrutiny.

Frequently Asked Questions
What is anti-money laundering (AML)?
AML refers to the laws, regulations, and internal controls requiring financial institutions to detect, prevent, and report attempts to disguise illegally obtained funds as legitimate income. It covers everything from customer verification at onboarding to suspicious activity reporting and ongoing transaction monitoring.
What are the three stages of money laundering?
Placement introduces dirty money into the financial system, typically as cash deposits. Layering then obscures its origins through complex, multi-step transactions designed to break the audit trail. Integration completes the cycle — reintroducing the now-"cleaned" funds into the legitimate economy through assets, investments, or business revenue.
What are the five pillars of an AML compliance program?
Every effective AML program rests on five required pillars: a designated compliance officer (BSA Officer, MLRO, or equivalent), written policies and procedures, ongoing employee training, independent audit and testing, and customer due diligence (CDD/KYC). None of these are optional.
What are the main red flags indicating potential money laundering?
Key red flags fall into five categories: unusual transaction patterns, customer behavior inconsistent with their stated profile, high-risk or sanctioned geographies, opaque ownership structures, and structuring — where transactions are kept consistently just below reporting thresholds.
Who needs to comply with AML regulations?
AML obligations apply to banks, fintechs, money service businesses, crypto firms, payment providers, and certain non-financial businesses. In short, any regulated entity that moves, holds, or facilitates financial transactions. Specific obligations vary by jurisdiction and business type.
What's the difference between AML and KYC?
KYC (Know Your Customer) is a component of a broader AML program. It refers to verifying customer identity and assessing their risk at onboarding — which then feeds into the larger system of ongoing monitoring, suspicious activity reporting, and internal controls that constitute full AML compliance.


