AML Basics
Before diving into AML, understand:
- Compliance overview and regulatory landscape
- Fraud types, especially synthetic identity
- Identity verification techniques
- Your organization's risk appetite
Key points:
- The Bank Secrecy Act (BSA) is the foundation of US AML; FinCEN administers it
- CIP requires verifying identity at account opening: name, DOB, address, ID number
- CDD involves understanding the nature and purpose of the relationship, plus ongoing monitoring
- SARs are due within 30 days of detecting suspicious activity: $5K+ with an identifiable suspect, $25K+ without
- CTRs are required for cash transactions totaling more than $10,000 in a business day
- Card networks require full AML programs
What Is AML?
Anti-Money Laundering (AML) refers to the laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. In the US, this framework is commonly called BSA/AML or AML/CFT (Combating the Financing of Terrorism).
Key Regulatory Bodies
| Agency | Role |
|---|---|
| FinCEN | Primary BSA enforcement (Treasury Department) |
| OCC, FDIC, Federal Reserve, NCUA | Bank and credit union regulators with delegated BSA examination authority |
| CFPB | Consumer financial protection enforcement (not a delegated BSA examiner) |
| DOJ | Criminal prosecution |
The Bank Secrecy Act Framework
The Bank Secrecy Act (1970) and its amendments establish requirements for:
- Recordkeeping of certain transactions
- Reporting suspicious and large cash transactions
- Compliance programs at financial institutions
- Customer identification and due diligence
Key BSA Amendments
| Legislation | Year | Key Additions |
|---|---|---|
| Money Laundering Control Act | 1986 | Made money laundering a federal crime |
| USA PATRIOT Act | 2001 | Enhanced CIP/KYC, expanded covered entities |
| CDD Final Rule | 2016 (compliance date 2018) | Beneficial ownership identification for legal entity customers; ongoing CDD as the fifth program pillar |
| Anti-Money Laundering Act | 2020 | Program modernization; enacted the Corporate Transparency Act |
| Corporate Transparency Act | 2021 (reporting effective 2024) | Beneficial ownership reporting by companies directly to FinCEN |
Know Your Customer (KYC)
KYC is the process of verifying customer identity and understanding the nature of their business relationship. This is your first defense against synthetic identity fraud and application fraud. See identity verification for implementation approaches.
Customer Identification Program (CIP)
Required information at account opening:
| Individual | Legal Entity |
|---|---|
| Full legal name | Legal name |
| Date of birth | Formation date/jurisdiction |
| Residential address | Principal place of business |
| Taxpayer ID number (SSN for US persons; passport or other government ID number for non-US persons) | EIN or equivalent |
| Government-issued ID | Formation documents |
Verification methods:
- Documentary: Government-issued ID, passport, articles of incorporation
- Non-documentary: Third-party databases, credit bureaus, public records
CIP identifying information must be collected before the account is opened, and verification must be completed within a reasonable time after opening (31 CFR 1020.220). Some institutions allow risk-based limited access while verification completes, but this requires additional controls, for example restricted functionality until verification is complete.
Customer Due Diligence (CDD)
Beyond basic identification:
- Understand the nature and purpose of the relationship
- Assign a risk rating based on customer profile
- Collect beneficial ownership information (25%+ ownership or control)
- Conduct ongoing monitoring of transactions
Beneficial Ownership Requirements
For legal entity customers, identify and verify:
- Beneficial owners: Individuals with 25%+ ownership
- Control person: CEO, CFO, managing member, general partner, or equivalent
Required information for each:
- Full legal name
- Date of birth
- Address
- ID number (SSN or passport)
Exemptions:
- Regulated financial institutions
- SEC-registered investment companies
- Public companies (US exchanges)
- Government entities
- Certain pooled investment vehicles
Corporate Transparency Act Impact
The CTA (effective 2024) requires companies to report beneficial ownership directly to FinCEN. However, financial institutions still have independent CDD obligations and cannot solely rely on the FinCEN database.
Enhanced Due Diligence (EDD)
Higher-risk customers require additional scrutiny:
- More thorough background research
- Senior management approval for relationship
- More frequent review and monitoring
- Source of funds/wealth documentation
Higher-risk categories:
- Politically Exposed Persons (PEPs)
- High-risk jurisdictions (FATF grey/black lists)
- Cash-intensive businesses
- Non-resident accounts
- Correspondent banking relationships
- Private banking
- Virtual currency businesses
Transaction Monitoring
What to Monitor
| Category | Examples |
|---|---|
| Amounts/frequency | Unusual transaction sizes, sudden volume changes |
| Geographic patterns | High-risk countries, unexpected jurisdictions |
| Behavior changes | Deviation from established patterns |
| Structuring | Multiple transactions avoiding $10K threshold |
| Just-under-threshold and round amounts | $9,999 or $9,900 repeatedly; large round sums with no commercial explanation |
| Rapid fund movement | Money in and out quickly |
Network-Specific Requirements
Mastercard monitoring (Rules Section 1.2.1.1):
- Cross-border activity
- Cardholder and merchant monitoring based on risk
- High-risk MCCs
- Products facilitating fund movement (crypto, transfers, cash-out)
- Activity changes over time
Mastercard ATM monitoring:
- Out-of-pattern withdrawal volume
- Sequential high-volume withdrawals
- Excessive at-limit transactions
- Out-of-pattern deposits
Card-Specific Red Flags
| Pattern | What It May Indicate |
|---|---|
| Bust-out | Rapid credit build-up → max out → disappear |
| Card testing | Multiple small transactions → large purchases |
| Cash-advance concentration | Unusual reliance on cash advances |
| Geographic anomalies | Transactions in unlikely locations |
| Velocity anomalies | Too many transactions in short time |
Building Effective Monitoring Rules
Rule design principles:
- Start with baseline behavior per customer segment
- Use statistical thresholds, not arbitrary numbers
- Combine velocity and volume triggers
- Factor combinations (multiple red flags together)
- Regular tuning based on outcomes
Rule categories:
| Type | Example |
|---|---|
| Threshold-based | Cash out >$5K in 24 hours |
| Pattern-based | Round-dollar transactions repeatedly |
| Behavioral | Deviation from 6-month average |
| Peer-based | Activity unusual vs. similar customers |
| List-based | Match against known bad actors |
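The monitoring categories above and the rule types in this table are easier to reason about in code. The following is an added example, not monitoring logic from the page or from any vendor system: it implements a threshold rule, a just-under-threshold pattern rule, a behavioral deviation rule against the customer's own six-month baseline, a velocity rule, a rapid-fund-movement rule, and the factor-combination principle (two or more red flags open an alert, one is only logged). The transaction schema, the customer IDs, every threshold value and the sample activity are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse(ts):
    return datetime.fromisoformat(ts)

def baseline_history(customer_id, monthly_amount=1_200.0):
    """Constructed six-month history: two card purchases a month totalling monthly_amount."""
    return [{"customer_id": customer_id, "ts": f"2024-{m:02d}-{d:02d}T12:00:00",
             "amount": monthly_amount / 2, "kind": "card"}
            for m in range(1, 7) for d in (5, 20)]

# Constructed review-period activity for the first week of July 2024.
RECENT = {
    "C-1001": [  # just-under-threshold cash deposits, then the money leaves by transfer
        {"customer_id": "C-1001", "ts": "2024-07-01T10:00:00", "amount": 9_500.0, "kind": "cash_in"},
        {"customer_id": "C-1001", "ts": "2024-07-02T10:30:00", "amount": 9_800.0, "kind": "cash_in"},
        {"customer_id": "C-1001", "ts": "2024-07-03T09:45:00", "amount": 9_700.0, "kind": "cash_in"},
        {"customer_id": "C-1001", "ts": "2024-07-04T08:00:00", "amount": 28_000.0, "kind": "transfer_out"},
    ],
    "C-2002": [  # ordinary activity
        {"customer_id": "C-2002", "ts": "2024-07-02T18:20:00", "amount": 80.0, "kind": "card"},
    ],
    "C-3003": [  # seven $1 card authorizations in 25 minutes: velocity only
        {"customer_id": "C-3003", "ts": f"2024-07-05T14:{4 * i:02d}:00", "amount": 1.0, "kind": "card"}
        for i in range(7)
    ],
}

def max_window_total(txns, kinds, hours):
    """Largest total of `kinds` transactions inside any rolling window of `hours`."""
    pts = sorted((parse(t["ts"]), t["amount"]) for t in txns if t["kind"] in kinds)
    best = 0.0
    for i, (start, _) in enumerate(pts):
        best = max(best, sum(a for s, a in pts[i:] if s - start <= timedelta(hours=hours)))
    return best

def rule_threshold(recent, limit=5_000.0):
    """Threshold-based: cash out above `limit` in any 24-hour window."""
    return max_window_total(recent, {"cash_out"}, 24) > limit

def rule_just_under(recent, lo=9_000.0, hi=10_000.0, min_count=3):
    """Pattern-based: repeated cash deposits just under the $10K CTR threshold."""
    return sum(1 for t in recent if t["kind"] == "cash_in" and lo <= t["amount"] < hi) >= min_count

def rule_behavioral(recent, history, z=3.0):
    """Behavioral: review-period volume against the customer's own monthly baseline.
    The sigma floor (5% of the mean) stops a perfectly flat history from alerting on any change."""
    monthly = defaultdict(float)
    for t in history:
        monthly[parse(t["ts"]).strftime("%Y-%m")] += t["amount"]
    vals = list(monthly.values())
    if len(vals) < 3:
        return False  # too little history; rely on threshold and peer rules instead
    mu, sigma = mean(vals), pstdev(vals)
    return sum(t["amount"] for t in recent) > mu + z * max(sigma, 0.05 * mu)

def rule_velocity(recent, max_per_hour=5):
    """Velocity: more than `max_per_hour` transactions inside any one-hour window."""
    times = sorted(parse(t["ts"]) for t in recent)
    return any(sum(1 for s in times[i:] if s - start < timedelta(hours=1)) > max_per_hour
               for i, start in enumerate(times))

def rule_rapid_movement(recent, hours=48, ratio=0.8):
    """Rapid fund movement: outbound transfers within `hours` of a cash deposit
    that cover at least `ratio` of that deposit."""
    for dep in (t for t in recent if t["kind"] == "cash_in"):
        t0 = parse(dep["ts"])
        out = sum(t["amount"] for t in recent if t["kind"] == "transfer_out"
                  and timedelta(0) <= parse(t["ts"]) - t0 <= timedelta(hours=hours))
        if out >= ratio * dep["amount"]:
            return True
    return False

def evaluate(customer_id, recent, history, min_hits=2):
    """Factor combination: one red flag is logged for context, two or more open an alert."""
    hits = {
        "threshold_cash_out_24h": rule_threshold(recent),
        "just_under_ctr_threshold": rule_just_under(recent),
        "behavioral_deviation": rule_behavioral(recent, history),
        "velocity": rule_velocity(recent),
        "rapid_movement": rule_rapid_movement(recent),
    }
    fired = sorted(name for name, hit in hits.items() if hit)
    return {"customer_id": customer_id, "fired": fired, "alert": len(fired) >= min_hits}

def run_all():
    return {cid: evaluate(cid, txns, baseline_history(cid)) for cid, txns in RECENT.items()}

if __name__ == "__main__":
    for cid, result in run_all().items():
        print(cid, "ALERT" if result["alert"] else "log only", result["fired"])
```

Run as a script, C-1001 alerts on three combined flags (behavioral deviation, just-under-threshold deposits, rapid movement), C-2002 is clean, and C-3003 trips only the velocity rule, so it is logged rather than alerted. In production the baseline would come from the customer's real history and the segment-level thresholds from tuning outcomes, which is why every cutoff here is a named parameter rather than a literal inside the rule.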
Alert Investigation Process
Alert generated
↓
L1 review (triage)
↓
L2 review (detailed)
↓
Case escalation
↓
SAR decision
Suspicious Activity Reports (SARs)
When to File
For banks (thresholds vary by institution type):
| Situation | Threshold |
|---|---|
| Suspected violation with identifiable suspect | $5,000+ |
| Suspected violation without identifiable suspect | $25,000+ |
| Insider abuse | Any amount |
| Money laundering or BSA violation | $5,000+ |
Note: Money Services Businesses (MSBs) have a $2,000 threshold ($5,000 for issuers of money orders or traveler's checks identifying activity from clearance records).
SAR Filing Timeline
| Event | Deadline |
|---|---|
| Detection | Start the 30-day clock (the date the institution determines the activity is suspicious, not the transaction date) |
| Initial SAR | 30 calendar days from detection |
| Extension (only when no suspect was identified at detection) | Up to 30 additional days to identify a suspect, 60 days total |
| Continuing activity | Review at ~90 days; file within 120 days of the prior SAR |
Continuing Activity SARs: FinCEN's guidance is a 90-day review cycle: review the activity roughly 90 days after the prior SAR and file the continuing-activity SAR no later than 120 days after that prior filing. Institutions apply risk-based judgment on top of this default and file sooner when the activity escalates.
SAR Confidentiality
- Cannot disclose SAR filing to the subject
- No tipping off the subject of investigation
- Safe harbor for good-faith filings
What Goes in a SAR
- Subject information (name, address, DOB, SSN, account numbers)
- Suspicious activity description
- Dates and amounts involved
- Account information
- Narrative explaining why activity is suspicious
- Documentation references
Currency Transaction Reports (CTRs)
Requirement
File a CTR for cash transactions totaling more than $10,000 in a single business day.
Key Points
- Aggregate multiple transactions by, or on behalf of, the same person across all branches and channels within the business day; cash in and cash out are totaled separately
- Structuring (breaking up transactions to avoid reporting) is a federal crime, and a CTR filed on aggregated totals does not replace the SAR the structuring itself may require
- 15 calendar days after the transaction to file
- Applies to deposits, withdrawals, exchanges and other physical currency transactions
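The aggregation and structuring points above in working form. This is an added example, not the page's or any institution's filing logic: it totals cash by person, business day and direction, emits a CTR record with its 15-day deadline whenever a day's total exceeds $10,000, and separately flags the case the CTR rule cannot catch, sub-threshold days that add up past the threshold across a short window. The person IDs, branches, amounts and the "business day equals calendar date" simplification are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.00   # reportable when a business day's aggregate exceeds this
FILING_DAYS = 15            # calendar days after the transaction to file

# Constructed cash activity; person_id is whoever conducts or benefits from the cash.
SAMPLE_TRANSACTIONS = [
    {"person_id": "P-1", "ts": "2024-03-04T09:00:00", "amount": 6_000.0, "direction": "cash_in", "branch": "A"},
    {"person_id": "P-1", "ts": "2024-03-04T15:30:00", "amount": 4_500.0, "direction": "cash_in", "branch": "B"},
    {"person_id": "P-2", "ts": "2024-03-04T11:00:00", "amount": 9_500.0, "direction": "cash_in", "branch": "A"},
    {"person_id": "P-2", "ts": "2024-03-05T11:10:00", "amount": 9_500.0, "direction": "cash_in", "branch": "A"},
    {"person_id": "P-2", "ts": "2024-03-06T10:50:00", "amount": 9_000.0, "direction": "cash_in", "branch": "C"},
    {"person_id": "P-3", "ts": "2024-03-05T13:00:00", "amount": 12_000.0, "direction": "cash_out", "branch": "A"},
    {"person_id": "P-4", "ts": "2024-03-04T16:00:00", "amount": 3_000.0, "direction": "cash_in", "branch": "B"},
]

def business_day(ts):
    """Assumption for the example: the business day is the calendar date of the transaction.
    A real system uses the institution's posting calendar (cut-off times, weekends, holidays)."""
    return datetime.fromisoformat(ts).date()

def daily_totals(txns):
    """Aggregate cash by person, business day and direction across all branches.
    Deposits and withdrawals are totaled separately; each side is tested on its own."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t["person_id"], business_day(t["ts"]), t["direction"])] += t["amount"]
    return totals

def ctr_filings(txns, threshold=CTR_THRESHOLD, filing_days=FILING_DAYS):
    """Every person/day/direction whose aggregate exceeds the threshold, with its filing deadline."""
    return [
        {"person_id": p, "business_day": d, "direction": dirn, "total": round(total, 2),
         "file_by": d + timedelta(days=filing_days)}
        for (p, d, dirn), total in sorted(daily_totals(txns).items()) if total > threshold
    ]

def structuring_candidates(txns, threshold=CTR_THRESHOLD, window_days=3):
    """Flag a person/direction whose sub-threshold days add up past the threshold inside a
    rolling window of `window_days` business days even though no single day crossed it.
    These are alert candidates for investigation (and potentially a SAR), not CTRs."""
    by_person = defaultdict(dict)   # (person, direction) -> {business_day: total}
    for (p, d, dirn), total in daily_totals(txns).items():
        by_person[(p, dirn)][d] = total
    flagged = []
    for (p, dirn), days in by_person.items():
        if max(days.values()) > threshold:
            continue   # already a CTR; daily aggregation did its job
        for start in sorted(days):
            window = [days[d] for d in days if 0 <= (d - start).days < window_days]
            if len(window) >= 2 and sum(window) > threshold:
                flagged.append({"person_id": p, "direction": dirn, "window_start": start,
                                "window_total": round(sum(window), 2)})
                break
    return flagged

if __name__ == "__main__":
    for f in ctr_filings(SAMPLE_TRANSACTIONS):
        print("CTR", f["person_id"], f["direction"], f["total"], "file by", f["file_by"])
    for s in structuring_candidates(SAMPLE_TRANSACTIONS):
        print("STRUCTURING?", s["person_id"], s["direction"], s["window_start"], s["window_total"])
```

P-1 deposits $6,000 and $4,500 at two branches on the same day, so the aggregate of $10,500 is reportable even though neither transaction is; P-2 stays under the threshold every day but puts $28,000 through in three days and is handed to investigators instead. Note that the structuring check deliberately skips anyone already caught by daily aggregation: a CTR and a SAR are separate decisions, and the code keeps them separate.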
Exemptions
Certain customers may be exempt from CTR filing:
- Domestic banks
- Government entities
- Listed public companies
- Eligible non-listed businesses (requires risk assessment and documentation)
AML Program Requirements
Five Pillars
Every covered financial institution must maintain an AML program with:
- Written internal controls, policies and procedures
- Designated compliance officer (BSA Officer with authority and resources)
- Ongoing training for relevant personnel
- Independent testing (regular audits)
- Customer due diligence with ongoing monitoring (the fifth pillar, added by the 2016 CDD Rule)
A documented, periodically refreshed risk assessment underpins all five pillars and is the reference point examiners test the program against.
Mastercard Requirements (Rules Section 1.2)
- Client identification and due diligence
- Controls, resources, and monitoring systems
- Regulatory recordkeeping and reporting
- Risk assessment incorporating all products
- Training for AML personnel
- Independent audit processes
Visa Requirements
Visa's rules focus on data protection and risk, requiring members to:
- Investigate suspected compromise, fraud, or money laundering
- Report to Visa
- Maintain security
- Cooperate with investigations
Sanctions Compliance
Key Lists
| List | Maintained By |
|---|---|
| SDN List | OFAC (US Treasury) |
| Restrictive Measures | European Union |
| Consolidated List | UN Security Council |
Mastercard Requirements (Rules Section 1.2.2)
- Issuers: Screen cardholders, service providers, agents
- Acquirers: Screen merchants, service providers, agents
- Screening at onboarding and ongoing
- No activity with sanctioned persons, entities, or jurisdictions
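Screening "at onboarding and ongoing" is a matching problem: list names arrive as "SURNAME, Given Middle", customer records as "Given Surname", with punctuation, diacritics and corporate suffixes in between. The following is an added example, not the page's or any network's screening engine, showing the normalization and decision logic a screening step needs: casefold and strip diacritics, drop suffix tokens, compare token sets (so a middle name on one side still matches), fall back to a fuzzy ratio for typos, and rescreen the whole book after a list update. The watchlist entries, IDs, stopword list and the 0.7 fuzzy cutoff are constructed for the example and are not drawn from any real list.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Tokens that carry no identifying weight and vary between list entries and customer records.
STOPWORDS = {"the", "mr", "mrs", "ms", "ltd", "limited", "llc", "inc", "corp",
             "corporation", "co", "company", "sa", "gmbh"}

# Constructed watchlist for the example; entries are fictitious and not from any real list.
WATCHLIST = [
    {"id": "X-0001", "name": "DOE, Jonathan Quincy", "aliases": ["Jon Doe", "J. Q. Doe"]},
    {"id": "X-0002", "name": "Zorblax Trading Company Ltd.", "aliases": ["ZORBLAX LTD"]},
]

RANK = {None: 0, "review": 1, "match": 2}

def normalize(name):
    """Strip diacritics and punctuation, casefold, drop stopwords, return sorted tokens.
    Letters with no ASCII decomposition (e.g. Polish L with stroke) are dropped, a known gap."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_name.casefold())
    return sorted(t for t in cleaned.split() if t not in STOPWORDS)

def compare(query_tokens, list_tokens, fuzzy_threshold=0.7):
    """Return 'match', 'review' or None for one query/list-name pair."""
    q, c = set(query_tokens), set(list_tokens)
    shorter, longer = (q, c) if len(q) <= len(c) else (c, q)
    if len(shorter) >= 2 and shorter <= longer:
        return "match"   # identical token sets, or one side merely adds a middle name
    ratio = SequenceMatcher(None, " ".join(query_tokens), " ".join(list_tokens)).ratio()
    return "review" if ratio >= fuzzy_threshold else None

def screen_party(name, watchlist=WATCHLIST):
    """Screen one name against every list name and alias; keep the strongest outcome per entry."""
    q = normalize(name)
    hits = []
    for entry in watchlist:
        best = None
        for candidate in [entry["name"], *entry["aliases"]]:
            outcome = compare(q, normalize(candidate))
            if RANK[outcome] > RANK[best]:
                best = outcome
        if best:
            hits.append({"list_id": entry["id"], "outcome": best})
    if any(h["outcome"] == "match" for h in hits):
        decision = "block"
    else:
        decision = "review" if hits else "clear"
    return {"name": name, "decision": decision, "hits": hits}

def screen_portfolio(parties, watchlist=WATCHLIST):
    """Ongoing screening: rerun the whole book (cardholders, merchants, agents) after each
    list update and return only the parties that need action."""
    results = [screen_party(p, watchlist) for p in parties]
    return [r for r in results if r["decision"] != "clear"]

if __name__ == "__main__":
    for r in screen_portfolio(["Jane Smith", "Jonathon Doe", "Jonathan Doe", "Zorblax Trading Co., Ltd"]):
        print(r["decision"].upper(), r["name"], r["hits"])
```

"Jonathan Doe" is blocked because its tokens are a subset of the list entry's; "Jonathon Doe" (one-letter typo) only reaches the fuzzy tier and goes to analyst review; "Jane Smith" clears. A blocked or reviewed party at onboarding is refused or held, and the same function run over the portfolio is what makes the screening "ongoing" rather than one-time.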
Recordkeeping Requirements
| Record Type | Retention Period |
|---|---|
| Customer identification records | 5 years after account closure |
| Transaction records | 5 years from transaction |
| SAR filings and documentation | 5 years from filing |
| CTR filings | 5 years from filing |
| AML training records | 5 years |
Consequences of Non-Compliance
| Violation | Potential Consequence |
|---|---|
| Failure to file SARs | Civil money penalties per violation, plus criminal exposure for willful failures |
| Failure to maintain AML program | Enforcement actions, consent orders, civil money penalties |
| Willful BSA violations | Criminal prosecution: up to $250K and 5 years; up to $500K and 10 years when part of a pattern of criminal activity or combined with another federal crime |
| Repeat violations | License revocation, processing restrictions |
| Network non-compliance | License suspension, termination |
Recent Enforcement Examples
| Institution | Year | Penalty | Issue |
|---|---|---|---|
| TD Bank | 2024 | ~$3B (combined DOJ, FinCEN, OCC and Federal Reserve) | BSA/AML program failures |
| Wells Fargo | 2023 | $97.8M (Federal Reserve and OFAC) | Sanctions compliance failures |
| Bittrex | 2022 | $29M | Crypto SAR filing failures |
| HSBC | 2012 | $1.9B | Insufficient AML controls |
Issuer-Specific Considerations
Prepaid Card Programs (Visa Rules 10.5.1.1)
- Report approved/pending/declined enrollments
- Report loads, reloads, unauthorized requests
- Report fraud (prepaid, transaction load, enrollment)
- Participate in Prepaid Clearinghouse Service
Credit Card Applications (Visa Rules 10.5.1.2)
- Report approved/declined applications
- Report unauthorized requests and fraudulent applications
- Within 48 hours of approval/decline/fraud determination
- Submit per CCA requirements
First-Party Fraud Considerations
First-party fraud may indicate:
- Synthetic identity fraud
- Bust-out schemes
- Potential money laundering
- Account takeover for laundering purposes
Coordinate fraud and AML functions to identify overlapping patterns.
Practical Implementation Guidance
Building an AML Program from Scratch
Phase 1 (Foundation):
- Appoint BSA Officer
- Draft policies and procedures
- Implement basic CIP/KYC
- Establish CTR filing process
Phase 2 (Monitoring):
- Deploy transaction monitoring
- Define initial rules based on product risk
- Establish alert investigation workflows
- Implement SAR process
Phase 3 (Optimization):
- Tune rules based on outcomes
- Conduct first independent audit
- Formalize training program
- Establish ongoing risk assessment
Common Implementation Mistakes
- Over-reliance on automated systems without human review
- Insufficient investigator training
- Static rule sets that don't evolve
- Siloed fraud and AML teams
- Inadequate documentation of decisions
Coordinating AML with Fraud Prevention
Overlap: Both functions monitor patterns, investigate behavior, may terminate accounts, and deal with suspicious activity.
Integration opportunities:
- Shared case management systems
- Combined alerts for cross-functional review
- Joint training on overlapping typologies
- Coordinated customer communication
Next Steps
Building an AML program?
- Start with CIP/KYC - Foundation requirements
- Define risk ratings - Segment customers
- Set up transaction monitoring - Build initial rules
Improving existing program?
- Tune monitoring rules - Reduce false positives
- Coordinate with fraud team - Share insights
- Prepare for independent testing - Audit readiness
Handling a suspicious activity case?
- Review SAR requirements - Know thresholds
- Follow investigation process - Document thoroughly
- Maintain confidentiality - No tipping off
See Also
- Issuer Perspective - How issuers think about fraud
- Portfolio Monitoring - Cross-account detection
- Synthetic Identity - Fabricated identities
- Application Fraud - Origination-stage fraud
- Fraud Rings - Organized fraud attacks
- Identity Verification - Document and biometric checks
- PCI DSS Compliance - Payment security standards
- Dispute Monitoring Programs - Network requirements
- Regulation E - Consumer protections