Compliance & Reporting

What is AML (Anti-Money Laundering)?

AML is the framework of laws and procedures designed to prevent illicit funds from entering the financial system. Banks, EMIs, fintechs, and increasingly crypto platforms must run KYC, monitor activity, screen sanctions, and report suspicious transactions.

Last updated
Updated May 8, 2026
Reading time
3 min read

How it works

AML is built on three layers, applied by every regulated financial institution to every customer and transaction:

  1. Customer Due Diligence (CDD) — at onboarding, the institution collects identity documents, verifies the beneficial owner, screens against sanctions and PEP (Politically Exposed Persons) lists, and assesses risk. Enhanced Due Diligence (EDD) applies to higher-risk profiles. See KYC.
  2. Ongoing transaction monitoring — automated systems scan every transfer for risk indicators: round-number flows, sudden volume spikes, counter-parties in high-risk jurisdictions, structuring (multiple just-under-threshold transactions), unusual patterns vs. declared business activity.
  3. Suspicious Activity Reporting (SAR) — when a transaction triggers risk thresholds and cannot be cleanly explained, the institution files a SAR with its national Financial Intelligence Unit (FinCEN in the US, TRACFIN in France, NCA in the UK, AUSTRAC in Australia, etc.). The customer is not informed (anti-tipping-off rules).

The international framework

The Financial Action Task Force (FATF) sets the global AML / CFT (Counter-Terrorism Financing) standards through 40 Recommendations. Member countries implement them via national law:

  • EU: 6th AML Directive (6AMLD, in force from 2021), now followed by the AMLR Regulation + AMLA Authority in 2024-2025 reforms.
  • US: Bank Secrecy Act (1970) + USA PATRIOT Act + Anti-Money Laundering Act of 2020 + FinCEN regulations.
  • UK: Money Laundering Regulations 2017 (post-Brexit aligned with FATF + EU 5AMLD legacy).

The FATF maintains:

  • Black list (high-risk jurisdictions subject to counter-measures) — currently includes North Korea, Iran, Myanmar.
  • Grey list (jurisdictions under increased monitoring) — varies year-to-year, includes ~25 countries currently.

Transactions involving black/grey list jurisdictions face automatic enhanced scrutiny and frequent rejection.

What triggers SARs

Common AML alert patterns:

  • Round numbers — €10,000, €25,000 transfers without business documentation.
  • Structuring — multiple transfers just below CTR (Currency Transaction Report) thresholds (e.g., €9,999 transfers to dodge €10k reporting).
  • Mismatch with declared activity — your KYC said you're a SaaS founder, but flows look like an FX-trading or import/export business.
  • Pass-through patterns — funds in and out within days, no apparent commercial purpose.
  • High-risk corridors — payments to/from FATF grey-list jurisdictions, sanctioned individuals or entities.
  • Beneficial-owner ambiguity — multi-layered structures with unclear ultimate ownership.

How to keep a clean AML profile

Practical hygiene for cross-border founders:

  • Match KYC declarations to actual flows. If your business evolves (different products, markets, payment volumes), update the institution.
  • Document significant counter-parties — keep contracts, invoices, KYC on your largest customers and suppliers.
  • Avoid cash — non-traceable cash deposits / withdrawals are SAR magnets.
  • Avoid round-number transfers without clear documentation. Real business invoices rarely round.
  • Keep contracts for any unusual transfer — large one-offs, transfers to new jurisdictions, related-party movements.
  • Avoid FATF grey/black list corridors unless commercially essential and well-documented.

Examples

  • French SaaS founder receives a €25,000 transfer from a new Indonesian client. First payment, round number, mid-risk corridor. Bank flags. Founder pre-empts: emails the bank with the SaaS contract + invoice + Stripe screenshots showing the historical relationship. Bank approves, transaction clears.
  • US LLC owner makes weekly €9,500 personal-account transfers from his EU EMI to his French personal account. EMI's monitoring flags structuring (just under €10k threshold). Account frozen pending review. Funds returned 60 days later; account closed.

Common mistakes

  • Treating AML as a paperwork formality. It's the operational backbone of every financial relationship. Banks close accounts faster than they open them.
  • Failing to update declared activity. A business that grew from €10k/month to €500k/month with the same KYC declaration is risk-flagged automatically.
  • Concentrating banking dependency. A single AML closure can take down the entire operation. Maintain at least 2 active accounts across providers.
  • Believing crypto is exempt. EU MiCA + US AML enforcement now covers crypto exchanges, custody providers, and (increasingly) self-custodial wallet operators with similar AML obligations.

Frequently asked questions

What triggers an AML alert?

Round-number transfers, unusual counter-parties, mismatch between business model and flows, transfers to/from high-risk jurisdictions, and rapid in-and-out movement of funds.

What is a SAR?

A Suspicious Activity Report — an internal regulatory filing banks must make when they suspect, but cannot prove, illicit activity. The customer is rarely informed.

Can I appeal an account closure?

Sometimes, but most institutions provide no detail to avoid 'tipping off' under AML rules. Treat the closure as a fact, switch institution, and clean up the trigger.

How do I keep a clean AML profile?

Match flows to the business model in your KYC, document significant counter-parties, avoid cash, and keep contracts and invoices for any unusual transfer.

Ready to act on AML (Anti-Money Laundering)?

IRS Tax Filing

Professional U.S. tax return preparation and filing for individuals and LLCs.

Get started with IRS Tax Filing