AT A GLANCE

US financial institutions must comply with Anti-Money Laundering (AML) regulations mandated by the Bank Secrecy Act (BSA) and USA PATRIOT Act. The Financial Crimes Enforcement Network (FinCEN) serves as the primary regulatory body, requiring institutions to implement Customer Identification Programs (CIP), conduct customer due diligence (CDD), file Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), and screen against OFAC sanctions lists. In the United States alone, it is estimated that between $300 billion and $1 trillion is laundered every year.

Which regulation requires financial institutions to have AML compliance programs?

The Bank Secrecy Act (BSA) of 1970 is the primary federal regulation requiring brokerages and trusts to establish and maintain AML compliance programs. It was substantially expanded by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act.

Under Section 352 of the USA PATRIOT Act, all financial institutions must implement a written AML compliance program containing four mandatory components: a designated compliance officer responsible for day-to-day AML operations; ongoing employee training programs; an independent testing or audit function to evaluate program effectiveness; and policies, procedures, and internal controls designed to ensure ongoing compliance.

The BSA applies to banks and credit unions, money services businesses (MSBs), securities broker-dealers, casinos and card clubs, insurance companies, and payment processors. The definition continues expanding as FinCEN issues new rulings to address emerging financial service models.

Financial institutions that fail to maintain adequate AML programs face severe consequences. Civil penalties can reach $250,000 per violation or twice the transaction amount. Criminal penalties include fines up to $500,000 and imprisonment up to 10 years. Beyond monetary penalties, institutions risk losing their operating licenses and suffering irreparable reputational damage.

What are the key US regulatory bodies for AML?

Three primary federal agencies oversee AML compliance in the United States, each with distinct responsibilities and enforcement powers.

FinCEN (Financial Crimes Enforcement Network) serves as the lead AML regulator within the US Department of Treasury. Established in 1990, FinCEN collects and analyzes financial transaction data, issues regulations and guidance, receives and processes SARs and CTRs, disseminates financial intelligence to law enforcement, and coordinates with international Financial Intelligence Units (FIUs). FinCEN processes over 20 million reports annually, including approximately 2.8 million SARs.

Office of Foreign Assets Control (OFAC) administers and enforces economic sanctions against targeted foreign countries, terrorist organizations, narcotics traffickers, and individuals involved in weapons proliferation. Financial institutions must screen all customers and transactions against OFAC's Specially Designated Nationals (SDN) list, which contains over 6,000 names. Since 2010, OFAC has assessed over $7 billion in penalties for sanctions violations.

Federal banking regulators including the Office of the Comptroller of the Currency (OCC), Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA) examine financial institutions for BSA/AML compliance during regular examinations. These agencies can issue enforcement actions including cease and desist orders, civil money penalties, and removal of institution-affiliated parties.

What is AML compliance and why does it matter?

AML compliance refers to the policies, procedures, and controls financial institutions implement to prevent their services from being exploited for money laundering or terrorist financing.

Money laundering is the process of disguising illegally obtained funds to make them appear legitimate. According to the United Nations, an estimated $800 billion to $2 trillion (2-5% of global GDP) is laundered annually. In the United States alone, estimates range from $300 billion to $1 trillion laundered each year.

Why AML compliance is essential:

Regulatory obligation and legal exposure. AML compliance is a federal requirement. Non-compliance exposes institutions to civil and criminal penalties, regulatory sanctions, and potential license revocation. Enforcement actions have increased significantly, with FinCEN assessing over $3 billion in penalties since 2015.

Reputational protection. A single major AML compliance failure can destroy an institution's reputation built over decades. News of money laundering through a financial institution triggers customer exodus, investor concerns, and media scrutiny.

Operational risk management. Effective AML programs protect institutions from becoming conduits for criminal proceeds. When criminals use financial services for illicit purposes, institutions face not only regulatory consequences but also potential civil liability.

Competitive advantage. Strong AML compliance demonstrates to customers, partners, and regulators that an institution takes combating financial crime seriously, facilitating business relationships and cross-border transactions.

How can I meet AML requirements?

Financial institutions meet AML requirements by implementing comprehensive compliance programs addressing five core pillars mandated by federal regulations.

Customer Identification Program (CIP) forms the foundation of AML compliance. Under Section 326 of the USA PATRIOT Act, institutions must verify customer identities when opening accounts by collecting customer information (full legal name, date of birth, address, identification number), verifying identity through documentary or non-documentary methods, maintaining records of verification methods, and providing adequate customer notice about CIP requirements.

For business customers, requirements expand to articles of incorporation, business licenses, and beneficial ownership information identifying individuals who own 25% or more of the entity.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) require institutions to understand the nature and purpose of customer relationships. FinCEN's 2016 CDD Rule established four core requirements: customer identification and verification, beneficial ownership identification for legal entities, understanding the nature and purpose of relationships, and ongoing monitoring for suspicious activity.

Enhanced due diligence applies to higher-risk customers including politically exposed persons (PEPs), customers from high-risk jurisdictions, businesses with complex ownership structures, and customers in high-risk industries. EDD measures include obtaining additional information about sources of wealth, conducting more frequent reviews, requiring senior management approval, and obtaining additional documentation.

Transaction Monitoring and Suspicious Activity Reporting represent critical AML elements. Institutions must monitor customer transactions for patterns indicative of money laundering including transactions inconsistent with customer profile, structured transactions designed to avoid reporting thresholds, rapid movement of funds, wire transfers to/from high-risk jurisdictions, and transactions involving shell companies or sanctioned entities.

When suspicious activity is identified, institutions must file Suspicious Activity Reports (SARs) with FinCEN within 30 days of initial detection. Financial institutions filed approximately 2.8 million SARs in 2023.

Currency Transaction Reporting (CTR) requires financial institutions to file CTRs for cash transactions exceeding $10,000, including both single transactions and multiple transactions that aggregate to more than $10,000 in a single business day. CTRs must be filed electronically within 15 days.
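The two rules above, CTR aggregation per business day and detection of structured deposits that stay just under the threshold, as an added Python example that is not part of the original post or Flagright's product. The sample transactions, the 80% "near threshold" fraction, the 3-day window and the minimum count are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000          # CTR required when daily cash total exceeds $10,000
NEAR_THRESHOLD_FRACTION = 0.80  # assumption: "just under" means 80-100% of the threshold
STRUCTURING_WINDOW_DAYS = 3     # assumption: look-back window for a structuring pattern
STRUCTURING_MIN_COUNT = 2       # assumption: at least two near-threshold transactions

# Constructed sample cash transactions: (customer_id, business date, amount in USD).
SAMPLE_TRANSACTIONS = [
    ("C001", date(2024, 3, 4), 6_500.00),
    ("C001", date(2024, 3, 4), 4_200.00),   # same-day total 10,700 -> CTR required
    ("C002", date(2024, 3, 4), 9_800.00),
    ("C002", date(2024, 3, 5), 9_700.00),   # two just-under deposits in 2 days -> alert
    ("C003", date(2024, 3, 4), 10_000.00),  # exactly 10,000 is not "exceeding" -> no CTR
    ("C004", date(2024, 3, 6), 3_000.00),
]

def aggregate_daily_cash(transactions):
    """Sum cash per (customer, business day); the BSA aggregation rule is per day."""
    totals = defaultdict(float)
    for customer_id, business_date, amount in transactions:
        totals[(customer_id, business_date)] += amount
    return dict(totals)

def ctr_required(transactions, threshold=CTR_THRESHOLD):
    """Return (customer, day, total) tuples whose daily cash total exceeds the threshold."""
    return sorted(
        (customer_id, business_date, total)
        for (customer_id, business_date), total in aggregate_daily_cash(transactions).items()
        if total > threshold
    )

def structuring_alerts(transactions, threshold=CTR_THRESHOLD,
                       window_days=STRUCTURING_WINDOW_DAYS,
                       near_fraction=NEAR_THRESHOLD_FRACTION,
                       min_count=STRUCTURING_MIN_COUNT):
    """Flag customers with repeated just-under-threshold cash transactions in a short window.

    A daily total over the threshold is a CTR matter; the pattern flagged here is amounts
    that each stay below the threshold but together exceed it within the window.
    """
    by_customer = defaultdict(list)
    for customer_id, business_date, amount in transactions:
        if near_fraction * threshold <= amount <= threshold:
            by_customer[customer_id].append((business_date, amount))
    alerts = []
    for customer_id, rows in by_customer.items():
        rows.sort()
        for i, (start_date, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start_date <= timedelta(days=window_days)]
            total = sum(amount for _, amount in window)
            if len(window) >= min_count and total > threshold:
                alerts.append((customer_id, start_date, window[-1][0], len(window), round(total, 2)))
                break  # one alert per customer is enough for an analyst queue
    return alerts
```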

OFAC Sanctions Screening ensures institutions don't conduct business with prohibited individuals, entities, or countries. Financial institutions must screen customers at account opening, screen transactions in real time (for example through Flagright's real-time transaction monitoring), conduct periodic rescreening of existing customers, and screen business partners.

What are AML requirements for banks and payment processors?

Banks and payment processors face comprehensive AML requirements tailored to their specific risk profiles and business models.

Traditional banks must maintain full BSA/AML compliance programs including all five core requirements. Additional bank-specific requirements include correspondent banking due diligence for relationships with foreign financial institutions, private banking oversight for high-net-worth customer accounts, and suspicious activity identification for specific typologies.

Banking regulators examine BSA/AML compliance during regular examinations. Banks with deficient AML programs may receive enforcement actions including cease and desist orders and civil money penalties.

Payment processors and money services businesses (MSBs) face heightened AML scrutiny. FinCEN requires MSBs to register federally, maintain state licenses, implement comprehensive AML programs, and file SARs for transactions exceeding $2,000 (lower threshold than banks' $5,000).

Payment processors must conduct enhanced due diligence on merchant customers, particularly high-risk categories including online gambling, adult entertainment, pharmaceuticals, and third-party payment processors. Money transmitters face specific requirements including funds transfer recordkeeping, travel rule compliance, and agent monitoring.

Fintech companies and digital payment platforms must comply with the same AML requirements as traditional financial institutions. Cryptocurrency exchanges and wallet providers must register as MSBs, implement Know Your Customer (KYC) and transaction monitoring, file SARs for suspicious crypto and stablecoin transactions, and maintain records of cryptocurrency transactions exceeding $3,000.

How does AML screening prevent financial crimes?

AML screening serves as a critical control preventing financial institutions from facilitating money laundering, terrorist financing, and sanctions violations through multi-layered approaches.

Customer onboarding screening occurs when individuals or businesses establish relationships with financial institutions, identifying high-risk customers before account opening and preventing sanctioned parties from accessing the financial system. Screening processes compare customer information against OFAC SDN list, FBI Most Wanted lists, Politically Exposed Persons (PEP) lists, and adverse media databases.

Transaction screening analyzes payments in real-time before processing to block prohibited transactions. This is particularly critical for wire transfers and international payments. Transaction screening examines originator and beneficiary information, intermediary financial institutions, and transaction descriptions. Financial institutions must make blocking decisions rapidly—typically within minutes.

Periodic rescreening of existing customers identifies individuals or entities newly added to sanctions lists. OFAC continuously updates its lists, adding dozens of entries monthly. Financial institutions must rescreen their entire customer base at least weekly, though many institutions rescreen daily.
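Name screening of the kind described in the onboarding and rescreening paragraphs above (name normalization, fuzzy matching against a watchlist, and rescreening the customer base against entries added since the last list version), as an added Python example that is not part of the original post or Flagright's product. The match threshold, the corporate-suffix stop tokens, the list ids and every name are constructed assumptions, not real SDN entries.

```python
import re
import unicodedata
from difflib import SequenceMatcher

MATCH_THRESHOLD = 0.85  # assumption: a score at or above this becomes an analyst alert
# assumption: corporate designators carry little identifying weight, so they are dropped
STOP_TOKENS = {"llc", "ltd", "inc", "co", "company", "corp", "sa", "gmbh"}

def normalize_name(name):
    """Strip diacritics and punctuation, casefold, drop corporate suffixes, sort tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).casefold()
    tokens = [t for t in re.split(r"[^a-z0-9]+", text) if t and t not in STOP_TOKENS]
    return " ".join(sorted(tokens))

def name_score(a, b):
    """Similarity in [0, 1] between two names after normalization (token order ignored)."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()

def screen(customers, watchlist, threshold=MATCH_THRESHOLD):
    """Return (customer_id, watchlist_id, score) for every pair at or above the threshold."""
    hits = []
    for customer_id, customer_name in customers:
        for entry_id, entry_name in watchlist:
            score = name_score(customer_name, entry_name)
            if score >= threshold:
                hits.append((customer_id, entry_id, round(score, 3)))
    return hits

def rescreen_against_additions(customers, previous_list, current_list, threshold=MATCH_THRESHOLD):
    """Periodic rescreen: only entries added since the previous list version are re-run
    against the whole customer base (removed entries cannot create new hits)."""
    previous_ids = {entry_id for entry_id, _ in previous_list}
    added = [(entry_id, name) for entry_id, name in current_list if entry_id not in previous_ids]
    return screen(customers, added, threshold)

# Constructed data: fictional customers and placeholder watchlist ids.
CUSTOMERS = [
    ("cust-1", "Example Trading Company, LLC"),
    ("cust-2", "José Álvarez-Ejemplo"),
    ("cust-3", "Maria Ordinary"),
    ("cust-4", "Examlpe Trading Co"),       # typo still matches via fuzzy scoring
]
WATCHLIST_V1 = [
    ("WL-0001", "TRADING COMPANY EXAMPLE LTD"),
]
WATCHLIST_V2 = WATCHLIST_V1 + [
    ("WL-0002", "ALVAREZ EJEMPLO, JOSE"),   # entry added since the previous list version
]
```

A full run of `screen(CUSTOMERS, WATCHLIST_V2)` produces three alerts, while `rescreen_against_additions(CUSTOMERS, WATCHLIST_V1, WATCHLIST_V2)` only re-runs the one new entry and surfaces the single customer it affects.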

Preventing specific financial crime typologies includes terrorist financing prevention (disrupting terrorist funding by identifying designated individuals and organizations), drug trafficking interdiction (preventing traffickers from using legitimate financial channels), proliferation financing disruption (preventing funds from reaching sanctioned regimes), and corruption deterrence (making it harder for kleptocrats to hide stolen assets).

What are the consequences of AML non-compliance?

AML non-compliance exposes financial institutions to severe regulatory, financial, and reputational consequences that can threaten their viability.

Civil money penalties represent the most direct financial consequence. FinCEN can assess penalties up to $250,000 per violation or twice the transaction amount. Between 2010 and 2024, US regulators assessed over $15 billion in AML-related penalties. Major enforcement actions include HSBC's $1.9 billion settlement, JPMorgan Chase's $1.7 billion settlement, and Standard Chartered's settlements totaling over $1 billion.

Criminal prosecution can result from willful BSA violations. Individuals face imprisonment up to 5 years for BSA violations and up to 10 years for violations committed during another crime.

Regulatory enforcement actions beyond monetary penalties include cease and desist orders, consent orders imposing business restrictions, requirements to retain independent consultants, restrictions on growth or new activities, and removal or prohibition orders against responsible individuals.

Reputational damage and business impact often exceed direct financial penalties. AML compliance failures attract intense media coverage, trigger customer attrition, damage correspondent bank relationships, result in loss of investor confidence, and cause difficulties attracting talent. Some institutions have lost correspondent banking relationships following AML scandals.

What are the latest AML compliance trends for 2026?

The AML regulatory landscape continues evolving rapidly with challenges in achieving and maintaining AML compliance.

Beneficial ownership transparency has become central following implementation of the Corporate Transparency Act (CTA). Effective January 1, 2024, most US companies must report beneficial ownership information to FinCEN identifying individuals who ultimately own or control the entity.

Focus on virtual assets and cryptocurrency has intensified. FinCEN and other regulators have clarified that virtual asset service providers including cryptocurrency exchanges, wallet providers, and DeFi protocols are money services businesses subject to full BSA requirements. Major cryptocurrency exchanges now implement comprehensive AML programs comparable to traditional financial institutions.

Artificial intelligence and machine learning are revolutionizing AML compliance. Traditional rules-based transaction monitoring systems generate excessive false positives—often 95-99% of alerts prove false. AI-powered systems reduce false positives by 50-70% through behavioral analysis, network analysis, and predictive modeling.

Real-time payment monitoring is becoming essential as payment speed increases. The launch of FedNow in 2023 enables instant payments 24/7, requiring institutions to screen and monitor transactions in seconds rather than hours or days.

Increased focus on effectiveness over mere compliance marks a significant regulatory shift. Regulators increasingly examine whether programs actually detect and prevent money laundering rather than just checking compliance boxes.

Regulatory technology (RegTech) adoption accelerates as institutions seek efficiency gains. RegTech solutions automate manual compliance processes, integrate data from multiple sources, provide real-time risk dashboards, and enable rapid regulatory reporting.

Frequently Asked Questions

What is the difference between AML and KYC?

AML (Anti-Money Laundering) is the broader regulatory framework designed to prevent money laundering and terrorist financing. KYC (Know Your Customer) is a specific component of AML focused on customer identification and verification. KYC establishes who customers are; AML monitors what they do. Flagright simplifies KYC and KYB processes through a centralized platform that automates customer due diligence and risk assessment.

How long must financial institutions retain AML records?

The Bank Secrecy Act requires financial institutions to retain most AML records for 5 years. This includes customer identification records, transaction records, SARs and supporting documentation, CTRs, and funds transfer records.

Who needs to file SARs and CTRs?

All financial institutions subject to the Bank Secrecy Act must file SARs when they detect suspicious activity. This includes banks, credit unions, money services businesses, casinos, securities dealers, and insurance companies. SARs have different thresholds—$5,000 for banks, $2,000 for MSBs. CTRs must be filed for cash transactions exceeding $10,000.

What is the USA PATRIOT Act's role in AML?

The USA PATRIOT Act of 2001 significantly strengthened AML regulations in response to 9/11. Title III added mandatory Customer Identification Programs (CIP), enhanced due diligence requirements, information sharing provisions, expanded coverage to more financial institutions, and increased penalties.

What are politically exposed persons (PEPs) in AML?

PEPs are individuals who hold or have held prominent public positions, their immediate family members, and close associates. This includes senior foreign government officials, executives of state-owned enterprises, and senior political party officials. Financial institutions must apply enhanced due diligence to PEP relationships due to increased corruption risks.

How often should AML compliance programs be audited?

Federal regulations require independent testing or auditing of AML programs at least every 12-18 months depending on the institution's risk profile. Higher-risk institutions should conduct audits annually. Independent audits must be performed by parties not involved in AML compliance functions.

What is the difference between CDD and EDD?

Customer Due Diligence (CDD) is the standard level of information collection and monitoring applied to all customers. Enhanced due diligence (EDD) is a higher level of scrutiny applied to higher-risk customers requiring additional information, more frequent monitoring, senior management approval, and additional documentation.

Are fintech companies subject to AML regulations?

Yes, fintech companies providing financial services must comply with the same AML regulations as traditional financial institutions. FinCEN has clarified that innovative business models don't exempt companies from BSA obligations. Digital payment platforms, cryptocurrency exchanges, and peer-to-peer lenders must register with FinCEN and implement full AML programs.

What happens if a financial institution files a SAR late?

Late SAR filing constitutes a regulatory violation that can result in enforcement action. However, regulators typically consider late filing less severe than failure to file. Institutions should file late SARs as soon as the deficiency is discovered and document the reasons for delay.

Can banks share AML information with each other?

Yes, under Section 314(b) of the USA PATRIOT Act, financial institutions can voluntarily share information regarding suspected money laundering or terrorist financing. Institutions must register with FinCEN to participate. Over 9,000 institutions now participate in 314(b) information sharing.

Essential AML Compliance Tips

For Compliance Officers:

  • Conduct an annual AML risk assessment evaluating customer types, geographic exposures, products/services, and delivery channels
  • Implement transaction monitoring rules generating investigable alerts with false positive rates below 20%
  • Document SAR filing decisions thoroughly including why activity is suspicious and reportable
  • Maintain independent testing schedules ensuring audits occur within regulatory timeframes
  • Establish escalation procedures allowing front-line staff to quickly report suspicious transactions

For Financial Institutions:

  • Designate a qualified BSA/AML compliance officer with appropriate authority and direct access to senior management
  • Train all employees on AML red flags relevant to their roles with ongoing refreshers on emerging typologies
  • Invest in technology solutions that automate manual processes and reduce false positives
  • Build relationships with law enforcement and FinCEN to understand how SAR information is used
  • Review and update AML policies at least annually or whenever regulations change

For Banks and Payment Processors:

  • Screen all customers against OFAC lists at onboarding and rescreen at least weekly—daily or real-time is best practice
  • Set transaction monitoring thresholds based on customer risk profiles rather than one-size-fits-all rules
  • Document CDD and EDD decisions contemporaneously rather than retroactively
  • Conduct merchant due diligence for payment processing relationships focusing on business model and processing volumes
  • Collect beneficial ownership information for all legal entity customers per FinCEN's CDD Rule

For Startups and Fintechs:

  • Consult with experienced BSA/AML counsel early in product development to understand regulatory obligations
  • Register with FinCEN and obtain required state licenses before commencing operations
  • Build compliance into product design rather than bolting it on afterward
  • Partner with established compliance technology vendors rather than building systems from scratch
  • Maintain sufficient compliance staffing as you scale—don't let customer growth outpace compliance capabilities

Technology Implementation Priorities:

  • Prioritize transaction monitoring systems using machine learning and AI to reduce false positives
  • Ensure watchlist screening tools provide fuzzy matching, phonetic algorithms, and false positive management workflows
  • Implement case management systems tracking investigations from alert through disposition
  • Deploy automated reporting tools that generate SARs and CTRs with required fields populated
  • Select vendors offering continuous regulatory updates so systems remain current

Conclusion

US AML regulations create comprehensive requirements that financial institutions must navigate to maintain compliance and protect themselves from exploitation by money launderers and financial criminals. The regulatory framework built on the Bank Secrecy Act and USA PATRIOT Act establishes clear mandates for customer identification, due diligence, transaction monitoring, suspicious activity reporting, and sanctions screening.

Success in AML compliance requires understanding not only the letter of regulations but their spirit and purpose. Regulators increasingly focus on program effectiveness rather than mere checkbox compliance. Institutions must implement risk-based programs that actually detect and prevent money laundering, provide useful intelligence to law enforcement through quality SARs, and maintain strong cultures of compliance.

The AML landscape continues evolving with new threats, technologies, and regulatory expectations. Financial institutions that embrace innovation, invest in effective compliance technology, and maintain robust programs will be best positioned to meet both current requirements and future challenges. This involves conducting regular audits, analyzing program performance, and making data-driven adjustments to policies and procedures.

Ready to streamline your AML compliance? Flagright offers a comprehensive, no-code AML compliance and fraud prevention platform designed for financial institutions, payment processors, and fintech companies. With AI-powered transaction monitoring, automated sanctions screening, customer risk assessment, and real-time SAR/CTR reporting, Flagright reduces false positives by 60%, ensures regulatory compliance, and integrates fully within 3-10 days. Schedule a free demo to discover how Flagright can transform your AML compliance solution.