AT A GLANCE

AML regulations are enforced by both international bodies (like FATF, which sets global standards) and national regulators (like FinCEN in the US, FCA in the UK, and AUSTRAC in Australia). Each has specific requirements for customer verification, transaction monitoring, suspicious activity reporting, and record-keeping. Non-compliance can result in significant fines, operational restrictions, or criminal penalties.

Which International Body Sets Global AML Standards?

The Financial Action Task Force (FATF) is the primary international organization that establishes global anti-money laundering and counter-terrorist financing standards. Created in 1989, FATF comprises 37 member jurisdictions and two regional organizations representing major financial centers worldwide.

FATF doesn't directly regulate financial institutions including brokerages and trusts. Instead, it develops recommendations that member countries adopt into their national laws. These recommendations create a unified framework for combating money laundering and terrorist financing globally.

What Does FATF Require?

FATF's 40 Recommendations form the international standard for AML/CFT compliance. Financial institutions in member countries must:

Implement customer identification and verification processes that follow Know Your Customer (KYC) principles. This means collecting and verifying customer identity documents, understanding the nature of customer relationships, and conducting ongoing monitoring.

Apply risk-based due diligence measures that match the level of scrutiny to customer risk profiles. High-risk customers require enhanced due diligence, including deeper investigation into funding sources and business relationships.

Maintain detailed records on customers and transactions, especially for high-risk clients. These records must be accessible for regulatory review and typically must be retained for at least five years.

Monitor accounts for suspicious financial activity and report findings to national financial intelligence units. This includes implementing transaction monitoring systems that flag unusual patterns.

Enforce sanctions against non-compliant entities, including penalties for individuals and organizations that fail to meet AML obligations.

How Does FATF Enforcement Work?

FATF conducts mutual evaluations of member countries to assess compliance with its recommendations. Countries that fail to implement adequate measures may be placed on "grey lists" or "black lists," which can result in increased scrutiny of their financial transactions globally and reduced access to international banking systems.

What Are the Major AML Regulatory Bodies in North America?

Who Regulates AML in the United States?

The Financial Crimes Enforcement Network (FinCEN) enforces the Bank Secrecy Act (BSA), which is the primary anti-money laundering legislation in the United States. Operating under the U.S. Department of Treasury, FinCEN has expanded its jurisdiction beyond money laundering to encompass various financial crimes, including terrorist financing under the USA PATRIOT Act.

What Does the Bank Secrecy Act Require?

The BSA mandates that U.S. financial institutions establish comprehensive AML programs tailored to their risk profiles. Non-compliance can result in criminal prosecution, with penalties including imprisonment and fines up to $250,000.

Compliance Program Requirements:

  • Written AML policies and procedures specific to the institution's risk profile
  • Designated compliance officer with clear authority and accountability
  • Regular employee training on AML detection and reporting
  • Independent audit function to test program effectiveness
  • Ongoing program updates to address emerging risks

Reporting Obligations:

  • Suspicious Activity Reports (SAR): Filed when transactions suggest money laundering, terrorist financing, or other illegal activity
  • Currency Transaction Reports (CTRs): Required for cash transactions exceeding $10,000
  • Form 8300: Filed for cash payments over $10,000 in trade or business transactions

Record-Keeping Requirements: Financial institutions must maintain comprehensive records of customer identities, account activity, and all suspicious transactions. These records must be readily accessible for regulatory review and law enforcement investigations.

Who Regulates AML in Canada?

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) serves as Canada's financial intelligence unit. FINTRAC operates under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, focusing on detecting, preventing, and deterring money laundering and terrorist financing activities that threaten Canada's security.

FINTRAC requires reporting entities to verify customer identities, monitor transactions, keep detailed records, and report suspicious transactions and large cash transactions. The agency analyzes this information and shares intelligence with law enforcement and international partners when financial crimes are suspected.

What Are the Key AML Regulatory Bodies in Europe?

What Are the EU's 5AMLD and 6AMLD?

The European Union issues Anti-Money Laundering Directives that member states implement into national law. These directives establish minimum standards across the EU while allowing individual countries to enforce stricter requirements.

What Does the Fifth Anti-Money Laundering Directive (5AMLD) Cover?

The Fifth Anti-Money Laundering Directive (5AMLD), effective January 10, 2020, primarily addresses cryptocurrency regulation and emerging payment methods:

Cryptocurrency Provisions:

  • Legal definition of virtual currencies and crypto and stablecoin
  • Registration and licensing requirements for cryptocurrency exchanges
  • Customer due diligence requirements for crypto transactions
  • Crypto wallet provider oversight and reporting obligations

Additional Requirements:

  • Stricter controls on prepaid cards, including lower anonymous spending limits
  • Enhanced due diligence for high-value goods transactions (art, precious metals, luxury items)
  • Expanded beneficial ownership registries with public access requirements
  • Enhanced scrutiny for customers from high-risk third countries
  • Updated politically exposed persons (PEPs) screening and monitoring

What Does the Sixth Anti-Money Laundering Directive (6AMLD) Cover?

The 6AMLD, effective June 2021, harmonizes money laundering enforcement across EU member states:

Key Provisions:

  • Unified definition of 22 predicate offenses that constitute money laundering across all EU states
  • Expanded criminal liability including corporate criminal responsibility and "aiding and abetting" provisions
  • Harsher penalties with minimum prison sentences of four years for serious money laundering offenses
  • Extended jurisdictional reach allowing prosecution of offenses committed partially within EU territory

Who Regulates AML in the United Kingdom?

The Financial Conduct Authority (FCA) is the UK's primary financial regulator responsible for anti-money laundering enforcement. As an independent, non-governmental body, the FCA regulates approximately 50,000 financial services firms and financial markets in the UK.

What Authority Does the FCA Have?

Regulatory Authority: The FCA establishes minimum standards for financial products and can prohibit products that don't meet regulatory requirements. This includes setting AML compliance standards for customer onboarding, transaction monitoring, and suspicious activity reporting.

Supervisory Functions: The FCA ensures financial institutions implement effective AML controls through regular examinations, risk assessments, and enforcement actions. Institutions must demonstrate robust systems for identifying suspicious activity and reporting to the National Crime Agency.

Authorization Requirements: Financial institutions must register with the FCA and meet specific conditions before operating in the UK. This includes demonstrating adequate AML compliance programs, qualified personnel, and sufficient resources to maintain ongoing compliance.

What Are the Major AML Regulatory Bodies in Asia-Pacific?

Who Regulates AML in Singapore?

The Monetary Authority of Singapore (MAS) serves as both Singapore's central bank and its integrated financial regulator. MAS supervises banks, insurance companies, securities firms, and payment service providers to maintain financial system integrity.

MAS requires financial institutions to implement risk-based AML/CFT programs that include customer due diligence, ongoing monitoring, suspicious transaction reporting, and record-keeping. The authority conducts regular inspections and imposes significant fines on institutions with inadequate controls. MAS also promotes Singapore as a leading financial center while ensuring robust AML compliance standards.

Who Regulates AML in Hong Kong?

The Hong Kong Monetary Authority (HKMA) oversees AML/CFT compliance for Hong Kong's banking sector. Operating under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, HKMA ensures financial institutions maintain effective AML programs.

HKMA Requirements:

Risk Assessment: Financial institutions must design AML programs based on comprehensive assessments of the specific money laundering and terrorist financing risks they face. This includes evaluating customer types, products offered, delivery channels, and geographic risk exposures.

AML/CFT Program Components:

  • Independent audit functions with regular testing schedules
  • Comprehensive employee training and screening programs
  • Compliance management structure with clear reporting lines
  • Ongoing monitoring systems for detecting suspicious activity

Compliance Officer Requirements: Each institution must appoint a compliance officer with adequate authority, resources, and direct access to senior management. This officer oversees the AML/CFT program and ensures suspicious activity reports are filed appropriately.

Who Regulates AML in India?

The Financial Intelligence Unit - India (FIU-IND) is the national agency responsible for receiving, processing, analyzing, and disseminating suspicious transaction reports. Established in 2004, FIU-IND operates under the Ministry of Finance and serves as India's central repository for financial intelligence.

The Financial Intelligence Unit (FIU) requires reporting entities to file suspicious transaction reports (STRs), cash transaction reports (CTRs), and cross-border wire transfer reports. The unit analyzes this information and shares intelligence with law enforcement agencies, tax authorities, and international financial intelligence units. India's primary AML legislation is the Prevention of Money Laundering Act (PMLA), which FIU-IND helps enforce through its intelligence gathering and analysis functions.

Who Regulates AML in Japan?

The Financial Services Agency (FSA) is Japan's integrated financial regulator overseeing banking, securities, insurance, and financial markets. The FSA ensures the stability and integrity of Japan's financial system through prudential supervision and AML/CFT enforcement.

Japanese financial institutions must adopt risk-based approaches to AML/CFT compliance, including comprehensive screening for international sanctions, adverse media, and politically exposed persons. The FSA conducts regular examinations to assess compliance effectiveness and can impose administrative penalties, business improvement orders, or license revocations for serious violations.

Who Regulates AML in China?

The China Banking and Insurance Regulatory Commission (CBIRC) supervises the banking and insurance sectors throughout mainland China. As a ministry-level agency reporting to the State Council, CBIRC has jurisdiction over all banking and insurance activities in the People's Republic of China except Hong Kong and Macau.

CBIRC enforces AML regulations through supervisory examinations, regulatory requirements for customer due diligence, and enforcement actions against non-compliant institutions. The commission works to maintain fair competition, protect consumer rights, and prevent financial system abuse for money laundering or terrorist financing purposes.

Who Regulates AML in Australia?

The Australian Transaction Reports and Analysis Centre (AUSTRAC) serves as Australia's financial intelligence agency and AML/CFT regulator. AUSTRAC operates under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which establishes comprehensive obligations for reporting entities.

AUSTRAC requires financial institutions, remittance providers, casinos, and other designated businesses to enroll with the agency, implement AML/CFT programs, verify customer identities, and report suspicious matters and threshold transactions. The agency monitors compliance through audits and examinations, with significant penalties available for violations—recent enforcement actions have resulted in fines exceeding hundreds of millions of dollars.

What Requirements Do AML Regulatory Bodies Commonly Enforce?

While specific requirements vary by jurisdiction, most AML regulatory bodies enforce similar core obligations:

Customer Due Diligence (CDD) and Know Your Customer (KYC)

What is required: Financial institutions must verify customer identities using reliable, independent documents or information. This includes collecting names, addresses, dates of birth, and government-issued identification numbers.

When it applies: CDD is required when establishing business relationships, conducting transactions above specified thresholds, suspecting money laundering or terrorist financing, or doubting previously obtained customer information.

Enhanced Due Diligence (EDD): Higher-risk customers require additional scrutiny, including understanding the source of funds, purpose of transactions, and anticipated account activity. EDD applies to politically exposed persons, customers from high-risk jurisdictions, and complex corporate structures.

Transaction Monitoring and Suspicious Activity Reporting

What is required: Institutions must implement systems that monitor customer transactions for patterns consistent with money laundering, terrorist financing, or other financial crimes. Suspicious activity must be reported to the relevant financial intelligence unit.

How it works: Transaction monitoring systems use rules, scenarios, and anomaly detection to flag unusual activity. Common red flags include structuring deposits to avoid reporting thresholds, rapid movement of funds, transactions inconsistent with customer profiles, and involvement of high-risk jurisdictions.

Reporting timelines: Most jurisdictions require suspicious activity reports within 30 days of detecting suspicious activity, though some require faster reporting for ongoing or imminent threats.

Record-Keeping Requirements

What must be retained:

  • Customer identification documents and verification records
  • Transaction records including amounts, dates, parties, and purposes
  • Account opening documents and beneficial ownership information
  • Risk assessment documentation
  • Suspicious activity report supporting documentation
  • Communications related to high-risk transactions

Retention periods: Most jurisdictions require record retention for at least five years after account closure or transaction completion. Some require longer periods for specific record types.

Compliance Program Requirements

Program components:

  • Written policies and procedures tailored to institutional risk
  • Designated compliance officer with appropriate authority
  • Regular employee training on AML obligations
  • Independent audit or testing function
  • Ongoing program updates to address regulatory changes and emerging risks

Risk-based approach: Programs must be proportionate to the institution's money laundering and terrorist financing risks based on customer types, product offerings, delivery channels, and geographic exposures.

Practical Tips for Multi-Jurisdiction AML Compliance

Start with FATF recommendations as your baseline. Since most national regulators align with FATF standards, implementing the 40 Recommendations provides a solid foundation for multi-jurisdiction compliance. You can then layer on jurisdiction-specific requirements.

Map your regulatory obligations by business operation. Create a compliance matrix showing which regulatory bodies govern each business line, jurisdiction, and product. This prevents gaps where activities aren't covered and overlaps where you're duplicating efforts.

Designate regional compliance specialists. For institutions operating across multiple jurisdictions, assign compliance officers with deep expertise in specific regulatory frameworks (EU directives, US BSA, Asian regulators). This specialization improves compliance quality and efficiency.

Implement a unified AML platform with jurisdiction-specific configurations. Rather than managing separate systems for each country, use technology that allows you to customize rules, monitoring scenarios, and reporting formats while maintaining centralized oversight and data management.

Monitor regulatory updates through official channels. Subscribe to updates from FATF, relevant national regulators, and industry associations. Regulations change frequently—the EU issued 5AMLD in 2018 and 6AMLD in 2021, while many jurisdictions updated crypto regulations in 2023-2024.

Conduct gap analyses when expanding to new markets. Before launching in a new jurisdiction, compare your existing AML program against local requirements. Identify and remediate gaps before beginning operations to avoid costly retrofitting or regulatory sanctions.

Maintain evidence of compliance efforts. Regulators increasingly expect institutions to demonstrate ongoing compliance through documented risk assessments, audit reports, training records, and escalation procedures. Good documentation protects you during examinations.

Build relationships with local regulators. When appropriate, engage with regulatory bodies through official channels to clarify expectations, discuss implementation challenges, and stay informed about enforcement priorities. Some regulators offer guidance consultation processes.

Frequently Asked Questions

Which international body sets global standards for anti-money laundering efforts?

The Financial Action Task Force (FATF) sets international standards for combating money laundering and terrorist financing. FATF's 40 Recommendations provide a comprehensive framework that member countries implement through national legislation. While FATF itself doesn't regulate financial institutions directly, its standards influence AML laws in over 200 jurisdictions worldwide.

Who enforces anti-money laundering laws in the United States?

FinCEN (Financial Crimes Enforcement Network) enforces the Bank Secrecy Act, which is the primary AML regulation in the United States. FinCEN operates under the U.S. Department of Treasury and works with federal banking regulators, law enforcement agencies, and prosecutors to ensure compliance and investigate violations.

What regulation requires financial institutions to have AML compliance programs?

In the United States, the Bank Secrecy Act requires financial institutions to establish AML compliance programs. Internationally, FATF Recommendation 1 requires countries to mandate that financial institutions implement AML/CFT programs. The specific regulation varies by country—the EU uses AML Directives, the UK relies on Money Laundering Regulations, and other countries have jurisdiction-specific laws implementing these requirements.

Who regulates AML in India?

The Financial Intelligence Unit - India (FIU-IND) serves as India's primary AML regulatory body. FIU-IND receives and analyzes suspicious transaction reports and disseminates intelligence to law enforcement. India's AML framework is established under the Prevention of Money Laundering Act (PMLA), which is enforced by FIU-IND in coordination with the Enforcement Directorate and other agencies.

What are the main differences between 5AMLD and 6AMLD?

5AMLD (Fifth Anti-Money Laundering Directive) primarily expanded AML requirements to cover cryptocurrencies, prepaid cards, and high-value goods, while also enhancing beneficial ownership transparency. 6AMLD (Sixth Anti-Money Laundering Directive) focused on harmonizing the definition of money laundering offenses across EU member states, expanding criminal liability to include corporations and aiding/abetting, and establishing harsher penalties with minimum four-year prison sentences for serious violations.

Which regulatory body provides global standards for AML and CFT?

FATF (Financial Action Task Force) provides the global standards for anti-money laundering (AML) and combating the financing of terrorism (CFT). FATF's standards are recognized as the international benchmark, with countries evaluated on their implementation through mutual evaluation processes.

Is FATF a regulatory body?

FATF is an intergovernmental policy-making body, not a regulatory body. It develops recommendations and standards that member countries implement through their national laws and regulators. FATF conducts evaluations and can issue compliance warnings, but it doesn't directly regulate financial institutions or impose penalties.

What are the consequences of non-compliance with AML regulations?

Consequences vary by jurisdiction but typically include substantial monetary fines (often millions or billions of dollars for major violations), criminal prosecution of individuals including imprisonment, license revocations or restrictions on business operations, reputational damage affecting customer relationships and partnerships, and increased regulatory scrutiny including more frequent examinations and consent orders requiring remediation.

Do AML requirements apply to cryptocurrency businesses?

Yes, most major jurisdictions now require cryptocurrency exchanges, wallet providers, and other virtual asset service providers to comply with AML regulations. The EU's 5AMLD explicitly included crypto businesses, while countries like the United States, UK, Singapore, and Japan have extended AML requirements to cover virtual asset activities. These businesses must typically register with financial regulators, verify customer identities, monitor transactions, and report suspicious activity.

How often should AML compliance programs be updated?

AML compliance programs should be reviewed and updated at least annually, or more frequently when there are significant regulatory changes, institutional changes (new products, markets, or delivery channels), or emerging risk trends. Major regulatory updates like new directives or guidance may require immediate program revisions. Additionally, independent audits should test program effectiveness regularly, with findings prompting updates as needed.

How Flagright Helps with Multi-Jurisdiction AML Compliance

In case you missed it, we recently published a blog post on how to build a comprehensive AML policy. Navigating multiple regulatory frameworks becomes increasingly complex as your business expands across borders. Each jurisdiction has unique requirements for transaction monitoring, customer due diligence, and suspicious activity reporting—and staying compliant with all of them simultaneously requires sophisticated technology and expertise.

Flagright’s AML compliance solution is designed for financial institutions operating across multiple jurisdictions. Our solution includes:

Real-time transaction monitoring with jurisdiction-specific rules and scenarios that adapt to local regulatory requirements while providing centralized oversight across your entire operation.

Customer risk assessment that evaluates customers against global sanctions lists, PEP databases, and adverse media while incorporating jurisdiction-specific risk factors and regulatory expectations.

AML case management that streamlines investigations and ensures suspicious activity reports meet the format, content, and timing requirements of each relevant regulator.

Watchlist screening across comprehensive global databases including OFAC, UN, EU, DFAT, and hundreds of other sanctions lists, PEP databases, and adverse media sources.

AI forensics that uncover complex money laundering schemes and network patterns that traditional rules-based systems miss, helping you meet regulators' expectations for sophisticated risk detection.

Whether you're a fintech startup entering your first international market or an established institution managing compliance across dozens of jurisdictions, Flagright provides the technology and support you need to maintain effective, efficient AML compliance programs.

Ready to see how Flagright can simplify your multi-jurisdiction AML compliance? Contact us here to schedule a free demo and learn how our platform addresses the specific regulatory requirements outlined in this guide.