
KYC AML Compliance Requirements 2026

AML program requirements, KYC compliance steps, Bank Secrecy Act obligations, FinCEN CDD Rule, the 5 BSA pillars, SAR/CTR filing thresholds, beneficial ownership rules, and how to build an AML program from scratch.

Source: FinCEN official (CTA BOI Rule, 2024). Updated March 2026.

What Is AML / KYC?

Verified data: FinCEN official BSA documentation.

Anti-Money Laundering (AML) refers to the laws, regulations, and programs designed to detect and prevent the conversion of illegally-obtained funds ("dirty money") into seemingly legitimate assets ("clean money"). The three stages of money laundering are placement (introducing illicit cash into the financial system), layering (concealing the trail), and integration (making funds appear legitimate). (FinCEN BSA Overview)

Know Your Customer (KYC) is the due diligence process by which financial institutions verify customer identity, assess customer risk, and monitor ongoing account activity. KYC is the customer-facing component of a broader AML compliance program. (FinCEN CDD Final Rule)

The primary US law governing AML is the Bank Secrecy Act (BSA) of 1970 (31 U.S.C. 5311–5336), as amended by the USA PATRIOT Act (2001), the Anti-Money Laundering Act of 2020 (AMLA), and the Corporate Transparency Act (2021). Enforcement is led by FinCEN (US Treasury), with examination by federal banking regulators (OCC, FDIC, Fed, NCUA). (31 U.S.C. 5311)

Key figures:
1970: Bank Secrecy Act enacted
5: BSA program pillars
$10K: CTR threshold
30 days: SAR filing deadline
$1.9B: Largest AML fine (HSBC)

The 5 BSA / AML Program Pillars

Verified data: FinCEN CDD Final Rule adds the 5th pillar, effective May 2018.

FinCEN requires covered financial institutions to maintain a written AML compliance program containing, at minimum, the following five elements. (FinCEN CDD Final Rule, May 2018; current as of March 2026)

Pillar 1: Internal Controls & Policies
Written BSA/AML policies, procedures, and controls that identify and manage money laundering risks. Must be approved by the board of directors and reviewed annually.

Pillar 2: BSA Compliance Officer
Designate a qualified individual responsible for day-to-day BSA/AML program management, filing SARs and CTRs, and coordinating with law enforcement.

Pillar 3: Ongoing Employee Training
Annual AML training for all applicable employees covering red flags, reporting obligations, tipping-off prohibition, and institution-specific procedures.

Pillar 4: Independent Testing (Audit)
Annual independent testing of the BSA/AML compliance program by qualified internal audit staff or an external firm. Must evaluate effectiveness of controls and CDD procedures.

Pillar 5: Customer Due Diligence (CDD)
The fifth pillar, added by the FinCEN CDD Final Rule (2016, effective May 2018): know your customers, understand the nature of their transactions, and conduct ongoing monitoring. Includes Beneficial Ownership for legal entities.

SAR & CTR Filing Requirements

Verified data: FinCEN official SAR/CTR requirements.

Currency Transaction Reports (CTRs)

Financial institutions must file a CTR for any single or aggregated cash transaction(s) of more than $10,000 by or for the same person in a business day. CTRs must be filed within 15 days of the transaction. (31 CFR § 1010.311)

Structuring Warning: Breaking up transactions specifically to avoid the $10,000 CTR threshold ("structuring" or "smurfing") is itself a federal crime under 31 U.S.C. 5324, punishable by up to 5 years imprisonment, regardless of whether the underlying funds are legitimate.
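The two rules above (aggregate all cash by or for the same person within one business day, and treat repeated sub-threshold deposits as a red flag rather than as a way around the report) are the kind of logic a transaction monitoring system runs every night. The following is an added illustration, not code from the page or from FinCEN: it aggregates a constructed cash ledger per customer per business day to find CTR obligations, and separately queues customers with a cluster of near-threshold transactions for SAR review. The ledger, customer IDs, window size, and the 80%-of-threshold "near" cutoff are all assumptions chosen for the example; a real program documents its own thresholds and the rationale for them.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# 31 CFR 1010.311: a CTR is required when cash transactions by or on behalf of
# the same person total MORE than $10,000 in one business day.
CTR_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class CashTransaction:
    txn_id: str
    customer_id: str      # the person the cash is by or for, not the teller or branch
    business_day: date
    amount: Decimal       # cash in or cash out, always positive in this example
    branch: str


# Constructed sample ledger (hypothetical data, not taken from the page).
SAMPLE_LEDGER = [
    CashTransaction("T1", "C001", date(2026, 3, 2), Decimal("12500"), "Main"),
    CashTransaction("T2", "C002", date(2026, 3, 2), Decimal("6000"), "Main"),
    CashTransaction("T3", "C002", date(2026, 3, 2), Decimal("4500"), "North"),
    CashTransaction("T4", "C002", date(2026, 3, 3), Decimal("1000"), "Main"),
    CashTransaction("T5", "C003", date(2026, 3, 2), Decimal("9500"), "Main"),
    CashTransaction("T6", "C003", date(2026, 3, 3), Decimal("9800"), "North"),
    CashTransaction("T7", "C003", date(2026, 3, 4), Decimal("9600"), "Main"),
    CashTransaction("T8", "C004", date(2026, 3, 2), Decimal("3000"), "Main"),
    CashTransaction("T9", "C004", date(2026, 3, 5), Decimal("2000"), "Main"),
]


def aggregate_by_customer_day(txns):
    """Sum cash per (customer, business day) across every branch and teller.
    Aggregating only per branch would miss C002's split deposit below."""
    totals = defaultdict(Decimal)
    for t in txns:
        totals[(t.customer_id, t.business_day)] += t.amount
    return dict(totals)


def ctr_required(txns):
    """Return [(customer_id, business_day, total)] for every day on which a
    CTR must be filed, i.e. the aggregate strictly exceeds $10,000."""
    return sorted(
        (cid, day, total)
        for (cid, day), total in aggregate_by_customer_day(txns).items()
        if total > CTR_THRESHOLD
    )


def structuring_candidates(txns, window_days=7, min_count=3,
                           near_fraction=Decimal("0.8")):
    """Flag customers whose cash transactions each stay at or below the CTR
    threshold but land close to it (>= near_fraction * threshold) and recur at
    least min_count times inside any window_days window. The result is a
    review queue for the BSA officer, not an automatic SAR filing; the
    parameters are assumed values for this example."""
    near_floor = near_fraction * CTR_THRESHOLD
    by_customer = defaultdict(list)
    for t in txns:
        if near_floor <= t.amount <= CTR_THRESHOLD:
            by_customer[t.customer_id].append(t)
    flagged = {}
    for cid, items in by_customer.items():
        items.sort(key=lambda t: t.business_day)
        for i, start in enumerate(items):
            window_end = start.business_day + timedelta(days=window_days)
            in_window = [t for t in items[i:] if t.business_day < window_end]
            if len(in_window) >= min_count:
                flagged[cid] = [t.txn_id for t in in_window]
                break
    return flagged


if __name__ == "__main__":
    for cid, day, total in ctr_required(SAMPLE_LEDGER):
        print(f"CTR required: customer {cid}, business day {day}, aggregate ${total}")
    for cid, ids in structuring_candidates(SAMPLE_LEDGER).items():
        print(f"SAR review: customer {cid}, possible structuring across {ids}")
```

On the sample ledger, C001 triggers a CTR on a single $12,500 transaction and C002 triggers one because $6,000 at one branch plus $4,500 at another aggregate to $10,500 on the same day. C003 never exceeds $10,000 on any single day, so no CTR is due, but three near-threshold deposits on consecutive days put the customer in the structuring review queue; whether a SAR is ultimately filed is an investigator's decision within the 30-day deadline described above.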

Suspicious Activity Reports (SARs)

Financial institutions must file a SAR when they know, suspect, or have reason to suspect that a transaction involves funds from illegal activity, is designed to evade BSA requirements, lacks a lawful purpose, or involves potential insider fraud exceeding $5,000. (31 CFR § 1020.320)

| Report Type | Threshold | Filing Deadline | Retention |
| --- | --- | --- | --- |
| Currency Transaction Report (CTR) | Cash transactions >$10,000 | 15 calendar days | 5 years |
| Suspicious Activity Report (SAR) | $5,000+ (depository inst.) / $2,000+ (broker-dealer) | 30 calendar days (60 if no known suspect) | 5 years |
| Foreign Bank Account Report (FBAR) | Foreign accounts >$10,000 aggregate | April 15 (6-month extension available) | 5 years |
| Form 8300 (IRS/FinCEN) | Cash >$10,000 from trade/business | 15 days after receipt | 5 years |

Customer Due Diligence (CDD) & Beneficial Ownership

Verified data: FinCEN CDD Final Rule, effective May 2018; CTA BOI Rule effective 2024.

The FinCEN CDD Final Rule (effective May 11, 2018) requires covered financial institutions to identify and verify the beneficial owners of legal entity customers — individuals who own 25%+ or exercise significant control. (FinCEN CDD Final Rule)

CDD Four Core Elements

Corporate Transparency Act (CTA) — Beneficial Ownership Information (BOI)

Effective January 1, 2024, the Corporate Transparency Act requires most US companies (LLCs, corporations, etc.) to report beneficial ownership information directly to FinCEN. Note: In early 2025, BOI reporting was subject to court injunctions; consult FinCEN.gov for current status. (FinCEN BOI Rule)

AML Penalties — Historical Enforcement Actions

Verified data: from FinCEN/DOJ public enforcement records.

| Institution | Year | Fine | Violation |
| --- | --- | --- | --- |
| HSBC | 2012 | $1.9 billion | Laundered $881M for drug cartels; failed SAR filing; Iran sanctions violations |
| Deutsche Bank | 2017 | $630 million | Russian mirror trading scheme; $10B in suspicious equities transactions |
| Western Union | 2017 | $586 million | Anti-money laundering failures; willfully failed to maintain effective AML program |
| BitMEX | 2021 | $100 million | Failure to implement required BSA/AML program; KYC failures for crypto exchange |
| Binance | 2023 | $4.3 billion | BSA/AML failures; OFAC sanctions violations; failure to file SARs |

Source: FinCEN enforcement actions, DOJ press releases, and FinCEN/CFTC published settlement documents.

AML / KYC Compliance Checklist

AI-estimated: based on the FinCEN BSA examination manual and FFIEC guidelines.
This checklist reflects BSA/AML program requirements for US financial institutions. Non-bank financial institutions (NBFIs), crypto businesses, and international entities may have different requirements.

How to Build an AML Compliance Program — Step by Step

Whether you're building an AML program from scratch or strengthening an existing one, these are the seven required elements under FinCEN guidance and the BSA examination manual. (FFIEC BSA/AML Manual)

  1. Conduct an Enterprise-Wide BSA/AML Risk Assessment. Assess money laundering risks across your products, customers, services, and geographies. Document it. Review at minimum annually. This drives everything downstream — the intensity of your monitoring, your CDD thresholds, your training focus.
  2. Appoint a Designated BSA Compliance Officer. Must have sufficient authority, resources, and independence. Cannot be a perfunctory title — examiners will test whether this person actually manages the program. Board approval or acknowledgment is standard practice.
  3. Write Board-Approved BSA/AML Policies and Internal Controls. Cover CIP, CDD, transaction monitoring, SAR/CTR procedures, record retention (5 years), and escalation paths. Must be reviewed and approved by the board or a senior committee at least annually.
  4. Implement Customer Identification Program (CIP) and CDD. Verify customer identity at onboarding using documents (passport, driver's license) or non-documentary methods. Collect beneficial ownership for legal entity customers (any individual with ≥25% ownership, plus one control person). Assign risk ratings. Conduct ongoing monitoring.
  5. Deploy Risk-Based Transaction Monitoring. Implement automated monitoring calibrated to your risk assessment. Document alert thresholds and the rationale for them. Investigate alerts in a timely manner and document outcomes. Retention: 5 years minimum.
  6. Conduct Annual AML Employee Training. Train all applicable staff on red flags, tipping-off prohibition, and institution-specific procedures. Document completion. New employee training should occur within 30 days of hire.
  7. Perform Independent Annual Testing of the BSA/AML Program. Must be conducted by qualified internal audit or an external firm. Must cover policy adequacy, training completion, CDD quality, monitoring calibration, and SAR/CTR accuracy. Address all findings. Testing independence from BSA function is required.


Frequently Asked Questions

What are AML program requirements?
AML program requirements under the Bank Secrecy Act include five mandatory pillars: (1) written internal controls approved by the board, (2) a designated BSA Compliance Officer, (3) ongoing annual employee training, (4) independent annual program testing, and (5) Customer Due Diligence (CDD) including beneficial ownership. Additional operational requirements include transaction monitoring, SAR filing for suspicious transactions over $5,000, CTR filing for cash transactions over $10,000, and 5-year record retention for all BSA records.
What is KYC AML compliance?
KYC (Know Your Customer) AML (Anti-Money Laundering) compliance refers to the combined set of obligations financial institutions must meet to prevent illicit finance. KYC covers the customer onboarding phase: identity verification, risk classification, and understanding the customer's expected transaction behavior. AML is the broader operational program: transaction monitoring, red flag detection, SAR/CTR filing, and employee training. Together, KYC AML compliance is required under the Bank Secrecy Act for banks, credit unions, broker-dealers, MSBs, insurance companies, and other covered financial institutions.
Do cryptocurrency exchanges need BSA/AML programs?
Yes. FinCEN has clarified since 2013 that money services businesses (MSBs) engaging in virtual currency exchange or transmission must register with FinCEN and implement BSA/AML programs — including CIP, SAR filing, and CTR filing. The 2023 Binance settlement for $4.3 billion underscores enforcement severity in the crypto space.
What is the difference between AML and CFT?
AML (Anti-Money Laundering) focuses on preventing profits of crime from entering the financial system. CFT (Countering the Financing of Terrorism) addresses preventing funds from reaching terrorist organizations. While distinct legal frameworks exist, in practice compliance programs address both together — referred to as AML/CFT. The FATF 40 Recommendations cover both.
What is a Politically Exposed Person (PEP)?
A PEP is a current or former senior government official, political party official, or closely associated individual who presents elevated corruption and money laundering risk. US banks must apply enhanced due diligence (EDD) to PEPs and their immediate family members and close associates. FATF defines the PEP standard internationally.
What is FATF and how does it affect US compliance?
The Financial Action Task Force (FATF) is an intergovernmental body that sets international AML/CFT standards through its 40 Recommendations. Countries on the FATF "grey list" or "black list" require enhanced due diligence from US financial institutions when processing transactions from those jurisdictions. The US is a founding FATF member; US laws substantially implement the 40 Recommendations.
