Anti-Money Laundering (AML): Definition and Use in Compliance

What is Anti-Money Laundering (AML)?

Anti-Money Laundering (AML) is the body of laws, regulations, and procedures financial institutions must follow to detect, prevent, and report the conversion of illegally obtained funds into apparently legitimate income. The global estimate from FATF puts the annual volume of laundered money at $800 billion to $2 trillion, roughly 2–5% of global GDP.

Money laundering moves through three sequential stages. Placement is the entry point: criminal proceeds enter the financial system through cash deposits, monetary instruments, or payments through a front business. Layering follows: the funds move through wire transfers, currency conversions, or securities transactions to obscure their origin. At integration, the money re-enters the economy looking clean, typically invested in real estate, luxury goods, or a legitimate business.

AML programs disrupt each stage. Detection at placement often means identifying structured cash deposits. At the layering stage, it means recognizing unusual transaction patterns that don't fit the customer's profile. At integration, it means understanding who actually controls an account, which brings in Ultimate Beneficial Owner (UBO) verification.

The framework isn't optional and it isn't new. The US Bank Secrecy Act of 1970 is the foundational statute. The Financial Action Task Force (FATF), established in 1989, sets the international standards that over 200 jurisdictions have committed to implementing. The EU has issued six Anti-Money Laundering Directives; the sixth, in force since 2021, harmonized predicate offenses across member states and extended criminal liability to legal persons.

Non-compliance carries real costs. HSBC paid $1.9 billion to US authorities in 2012 for AML failures tied to drug cartel transactions. Standard Chartered paid $1.1 billion in 2019. Both cases resulted in deferred prosecution agreements and years of enhanced supervision. Regulators have made clear since then that they'll also pursue individual officers, not just institutions.

How is Anti-Money Laundering (AML) used in practice?

The operational reality of AML is a layered set of workflows running across multiple functions simultaneously.

Onboarding is where AML starts. Before a customer relationship begins, compliance teams complete Customer Due Diligence (CDD): verifying identity, understanding the expected nature of the relationship, and assigning a risk rating. Customers with elevated risk profiles, including Politically Exposed Persons (PEPs) and entities with complex ownership, require Enhanced Due Diligence (EDD) before the relationship can proceed.

Transaction monitoring runs after onboarding. Detection systems generate alerts when customer activity deviates from its established baseline or matches a known typology. At a large bank, this can mean 50,000 to 100,000 alerts per month, with a true positive rate below 1%. Analysts review each alert, document their reasoning, and escalate when they identify activity that can't be explained by normal behavior.

Escalated cases go to the Money Laundering Reporting Officer (MLRO), who decides whether to file a Suspicious Activity Report (SAR). In the US, the parallel function is the BSA Officer, and the report goes to FinCEN.

Cash transactions above $10,000 trigger a mandatory Currency Transaction Report (CTR), regardless of whether they appear suspicious.

At the governance level, the MLRO reports to the board on program health: alert volumes, SAR rates, model performance, and training completion. Regulators expect documented board-level oversight. Annual independent testing reviews whether controls are working as designed, including model validation and CDD file sampling.

We've seen banks with strong onboarding controls but weak monitoring. The two functions depend on each other. An accurate customer risk rating means little if the monitoring system can't act on it.

Anti-Money Laundering (AML) in regulatory context

AML regulation sits on two tiers: international standards from FATF and national legislation that implements those standards within each jurisdiction.

FATF's 40 Recommendations are the global template. They cover customer due diligence, record-keeping, suspicious transaction reporting, and governance requirements. Countries are assessed against these through mutual evaluations. Failure to meet them puts a jurisdiction on the FATF Grey List, which triggers heightened scrutiny from correspondent banks worldwide and can effectively raise the cost of cross-border transactions. Persistent failures risk FATF Black List designation.

In the US, the Bank Secrecy Act, amended by the USA PATRIOT Act (2001) and the Anti-Money Laundering Act of 2020, is the primary statute. FinCEN administers it. Examination and enforcement fall to sector-specific regulators: OCC for national banks, the Federal Reserve for bank holding companies, FDIC for state-chartered non-member banks. The 2020 Anti-Money Laundering Act was the most substantial BSA reform in decades: it established national AML/CFT priorities, strengthened whistleblower protections, and expanded FinCEN's authorities to gather beneficial ownership data.

In the EU, six Anti-Money Laundering Directives have progressively tightened requirements since 1991. A new EU Anti-Money Laundering Authority (AMLA) will begin directly supervising the highest-risk obliged entities from 2025. The UK applies the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, overseen by the FCA and HMRC.

AML connects directly to Counter-Financing of Terrorism (CFT). Most frameworks treat these together. The risk-based approach runs through all of them: institutions focus their resources on the highest-risk customers, products, and geographies rather than applying identical controls to everything.

Common challenges and how to address them

Four problems appear consistently across AML programs, regardless of institution size.

Alert fatigue. Transaction monitoring systems generate far more alerts than analysts can meaningfully review. At some banks, 95% of alerts close without a SAR. That's operationally costly, but the bigger risk is real suspicious activity getting buried in the noise. Threshold tuning and scenario redesign can reduce volume without sacrificing detection. Any change to a monitoring model requires validation and documentation, which adds time. That tradeoff is worth it.

Fragmented data. AML decisions require a unified customer view: account activity, ownership structure, adverse media, sanctions matches, and SAR history. Most institutions store this across five or more systems that don't communicate. Analysts manually reconcile fragments, which adds latency and creates gaps. Data integration projects are expensive and slow, but the return is measurable in reduced investigation time and fewer regulatory findings.

Beneficial ownership gaps. Identifying the Ultimate Beneficial Owner of a corporate customer with a layered structure across three jurisdictions is genuinely hard. FinCEN's 2024 Corporate Transparency Act reporting requirements shift some verification burden to the entities themselves, but banks still own the obligation to verify what they're told. Automated entity resolution tools help. Human judgment remains essential at complex structures.

Model drift. A transaction monitoring model calibrated in 2020 reflects 2020 typologies and customer behavior. Both change. A model that performed well at launch can degrade quietly without anyone noticing until regulators flag it. Model monitoring and periodic model validation are baseline expectations under FinCEN's guidance and the Federal Reserve's SR 11-7 supervisory letter on model risk management, not optional enhancements.

Related terms and concepts

AML is the program. Several more specific terms define what it consists of and where it connects to adjacent disciplines.

Know Your Customer (KYC) is the identification component of AML. Before monitoring can be meaningful, the institution needs to know who it's dealing with, what their normal activity looks like, and who actually controls the account. For corporate customers, Know Your Business (KYB) extends this to understanding ownership structure and beneficial control.

Counter-Financing of Terrorism (CFT) runs alongside AML in almost every regulatory framework. AML targets proceeds of past crimes. CFT targets funds moving toward future harm. Detection challenges differ because terrorist financing often involves small amounts with legitimate-looking sources, but reporting obligations overlap substantially.

Sanctions screening is operationally integrated with AML but legally distinct. A match on the SDN list or an OFAC-designated entity isn't a SAR decision. It's a legal prohibition. Compliance teams handle these through connected but separate workflows.

Trade-Based Money Laundering (TBML) is a typology that standard transaction monitoring frequently misses. It involves manipulating invoice values or descriptions in international trade to move value across borders. Catching it requires trade finance, compliance, and customs data to work together. Most banks have those functions siloed.

Smurfing and structuring are the most common placement-stage patterns. Money mule accounts and mule networks are the infrastructure through which layering typically operates.

The Financial Crime Compliance (FCC) function in many banks now combines AML, sanctions, fraud prevention, and bribery controls under a single leadership structure. The discipline boundaries are blurring as criminals actively exploit the gaps between them.