AML Regulations in the USA: Everything You Should Know as a Business Owner

Since 2002, more than 38 institutions in the USA have reached settlements or pleaded guilty over non-compliance with AML regulatory requirements and paid substantial fines.


The Federal Deposit Insurance Corporation (FDIC) issued Apple Bank a civil penalty of USD 12.5 million for violations of the Bank Secrecy Act (BSA). It was also reported that Apple Bank failed to comply with an FDIC consent order relating to the BSA anti-money laundering (AML) breaches.

The New York Department of Financial Services (NYDFS) fined a money transmitter company USD 8.25 million for failing to adequately supervise its local agents, which resulted in the processing of an unusual volume of suspicious transactions.

In the United States of America (USA), the financial institutions and non-financial businesses that are required to comply with AML regulations are supervised by the Financial Crimes Enforcement Network (FinCEN), which aims to safeguard the financial system from money laundering by receiving, analyzing, and disseminating financial data for law enforcement purposes.

This article provides an overview of the AML compliance requirements in the USA, to help you avoid possible fines and penalties for AML regulatory non-compliance.

What are the money laundering regulations in the USA?

In the USA, the AML requirements are prescribed by significant laws and regulations to combat the risks of money laundering and terrorist financing. These laws and regulations are as follows:

Bank Secrecy Act 1970 (BSA)

The Bank Secrecy Act of 1970 (BSA) is one of the most significant AML laws and regulations in the US, which was substantially amended by the Patriot Act in 2001, and provides the basis for most of the preventative measures applied to the financial sector and other businesses. It was intended to prevent the use of secret foreign bank accounts and assist law enforcement agencies by legislating for regulatory reporting and record keeping by financial institutions.

The USA Patriot Act

The USA Patriot Act, or just the ‘Patriot Act’, was signed by President George W. Bush on 26 October 2001, barely seven weeks after the September 11 terrorist attacks. The Patriot Act has had far-reaching consequences for financial institutions both within the US and throughout the world, and it made several significant enhancements to pre-existing US AML legislation, including obligations concerning customer due diligence (CDD) procedures for US private banking and correspondent bank accounts involving non-US persons. It introduced the need for financial institutions to have customer identification programs (CIPs) for new customers and specified enhanced due diligence (EDD) measures for correspondent banking and private banking customers.

Money Laundering Control Act of 1986

The Money Laundering Control Act prohibits individuals from engaging in financial transactions with proceeds generated from “specified unlawful activities” (SUAs). Under the law, a financial transaction includes passing money from one person to another, so long as it is done with the intent to disguise the source, ownership, location, or control of the money.

Who regulates AML in the USA?

Several law enforcement authorities supervise the AML regime in the USA, including:

Financial Crimes Enforcement Network (FinCEN):

The Financial Crimes Enforcement Network (FinCEN), under authority delegated by the Secretary of the Treasury, regulates the AML regime together with the other primary federal regulators and self-regulatory organizations, such as the Financial Industry Regulatory Authority (FINRA) and the US Securities and Exchange Commission (SEC). FinCEN acts as the financial intelligence unit (FIU) for the US and supports law enforcement through the collection, analysis, and dissemination of information obtained through suspicious activity reports (SARs) and currency transaction reports (CTRs). It operates the Law Enforcement and Financial Institution Information Sharing system, which enables both the sharing of information among financial institutions and feedback to FinCEN.

Other US authorities that establish AML and CFT policy and strategy include:

Office of Foreign Assets Control:

Economic and trade sanctions are administered by the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury. OFAC’s sanctions lists help institutions screen out criminals and avoid the risk of onboarding them, which would lead to penalties and fines from regulatory authorities.

Who is subject to AML regulations in the USA?

There are different financial institutions and other non-financial businesses and professions which are subject to AML regulations in the USA. These institutions, businesses, and professions are as follows:

  • Banks
  • Broker-dealers in securities
  • Money Service Businesses (MSBs), including:
      • Money transmitters
      • Foreign exchange dealers
      • Issuers and sellers of traveler’s cheques
      • Issuers and sellers of money orders
  • Insurance companies
  • Dealers of precious stones, metals, or jewels
  • Casinos
  • Credit card operators
  • Non-bank mortgage originators and lenders
  • Real estate agents
  • Crypto exchanges

What are the AML compliance programs?

As institutions, including cryptocurrency businesses, are exposed to ML/TF risks, they need to implement appropriate AML compliance programs. Due to factors such as cross-border and non-face-to-face crypto asset transactions, cryptocurrency business activities involve a high degree of ML/TF risk.

In the USA, cryptocurrency exchanges must comply with the Bank Secrecy Act (BSA) AML requirements and register with FinCEN, to combat money laundering and terrorism financing. AML/CFT compliance requirements may vary depending on the volume of cryptocurrency business, the nature and type of customers, and the jurisdictions involved. The management or owners of cryptocurrency exchanges are required to establish and implement relevant and appropriate AML compliance programs to counter existing and potential ML/TF risks.

How to get compliant with US AML regulations?

Financial institutions and other non-financial businesses and professions that fall under the AML regime are required to follow these broad AML procedures to avoid the risks of money laundering and terrorist financing:

Performing ML/TF risk assessment

Performing a money laundering and terrorist financing (ML/TF) risk assessment is one of the important AML regulatory requirements; it helps institutions, non-financial businesses, and designated professions understand the risks they face. ML/TF risks are identified through understanding:

  • clients or customers
  • products and services offered to customers or clients
  • delivery channels used to deliver services
  • company or business jurisdiction/s
  • nature and type of transactions

ML/TF risks are increased by non-face-to-face dealing with customers. The online onboarding process increases the risk of onboarding criminals because they may be able to bypass the controls. Ineffective due diligence measures and controls allow criminals to exploit financial systems by using fake documents for verification and onboarding. The online verification and onboarding process requires the use of techniques such as NFC-based verification and facial recognition of customers, which may reduce ML/TF risks to some extent.

Smaller institutions, non-financial businesses, or designated professions that offer simple products or services and have no international exposure may not need to perform an extensive ML/TF risk assessment. However, the ML/TF risk assessment process identifies the current and potential risks faced by an institution, which enables the development and implementation of relevant AML controls and systems to prevent the onboarding of criminals and the imposition of fines by regulatory authorities.

Development of a risk-based AML compliance program

Once the organization has performed the ML/TF risk assessment, an appropriate AML compliance program is developed based on the assessment results, considering the applicable AML legislative and regulatory requirements. The ML/TF risks identified are accounted for through an effective risk-based compliance program, which is approved by the board of directors and supervised by AML officers. The board-approved risk-based compliance program is implemented at all levels by management and employees.

Customer Due Diligence and Identification Program

Performing appropriate customer due diligence (CDD) measures is one of the core requirements of the AML regime, to prevent the onboarding of criminals, including money launderers and terrorists. CDD requires identification and verification of customers and their beneficial owners (for entities, if any) before opening accounts and establishing business relationships. The CDD process requires institutions and businesses to:

  1. identify and verify the customers.
  2. identify and verify the beneficial owners of corporates or companies.
  3. understand the nature and purpose of accounts or relationships.
  4. develop customer risk profiles.
  5. conduct ongoing monitoring to identify and report suspicious transactions.
  6. maintain and update customer information on an ongoing basis.

A customer is identified and verified by obtaining initial information, including name, national ID card/passport, photo, residential address, registered business address, details of the beneficial owner (for a company or corporate customer), the purpose of opening the account, source of income/funds, etc. The information obtained is verified against reliable sources, and customers are screened against sanctions lists, including the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list and Consolidated Sanctions list.

CDD is an ongoing process, applied to identify, screen, and verify customers both before and after onboarding, to establish and maintain relevant customer risk profiles at all times. This also helps to address the high ML/TF risks posed by high-risk category customers and transactions, for which enhanced due diligence (EDD) measures are required.

Designation of a compliance officer and Transactions Monitoring

To ensure that AML regulatory requirements are complied with, a compliance officer is hired who works as a subject matter expert to implement the compliance program and provide day-to-day assistance and advice to employees.

AML compliance officers hold a senior management position in financial institutions, and they report to the chief executive officer (CEO) on matters and issues related to the implementation of the AML compliance program and the identification of money laundering and terrorist financing risks.

Compliance officers are usually certified compliance professionals or degree holders in law with a specialty in the AML regulatory regime. One of the best anti-money laundering certifications in the United States is the “Certified Anti-Money Laundering Specialist” (CAMS), which is a global standard in AML certifications.

The compliance officer develops and implements the compliance program, allied policies, and procedures considering the nature and complexity of the business, operations, delivery channels, and the laws of the jurisdictions.

The compliance officer ensures that CDD measures are applied for all high-risk category accounts and they are approved by senior management, before onboarding. The compliance officer monitors customers’ transactions and activities periodically, considering the relevant risk profiles and transaction thresholds. Suspicious transactions are identified, investigated, and reported to the regulatory authority.

Independent testing of the AML program and activities

To assess the effectiveness of the AML system and processes, independent testing is to be performed by AML subject matter experts, who may be external third parties. Independent testing highlights the strong and weak AML processes and controls, which are addressed by enhancing the operating effectiveness of AML controls. The whole process contributes to reducing the ML/TF risks and potential fines and penalties by regulatory authorities.


To comply with applicable AML regulatory requirements on an ongoing basis, employees need AML training. Training helps avoid the risk of misinterpreting regulatory requirements and provides a roadmap for employees who are required to perform due diligence measures and onboard customers.

Employees responsible for customer onboarding, monitoring transactions, and performing compliance reviews are encouraged by institutions to enroll in globally accepted, professional AML certification programs, such as Certified Anti-Money Laundering Specialist (CAMS). Other courses are designed to educate employees about specific AML compliance requirements, such as the applicable AML regulatory requirements prescribed by the BSA, and these training courses are offered by different institutions for corporate employees. The purpose of training is to enable employees to demonstrate a commitment to a standardized risk-based approach to AML and to protect the institution from ML/TF risks.

Institutions perform training needs assessments regularly to identify the training needs of employees, and training sessions are planned and arranged accordingly, under the supervision of the compliance officer.

Ongoing compliance monitoring

Ongoing and periodic compliance reviews help to identify weaknesses and lapses in AML processes and controls. The compliance officer and AML team identify control weaknesses or issues in areas such as the customer identification process, the screening and onboarding process, verification of ultimate beneficial owners (UBOs), establishing customer risk profiles, the performance of appropriate ML/TF risk assessments, setting transaction thresholds, monitoring of transactions, and the investigation and closure of alerts.

AML regulatory non-compliances identified during a particular period are reviewed by the compliance officer. Significant AML issues and non-compliances are shared with management for review and appropriate remediation.

The process must be highly automated and resilient to possible sanctions list accessibility and connectivity issues.

Record retention

Record retention is one of the core requirements of AML regulations. AML records are of different types, including records of customer due diligence (CDD/EDD), transaction alerts generated, investigations performed and their conclusions, suspicious transactions/activities identified and reported to FinCEN, AML training sessions, compliance reviews, and testing results. Records are required to be maintained in an appropriate form and manner for the specified period.

What other sanctions can be imposed by regulatory authorities?

In addition to imposing monetary penalties on institutions and businesses, and on their directors, officers, and employees, for non-compliance with applicable AML regulatory requirements, FinCEN may impose a wide range of other undertakings. These include the hiring of qualified independent third parties to perform certain AML functions, such as reviewing transactions and identifying previously unreported suspicious transactions.