Anti-money-laundering (AML) program
aml-program
Domain: payments
Type: mixed
Description
An anti-money-laundering program is the operational system that money services businesses, payment institutions, e-money issuers, and crypto-asset service providers run to detect and report financial-crime risk in real time. The program is not a document set; it is a working pipeline that ingests customer onboarding, runs ongoing transaction analysis, escalates anomalies, files suspicious-activity reports through the jurisdictional financial intelligence unit, retrains itself against emerging typologies, and submits to periodic independent testing. The documentation matters as evidence of the program's design and execution, but most enforcement actions in the space turn on operational failure (failure to file SARs that should have been filed, failure to monitor that allowed suspicious activity to go undetected) rather than documentation gaps.
The canonical five-pillar shape has converged across regimes. Customer due diligence at onboarding handles identity verification, beneficial-ownership identification for entity customers, and risk-rating that triggers enhanced due diligence for politically exposed persons and other high-risk profiles. Ongoing transaction monitoring runs both rules-based typology checks (structuring patterns, velocity anomalies, geographic-risk indicators) and, increasingly, machine-learning anomaly detection that supplements rather than replaces the rules. Suspicious-activity reporting funnels alerts through analyst review and, where the threshold is met, files SARs to the jurisdictional FIU (FinCEN in the US via the BSA E-Filing System, the NCA in the UK, the national FIUs in each EU member state). Staff training is proportional to role and is itself audited for completion. Independent testing audits the program annually or biennially, with scope covering both design adequacy and operational effectiveness.
The named compliance-officer or MLRO role deserves separate attention: the individual carries personal regulatory accountability for program adequacy and SAR-filing decisions, which makes the reporting line up to the board (rather than just to a CFO or general counsel) genuinely consequential, and most jurisdictions require the role to have unfettered access to senior management.
The statutory anchors define both the obligation and the supervisory architecture. The US Bank Secrecy Act (31 U.S.C. §§5311 to 5336 and 31 CFR Chapter X §1022.380) sets the four-pillar program shape for MSBs, with per-state Money Transmitter Acts layering state-level obligations on top. SAR thresholds sit at $2,000 with suspicion and CTR thresholds at $10,000 cash, and the AML Act 2020 plus the 2024 BOI reporting framework have recently expanded the scope. The EU 2024 AML package (Regulation 2024/1624, Directive 2024/1640 with AMLD6 effective 2027, and AMLA Regulation 2024/1620) consolidates and phases in direct EU-level supervision of the largest EMIs across 2026-2028; CASPs are obliged entities under MiCA (Regulation (EU) 2023/1114) and are subject to the Travel Rule under Regulation 2023/1113. The UK MLRs 2017 (SI 2017/692) layer with JMLSG Guidance, FCA examination cycles, HMRC supervision for lower-tier firms, and the Economic Crime Acts 2022 and 2023, which expanded operational scope materially. The Financial Action Task Force 40 Recommendations sit above all of these as the international floor most jurisdictions reference.
Applicability
Applies when: sector is fintech.
Required by (4 regulations)
- US MTL
Bank Secrecy Act four-pillar AML program (compliance officer, written policies, training, independent audit); SAR ≥$2K with suspicion / CTR >$10K cash; FinCEN BSA E-Filing System; AML Act 2020 + 2024 BOI reporting framework.
Bank Secrecy Act, 31 U.S.C. §§5311-5336; 31 CFR Chapter X; per-state Money Transmitter Acts
- EU EMD2
EU AML/CFT obliged-entity framework; 2024 AML Regulation (2024/1624) + Directive 2024/1640 (AMLD6 effective 2027) + AMLA Regulation 2024/1620; transition to direct EU-level supervision of largest EMIs phased 2026-2028.
Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009
- EU MiCA
CASPs as obliged entities under EU AML/CFT; Regulation 2023/1113 Travel Rule for crypto-asset transfers; 2024 AML package + AMLA centralized supervision phased 2026-2028; STR/CTR filing to Member State FIU.
Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023
- UK FCA Payments
UK MLRs 2017 + JMLSG Guidance; FCA examination cycles + HMRC MLR-supervisor for lower-tier firms; Economic Crime Acts 2022 + 2023 expanded the operational scope.
Payment Services Regulations 2017 (SI 2017/752); Electronic Money Regulations 2011 (SI 2011/99); FCA Handbook
Fulfilled by (3)
- comply-advantage · full · medium effort · $$
- sumsub · full · medium effort · $$
- In-house build · high effort
Magist does not accept payment from vendors.
Evidence formats
- AML policy
- risk assessment
- SAR filings
- training records
- independent test report