How Anti-Money Laundering (AML) Works
Anti-money laundering compliance is not a single action but an ongoing programme of interlocking controls. Payment businesses must build systems that catch suspicious activity at every stage of the customer lifecycle — from onboarding through to ongoing transaction monitoring. The following steps outline how a modern AML programme operates in practice.
Customer Risk Assessment
Before accepting a customer, a business must assess their money-laundering risk. This involves know-your-customer checks: collecting identity documents, verifying them against authoritative sources, and screening the individual or entity against sanctions lists and adverse media. The outcome determines the level of ongoing scrutiny applied to the account.
Customer Due Diligence (CDD)
Customer due diligence translates the risk assessment into concrete verification steps. Standard CDD applies to most customers; enhanced due diligence (EDD) is required for high-risk relationships such as politically exposed persons, customers from high-risk jurisdictions, or unusual business structures. CDD must be refreshed periodically — not just at onboarding.
Transaction Monitoring
Every payment flowing through the system is analysed against rules and machine-learning models looking for anomalies. Red flags include rapid fund movements inconsistent with customer profile, structuring (breaking large sums into smaller deposits to avoid thresholds), high-velocity transactions to unrelated counterparties, and payments routed through high-risk geographies.
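To make the structuring red flag above concrete, here is an added Python example (not code from the original article) that runs a sliding-window structuring rule over a constructed set of deposits. The reporting threshold, the "just under" ratio and the 48-hour window are assumed values that a real programme would calibrate to its own customer base.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample deposits (customer_id, ISO timestamp, amount in EUR); not real data.
SAMPLE_DEPOSITS = [
    ("cust-A", "2024-03-01T09:10:00", 9_500.0),
    ("cust-A", "2024-03-01T14:40:00", 9_800.0),
    ("cust-A", "2024-03-02T08:05:00", 9_700.0),
    ("cust-B", "2024-03-01T10:00:00", 12_000.0),  # above threshold: reportable as-is, not structuring
    ("cust-C", "2024-03-01T11:00:00", 2_000.0),   # small and spread out: no pattern
    ("cust-C", "2024-03-03T11:00:00", 2_500.0),
]

REPORTING_THRESHOLD = 10_000.0  # assumed single-transaction reporting threshold
NEAR_THRESHOLD_RATIO = 0.8      # assumed: deposits at >= 80% of the threshold count as "just under"
WINDOW = timedelta(hours=48)    # assumed look-back window
MIN_COUNT = 2                   # assumed minimum number of near-threshold deposits


def find_structuring(deposits, threshold=REPORTING_THRESHOLD, window=WINDOW,
                     near_ratio=NEAR_THRESHOLD_RATIO, min_count=MIN_COUNT):
    """Return {customer_id: alert} for customers whose near-threshold deposits, taken
    together inside one sliding window, add up to at least the reporting threshold.
    The alert kept per customer is the widest run seen (most deposits)."""
    by_customer = defaultdict(list)
    for cust, ts, amount in deposits:
        # Only deposits that sit just under the threshold are candidates for structuring.
        if near_ratio * threshold <= amount < threshold:
            by_customer[cust].append((datetime.fromisoformat(ts), amount))

    alerts = {}
    for cust, rows in by_customer.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the run fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            run = rows[start:end + 1]
            total = sum(a for _, a in run)
            if len(run) >= min_count and total >= threshold:
                prev = alerts.get(cust)
                if prev is None or len(run) > prev["count"]:
                    alerts[cust] = {"first": run[0][0].isoformat(), "last": run[-1][0].isoformat(),
                                    "count": len(run), "total": round(total, 2)}
    return alerts
```

A hit is an alert for an analyst to investigate, not a SAR by itself; the customer's profile and the legitimacy of the funds still decide the outcome.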
Suspicious Activity Reporting
When a transaction or customer behaviour cannot be explained by legitimate means, compliance teams must file a suspicious activity report (SAR) with the relevant financial intelligence unit. This is a legal obligation in most jurisdictions. Tipping off the customer that a SAR has been filed is itself a criminal offence.
Record-Keeping and Audit Trail
AML regulations require businesses to retain transaction records, identity documents, and internal investigation notes for a minimum period — typically five to seven years depending on jurisdiction. These records must be available to regulators on request and are essential evidence in any subsequent prosecution.
Governance, Training, and Testing
A compliant AML programme requires a nominated Money Laundering Reporting Officer (MLRO), regular staff training, and independent audits. Regulators assess not just whether controls exist on paper, but whether they are genuinely embedded in day-to-day operations and are effective in practice.
Why Anti-Money Laundering (AML) Matters
The scale of money laundering is enormous, and the payment industry sits at the centre of most schemes. Understanding the stakes is essential context for any merchant or payment professional building compliance infrastructure.
The United Nations Office on Drugs and Crime estimates that between 2% and 5% of global GDP — approximately $800 billion to $2 trillion — is laundered annually. Yet fewer than 1% of illicit funds are seized and frozen by authorities, which means the burden on private-sector compliance programmes to act as the first line of defence is immense.
Regulatory enforcement has intensified sharply in recent years. Global AML fines against financial institutions exceeded $5 billion in 2023 alone, according to Fenergo's annual financial crime report. Payment service providers and fintechs now account for a growing share of enforcement actions as regulators extend scrutiny beyond traditional banks. In the EU, the new Anti-Money Laundering Authority (AMLA) — set to be fully operational by 2027 — will have direct supervisory powers over high-risk obliged entities across member states, creating a single enforcement standard for the first time.
FATF's Role
The Financial Action Task Force (FATF) is the intergovernmental body that sets global AML standards. Its 40 Recommendations form the basis of AML legislation in over 200 jurisdictions. FATF's mutual evaluation process — where countries review each other's compliance — creates significant pressure to implement and enforce robust frameworks.
Anti-Money Laundering (AML) vs. Counter-Terrorist Financing (CTF)
AML and CTF are closely related but address distinct threats. Most regulators combine them under a single "AML/CTF" framework, but the underlying objectives and methodologies differ in important ways.
| Dimension | Anti-Money Laundering (AML) | Counter-Terrorist Financing (CTF) |
|---|---|---|
| Primary goal | Detect proceeds of crime entering the financial system | Prevent funds reaching terrorist organisations |
| Direction of money flow | Illicit → legitimate (laundering) | Legitimate → illicit (financing) |
| Transaction size | Often large, structured to avoid detection | Often small — terrorists may move minimal amounts |
| Source of funds | Illegal activity (drugs, fraud, corruption) | Can be entirely legal (donations, businesses) |
| Key detection method | Behavioural anomalies, high-value thresholds | Sanctions screening, network analysis |
| Reporting obligation | Suspicious Activity Report (SAR) | SAR + immediate sanctions obligations |
| Regulatory overlap | FATF Recommendations, EU AML Directives | FATF Special Recommendations, UN Resolutions |
Both regimes require the same foundational controls — identity verification, monitoring, and reporting — which is why they are typically addressed in a combined compliance programme.
Types of Anti-Money Laundering (AML) Controls
AML compliance encompasses several distinct categories of control, each targeting a different vulnerability in the financial system.
Preventive controls stop suspicious actors from entering the system in the first place. These include sanctions screening at onboarding, negative news checks, and PEP screening. The goal is to refuse relationships that pose unacceptable risk before any transaction occurs.
Detective controls identify suspicious activity that has already entered the system. Transaction monitoring rules, anomaly detection models, and peer-group analysis fall into this category. Effective detective controls require calibration to the specific customer base — rules tuned for a B2B SaaS platform will look very different from those designed for a consumer remittance service.
Responsive controls govern what happens when suspicious activity is detected. These include the SAR filing process, account restriction procedures, and escalation pathways to law enforcement. The speed and accuracy of the response matters significantly to regulators — a slow or incomplete SAR can itself constitute a compliance failure.
Governance controls provide the overarching framework: the MLRO role, board-level risk appetite statements, independent audit, and regulatory reporting. Regulators assess the entire governance stack, not just the technology.
Best Practices
For Merchants
Merchants operating in higher-risk sectors — digital goods, travel, gaming, or cross-border services — face heightened AML scrutiny from their acquiring banks and payment service providers. Building good compliance habits reduces friction at every stage.
- Know your own risk profile. Understand why your business model may attract money laundering risk: high average order values, cross-border transactions, anonymous payment methods, or refund abuse are all red flags for acquirers. Proactively document your controls.
- Collect and verify customer information proportionately. You don't always need the same level of identity verification for every transaction, but high-value or high-risk purchases may warrant additional checks. Build this into your checkout flow without creating unnecessary friction for low-risk customers.
- Monitor for suspicious refund and chargeback patterns. Money laundering through merchant accounts often involves fraudulent purchases, refunds to a different payment method, or systematic return schemes. Anomalous refund rates should trigger internal review.
- Maintain clean transaction records. Your acquirer or PSP may request evidence of specific transactions during a regulatory review. Structured, accessible records protect you and speed up any investigation.
For Developers
Developers building payment systems carry direct responsibility for the technical controls that underpin AML compliance. Architecture decisions made early have lasting consequences.
- Build monitoring as a first-class feature, not an afterthought. Transaction monitoring requires clean, structured event streams. Design your data model to capture counterparty details, payment purpose, and channel metadata from day one — retrofitting this is expensive.
- Implement real-time sanctions screening at the API layer. Sanctions lists change daily. Your screening service must be called at transaction initiation, not just at customer onboarding. Batch screening overnight is not sufficient for most payment use cases.
- Use risk scoring to route transactions, not just block them. Binary block/allow decisions produce too many false positives. A tiered risk score allows low-risk transactions to pass seamlessly while routing higher-risk ones to manual review or step-up authentication.
- Ensure your audit log is tamper-evident. Regulators need to verify that records have not been altered. Append-only logs, cryptographic hashing, or purpose-built compliance data stores provide the necessary guarantees.
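As an added illustration of the tamper-evident audit log in the last point (example code, not the article's or any vendor's implementation), the following Python keeps an in-memory append-only log in which every entry commits to the SHA-256 digest of the entry before it. Editing or deleting any earlier record breaks the chain, and verify() reports the first sequence number at which it breaks. The in-memory list and the sample alert records are assumptions for illustration; a production store would persist entries and anchor the latest digest somewhere the application cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry's hash covers its payload and the previous hash."""

    def __init__(self):
        self.entries = []  # each entry: {"seq", "payload", "prev_hash", "hash"}

    def append(self, payload: dict) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "payload": payload,
                 "prev_hash": prev_hash, "hash": _digest(prev_hash, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every link. Returns (True, None) if intact, else (False, first_bad_seq)."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != expected_prev:
                return False, i          # a deleted or reordered entry
            if _digest(expected_prev, e["payload"]) != e["hash"]:
                return False, i          # an edited payload
            expected_prev = e["hash"]
        return True, None


def demo():
    """Build a small log of constructed alert-handling events, then silently edit the
    closure rationale of one entry and show that verify() catches it."""
    log = AuditLog()
    log.append({"event": "alert_opened", "alert_id": "ALRT-1", "analyst": "a.smith"})
    log.append({"event": "alert_closed", "alert_id": "ALRT-1", "rationale": "documented payroll run"})
    log.append({"event": "sar_filed", "alert_id": "ALRT-2"})
    ok_before, _ = log.verify()
    log.entries[1]["payload"]["rationale"] = "edited after the fact"  # the tampering
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq
```

Re-hashing the edited entry does not help the tamperer either: entry 2 still carries the old prev_hash, so verification fails one step later.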
Common Mistakes
Even well-intentioned compliance programmes frequently fail in predictable ways. These are the most common errors seen in payment businesses facing regulatory action.
Treating AML as a one-time onboarding check. Customer risk profiles change. A business that was low-risk at signup may become high-risk following changes in ownership, geography, or transaction patterns. AML programmes must include periodic re-screening and ongoing monitoring, not just upfront verification.
Over-relying on rules-based transaction monitoring. Static rules — flag any transaction over €10,000, flag more than five transactions per day — are easy for sophisticated launderers to circumvent. Effective programmes layer rules with behavioural models that detect deviation from a customer's own historical patterns.
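The following added Python example (not from the original article) contrasts the static "over €10,000" rule with a per-customer behavioural baseline: a transaction is flagged when it sits more than an assumed three standard deviations above that customer's own historical mean. The sample histories, the z-score limit and the minimum history length are constructed assumptions for illustration.

```python
import statistics

STATIC_THRESHOLD = 10_000.0  # the "flag anything over €10,000" rule from the text
Z_LIMIT = 3.0                # assumed: flag amounts more than 3 std devs above the customer's mean
MIN_HISTORY = 5              # assumed: transactions needed before a baseline is trusted

# Constructed sample histories of past transaction amounts in EUR per customer; not real data.
HISTORY = {
    "cust-retail": [120.0, 95.0, 130.0, 110.0, 101.0, 125.0],
    "cust-wholesale": [8_200.0, 9_100.0, 7_900.0, 8_800.0, 9_400.0, 8_500.0],
}


def static_rule(amount: float) -> bool:
    """Fixed threshold: trivially avoided by keeping every transaction under it."""
    return amount > STATIC_THRESHOLD


def behavioural_rule(history, amount, z_limit=Z_LIMIT, min_history=MIN_HISTORY):
    """Flag when `amount` deviates from this customer's own history by more than z_limit
    standard deviations. Returns (flagged, z); z is None when history is too short."""
    if len(history) < min_history:
        return False, None
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) or 1.0  # guard against a perfectly flat history
    z = (amount - mean) / sd
    return z > z_limit, round(z, 2)


def screen(customer: str, amount: float, history=HISTORY) -> dict:
    """Run both rules so the analyst sees which layer raised the alert."""
    static_hit = static_rule(amount)
    behav_hit, z = behavioural_rule(history.get(customer, []), amount)
    return {"customer": customer, "amount": amount,
            "static": static_hit, "behavioural": behav_hit, "z": z}
```

For the constructed data, a EUR 4,500 payment from cust-retail passes the static rule yet is far outside that customer's baseline, while EUR 9,800 from cust-wholesale is under the threshold and within its normal range, so neither layer fires.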
Failing to calibrate for the actual customer base. A monitoring system built on generic thresholds will generate excessive false positives for legitimate high-volume merchants and miss suspicious activity that stays below those generic thresholds. Calibration requires statistical analysis of your actual transaction population.
Inadequate documentation of risk decisions. Regulators expect to see not just that a decision was made, but why. Compliance teams that cannot produce written rationale for why a suspicious alert was closed without filing a SAR are exposed in any audit.
Siloing compliance from product and engineering. AML failures often originate in product decisions — launching a new payment method, entering a new market, or changing onboarding flows — without compliance review. The MLRO must have visibility into product roadmaps and a formal sign-off process for changes that affect the risk profile.
Anti-Money Laundering (AML) and Tagada
Tagada is a payment orchestration platform that routes transactions across multiple processors, acquirers, and payment methods. Because orchestration sits at the intersection of multiple financial flows and counterparties, AML considerations are directly relevant to how payment routing is configured and monitored.
AML-aware orchestration
When building payment flows on Tagada, define routing rules that account for the AML risk profile of specific payment methods, geographies, and transaction sizes. For example, routing high-value transactions through processors with stronger fraud and AML tooling, or applying additional verification steps for payments originating from high-risk jurisdictions, reduces your aggregate compliance exposure. Tagada's routing logic can be combined with your own risk scoring layer to create a unified AML-aware payment stack.