What is AML in banking and how does it work?
TL;DR
- FinCEN’s $1.3 billion TD Bank penalty is the largest ever on a US depository institution.
- TD Bank left trillions in transactions unmonitored and missed thousands of SARs.
- Criminals cycle money through placement, layering, and integration stages.
- FATF’s 40 Recommendations and the Bank Secrecy Act set the regulatory framework.
- Functional programs run five interlocking processes; a gap in any one creates exposure.
In October 2024, FinCEN assessed a $1.3 billion penalty against TD Bank, the largest fine ever levied against a US depository institution. The bank had allowed trillions of dollars in annual transactions to go unmonitored, missed thousands of Suspicious Activity Reports, and failed to act on known risks for more than a decade. That outcome was not a surprise. It was the predictable result of treating AML compliance as administrative overhead rather than a risk management function.
According to the UNODC, between 2% and 5% of global GDP flows through the money laundering cycle annually, an estimated $800 billion to $2 trillion. Banks sit at the centre of that problem, and regulators hold them responsible for catching the suspicious transactions that pass through their systems.
This article covers how AML works in banking, what the regulatory framework requires, and what separates programmes that withstand regulatory examination from those that generate enforcement actions.
How money laundering works in the banking system
Money laundering is the process of making illegally obtained funds appear to come from legitimate sources. Criminals cycle money through three stages, and a bank’s controls are designed to interrupt each one.
The three stages of money laundering
Money laundering has three stages. Placement is the first stage, where illicit cash enters the financial system through deposits, wire transfers, or trade-based transactions. Layering comes next, where funds are moved through a sequence of transactions to obscure their origin. Integration is the final stage, where cleaned money re-enters the economy as apparently legitimate income.
| Stage | What happens |
| --- | --- |
| Placement | Illicit cash enters via deposits, wires, or trade-based transactions |
| Layering | Funds move through transactions to obscure their origin |
| Integration | Cleaned money re-enters the economy as apparently legitimate income |
Banks face the greatest exposure at placement and layering. A single account used for funnel activity, a series of structured deposits just below the federal reporting threshold, or a shell company receiving unexplained transfers are the patterns AML controls are built to catch. The TD Bank case centred on exactly this kind of activity. Accounts showing consistent funnel behaviour had gone unmonitored because the bank’s automated controls were inadequately resourced. A broader look at banking sector AML penalties shows why underinvestment in detection infrastructure has become an expensive mistake.

AML regulatory requirements for banks
No bank operates outside a regulatory AML framework. Obligations vary by jurisdiction but share a common architecture rooted in international standards.
FATF recommendations and the risk-based approach
The FATF 40 Recommendations are the global standard for AML and counter-terrorist financing compliance. They require financial institutions to identify and assess money laundering risks, apply customer due diligence proportional to those risks, monitor transactions continuously, and report suspicious activity to the relevant financial intelligence unit. The risk-based approach is the cornerstone. Banks are expected to direct more scrutiny toward higher-risk customers and relationships, not to apply the same controls uniformly across every account regardless of the risk it presents. In the EU, the new Anti-Money Laundering Authority (AMLA) will directly supervise the highest-risk financial institutions from 2025 onward, adding a centralized enforcement layer on top of existing national frameworks.
Bank Secrecy Act requirements in the US
The Bank Secrecy Act requires US banks to maintain AML programs built on four minimum elements. These are internal policies and procedures, a designated compliance officer, an ongoing employee training program, and an independent audit function. Banks must also file Currency Transaction Reports for cash transactions above $10,000 and Suspicious Activity Reports for activity suggesting illicit finance, as required by FinCEN under the BSA. FinCEN’s review of TD Bank found failures across all four programme pillars, compounded by a backlog of unreviewed SARs that had accumulated over years of inadequate oversight.
Key components of AML compliance in banking
A functional AML program runs five interlocking processes. A gap in any one of them creates the kind of exposure that draws attention during regulatory examinations.
Customer due diligence and enhanced due diligence
Customer Due Diligence (CDD) covers collecting and verifying identity information before onboarding, and assessing the risk a customer presents. For higher-risk customers, including Politically Exposed Persons (PEPs), customers in high-risk jurisdictions, or entities with complex ownership structures, Enhanced Due Diligence (EDD) applies, requiring deeper investigation, source-of-funds review, and more frequent ongoing reviews of the relationship.
Sanctions screening, watchlist checks, and adverse media
Every new customer and most existing ones are screened against sanctions lists, PEP databases, and global watchlists, including those issued by OFAC, the UN Security Council, the EU, and HM Treasury. Adverse media screening runs alongside those checks, scanning news and legal databases for negative coverage that a structured list may not yet reflect.
The volume of watchlists in active circulation and the frequency with which they are updated make manual screening impractical for any institution processing more than a handful of new customers per week.
Transaction monitoring and SAR filing
Once a customer is onboarded, transaction monitoring runs continuously. Rules and machine learning models flag patterns that deviate from expected behaviour, including structuring, rapid movement between accounts, transfers to high-risk jurisdictions, or spikes inconsistent with a customer’s profile. When a flagged transaction warrants escalation, the bank files a SAR with its financial intelligence unit. Failure to file SARs on time was central to the TD Bank enforcement action, where thousands of suspicious transactions went unreported because the monitoring system lacked adequate resources to review them.
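As an added illustration (not code from any bank or vendor mentioned in this article), the sketch below shows what a simple structuring rule looks like: it flags accounts whose cash deposits each stay at or under the $10,000 CTR threshold but add up to more than it inside a rolling window. The 80% "near threshold" band, the 7-day window, the three-deposit minimum, and the sample transactions are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000      # cash reporting threshold cited in the article
NEAR_BAND = 0.80            # assumption: "just below" means >= 80% of threshold
WINDOW = timedelta(days=7)  # assumption: rolling look-back window
MIN_DEPOSITS = 3            # assumption: deposits needed before alerting

# Constructed sample data: (account, date, cash deposit amount in USD)
SAMPLE = [
    ("ACC-1", date(2024, 3, 1), 9_500),
    ("ACC-1", date(2024, 3, 2), 9_200),
    ("ACC-1", date(2024, 3, 4), 9_800),
    ("ACC-2", date(2024, 3, 1), 12_000),  # above threshold: reported via CTR
    ("ACC-3", date(2024, 3, 1), 9_900),
    ("ACC-3", date(2024, 4, 15), 9_700),  # too far apart for one window
    ("ACC-4", date(2024, 3, 1), 450),
    ("ACC-4", date(2024, 3, 2), 600),     # nowhere near the threshold
]

def structuring_alerts(transactions):
    """Return {account: (count, total)} for accounts whose near-threshold
    deposits within one rolling window sum to more than the CTR threshold."""
    by_account = defaultdict(list)
    for account, day, amount in transactions:
        if NEAR_BAND * CTR_THRESHOLD <= amount <= CTR_THRESHOLD:
            by_account[account].append((day, amount))
    alerts = {}
    for account, deposits in by_account.items():
        deposits.sort()
        start = 0
        for end in range(len(deposits)):
            # Slide the left edge until the window spans at most WINDOW.
            while deposits[end][0] - deposits[start][0] > WINDOW:
                start += 1
            window = deposits[start:end + 1]
            total = sum(amount for _, amount in window)
            if len(window) >= MIN_DEPOSITS and total > CTR_THRESHOLD:
                if total > alerts.get(account, (0, 0))[1]:
                    alerts[account] = (len(window), total)
    return alerts

if __name__ == "__main__":
    for account, (count, total) in structuring_alerts(SAMPLE).items():
        print(f"{account}: {count} near-threshold deposits, ${total:,} total")
```

An alert from a rule like this is only the start of the process: it lands in the analyst queue, and an unreviewed queue is exactly the backlog the TD Bank action describes.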

How AML screening software works in a bank’s compliance stack
Manual AML processes break down quickly at scale. A mid-sized bank onboarding hundreds of customers per day cannot run watchlist checks, adverse media searches, and PEP lookups by hand without introducing delays and errors into the process. AML screening software automates those checks and feeds the results into the bank’s existing compliance workflow.
The core functions a banking institution needs from screening software include real-time watchlist and sanctions checks at onboarding, ongoing monitoring that re-screens existing customers whenever lists are updated, adverse media coverage that surfaces risk signals before they appear on a formal list, and a case management interface where analysts can investigate, document, and close flagged alerts.
False positives are the operational reality that most banks underestimate. A common name in a given region, a partial match on a politically sensitive surname, or an outdated entry on a legacy watchlist will generate alerts that analysts must manually resolve. Good screening software reduces false positive rates through fuzzy matching logic, risk-scoring, and configurable alert thresholds. Poor calibration generates noise. Proper calibration surfaces the matches that matter.
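The calibration trade-off can be seen in a small added example (illustrative code written for this article, not Shufti's or any other vendor's matching logic). It scores a customer against a watchlist with fuzzy name matching, then adjusts the score using date of birth as a second attribute. The watchlist entries are fictitious, and the 0.10 bonus, 0.25 penalty, and thresholds are assumed values.

```python
from difflib import SequenceMatcher
import unicodedata

# Constructed watchlist entries (fictitious names, not from any real list)
WATCHLIST = [
    {"name": "Ivan Petrovich Sokolov", "dob": "1971-04-12"},
    {"name": "Maria Delacroix-Fontaine", "dob": "1985-11-30"},
]

def normalise(name):
    """Lower-case, strip accents and punctuation, and sort the tokens so
    'SOKOLOV, Ivan' and 'Ivan Sokolov' compare as the same string."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(sorted(text.split()))

def score(customer, entry):
    """Name similarity in [0, 1], adjusted when both records carry a DOB."""
    s = SequenceMatcher(
        None, normalise(customer["name"]), normalise(entry["name"])
    ).ratio()
    if customer.get("dob") and entry.get("dob"):
        # Assumed weights: matching DOB adds confidence, mismatch removes it.
        s += 0.10 if customer["dob"] == entry["dob"] else -0.25
    return max(0.0, min(1.0, s))

def screen(customer, threshold):
    """Return the watchlist names scoring at or above the alert threshold."""
    return [e["name"] for e in WATCHLIST if score(customer, e) >= threshold]

if __name__ == "__main__":
    common = {"name": "Ivan Sokolov"}                    # shares two tokens only
    typo = {"name": "Ivan Petrovic Sokolov"}             # one-letter misspelling
    other = {"name": "Ivan Sokolov", "dob": "1990-01-01"}
    print("loose 0.60, name only :", screen(common, 0.60))  # false positive
    print("tight 0.85, name only :", screen(common, 0.85))  # suppressed
    print("tight 0.85, typo      :", screen(typo, 0.85))    # still caught
    print("loose 0.60, with DOB  :", screen(other, 0.60))   # suppressed by DOB
```

Raising the threshold alone removes the common-name hit while still catching the misspelling; adding a second attribute removes it even at the loose threshold, which is the effect risk-scoring is meant to have.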
Data freshness matters just as much as coverage breadth. A platform that updates its watchlists daily or weekly will miss names added to a sanctions list in the intervening period. Near-real-time data updates are not a nice-to-have feature for banks running correspondent banking relationships or cross-border payments.
For compliance teams managing the broader overlap between identity verification and post-onboarding monitoring, KYC and AML compliance in fintech covers how the two functions connect in practice.
How Shufti’s AML screening addresses banking compliance requirements
Shufti’s AML screening covers more than 100,000 data sources, 3,500+ global watchlists, and 2.6 million PEP profiles across 215+ sanction regimes. Data is updated every 15 minutes, which means ongoing monitoring reflects list changes as they occur rather than at a nightly batch cycle.
Adverse media screening runs across 50,000+ news sources and classifies results across 415+ risk categories using natural language processing. Compliance teams receive context on a match, not just a raw alert. That context matters in a banking environment where analyst bandwidth is finite and false positive rates need to stay low enough for the team to focus on genuine risk signals.
For banks managing compliance across multiple jurisdictions, Shufti’s banking compliance solution connects AML screening to identity verification and business verification checks through a single API. Teams running separate tools for KYC, AML, and business verification deal with integration overhead and audit gaps that examiners notice. Consolidating those checks into one platform reduces both the operational burden and the documentation gaps that regulatory reviews tend to surface.
Frequently Asked Questions
How do banks use AML tools to prevent money laundering?
Banks use AML software to screen customers at onboarding and on an ongoing basis, monitor transaction patterns for suspicious activity, and generate Suspicious Activity Reports when flagged behaviour meets the regulatory threshold for reporting.
Is AML screening mandatory for banks?
Yes. In the US, the Bank Secrecy Act requires banks to maintain AML programmes that include screening and SAR filing obligations. Globally, FATF's 40 Recommendations set the standard that most national regulators have transposed into domestic law.
How does AML software reduce false positives?
Screening platforms apply fuzzy matching logic, risk-scoring models, and configurable alert thresholds to separate genuine watchlist matches from false hits caused by common names, partial matches, or outdated list entries.
What happens when AML software flags a suspicious transaction?
The flagged transaction enters an analyst review queue. The analyst investigates the alert and either dismisses it with documented reasoning or escalates it for SAR filing, which is then submitted to the relevant financial intelligence unit.
