AML Compliance: KYC, CDD, and Suspicious Activity Reporting

AML compliance rests on knowing your customer, conducting proportionate due diligence, and reporting suspicious transactions to the financial intelligence unit. This topic covers the operational mechanics from customer onboarding through enhanced PEP checks to SAR/STR filing obligations.

Last updated: 10 Jun 2026

The global AML framework ultimately works, or fails, at the level of individual institutions deciding whether to accept a customer and whether to report a transaction. A compliance officer at a bank in Lagos, a trust company in Luxembourg, or a currency exchange in Mumbai is the front line. The standards they apply, the records they keep, and the reports they file are the data that flow into Financial Intelligence Units and from there into investigations. Get this layer wrong and the most sophisticated FATF framework in the world produces nothing.

This topic covers the operational core of AML compliance. Customer due diligence (CDD) is the structured process of identifying who you are dealing with and why. Enhanced due diligence (EDD) applies extra scrutiny to higher-risk relationships, especially politically exposed persons (PEPs) who control public funds or decisions. Beneficial ownership identification pierces the corporate veil to find the human beings who ultimately own or control a legal entity. Suspicious Transaction Reports (STRs) or Suspicious Activity Reports (SARs) are the intelligence product that gets filed when something looks wrong.

The topic also addresses two structural problems in the current system: correspondent banking risk, where a small bank with weak controls can push suspicious flows through a larger bank's infrastructure, and de-risking, where compliance pressure causes banks to exit entire markets rather than manage the risk, with counterproductive effects on financial inclusion and on law enforcement's ability to follow the money.

Key terms

Customer Due Diligence (CDD): The FATF-mandated set of measures requiring financial institutions to identify and verify customers and beneficial owners, understand the purpose and nature of the business relationship, and conduct ongoing monitoring of transactions.
Enhanced Due Diligence (EDD): A heightened set of CDD measures applied to higher-risk customers or relationships, including PEPs, high-risk jurisdictions, and certain business types. EDD typically requires senior management approval, source-of-wealth verification, and more intensive monitoring.
Politically Exposed Person (PEP): An individual who holds or has held a prominent public function, together with family members and known close associates, who presents a higher corruption and bribery risk because of their position and their ability to misuse public funds.
Beneficial owner: The natural person who ultimately owns or controls a legal entity or arrangement, or on whose behalf a transaction is conducted, even if a nominee or intermediary appears on the face of the transaction.
Suspicious Activity Report (SAR) / STR: A confidential report filed by a reporting entity to the national Financial Intelligence Unit when a transaction or pattern gives rise to a suspicion of money laundering or terrorist financing. Filing is mandatory; disclosing the report to the subject (tipping off) is a criminal offence.
Correspondent banking: A relationship in which one bank (the correspondent) provides services such as clearing and settlement to another bank (the respondent), allowing the respondent's customers to access markets and payment systems they cannot reach directly.

Customer due diligence: identifying who you are dealing with

A bank that cannot name its customer cannot monitor its customer.

CDD is triggered at account opening, at the formation of a business relationship, and when a one-time transaction exceeds a threshold (typically USD/EUR 15,000, or USD 3,000 for wire transfers in the United States). It has four components under FATF Recommendation 10: identify and verify the customer, identify and verify the beneficial owner, understand the purpose and intended nature of the relationship, and conduct ongoing monitoring.

Customer identification
For natural persons: full legal name, date of birth, nationality, and government-issued identity document number, verified against the original document. For legal entities: registered name, registration number, legal form, registered address, and identity of directors and authorized signatories.
Beneficial ownership identification
Identifying natural persons who own 25 percent or more of the entity (10 percent in some jurisdictions for PEP-connected entities), or who exercise effective control through other means. Where ownership is obscured by corporate layers, the institution must look through each layer. If no individual meets the threshold, the senior managing official is identified as a fallback.
Purpose and nature of relationship
Understanding what the customer does, why they need this account or product, the expected transaction volumes and counterparties, and the source of funds. This builds the baseline against which future transactions are assessed for anomalies.
Ongoing monitoring
Screening transactions against the expected profile, updating CDD records when circumstances change, and re-performing CDD for existing customers periodically or when triggered by a suspicious event or change in risk rating.

Enhanced due diligence for PEPs and high-risk relationships

Senior management approval is required because a compliance officer alone cannot manage political risk.

Politically exposed persons receive enhanced scrutiny because their position gives them the opportunity to misuse public funds or exert influence over government processes, and because their wealth may be the product of bribery or corruption. FATF Recommendation 12 requires that for foreign PEPs (individuals from other countries), institutions must apply EDD automatically. For domestic PEPs and international organization PEPs, EDD is triggered by a risk-based assessment.

EDD element	What it requires in practice
Senior management approval	A person at vice-president level or above must approve establishing or continuing the relationship
Source of wealth	Understanding how the PEP accumulated their overall wealth, not just the specific funds involved in this transaction
Source of funds	Identifying the specific origin of the funds in the transaction or account
Enhanced ongoing monitoring	More frequent and more detailed review of transactions than standard CDD, with lower thresholds for escalation

The Riggs Bank case (2004) illustrates what happens when EDD fails. Riggs, a Washington DC bank with a niche in diplomatic accounts, maintained accounts for the government of Equatorial Guinea and for former Chilean dictator Augusto Pinochet. FinCEN and the OCC found that Riggs had failed to apply EDD to either relationship, had filed inadequate SARs, and had allowed tens of millions of dollars of suspect funds to move through the accounts without scrutiny. Riggs was fined USD 41 million, the largest US bank AML fine at the time, and was subsequently acquired and wound down.

Beneficial ownership registers

The shell company problem has one solution: who actually owns it?

Beneficial ownership transparency is FATF Recommendation 24's core requirement. For years, satisfying it relied on financial institutions conducting their own CDD to look through corporate structures. The global push since 2015 has been toward central government-maintained registers that record who ultimately owns and controls each legal entity, accessible to competent authorities and, in many jurisdictions, to the public.

UK: the People with Significant Control (PSC) register at Companies House, in force since 2016, requires UK companies to record any person owning more than 25 percent or exercising significant influence. The Register of Overseas Entities (2022) extended this to foreign companies owning UK property.
EU: the 4th AMLD required member states to create central beneficial ownership registers accessible to competent authorities and obliged entities. The 5th AMLD made registers publicly accessible. The European Court of Justice's November 2022 ruling in Joined Cases C-37/20 and C-601/20 (Luxembourg Business Registers) found that unconditional public access breached the Charter of Fundamental Rights, prompting member states to restrict access to entities demonstrating a legitimate interest.
US: the Corporate Transparency Act (2021, in effect from January 2024) requires most US entities to report beneficial owners to FinCEN's Beneficial Ownership Information system. Reports are accessible to law enforcement and, with customer consent, to financial institutions for CDD purposes, but not to the general public.

Suspicious activity reporting: the intelligence pipeline

The SAR system is only as good as the analysts reading the filings.

The obligation to report suspicious transactions is the diagnostic tool of the AML system. A reporting entity, typically a bank, money service business, securities firm, or DNFBP, files a SAR (US) or STR (most other jurisdictions) when it has a suspicion of money laundering or terrorist financing. The suspicion standard is intentionally low: reasonable grounds to suspect, not proof. The institution is not required to investigate to certainty before filing.

SAR pipeline from alert through FIU filing to law enforcement.

In the United States, FinCEN received more than 3.6 million SARs in fiscal year 2022. The utility of the system depends on the quality of filings: a SAR with adequate detail about the transaction, the suspicious indicators, the parties, and the accounts is a usable intelligence product. A SAR that says only 'unusual transaction' is nearly worthless. FinCEN's guidance and the Financial Crimes Enforcement Network's SAR activity reviews emphasize that the narrative section is the most important part of the filing.

Correspondent banking risk and de-risking

When the compliance cost of serving a respondent exceeds the revenue, exit looks rational. It often is not.

Correspondent banking is a critical infrastructure risk in the AML system. A US or European correspondent bank providing dollar or euro clearing to a respondent bank in a smaller jurisdiction cannot apply its own CDD to the respondent's customers. It must rely on the respondent's AML program. If the respondent has weak controls, the correspondent's infrastructure becomes a conduit. The BIS reports that the number of active correspondent banking relationships has been declining since 2011.

Nested correspondent accounts: a respondent bank allows its own respondents (sub-correspondents) to access the correspondent's infrastructure indirectly, creating additional layers the correspondent cannot see into. FATF Recommendation 13 prohibits entering correspondent relationships with shell banks and requires measures to prevent accounts being used by other undisclosed respondents.
De-risking consequences: when major banks exit correspondent relationships with entire regions or categories of customer, including remittance companies, money service businesses, and small Pacific island or Caribbean jurisdictions, the flows do not stop. They migrate to informal value transfer channels, hawala networks, or cryptocurrency, which are harder for investigators to follow and carry no STR reporting obligations.
The World Bank-CPMI survey: a 2015 survey by the World Bank and the Committee on Payments and Market Infrastructures found that 75 percent of large international banks had terminated some correspondent relationships in the prior five years, with Caribbean, Central Asian, and Pacific island banks most affected.

Worked example

HSBC deferred prosecution agreement: correspondent risk in practice

When the compliance gap in one respondent costs a global correspondent USD 1.9 billion.

In December 2012, the United States Department of Justice announced a deferred prosecution agreement with HSBC Holdings plc and HSBC Bank USA, N.A. (HBUS), requiring HSBC to pay USD 1.921 billion in penalties. The factual statement attached to the DPA provides a detailed account of how correspondent banking failures facilitated large-scale money laundering.

HSBC Mexico was rated high-risk by HBUS's own compliance function, which had identified concerns about the Mexican affiliate's AML controls. Despite this, HBUS continued providing US dollar clearing services to HSBC Mexico and did not apply enhanced scrutiny.
Between 2006 and 2010, HSBC Mexico exported approximately USD 7 billion in physical cash to HBUS. FinCEN analysis established that the volume was inconsistent with Mexico's legitimate dollar economy and correlated with shipment timing of bulk cash by the Sinaloa cartel.
HBUS also provided US dollar clearing to Saudi Arabia's Al Rajhi Bank, which had been the subject of Treasury terrorism financing concerns, and to Banco Continental in Honduras, whose principal was subsequently convicted of drug trafficking.
The DPA required HSBC to install an independent compliance monitor for five years, implement structural reforms to its AML program, and pay the largest US bank AML penalty at the time. The case accelerated the global shift toward de-risking, as banks concluded that the reputational and financial penalty for correspondent AML failures could exceed the revenue from the relationship.

Check your understanding

Question 1 of 4· 0 answered

A customer opens an account at a bank. The bank identifies and verifies the customer's identity but does not ask about the source of funds or expected transaction volume. Which CDD component has been omitted?

Key Takeaways

CDD has four components: customer identification, beneficial ownership identification, understanding the relationship's purpose, and ongoing monitoring. All four must be applied; omitting any one creates a compliance gap.
PEPs require EDD automatically if they are foreign nationals; EDD includes senior management approval, source-of-wealth verification, and enhanced monitoring.
Beneficial ownership registers in the UK, EU, and US are closing the gap created by anonymous shell company structures, though access rules differ by jurisdiction.
SARs and STRs are the financial intelligence pipeline; the narrative quality of the filing determines whether law enforcement can use it, and tipping off the subject is a criminal offence.
Correspondent banking risk and de-risking are structural weaknesses: the first allows weak respondent controls to compromise correspondent infrastructure; the second pushes high-risk flows into informal channels beyond the reporting system.

What is the difference between KYC and CDD?

KYC (Know Your Customer) is the broader concept of identifying and verifying who a customer is, typically focused on natural persons or entities. CDD (Customer Due Diligence) is the FATF-standard term for the structured set of measures an institution must apply: identifying the customer and beneficial owner, understanding the purpose of the relationship, and conducting ongoing monitoring. KYC is often used informally to refer to the onboarding process; CDD is the regulatory standard.

Who is a politically exposed person (PEP) and what additional checks apply?

A PEP is an individual who holds or has held a prominent public position, such as a head of state, senior government official, judicial officer, military commander, or senior executive of a state-owned enterprise, along with their family members and close associates. FATF requires enhanced due diligence for PEPs: senior management approval for the relationship, identifying the source of wealth and funds, and enhanced ongoing monitoring.

What is a Suspicious Activity Report and who must file one?

A Suspicious Activity Report (SAR) in the United States, or Suspicious Transaction Report (STR) in many other jurisdictions, is a confidential report filed by a financial institution or designated non-financial business to the national FIU when a transaction or activity gives rise to a suspicion of money laundering or terrorist financing. Filing is mandatory; tipping off the subject is prohibited. In the US, SARs are filed with FinCEN.

What is de-risking and why is it a problem?

De-risking is the practice of banks exiting entire categories of customers, jurisdictions, or correspondent relationships to avoid the compliance cost and regulatory risk of dealing with high-risk clients. While rational for individual institutions, de-risking at scale drives vulnerable populations and high-risk jurisdictions out of formal banking and into informal value transfer channels, which are harder to monitor and often more opaque.

What are the risks specific to correspondent banking?

In a correspondent relationship, a large 'correspondent' bank provides services to a smaller 'respondent' bank's customers, often across borders. The correspondent bank cannot apply its own CDD to the respondent's customers and must rely on the respondent's AML program. If the respondent has weak controls, criminal funds pass through the correspondent's system without adequate screening, as occurred in the HSBC and Riggs Bank cases.

Test yourself on Forensic Accounting and Financial Forensics with free, timed mocks.

Practice Forensic Accounting and Financial Forensics questions

Found this useful? Pass it along.

Spotted an error in this page? Report a correction or read our editorial standards.

AML Compliance: KYC, CDD, and Suspicious Activity Reporting

Last updated: 10 Jun 2026

EDD element

What it requires in practice

Senior management approval

A person at vice-president level or above must approve establishing or continuing the relationship

Source of wealth

Understanding how the PEP accumulated their overall wealth, not just the specific funds involved in this transaction

Source of funds

Identifying the specific origin of the funds in the transaction or account

Enhanced ongoing monitoring

More frequent and more detailed review of transactions than standard CDD, with lower thresholds for escalation

Key Takeaways

CDD has four components: customer identification, beneficial ownership identification, understanding the relationship's purpose, and ongoing monitoring. All four must be applied; omitting any one creates a compliance gap.

PEPs require EDD automatically if they are foreign nationals; EDD includes senior management approval, source-of-wealth verification, and enhanced monitoring.

Beneficial ownership registers in the UK, EU, and US are closing the gap created by anonymous shell company structures, though access rules differ by jurisdiction.

SARs and STRs are the financial intelligence pipeline; the narrative quality of the filing determines whether law enforcement can use it, and tipping off the subject is a criminal offence.

Correspondent banking risk and de-risking are structural weaknesses: the first allows weak respondent controls to compromise correspondent infrastructure; the second pushes high-risk flows into informal channels beyond the reporting system.

What is the difference between KYC and CDD?

Who is a politically exposed person (PEP) and what additional checks apply?

What is a Suspicious Activity Report and who must file one?

What is de-risking and why is it a problem?

What are the risks specific to correspondent banking?

Your journey to becoming a forensic professional starts here.

Key Takeaways

Key Takeaways