Why developers need to care about AML
Most developers treat compliance as someone else's problem — a checkbox for the legal team to handle before launch. This works fine until it doesn't. In 2025, global AML-related penalties reached $3.8 billion. The targets were not just legacy banks. Fintechs bore a disproportionate share: Block's Cash App paid $40 million for inadequate customer due diligence, Monzo was fined £21 million for controls that failed to scale with its growth, and BitMEX paid $100 million for operating without a functioning AML program.
The pattern is consistent: regulators penalise programs that don't scale with the business. By the time your compliance team is involved, the architecture is already decided. The data models, the onboarding flows, the transaction pipelines — these are engineering decisions, and they determine whether AML can be done properly.
AML is not a legal problem bolted onto a technical product. It is a technical problem that requires legal understanding. The earlier developers engage with it, the cheaper and cleaner compliance becomes.
What AML actually requires
At its core, AML regulation requires three things of financial institutions — and increasingly, of fintechs that look like them:
- Know Your Customer (KYC) — verify who your users actually are before they transact.
- Transaction monitoring — watch for patterns that suggest money laundering: structuring, rapid movement across accounts, unusual cross-border flows.
- Suspicious Activity Reporting (SAR) — when you detect something, you are legally required to report it to the relevant authority, and usually prohibited from telling the customer you have done so.
These requirements look deceptively simple. The complexity comes from the fact that every jurisdiction implements them differently, with different thresholds, different reporting timelines, different definitions of who qualifies as a "politically exposed person," and different penalties for getting it wrong.
The global AML framework landscape
There is no single global AML regulator. Instead, the Financial Action Task Force (FATF) sets international standards — its 40 Recommendations form the baseline that most national regulators implement. But "implement" leaves a lot of room for variation. Here is how the major jurisdictions compare:
| Jurisdiction | Key Framework | Regulator | Max Penalty |
|---|---|---|---|
| US | Bank Secrecy Act (BSA) / USA PATRIOT Act / FinCEN CDD Rule | FinCEN, OFAC | $1M+ per violation |
| EU | AMLD6 / AML Regulation (AMLR) 2025 | AMLA (from 2025), national FIUs | €5M or 10% turnover |
| UK | Money Laundering Regulations 2017 (MLR 2017) | FCA, HMRC | Unlimited |
| SG | MAS AML/CFT Guidelines | Monetary Authority of Singapore | SGD 1M per breach |
| AU | AML/CTF Act 2006 | AUSTRAC | AUD 22.2M per breach |
| GLOBAL | FATF 40 Recommendations | FATF (standards body, not enforcer) | N/A — implemented nationally |
The US: BSA and FinCEN
The Bank Secrecy Act is the foundation of US AML law. It requires financial institutions — and many fintechs are now classified as Money Services Businesses (MSBs) under it — to maintain AML programs, file Currency Transaction Reports (CTRs) for cash transactions over $10,000, and file Suspicious Activity Reports (SARs) within 30 days of detecting suspicious activity.
In February 2026, FinCEN streamlined Customer Due Diligence requirements, narrowing some beneficial ownership reporting obligations under the Corporate Transparency Act. The direction is towards fewer checkbox requirements but more effective risk-based detection. If your AML program consists of a questionnaire that nobody reads, you are exposed.
For crypto platforms and VASPs (Virtual Asset Service Providers), FinCEN has been expanding AML expectations significantly. If you are building anything involving digital assets and US users, assume BSA applies to you.
The EU: AMLD6 and the new AMLR
The EU's AML framework has been through six iterations of its Anti-Money Laundering Directive (AMLD). The sixth directive (AMLD6) harmonised the definition of money laundering offences across member states and extended criminal liability to legal persons, not just individuals.
More significantly, 2025 saw the establishment of the Anti-Money Laundering Authority (AMLA) in Frankfurt — a new EU-level supervisor that centralises oversight of high-risk financial institutions and begins harmonising AML rules across member states. The AML Regulation (AMLR) that underpins it will have a 2028 enforcement deadline for full compliance, but technical standards are being finalised now.
If you are building for EU users, you now have a single rulebook to target rather than 27 national implementations. The tradeoff is that the AMLA regime is stricter and more consistent than many of the national rules it replaces. Real-time transaction monitoring and beneficial ownership disclosure are explicit requirements.
The EU also updated its Transfer of Funds Regulations to cover crypto asset transfers, reflecting the growing importance of digital assets. Fintechs operating in the EU must comply with enhanced due diligence and third-party risk management obligations.
The UK: MLR 2017 and FCA supervision
Post-Brexit, the UK maintains its own AML framework under the Money Laundering Regulations 2017 (MLR 2017), which implements FATF standards domestically. The FCA is the primary supervisor for fintech firms, and it has shown it is willing to use its powers.
In 2024, the FCA fined Starling Bank £28.96 million for financial crime failings, including deficiencies in sanctions screening and repeated breaches of a restriction against onboarding high-risk customers. In July 2025, Monzo was fined £21 million because its onboarding and transaction-monitoring controls failed to scale with rapid growth.
The lesson from both: the FCA does not care how fast you are growing. Your AML controls need to grow with you, not be retrofitted after the fact.
Singapore: MAS AML/CFT Guidelines
The Monetary Authority of Singapore (MAS) operates a risk-based AML framework aligned with FATF standards. Singapore is significant for fintech because it is the gateway to Southeast Asia for many platforms, and MAS has actively positioned itself as a progressive regulator that wants innovation without sacrificing compliance.
MAS requires customer due diligence, ongoing monitoring, and suspicious transaction reporting to the Suspicious Transaction Reporting Office (STRO). For payment service providers and digital asset operators, MAS has specific licensing requirements under the Payment Services Act.
Australia: AUSTRAC and the AML/CTF Act
AUSTRAC (Australian Transaction Reports and Analysis Centre) administers Australia's AML/CTF Act. It requires designated service providers — which includes most fintech payment platforms — to enrol with AUSTRAC, maintain an AML/CTF program, and report suspicious matters and threshold transactions.
AUSTRAC has a track record of very large enforcement actions. The framework is being updated through the AML/CTF Amendment Act, which extends obligations to lawyers, accountants, and real estate agents — sectors previously outside the regime.
How to query AML regulations by jurisdiction
Understanding the frameworks is one thing. Embedding that knowledge into your product is another. The RegIntel API lets you query structured AML regulatory data by jurisdiction and category — obligations, penalties, scope, and status — so you can build compliance-aware features without manually maintaining a regulatory database.
Here is how to pull all AML regulations for a specific jurisdiction:
curl "https://api.regintelapi.com/regulations" \ -H "x-api-key: YOUR_API_KEY" \ -G \ -d "jurisdiction=EU&category=AML"
The response returns structured JSON with obligations, penalty ranges, and source URLs for each regulation. You can query across multiple jurisdictions to build a comparison view:
import requests API_KEY = "YOUR_API_KEY" BASE_URL = "https://api.regintelapi.com" HEADERS = {"x-api-key": API_KEY} # Jurisdictions your product operates in jurisdictions = ["US", "EU", "GB", "SG", "AU"] for jur in jurisdictions: res = requests.get( f"{BASE_URL}/regulations", headers=HEADERS, params={"jurisdiction": jur, "category": "AML"} ) data = res.json() regs = data.get("data", []) print(f"\n{jur}: {len(regs)} AML regulations") for r in regs[:2]: print(f" - {r['regulation']}") print(f" Penalty: {r['penalties']}")
You can also track regulatory changes over time using the /updates endpoint — useful for building alert systems that notify your compliance team when a relevant regulation is amended:
curl "https://api.regintelapi.com/updates" \ -H "x-api-key: YOUR_API_KEY" \ -G \ -d "since=2025-01-01&category=AML"
What is changing in 2025–2026
The AML landscape is not static. Three developments deserve attention if you are building for the next 12–18 months:
1. EU AMLA goes live
AMLA became operational in mid-2025. Its first public hearing on draft technical standards under the AMLR was held in March 2026. The 2028 enforcement deadline is the hard line, but financial institutions that wait until 2027 to start adapting will face a very difficult runway. If you are building for EU financial institutions, understand AMLR now.
2. Crypto AML obligations are tightening globally
The EU updated its Transfer of Funds Regulations to cover crypto asset transfers. FinCEN is expanding AML expectations for VASPs. MAS has specific licensing requirements for digital payment token services. If your product touches crypto and you have not yet mapped your AML obligations, this is the year to do it.
3. AI in AML is now formally recognised — with guardrails
The AMLR explicitly acknowledges AI as a legitimate AML tool for the first time under EU law. This is significant — it opens the door to AI-powered transaction monitoring as a compliance-grade control. However, the regulation draws clear boundaries: AI models must be explainable, auditable, and compliant with the EU AI Act's requirements for high-risk systems. "We use AI" is not a compliance strategy. "We use explainable AI with documented training data and human oversight" might be.
Practical checklist for fintech developers
- Map your jurisdictions early. Which countries do your users come from? Which countries does money move through? Each adds regulatory obligations.
- Classify your product. Are you an MSB under BSA? A payment institution under PSD2? A VASP under MiCA? Classification determines which rules apply.
- Design for KYC at the data model level. Adding identity verification to an existing schema is painful. Build it in from the start.
- Build transaction monitoring as a first-class feature. Not an afterthought. The FCA and AUSTRAC have both penalised firms for monitoring systems that did not scale.
- Keep your regulatory data fresh. AML regulations change. A rule that was accurate six months ago may have been amended. Use an API or a structured update process to stay current.
- Document everything. Regulators want to see evidence of a functioning program, not just assertions that one exists. Audit trails, risk assessments, training records — these matter at examination time.
AML is not one regulation — it is a family of overlapping frameworks across 40+ jurisdictions, all implementing FATF standards differently. The US uses BSA/FinCEN, the EU is moving to AMLR under AMLA, the UK runs MLR 2017 under FCA supervision, Singapore uses MAS guidelines, and Australia uses AUSTRAC's AML/CTF Act. Penalties are large and enforcement is increasing. Build compliance into your architecture early, keep your regulatory data current, and document your controls.
Query AML regulations via API
RegIntel covers AML regulations across 41 jurisdictions — structured JSON with obligations, penalties, scope and status. Free to start, no credit card required.
Get free API key →