AML (Anti-Money Laundering)

Anti-Money Laundering (AML) is the body of US laws, regulations, and supervisory practices, anchored in the Bank Secrecy Act, that requires financial institutions and certain businesses to detect, prevent, and report the use of the financial system for money laundering, terrorist financing, and other illicit activity.

Anti-Money Laundering (AML) is the system of laws, rules, supervision, and operating practice that the United States uses to keep illicit money out of the financial system. The legal core is the Bank Secrecy Act, codified at 31 USC 5311 et seq., with implementing regulations at 31 CFR Chapter X. The Financial Crimes Enforcement Network (FinCEN), part of the Treasury, is the primary administrator. For US founders running payroll, contractor payouts, or platform marketplaces, AML touches onboarding, payments, recordkeeping, and reporting end to end.

How AML Works

The BSA requires covered financial institutions to do three things: identify customers, watch transactions, and report patterns that match anti-money-laundering risk indicators. A modern AML program operates on four pillars (plus a fifth for the largest banks and many non-bank institutions):

  • Internal controls. Written policies and procedures, board-approved, risk-based, and applied consistently.
  • AML Compliance Officer. A designated officer with authority and resources to run the program.
  • Training. Ongoing employee training tailored to roles.
  • Independent testing. Audit of the program at least annually for higher-risk institutions, with findings reported to senior management.
  • Customer due diligence (CDD). Risk-based procedures for understanding the nature and purpose of customer relationships, including identifying and verifying beneficial owners of legal-entity customers under the 2018 CDD Rule.

The operating model produces three primary reports:

  • Currency Transaction Report (CTR). Filed on FinCEN Form 112 for every cash transaction (or aggregated same-day cash transactions) over 10,000 dollars conducted by, through, or to a financial institution.
  • Suspicious Activity Report (SAR). Filed on FinCEN Form 111 for suspicious activity, typically at a 5,000 dollar aggregate threshold for banks (2,000 dollars for MSBs in certain scenarios), within 30 days of detection.
  • Currency and Monetary Instrument Report (CMIR). Filed on FinCEN Form 105 for physical transport of more than 10,000 dollars in currency or monetary instruments into or out of the US.

Who Must Comply

The covered-institution list at 31 USC 5312 is broad:

  • Banks, credit unions, and savings associations
  • Broker-dealers in securities
  • Mutual funds
  • Insurance companies (for permanent life, annuity, and similar products)
  • Futures commission merchants and introducing brokers
  • Money services businesses (MSBs), including money transmitters, check cashers, prepaid access providers, and dealers in foreign exchange
  • Casinos and card clubs
  • Dealers in precious metals, precious stones, and jewels
  • Loan and finance companies
  • Housing GSEs
  • Certain investment advisers (since the 2024 final rule, with implementation in phases)
  • Administrators and exchangers of convertible virtual currency (under FinCEN MSB guidance)

Non-financial trades and businesses are generally not subject to a full AML program but must still meet specific reporting duties, such as filing Form 8300 for cash transactions over 10,000 dollars under IRC 6050I and 31 USC 5331.

Reporting Thresholds

| Report | Trigger | Form | Deadline |
|---|---|---|---|
| Currency Transaction Report | Cash transaction over 10,000 dollars | FinCEN Form 112 | 15 days after the transaction |
| Suspicious Activity Report | Suspicious transaction at or above the institution’s threshold | FinCEN Form 111 | 30 days after detection (extendable to 60) |
| Form 8300 | Cash payment over 10,000 dollars received in a trade or business | IRS/FinCEN Form 8300 | 15 days after receipt |
| FBAR | US person with foreign financial accounts aggregating over 10,000 dollars at any point in the year | FinCEN Form 114 | April 15, with automatic extension to October 15 |

Penalties

The BSA penalty stack is layered:

  • Civil penalties under 31 USC 5321. Up to 25,000 dollars per violation for negligent violations, up to the greater of the transaction amount or 100,000 dollars for willful violations, with higher amounts for pattern violations.
  • Criminal penalties under 31 USC 5322. Up to 250,000 dollars and 5 years of imprisonment per violation, doubled for violations committed while violating another US law or as part of illegal activity exceeding 100,000 dollars in a 12-month period.
  • Civil money penalties for SAR or CTR failures. Specific per-form penalties indexed for inflation each year.
  • Operating-license risk. Banking and MSB licenses can be suspended or revoked for systemic AML failures.

Common Pitfalls

  • Treating AML as a financial-services-only problem. Form 8300 reaches any trade or business that receives cash. KYC and OFAC screening reach any US person paying internationally.
  • Skipping beneficial-ownership data. The CDD Rule requires verification of beneficial owners of legal entities at 25 percent ownership and one control person. Skipping this is a frequent enforcement finding.
  • Static thresholds. Suspicious activity is pattern-based. A program that only screens for transactions over 10,000 dollars misses the structuring patterns the BSA was designed to catch.
  • Late SARs. The 30-day clock starts at detection, not at investigation completion. Long investigations that delay the SAR are themselves a violation.
  • Outdated training. Typology-specific training (such as sanctions evasion, fraud rings, contractor-payout abuse) needs annual refresh.

Related Terms

  • BSA Reporting: the specific reports the BSA requires (CTR, SAR, Form 8300, FBAR).
  • KYC: the customer-identification component of an AML program.
  • OFAC Sanctions Screening: the parallel screening regime, often run from the same workflow.
  • FATF: the global standard-setter whose 40 Recommendations align national AML regimes.

Omnivoo Contract Management integrates KYC, OFAC screening, and Form 8300 cash-payment monitoring into contractor onboarding and payouts, with the audit trail and beneficial-ownership data a US AML examiner expects.

Frequently asked questions

What are the four pillars of an AML program?
The traditional four pillars of an AML program are (1) internal policies, procedures, and controls reasonably designed to detect and report money laundering, (2) a designated AML compliance officer responsible for day-to-day implementation, (3) ongoing employee training, and (4) independent testing of the program. Following the 2018 Customer Due Diligence Rule, a fifth pillar was added for covered financial institutions: risk-based procedures for customer due diligence, including identifying and verifying beneficial owners of legal entity customers.

What is the difference between AML, KYC, and BSA?
The Bank Secrecy Act is the foundational US law that imposes recordkeeping and reporting on financial institutions to combat financial crime. AML is the broader operational program that institutions run to comply with the BSA. KYC, or Know Your Customer, is the specific subset of an AML program that focuses on identifying and verifying customers and their beneficial owners. BSA is the statute, AML is the program, and KYC is one component of that program.

Who must run an AML program?
All financial institutions defined in the Bank Secrecy Act must have an AML program. This includes banks, credit unions, savings associations, broker-dealers, mutual funds, money services businesses (MSBs), futures commission merchants, casinos, insurance companies (with respect to certain products), and dealers in precious metals and gems. The list is in 31 USC 5312 and 31 CFR Chapter X. Non-financial businesses can also have AML obligations under specific rules, such as Form 8300 cash reporting under IRC 6050I.

What is a SAR and when is it filed?
A Suspicious Activity Report (SAR) is filed with FinCEN by a financial institution that detects a transaction or pattern of transactions involving known or suspected money laundering, terrorist financing, BSA violations, or other criminal activity. For banks, the threshold is generally any transaction aggregating 5,000 dollars or more (2,000 dollars for money services businesses in some scenarios). The SAR must be filed within 30 days of detection (extendable to 60 days while a suspect is identified).

Are crypto exchanges covered by AML rules?
Yes. FinCEN has classified administrators and exchangers of convertible virtual currency as money services businesses since its 2013 guidance. They must register with FinCEN, run a full AML program, file SARs and CTRs as applicable, conduct KYC on customers, and screen against OFAC sanctions lists. The same rule applies to certain wallet and custodial services.
