KYC vs AML vs CFT
What’s the Real Difference?
Candidates mix these three up in interviews every single week — and lose the job. This guide makes the distinction airtight, with real-world examples from Goldman Sachs, Barclays, Emirates NBD, and Revolut.
If an interviewer at Barclays or Goldman Sachs asks you “what’s the difference between KYC, AML, and CFT?” — and you answer by listing three synonyms — you have already lost the interview. These three frameworks are related and often overlap in day-to-day work, but they solve fundamentally different problems, with different regulatory bases, different primary data sources, and different outcomes when they fail.
This guide gives you the clean one-sentence distinction, the expanded explanation, a side-by-side comparison card, a regulation map, and real-world scenarios that show each framework in action. By the end, you will be able to explain KYC, AML, and CFT in any interview at an investment bank, custody firm, KPO, or fintech — with confidence.
The One-Sentence Distinction
KYC is the foundation — you identify who walks in the door. AML is the house built on that foundation — the full framework that detects and prevents money laundering. CFT is the security system inside the house — specifically designed to stop funds from reaching terrorist networks, even when those funds come from legal sources.
Know Your Customer
What it is: The process of verifying a customer’s identity, understanding their risk profile, and monitoring their activity over time.
Primary question answered: Who is this customer, and what kind of customer are they?
Typical activities:
- Document collection & verification (CIP)
- Customer Due Diligence (CDD)
- Enhanced Due Diligence (EDD)
- Periodic review & refresh
Anti-Money Laundering
What it is: The broader institutional framework to detect, prevent, and report money laundering across the customer lifecycle.
Primary question answered: Are the funds moving through this bank legitimate?
Typical activities:
- KYC (as the foundation)
- Transaction monitoring & alerts
- SAR / STR / CTR filing
- AML training & governance
- Independent testing (audit)
Counter-Terrorist Financing
What it is: The specific set of controls designed to prevent financial resources — legal or illegal — from reaching terrorist organisations or acts.
Primary question answered: Could this money, even if legal in origin, fund terrorism?
Typical activities:
- Sanctions screening (OFAC, UN, EU, UK OFSI)
- PEP screening
- High-risk geography monitoring
- Small-value, high-frequency transfer pattern detection
- NPO / charity enhanced scrutiny (FATF R8)
The 7 Real Differences Hiring Managers Want You to Know
| Dimension | KYC | AML | CFT |
|---|---|---|---|
| Scope | Customer-level process | Institution-wide program | Specialised sub-program within AML |
| Primary data source | Customer documents & attestations | Transactions + KYC + context | Sanctions lists, intelligence feeds, patterns |
| Origin of funds | Must be documented | Assumed illegal if laundering detected | May be legal (donations, salaries, trade) |
| Trigger | Onboarding, periodic review, event | Transaction alert, typology match | Sanctions match, geography, behavioural flag |
| Primary output | KYC file with risk rating | SAR / STR / CTR filings | Sanctions freeze, SAR with CFT tag |
| Regulator expectation | Accurate identification & risk rating | Effective detection & reporting | Zero tolerance on sanctioned parties |
| Failure cost | Regulatory fines, remediation | Large fines ($100M–$2B+) | Criminal liability, licence loss |
Regulatory Framework Map
Each framework has its own statutory base. Mixing these up in an interview is an instant red flag for hiring managers.
United States
- KYC: FinCEN 2016 CDD Rule — requires beneficial owner identification at onboarding for legal entity customers.
- AML: Bank Secrecy Act (1970) — SAR/CTR obligations, 5 program pillars.
- CFT: USA PATRIOT Act (2001) — sanctions enforcement via OFAC, correspondent banking controls, 314(a)/314(b) information sharing.
United Kingdom
- KYC & AML: Money Laundering Regulations 2017 (MLR 2017), updated via MLR 2019 and 2022 amendments.
- CFT: Terrorism Act 2000 + UK OFSI sanctions (post-Brexit UK-specific sanctions regime).
European Union
- KYC & AML: 6th Anti-Money Laundering Directive (6AMLD), in force from December 2020.
- CFT: Sanctions implemented via EU Council regulations; AMLA (Anti-Money Laundering Authority) launching 2026.
UAE (Dubai DIFC + Abu Dhabi ADGM)
- KYC & AML: DFSA AML Module (DIFC), ADGM AML Rulebook (Abu Dhabi).
- CFT: UAE Federal Decree-Law No. 20 of 2018, plus UAE Cabinet targeted financial sanctions regulations.
India
- KYC: RBI Master Direction on KYC (2016, regularly updated).
- AML: Prevention of Money Laundering Act (PMLA) 2002; PMLA Rules 2005.
- CFT: Unlawful Activities (Prevention) Act, FIU-IND reporting requirements.
Canada, Singapore, Hong Kong
- Canada: PCMLTFA (AML), CCFA sanctions regime, FINTRAC oversight.
- Singapore: MAS AML/CFT Notices (separate notices for banks, capital markets, insurance, payment services).
- Hong Kong: AMLO (Anti-Money Laundering Ordinance), HKMA supervisory guidance, SFC AML Guideline.
Real-World Scenarios — See the Difference in Action
The fastest way to internalise the distinction is through scenarios a KYC analyst might actually see at a global bank GCC or custody firm.
Scenario 1 — Pure KYC issue (no AML, no CFT)
Context: A corporate customer onboarded at State Street India has completed its 3-year periodic review cycle. The KYC team refreshes documents, confirms UBOs are unchanged, updates the Nature of Business description, and re-confirms the risk rating at Low.
Why this is KYC-only: No transaction alerts have fired. No sanctions hits. The work is a clean customer-level refresh. There is no AML investigation, no suspicious activity, no terrorism link. This is 80% of what a Level 1 KYC Analyst does day-to-day.
Scenario 2 — AML escalation (triggered by transaction activity, no CFT link)
Context: A small trading company onboarded at Barclays Mumbai GCC shows unusual transaction patterns — nine deposits of $9,500 each over two weeks. The customer is not a PEP, not from a high-risk jurisdiction, and sanctions screening is clean.
Why this is AML, not CFT: The pattern is classic structuring (smurfing) — an attempt to evade the $10K Currency Transaction Report threshold. This is a money-laundering typology. The KYC team flags it to the AML investigations team, who draft a SAR. No terrorism signal is present.
Scenario 3 — CFT scenario (legal-looking funds, high CFT risk)
Context: A charity registered in a FATF-grey-list jurisdiction opens a USD account at a bank’s Dubai DIFC branch. Funds arrive from multiple individual donors, each sending small amounts. The charity’s stated purpose is “community education in conflict regions.”
Why this is CFT-specific: Every donation could be legal. No laundering typology fires. But the combination — charity + conflict-zone beneficiaries + small-value donations — is the classic CFT risk pattern identified by FATF Recommendation 8. EDD applies, enhanced monitoring is triggered, and the bank screens all beneficiary countries and onward payments carefully.
Scenario 4 — All three active simultaneously
Context: A foreign PEP opens a private banking relationship at HSBC London. Source of Wealth (SoW) is reconstructed across a 25-year government career. Six months later, transactions to a shell company in a sanctions-adjacent jurisdiction trigger alerts.
Why all three engage: KYC reclassifies the PEP to high-risk at onboarding. AML investigates the transactions for laundering indicators. CFT controls trigger secondary sanctions review because the destination jurisdiction is sanctions-adjacent. The KYC file, AML investigation file, and sanctions investigation file are all open in parallel. This is the reality of complex private banking.
Common Interview Traps on KYC vs AML vs CFT
Hiring managers at Goldman Sachs, JPMorgan, Barclays, and custody firms know exactly which wrong answers signal a weak candidate. Avoid these.
Saying “KYC and AML are basically the same thing” is the single most common weak answer. They are related but distinct. KYC is customer-centric; AML is transaction + institution-centric.
CFT is about funds reaching terrorism — regardless of whether the customer’s jurisdiction is sanctioned. Domestic terrorism funding, NPO-routed financing, and crypto-based transfers all fall under CFT controls in clean jurisdictions.
A SAR (Suspicious Activity Report) is a confidential filing to a financial intelligence unit. A sanctions freeze is an operational action against a customer account. They have different legal effects and different procedural steps.
Candidates often assume all CFT targets must have a laundering story. They don’t. A legitimate business that generates legal revenue and donates legally, but whose funds ultimately flow to a terrorist organisation, is a pure CFT case with zero AML component.
How a KYC Interviewer Would Mark Your Answer
If the question is “explain the difference between KYC, AML, and CFT,” a strong candidate answer (Senior Analyst or above) sounds like this:
“KYC is the customer-level process of verifying identity, assessing risk, and refreshing information over time. AML is the broader institutional framework that includes KYC plus transaction monitoring, SAR filing, training, and governance — it exists to detect and prevent money laundering specifically. CFT is a specialised sub-programme within AML, focused on preventing financial flows to terrorist organisations. CFT is distinctive because the underlying funds may be entirely legal — the focus is the destination, not the origin. In practice, all three overlap daily: a single PEP case can have active KYC, AML, and CFT files simultaneously.”
Practising answers like this out loud — not reading them — is where candidates differentiate themselves. That’s what AGZIT’s voice-based AI Mock Interview is designed for.
Practise KYC vs AML vs CFT Out Loud
Reading this guide is step one. Saying it clearly under pressure — with regulatory references and scenario examples — is what gets you the offer. AGZIT AI Mock Interview puts you in front of a voice-based AI interviewer that asks exactly these kinds of conceptual questions.