KYC Regulations Explained
FATF, FinCEN, FCA, 6AMLD, DFSA & More
The complete 2026 map of KYC regulations across the US, UK, EU, UAE, India, Canada, Singapore, and Hong Kong — with plain-English explanations of what each one actually requires in daily compliance work.
If you work in KYC at Goldman Sachs, JPMorgan, Barclays, Emirates NBD, Citi, BofA, Morgan Stanley, BNY, State Street, or any of the major KPOs like eClerx and Genpact, you do not choose which regulation applies to your customer file — the regulators do. Every customer you onboard is governed by a specific stack of laws depending on (1) where the bank is regulated, (2) where the customer is based, (3) where the funds originate, and (4) where the transactions settle.
This guide is the practical reference most KYC analysts wish they had in their first year. It walks you through every major global framework: FATF 40 Recommendations (the global baseline), US BSA / USA PATRIOT Act / FinCEN CDD Rule, UK MLR 2017 / FCA rules, EU 6AMLD + AMLA, UAE DFSA AML Module + ADGM Rulebook, India PMLA + RBI KYC Master Direction, Canada PCMLTFA / FINTRAC, Singapore MAS Notices, and Hong Kong AMLO. Each section explains what the regulation requires, who it binds, and what that means on the desk.
The Global Baseline: FATF 40 Recommendations
FATF — Financial Action Task Force
Founded: 1989, at the G7 Paris Summit. Members: 39 member jurisdictions plus regional bodies.
What it is: FATF is the global standard-setting body for AML/CFT. Its 40 Recommendations are not law in themselves — each country implements them into domestic legislation. However, FATF’s Mutual Evaluation process means non-compliant countries end up on the grey list (increased monitoring) or black list (call for action), which has severe real-world consequences for their banks’ international access.
Key Recommendations you must know:
- R1: Risk-based approach (RBA) — foundation of all modern KYC
- R10: Customer Due Diligence (CDD) — the CIP + CDD + EDD framework
- R12: Politically Exposed Persons (PEPs) requirements
- R13: Correspondent banking relationships
- R16: Wire transfer / Travel Rule (extended to virtual assets)
- R20: Suspicious Transaction Reporting (STR/SAR)
- R24 & R25: Beneficial ownership transparency for legal persons and arrangements
2026 context: UAE exited the FATF grey list in February 2024, transforming Dubai and Abu Dhabi into major KYC hiring markets. Several jurisdictions including Jamaica, Nigeria, and the Philippines remain on active monitoring lists.
🇺🇸 United States — The Strictest Enforcement Environment
Bank Secrecy Act (1970) + USA PATRIOT Act (2001)
The BSA was the world’s first modern AML statute. The PATRIOT Act expanded it post-9/11 to require customer identification and extend KYC into counter-terrorist financing. Together they form the backbone of US financial-crime compliance.
What it requires from you:
- A written AML program with five pillars: designated AML officer, written policies, independent testing, ongoing training, and CDD (the fifth pillar added in 2016)
- Customer Identification Program (CIP) at account opening
- Suspicious Activity Report (SAR) filing within 30 days of detection
- Currency Transaction Report (CTR) for cash transactions above $10,000
- Record retention for at least 5 years
Primary enforcers: FinCEN (administers the BSA), OCC (national banks), Federal Reserve (bank holding companies), OFAC (sanctions), FBI + DOJ (criminal enforcement).
FinCEN 2016 CDD Rule & 2024 Corporate Transparency Act
The 2016 CDD Rule formalised beneficial owner requirements for legal entity customers — banks must identify any individual owning 25% or more, plus one control person, at account opening. The Corporate Transparency Act (CTA) extended this by creating a central FinCEN beneficial ownership register; however, enforcement of the CTA BOI reporting requirement has been paused for domestic reporting companies in 2025 following litigation.
Why this matters for KYC analysts: You are the team that collects, verifies, and documents beneficial ownership. A missing or incorrect UBO is the single most common regulatory finding in BSA enforcement actions.
Office of Foreign Assets Control Sanctions
OFAC administers US economic and trade sanctions — including the SDN (Specially Designated Nationals) list, sectoral sanctions, country-based sanctions (Iran, North Korea, Syria, Cuba, Russia), and secondary sanctions reaching non-US persons.
Critical rules every KYC analyst should know:
- 50% Rule: any entity owned 50% or more by sanctioned parties is itself sanctioned, even if not explicitly listed
- Primary vs secondary sanctions: primary binds US persons; secondary threatens non-US persons with loss of US financial access
- General vs Specific Licences: limited exceptions permitting otherwise prohibited transactions
🇬🇧 United Kingdom — FCA and the Post-Brexit Landscape
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
MLR 2017 (updated by MLR 2019 and 2022 amendments) is the core UK framework. It transposes EU 4AMLD and has been updated post-Brexit to incorporate elements of 5AMLD and 6AMLD standards without being an EU directive.
What it requires:
- CDD at onboarding, EDD for PEPs, high-risk third countries, and complex structures
- Beneficial owner identification at 25% threshold
- Senior-management approval for PEP relationships
- Suspicious Activity Report filing to the UK National Crime Agency (NCA)
- 5-year record retention
Financial Conduct Authority Sourcebook
The FCA is the primary conduct and AML supervisor for UK financial services firms. Its Financial Crime Guide (FCG) and SYSC 6.3 rules operationalise MLR 2017 for regulated firms. FCA enforcement actions against HSBC, Standard Chartered, NatWest, and others have all been based on KYC/AML control failures.
Senior Managers & Certification Regime (SMCR): Under SMCR, named individuals (Heads of Compliance, MLROs) are personally accountable for AML effectiveness and can be individually fined, banned from financial services, or prosecuted.
Office of Financial Sanctions Implementation
OFSI administers UK sanctions (separate from EU sanctions since Brexit). Since 2022 it has significantly expanded the Russia sanctions regime. UK sanctions apply to all UK persons worldwide and all persons within the UK — making compliance critical for any bank with a UK branch or UK-based relationships.
🇪🇺 European Union — 6AMLD and the Rise of AMLA
6th Anti-Money Laundering Directive
Adopted in 2018 and in force across EU member states from December 2020 (June 2021 for regulated firms), 6AMLD represented the most comprehensive update to EU AML law in a decade.
What changed with 6AMLD:
- Harmonised 22 predicate offences across all 27 member states (previously each country defined its own list)
- Extended criminal liability to legal persons — companies themselves can now be prosecuted for AML failures, not just individuals
- Increased minimum criminal penalties to at least 4 years imprisonment
- Strengthened cross-border cooperation and information exchange between FIUs
- Tightened beneficial ownership register requirements
Anti-Money Laundering Authority (AMLA) — Launching 2026
AMLA is the new EU-level AML supervisor, headquartered in Frankfurt, which begins operations in 2026. It will directly supervise approximately 40 of the largest cross-border financial institutions in the EU, taking over from national regulators for those entities.
Why this matters: For tier-1 EU banks, AMLA supervision means centralised, harmonised enforcement for the first time. For KYC teams, it means consolidated reporting expectations, AML methodology convergence, and a single European regulator with significant fine-setting authority. Many banks are restructuring their EU compliance functions specifically in anticipation of AMLA.
🇦🇪 United Arab Emirates — DFSA, ADGM, and Federal Framework
UAE Federal Decree-Law No. 20 of 2018
This is the UAE’s federal AML/CFT law, administered by the Central Bank of the UAE (CBUAE) and the UAE FIU (goAML). It applies to all UAE onshore banks and financial institutions and is supplemented by the UAE Cabinet targeted financial sanctions regulations.
DFSA AML Module (Dubai International Financial Centre)
The Dubai Financial Services Authority (DFSA) regulates firms in the DIFC free zone. Its AML Module follows FATF Recommendations closely and is broadly aligned with UK and international standards. Goldman Sachs, JPMorgan, Morgan Stanley, Barclays, and HSBC all operate regulated entities in DIFC.
Notable features:
- Foreign PEP classification is the highest tier: always EDD, always senior approval
- Strong emphasis on adverse media screening in multiple languages
- DFSA publishes Dear SEO letters that function as directly enforceable expectations
ADGM Anti-Money Laundering and Sanctions Rules
The Abu Dhabi Global Market (ADGM) operates its own common-law framework with the FSRA (Financial Services Regulatory Authority) as supervisor. The ADGM AML Rulebook closely follows FATF standards. ADGM is a growing hiring centre for international banks, private banking, and fintech firms.
🇮🇳 India — PMLA and RBI Master Direction
Prevention of Money Laundering Act 2002 + PMLA Rules 2005
PMLA is India’s foundational AML statute. It is administered by the Enforcement Directorate (ED) for criminal enforcement and the Financial Intelligence Unit of India (FIU-IND) for reporting. Scheduled offences under PMLA include a broad range of predicate crimes.
RBI Master Direction — Know Your Customer 2016
This is the operational KYC rulebook for all RBI-regulated entities. It is regularly updated and now includes detailed provisions for video KYC (V-CIP), digital onboarding, central KYC registry (CKYCR), and re-KYC cycles. It applies to banks, NBFCs, payment banks, and co-operative banks.
Also relevant: SEBI KYC regulations for securities market intermediaries, IRDAI norms for insurance companies, and PFRDA rules for pension providers.
🇨🇦 Canada — PCMLTFA and FINTRAC
Proceeds of Crime (Money Laundering) and Terrorist Financing Act + FINTRAC
PCMLTFA is Canada’s foundational AML statute. FINTRAC is the Financial Intelligence Unit and supervisor. Recent developments have been significant — the 2024 TD Bank $3.09B US settlement included Canadian regulatory coordination, and FINTRAC has issued several substantial enforcement actions since 2023.
What it requires:
- Client identification with documentary verification
- PEP and HIO (Head of International Organisation) screening
- Beneficial ownership at 25%
- Suspicious Transaction Report (STR) filing to FINTRAC
- Large Cash Transaction Reports (LCTR) for transactions of $10K CAD or more
Employers: TD, RBC, Scotiabank, BMO, CIBC, and HSBC Canada all run large KYC teams in Toronto, as do the Canadian branches of US investment banks.
🇸🇬 Singapore — MAS Notices
MAS AML / CFT Notices (Banking, Capital Markets, Insurance, Payment Services)
The Monetary Authority of Singapore (MAS) issues separate AML Notices for each regulated sector — Notice 626 (banks), SFA-N03 (capital markets), MAS Notice 314 (insurance), PSN01 (payment services). All follow FATF Recommendations closely with Singapore-specific enhancements.
Singapore-specific features:
- Strong tone-at-the-top expectations — board-level accountability
- Detailed wealth management KYC expectations given Singapore’s private banking hub status
- Significantly tightened ongoing monitoring expectations for high-net-worth foreign residents following the 2023 Singapore money laundering case (S$3 billion seized)
🇭🇰 Hong Kong — AMLO and HKMA
Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO)
AMLO is the primary AML statute. The Hong Kong Monetary Authority (HKMA) supervises banks; the Securities and Futures Commission (SFC) supervises capital market intermediaries. Both issue detailed AML Guidelines that function as directly enforceable supervisory expectations.
Relevance for international KYC careers: Despite shifts in cross-border dynamics, Hong Kong remains a major KYC hub for private banking, securities services, and corporate banking with deep mainland China exposure.
Comparison Summary — The Regulatory Stack at a Glance
| Jurisdiction | Primary AML Statute | Main Regulator | Primary SAR/STR Filer |
|---|---|---|---|
| 🇺🇸 USA | Bank Secrecy Act + PATRIOT Act | FinCEN, OCC, Fed, OFAC | FinCEN |
| 🇬🇧 UK | MLR 2017 | FCA, OFSI | National Crime Agency |
| 🇪🇺 EU | 6AMLD + AMLA (2026) | National regulators + AMLA | National FIUs |
| 🇦🇪 UAE | Federal Decree-Law 20/2018 | CBUAE, DFSA, ADGM FSRA | UAE FIU (goAML) |
| 🇮🇳 India | PMLA 2002 + RBI MD KYC 2016 | RBI, SEBI, IRDAI | FIU-IND |
| 🇨🇦 Canada | PCMLTFA | FINTRAC, OSFI | FINTRAC |
| 🇸🇬 Singapore | CDSA + MAS Notices | MAS | STRO |
| 🇭🇰 Hong Kong | AMLO | HKMA, SFC | JFIU |
Tier-1 investment banks operate in all these jurisdictions simultaneously. A KYC analyst who understands how UBO rules differ between FinCEN and MLR 2017, or how DFSA PEP classification compares to 6AMLD, is a higher-value hire than one who only knows their domestic framework. For candidates seeking to signal this depth, role-specific credentials like GO-AKS (Globally Certified KYC Specialist) for analysts, IKYCA (Internationally Certified KYC Specialist) for cross-border KYC positions, and IR-KAM (Internationally Certified KYC Manager) for approvers and team leads map directly to this multi-jurisdictional skill set.
What’s Changing in 2026
Three large regulatory shifts are reshaping the KYC landscape through 2026:
- EU AMLA launches: Direct supervision of 40 tier-1 cross-border institutions begins in 2026. Expect harmonised KYC methodology across EU member states and significant internal restructuring at affected banks.
- FATF Travel Rule enforcement for VASPs: Major jurisdictions are now actively enforcing the virtual asset Travel Rule. Crypto KYC roles at exchanges and VASPs are some of the fastest-growing compliance segments — candidates targeting this space benefit from specialised credentials like C2KO (Certified Crypto KYC Officer) or C3O (Certified Crypto Compliance Officer).
- Beneficial ownership transparency: Global convergence on UBO registers is accelerating, though US Corporate Transparency Act enforcement for domestic reporting companies has been paused pending litigation. Expect continued evolution here.