Nov 26, 2024

AML Laws and Regulations in the US 2024—What Has Changed?

Learn how financial institutions can stay AML-compliant in the United States. Explore recent regulatory changes and how businesses can ensure a smooth onboarding process.

The United States is a leader in the fight against money laundering and the financing of terrorism. Still, up to $300 billion is laundered through the US annually. 

The US was one of the first countries in the world to make money laundering a federal crime with its Money Laundering Control Act of 1986 (Public Law 99-570). Today, the US is a member of the Financial Action Task Force (FATF) and has a strong AML/CFT framework that imposes heavy penalties for noncompliance. Just recently, in October 2024, TD Bank was hit with a record $3 billion fine over money laundering.

To avoid severe penalties and keep their reputation clean, financial institutions must know the relevant AML requirements in the US and understand how to stay compliant. We’ve come up with the following guidelines to help.

Who do AML regulations in the US apply to?

The following institutions must comply with AML regulations in the US and maintain risk-based AML programs:

  • Banks (Credit Institutions)
  • Money-service businesses (currency dealers or exchangers, check cashers, issuers of traveler’s checks or money orders, sellers or redeemers of traveler’s checks or money orders, money transmitters)
  • Insurance companies
  • Brokers/dealers in securities
  • Casinos
  • Domestic financial institutions
  • Cryptocurrency service providers
  • US-based branches of foreign financial institutions
  • Non-US operations of foreign financial institutions due to their legal relationship with their US-based operations, particularly through correspondent banking relationships
  • Financial institutions operating exclusively outside the US and whose transactions are processed through another US financial institution. Also, financial institutions affected by US sanctions or the target countries they provide services to or countries in which they operate
  • US legal and/or natural persons, defined as “an individual, a corporation, a partnership, a trust or estate, a joint stock company, an association, a syndicate, joint venture, or other unincorporated organization or group, an Indian Tribe (as that term is defined in the Indian Gaming Regulatory Act), and all entities cognizable as legal personalities.”

Foreign subsidiaries of US financial institutions must also comply with United States anti-money laundering laws. 

AML and cryptocurrency in the US

US AML laws are increasingly targeting cryptocurrency providers due to their role in money laundering and illicit finance, as these platforms offer greater anonymity.

For instance, the Bank Secrecy Act (BSA) requires cryptocurrency exchanges and wallet providers classified as Money Services Businesses (MSBs) to implement risk-based AML programs, conduct Customer Due Diligence (CDD), and report suspicious activity. Recent developments include proposed rules to regulate cryptocurrency mixers and ongoing enforcement by agencies like FinCEN, the SEC, and CFTC. These efforts aim to strengthen crypto regulations in traditional financial sectors while addressing complex challenges, such as anonymity and cross-border transactions.

Check out this detailed guide to learn how the crypto industry is regulated in the USA: What is the FATF Travel Rule? The Ultimate Guide to Compliance (2024)

Who regulates AML in the US?

The Financial Crimes Enforcement Network (FinCEN)

The main US financial regulator and Financial Intelligence Unit (FIU) is the Financial Crimes Enforcement Network (FinCEN), which operates under the authority of the US Department of the Treasury.

FinCEN oversees all financial institutions in the US to prevent money laundering and the financing of terrorism. Its responsibilities involve the collection of transaction data from local companies and distribution of that data for law enforcement purposes. FinCEN can partner with law enforcement agencies at the state and federal levels to assist in criminal investigations. The watchdog also cooperates with its international counterparts in order to fight global financial crimes.

The Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (OFAC) works to identify already known criminals and enforce economic sanctions on countries, individuals and legal persons that are engaged in criminal or illegal activities. The regulator oversees US sanctions programs to ensure that companies comply with the trade prohibitions on targets named in the relevant sanctions lists.

There are a number of sanctions lists in the US, but the main one is the Specially Designated Nationals and Blocked Persons List (SDN) published by the US Department of Treasury. The SDN list includes the names of persons designated for economic sanctions within a US global sanctions program. 

The Securities and Exchange Commission (SEC)

The US Securities and Exchange Commission (SEC) plays a key role in combating money laundering by enforcing AML regulations for securities brokers, dealers, and investment advisors. Under the Bank Secrecy Act (BSA), the SEC ensures these entities implement risk-based AML programs, conduct Customer Due Diligence (CDD), and file Suspicious Activity Reports (SARs). The SEC also collaborates with FinCEN and other agencies to oversee compliance and investigate securities-related money laundering. It focuses on risks in areas such as cryptocurrency, market manipulation, and unregistered securities offerings.

The Federal Reserve Board (FRB)

The Federal Reserve Board (FRB) oversees AML compliance for banks and financial institutions (members of the Federal Reserve System) under its supervision, ensuring they adhere to the Bank Secrecy Act (BSA) and related regulations. The FRB examines banks for compliance during routine inspections, focusing on policies for detecting and preventing money laundering and terrorist financing. It also collaborates with other federal and state agencies, such as FinCEN, to enforce AML laws and share financial intelligence.

What are the main AML regulations in the US?

The Bank Secrecy Act

The primary AML legislation in the US is the Bank Secrecy Act (BSA). Implemented in 1970, the BSA imposes reporting and record-keeping obligations on US financial institutions (including banks, brokerage firms, insurance companies, etc.) in order to prevent criminals from using their products and services to launder the proceeds of their crimes.

Under the Bank Secrecy Act (BSA) and related anti-money laundering laws, financial institutions must:

  • Design and implement effective BSA compliance programs
  • Create and implement effective customer due diligence systems and monitoring programs
  • Screen Office of Foreign Assets Control (OFAC) and other government lists
  • Establish an effective suspicious activity monitoring and reporting program
  • Develop risk-based anti-money laundering and compliance monitoring programs.

In most cases, financial institutions are obliged to collect tax identification numbers of US citizens or residents, such as social security numbers (SSNs), together with their full name, date of birth, and address.

An SSN is a unique 9-digit number directly linked to an individual’s identity. If stolen or forged, a criminal can gain illegitimate access to a person’s bank accounts, credit cards, tax and employment history, and other private information.

Sumsub’s SSN check can prevent forgery and make your KYC flow efficient. 


The Patriot Act

After 9/11, the US passed the USA Patriot Act as an amendment to the BSA. The Patriot Act gave US law enforcement agencies further authority when investigating suspected terrorism financing.

In particular, the Patriot Act imposes a range of Customer Due Diligence (CDD) and screening responsibilities on US companies, with a focus on international transactions. The Patriot Act imposes criminal and financial penalties for persons found to be in violation of CFT compliance regulations.

AMLA 2020

In 2021, the US introduced the Anti-Money Laundering Act (AMLA) 2020, the most notable reform to the country’s AML/CFT legislation since the Patriot Act.

Its purpose is to manage the threats posed by new technologies and criminal methodologies. The regulatory measures introduced by the AMLA include broadened international information sharing rules, new beneficial ownership requirements to prevent the misuse of shell companies, increased penalties for money laundering, and new whistleblower protections.

Anti-money laundering guidelines in the US

As a FATF member state, the US requires financial institutions to take a risk-based approach to AML/CFT. This means that they must conduct a Know Your Customer (KYC) assessment to identify clients during onboarding, establish the level of compliance risk they wish to tolerate and deploy AML/CFT measures in proportion to that risk.

Another important procedure for certain businesses in the US is the Customer Identification Program (CIP). CIP has to be implemented by all banks, credit unions, and savings and loan associations operating in the US as part of their BSA/AML compliance program. Check this detailed guide on CIP to understand who must comply with CIP and how it’s different from KYC.

A proper US AML program

A good AML compliance program for a US institution must include the following procedures:

  • Customer identification. Firms in the US must establish and verify the identities of their customers in order to conduct effective risk assessment. The Customer Due Diligence (CDD) process should involve the collection of names, addresses, dates of birth, tax identification numbers and beneficial ownership information.
  • Ongoing monitoring. Businesses must refresh KYC data held on customers in order to ensure it’s complete and up-to-date, and reflects current circumstances. Businesses are also obliged to conduct monitoring for any suspicious activity or behavior.
  • Transaction screening. US institutions must screen their customers’ transactions for signs of suspicious activity, including unusual transactions, transactions with high-risk customers and jurisdictions, inconsistencies between the declared profile and the actual transactions or transactions involving sanctions targets.
  • Politically Exposed Persons (PEPs). High-ranking public officials as well as their close associates represent an increased risk of money laundering. US firms should therefore screen customers against PEP lists to determine the level of compliance risk they present.
  • Sanctions screening. US companies must screen their customers against relevant sanctions lists, including the SDN list and the UNSC sanctions list.

Enhanced due diligence

Under the risk-based approach to AML/CFT, the US requires firms to subject their higher-risk customers to Enhanced Due Diligence (EDD) measures. The EDD process includes a larger degree of AML/CFT scrutiny, stronger identity verification measures, and additional checks such as checks on the source of customer funds and wealth.

Adverse media checks

Criminal cases may be reported in the news before official sources confirm them. Accordingly, the EDD process may also include adverse media screening, which requires financial institutions to search news sources for the customer’s involvement in negative stories (including terrorism, terrorist financing, financial crime, organized crime, kidnapping, corruption, and tax crime).

Suggested read: 5 Best Practices for Adverse Media Screening

Suspicious Activity Reports

Financial institutions must submit a Suspicious Activity Report (SAR) through the Bank Secrecy Act (BSA) E-Filing System no later than 30 calendar days after the date when signs of money laundering were initially detected.

Further reporting obligations

Financial institutions are required to assist US government bodies in detecting and preventing money laundering by:

  • Keeping records of cash purchases of negotiable instruments
  • Filing reports of cash transactions exceeding $10,000 (daily aggregate amount)
  • Reporting suspicious activity that might signal criminal activity (e.g., money laundering or tax evasion).

What changed in 2024?

In 2024, several updates to the USA’s Anti-Money Laundering (AML) laws were proposed or implemented, focusing on modernizing compliance requirements and addressing emerging financial threats. Key changes include:

Beneficial Ownership Information (BOI) rule enforcement:

The Financial Crimes Enforcement Network (FinCEN) began enforcing the Beneficial Ownership Information (BOI) rule. This rule requires businesses to report information about individuals with significant control or ownership stakes (at least 25%). This aims to close loopholes that previously allowed the misuse of opaque corporate structures for money laundering. Compliance is required of millions of businesses, with phased access for government agencies and financial institutions.

Proposed rule for AML program standardization:

FinCEN introduced a proposed rule to harmonize AML and Countering the Financing of Terrorism (CFT) programs across various financial institutions (e.g., banks, broker-dealers, and MSBs). This includes:

  1. Risk-based assessments tailored to each institution’s unique risks, client base and business model.
  2. Mandatory designation of a qualified full-time AML officer
  3. Enhanced governance, requiring board oversight for AML/CFT programs
  4. Regular independent program testing and staff training.

Increased focus on cryptocurrency:

FinCEN issued a Notice of Proposed Rulemaking targeting cryptocurrency mixers, designating them as potential money laundering tools. This would impose stricter obligations under the Bank Secrecy Act, reflecting the increasing regulatory focus on the crypto sector. The SEC’s ongoing legal actions against major crypto platforms (e.g., Coinbase) will further shape the AML landscape for digital assets.

Broader compliance updates:

The new rules seek to align AML obligations across all financial institutions, eliminating disparities in regulatory requirements. This approach emphasizes consistency while maintaining robust mechanisms to combat financial crimes.

What is the punishment for money laundering in the US?

Criminal penalty

The maximum BSA-related criminal penalty is $250,000 and up to five years’ imprisonment. However, if the violation is part of a pattern of conduct involving more than $100,000 over a 12-month period and involves the violation of another US criminal law, the penalty increases to $500,000 and up to 10 years’ imprisonment.

Civil penalty

The maximum BSA-related civil penalty may also differ. For example, federal banking regulators have the authority to impose penalties from $5,000 per violation to $1,000,000, or 1% of the assets of a financial institution, whichever is greater, for every day that the violation occurs.

Other federal watchdogs and self-regulatory organizations have independent civil penalty authorities. Penalties are mainly assessed for AML compliance program deficiencies, failures to file suspicious activity reports (SARs), and the presence of other BSA violations.

FAQ

  • What are the AML requirements in the USA?

    AML requirements in the US mandate financial institutions to implement a compliance program including risk-based policies, customer due diligence (CDD), suspicious activity reporting (SAR), recordkeeping, independent audits, employee training, and adherence to FinCEN’s regulations under the Bank Secrecy Act (BSA).

  • What are the 6 pillars of an AML policy in the US?

    The ‘6 Pillars’ of an AML policy in the US are core components of a compliance program, which include risk assessment, written internal policies, procedures and controls, the appointment of a designated compliance officer, ongoing training for employees, independent testing and auditing, as well as customer due diligence (CDD).

  • What is the US Anti-Money Laundering law?

    The key AML laws are the Bank Secrecy Act and the Patriot Act.

  • What is the KYC requirement in the USA?

    KYC verification is the process of verifying a customer’s identity to help comply with the AML regulations in the US.

  • Is KYC required in the USA?

    Yes. The US Financial Crimes Enforcement Network (FinCEN) requires financial institutions to comply with KYC standards to prevent criminal activity.
