AML compliance for digital banking

As banks and other financial institutions (FIs) embrace advances in financial technology, the digital banking sector has grown dramatically. This trend shows no signs of slowing down: one survey suggests 86 percent of UK adults use some form of online or remote banking in 2024, while 36 percent have a digital-only bank account, compared with 24 percent in 2023. 

However, as digital banking services become more sophisticated, so do the criminal methodologies designed to target them. To combat these, firms must be aware of their regulatory obligations, with the banking sector suffering the second-heaviest fines for breaches in 2023. They must then prioritize developing robust anti-money laundering and countering the financing of terrorism (AML/CFT) measures to ensure their appeal to consumers does not come at the cost of compliance. 

AML regulations for digital banking

Most countries worldwide have developed specific and comprehensive AML/CFT regulatory frameworks, which apply equally to digital banks, traditional FIs, and certain non-financial sectors such as casinos, high-value dealers, and real estate firms. 

As digital banking grows, these institutions face the same regulatory obligations as their traditional counterparts. However, due to the high costs and complexity of obtaining a banking license, many digital banks opt to partner with fully licensed, established banks. While such partnerships may help digital banks navigate certain regulatory requirements, they remain fully responsible for their own compliance with AML laws. Relying solely on their partners’ compliance measures is insufficient to mitigate their legal responsibilities or risks.

Therefore, all digital banks must be aware of the specific AML/CFT laws in each jurisdiction in which they operate, as well as the regulatory bodies responsible for enforcement. The following outlines key legislation and regulators in major jurisdictions:

• United States: The Bank Secrecy Act (BSA), the Anti-Money Laundering Act, and the USA Patriot Act are the major pieces of legislation firms should consult. US digital banks are regulated by the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) on AML/CFT matters. 
• United Kingdom: The Proceeds of Crime Act (POCA), the Money Laundering, and Transfer of Funds (Information on the Payer) Act, and the Terrorism Act are at the center of UK AML/CFT regulation. All FIs are regulated by the Financial Conduct Authority (FCA). 
• European Union: The ‘new’ Sixth Anti-Money Laundering Directive (6AMLD) is the EU’s main piece of AML legislation. A 2024 package of new AML rules established an EU-wide regulator, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). Digital banks should also comply with the Payment Services Directive (PSD2), which sets rules on handling consumer data. 
• Singapore: The Monetary Authority of Singapore (MAS) is the financial regulator for Singapore, while the Corruption, Drug Trafficking, and Other Serious Crimes Act (CDSA) is the country’s primary AML legislation alongside the Payment Services Act (PSA). Unlike some jurisdictions, Singapore has a banking license specifically for digital-only banks. 

Most jurisdictional AML regulations take their cue from the Financial Action Task Force’s (FATF) International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, or ‘40 Recommendations’. These set the standard for international AML and center around a core set of principles: 

To develop a risk-based approach, firms should conduct initial (and frequently updated) risk assessments to determine the kinds of risk they are most likely to face, laying the ground for their AML policies. 

Ongoing customer monitoring is one key internal control firms should adopt; per EU regulations introduced in 2024 requiring payment service providers (PSPs) to be able to send and receive instant payments, FIs must be able to conduct at least daily customer screening. Another is transaction monitoring, which enables firms to detect and flag any unusual transactions or suspicious patterns that develop. When this happens, FIs should report it using a suspicious activity report (SAR). 

As technology-focused businesses, digital banks should be fully capable of developing electronic know your customer (KYC) and customer due diligence (CDD) processes, though they should ensure their processes align with the FATF’s published guidance for FIs using digital ID. 

Compliance challenges in digital banking

Digital banks face both conventional money laundering risks and those that have emerged from advances in financial technology. However, although they may encounter the same financial crime typologies and regulations as other kinds of banks and FIs, this does not mean they share the exact same set of compliance challenges. For digital banks, these challenges are often caused by: 

• Speed: Digital banks are defined by operational speed and efficiency, which tends to be how they draw customers away from legacy banks. However, not only is this at odds with the safety-first ethos of compliance, but it’s exactly what makes them attractive targets for money launderers, who look to take advantage of quick, easy onboarding and payment processing. Digital banks must find ways to maintain seamless onboarding and customer experiences to grow their business, while detecting and preventing AML/CFT risks at the same time. 
• A comparative lack of resources: As younger, leaner ventures, digital banks often lack the resources to devote compliance that more established FIs can afford to spend. Investment in hiring, staff training, and specialist software are all necessary steps in implementing a strong AML/CFT compliance program. 
• Cross-border payments: One selling point for digital banks is often the ability to send money abroad easily that they offer. Again, though, this leaves them vulnerable to criminals trying to evade detection by creating a complex web of international transactions that is difficult to trace and slips through regulatory inconsistencies across jurisdictions. 

A Guide to Anti-Money Laundering for Digital Banks

Based on expert advice and interviews with sector leaders, our comprehensive guide takes you through every step in the compliance process for digital banks.

Download your copy

How digital banks can comply with AML regulations

To manage AML risks, digital banking service providers must take clearly defined approaches to regulatory compliance. In practice, this means firms should optimize their processes for collecting and analyzing customer data in a digital landscape. Effective components of an AML compliance program for digital banks include:

• Business-wide risk assessments: These should be based on factors like the customers a firm serves, its products and services, and where it operates around the world. Some jurisdictions, such as those on the FATF ‘grey’ and ‘black’ lists, indicate a higher risk level, as do certain customer occupations. Banking services that allow customers to transact anonymously should also be treated as higher-risk. 
• Appointing a compliance officer: Compliance programs should be overseen by an experienced, specialist officer responsible for implementing a firm’s AML policies, submitting SARs, and communicating with auditors and regulators. 
• Staff training: While the compliance officer takes ultimate responsibility for the effectiveness of a firm’s AML program, any business should have multiple lines of defense in place against financial crime. Firms should ensure staff, from compliance teams to customer-facing employees, receive regular AML training. 
• CDD: When onboarding customers, banks should collect data such as their name, address, and the nature of their intended relationship with the bank. CDD also includes establishing ultimate beneficial ownership (UBO). Customers deemed higher risk should be subject to enhanced due diligence (EDD) measures, such as screening for sanctions and watchlists, adverse media, and politically exposed person (PEP) status. 
• Transaction monitoring measures: These should be in place to detect any red flags associated with customer transactions, which might include unusual transaction patterns, transactions above a reporting threshold, or transactions with high-risk countries or sanctioned entities. 
• Advanced AML software: In an increasingly digitalized banking landscape, effective compliance requires firms to collect and process large volumes of data, especially when onboarding customers at scale and delivering instant payments. Digital banks must take advantage of the specialist AML software available in the marketplace. 

Integrating smart technology for digital banking compliance

Implementing advanced AML software should be a natural step for innovative FIs such as digital banks. However, with multiple options available to them, firms should consider their specific needs and which of the advantages this technology can provide will serve them best. Specific factors to look out for include: 

• Data sources: When screening customers against sanctions lists, watch lists, PEPs and RCAs, adverse media, and enforcement data, firms need their data to be accurate, relevant, and derived from multiple reliable sources. They should also receive updates on data as soon as they occur. 
• Machine learning (ML) capabilities: Software enhanced by ML can offer firms a significant advantage in ensuring data quality by performing semantic and statistical analysis. ML can also minimize false positive rates – which can be a substantial drain on resources – with matching algorithms that can take into account global naming conventions, differences in spellings, and aliases. 
• User-friendliness: An effective AML software solution should combine technical sophistication with practical ease for compliance teams. Features like consolidated customer profiles and automated event and customer risk rating can noticeably lighten workloads and allow compliance teams to prioritize higher-risk cases.