
A guide to anti-money laundering regulations in the US

AML Compliance Knowledge & Training

As the largest economy in the world and an influential political power, the United States plays a vital role in the global fight against money laundering and the financing of terrorism. The US is a member of the Financial Action Task Force (FATF) and has developed a robust anti-money laundering and combating the financing of terrorism (AML/CFT) framework that reflects international regulatory standards and imposes significant penalties for non-compliance. 

An overview of US AML regulations

The US AML regime consists of a series of laws introduced since 1970. These vary in purpose, from establishing money laundering as a criminal offense to listing specific obligations for firms. In practice, the compliance requirements US firms need to know are contained within three key regulations. 

The Bank Secrecy Act (BSA) 

The BSA, a foundational piece of AML legislation in the US, was introduced in 1970 and has been updated regularly to keep pace with developments in financial crime. Banks and other financial institutions (FIs) must conform to its requirements, which include: 

  • Internal AML controls: FIs must create, implement, and maintain AML compliance programs. These must have written policies and procedures to help employees detect and prevent financial crime, be overseen by a compliance officer, and include compliance training for all employees. Crucially, these measures must be based on the results of business-wide risk assessments, while compliance programs must undergo a regular schedule of independent audits to confirm their continued effectiveness. 
  • Customer due diligence (CDD): Firms must have customer identification programs to establish and verify all customer identities and the nature of their relationship with them. The ‘CDD Final Rule’ is an amendment to the BSA that obliges firms to establish all ultimate beneficial owners (UBOs) of any of their business customers to prevent the misuse of corporate ownership structures. 
  • Monitoring: Firms must monitor both customers and transactions on an ongoing basis, enabling them to detect suspicious transactions and update customer data to maintain its accuracy. 
  • Reporting: Firms must report all transactions they believe may be linked to the proceeds of a crime to the Financial Crimes Enforcement Network (FinCEN) through suspicious activity reports (SARs). They must also file currency transaction reports (CTRs) for cash transactions exceeding $10,000 (whether as a single transaction or several in 24 hours). Finally, businesses must use Form 8300 whenever they receive a cash payment of more than $10,000. 
  • Record-keeping: FIs must keep records relating to their compliance policies, customer accounts, and transaction reports for five years. They must also maintain records of particular transactions, like purchases of monetary instruments over $3,000, international payments over $10,000, and credit extensions over $10,000. 

The USA Patriot Act

Adopted in the wake of the September 11, 2001 terror attacks, the Patriot Act gave new investigative powers to law enforcement and amended the BSA to tighten the US AML framework, explicitly requiring firms to develop measures to counter terrorist financing. The Patriot Act’s most significant rules cover:  

  • Customer identification: The Patriot Act first introduced mandatory customer identification programs for FIs – a requirement later reinforced and clarified by the CDD Final Rule. 
  • Compliance policies and procedures: Whereas FIs were previously only required to develop policies to guard against money laundering, the Patriot Act extended these obligations to include protections against terrorist financing. 
  • Reporting: Similarly, firms have been required to report transactions linked to suspected terrorist financing, alongside other financial crimes, since the Act was introduced. The Act also imposed a 120-hour limit for responding to requests for information from regulators or law enforcement agencies. 
  • Enhanced due diligence (EDD): Firms must apply EDD to institutions conducting correspondent banking on behalf of foreign financial institutions or holding private bank accounts for non-US citizens. The Patriot Act also prevented US banks from engaging in relationships with foreign shell banks (banks lacking a physical location in which they are regulated). 

The Anti-Money Laundering Act (AMLA) 

The most recent major AML regulation to be introduced in the US, AMLA was passed into law in 2020 and included provisions to increase the detection and prosecution of money laundering offenses, such as: 

  • Beneficial ownership registration: The Corporate Transparency Act (CTA) falls under AMLA’s umbrella and requires US “reporting companies” (corporations and limited liability companies) to identify and declare their beneficial owners. The Act defines these as any entity owning or controlling 25 percent or more of the company or able to exercise significant control over it. However, a December 3, 2024 ruling by a Texas federal judge enjoining the CTA because it is “likely unconstitutional” has put all of its compliance requirements on hold. As of mid-December 2024, beneficial ownership reporting is, for now, voluntary.
  • Expansion of regulatory oversight: AMLA expands the scope of the BSA to include FIs involved in non-traditional exchanges of value, such as virtual currency providers or antiquities dealers. 
  • Whistleblower protection: Firms cannot retaliate against employees who disclose information about possible AML regulatory violations. 

US AML regulators 

Responsibility for implementing and enforcing these laws falls to the AML regulatory bodies of the US, which issue rules and guidance for firms and punish those who do not comply. 

The Financial Crimes Enforcement Network (FinCEN) 

Established in 1990, FinCEN is the United States’ main financial regulator and supervises the AML/CFT compliance of banks and other financial service providers. It operates under the authority of the United States Treasury Department. It is the financial intelligence unit (FIU) of the US, analyzing firms’ transaction reports and passing on financial intelligence to state and federal law enforcement bodies to assist with investigating financial crime cases. FinCEN issues regular advisories to firms to assist them with practical compliance points and is part of the Egmont Group, a body of global FIUs for collaboration and information-sharing. 

While FinCEN maintains AML oversight over all US FIs, certain institutions have their own regulators. For example: 

  • The Office of the Comptroller of the Currency (OCC) regulates all national banks, federal savings associations, and federal branches and agencies of foreign banks. 
  • The Federal Reserve regulates bank holding companies, state member banks, savings and loan holding companies, some foreign bank offices in the US, foreign branches and operations of US banks, and non-bank financial entities designated as “systemically important.” 
  • The Federal Deposit Insurance Corporation (FDIC) regulates all banks that are not members of the Federal Reserve. 
  • Credit unions are regulated by the National Credit Union Administration (NCUA). 

In these cases, FinCEN can delegate AML supervisory authority to these agencies, and often collaborates closely with them on issuing advisories and enforcement actions. 

The Office of Foreign Assets Control (OFAC) 

OFAC implements and enforces sanctions imposed by the US against individuals, groups, and other states to achieve its foreign policy and national security goals. OFAC maintains the various US sanctions lists and issues fines where it discovers that any sanctions violations have occurred.  

Which businesses are regulated in the US? 

All FIs are subject to AML regulations in the US, including: 

  • Banks and credit unions 
  • Brokers and dealers
  • Currency exchanges and other money services businesses (MSBs)
  • Credit card operators
  • Cryptocurrency and virtual asset service providers (VASPs) 
  • Insurance companies
  • Real estate firms: In August 2024, FinCEN issued a rule strengthening regulatory obligations around real estate with reporting requirements for high-risk real estate transfers, such as non-financed residential property transfers to trusts or legal entities. 
  • Casinos
  • Dealers in precious metals, stones, or jewels
  • Pawnbrokers
  • Loan and finance companies
  • Travel agencies
  • Futures commission merchants and commodity trading advisors
  • Telegraph companies
  • Vehicle retailers
  • Informal financial businesses
  • Investment advisers (IAs): As per another August 2024 rule introduced by FinCEN, the BSA covers all IAs. 

The consequences of non-compliance

Breaches of US AML regulations can result in severe civil and criminal penalties for firms. FinCEN maintains a public list of enforcement actions it has taken against firms, which have reached into the billions of dollars and have been applied to even the largest organizations, with several high-profile cases in 2024. Specific penalties include: 

  • A civil fine of up to $278,000 for a single breach of the BSA. 
  • A criminal fine of up to $250,000, or a prison sentence of five years, or both for an individual guilty of violating the BSA. 
  • For a company, a fine of $1 million or twice the value of the transaction(s) responsible for the breach, whichever is higher. 
  • Loss of banking licenses and bans from working in financial services. 

These financial losses can be compounded by the reputational damage caused by non-compliance. Customers are likely to punish an association with financial crime tolerance by switching to other institutions, meaning firms will find it hard to scale or reach growth targets without protecting themselves with the necessary compliance measures. 

AI regulation in the US and its impact on compliance 

Artificial intelligence (AI) and machine learning (ML) systems have a wide range of effective use cases in AML/CFT, from identifying matches between FIs’ customers and high-risk entities to analyzing transactions for suspicious patterns. The US Treasury Department’s 2024 National Strategy for Combatting Terrorist and Other Illicit Financing, for example, highlighted the transformative potential of AI-based technologies in enhancing FIs’ AML compliance. With this in mind, the emerging area of AI regulation is also relevant to firms with AML obligations. 

However, the regulation of AI in the US remains in its early stages, and implementation has been fragmented: there is no federal law specifically designed to regulate AI. At a state level, though, some legislation has been passed, including: 

  • The Utah Artificial Intelligence Policy Act, which requires firms to disclose whether they use generative AI (GenAI), and makes them liable for any violations of consumer protection law committed through the use of GenAI. 
  • The Colorado AI Act, covering issues related to algorithmic discrimination across financial services, insurance, health, welfare, and employment. The Act is due to come into effect in February 2026. 

At a federal level, the US government has made some moves towards regulating firms’ use of AI, such as: 

How to comply with US AML regulations

To avoid these consequences, firms should develop comprehensive AML/CFT compliance programs, appoint experienced specialists in senior compliance roles, and conduct at least basic AML training for all staff. Beyond these crucial governance and hiring elements of compliance, firms can optimize their compliance programs in several ways. 

  • Adapt due diligence to customer risk levels: The US AML regime dictates that firms adopt a risk-based approach to compliance. To do this, firms need to know how to assign risk scores based on customer, product, and jurisdictional factors. They should also be aware of the range of CDD checks they can implement, including EDD measures, and deploy these where appropriate to safeguard against risk. 
  • Use the highest-quality data possible: Customer screening – whether for sanctions, politically exposed person (PEP) status, or adverse media – is only effective when it is based on relevant, accurate, and recent data. Firms should establish where the data they use comes from and ensure it is updated in good time to maintain accurate customer risk scores. 
  • Use appropriate AML software: AML compliance presents major technical and administrative challenges for firms operating in the US. Relying on manual CDD or transaction monitoring is, for the majority of businesses, no longer efficient or realistic: it requires significant time and resources and carries the ongoing risks of human error. FIs should look to automate parts of their AML compliance program where they can, taking advantage of the data analysis capabilities of AI and machine learning (ML) systems, leaving higher-risk tasks to human compliance experts. 
  • Implement smart transaction monitoring: To fulfill their various reporting requirements with effective SARs, CTRs, and Form 8300s, firms should develop automated transaction monitoring to detect large, unexplained, or suspicious payments. Transaction monitoring is one area of compliance where ML can be particularly valuable to firms. ML uncovers new patterns in the data, allowing firms to detect suspicious payments with greater insight and accuracy. 
  • Integrate AML functions where possible: Siloed datasets, customer profiles, and cases are virtually guaranteed to make compliance processes slower and less effective. Firms should seek out software solutions that allow them to consolidate screening solutions, risk intelligence data, and customer profiles. This means analysts do not have to switch between different systems when assessing cases and can instead view all customer risks in one place. 

AI-enhanced AML compliance for US firms

ComplyAdvantage Mesh is a cutting-edge AML compliance software solution designed to complement and augment the expertise of compliance teams. Firms using Mesh can reduce customer friction while delivering the compliance standards regulators expect with: 

  • Smart transaction monitoring: In addition to a comprehensive rules library of known industry typologies, ComplyAdvantage transaction monitoring uses ML to fill any gaps in existing rulesets. Firms can create their own rules with a no-code, self-serve rules builder and apply different thresholds to customer segments for a risk-based compliance solution. 
  • Market-leading proprietary data: Firms can screen customers against the very latest data for sanctions, watchlists, PEP and RCA, and adverse media. ComplyAdvantage’s AI-powered risk intelligence is updated in near-real time, well ahead of competitors, supporting effective customer screening and ongoing monitoring without delay. 
  • Streamlined compliance processes: Advanced matching algorithms minimize false positives by applying semantic and statistical analysis to ensure searches only bring up relevant results. Automated, configurable risk scoring gives firms a data-driven understanding of their customer base. 

Originally published 03 March 2020, updated 11 December 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).