Definition
AML / CFT (Anti-Money Laundering / Combating the Financing of Terrorism) covers the obligations that require a regulated entity to know its customers, monitor their flows and report any suspicion.
It targets financial players but also many non-financial ones (notaries, real-estate agents, art dealers above thresholds, casinos, CASPs…), and rests on four duties: identify the customer (KYC/KYB), understand their activity, monitor their transactions, and report any suspicious operation to TRACFIN, keeping the evidence for at least 5 years.
The European framework — the AMLD 4, 5 and 6 directives — is shifting towards the AMLR regulation and the AMLA authority.
The European history
- AMLD1 (1991) — the first directive, focused on banks and drug trafficking.
- AMLD2 (2001) — extension to terrorist financing after 9/11.
- AMLD3 (2005) — introduction of the risk-based approach.
- AMLD4 (2015) — beneficial-owner registers (UBO), enhanced due diligence.
- AMLD5 (2018) — extension to CASPs (crypto), art dealers, wallet providers.
- AMLD6 (2018) — criminal harmonisation, liability of legal persons.
- AMLR (2024-2027) — move to a directly applicable regulation and the creation of the AMLA (Frankfurt).
The 3 pillars
- Customer knowledge (KYC/KYB) — identification, verification and updating. See KYC / KYB.
- Ongoing due diligence — comparing operations with the customer's profile and spotting anomalies.
- Suspicious activity report — reporting to TRACFIN any operation that could be linked to money laundering or terrorist financing.
The 3 levels of due diligence
The risk-based approach distinguishes:
- Simplified due diligence — low risk, lighter controls.
- Standard due diligence — the default regime.
- Enhanced due diligence — mandatory for PEPs, high-risk countries (EU/FATF lists), atypical operations and anonymous counterparties.
The risk assessment is specific to each player and subject to ACPR inspection.
The operational obligations
- Onboarding: full KYC/KYB before opening an account.
- Sanctions screening: continuous checking against OFAC, EU, UN and national lists.
- Ongoing due diligence: file reviews at least annually, and more frequently depending on risk.
- Transaction monitoring: alerts on unusual operations (amounts, destinations, frequencies).
- Suspicious activity report: sent to TRACFIN at the slightest doubt — the threshold is low ("knowing, suspecting or having good reason to suspect").
- Internal training: all relevant staff, at least once a year.
- ACPR reporting and designation of a reporting officer and a TRACFIN correspondent.
The sanctions
The ACPR is the supervisory authority. The range goes from a public warning to financial sanctions (up to €100M or 10% of turnover), bans preventing directors from operating, and, in extreme cases, withdrawal of authorisation. Notable cases: N26 (growth cap, 2021), Solaris (operational restrictions, 2024), Wirecard (bankruptcy, 2020).
What AML/CFT is not
- Not a marketing argument: it is a legal obligation.
- Not reserved for banks: PSPs, EMIs, CASPs, financial investment advisers (CIF), credit intermediaries (IOBSP), brokers, notaries, real-estate agents, casinos, art dealers and dealers in precious metals above the thresholds are all subject to it.
- Not a FICP check: it targets money laundering and terrorism, not creditworthiness — not to be confused with credit scoring.
- Not an absolute secret: reports are confidential vis-à-vis the customer (no tipping off), but TRACFIN can pass them on to the justice system.
In the PSD2 ecosystem
AML/CFT applies to all PSPs within the meaning of PSD2, including AISPs and PISPs: an AISP must perform KYC and monitor atypical usage, while payment players (PISP, EMI) have enhanced obligations. DORA adds to this for operational resilience, and MiCA does so for CASPs.
Concrete examples
- Transaction monitoring: Hawk (DE), ComplyAdvantage (UK), Sardine (US), Featurespace (UK), Feedzai (PT) and, for large accounts, NICE Actimize and SAS AML.
- Sanctions screening: Refinitiv World-Check (LSEG), Dow Jones Risk & Compliance, ComplyAdvantage, Lexis Diligence.
- Fintech case: a neobank must deploy full KYC, continuous screening, real-time monitoring and a dedicated compliance team — a typical operational cost of €5 to €20 per customer per year.
- Volume of reports: TRACFIN received 211,165 suspicious activity reports in 2024, of which ~93% came from the financial sector. Only a minority lead to an investigation: the reporting filter is deliberately broad.
- Notable sanctions: Société Générale (reprimand + €5M by the ACPR in 2017), N26 (growth restrictions by BaFin in 2021), Solaris (BaFin constraints 2022-2024).
- Cost: for a large European bank, the compliance headcount runs into the hundreds and the AML/CFT cost into the tens of millions of euros per year (sector estimates, consolidated data not public).
- AMLR + AMLA evolution: from 2026-2027, the AMLA will directly supervise the forty or so large cross-border banks and the AMLR will harmonise the rules — less fragmentation, with an expected tightening on crypto and fintechs.