AML Due Diligence: Complete Guide to Anti-Money Laundering Requirements, Process & Best Practices


Last Updated on November 13, 2025

If you work in finance, banking, crypto, or any regulated business, weak AML due diligence can cost you more than money: it can cost your reputation, your license, or worse. You need to know who your customer is, why they’re doing business with you, and whether their funds are clean.

Here’s what makes this guide worth your time: by the end, you’ll understand the requirements, the step-by-step process, and best practices you should follow so you stay compliant and avoid big fines.

To show you how serious this is: in 2024, regulators imposed US $4.6 billion in penalties globally for AML and compliance failures. That’s not a drop in the ocean. Some of the biggest fines hit banks and fintechs for poor customer due diligence or bad transaction monitoring.

So this isn’t theory. This is your roadmap to doing due diligence right, to protect your operations and stay on the right side of regulators.

Core Concepts & Definitions 

Before you dig into rules and process, you must get clear on key terms. These are the building blocks of AML due diligence.

What AML & CFT Mean

  • AML stands for Anti-Money Laundering. It means the rules and processes that prevent dirty money (the proceeds of crime) from entering the clean financial system.

  • CFT means Counter-Financing of Terrorism. That’s about stopping funds being used to support terror acts.

  • You’ll see AML and CFT often paired, because criminals may mix money laundering and terror funding.

KYC, KYB, KYT, KYCC: What You Must Know

These are the tools you use to check who is behind transactions.

| Abbreviation | Full Term | What You Do / Look For |
|---|---|---|
| KYC | Know Your Customer | Identify and verify the individuals you deal with |
| KYB | Know Your Business | Do the same for companies / legal entities |
| KYT | Know Your Transaction | Monitor transactions for strange patterns |
| KYCC | Know Your Customer’s Customer | When your customer has another layer behind it (e.g. in a chain) |

You’ll use these as part of your AML due diligence workflow. For example, with KYB, you want to understand who owns the business (beneficial ownership).

Onboarding, Ongoing & Event-Driven Due Diligence

You’ll hear these three modes:

  • Onboarding due diligence: checks you do before accepting a customer.

  • Ongoing due diligence: periodic checks after a customer is active (refresh information, monitor behavior).

  • Event-driven due diligence: triggered by certain events (e.g. a major transaction, a change in structure, a regulatory change).

Red Flags, Suspicious Activity, & Risk Signals

Your job is to look for signals that something might be off. These are sometimes called “red flags”:

  • Unusual large cash deposits or withdrawals

  • Frequent transfers to high-risk jurisdictions

  • Complex ownership structures without clear reason

  • Negative media / news about the customer

  • Inconsistent information across documents

When red flags are present, you escalate your due diligence.

A Quick Reality Check 

  • Global money laundering is estimated to account for 2% to 5% of global GDP per year, which is around USD 800 billion to USD 2 trillion in illicit flows.
  • About 77% of financial institutions said they detected or suspected money laundering in their operations in the latest data. 

Knowing these terms isn’t optional, it sets you up to understand the process and rules you’ll face.

Regulatory & Legal Frameworks (What You Must Follow)

You can’t run effective AML due diligence without knowing which rules apply. These are the walls you have to build inside.

Global Standards: FATF & Guidance

The Financial Action Task Force (FATF) is the chief standard setter you must know. Its 92 Recommendations are the global benchmark for anti-money laundering and counter-financing of terrorism.

Countries adapt those recommendations into law. You’ll often see “FATF-compliant” used to show legitimacy.

U.S. & Federal Laws

In the U.S., you operate under rules like the Bank Secrecy Act (BSA) and Patriot Act. Together, these require you to identify your customers, file suspicious activity reports (SARs), and keep records. The Anti-Money Laundering Improvement Act (2022) strengthened some of those laws. So if you’re in or interacting with U.S. financial institutions, you’ll need to adhere to those.

EU & Regional Rules

In the European Union, a new EU AML Regulation augments previous directives. Some key changes:

  • The definition of “obliged entities” now includes crypto-asset services, crowdfunding, and trading in high-value goods.

  • Customer due diligence (CDD) requirements are stricter: you must collect more data and refresh it more often.

  • The EU created a new body, AMLA (Anti-Money Laundering Authority), to centralize oversight across member states.

Levels of Due Diligence

When you do AML due diligence, it’s not “one size fits all.” You’ll apply different levels depending on how risky the customer or transaction is. The three main levels are Simplified Due Diligence (SDD), Standard / Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD).

Simplified Due Diligence (SDD)

You use SDD when a customer or business is considered low risk. Under SDD:

  • You collect less information than in standard checks.

  • You monitor less frequently.

  • You’re not expected to dig deep into source of funds or ownership.

But SDD is rare in practice. Use it only when regulations explicitly allow it and when the risk truly is low.

Standard / Customer Due Diligence (CDD)

This is your baseline. CDD is what you should do for most customers. In CDD:

  • You identify and verify who your customer is (individual or business).

  • You screen against sanctions, watchlists, and adverse media.

  • You assign a risk level (low, medium, high) based on factors like geography, business type, and volume.

  • You monitor activity and update information periodically.

If nothing unusual shows up, CDD is often enough.

Enhanced Due Diligence (EDD)

You step into EDD when risks are higher or red flags appear. EDD goes deeper:

  • You investigate source of funds and source of wealth.

  • You make extra checks on ownership (identify UBOs) and complex structures.

  • You perform more frequent reviews and monitoring.

  • You gather more documentation, background checks, possibly using third-party data.

You must document why you chose EDD so auditors or regulators can follow your reasoning.

When Do You Escalate to EDD?

You don’t choose EDD at random; certain triggers push you there. Common risk triggers include:

  • Customer located in a high-risk jurisdiction

  • Use of shell companies or opaque ownership structures

  • Politically exposed persons (PEPs)

  • Large or unusual transactions

  • Adverse media / negative news

  • Transactions with counterparties in high-risk sectors

To put the stakes in context: regulators globally issued USD 3.3 billion in fines in 2024 for failures in transaction monitoring and due diligence controls. That shows how seriously mistakes are penalized.

AML Due Diligence Process: Step by Step

You don’t just check once and forget; it’s a continuous process. Below is how you systematically perform AML due diligence so nothing slips through.

Onboarding & Identity Verification

First, when someone wants to become your customer, you collect their details: name, birth date, address, identity documents (for individuals) or registration papers (for companies). You must verify that these documents are real and actually belong to them. 

As part of that, you run screening checks against sanctions lists, negative news, and watchlists. If something doesn’t add up, you pause and dig deeper.

Risk Profiling & Classification

Once identity is confirmed, you decide how much risk that customer poses. You consider things like where they live (is it in a high-risk country?), what kind of business they do, how much money they might move, how complicated their ownership structure is, and whether they are a politically exposed person (PEP). Based on those factors, you give them a risk score or place them in a risk band (low, medium, high). And importantly, you write down reasons for your decision.

Enhanced Checks (When Risk Is High)

When risk is high or warning signs appear, you move into Enhanced Due Diligence (EDD). Here, you investigate deeper. You ask: Where did their money come from? How did they get their wealth? You look harder into ownership chains to pinpoint the actual person in control (the beneficial owner). 

You also use background checks and extra documents, possibly from external data sources. The idea is to reduce uncertainty as much as possible.

Ongoing Monitoring & Transaction Monitoring

Due diligence isn’t a one-time task—it continues. After the customer is onboarded, you watch their transactions in real time (or near real time) to spot behavior that doesn’t match the profile you expected. You set rules and thresholds—say, large transfers or sudden jumps in volume—that trigger alerts. Periodically, you also refresh the customer’s data: re-verify documents, reassess their risk. When alerts arise, you review and decide whether to escalate.

Handling Suspicious Activity & Escalation

When your system or your team sees something that looks suspicious, you investigate further. You gather more details, compare them against expectations, and decide whether there is real risk. If yes, you file a regulatory report (for example, a Suspicious Activity Report or equivalent). In serious cases, you might halt transactions or close the account. Record every step—what triggered the alert, what you did, how you decided.

Recordkeeping & Audit Trail

From start to finish, you keep records of documents, decisions, risk scores, alerts, investigations, reports—everything. These records form an audit trail so regulators or auditors can trace back your logic. In many places, you’re required to keep records for a number of years (often 5 to 7 years or more).
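The monitoring, escalation and recordkeeping steps above, as an added Python example (not code from the original article or from SmartRoom): a small rule engine that checks each transaction against the customer’s risk band and expected activity, attaches a written rationale to every alert, and records an audit entry for every transaction, even when no rule fires. The transfer limits, spike factor, country codes and sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed configuration (an assumption for this example, not a regulatory table).
LARGE_TRANSFER_LIMIT = {"low": 50_000, "medium": 20_000, "high": 10_000}  # per risk band
HIGH_RISK_COUNTRIES = {"XX", "YY"}     # placeholder codes, not a real list
VOLUME_SPIKE_FACTOR = 3                # 30-day volume above 3x the expected profile

@dataclass
class Customer:
    risk_band: str                  # low / medium / high, from risk profiling
    expected_monthly_volume: float  # the activity the customer told you to expect

@dataclass
class Txn:
    txn_id: str
    ts: datetime
    amount: float
    counterparty_country: str

@dataclass
class Alert:
    txn_id: str
    rule: str
    rationale: str   # the narrative a reviewer or regulator will read
    escalate: bool

def run_rules(cust, history, txn):
    """Apply the monitoring rules to one transaction, given the prior history."""
    alerts, limit = [], LARGE_TRANSFER_LIMIT[cust.risk_band]
    if txn.amount >= limit:
        alerts.append(Alert(txn.txn_id, "LARGE_TRANSFER",
            f"amount {txn.amount:,.0f} meets the {cust.risk_band}-risk limit of {limit:,}",
            escalate=cust.risk_band == "high"))
    since = txn.ts - timedelta(days=30)
    rolling = txn.amount + sum(t.amount for t in history if t.ts >= since)
    if rolling > VOLUME_SPIKE_FACTOR * cust.expected_monthly_volume:
        alerts.append(Alert(txn.txn_id, "VOLUME_SPIKE",
            f"30-day volume {rolling:,.0f} exceeds {VOLUME_SPIKE_FACTOR}x the expected "
            f"{cust.expected_monthly_volume:,.0f}", escalate=True))
    if txn.counterparty_country in HIGH_RISK_COUNTRIES:
        alerts.append(Alert(txn.txn_id, "HIGH_RISK_JURISDICTION",
            f"counterparty in {txn.counterparty_country}, a listed high-risk jurisdiction",
            escalate=True))
    return alerts

def monitor(cust, txns):
    """Process transactions in time order; return (alerts, audit_log) with one
    audit entry per transaction so the trail is complete even when nothing fired."""
    alerts, audit_log, history = [], [], []
    for txn in sorted(txns, key=lambda t: t.ts):
        fired = run_rules(cust, history, txn)
        history.append(txn)
        alerts.extend(fired)
        audit_log.append({"txn_id": txn.txn_id, "rules_fired": [a.rule for a in fired],
                          "escalated": any(a.escalate for a in fired)})
    return alerts, audit_log

CUSTOMER = Customer("medium", 30_000)   # constructed: expects about 30,000 per month
T0 = datetime(2025, 1, 1)
SAMPLE_TXNS = [                          # constructed sample transactions
    Txn("T1", T0, 5_000, "DE"),
    Txn("T2", T0 + timedelta(days=3), 8_000, "DE"),
    Txn("T3", T0 + timedelta(days=10), 25_000, "XX"),  # large, and high-risk country
    Txn("T4", T0 + timedelta(days=12), 60_000, "DE"),  # large, and 30-day volume spike
]
```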

Why This Matters

In 2024, regulators around the globe imposed USD 4.6 billion in enforcement actions related to AML failures, and USD 3.3 billion of that was tied to failures in transaction monitoring and due diligence controls.

That shows: most penalties aren’t from sloppy onboarding alone—they come from weak monitoring, failure to escalate, or not documenting properly. If you follow this full process—onboarding, risk profiling, enhanced checks, ongoing surveillance, escalation, and recordkeeping—you reduce your exposure significantly.

Risk Assessment & Scoring (How You Judge Risk)

Risk assessment is your compass. You can’t know where to dig deeper unless you assign a risk level first. That’s what scoring does: it helps you see which customers need extra work and which can be handled normally.

What Risk Factors Do You Consider?

You look at many factors and combine them to form a risk score. Some of the key ones are:

  • Geography / Jurisdiction Risk
    If your customer is in a country with weak AML laws, or on the FATF grey or black lists, that raises risk. You can use indices like the Basel AML Index to benchmark country risk.

  • Customer / Business Type
    A business that deals in high-value goods, or uses many cash transactions, or operates in sectors known for corruption, is riskier.

  • Ownership Structure & Beneficial Ownership
    If a company’s ownership is opaque or has many layers, it’s harder to trust. You want to know the ultimate beneficial owner (UBO).

  • Transaction Behavior / Volume
    Big transfers, sudden spikes, or odd patterns (like many small payments to many accounts) can signal trouble.

  • PEP / Adverse Media / Negative News
    Politically exposed persons (PEPs) or people who appear in negative media reports require closer scrutiny.

  • Product / Service Risk
    Some services are inherently riskier, for example, cross-border payments, virtual assets, or private banking.

You don’t treat every factor equally; you assign weights depending on how risky you think each factor is for your business model.
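The weighted scoring described above, as an added Python example (not code from the original article or from SmartRoom): each of the six factors is scored 0 to 3 with a written reason, the scores are combined with percentage weights into a band, and hard triggers (PEP, unknown UBO, high-risk jurisdiction) force EDD regardless of the weighted total. The weights, thresholds, country codes and sample profiles are constructed assumptions to be tuned to your own business model.

```python
from dataclasses import dataclass
# Constructed weights (percent, sum 100): an assumption for this example, not a regulatory table.
WEIGHTS = {"jurisdiction": 25, "customer_type": 15, "ownership": 20,
           "transactions": 15, "pep_media": 15, "product": 10}
HIGH_RISK_COUNTRIES, GREY_LIST_COUNTRIES = {"XX"}, {"YY"}   # placeholder codes
CASH_INTENSIVE_TYPES = {"casino", "money_service_business", "precious_metals_dealer"}
HIGH_RISK_PRODUCTS = {"cross_border_payments", "virtual_assets", "private_banking"}

@dataclass
class CustomerProfile:
    country: str
    business_type: str
    ownership_layers: int         # legal entities between the customer and its UBO
    ubo_identified: bool
    expected_monthly_volume: float
    is_pep: bool
    adverse_media: bool
    products: set

def score_factors(p):
    """Score each factor 0-3 and write down why, so the decision is documented."""
    scores, reasons = {}, []
    def put(factor, value, reason):
        scores[factor] = value
        if value >= 2:                      # only notable scores need a narrative
            reasons.append(f"{factor}={value}: {reason}")
    if p.country in HIGH_RISK_COUNTRIES:
        put("jurisdiction", 3, f"{p.country} is a high-risk jurisdiction")
    else:
        put("jurisdiction", 2 if p.country in GREY_LIST_COUNTRIES else 0,
            f"{p.country} is on the grey list")
    cash = p.business_type in CASH_INTENSIVE_TYPES
    put("customer_type", 3 if cash else 1, f"{p.business_type} is cash-intensive")
    if not p.ubo_identified:
        put("ownership", 3, "ultimate beneficial owner not identified")
    else:
        put("ownership", 2 if p.ownership_layers >= 3 else min(p.ownership_layers, 1),
            f"{p.ownership_layers} ownership layers between customer and UBO")
    v = p.expected_monthly_volume
    put("transactions", 3 if v >= 1_000_000 else 2 if v >= 100_000 else 1,
        f"expected monthly volume {v:,.0f}")
    put("pep_media", 3 if p.is_pep else 2 if p.adverse_media else 0,
        "politically exposed person" if p.is_pep else "adverse media found")
    risky = sorted(p.products & HIGH_RISK_PRODUCTS)
    put("product", 2 if risky else 0, f"high-risk products: {', '.join(risky)}")
    return scores, reasons

def assess(p):
    """Combine weighted factor scores into a risk band and a due diligence level."""
    scores, reasons = score_factors(p)
    points = sum(WEIGHTS[f] * scores[f] for f in WEIGHTS)          # 0..300
    band = "low" if points < 75 else "medium" if points < 150 else "high"
    # Hard triggers force EDD whatever the weighted score says.
    forced = [t for t, hit in (("PEP", p.is_pep), ("UBO unknown", not p.ubo_identified),
              ("high-risk jurisdiction", p.country in HIGH_RISK_COUNTRIES)) if hit]
    if forced and band != "high":
        reasons.append(f"band raised to high by trigger(s): {', '.join(forced)}")
        band = "high"
    level = "EDD" if band == "high" else "CDD"   # SDD only where regulation explicitly allows it
    return {"points": points, "band": band, "level": level, "reasons": reasons}

# Constructed sample profiles.
RETAIL = CustomerProfile("DE", "retail_shop", 0, True, 20_000, False, False, {"current_account"})
PEP_RETAIL = CustomerProfile("DE", "retail_shop", 0, True, 20_000, True, False, {"current_account"})
CASINO = CustomerProfile("YY", "casino", 3, True, 500_000, False, True, {"cross_border_payments"})
```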

Technology & Automation in AML Due Diligence

You can’t manually police every transaction—too many slip through. That’s where smart tools and automation come in. When you use technology well, you increase your detection power, cut costs, and free your team to focus on the hard cases.

Why Technology Matters in AML Due Diligence

First, some scale facts:

  • Global AML/KYC technology spend is projected to hit USD 2.9 billion in 2025. That’s how much institutions are investing to build stronger systems.

  • In a survey by PwC, 62% of financial institutions already use AI / ML in AML functions, and that number is expected to reach 90% by 2025.

  • A single bank cut its compliance costs by 60% after deploying smarter AML software. (Tookitaki)

These numbers tell you this isn’t optional—it’s central. If your competitors are automating, you don’t want to rely on manual work.

Key Automation Tools & Capabilities You Should Use

Here are the kinds of technology you’ll want, and how they help you:

| Capability | What It Does | Why It Helps You |
|---|---|---|
| Real-Time Transaction Monitoring | Scans every transaction as it happens. | Lets you catch suspicious transfers immediately, not days later. |
| Risk Scoring & Predictive Models | Uses patterns and data to assign a risk score. | Prioritizes which alerts or customers you should examine. |
| Screening & Sanctions / Watchlist Checks | Automatically checks names, entities, etc. | Eliminates manual errors and ensures up-to-date coverage. |
| Behavioral Analytics / Anomaly Detection | Detects patterns, device signals, relationships between accounts. | Finds hidden or subtle laundering methods. |
| Adverse Media & Negative News Monitoring | Continuously watches news sources and social media. | Alerts you when a customer appears in negative press. |
| Workflow & Case Management Automation | Routes alerts to people and structures the investigation steps. | Makes your team more efficient and consistent. |

When these modules work together, your AML due diligence becomes a living, breathing system—not just a checklist.

Best Practices & Common Pitfalls (How to Do This Right, and Avoid Mistakes)

When you build your AML due diligence program, following best practices is what gives you strength. But even the smartest systems fail when people make simple mistakes. In this section, I’ll walk you through both: things you should always do, and traps you must avoid.

Best Practices You Should Follow

  • Ensure Strong Governance & Responsibility
    Assign a clear compliance officer or money laundering reporting officer (MLRO). Make sure senior management is involved, gets real data, and understands the alert backlogs or weak spots.

  • Train Your Team Often
    A well-trained team is your line of defense. Teach staff how to spot red flags, how your processes work, and what to do when they see something odd. Training should be regular, updated, and role-specific.

  • Adopt a Risk-Based Approach
    Don’t treat every customer the same. Let your risk assessment guide how deeply you dig. High-risk customers get more checks; low-risk ones get lighter reviews. This helps you use resources wisely. Using this approach is cited as essential in AML control frameworks.

  • Document Everything
    As you run due diligence, record every decision: who you checked, what you found, how you scored risk, what you escalated, and why. If it’s not in writing, regulators might treat it as if you didn’t do it. Poor documentation is one of the pitfalls many firms face.

  • Review & Refresh Regularly
    Customer risk profiles change. Regulations change. Your thresholds and rules must be rechecked. Always have a schedule to revisit your policies, your models, and your monitoring logic.

Common Pitfalls You Must Avoid

Here are mistakes many institutions make, and how you sidestep them:

  • Skipping EDD on high-risk clients
    Some firms don’t apply enhanced due diligence (EDD) when they should, often because no one wrote down when to do it.
  • Weak Ongoing Monitoring
    You could do perfect onboarding, but if you fail to monitor later, criminals may slip in. Static reviews aren’t enough; you need dynamic checks.
  • Alerts with no rationale or narrative
    Regulators often flag reports or SARs that lack clear explanations. If your staff just flags “suspicious” without saying why or how, that’s a gap.
  • Outdated thresholds / rule logic
    Many programs leave their transaction monitoring rules unchanged for too long. What was “unusual” years ago may not be today.
  • Overreliance on spreadsheets
    Some teams use spreadsheets to track risk, alerts, or KYC files. Spreadsheets lack version control, audit trails, and visibility. That’s a weakness.

Real-World Examples & Case Studies 

Seeing what’s gone wrong, in real settings, helps you avoid making the same mistakes. Here are some notable AML failures, what went bad, and what you can learn from them.

TD Bank: A $3 Billion Wake-Up Call

TD Bank’s AML failures became one of the biggest recent headlines. Regulators found that over 92% of its transactions went unmonitored over a span of years, representing more than USD 18 trillion in unreviewed movement.

The bank was fined around USD 3 billion across U.S. agencies for violations of the Bank Secrecy Act (BSA), poor monitoring, and weak due diligence (Institute for Financial Integrity). Some key breakdowns:

  • Their AML program was under-resourced and outdated.

  • They failed to apply proper monitoring to peer-to-peer and cross-border transactions.

  • Internal signals about weak compliance were ignored by management.

What you should take from this: even a big bank isn’t immune. If your monitoring is weak, or if you under-invest into compliance, it can spiral into massive liability.

Danske Bank: The Estonian Branch Scandal

Danske Bank’s Estonian arm became a conduit for huge volumes of suspicious funds between 2007 and 2015. The non-resident portfolio was used to route money from opaque sources, especially from former Soviet states. In 2022, Danske Bank pleaded guilty and settled for around USD 2 billion with U.S. and Danish regulators. Failures included:

  • Inadequate customer due diligence and risk monitoring.

  • Poor oversight of non-resident accounts.

  • Weak recordkeeping and transparency of ownership.

Lesson for you: Be especially cautious with accounts in foreign jurisdictions, non-resident clients, or complex ownership. Those are high risk and must be handled with strong EDD and monitoring.

HSBC & Swiss PEP Accounts

HSBC’s Swiss private banking arm came under fire for AML failures tied to politically exposed persons (PEPs). Swiss regulator FINMA found that money from Lebanese state institutions (over USD 300 million) passed through accounts without proper checks or reporting.

As a result, HSBC was ordered to:

  • Fully review all its high-risk / PEP accounts

  • Freeze opening new PEP accounts until audit approval

  • Reassess its governance and control structure

For you, that’s a reminder: PEPs require extra scrutiny and you must be ready to justify every decision about them.

Conclusion

You’ve learned that AML due diligence is not optional—it’s the backbone of compliance. Weak checks, missing alerts, or sketchy documentation can lead to massive fines, legal trouble, or reputational damage.

To act now:

  • Strengthen your risk model and transaction monitoring

  • Apply enhanced checks where needed

  • Mix smart automation with human judgment

When it comes to handling sensitive documents, secure collaboration, or compliance reporting, a tool like SmartRoom can make your life easier. SmartRoom is a virtual data room built for legal and compliance teams, offering bank-grade security, detailed audit trails, and collaboration features that support due diligence workflows.


Patrick Schnepf is the Senior Vice President of Global Sales at SmartRoom, where he leads strategic initiatives to enhance secure file-sharing and collaboration solutions for M&A transactions. With a career spanning over two decades in sales and business development within the technology sector, Patrick has been instrumental in driving SmartRoom’s global revenue growth and expanding its market presence. He is a growth-oriented leader who excels at building go-to-market strategies that accelerate adoption, deepen customer relationships, and drive business impact.
