AML/CFT Policy Framework
A full financial crime compliance program for a dual US-UK FinTech platform: thirteen sections spanning governance, risk appetite, KYC tiers, transaction monitoring, SAR filing, sanctions, terrorist financing, and audit.
| Scope | Anti-Money Laundering · Counter-Terrorist Financing · Fraud · Sanctions · Market Abuse |
| Regulatory framework | US (BSA/FINRA/FinCEN) · UK (FCA/MLRO) · Dual-jurisdiction design |
| Platform type | P2P payments / digital wallet / alternative asset platform |
1. Executive summary
A FinTech platform operating in the payments, digital assets, or securities space must maintain a risk-based financial crime compliance program proportionate to its business model, customer base, and jurisdictional exposure. This document outlines the framework, procedural architecture, and key policy positions for such a program, structured around six core financial crime risk categories: money laundering, terrorist financing, fraud, bribery and corruption, market abuse/manipulation, and sanctions/embargoes.
The program is designed for a platform operating under dual US-UK regulatory oversight; a structure increasingly common as US FinTechs expand into European markets. The UK regulatory framework (FCA, MLRO requirements, Proceeds of Crime Act) is treated as the higher standard where the two frameworks diverge, ensuring that compliance with UK requirements simultaneously satisfies or exceeds US requirements in most areas. Key exceptions (FINRA-specific requirements, FinCEN reporting) are handled as additive US-layer obligations.
2. Program governance
2.1 Compliance ownership. The program is owned by the Chief Compliance Officer (CCO), who serves concurrently as the Money Laundering Reporting Officer (MLRO) under UK FCA requirements and as the AML Compliance Person under FINRA Rule 3310 for platforms with broker-dealer registration. The CCO/MLRO carries full responsibility and authority to enforce the program, file regulatory reports, and escalate to the board where material risk events occur.
2.2 Policy review cadence. The program is reviewed no less than annually, with triggered reviews required upon: material changes to the platform’s product offering or customer base; significant regulatory guidance or rule changes in either jurisdiction; and any material financial crime event (SAR filing, regulatory inquiry, or confirmed fraud loss above defined thresholds).
3. Financial crime risk appetite
The platform maintains zero tolerance for knowingly facilitating money laundering, terrorist financing, sanctions violations, or fraud. The program is risk-based: controls are calibrated to the actual risk profile of the platform’s customer base and transaction types, not applied uniformly across all activity regardless of risk level.
Risk appetite is expressed in three tiers:
| Zero tolerance | AML/CFT, sanctions violations, bribery/corruption, fraud facilitation |
| Low tolerance | Transaction fraud, market abuse, identity fraud |
| Managed tolerance | Operational risk, KYC data quality gaps in lower-risk customer segments |
4. Customer identification and KYC
4.1 Customer Identification Program (CIP). Prior to account opening, the platform collects minimum required identification information for all customers: full legal name; date of birth (individuals) or incorporation date (entities); residential or business address; government-issued identification number (SSN/EIN for US persons; passport/national ID for non-US persons); and for entities, legal structure, jurisdiction of incorporation, business description, and beneficial ownership information.
Verification is conducted through a combination of documentary and non-documentary means. Documentary verification relies on government-issued photo identification. Non-documentary verification uses third-party identity verification services, credit bureau lookups, and database checks. Enhanced verification is triggered for higher-risk customer profiles, PEPs, and customers from higher-risk jurisdictions.
4.2 Risk-based customer segmentation. Customers are assigned an initial risk profile at onboarding based on: customer type (individual/entity/institution); jurisdiction of residence or incorporation; source of funds declaration; product and transaction type; and PEP/sanctions screening results. Risk profiles are dynamic and updated based on ongoing transaction monitoring alerts, behavioral changes, and periodic review cycles.
Three risk tiers govern the level of due diligence and ongoing monitoring applied:
| Standard Due Diligence (SDD) | Low-risk customers; standard onboarding and periodic review |
| Enhanced Due Diligence (EDD) | Higher-risk customers, PEPs, high-value transaction customers; enhanced verification, senior management approval, more frequent review |
| Simplified Due Diligence (SiDD) | Where permitted by regulation for demonstrably low-risk customer types |
4.3 Beneficial ownership. For entity accounts, the platform collects and verifies beneficial ownership information for all natural persons owning 25% or more of the entity, and for the individual with significant control or management authority. Beneficial ownership is verified at onboarding and re-verified upon material changes to the entity’s structure.
5. Transaction monitoring
5.1 Monitoring architecture. Transaction monitoring operates across two layers: rule-based alerts triggered by predefined thresholds and behavioral patterns, and machine learning-based anomaly detection that identifies deviations from a customer’s established behavioral baseline. Both layers feed into a unified alert queue for analyst review.
The monitoring system ingests data from: the platform’s internal transaction ledger; linked external bank accounts (via open banking/Plaid integration); and, for platforms with crypto/digital asset functionality, on-chain wallet analytics.
5.2 Key risk indicators. Rule-based alerts are triggered by, among others: transaction velocity exceeding defined thresholds within a rolling period; structuring patterns (multiple transactions just below reporting thresholds); unusual counterparty geography; first-time large transactions; rapid movement of funds in and out; and transactions involving known high-risk jurisdictions or counterparties.
For platforms with digital asset functionality, additional crypto-specific risk indicators include: wallet interactions with mixing/tumbling services; exposure to sanctioned addresses; chain-hopping patterns; and interactions with darknet market-adjacent wallets.
5.3 Alert disposition. Alerts are triaged by risk level. High-risk alerts require analyst review within 24 hours and senior compliance review within 48 hours. Standard alerts are reviewed within a defined SLA window. All alert dispositions are documented with supporting rationale. Alerts resulting in confirmed suspicious activity are escalated to SAR filing consideration.
6. Suspicious Activity Reporting
The platform files Suspicious Activity Reports (SARs) with FinCEN when it knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity, is designed to evade reporting requirements, lacks a lawful purpose, or involves use of the platform to facilitate criminal activity. Under UK obligations, Suspicious Activity Reports are filed with the National Crime Agency (NCA) under the Proceeds of Crime Act (POCA).
SAR filing decisions are made by the CCO/MLRO. The tipping-off prohibition is strictly observed: no customer subject to an active SAR investigation is notified of the filing or the existence of the investigation. SAR filing does not require certainty — reasonable suspicion is sufficient and the standard is intentionally low.
7. Sanctions and embargoes
The platform screens all customers and counterparties against: OFAC SDN list; UN consolidated sanctions list; EU consolidated sanctions list; HM Treasury (UK) financial sanctions list; and applicable domestic terrorist designation lists. Screening is performed at onboarding, at each transaction, and on a triggered basis when sanctions lists are updated.
A confirmed sanctions match results in: immediate transaction blocking; asset freezing where required by applicable law; notification to OFAC (US) or HMT (UK) within required timeframes; and escalation to senior management and legal counsel.
8. OFAC and law enforcement requests
The platform responds to FinCEN 314(a) requests by searching records within the required 14-day response window. Matches are reported via FinCEN’s secure web system. The platform participates in 314(b) voluntary information sharing with other financial institutions for AML/CFT purposes, filing the required FinCEN notice before any sharing occurs.
National Security Letters and grand jury subpoenas are processed under strict confidentiality. Receipt is not disclosed to the subject of the investigation. If suspicious activity is identified in connection with a subpoena, a separate SAR is filed on the underlying activity without referencing the subpoena.
9. Terrorist financing
Terrorist financing controls are maintained separately from AML controls, recognizing that TF may involve legitimately-sourced funds. The platform screens for TF indicators including: transactions to known high-risk jurisdictions for TF; unusual transaction patterns consistent with cell financing (small, regular, multi-directional transfers); and counterparty connections to designated terrorist organizations. Transactions with any nexus to sanctioned jurisdictions are subject to enhanced review regardless of amount.
10. Bribery, corruption, and market abuse
The platform maintains a zero-tolerance policy for bribery and corruption in its own operations and for facilitating bribery through customer transactions. Transactions with government-connected counterparties are subject to enhanced scrutiny. The platform does not accept or make facilitation payments.
For platforms with securities or digital asset trading functionality, market abuse controls include monitoring for wash trading, layering, spoofing, and coordinated pump-and-dump activity. Anomalous trading patterns are escalated to the compliance team for investigation.
11. Staff training and awareness
All staff with customer-facing or transaction-processing responsibilities receive AML/CFT training at onboarding and annually thereafter. Training covers: recognition of money laundering typologies relevant to the platform’s business; the tipping-off prohibition; SAR filing obligations; and the platform’s escalation procedures. Completion is tracked and documented. Refresher training is triggered by material regulatory changes or following any significant financial crime event.
12. Record keeping
The platform retains all KYC documentation, transaction records, alert dispositions, SAR filings (under separate secure access controls), and training records for a minimum of five years from the date of account closure or transaction, in compliance with BSA and POCA requirements. Records are stored in tamper-evident systems with access logging.
13. Audit and independent review
The AML program is subject to independent review no less than annually, conducted by a party without operational responsibility for compliance. Audit scope includes: adequacy of KYC procedures; transaction monitoring coverage and alert quality; SAR filing practices; training completion; and regulatory change tracking. Audit findings are reported to senior management and the board, with defined remediation timelines for any material gaps.
14. Technical Implementation
The companion FinTech Platform Architecture document covers the technical implementation of this framework — funds flow, transaction risk assessment model, and the four-phase KYC/AML onboarding process.