What Is AML in Payments? Definition and How It Works

Definition

AML (Anti-Money Laundering) in payments refers to the regulatory obligations and operational controls that payment companies and certain merchants must implement to detect, prevent, and report transactions that may involve the proceeds of criminal activity.

How it works

AML requirements in payments flow from national and international regulatory frameworks: the EU's Anti-Money Laundering Directives (AMLD), the US Bank Secrecy Act (BSA), and the FATF Recommendations, which set the global standard that national regimes implement. Payment companies holding licences as payment institutions, e-money institutions, or money service businesses are directly regulated for AML compliance. Merchants are generally not directly regulated for AML unless they operate in specific high-risk categories.

The core AML obligations for payment companies are: customer due diligence (CDD) at onboarding and on an ongoing basis, transaction monitoring to identify suspicious activity patterns, Suspicious Activity Report (SAR) filing when suspicious activity is detected, record-keeping of transactions and customer data for a minimum period (in the EU, five years after the end of the business relationship or the occasional transaction, which member states may extend by up to a further five years), and regular staff training.

Transaction monitoring systems analyse payment data for indicators associated with money laundering: structuring (breaking large transactions into smaller amounts to stay below reporting thresholds), rapid movement of funds through multiple accounts, transactions inconsistent with the customer's stated business, high-value transactions to or from high-risk jurisdictions, and volume spikes inconsistent with normal operating patterns.

For merchants using payment providers, the payment provider typically handles primary AML compliance obligations. Merchants who are themselves regulated (because they operate as payment facilitators, handle customer funds, or operate in regulated categories such as gambling or crypto) have direct AML obligations.

Why it matters

AML and KYC are distinct but related: KYC (Know Your Customer) is the identity verification and due diligence process at onboarding. AML is the broader ongoing monitoring and reporting obligation. KYC feeds AML: the customer profile established through KYC is the baseline against which ongoing transaction behaviour is assessed.

Payment facilitators have direct AML obligations for sub-merchants: a merchant who operates as a PayFac onboarding sub-merchants must conduct KYC/AML checks on those sub-merchants. The PayFac is responsible for the compliance of its sub-merchant portfolio.

High-risk merchant categories face enhanced due diligence: gambling, crypto, adult content, pawn shops, and money service businesses attract heightened AML scrutiny from acquirers and payment providers. These merchants should expect more extensive onboarding due diligence and ongoing monitoring requirements.

SAR filing obligations are strict and confidential: when suspicious activity is identified, the obligation to file a SAR is not discretionary. And critically, tipping off the subject of a SAR that a report has been filed is itself a criminal offence in most jurisdictions. Payment compliance teams must manage SAR workflows with strict confidentiality controls, including restricting who can see that a case is open.

With PXP

PXP holds payment institution licences in its operating jurisdictions and maintains a full AML compliance program including transaction monitoring, CDD procedures, and SAR filing capabilities. Merchants onboarding to PXP undergo AML-compliant due diligence as part of the underwriting process.


Frequently asked questions

What is the difference between AML and KYC?

KYC (Know Your Customer) is the identity verification and due diligence process conducted at customer or merchant onboarding, confirming who the customer is, their business purpose, and their expected transaction profile. AML is the broader ongoing obligation: monitoring transactions against the established customer profile, detecting suspicious patterns, and filing SARs when suspicious activity is identified. KYC creates the baseline; AML monitors against it continuously.

Which payment entities are directly regulated for AML?

Licensed payment institutions, e-money institutions, banks, and money service businesses are directly regulated for AML in most jurisdictions. Standard e-commerce merchants are generally not directly regulated unless they operate in specific categories (gambling, crypto, money transfer) or become PayFacs. Merchants using licensed payment providers benefit from the provider's AML framework at the transaction level, but may still have their own obligations depending on business model.

What transaction patterns does AML monitoring look for?

Common AML indicators in payment data include: structuring (multiple transactions just below reporting thresholds); rapid cycling (funds received and immediately transferred out); transactions to high-risk jurisdictions disproportionate to the business profile; sudden volume spikes inconsistent with seasonal patterns; transactions inconsistent with the stated business category; and high volumes of refunds or reversals relative to sales.
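The indicators listed here, and the transaction-monitoring description under "How it works" above, can be expressed as concrete detection rules. The following is an added example, not PXP's monitoring system or code from this page: a small rule-based monitor in Python run over constructed sample transactions. The reporting threshold, time windows, spike multiplier, high-risk country codes and the Txn record layout are all assumptions chosen for illustration; a real programme sets these from its own risk assessment.

```python
"""Rule-based transaction monitoring over constructed sample payments.

Added example, not PXP's monitoring logic. Thresholds, windows and the
high-risk country list are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Txn:
    id: str
    customer: str
    ts: datetime
    amount: float   # positive = funds received by the customer, negative = paid out
    country: str    # counterparty jurisdiction, ISO 3166-1 alpha-2 (assumed field)


# Assumed parameters.
REPORTING_THRESHOLD = 10_000.0        # cash-reporting style threshold
STRUCTURING_WINDOW = timedelta(days=1)
STRUCTURING_MIN_COUNT = 3
CYCLING_WINDOW = timedelta(hours=24)
CYCLING_TOLERANCE = 0.10              # outbound within 10% of the inbound amount
SPIKE_MULTIPLIER = 5.0
HIGH_RISK_COUNTRIES = {"XX", "YY"}    # placeholder codes, not real designations


def _by_customer(txns):
    """Group transactions per customer, sorted by time."""
    groups = defaultdict(list)
    for t in txns:
        groups[t.customer].append(t)
    for items in groups.values():
        items.sort(key=lambda t: t.ts)
    return groups


def detect_structuring(txns):
    """Several inbound payments, each between 50% and 100% of the threshold,
    inside one window and summing above it."""
    alerts = []
    near = [t for t in txns if 0.5 * REPORTING_THRESHOLD <= t.amount < REPORTING_THRESHOLD]
    for cust, items in _by_customer(near).items():
        for i, first in enumerate(items):
            window = [t for t in items[i:] if t.ts - first.ts <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT and sum(t.amount for t in window) >= REPORTING_THRESHOLD:
                alerts.append(("STRUCTURING", cust, [t.id for t in window]))
                break  # one alert per customer is enough to open a review
    return alerts


def detect_rapid_cycling(txns):
    """An inbound payment followed within CYCLING_WINDOW by an outbound transfer
    of roughly the same amount: funds received and immediately passed on."""
    alerts = []
    for cust, items in _by_customer(txns).items():
        for i, inbound in enumerate(items):
            if inbound.amount <= 0:
                continue
            for out in items[i + 1:]:
                if out.ts - inbound.ts > CYCLING_WINDOW:
                    break
                if out.amount < 0 and abs(-out.amount - inbound.amount) <= CYCLING_TOLERANCE * inbound.amount:
                    alerts.append(("RAPID_CYCLING", cust, [inbound.id, out.id]))
                    break
    return alerts


def detect_volume_spike(txns, baseline_days=7):
    """A day whose inbound volume exceeds SPIKE_MULTIPLIER times the mean of the
    preceding baseline_days; only evaluated once a full baseline exists, so a
    new customer's first days do not alert on themselves."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(float))   # customer -> date -> inbound sum
    for t in txns:
        if t.amount > 0:
            daily[t.customer][t.ts.date()] += t.amount
    for cust, days in daily.items():
        for day in sorted(days):
            prior = [days.get(day - timedelta(days=k), 0.0) for k in range(1, baseline_days + 1)]
            if sum(1 for v in prior if v > 0) < baseline_days:
                continue   # too little history to call anything a spike
            if days[day] > SPIKE_MULTIPLIER * mean(prior):
                alerts.append(("VOLUME_SPIKE", cust, [day.isoformat()]))
    return alerts


def detect_high_risk_jurisdiction(txns):
    """Material payments to or from an assumed high-risk jurisdiction."""
    return [("HIGH_RISK_JURISDICTION", t.customer, [t.id]) for t in txns
            if t.country in HIGH_RISK_COUNTRIES and abs(t.amount) >= 0.5 * REPORTING_THRESHOLD]


def run_rules(txns):
    """Run every rule; each hit is (rule, customer, related transaction ids)."""
    return (detect_structuring(txns) + detect_rapid_cycling(txns)
            + detect_volume_spike(txns) + detect_high_risk_jurisdiction(txns))


def _t(tid, cust, when, amount, country="GB"):
    return Txn(tid, cust, datetime.fromisoformat(when), amount, country)


# Constructed sample data: one customer per pattern plus one benign customer.
SAMPLE_TXNS = [
    _t("a1", "A", "2024-03-01T09:00", 9_500.0),     # A: three deposits just under
    _t("a2", "A", "2024-03-01T11:30", 9_800.0),     #    the threshold in one day
    _t("a3", "A", "2024-03-01T15:45", 9_200.0),
    _t("b1", "B", "2024-03-02T10:00", 50_000.0),    # B: receives 50k, sends 49.5k
    _t("b2", "B", "2024-03-02T12:00", -49_500.0),   #    on two hours later
    *[_t(f"c{d}", "C", f"2024-03-0{d}T12:00", 1_000.0) for d in range(1, 8)],
    _t("c8", "C", "2024-03-08T12:00", 20_000.0),    # C: 1k/day for a week, then 20k
    _t("d1", "D", "2024-03-03T14:00", 1_200.0),
    _t("d2", "D", "2024-03-04T14:00", -7_000.0, country="XX"),  # D: payment to "XX"
    _t("e1", "E", "2024-03-05T09:00", 2_000.0),     # E: ordinary activity, no alert
    _t("e2", "E", "2024-03-06T09:00", -300.0),
]

if __name__ == "__main__":
    for rule, cust, ids in run_rules(SAMPLE_TXNS):
        print(f"{rule:<24} customer={cust} txns={ids}")
```

Two design points worth noting. Each rule hit is an alert for analyst review, not a SAR decision: the investigation of the customer's KYC profile against the flagged activity is what turns an alert into a filing, and the confidentiality requirement around SARs starts at that point, not at the rule. And the volume-spike rule deliberately refuses to evaluate days without a full baseline, because the naive version (compare today to the average of whatever history exists) alerts on almost every new customer's second day, which buries real spikes in noise.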

What is the 5-year data retention requirement in AML?

EU AML directives require payment companies and other obliged entities to retain transaction records and customer due diligence documentation for a minimum of five years. The obligation dates from 4AMLD (Directive (EU) 2015/849, Article 40) and is carried forward by the later directives: the five years run from the end of the business relationship or the date of the occasional transaction, and member states may extend the period by up to a further five years. This retention supports law enforcement investigations and regulatory audits. It interacts with GDPR's storage limitation and data minimisation principles: the retention is processing under a legal obligation (GDPR Article 6(1)(c)), but organisations must document that legal basis and the retention period, and delete or anonymise the records once it expires.