The complete guide to AML and KYC compliance for high-risk businesses across all verticals — iGaming, crypto, forex, adult content, CBD, and more. Covers CDD, source of funds, transaction monitoring, sanctions screening, and building an AML policy that passes bank review.
AML and KYC compliance is the single most important factor in whether a high-risk business can open and keep a bank account. Banks do not reject high-risk businesses because they are high-risk — they reject businesses whose compliance documentation does not demonstrate credible, business-specific controls. The quality of your AML framework directly determines your banking options, your processing rates, and your vulnerability to account closure.
This guide covers the complete AML/KYC compliance requirements for high-risk businesses across all major verticals — iGaming, crypto, forex, adult content, CBD, and more — including what banks actually check, how to build a compliant framework from scratch, and how to maintain it as your business scales.
When a bank reviews a high-risk business application, the compliance team is not primarily evaluating the business model. They are evaluating whether the business can demonstrate that it takes its own compliance obligations seriously. A well-drafted, business-specific AML framework is evidence that you understand your risk environment, have implemented proportionate controls, and will not create compliance problems for the bank.
The inverse is equally powerful: a generic AML policy downloaded from the internet, a source of funds declaration that doesn't actually explain where the money came from, or an absent transaction monitoring procedure tells the bank's compliance officer everything they need to know about how seriously you take AML — and that application is declined.
The practical stakes:
For the broader banking strategy that your AML compliance supports, see our High-Risk Business Banking: The Complete 2026 Guide.
AML compliance for high-risk businesses is shaped by a layered regulatory framework operating at global, regional, and national levels.
The Financial Action Task Force (FATF) is the intergovernmental body that sets global AML/CTF standards. Its 40 Recommendations are the baseline framework adopted by 200+ jurisdictions and all major international financial institutions. Key FATF concepts that appear throughout bank compliance reviews:
The EU has implemented successive AML Directives that apply to all EU-incorporated businesses in regulated sectors:
The Proceeds of Crime Act 2002 (POCA) and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs) (as amended) govern AML compliance for UK businesses. The Financial Conduct Authority (FCA) supervises financial services firms; HMRC supervises certain non-financial businesses.
The Bank Secrecy Act (BSA), administered by FinCEN, is the primary US AML statute. Financial businesses — including money services businesses, crypto exchanges, and payment processors — must register with FinCEN and implement BSA-compliant AML programs. The Corporate Transparency Act (CTA) introduced beneficial ownership reporting to FinCEN from January 2024.
KYC (Know Your Customer) refers to the identity verification and due diligence you conduct on your customers — the individuals or businesses that use your product or service.
KYB (Know Your Business) refers to the due diligence that your bank, EMI, or payment processor conducts on your business before onboarding you as a client.
High-risk businesses need to manage both:
| | KYC | KYB |
|---|---|---|
| Purpose | Verify customer identity; assess customer risk | Verify your business legitimacy; assess your compliance framework |
| Who conducts it | You (the regulated business) | Your bank, EMI, or payment processor |
| What is verified | Customer name, address, ID, source of funds | Corporate structure, UBOs, AML policy, licence status |
| Ongoing obligation | Transaction monitoring, periodic review | Annual compliance updates, event-driven notifications |
| Failure consequence | Regulatory fine; account closure by your bank | Rejection or closure of your own banking relationship |
The key connection: banks conducting KYB on your business will ask to review how you conduct KYC on your customers. A weak customer KYC framework is a red flag in your banking application — it signals that your business may be processing funds from unverified sources.
FATF Recommendation 10 requires regulated businesses to apply CDD measures to all customers. The intensity of CDD is calibrated to risk:
Applied to customers assessed as presenting average risk. Requires:
Accepted verification methods in 2026: traditional document collection (certified copies of passport + proof of address), electronic verification via databases (GBG, Jumio, Onfido, Veriff), biometric verification, and certified video identification.
Permitted for customers assessed as presenting lower risk — typically institutional counterparties, listed companies, or government entities. Requires reduced documentation and less frequent monitoring.
Mandatory for:
EDD requires: more extensive identity verification, source of funds documentation, senior management approval before onboarding, and enhanced ongoing monitoring.
Banks will ask: how do you identify PEPs in your customer base? Your answer should reference a named PEP screening database (Refinitiv World-Check, Dow Jones Risk & Compliance, LexisNexis, Acuris Risk Intelligence) and a documented escalation procedure.
KYB is the process your bank applies to your business. Understanding what they check — and why — allows you to prepare documentation that directly addresses their concerns.
Banks need to trace the ownership chain from the legal entity to the natural persons who ultimately control and benefit from the business. This means:
Common problem: complex multi-layer offshore structures where it takes 4+ corporate entities to get from the operating company to a natural person. Banks treat this as a red flag unless each layer has a clear, legitimate business rationale (tax treaty access, IP ring-fencing, investor requirements).
For each UBO:
Banks need to understand precisely how your business makes money:
Vague descriptions — "digital services" or "online entertainment" — are immediate red flags. Specificity and precision are what banks need to complete their internal risk classification.
Banks will independently verify your regulatory status against public registers:
Ensure your licence is in good standing, your regulatory contact details are current, and any regulatory actions or warnings are disclosed proactively in your application.
Source of Funds (SoF) and Source of Wealth (SoW) requirements are the most frequently misunderstood and poorly executed elements of KYB documentation. They are also the most common reason for application rejection or extended due diligence.
Source of Funds refers to how the money entering your business account was generated. Banks want to understand:
What works: a clear, written narrative that matches your bank statements. If you funded the business from the sale of a prior company, provide the sale agreement. If from savings, provide 12 months of personal bank statements showing accumulation.
What does not work: a one-line statement saying "from business operations" without any supporting documentation.
Source of Wealth refers to how the UBO accumulated their net worth — not just how the business was funded. Banks need to understand the financial history of the person behind the business:
What works: a letter from a qualified accountant or solicitor summarising the UBO's wealth history, supported by documentary evidence for the largest components.
What does not work: a self-written declaration with no supporting evidence; or a declaration that identifies a wealth source that cannot be independently verified.
The standard: the more your wealth has passed through regulated institutions (banks, accountants, solicitors), the easier it is to document. Wealth generated in cash or crypto — or in jurisdictions with weak financial record-keeping — requires more creative but credible documentation strategies.
Transaction monitoring is the ongoing process of analysing your customers' transactions to identify patterns that may indicate money laundering, fraud, or terrorist financing. It is a regulatory requirement for all regulated businesses and a key assessment criterion in banking applications.
iGaming and sports betting:
Crypto and blockchain:
Forex and financial services:
General high-risk businesses:
What banks want to see: not necessarily the most expensive platform, but evidence that you have a system in place, you know how to use it, you review alerts, and you have a documented escalation procedure for flagged transactions.
Sanctions screening is the process of checking customers, counterparties, and transactions against international sanctions lists. It is non-negotiable — violating sanctions is a criminal offence with severe penalties including the loss of correspondent banking access for the entire institution caught processing a sanctioned transaction.
Sanctions lists update continuously — sometimes multiple times per week. Screening must be:
Technology: manual screening against downloaded lists is not compliant for any business above minimal scale. Automated screening tools (Refinitiv World-Check, ComplyAdvantage, LexisNexis Bridger Insight) are the standard for regulated businesses.
The Fourth Anti-Money Laundering Directive and the UK Proceeds of Crime Act 2002 apply directly to online gambling operators. AML requirements include:
For gambling-specific AML requirements in detail, see our AML Compliance for Online Gambling Guide. For iGaming banking specifically, see our iGaming Business Bank Account Guide.
As discussed in our Crypto Business Banking & VASP Compliance Guide, crypto-specific AML requirements include:
For forex banking requirements, see our Forex Broker Bank Account Guide.
Adult content businesses face concentrated scrutiny on two AML-adjacent issues:
For adult content banking, see our Adult Content Business Banking Guide.
CBD businesses' AML obligations are standard for retail businesses but require additional documentation:
For CBD banking, see our CBD Business Banking Guide.
A compliant AML policy for a high-risk business must be:
Business-specific. A generic template from a compliance consultancy that has been lightly edited to include your company name is recognisable to every experienced bank compliance officer. It does not demonstrate understanding of your specific risk environment.
Risk-based. The policy must identify the specific ML/TF risks relevant to your business — not the generic risks applicable to all financial businesses — and explain how your controls are calibrated to those specific risks.
Operational. It must describe what your staff actually do — not abstract principles. Which system do you use for KYC? Who approves high-risk customers? What triggers a SAR report? How often do you review customer risk ratings?
Current. The policy must reflect your actual current procedures. A policy describing a compliance process you abandoned 18 months ago is worse than no policy at all.
A bank-grade AML policy for a high-risk business should include:
All regulated businesses must have a procedure for identifying, escalating, and reporting suspicious transactions. The MLRO (Money Laundering Reporting Officer) is the designated individual responsible for receiving internal reports, making filing decisions, and managing FIU relationships.
SAR/STR filing obligations:
Tipping-off prohibition: once a SAR/STR has been filed, you are legally prohibited from informing the subject of the report. Violating this prohibition is a criminal offence.
What banks check: that your business has a designated MLRO, a documented internal reporting procedure, and a record of SAR/STR filings (the existence of filings, not the content). Zero filings over multiple years from a high-volume high-risk business is itself a compliance concern.
Under FATF Recommendation 11 and its national implementations, regulated businesses must retain AML records for a minimum period:
| Record Type | Retention Period | Notes |
|---|---|---|
| Customer CDD/KYC documents | 5 years from end of relationship | EU 5AMLD; UK MLRs 2017 |
| Transaction records | 5 years from date of transaction | All jurisdictions |
| SAR/STR filings and internal reports | 5 years from date of filing | |
| Source of funds / wealth documentation | 5 years from end of relationship | |
| Risk assessment documentation | 5 years from date of assessment | |
| Training records | 5 years | |
| PEP and sanctions screening records | 5 years | |
Format: records may be retained in electronic form provided they are accessible within a reasonable timeframe and are protected against unauthorised modification. Cloud storage with audit logs is widely accepted.
Banks will ask: where are your compliance records stored? How quickly can you produce a specific customer file? Who has access? Do you have a data retention and deletion policy?
What is the difference between AML and CTF?
AML (Anti-Money Laundering) covers controls designed to prevent the financial system from being used to conceal the proceeds of crime. CTF (Counter-Terrorist Financing) covers controls designed to prevent funds from reaching terrorist organisations or individuals. In practice, the controls overlap significantly — the same KYC, transaction monitoring, and sanctions screening procedures serve both objectives. The regulatory frameworks in most jurisdictions address both together (AML/CTF).
Do I need a Money Laundering Reporting Officer even if I'm a small business?
In most regulated sectors, yes. The MLRO does not need to be a full-time role for small businesses, but you must designate a specific individual as responsible for receiving internal reports, making SAR/STR filing decisions, and managing your AML programme. That individual must have appropriate authority and access to complete this function effectively.
What happens if my AML controls are inadequate?
Consequences range from informal regulatory guidance to formal enforcement: fines, licence suspension, licence revocation, and — in cases of systematic non-compliance — criminal prosecution. From a banking perspective: your account is closed and you may be added to internal watchlists shared across the correspondent banking network.
How often should I review my AML policy?
At minimum annually, plus whenever there is a material change to your business (new product, new market, new UBO, change of licence), or following any regulatory update that affects your obligations. Banks expect to see the policy dated within the last 12 months and versioned to show review history.
Can I use a third party to conduct KYC for me?
Yes, with conditions. Third-party reliance (outsourcing CDD to a third party) is permitted under FATF Recommendation 17 provided: the third party is subject to equivalent AML regulation, you have a written reliance agreement, the third party provides immediate access to CDD documentation on request, and the underlying regulatory responsibility remains with you. You cannot outsource the liability — only the execution.
Is a blockchain analytics tool required for crypto businesses?
Not strictly mandated by any regulation as of 2026, but practically required for any crypto business seeking banking or EMI services. Financial institutions treating crypto businesses as clients apply EDD, and the most effective evidence of blockchain AML competence is a subscription to Chainalysis, Elliptic, or TRM Labs with documented alert review procedures. Without it, banking applications from crypto businesses face significant additional scrutiny.
What is the difference between Source of Funds and Source of Wealth?
Source of Funds is transaction-specific — where did the money in this particular account come from? Source of Wealth is biographical — how did the individual accumulate their overall net worth? Both are required for UBOs of high-risk businesses. Source of Wealth requires a broader, documented financial history — not just a reference to the current business.
GetBanked works with high-risk businesses to prepare AML and KYB documentation that meets the actual standards of the banks and EMIs we work with. Our compliance review identifies the gaps in your documentation before you submit — so your application lands complete and credible, not requiring weeks of back-and-forth.