Bring all your client data up to date - get ready for AMLA with EC Review Find out more

AML compliance for global financial institutions: a guide to UK, EU, US and Hong Kong regulations

By David Williams | Mon 11 March, 2019
UK, HK and US | encompass blog

If your institution operates across more than one jurisdiction, AML compliance is not a single program. It’s several, each with its own rules, its own regulators, and its own enforcement teeth.

The frameworks in the UK, the European Union, the United States, and Hong Kong share common foundations. All are shaped by FATF standards. Furthermore, all require a risk-based approach to customer due diligence as the foundation of their AML compliance programs. All impose beneficial ownership obligations. But the differences between them matter enormously in practice, and getting them wrong carries consequences that range from regulatory censure to criminal liability.

This guide cuts through the complexity. It covers what each jurisdiction requires, where the frameworks diverge, and how financial institutions operating globally can build a strong AML program that holds up under scrutiny in all of them.

What AML compliance actually requires

Anti-money laundering (AML) compliance means having systems, controls, and processes in place to detect, prevent, and report money laundering activities and terrorism financing. At its core, every major framework requires the same building blocks:

  • Customer due diligence (CDD): identifying and verifying who your customers are, conducting risk assessments to build accurate customer risk profiles, and understanding the nature of the relationship
  • Enhanced due diligence (EDD): deeper scrutiny for higher-risk customers, relationships, and transactions
  • Beneficial ownership identification: establishing who ultimately owns or controls the entity you’re doing business with
  • Transaction monitoring: ongoing surveillance to detect suspicious activity
  • Suspicious activity reporting: an obligation to report suspicious transactions to the relevant financial intelligence unit, whether that’s the NCA in the UK, FinCEN in the US, or the JFIU in Hong Kong
  • Record-keeping: maintaining evidence of compliance for regulatory inspection

Where jurisdictions differ is in how prescriptively these requirements are defined, who they apply to, what the reporting thresholds are, and how aggressively they’re enforced.

The FATF framework: the global baseline

The Financial Action Task Force (FATF) sets the international standard. Its 40 Recommendations, last updated in October 2025, form the baseline against which every jurisdiction’s AML regime is assessed through a program of mutual evaluations.

FATF’s fifth round of evaluations began in 2024 under a revised assessment methodology, placing greater emphasis on effectiveness rather than technical compliance alone. A country can have the right laws on paper and still receive a poor rating if those laws aren’t working in practice.

The FATF estimates that money laundering accounts for between 2% and 5% of global GDP annually. A 2023 report found that approximately $3.1 trillion in illegal funds circulated through the global financial system that year, funding crimes from drug trafficking to human exploitation.

For institutions operating internationally, FATF ratings matter. They signal how seriously a jurisdiction takes financial crime, and regulators in stricter jurisdictions pay attention to the exposure their institutions have in weaker ones.

UK and EU AML compliance

The regulatory landscape

The UK’s AML framework was historically shaped by EU directives and continues to align closely with them post-Brexit, though divergence is increasing. The relevant UK legislation includes the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended.

In the EU, a comprehensive AML overhaul is now in progress. The package — adopted in 2024 — consists of three interlocking instruments:

  • AMLD6 (Directive (EU) 2024/1640): the sixth Anti-Money Laundering Directive, published in the Official Journal on 19 June 2024. Member states must transpose it into national law by 10 July 2027.
  • AMLR (Anti-Money Laundering Regulation): a directly applicable EU regulation creating a single AML rulebook across all member states — removing the inconsistency that came from each country implementing directives differently.
  • AMLA: a new EU-wide Authority for Anti-Money Laundering, established to provide centralized oversight and direct supervision of the highest-risk obliged entities across the bloc.

Together, these represent the most significant structural reform of EU AML rules since the framework began.

What AMLD6 changes

For compliance teams, the key changes under AMLD6 are:

Expanded predicate offenses. AMLD6 defines 22 specific predicate offenses, the underlying crimes that generate the funds being laundered, including cybercrime, environmental crime, and tax offenses. The list is harmonized across all EU member states, removing the loophole that allowed launderers to exploit jurisdictional gaps.

Criminal liability for enablers. AMLD6 explicitly extends criminal liability to aiding and abetting. Anyone who facilitates money laundering, not just those who directly profit, is now legally culpable. This has significant implications for professional services firms, legal advisers, and any institution whose services could be used to move illicit funds.

Stricter penalties. The minimum custodial sentence for money laundering offenses is now four years, up from one. Judges can additionally impose fines and exclude convicted entities from public funding. Across European financial firms, AML fines exceeded €36 million between March 2024 and March 2025.

Beneficial ownership registers. AMLD6 maintains the requirement for central beneficial ownership registers, with access extended to journalists, civil society organizations, and others with legitimate interest — building on the transparency agenda established by its predecessors.

Enhanced accountability for senior management. Supervisors now have explicit power to remove individuals convicted of money laundering from senior management roles, and to bar those deemed to lack integrity from leadership positions in obliged entities.

Beneficial ownership: the UK position

The UK was the first country in the world to introduce a publicly searchable beneficial ownership register — the People with Significant Control (PSC) register, launched in 2016. The threshold for disclosure is ownership of more than 25% of shares or voting rights, or other significant control.

The UK’s approach remains more advanced in terms of public transparency than most other jurisdictions, though the accuracy of register data continues to be an area of regulatory focus.

US AML compliance

The core framework

US AML compliance is governed primarily by the Bank Secrecy Act (BSA), enforced by the Financial Crimes Enforcement Network (FinCEN). The BSA requires covered financial institutions to maintain written AML/CFT programs, file Suspicious Activity Reports (SARs), conduct customer due diligence, and keep records sufficient for regulatory examination.
Covered institutions must appoint a designated AML compliance officer responsible for overseeing the program and ensuring ongoing adherence to BSA obligations.

In April 2026, FinCEN proposed a significant reform to the BSA program requirements — the first fundamental overhaul in decades. The proposed rule reorients compliance expectations away from volume of activity (numbers of SARs filed, records maintained) and towards demonstrated effectiveness in identifying and mitigating actual illicit finance risk. The comment period closes June 2026, with implementation expected to reshape how US institutions design and document their AML controls.

Beneficial ownership: a complex picture

The US beneficial ownership landscape has shifted substantially in the past two years — and not in a straightforward direction.

The Corporate Transparency Act (CTA), enacted in 2021, created a requirement for companies to report beneficial ownership information (BOI) to FinCEN, using the same 25% ownership threshold applied in the UK and EU. This was intended to close a significant gap: when FATF assessed the US framework in 2016, it found strong AML laws but rated the country non-compliant on beneficial ownership. The introduction of the CTA prompted FATF to upgrade the US to largely compliant on this measure in 2024.

However, in March 2025, FinCEN issued an interim final rule that removed the BOI reporting requirement for US domestic companies. The rule now applies only to foreign companies registered to do business in the US. The practical effect is a significant reduction in the number of entities subject to the reporting requirement — from an estimated 32 million to a far smaller pool of foreign registrants.

There is no publicly accessible beneficial ownership register in the US. Verified BOI data held by FinCEN is accessible to law enforcement and authorized government bodies, but not to the public or to financial institutions directly.

For global institutions, this creates a practical asymmetry: European counterparts operating under AMLD6 or UK rules have access to public registers to support their own due diligence, while US-side verification relies on direct disclosure from the entity rather than independent public data.

Expanding scope

FinCEN has also extended AML requirements to new sectors. From December 2025, professionals involved in residential real estate closings and settlements are required to report information on non-financed transfers to legal entities and trusts — including beneficial owner identification. This follows a long-running effort to combat money laundering through anonymous all-cash property purchases.

Investment advisers are the next expansion: a 2024 final rule subjects SEC-registered investment advisers and exempt reporting advisers to full BSA program requirements, though the effective date has been extended to January 2028.

Hong Kong AML compliance

The regulatory framework

Hong Kong’s AML framework is governed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615). The AMLO imposes customer due diligence, record-keeping, and ongoing monitoring obligations on financial institutions and, following 2018 amendments, on designated non-financial businesses and professions (DNFBPs) — including lawyers, accountants, real estate agents, and trust and company service providers.

The regulatory bodies include the Hong Kong Monetary Authority (HKMA) for banks, the Securities and Futures Commission (SFC) for securities firms, and the Insurance Authority for insurers, among others.

FATF evaluation: where things stand

Hong Kong’s 2019 FATF mutual evaluation found the territory to have a sound legal framework but identified two persistent weaknesses: limited prosecution of money laundering involving predicate crimes committed abroad, and inconsistent supervision of the non-financial sector.

A 2023 follow-up report noted progress on DNFBP supervision — Hong Kong was upgraded from partially compliant to largely compliant on Recommendation 28 — but the territory remains in regular follow-up. It is scheduled for assessment in FATF’s 5th round of mutual evaluations.

Research benchmarking Hong Kong against comparable Asia-Pacific financial centers finds its technical compliance score of 70/100 to be competitive, though cross-border prosecution gaps and DNFBP oversight remain the areas most likely to draw scrutiny in the next assessment cycle.

Beneficial ownership

Following the Panama Papers, Hong Kong was identified as one of the most active centers for the formation of shell companies. The response was the introduction of the Significant Controllers Register (SCR) in March 2018. Private companies are required to identify and maintain records of their significant controllers — those owning or controlling more than 25% — but unlike the UK’s PSC register, the SCR is not publicly accessible. It is available to law enforcement on demand.

For institutions conducting due diligence on Hong Kong-incorporated entities, this means beneficial ownership verification is dependent on disclosure by the entity itself, rather than on independent register search. Enhanced due diligence procedures should account for this.

Comparing the three frameworks: What Global Institutions need to know

 

UK EU (AMLD6) US Hong Kong
Primary legislation  MLR 2017 (as amended)  AMLD6 / AMLR (2024)  Bank Secrecy Act  AMLO (Cap. 615)
Regulator FCA/HMRC AMLA and national supervisors FinCEN HKMA / SFC / IA
Beneficial ownership threshold 25% 25% 25% (foreign entities only) 25%
Public BO register Yes (PSC register) Yes (member state registers) No No
DNFBP scope Yes Yes Expanding Yes (post 2018)
Criminal liability for enablers Yes Yes (AMLD6) Yes Yes
Technology mandate Encouraged Mandated for large/global firms Encouraged Encouraged

 

Across all four frameworks, regulation requires financial institutions to demonstrate effectiveness, not just procedural compliance. The consistent theme is risk-based compliance. Regulators have moved away from prescriptive rule-following and towards demonstrated effectiveness. The question is no longer whether you have a policy, it’s whether your program actually identifies and mitigates risk.

The main objection: “we’re already compliant in our home jurisdiction”

It’s a common position, and it’s insufficient for institutions with cross-border operations.

Each jurisdiction imposes its own AML obligations, independently of what you do elsewhere. A US institution operating in the UK cannot rely on its BSA compliance to satisfy the FCA. A Hong Kong bank with EU clients needs to consider whether AMLD6’s expanded predicate offense list affects its transaction monitoring. An EU firm conducting CDD on a US-incorporated entity cannot use a public register that doesn’t exist.

Regulatory compliance with your home jurisdiction’s rules is the floor, not the ceiling. Building an effective AML compliance program means accounting for the most stringent applicable standard in every jurisdiction you operate in — not just your home market.

The role of technology in multi-jurisdictional AML

All four jurisdictions now recognize that manual AML compliance processes are not sustainable at scale. AMLD6 explicitly mandates the use of technological solutions for large companies and those operating across multiple markets. FinCEN’s proposed 2026 reform emphasizes effectiveness over volume — a shift that favors automation over checkbox processes.

The practical case for technology in AML is clear:

  • KYC onboarding: automated identity verification and document checks reduce manual error and speed up onboarding without compromising rigor
  • Ongoing monitoring: automated alerts to changes in risk profile, adverse media, or sanctions status replace periodic manual reviews that create blind spots between cycles
  • Beneficial ownership verification: automated corporate structure mapping surfaces complex ownership chains that manual research routinely misses
  • PEP and sanctions screening: real-time screening against global watchlists, with consistent application across jurisdictions.

The institutions that will struggle most under tightening global AML regulation are those still running fragmented, manual compliance processes across different jurisdictions. Automation doesn’t remove the need for human judgment, but it ensures that judgment is applied to the right cases, rather than being consumed by administrative overhead.

FAQs

What is anti-money laundering compliance?

AML (anti-money laundering) compliance refers to the policies, controls, and procedures that financial institutions and other obliged entities must have in place to detect, report, and prevent money laundering and terrorist financing. Requirements are set by national legislation and shaped by international standards established by FATF.

What are the core components of an AML compliance program?

An effective AML compliance program typically includes customer due diligence (CDD), risk assessments, enhanced due diligence (EDD) for higher-risk clients, beneficial ownership identification, ongoing transaction monitoring, suspicious activity reporting (SAR filing), and staff training. Most jurisdictions now emphasize program effectiveness — the ability to actually identify and mitigate risk — over procedural completeness alone.

What is the beneficial ownership threshold?

The 25% threshold is standard across the UK, EU, US, and Hong Kong — meaning any individual who owns or controls 25% or more of an entity must be identified as a beneficial owner. In practice, EDD may require investigation of control relationships even below this threshold, particularly in complex or opaque corporate structures.

How does AMLD6 affect non-EU institutions?

Non-EU institutions with EU clients, EU operations, or EU-incorporated counterparties may be affected by AMLD6 indirectly. EU-based obliged entities conducting CDD on those institutions will be subject to AMLD6 requirements, including enhanced due diligence for higher-risk relationships. Non-EU institutions that are subsidiary to or own EU entities will face AMLD6 obligations through those entities.

What changed with US beneficial ownership reporting in 2025?

In March 2025, FinCEN removed the requirement for US domestic companies to report beneficial ownership information under the Corporate Transparency Act. The reporting requirement now applies only to foreign entities registered to do business in the US. There remains no publicly accessible beneficial ownership register in the United States.

Is AML compliance the same as KYC?

Not exactly. KYC (Know Your Customer) is a component of AML compliance — specifically, the processes used to identify customers, verify their identity, understand the nature of the relationship, and assess risk. AML compliance is broader, encompassing ongoing monitoring, transaction screening, SAR filing, record-keeping, and program governance. KYC is the foundation; AML compliance is the full structure built on it.

What are the penalties for AML compliance failures?

Penalties vary by jurisdiction but are significant across all four covered here.

  • In the EU, AMLD6 increases criminal penalties to a minimum four-year custodial sentence, with additional financial penalties and exclusion from public funding.
  • In the UK, FCA enforcement can include unlimited financial penalties, public censure, and withdrawal of authorization.
  • In the US, BSA violations can result in civil money penalties, criminal prosecution, and deferred prosecution agreements.
  • In Hong Kong, AMLO violations can attract criminal prosecution and license revocation.

 

How Encompass helps global compliance teams

Managing AML compliance across multiple jurisdictions means coordinating different regulatory requirements, different data sources, and different enforcement environments. All while keeping pace with rule changes that come faster than most compliance teams can manually absorb.

Encompass automates KYC and corporate due diligence for financial institutions operating globally, giving compliance teams a real-time, evidence-backed view of financial crime risks across their entire customer base.

  • Automated beneficial ownership discovery across complex, multi-layered corporate structures
  • Real-time PEP and sanctions screening against global watchlists
  • Audit-ready documentation of every due diligence step taken
  • Faster onboarding without compromising on compliance quality

Explore how Encompass supports multi-jurisdictional AML compliance →

This article provides general information on AML regulations and is not legal advice. Regulatory requirements change frequently. Institutions should seek qualified legal counsel for advice specific to their circumstances.

 
Author: David Williams

David has over twenty years of Financial Services experience working in banks and solution providers solving challenges and managing risks across Onboarding, Data, KYC and Collateral (PB & OTC), and has a strong understanding of the front to back and end to end process and business. He is an experienced BAU manager with a track record for bringing transformational change by defining or refining Operating and engagement models, establishing or aligning functions and creating a culture and passion for change within teams. David is a recognised industry thought leader and transformational change agent across the regulatory landscape within Asia Pacific for local rules and the impact of global reforms to local business.

LinkedIn Profile | David Williams

You also might be interested in

west
east

Discover corporate digital identity from Encompass

 

Find out more