The short answer
AML (Anti-Money Laundering) and KYC (Know Your Customer) are linked regulatory frameworks that require every entity touching money-movement rails — banks, acquirers, payment facilitators, crypto exchanges — to verify the identity of their customers, monitor transactions for suspicious patterns, and report to FinCEN (U.S.) or equivalent authorities. KYC is the "verify the identity" piece; AML is the "monitor activity and report suspicious transactions" piece. They flow from the Bank Secrecy Act, USA PATRIOT Act, FinCEN's Customer Due Diligence rule, and FATF international guidance.
What KYC looks like at merchant onboarding
- Entity verification: Articles of incorporation, EIN, state registration.
- Beneficial ownership (CDD rule): Every individual owning 25%+ of the entity, plus one control person. Each with full personal KYC — name, DOB, SSN, address, government ID.
- Business legitimacy: Website, invoices, bank statements, prior processing statements if switching, customer contracts for B2B.
- Sanctions screening: OFAC SDN list, PEP (politically exposed persons) screening on every owner.
- Industry alignment: The MCC must match actual business activity. Misrepresenting MCC is AML/KYC failure that can trigger MATCH-list placement.
This is the core of KYB (Know Your Business) — KYC applied to entities. See also KYC for the individual-consumer version.
What AML monitoring looks like
- Transaction monitoring rules: Sudden volume spikes, round-dollar patterns, split-transaction behavior, geographic anomalies, velocity clusters.
- Structuring detection: Multiple transactions just under $10k reporting thresholds — a classic money-laundering tactic.
- SAR (Suspicious Activity Report) filings: When a bank detects suspicious patterns it files a SAR with FinCEN. Merchants never see these, but they're the reason accounts get frozen without explanation.
- CTR (Currency Transaction Report): Cash transactions over $10k — less relevant to card merchants, central to cash-heavy businesses.
What operators need to know
- Beneficial ownership isn't optional. Every 25%+ owner, plus a control person, with full KYC. Refusing to disclose triggers declined underwriting and possible MATCH placement.
- Corporate Transparency Act (2024) updates. U.S. entities must file beneficial-ownership reports directly with FinCEN. Payment facilitators leverage these filings for KYC reconciliation.
- Sudden account freezes are usually AML, not risk. If your account is suspended with "compliance review" language and no specifics, it's likely an AML investigation. They're not allowed to tell you (tipping-off prohibition under BSA).
- High-risk verticals face heavier AML scrutiny. Adult, gambling, firearms, supplements, crypto-adjacent — more transaction monitoring, more frequent reviews, lower thresholds for flags.
- Multi-brand operators need clean cross-brand separation. Common ownership with no disclosed relationship between brands looks like structuring. Always disclose common ownership at onboarding.
- Record retention is 5 years minimum. Post-relationship, all KYC and transaction records stay accessible for 5 years under BSA.