KYC vs AML in 2026: fines showing how each fails differently, the operational distinction, and what to fix first.

KYC vs AML gets answered with a dictionary on most websites. KYC is identity verification at onboarding, AML is the broader anti-money-laundering program around it. Fine. But that framing hides the question compliance teams actually need answered: where, in our KYC vs AML program, are we more likely to get fined? The 2025 and 2026 enforcement record shows KYC vs AML failing in completely different ways. OKX paid USD 504 million for a KYC failure. TD Bank paid USD 3.09 billion for an AML failure. The same word, "compliance," does not cover the KYC vs AML split.

Why is KYC vs AML more than a definitions question in 2026?

Because the regulator now treats KYC vs AML as two separable risks and prices them separately. On April 13, 2026, FinCEN proposed a comprehensive AML overhaul that, for the first time in a decade, distinguishes operational standards for customer identification from operational standards for transaction monitoring and reporting. The proposal is in consultation, but the direction is clear: the all-in-one "AML program" framing is moving towards a layered KYC vs AML model where each layer carries its own audit, its own evidence base, and its own potential fine.

The 2025 numbers tell the same KYC vs AML story. Total penalties for AML, KYC, sanctions, and customer due diligence reached USD 3.8 billion globally, down from USD 4.6 billion in 2024 but with regional enforcement diverging sharply: North American fines fell 58%, while EMEA penalties rose 767% and APAC rose 44%. Within that pool, the cases that anchor specific KYC vs AML failures sit on opposite ends of the program.

For the broader regulatory backdrop on the EU side, see our GDPR transparency enforcement 2026 EDPB sweep breakdown.

What is KYC, and where does it sit in the KYC vs AML program?

KYC, Know Your Customer, is the identity-verification layer at the front of the customer relationship. In the KYC vs AML model, KYC is the door; AML is everything inside the building. The regulator wants to know that the person opening the account is who they say they are, that they aren't on a sanctions or PEP list, that their address is real, and that their stated reason for using your service is plausible. In FATF Recommendation 10 and most national derivatives, KYC is described as part of customer due diligence (CDD), with enhanced due diligence (EDD) layered on top for higher-risk profiles.

Operationally, KYC means:

  • Customer Identification Programme (CIP): name, date of birth, address, ID document, biometric liveness.
  • Sanctions and PEP screening at onboarding.
  • Risk-tiering: standard CDD, simplified for low-risk, EDD for high-risk.
  • Document validation against the issuing authority where available.
  • A single, defensible pass / fail / refer decision.

KYC is the point of entry. It is not the whole program, and treating it as such is one of the recurring patterns in enforcement actions where the regulator concluded the program was incomplete.

For the structural breakdown, see the three pillars of customer verification (CIP, CDD, EDD).

What is AML in the KYC vs AML split, and what's beyond KYC?

AML, Anti-Money Laundering, is the regulatory framework that includes KYC and extends well beyond it. In the KYC vs AML split, AML is everything you do across the customer lifecycle, not just at the front door. The mistake compliance leads make most often in their KYC vs AML thinking is calling the whole program "AML" and assuming KYC is a synonym; the regulator does not.

The AML scope, in operational terms:

  • KYC at onboarding (covered above).
  • Ongoing customer due diligence: re-verification on a risk-based schedule, source of funds and source of wealth checks for higher-risk customers.
  • Transaction monitoring: rule-based and behavioural detection of suspicious activity.
  • Sanctions screening at every transaction, not just at onboarding.
  • Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) filed with the FIU.
  • Internal controls, training, audit, recordkeeping.
  • Independent testing of the program.

The single most important KYC vs AML operational distinction: KYC is a one-shot decision. AML is continuous. A program can pass its KYC audit and still fail the AML one because it never invested in the monitoring layer. That's the KYC vs AML split that consent orders pick apart.

For the operator-side detail, see building a robust AML strategy for crypto exchanges and adverse media screening AML guide.

How do regulators tell a KYC failure from an AML failure?

By the wording of the consent order. Two recent enforcement actions show the KYC vs AML distinction in operational terms.

OKX (February 2025): a KYC failure case. OKX pleaded guilty and paid USD 504 million for operating an unlicensed money transmitting business and failing to maintain an effective AML program. The DOJ-cited evidence was a "growth at all costs" mentality where the platform onboarded millions of users without adequate KYC identity verification or sanctions screening. The failure was at the front door. The transaction monitoring layer didn't even get to fail because the identity layer never produced a clean record to monitor.

TD Bank (October 2024): an AML failure case. TD Bank paid USD 3.09 billion for systemic compliance failures and weak AML governance. The specific finding: the transaction monitoring system was outdated and failed to cover key risk areas, including a significant share of ACH transactions that simply weren't monitored at all. KYC at onboarding was not the cited issue. The program identified the customer at the door and then stopped looking.

Capital One (2025): a reporting failure case. FinCEN fined Capital One USD 390 million for failing to file more than 20,000 SARs covering USD 160 million in transactions and 50,000 CTRs covering USD 16 billion. The customer record was correct. The transactions were even visible. The reporting layer broke.

Robinhood (2025): also a reporting failure. Robinhood Securities and Robinhood Financial paid USD 45 million for failures in suspicious activity reporting and other AML compliance deficiencies.

The KYC vs AML pattern is clear. KYC failures look like "you onboarded a customer you shouldn't have." AML failures look like "you onboarded the customer correctly and then stopped watching them." The KYC vs AML wording in the consent order is the regulator telling you which layer broke.

Failure pattern (layer it lives in). What the regulator finds. Recent example.

  • Identity verification gap (KYC). Customers cleared without adequate ID, biometric, or sanctions check. OKX: USD 504M (Feb 2025).
  • Sanctions / PEP miss at onboarding (KYC). Restricted person onboarded; sanctions screen not run or not effective. OKX (cited alongside KYC).
  • Outdated transaction monitoring (AML). Significant transaction classes uncovered or rules stale. TD Bank: USD 3.09B (Oct 2024).
  • SAR/CTR filing breakdown (AML reporting). Tens of thousands of reports not filed; volumes in the billions. Capital One: USD 390M; Robinhood: USD 45M (2025).
  • Problem-gambling / behavioural-trigger miss (AML monitoring). Operator failed to identify at-risk customer fast enough. Flutter / Paddy Power: £2M (Dec 2025).
  • Combined systemic failure (KYC + AML). Both layers cited; usually the largest fines. Binance: USD 4.3B (Nov 2023); TD Bank (Oct 2024).

For the gambling-specific corollary, see our /industry/kyc-for-casino and /industry/kyc-for-igaming pages.

How does KYC feed into the AML lifecycle in the KYC vs AML model?

KYC is the data-quality input for everything downstream in the KYC vs AML lifecycle. A weak KYC layer doesn't just create an onboarding gap. It pollutes every AML control that runs after it.

The lifecycle, with KYC's role in each stage:

  1. Onboarding. KYC produces the verified identity record. Sanctions and PEP screening run for the first time. Risk tier is assigned.
  2. Account funding. Source of funds is verified for higher-risk tiers. KYC's risk-tier assignment determines what evidence is required.
  3. Steady-state activity. Transaction monitoring runs against the customer's verified profile. Behavioural baselines are derived from the KYC-assigned risk tier and stated activity.
  4. Periodic review. KYC is re-run on a schedule keyed to risk tier: annually for high-risk, less often for low-risk. Sanctions and PEP are re-screened continuously.
  5. Trigger event. A new red flag (large unexpected deposit, sanctions-list update, jurisdiction change) fires re-verification. The original KYC record is the baseline against which the change is assessed.
  6. SAR/CTR filing. When a report is filed, the customer's KYC record is what the regulator uses to identify them.

In other words: in any KYC vs AML conversation, AML is only as strong as KYC is accurate. A bank that nails its monitoring rules but onboarded the customer with a weak ID check will produce SARs against the wrong identity, a KYC vs AML failure that masquerades as a reporting problem. Read the deeper detail in the KYC onboarding process: ultimate guide.

Where do compliance teams get the KYC vs AML split right and wrong?

Two KYC vs AML failure modes show up repeatedly in the cases above and in our own conversations with compliance leads.

Pattern one: strong KYC, weak ongoing monitoring. Common at fast-growing fintechs and at banks with legacy core systems. Onboarding is well-engineered, the document checks are clean, the sanctions screening fires correctly. But the transaction monitoring layer was bolted on years ago, the rules haven't been retuned, the alerts are mostly false positives, and analysts triage them in a way that misses the structurally suspicious flows. This is the TD Bank pattern. The KYC team passes its audit. The AML team fails its own.

Pattern two: heavy AML investment, leaky KYC. Common at platforms that grew fast and patched their identity layer later. Transaction monitoring is sophisticated, the SAR pipeline is hot, the analyst team is well-staffed. But the original KYC was a basic photo upload check that let through synthetic identities, deepfaked liveness, or addresses that don't exist. The downstream monitoring is technically working but it's working on records the regulator considers unverified. This is the OKX pattern. AML can be a 9 out of 10. KYC is a 3.

Both KYC vs AML patterns end up in the same place: a regulator review that concludes the program is not effective. The fix is not "more compliance"; it's targeting the KYC vs AML layer that's actually broken. For tactical onboarding fixes, see reduce KYC onboarding drop-off and how fraudsters are beating your KYC with deepfakes.

What changed for KYC vs AML under FinCEN's April 2026 overhaul?

FinCEN's April 13, 2026 proposed overhaul is the most significant restructuring of US AML standards in over a decade. The text is in consultation, but the direction matters:

  • Layer-specific standards. The proposal moves from a single "effective AML program" requirement to layer-specific operational standards for customer identification, ongoing monitoring, and reporting. Each layer becomes separately auditable.
  • Risk-based prioritisation. Programs must explicitly demonstrate they are calibrated to the actual money-laundering risks the institution faces, with documented assessment.
  • Investment adviser inclusion. A FinCEN rule taking effect in 2026 brings registered investment advisers into the AML perimeter for the first time. The compliance lift is substantial.
  • Independent testing requirements expanded. The independent test of the program is extended in scope and frequency.

The practical upshot: compliance leads need to stop budgeting "AML" as a single line and start budgeting the full KYC vs AML stack: KYC, ongoing CDD, transaction monitoring, sanctions screening, and reporting as five auditable workstreams. For European context that follows a similar KYC vs AML trajectory, see compliance enforcement 2026: fintech takeaways.

How do you build a KYC vs AML program that covers both well?

Five KYC vs AML moves we'd push every compliance lead to make in the next 90 days, in priority order.

  1. Run a layer-by-layer KYC vs AML self-audit. Score KYC, ongoing CDD, transaction monitoring, sanctions screening, and reporting separately. Don't roll them up. The TD Bank vs OKX cases show why the KYC vs AML scoring matters.
  2. Tune the AML detection rules to your actual risk profile. Most monitoring systems run vendor-default thresholds. Calibrate them to your customer base, your product mix, and your jurisdiction. Document the calibration.
  3. Stop accepting KYC vendors that retain customer documents. The IDmerit breach and the Sumsub breach show what happens when the verification vendor itself becomes the breach surface. The architectural fix is decoupling verification from PII storage. Read the deeper argument in the identity breach epidemic 2026 analysis.
  4. Make KYC reusable across products and brands. A customer who's verified once shouldn't have to re-verify when you launch your second product or when they sign up to your sister brand. Reusable identity (KYC Passport-style) reduces drop-off and removes redundant identity records that turn into AML data-quality problems later.
  5. Treat reporting as engineering, not paperwork. The Capital One and Robinhood cases were about pipelines that broke quietly. SAR / CTR filing should be a monitored, alarmed, end-to-end engineering surface, not a manual process.

For the architectural angle, see Decentralized PII Storage, Decentralized KYC, and KYC Passport.

The bottom line on KYC vs AML

KYC vs AML is not a definitions question, and the 2025–2026 enforcement record proves it. Regulators now write consent orders that name the specific KYC vs AML layer that failed: identity verification at the door (OKX, Binance), transaction monitoring across the lifecycle (TD Bank, Flutter), or report filing at the end of the chain (Capital One, Robinhood). Compliance leads who treat the program as a single line item are building towards the wrong audit on the wrong KYC vs AML scorecard.

The teams that come out of the next regulator review intact will be the ones who scored each KYC vs AML layer separately, fixed the layer that was actually broken, and stopped letting "AML" be a word that hides where the work isn't being done. If the KYC vs AML architecture conversation belongs in your roadmap, book a 30-minute walkthrough and we'll show you how verification and the audit trail fit together end-to-end.

Edoardo Mustarelli (Sales Development Representative): fintech/Web3 strategist at Zyphe, driving sales growth and partnerships with global expertise across technology, finance, and strategy.

Frequently Asked Questions

KYC is the identity verification layer at the start of a customer relationship: ID document, biometric liveness, sanctions and PEP screening at onboarding. AML is the broader regulatory framework that includes KYC and extends to ongoing customer due diligence, transaction monitoring, sanctions screening, suspicious activity reporting, internal controls, training, and audit across the entire customer lifecycle.

Yes. Under FATF Recommendation 10 and most national AML frameworks, KYC and customer due diligence are mandated components of a complete AML program. KYC is the entry-point identity layer; AML is the continuous compliance infrastructure built on top. A program can have strong KYC and still fail its AML obligations because monitoring or reporting broke.

You produce the TD Bank pattern: well-onboarded customers whose subsequent transactions go uninspected. TD Bank paid USD 3.09 billion in October 2024 because its transaction monitoring system was outdated and failed to cover significant transaction classes. KYC at onboarding was not the cited problem; the program failed at the AML monitoring layer.

You produce the OKX pattern: a sophisticated downstream layer running against unverified or under-verified identity records. OKX paid USD 504 million in February 2025 after pleading guilty to operating without adequate KYC identity verification or sanctions screening at onboarding. The monitoring couldn’t compensate for the front-door failure.

Banks, fintechs, payment providers, money transmitters, crypto exchanges, casinos and online gambling operators, securities firms, insurance companies, real estate professionals in many jurisdictions, dealers in precious metals and stones, and now registered investment advisers in the US under FinCEN’s 2026 rule. The exact perimeter depends on jurisdiction.

The FATF Travel Rule sits at the intersection: it requires VASPs and financial institutions to share originator and beneficiary identifying information on cross-institution transfers above the threshold. Good KYC produces clean Travel Rule payloads; the AML transaction-monitoring layer uses them. FATF revised Recommendation 16 in June 2025 to explicitly include fraud and proliferation financing.

On a risk-based schedule. High-risk customers should be re-reviewed at least annually, with continuous sanctions and PEP re-screening. Standard-risk customers are typically re-reviewed every two to three years or on a trigger event (large transaction, jurisdiction change, sanctions-list update). Continuous CDD via behavioural triggers is increasingly the regulatory expectation.

In the US, individuals violating the Bank Secrecy Act can face up to USD 250,000 in fines and five years in prison, rising to USD 500,000 and ten years for compound violations. Companies face fines of USD 1 million or double the transaction amount. EU MiCA caps administrative fines at EUR 15 million or 12.5% of annual turnover for legal persons.