
What Is AML Screening and Why It Matters for Fintechs

Jun 2026 · 11 min read

UNODC puts annual global money laundering at $800 billion to $2 trillion — 2-5% of GDP — moved through correspondent accounts, shell companies, crypto rails, real estate, and the long tail of cash-intensive businesses that exist partly for this purpose. Most of it gets through. Detection and seizure rates have hovered near 1% for the last decade. One percent. That's the worst-performing enforcement metric in modern finance.

The rest gets through — and a growing share of it flows through fintechs.

AML screening sits at the front line of stopping that flow. Get it right and a fintech scales without inheriting financial crime exposure it can't see. Get it wrong? Global AML fines hit $10.4 billion in 2024, and even with enforcement easing to $3.8 billion across 2025, the average FinCEN penalty still ran $12.7 million. Real money. Real reputational damage that lingers long after the press release.

Here's what AML screening actually means, why fintechs feel the squeeze more than traditional banks, and what a credible program looks like in practice.

Screening, Defined

AML screening is the process of checking customers, transactions, and counterparties against lists of people, entities, and jurisdictions tied to money laundering, terrorist financing, sanctions exposure, and a widening category of related financial crime risk that regulators now treat as compulsory ground to cover. Sounds simple. Execution is anything but.

Bank Secrecy Act sets the US foundation. Under BSA, regulated institutions — including money services businesses, payment platforms, lenders, and most fintechs touching customer funds — must run an AML program built on five pillars: a designated compliance officer, written policies, training, independent testing, and risk-based customer due diligence. Screening is the operational engine.

What does the system actually do under the hood? Inside the few hundred milliseconds between a customer hitting submit and an approval screen rendering, the screening engine runs sanctions clearance first — that's the strict-liability gate. Game over if it fails. Once sanctions clears, PEP exposure gets scored against whatever risk model the institution licenses, which is where geography and role weightings start mattering more than the raw match itself. Watchlist matching is the last layer — adverse media, internal blocklists, regulatory enforcement records, the occasional law enforcement file — and the quality of the matching logic determines whether those alerts produce useful signal or just operational drag.

Miss the wrong hit and a fintech ends up explaining itself to a regulator. Flag too many false alerts and onboarding collapses under the operational drag of an analyst queue that grows faster than the team can clear it, which is roughly what every compliance leader at a scaling fintech eventually inherits. Both failure modes cost real money. Trick? Calibrating between them.

The Three Lists That Matter

Most AML programs run on three distinct screening types — sanctions, PEP, and watchlist — and each one solves a different problem in the broader effort to keep an institution out of regulatory crosshairs while still letting legitimate customers through the door. Each list, different risk.

Sanctions screening

Sanctions screening checks customers against government-maintained lists of restricted individuals, entities, and jurisdictions. US Treasury's OFAC publishes the Specially Designated Nationals list and pushes updates three to four times per week — unpredictably, with no fixed schedule, often without warning, sometimes piling several designations into a single release that compliance teams have hours to absorb. EU, UK, UN, dozens more. A cross-border fintech can easily land screening obligations against 30+ active sanctions regimes simultaneously.

Sanctions hits are non-negotiable. Process a payment for a sanctioned party and the institution owns the consequence — strict liability across most jurisdictions, with no negligence standard available as a defense and no good-faith carveout for vendor mistakes. The screening vendor missing an overnight list update doesn't excuse it. Neither does a misspelled alias the matching engine wasn't tuned to catch, or a developer push that quietly degraded match sensitivity for a week before anyone on the compliance side noticed. Exposure attached the second the transaction settled.

Operationally? List data has to be current within hours, not days. Stale sanctions data shows up in published enforcement findings often enough to count as a pattern, and the reason regulators flag it consistently is that the gap between a fresh designation and the fintech's screening list catching up is exactly where the actual risk hides. Stale equals exposure.

PEP screening

Politically exposed persons are individuals who hold or have held prominent public positions, along with their immediate family members and close associates who often inherit influence by proxy. PEPs aren't banned. But the statistical risk of involvement in bribery, corruption, or misappropriation of public funds runs meaningfully higher than the general population, which is why every credible AML framework requires enhanced due diligence rather than a simple yes-or-no decision at onboarding.

PEP screening needs nuance more than any other type. Context matters. Think about the gap between a retired municipal councillor in Switzerland and a sitting cabinet minister in a country where public-sector graft is the default operating mode. Same PEP flag on paper. Wildly different risk exposure. A system that treats those two cases identically either generates so much noise around the councillor that analysts stop reading the alerts, or — worse — under-weights the cabinet minister because the queue volume from low-risk PEPs has quietly trained the team to clear matches fast. Leading PEP databases now use proprietary scoring that accounts for geography, role, relationships, and exposure category. Done well, that scoring cuts PEP false positives by 50% or more.

Watchlist screening

Watchlist screening covers everything else. Adverse media mentions of a customer in negative news contexts, law enforcement most-wanted databases, regulatory enforcement records, the institution's own internal blocklists that capture customers who've already burned the institution once. This is where risk appetite shows up most directly, because every choice about which lists to load and how to match against them is an implicit policy decision about what the institution considers worth catching.

Different fintechs build different stacks. Crypto-focused platforms pull on-chain risk data feeds, consumer lenders layer in bankruptcy and litigation records, and B2B payments platforms add chargeback and supplier-fraud lists — each pick is a function of the threat model that fintech sits inside. No universal watchlist exists. Calibration job is choosing which lists, with which matching logic, against which risk policy.

Most fintechs go wrong here. Either watchlists get skipped entirely — gap risk — or they get stacked on with weak matching logic, generating an alert flood that buries the actual signal under so much noise that analysts stop trusting the queue. Either path ends badly.

Why Fintechs Feel This More Than Banks

Fintechs sit on a structural tension that traditional banks don't carry the same way. Growth depends on frictionless onboarding — customers expect a payments account or a virtual card in minutes, not weeks, and they'll abandon to a competitor inside a single onboarding flow if the friction feels arbitrary or excessive. Speed runs head-on into the careful identity verification, enhanced due diligence, and ongoing monitoring that AML regulations actually demand. Two competing imperatives. No clean answer.

Regulators have noticed.

UK challenger Monzo absorbed a £21.1 million penalty for AML controls that didn't scale with customer growth. Starling Bank? £28.96 million, for financial crime prevention failures. Germany's BaFin restricted N26's customer growth before landing a €4.25 million fine for AML monitoring gaps that piled up while the company sprinted toward European market share. Stateside, sponsor banks supporting fintech partnerships — Piermont, Sutton, Thread, Evolve, Lineage — have collected enforcement actions tied specifically to AML failures that surfaced inside those bank-fintech relationships once regulators started looking closely.

Pattern repeats. Speed-first onboarding without proportionate screening produces compounding risk that stays quiet until a regulator finds it, usually about a year and a half after the failure mode was already obvious to anyone watching the alert backlog grow. Quiet until it isn't.

Crypto-native fintechs catch a sharper version of the same problem. OKX alone paid $504 million to the DOJ in February 2025 — half a billion in a single penalty — for failure to maintain an effective AML program over a sustained period the regulator documented in painful detail. Across H1 2025, crypto firms collectively paid over $927 million in AML penalties globally. AML fintech enforcement is not slowing down.

The False Positive Tax

Here's the part most vendors don't put on the marketing page. Roughly 90-95% of AML alerts are false positives — meaning the system flagged the customer or transaction, an analyst spent time investigating, and the result was nothing worth acting on, which is the dominant outcome of nearly every AML screening operation at meaningful scale. A large institution processing millions of transactions daily generates around 950 false alerts per million transactions. Each one eats 30 minutes. Roughly.

That adds up. Industry-wide, false positive investigation costs land near $3 billion annually, which is real money spent on confirming that the system was wrong about something it never should have flagged in the first place.

For a fintech, the damage isn't just analyst hours. The friction shows up in unglamorous places. A legitimate payout sits frozen in review for two days because someone with a vaguely similar name surfaced on a watchlist that nobody internally has audited in months. The small-business owner who needed that money to make payroll is now calling support. Twice. By the time the alert finally clears, the customer has already started shopping around for alternatives. Hidden cost is brand.

So why don't fintechs just raise the matching threshold and kill the noise? Because the moment a real hit slips through and a sanctioned party processes a payment, every false-positive saved becomes evidence in an enforcement filing about a program tuned for operational convenience instead of regulatory expectation. That trade kills careers.

Way out isn't weaker matching. It's smarter matching. Configurable fuzzy logic tuned to actual risk appetite, automated clearance rules that resolve obvious non-hits without analyst review, and PEP scoring that contextualizes risk against geography and role rather than returning a binary yes-or-no result. Well-tuned clearance rules can resolve up to 90% of alerts automatically — which is exactly what separates programs that scale cleanly from programs that drown inside their own alert queue inside eighteen months.
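The layering described above (sanctions as a strict gate, PEP scored by role and geography, clearance rules resolving obvious non-hits) as a toy screening pass. This is an added example, not code from the article or any vendor; the list entries, the DOB-mismatch clearance rule, the weights and the thresholds are constructed assumptions, and name similarity uses the standard library's SequenceMatcher rather than a production fuzzy-matching engine.

```python
# Added example: one screening pass in the order the article describes.
# Lists, weights and thresholds are constructed for illustration only.
from difflib import SequenceMatcher
import re, unicodedata

def normalize(name):
    """Strip accents, punctuation, case and token order: 'Müller, J.' ~ 'j muller'."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.sub(r"[^a-z ]", " ", name.lower()).split()))

def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

# Constructed sample lists; a real program loads OFAC/EU/UK data and a PEP feed.
SANCTIONS = [{"name": "Ivan Petrov", "dob": "1970-03-01"}]
PEPS = [{"name": "Anna Schmidt", "role": "cabinet_minister", "country": "XX", "dob": "1965-05-20"},
        {"name": "Jonas Meier", "role": "municipal_councillor", "country": "CH", "dob": "1950-01-10"}]
ROLE_WEIGHT = {"cabinet_minister": 0.9, "municipal_councillor": 0.2}
COUNTRY_WEIGHT = {"XX": 0.9, "CH": 0.2}  # "XX" is a constructed high-risk country code

def clearance_rule_clears(customer, entry):
    """Assumed policy: auto-clear when a hard identifier (here DOB) contradicts the match."""
    return bool(customer.get("dob") and entry.get("dob") and customer["dob"] != entry["dob"])

def screen(customer, sanctions_threshold=0.85, pep_threshold=0.85):
    name = customer["name"]
    # 1. Sanctions: strict-liability gate. A close match that no clearance rule
    #    contradicts blocks outright; nothing downstream runs.
    for e in SANCTIONS:
        if similarity(name, e["name"]) >= sanctions_threshold and not clearance_rule_clears(customer, e):
            return {"decision": "BLOCK", "reason": "sanctions", "match": e["name"]}
    # 2. PEP: not a ban. Weight the match by role and geography so a sitting
    #    minister and a retired councillor do not land in the same queue.
    best = None
    for e in PEPS:
        s = similarity(name, e["name"])
        if s >= pep_threshold and not clearance_rule_clears(customer, e):
            risk = round(s * (ROLE_WEIGHT[e["role"]] + COUNTRY_WEIGHT[e["country"]]) / 2, 2)
            if best is None or risk > best["risk"]:
                best = {"match": e["name"], "risk": risk}
    if best and best["risk"] >= 0.5:
        return {"decision": "EDD", "reason": "pep", **best}   # enhanced due diligence
    if best:
        return {"decision": "APPROVE", "reason": "low-risk pep", **best}
    return {"decision": "APPROVE", "reason": "no hit"}
```

Watchlist matching would slot in as a third loop after the PEP stage, using the same similarity and clearance plumbing against whatever lists the institution's risk policy loads.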

What Good Looks Like

A credible AML program treats screening as a continuous capability — not a one-time gate at onboarding. New customer signs up? Full sanctions, PEP, and watchlist run before the relationship goes live. A material change to customer information — new address, updated beneficial owner, shifting transaction profile — should trigger a rescreen against the same lists with the updated data, because what was clean six months ago may not be clean now. List update from OFAC or a PEP provider? Batch rescreen the full customer base against the delta inside hours rather than days, because that gap is exactly where real exposure tends to surface.

Data quality is the foundation. Sanctions data should come from primary government sources refreshed near real-time, while PEP and adverse media data needs proprietary scoring depth rather than blunt name matching, and watchlist sources need to be configurable to the institution's specific risk profile because generic stacks just generate generic noise that nobody trusts. Good data in, useful alerts out.

Operating model carries equal weight. A compliance team that can tune matching thresholds, author clearance rules, and resolve genuine hits within service-level expectations is what makes screening work at scale — and that team doesn't appear on the org chart by accident. Without that team, even the best data stack delivers an unmanageable queue. Tools don't run themselves.

Annual AML program costs for a mid-stage fintech run between $200,000 and $500,000. Not nothing. But it's a rounding error next to a single enforcement action — and most published enforcement actions against fintechs and the banks supporting them land somewhere in the seven or eight figures, which is the math that tends to focus a board's attention faster than any compliance presentation can.

What Should Actually Worry Compliance Leaders

Three numbers worth holding onto from the past eighteen months: £21.1 million (Monzo), £28.96 million (Starling), and $504 million (OKX, in a single February settlement). Different jurisdictions, different growth stages, different business models — and yet regulators landed on roughly the same finding each time, almost word for word. Screening systems that worked fine at small scale broke quietly as the customer base multiplied past what the original controls were ever designed to handle, and nobody inside the company caught the failure mode early enough to fix it on their own terms. Same story, every time.

That's the part that should keep fintech compliance leaders awake at night — not the worst-case scenario that lands on the front page of the FT, but the slow drift that nobody notices internally because each individual concession to operational pressure feels small and reasonable in the moment it's made. Slow drift. Quiet, then catastrophic.

So what actually fixes this? Vendor pitches don't. The annual independent audit doesn't either — by the time an auditor finds the drift, the drift has already happened for months, and the only remaining variable is whether a regulator finds it first or the institution does. Continuous instrumentation of the screening program itself is what works. Match rates, false-positive ratios, average clearance time, list freshness lag, percentage of alerts auto-resolved versus analyst-touched — measured weekly, reviewed monthly, treated as production telemetry rather than compliance reporting that gets read once a quarter and filed. Fintechs growing fastest without picking up enforcement scars run AML screening the way an SRE team runs an uptime dashboard. Same instinct for what the leading indicator looks like before something breaks. Anyone running screening without that instrumentation is flying blind. Blind programs eventually find a regulator. Just a matter of which quarter.
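The instrumentation this section calls for, computed over a constructed alert log. This is an added example, not part of the article: the alert records, the list-provenance timestamps and the drift thresholds are assumptions chosen to show how the leading indicators (false-positive ratio, auto-resolved share, analyst clearance time, list freshness lag) are derived and checked.

```python
# Added example: weekly screening telemetry from a constructed alert log.
# Records and thresholds are illustrative, not regulatory values.
from datetime import datetime
from statistics import mean

# Constructed alert records: (opened, closed, resolved_by, outcome)
ALERTS = [
    (datetime(2025, 6, 2, 9, 0),  datetime(2025, 6, 2, 9, 0),  "auto",    "false_positive"),
    (datetime(2025, 6, 2, 9, 5),  datetime(2025, 6, 2, 9, 40), "analyst", "false_positive"),
    (datetime(2025, 6, 3, 11, 0), datetime(2025, 6, 5, 11, 0), "analyst", "true_hit"),
    (datetime(2025, 6, 4, 8, 0),  datetime(2025, 6, 4, 8, 0),  "auto",    "false_positive"),
]
# Constructed provenance: when the list was published vs when the engine loaded it.
LIST_STATUS = {"ofac_sdn": {"published": datetime(2025, 6, 5, 16, 0),
                            "loaded":    datetime(2025, 6, 6, 19, 0)}}

def telemetry(alerts, list_status):
    total = len(alerts)
    fp = sum(1 for a in alerts if a[3] == "false_positive")
    auto = sum(1 for a in alerts if a[2] == "auto")
    analyst_hours = [(a[1] - a[0]).total_seconds() / 3600 for a in alerts if a[2] == "analyst"]
    freshness = {k: round((v["loaded"] - v["published"]).total_seconds() / 3600, 1)
                 for k, v in list_status.items()}
    return {
        "false_positive_ratio": round(fp / total, 3) if total else 0.0,
        "auto_resolved_share": round(auto / total, 3) if total else 0.0,
        "mean_analyst_clearance_hours": round(mean(analyst_hours), 2) if analyst_hours else 0.0,
        "list_freshness_lag_hours": freshness,
    }

def drift_warnings(metrics, max_lag_hours=24, min_auto_share=0.5, max_fp_ratio=0.95):
    """Leading indicators, alerted on like an uptime dashboard (thresholds assumed)."""
    warns = []
    if metrics["false_positive_ratio"] > max_fp_ratio:
        warns.append("fp ratio above target")
    if metrics["auto_resolved_share"] < min_auto_share:
        warns.append("auto-clearance below target")
    for name, lag in metrics["list_freshness_lag_hours"].items():
        if lag > max_lag_hours:
            warns.append(f"{name} loaded {lag}h after publication")
    return warns
```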

References

  1. United Nations Office on Drugs and Crime (UNODC), "Money Laundering Overview" — unodc.org/unodc/en/money-laundering/overview.html
  2. US Treasury, Office of Foreign Assets Control (OFAC), Sanctions List Updates and SDN Archive (2024–2025) — ofac.treasury.gov
  3. Financial Crimes Enforcement Network (FinCEN), Enforcement Actions Database (2024–2025) — fincen.gov
  4. US Department of Justice, OKX Plea Agreement, Failure to Maintain an Effective AML Program (February 2025) — justice.gov
  5. UK Financial Conduct Authority, Monzo Bank Final Notice — AML Controls Failure (2025) — fca.org.uk
  6. UK Financial Conduct Authority, Starling Bank Final Notice — Financial Crime Prevention Failures (2024) — fca.org.uk
  7. BaFin (Federal Financial Supervisory Authority, Germany), N26 Enforcement Action — AML Monitoring Deficiencies — bafin.de
  8. FFIEC BSA/AML Examination Manual — bsaaml.ffiec.gov
  9. Bank Secrecy Act, US Code Title 31 — fincen.gov/resources/statutes-and-regulations/bank-secrecy-act