Cross-border payments involve moving money across jurisdictions, each with its own regulatory framework. For fintechs, payment platforms, and businesses operating globally, understanding compliance requirements isn't optional. It's the foundation that determines whether you can operate legally, maintain banking relationships, and scale without regulatory friction.
This guide provides a comprehensive overview of cross-border payment compliance, covering Know Your Customer (KYC), Know Your Business (KYB), and Anti-Money Laundering (AML) requirements across major regions. Whether you're building a cross-border payments API integration or evaluating compliance infrastructure, this resource covers what you need to know.
The Three Pillars of Payment Compliance
Before diving into regional requirements, let's establish the core compliance concepts that apply globally.
Know Your Customer (KYC)
KYC is the process of verifying the identity of individual customers before allowing them to transact. It's designed to prevent identity fraud, money laundering, and terrorist financing. Standard KYC typically includes collecting government-issued ID documents, proof of address, verifying identity against the documents provided, and screening against sanctions and watchlists.
The depth of KYC required varies by transaction type, amount, and risk level. A one-time small payment may require basic verification, while recurring high-value transfers trigger enhanced due diligence (EDD).
Know Your Business (KYB)
KYB extends identity verification to business entities. When onboarding a company as a customer or partner, you must verify the business is legitimate and identify its ownership structure. KYB typically requires business registration documents, proof of business address, identification of Ultimate Beneficial Owners (UBOs), verification of authorized signatories, and assessment of the business's nature and risk profile.
UBO identification is particularly important. Regulations typically require identifying individuals who own or control 25% or more of a business, though thresholds vary by jurisdiction.
Anti-Money Laundering (AML)
AML encompasses the policies, procedures, and controls designed to detect and prevent money laundering and terrorist financing. A robust AML program includes transaction monitoring for suspicious patterns, sanctions screening against OFAC, EU, and UN lists, Suspicious Activity Report (SAR) filing procedures, risk-based customer segmentation, and ongoing monitoring and periodic reviews.
AML requirements are set by international bodies like the Financial Action Task Force (FATF) and implemented through national legislation. The FATF's 40 Recommendations form the global standard that most jurisdictions follow.
United States Compliance Requirements
The US has one of the most complex regulatory environments for cross-border payments, with oversight from multiple federal and state agencies.
Key Regulatory Bodies
- FinCEN (Financial Crimes Enforcement Network): Primary AML regulator, administers the Bank Secrecy Act (BSA)
- OFAC (Office of Foreign Assets Control): Administers sanctions programs, maintains the SDN (Specially Designated Nationals) list
- State Regulators: Money transmitter licensing at the state level (required in most states)
- CFPB (Consumer Financial Protection Bureau): Consumer protection oversight for remittances
Core Requirements
- Money Transmitter Licenses: Required in 49 states plus DC, Puerto Rico, and US Virgin Islands (Montana is exempt)
- BSA/AML Program: Written AML policies, designated compliance officer, employee training, independent testing
- Customer Identification Program (CIP): Name, date of birth, address, and ID number for individuals
- OFAC Screening: Real-time screening against SDN list for all transactions
- SAR Filing: Reports to FinCEN for suspicious activity over $2,000 (or any amount if terrorism-related)
- CTR Filing: Currency Transaction Reports for cash transactions over $10,000
UBO Requirements
Under the Customer Due Diligence (CDD) Rule, financial institutions must identify and verify beneficial owners who own 25% or more of a legal entity, and one individual with significant control (regardless of ownership). The Corporate Transparency Act (CTA), effective 2024, requires most US companies to report beneficial ownership information directly to FinCEN.
Remittance-Specific Rules
The CFPB's Remittance Transfer Rule (Regulation E) requires pre-payment disclosures including exchange rates, fees, and total cost, 30-minute cancellation windows, error resolution procedures, and receipts with specific information elements. These rules apply to transfers over $15 to foreign countries.
European Union Compliance Requirements
The EU has harmonized AML requirements across member states through a series of Anti-Money Laundering Directives (AMLD), with the 6th Directive (6AMLD) currently in effect and AMLA (the new AML Authority) coming online.
Key Regulatory Framework
- 6AMLD (6th Anti-Money Laundering Directive): Harmonized AML requirements across EU
- PSD2 (Payment Services Directive 2): Licensing framework for payment institutions
- GDPR: Data protection requirements that intersect with KYC data handling
- EU Sanctions: Consolidated list administered by the European Commission
- National Regulators: BaFin (Germany), ACPR (France), DNB (Netherlands), etc.
Core Requirements
- Payment Institution License: Required for payment services (PI license or E-Money license)
- Customer Due Diligence: Risk-based approach with simplified, standard, and enhanced tiers
- UBO Verification: Identify owners with 25%+ ownership (some countries use lower thresholds)
- PEP Screening: Politically Exposed Persons require enhanced due diligence
- Transaction Monitoring: Risk-based monitoring with SAR reporting to national FIUs
- Record Retention: 5 years after the business relationship ends
The Travel Rule
The EU's Transfer of Funds Regulation requires that payment service providers transmit payer and payee information with transfers. For transfers over EUR 1,000, full originator and beneficiary information must accompany the payment. This applies to both traditional payments and crypto-asset transfers under MiCA.
GDPR Considerations
KYC data collection must comply with GDPR principles. This means collecting only necessary data (data minimization), having a lawful basis for processing (typically legal obligation for AML), providing privacy notices explaining data use, and implementing appropriate security measures. The intersection of AML requirements and GDPR creates tension that must be carefully managed.
United Kingdom Compliance Requirements
Post-Brexit, the UK maintains its own regulatory framework that largely mirrors EU standards but with distinct enforcement and some divergence.
Key Regulatory Bodies
- FCA (Financial Conduct Authority): Primary regulator for payment services
- NCA (National Crime Agency): Operates the UK Financial Intelligence Unit (UKFIU)
- HMRC: Tax compliance and some AML supervision for certain sectors
- HM Treasury: Administers UK sanctions regime (OFSI)
Core Requirements
- FCA Authorization: Payment Institution or E-Money Institution authorization required
- Money Laundering Regulations 2017 (as amended): Primary AML legislation
- Risk Assessment: Firm-wide and customer-level risk assessments required
- Enhanced Due Diligence: Required for high-risk situations (PEPs, high-risk countries, complex structures)
- SAR Reporting: To NCA via the SAR Online system
- Sanctions Screening: Against UK sanctions list (OFSI) plus UN and other relevant lists
UK-Specific Considerations
The UK has implemented the Economic Crime and Corporate Transparency Act 2023, which strengthens corporate transparency requirements and expands the failure to prevent fraud offense. Companies House reforms require identity verification for directors and beneficial owners.
The UK also maintains its own sanctions regime separate from the EU, which has diverged post-Brexit. Payment providers must screen against the UK sanctions list and understand how UK sanctions interact with those of the other jurisdictions where they operate.
Latin America Compliance Requirements
LATAM presents a diverse regulatory landscape. Key markets have developed sophisticated AML frameworks, while others are still maturing.
Mexico
- Regulator: CNBV (banking), CONDUSEF (consumer protection)
- AML Law: Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (LFPIORPI)
- Key Requirements: Registration with SAT (tax authority), UBO identification for transactions over certain thresholds, suspicious activity reporting to the FIU (UIF)
- Fintech Law: Ley Fintech requires licensing for payment institutions and crypto platforms
- Currency Controls: Some restrictions on USD transactions; SPEI operates in MXN
Brazil
- Regulator: Central Bank of Brazil (BCB), CVM (securities)
- AML Framework: Law 9.613/1998 (Money Laundering Law), BCB Circular 3.978/2020
- Key Requirements: Registration with BCB for payment institutions, CPF/CNPJ verification for all customers, suspicious activity reporting to COAF (FIU)
- PIX Requirements: Instant payment system has specific compliance rules for participants
- Foreign Exchange: BCB regulates all FX transactions; registration required for cross-border payments
Colombia
- Regulator: Superintendencia Financiera de Colombia (SFC)
- AML Framework: SARLAFT (Risk Management System for Money Laundering and Terrorist Financing)
- Key Requirements: Risk-based customer classification, enhanced due diligence for high-risk customers, reporting to UIAF (FIU)
- Fintech Sandbox: Regulatory sandbox available for testing innovative payment services
Argentina
- Regulator: BCRA (Central Bank), CNV (securities), UIF (FIU)
- AML Framework: Law 25.246 and UIF resolutions
- Key Requirements: Customer identification with DNI/CUIT, transaction monitoring and reporting to UIF
- Currency Controls: Strict foreign exchange controls (cepo cambiario); complex rules for USD transactions
- Note: Currency controls significantly impact cross-border payment flows; work with local experts
Asia-Pacific Compliance Requirements
APAC is highly diverse, with mature frameworks in Singapore and Australia, rapidly evolving regulations in India and Southeast Asia, and unique challenges in markets like China.
Singapore
- Regulator: Monetary Authority of Singapore (MAS)
- AML Framework: Payment Services Act (PSA) 2019, MAS Notice PSN01/PSN02
- Licensing: Major Payment Institution (MPI) or Standard Payment Institution (SPI) license
- Key Requirements: Risk-based CDD, enhanced measures for higher-risk customers, STR filing to STRO (Suspicious Transaction Reporting Office)
- Travel Rule: Singapore has implemented FATF Travel Rule requirements for crypto and traditional payments
Australia
- Regulator: AUSTRAC (AML/CTF), ASIC (financial services)
- AML Framework: Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- Registration: Remittance service providers must register with AUSTRAC
- Key Requirements: Customer identification (100-point ID check), transaction monitoring, SMR (Suspicious Matter Reports) to AUSTRAC
- Threshold Reporting: IFTI (International Funds Transfer Instructions) must be reported for all cross-border transfers
India
- Regulator: RBI (Reserve Bank of India), FIU-IND
- AML Framework: Prevention of Money Laundering Act (PMLA) 2002
- Licensing: RBI authorization required for payment system operators
- Key Requirements: KYC with PAN/Aadhaar verification, transaction limits for different KYC tiers (full KYC vs. minimum KYC)
- Cross-Border: FEMA (Foreign Exchange Management Act) governs all cross-border transactions; strict documentation requirements
- UPI: Unified Payments Interface has specific compliance requirements for participants
Philippines
- Regulator: Bangko Sentral ng Pilipinas (BSP), AMLC (Anti-Money Laundering Council)
- AML Framework: Anti-Money Laundering Act (AMLA) as amended by RA 11521
- Licensing: BSP registration for money service businesses and electronic money issuers
- Key Requirements: Customer identification with government ID, transaction monitoring, STR filing to AMLC
- Remittance Market: Major remittance destination; specific rules for inbound transfers
Sanctions Compliance: A Global Requirement
Sanctions compliance deserves special attention because it applies globally and violations carry severe penalties, including criminal liability.
Key Sanctions Lists
- OFAC SDN List (US): Specially Designated Nationals and Blocked Persons
- OFAC Consolidated Sanctions List: Includes sectoral sanctions, non-SDN lists
- EU Consolidated List: Sanctions imposed by the European Union
- UK Sanctions List (OFSI): UK's autonomous sanctions regime
- UN Security Council Consolidated List: Global sanctions for terrorism, proliferation
- National Lists: Many countries maintain additional national sanctions lists
Screening Requirements
Effective sanctions screening requires real-time screening of all parties to a transaction (originator, beneficiary, intermediaries), fuzzy matching to catch name variations and transliterations, screening against multiple lists based on jurisdictional exposure, documented escalation procedures for potential matches, and regular list updates (OFAC updates frequently, sometimes daily).
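The screening requirements above can be sketched in code. This is an added example, not Routefusion's implementation: it screens every party to a transaction with fuzzy matching against the lists selected by jurisdictional exposure, and holds any potential match for review. The watchlist names are constructed and fictional, and the exposure-to-list mapping and the 0.85 threshold are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional entries; real lists come from the issuing authorities.
WATCHLISTS = {
    "OFAC_SDN": ["Ivan Petrovich Sokolov", "Blue Harbor Trading LLC"],
    "EU": ["Jürgen Maier-Schmidt"],
    "UK_OFSI": ["Mohammed Al-Rashidi"],
    "UN": ["Blue Harbor Trading LLC"],
}
# Assumed mapping from jurisdictional exposure to the lists that must be screened.
LISTS_BY_EXPOSURE = {
    "US": ["OFAC_SDN", "UN"],
    "EU": ["EU", "UN"],
    "UK": ["UK_OFSI", "UN"],
}


def normalize(name):
    """Fold case and diacritics, drop punctuation, and sort tokens so that
    'SOKOLOV, Ivan' and 'Ivan Sokolov' compare as the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))


def similarity(a, b):
    """Character-level similarity in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen_party(name, exposures, threshold=0.85):
    """Return (list, entry, score) for every entry at or above the threshold.
    The threshold is an illustrative assumption and needs tuning on real data."""
    lists = sorted({l for e in exposures for l in LISTS_BY_EXPOSURE[e]})
    hits = []
    for list_name in lists:
        for entry in WATCHLISTS[list_name]:
            score = similarity(name, entry)
            if score >= threshold:
                hits.append((list_name, entry, round(score, 2)))
    return hits


def screen_transaction(parties, exposures, threshold=0.85):
    """parties maps role -> name (originator, beneficiary, intermediaries).
    Any potential match holds the payment for documented escalation."""
    hits = {}
    for role, name in parties.items():
        found = screen_party(name, exposures, threshold)
        if found:
            hits[role] = found
    return ("HOLD_FOR_REVIEW" if hits else "CLEAR"), hits


if __name__ == "__main__":
    payment = {  # constructed sample transaction
        "originator": "Acme Widgets GmbH",
        "beneficiary": "SOKOLOV, Ivan Petrovic",
        "intermediary": "Blue Harbour Trading LLC",
    }
    print(screen_transaction(payment, ["US"]))
```

An exact string comparison would pass both the reordered, transliterated beneficiary name and the respelled intermediary, and a name that appears only on the EU list is missed entirely when the exposure set is just "US".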
Secondary sanctions are particularly important for non-US companies. US sanctions can apply extraterritorially, meaning non-US companies dealing in USD or with US nexus can face OFAC enforcement.
Building a Compliance Program
Understanding requirements is one thing. Building a compliance program that satisfies regulators while enabling business growth is another.
Essential Components
- Written Policies and Procedures: Documented AML/KYC policies tailored to your business model and risk profile
- Designated Compliance Officer: Individual with appropriate authority and expertise
- Risk Assessment: Enterprise-wide assessment of ML/TF risks, updated annually
- Customer Risk Scoring: Risk-based approach to CDD intensity
- Transaction Monitoring: Rules-based and/or machine learning systems to detect suspicious patterns
- Sanctions Screening: Real-time screening integrated into payment flows
- SAR/STR Filing Procedures: Clear escalation and filing workflows
- Training: Regular compliance training for all relevant staff
- Independent Testing: Annual audit of AML program effectiveness
- Record Retention: Systems to maintain required records for mandated periods (typically 5-7 years)
Technology Considerations
Modern compliance programs rely heavily on technology. Key capabilities include automated identity verification and document checking, real-time sanctions screening APIs, transaction monitoring with configurable rules, case management for investigations, regulatory reporting automation, and audit trail and record-keeping systems.
When evaluating whether to build or buy compliance infrastructure, consider that regulations change frequently and maintaining compliance systems requires dedicated resources. Many fintechs choose to partner with payment infrastructure providers that offer built-in compliance capabilities.
How Routefusion Handles Compliance
Routefusion's cross-border payment infrastructure includes compliance capabilities designed to reduce the burden on our customers while maintaining regulatory standards.
- Built-in KYC/KYB: Identity verification and business onboarding workflows
- Real-time Sanctions Screening: OFAC, EU, UK, UN, and other relevant lists
- Transaction Monitoring: Risk-based monitoring across all payment flows
- Regulatory Reporting Support: Data and documentation for SAR/STR filing
- Multi-jurisdictional Coverage: Compliance infrastructure spanning 185+ countries
- SOC 2 Certified: Independent verification of security and compliance controls
- Ongoing Updates: Compliance rules updated as regulations evolve
Our approach allows customers to leverage our compliance infrastructure while maintaining their own oversight and controls. This is particularly valuable for fintechs that want to move fast without building compliance systems from scratch.
Frequently Asked Questions
What is the difference between KYC and KYB?
KYC (Know Your Customer) applies to individual customers and focuses on verifying personal identity. KYB (Know Your Business) applies to business entities and includes verifying the company's legal existence, identifying Ultimate Beneficial Owners (UBOs), and understanding the business's activities and risk profile.
What triggers enhanced due diligence (EDD)?
EDD is typically required for Politically Exposed Persons (PEPs) and their associates, customers from high-risk countries (FATF grey/black list), complex ownership structures where UBOs are difficult to identify, unusually large or frequent transactions, and any situation where ML/TF risk is elevated based on your risk assessment.
How often should sanctions lists be updated?
Sanctions lists should be updated as frequently as possible. OFAC updates its lists frequently, sometimes multiple times per week. Best practice is to use a sanctions screening provider that maintains real-time or near-real-time list updates and to re-screen existing customers periodically.
What are the penalties for AML violations?
Penalties vary by jurisdiction but can include substantial fines (often millions of dollars), loss of licenses, personal liability for compliance officers, criminal prosecution in severe cases, and reputational damage. Recent enforcement actions have resulted in fines exceeding $1 billion for major institutions.
Do I need separate licenses for each country?
Generally, yes. Payment services typically require licensing in each jurisdiction where you operate. However, some regions offer passporting (EU) or regional frameworks that simplify multi-country operations. Working with a licensed payment infrastructure provider like Routefusion allows you to access multiple markets through a single integration while the provider maintains the necessary licenses.
How does compliance differ for B2B versus B2C payments?
B2B payments involve KYB (business verification) rather than just KYC, require UBO identification, and may trigger different transaction monitoring rules. B2B transactions are often larger and less frequent, which affects risk scoring. Consumer protection regulations (like the CFPB Remittance Rule) typically apply only to B2C transfers.
Conclusion
Cross-border payment compliance is complex, but it's manageable with the right approach. The key steps are understanding that compliance requirements vary by jurisdiction and keeping up with regulatory changes in your operating markets; building risk-based systems that apply appropriate scrutiny without creating unnecessary friction; investing in technology that automates compliance checks while maintaining audit trails; and considering partnerships that leverage existing compliance infrastructure.
Compliance shouldn't be viewed as a barrier to growth. Companies that build strong compliance foundations early find it easier to expand into new markets, maintain banking relationships, and build trust with customers and partners.
For more on avoiding common compliance pitfalls when scaling internationally, see our guide on common mistakes when scaling cross-border payments. And for a deeper look at the compliance landscape for contractor payments specifically, check out our compliance guide for global contractor payments.
Ready to simplify your cross-border payment compliance? Let's discuss how Routefusion's infrastructure can help you navigate regulatory requirements while scaling globally.