EST. 2012 CODEGO GROUP LTD · MALTA BANKING AS A SERVICE EU IBAN · 6 COUNTRIES SEPA · SEPA INSTANT · SWIFT PCI DSS CERTIFIED 2025 API FIRST · WEBHOOKS 79 COUNTRIES DEPOSITS MULTI-CURRENCY · EUR · GBP · USD $1.1BN PROCESSED 2025
```html
Codego · Glossary · est. 2012 Reference · Vol. XII · Issue 04/2026 ● 12 countries · Malta HQ

AML Screening.
Watchlists, PEPs & sanctions
The compliance layer every payment touches.

Anti-money-laundering (AML) screening is the systematic process of checking customers, beneficial owners, counterparties and transactions against sanctions lists, politically-exposed-person (PEP) registers, watchlists and adverse-media databases. It is a core obligation under the Financial Action Task Force (FATF) Recommendations, the EU's successive Anti-Money Laundering Directives, the US Bank Secrecy Act and the UK Money Laundering Regulations 2017. This article covers every component of the screening lifecycle, the regulatory framework that mandates it, the principal data providers, and how modern fintechs integrate AML screening at scale without paralysing operations with false positives.

01
Definition

AML screening is a subset of the broader Know Your Customer (KYC) and Customer Due Diligence (CDD) framework. It refers specifically to the automated or manual comparison of an entity's identifying attributes — full legal name, date of birth, nationality, registered address, tax identification number and, where relevant, corporate structure — against one or more structured reference datasets. A positive result (a "hit" or "alert") indicates that the entity may appear on a list that requires escalated due diligence, a transaction hold, or outright refusal of service.

The term "screening" is deliberately distinct from "monitoring." Screening is a point-in-time or event-driven check of identity against static or periodically refreshed reference data. Transaction monitoring, by contrast, is the ongoing behavioural analysis of payment flows against typology-based rules or machine-learning models. Both are mandatory obligations, but they address different risk vectors: screening asks who is this person or entity, while monitoring asks what are they doing with money.

The four canonical screening categories are: (1) Sanctions — designations issued by OFAC (SDN list), the UN Security Council, HM Treasury's Office of Financial Sanctions Implementation (OFSI), the EU Consolidated List and others; (2) PEP registers — individuals who hold or have held prominent public functions, as defined in Article 3(9) of the EU's Fourth Anti-Money Laundering Directive (4AMLD, 2015/849/EU) and its successors through 6AMLD; (3) Adverse media — credible negative news linking a subject to financial crime, bribery, corruption, narcotics or terrorism; (4) Internal blacklists — proprietary risk registers maintained by the obliged entity itself, populated by previous enforcement actions, fraud patterns or correspondent-bank exclusions.

FATF Recommendation 10 mandates CDD for all customers, whilst Recommendations 12 and 13 impose enhanced due diligence (EDD) on PEPs and correspondent relationships respectively. The EU's 2024 AML Package — comprising the new AML Regulation (AMLR), the recast AMLD6 and the establishment of AMLA (the EU Anti-Money Laundering Authority) — further harmonises screening obligations across member states, removing the uneven transposition that characterised earlier directives. In the United States, the AML Act of 2020 and the Corporate Transparency Act of 2021 extended screening requirements to beneficial ownership registers for the first time. The UK's Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692), as amended, remain the operative domestic framework post-Brexit.

02
How it works

AML screening operates across three distinct lifecycle stages, each with its own data requirements, latency tolerances and escalation paths.

Onboarding screening is the initial check performed before a customer relationship is established or a product is activated. At this stage the obliged entity collects identity documents, resolves the legal name to a standardised form (handling transliteration from non-Latin scripts, name order conventions and known aliases), and submits the resolved identity to a screening engine. The engine applies fuzzy-matching algorithms — typically Jaro-Winkler, Levenshtein distance or proprietary neural approaches — to compare the input against every record in the reference datasets. A configurable match-score threshold determines whether a result is a confirmed hit, a potential match requiring analyst review, or a clear. Onboarding screening is synchronous in most implementations: the customer journey is gated until the check resolves. Speed is therefore critical; enterprise-grade APIs from providers such as Refinitiv World-Check, Dow Jones Risk & Compliance, ComplyAdvantage and LexisNexis Bridger XG typically return results within 300–800 milliseconds.

Ongoing (periodic) screening re-checks the existing customer book against updated reference lists at defined intervals — commonly daily for high-risk customers and monthly or quarterly for standard-risk relationships. This reflects the fact that sanctions designations can be issued without notice (OFAC can publish a new SDN addition within hours of a geopolitical event), and PEP status changes when an individual assumes or vacates public office. Periodic screening is typically asynchronous and batch-processed overnight, with alerts queued for analyst review the following business day.

Transaction-level screening applies at the point of payment instruction, checking the originator, beneficiary, and — in wire transfers — all intermediary institutions against the sanctions lists mandated by EU Regulation 2015/847 (the Funds Transfer Regulation, now replaced by EU 2023/1113 for data-rich payment messages). This is the most latency-sensitive context: SEPA Instant Credit Transfers, for example, must settle within ten seconds, leaving a narrow window of roughly two to four seconds for the payment service provider to complete screening before accepting or rejecting the instruction. High-throughput environments therefore require horizontally scaled, in-memory screening engines capable of processing tens of thousands of transactions per second.

False-positive management is the operational challenge that dominates AML screening programmes. Industry studies consistently find false-positive rates of 95–99% in raw alert volumes — meaning the vast majority of alerts represent legitimate customers whose names resemble listed entities. Institutions manage this through tuning (adjusting match thresholds, adding date-of-birth disambiguation, whitelisting previously cleared records), analyst workflows (tiered review with clear escalation paths), and machine-learning models trained on historical dispositions. The risk of over-tuning is itself a regulatory concern: supervisors expect documented rationale for any threshold that results in potential matches being suppressed without human review.

03
Regulatory framework

European Union. The primary legislative instruments are AMLD4 (2015/849/EU) and AMLD5 (2018/843/EU), transposed into national law across member states, and — from 2025 onwards — the directly applicable AMLR and AMLD6. The new AMLA, headquartered in Frankfurt and operational from 2025, will assume direct supervisory authority over the highest-risk obliged entities and issue binding technical standards on screening methodology. EU Regulation 2023/1113 on information accompanying transfers of funds extends mandatory originator and beneficiary data requirements to crypto-asset transfers (implementing the FATF "Travel Rule"), creating a new transaction-screening obligation for crypto-asset service providers (CASPs).

United States. The Bank Secrecy Act (31 U.S.C. §§ 5311–5336), implemented through FinCEN regulations (31 C.F.R. Chapter X), requires financial institutions to establish AML programmes with screening components. OFAC administers the SDN list and imposes strict-liability civil penalties for violations — there is no knowledge requirement, which makes real-time sanctions screening at the transaction level a practical necessity rather than merely a best practice. The AML Act of 2020 (part of the National Defense Authorization Act) mandated FinCEN to publish national AML/CFT priorities annually, directly shaping the risk categories that screening programmes must address.

United Kingdom. The Money Laundering Regulations 2017 (as amended by SI 2019/1511 and SI 2022/860) require firms to apply CDD, including screening, to all customers. HM Treasury's OFSI publishes the UK consolidated sanctions list separately from the EU list following Brexit. The Financial Conduct Authority (FCA) supervises most payment institutions and electronic money institutions under MLR 2017, and its Financial Crime Guide sets out supervisory expectations on screening programme design. Firms operating across EU and UK jurisdictions must therefore maintain dual-list coverage.

FATF. The Financial Action Task Force's 40 Recommendations (revised 2012, updated 2023) form the international baseline. FATF Mutual Evaluations assess whether jurisdictions have effectively implemented these standards; poor ratings create market access risks for financial institutions domiciled in greylisted or blacklisted countries.

04
Data providers & fintech integration

The quality of an AML screening programme is inseparable from the quality of its underlying reference data. The principal commercial providers occupy distinct positions in the market.

Refinitiv World-Check (now part of LSEG) is the incumbent in Tier-1 banking, offering deep structured data on PEPs and sanctioned entities with long entity histories and extensive source citations. It is licensed per-entity-screened and per-seat, making it expensive for high-volume fintechs at early growth stages. Dow Jones Risk & Compliance provides comparable depth and is frequently used in combination with World-Check by correspondent banks seeking independent verification. ComplyAdvantage takes a data-as-a-service and API-first approach, aggregating sanctions, PEP, adverse-media and watchlist data into a single fuzzy-matching API with sub-second response times, making it popular among fintechs and neobanks scaling rapidly. LexisNexis Bridger XG is widely adopted in the US market, integrating with core banking platforms via standardised connectors.

For fintechs integrating AML screening at scale, the architecture typically involves: (1) a normalisation layer that standardises identity data (name, DOB, nationality, identifiers) from onboarding flows, KYC documents and payment messages into a canonical schema before submission to the screening API; (2) a screening orchestrator that fans out requests to multiple list providers in parallel and consolidates results, deduplicating alerts from overlapping datasets; (3) a case-management system that queues analyst tasks, records disposition rationale with audit trails, and feeds back confirmed clears as whitelisted records to suppress repeat false positives; (4) a monitoring integration that pipes the "who" data from screening into the transaction-monitoring engine, enriching behavioural models with the entity's risk classification.

When operating embedded financial products — such as white-label card programmes or Banking-as-a-Service platforms — the question of screening responsibility is a contractual and regulatory one. The regulated principal (the electronic money institution or bank holding the licence) retains ultimate AML responsibility and cannot delegate it entirely to an unregulated programme manager. In practice this means the BaaS provider either performs screening itself and shares results via API, or mandates that the programme manager uses an approved screening vendor and grants audit rights over alert disposition records. See also the Codego glossary entries on BIN sponsorship and card issuing for how these responsibilities are allocated in card programme structures.

05
How Codego handles AML screening

Codego's core banking and BaaS infrastructure embeds AML screening natively across all product lines — from card issuing to crypto-funded card programmes — so that programme partners launch compliant by design rather than bolting compliance on after go-live.

Operating under an NBB electronic-money distribution licence, with Codego Europe SIA in the EMI licensing process and pan-EU passporting coverage across 12 countries, Codego maintains CDD and screening obligations as the regulated principal across all white-label programmes. Onboarding screening is integrated directly into the client questionnaire and KYC flow accessible via the self-service portal, applying real-time sanctions, PEP and adverse-media checks before any IBAN or card credential is issued. For crypto programmes, where the EU's Travel Rule obligations under Regulation 2023/1113 add a transaction-screening layer at the point of on-the-fly stablecoin conversion, Codego's engine performs beneficiary screening within the settlement window — including on SEPA Instant rails where the ten-second settlement clock is in force.

Partners launching a white-label bank or white-label card programme through Codego benefit from the platform's existing screening integrations, pre-configured alert thresholds calibrated against EU and UK regulatory expectations, and documented false-positive disposition workflows that satisfy FCA and relevant national competent authority audit requirements. Because Codego's infrastructure targets a fifteen-day end-to-end programme launch — virtual cards live on day one, physical cards by day fifteen — the AML programme is production-ready from the first cardholder, not a subsequent retrofit.

06
Frequently asked questions

Q1. What is the difference between AML screening and transaction monitoring?
AML screening checks the identity of a customer or counterparty against static reference datasets — sanctions lists, PEP registers, adverse-media sources. Transaction monitoring analyses the behaviour of payment flows over time against typology-based rules or machine-learning models. Both are mandatory obligations under FATF, EU AMLD and comparable national frameworks, but they address different stages of money-laundering risk and are typically implemented as separate but integrated systems.
Q2. How often must ongoing AML screening be performed?
Frequency depends on the customer's risk classification. High-risk customers — including PEPs and those in high-risk jurisdictions — should be re-screened at least daily to capture new designations issued without notice. Standard-risk customers are typically re-screened monthly or quarterly, though regulators increasingly expect event-driven re-screening (e.g., on material change of circumstances) in addition to periodic cycles. The EU AMLR, once fully applicable, is expected to set minimum periodic-screening intervals in regulatory technical standards.
Q3. What are PEPs and why do they require enhanced due diligence?
A politically exposed person (PEP) is an individual who holds or has recently held a prominent public function — heads of state, senior politicians, senior executives of state-owned enterprises, senior judiciary, and high-ranking military officers — as defined in Article 3(9) of EU Directive 2015/849 (4AMLD). Their public position creates elevated risk of bribery and corruption, so FATF Recommendation 12 and EU AML law require enhanced due diligence: establishing the source of funds, obtaining senior management approval for the relationship, and applying enhanced ongoing monitoring. PEP status typically persists for at least 12–18 months after leaving office, and many firms apply a longer "cooling-off" period.
Q4. What is a false positive and how do firms manage them?
A false positive is a screening alert generated against a legitimate customer whose name or attributes are similar to a sanctioned or PEP entity but who is not that individual. Industry false-positive rates routinely reach 95–99% of raw alerts. Firms manage them through threshold tuning, date-of-birth disambiguation, whitelisting of previously cleared records, tiered analyst workflows, and machine-learning models trained on historical disposition decisions. Regulators require documented rationale for any suppression logic; over-tuning that eliminates genuine hits without human review is itself a compliance failure.
Q5. Does the FATF Travel Rule affect AML screening obligations?
Yes. The FATF Travel Rule (Recommendation 16) requires that originator and beneficiary information accompany wire transfers and, since 2023 under EU Regulation 2023/1113, crypto-asset transfers. This creates a transaction-level screening obligation: the receiving payment service provider or CASP must screen the incoming originator data against sanctions lists before crediting the beneficiary. For crypto programmes, this is particularly operationally significant because it applies to every on-chain transfer above the threshold, requiring integration of Travel Rule data exchange protocols (e.g., IVMS 101 messaging standard) with the screening engine.
Q6. Who is responsible for AML screening in a BaaS or white-label card programme?
The regulated principal — the licensed electronic money institution or bank — retains ultimate AML responsibility and cannot delegate it to an unregulated programme manager. In a BIN-sponsored or BaaS arrangement, the sponsor either performs screening itself and shares results via API, or contractually mandates that the programme manager uses an approved vendor and submits to regular audits. Partners must understand which entity holds the AML obligation before launch, as regulatory enforcement targets the licence-holder regardless of contractual indemnities with downstream parties.
```
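
The onboarding matching and false-positive tuning steps described under "How it works" (name normalisation, fuzzy matching against a score threshold, date-of-birth disambiguation and whitelisting of cleared records), shown as an added example that is not Codego's or any screening vendor's code. It uses normalised Levenshtein similarity; the watchlist entries, the two thresholds and the one-tier DOB downgrade policy are assumptions made for illustration.

```python
import unicodedata
from datetime import date

# Constructed watchlist entries for illustration; not real designations.
WATCHLIST = [
    {"id": "WL-001", "name": "Ivan Petrovich Sidorov", "dob": date(1961, 3, 14)},
    {"id": "WL-002", "name": "María José Álvarez", "dob": None},
]
HIT, REVIEW = 0.95, 0.80  # assumed thresholds; production values need documented rationale
TIERS = ["CLEAR", "REVIEW", "HIT"]

def normalise(name):
    """Fold accents and case, strip punctuation, sort tokens to absorb name-order differences."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    return " ".join(sorted("".join(c if c.isalnum() else " " for c in base).split()))

def levenshtein(a, b):
    """Edit distance, keeping one row of the dynamic-programming table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    a, b = normalise(a), normalise(b)
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)

def screen(customer_id, name, dob=None, cleared=frozenset()):
    """Return (disposition, record_id, score) for the strongest remaining alert."""
    best = (0, 0.0, None)  # (tier index, score, record id)
    for rec in WATCHLIST:
        score = similarity(name, rec["name"])
        tier = 2 if score >= HIT else 1 if score >= REVIEW else 0
        if tier and (customer_id, rec["id"]) in cleared:
            tier = 0  # analyst already cleared this customer against this record
        elif tier and dob and rec["dob"] and dob != rec["dob"]:
            tier -= 1  # assumed policy: a known, differing DOB downgrades one tier
        if tier:
            best = max(best, (tier, score, rec["id"]))
    return TIERS[best[0]], best[2], round(best[1], 3)
```

The whitelist is keyed on customer and list record rather than on the name alone, so a different customer with the same name is still alerted.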