- Legal consulting
- June 26, 2026
AML/KYC compliance for fintechs: a program that passes audits
An AML program is judged not on intent but on what a regulator can inspect. Here is what a fintech's AML/KYC framework must contain to withstand an audit, mapped to the EU's 2024 package and the July 2027 AMLR horizon.

Key takeaways
- KYC (know your customer) is the identity and due-diligence component of AML (anti-money laundering); KYC is a part of AML, not a synonym for it.
- The EU's 2024 AML package comprises the AMLR (Regulation (EU) 2024/1624), AMLD6 (Directive (EU) 2024/1640) and AMLA (Regulation (EU) 2024/1620); most AMLR provisions apply from 10 July 2027.
- Payment institutions, EMIs, neobanks and crypto-asset service providers are all obliged entities and must run a full AML/CFT program.
- The customer due diligence threshold for occasional transactions falls from EUR 15,000 today to EUR 10,000 under the AMLR; for crypto-asset service providers (CASPs), the AMLR sets the occasional-transaction threshold at EUR 1,000.
- An audit-ready program rests on eight pillars: a documented risk assessment, written policies, a designated compliance officer, CDD/KYC, ongoing monitoring, suspicious-activity reporting, record-keeping and independent testing.
AML and KYC are not the same thing
AML, anti-money laundering, is the whole program of controls a firm runs to detect and prevent money laundering and terrorist financing. KYC, know your customer, is the identity-and-due-diligence component of that program: verifying who the customer is and who ultimately owns or controls them. KYC is a part of AML, not a synonym.
The distinction matters in an audit. A regulator does not only ask whether you verify identities; it asks whether identity verification sits inside a documented, risk-based system with governance, monitoring, reporting and testing around it. A firm that confuses good onboarding with a complete AML program is the firm that fails the inspection.
The EU AML package and the July 2027 horizon
In 2024 the EU adopted a single, harmonised AML package that materially changes the compliance baseline. Knowing which instrument does what, and when it applies, is essential for dating a program correctly.
The practical framing is this: firms comply today under the AML directives in force, and move to the directly-applicable AMLR rulebook from 10 July 2027. A program built now should already anticipate the AMLR rather than be rebuilt for it later.
- AMLR - Regulation (EU) 2024/1624: the single, directly-applicable AML rulebook covering CDD, beneficial ownership, EDD and reporting; most provisions apply from 10 July 2027.
- AMLD6 - Directive (EU) 2024/1640: governance and supervision, financial intelligence units and beneficial-ownership registers, transposed into national law.
- AMLA - Regulation (EU) 2024/1620: establishes the EU Anti-Money Laundering Authority, seated in Frankfurt and operational since July 2025, issuing technical standards and guidelines; it is due to take over direct supervision of selected high-risk cross-border entities from 2028.
Who has to comply?
AML obligations fall on what EU law calls obliged entities. Credit and financial institutions are squarely in scope, and for the fintech sector that expressly includes payment institutions, electronic money institutions, neobanks and crypto-asset service providers.
In other words, if you hold a payments, e-money or MiCA licence, a full AML/CFT program is not optional and not a nice-to-have. It is a licensing condition, and supervisors increasingly treat AML weakness as a reason to delay or refuse authorisation in the first place.
Customer due diligence and the thresholds that trigger it
Customer due diligence (CDD) is the set of checks a firm runs to know and risk-rate its customers. CDD is always required when establishing a business relationship, when there is a suspicion of money laundering or terrorist financing, or when there are doubts about previously obtained identification data. For one-off dealings, fixed monetary thresholds also trigger CDD.
The thresholds are changing, so state the current and future figures together. For occasional transactions, the EU threshold moves from EUR 15,000 or more today to EUR 10,000 or more under the AMLR from 10 July 2027. Crypto is treated more tightly: under the AMLR, CASPs must apply due diligence to occasional transactions of EUR 1,000 or more. The AMLR also introduces an EU-wide cap on cash payments of EUR 10,000, though lower national caps may remain in place.
- Always: when establishing a business relationship, on suspicion of ML/TF, or on doubts about earlier ID data.
- Occasional transactions: CDD at EUR 15,000 or more today, at EUR 10,000 or more under the AMLR from 10 July 2027.
- Crypto: under the AMLR, CASPs apply CDD to occasional transactions of EUR 1,000 or more.
- Cash: an EU-wide cash payment cap of EUR 10,000 under the AMLR, with lower national caps possible.
Enhanced due diligence and beneficial ownership
Enhanced due diligence (EDD) applies to higher-risk situations and means more information, senior sign-off and closer ongoing monitoring. It is required for politically exposed persons (PEPs), customers connected to high-risk third countries, and complex or unusually large transactions without an obvious economic purpose. The AMLR adds a mandatory EDD case for high-net-worth customers whose total wealth and assets held with the firm exceed thresholds the Regulation itself defines, so very high-value relationships are brought into the EDD net as a matter of law rather than firm discretion.
Beneficial ownership is the other pillar auditors probe hard. A beneficial owner (UBO) is the natural person who ultimately owns or controls the customer. The AMLR sets the ownership indicator at 25% or more of the shares, voting rights or other ownership interest, where the current directive-based test looks for more than 25%; AMLD6 complements this with more detailed, EU-interconnected central registers, extended to certain non-EU entities with EU links. A program that still applies only the old above-25% test is already out of step with the new standard.
Transaction monitoring and the crypto travel rule
Knowing a customer at onboarding is not enough; a firm must keep watching the relationship. Ongoing and transaction monitoring screens activity against the customer's expected profile and against sanctions, PEP and adverse-media lists, and flags anomalies for review. This is the engine that turns static KYC data into live risk management.
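A minimal illustration of the monitoring logic described above, added here as example code that is not from the original page and not Averium's or any vendor's product. It assumes a customer profile declared at onboarding (expected monthly volume and counterparty countries), a constructed watch list and constructed transactions; its three rules (watch-list name match, counterparty country outside the declared profile, monthly volume above the declared expectation) are illustrative choices, not a statement of what any regulation requires.

```python
"""Transaction-monitoring sketch added to illustrate the section above.

Example code written for this page, not Averium's advice or any vendor's
product. The profile, watch list and transactions are constructed sample
data; the rules are assumptions chosen to show how activity is screened
against a customer's expected profile and against list data.
"""
from dataclasses import dataclass
import unicodedata


@dataclass
class Profile:
    customer_id: str
    expected_monthly_volume_eur: float  # assumed: declared at onboarding
    expected_countries: set             # assumed: ISO codes declared at onboarding


@dataclass
class Txn:
    txn_id: str
    customer_id: str
    amount_eur: float
    counterparty_name: str
    counterparty_country: str
    month: str  # YYYY-MM


@dataclass
class Alert:
    subject: str  # transaction id, or "month:YYYY-MM" for aggregate rules
    rule: str
    detail: str


def normalise(name: str) -> str:
    """Fold accents, case, hyphens and spacing so 'María López-Ruiz' and
    'MARIA LOPEZ RUIZ' compare equal; raw string comparison is the classic
    way list screening is silently defeated."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_accents.upper().replace("-", " ").replace(".", " ").split())


def screen_name(name: str, watch_list: list) -> list:
    """Return watch-list entries (sanctions, PEP, adverse media) whose
    normalised name equals the normalised input. Production screening adds
    fuzzy matching and date-of-birth/nationality discriminators; this is
    the minimal exact form."""
    key = normalise(name)
    return [entry for entry in watch_list if normalise(entry["name"]) == key]


def monitor(profile: Profile, txns: list, watch_list: list) -> list:
    """Run the per-transaction and per-month rules for one customer."""
    alerts = []
    volume_by_month = {}
    for t in txns:
        if t.customer_id != profile.customer_id:
            continue
        volume_by_month[t.month] = volume_by_month.get(t.month, 0.0) + t.amount_eur
        for hit in screen_name(t.counterparty_name, watch_list):
            alerts.append(Alert(t.txn_id, f"{hit['list']}_match",
                                f"counterparty '{t.counterparty_name}' matches "
                                f"{hit['list']} entry '{hit['name']}'"))
        if t.counterparty_country not in profile.expected_countries:
            alerts.append(Alert(t.txn_id, "unexpected_country",
                                f"counterparty country {t.counterparty_country} "
                                f"not in declared profile"))
    for month, volume in sorted(volume_by_month.items()):
        if volume > profile.expected_monthly_volume_eur:
            alerts.append(Alert(f"month:{month}", "volume_exceeds_profile",
                                f"EUR {volume:,.0f} against declared "
                                f"EUR {profile.expected_monthly_volume_eur:,.0f}"))
    return alerts


# Constructed sample data (not real persons or real list entries).
WATCH_LIST = [
    {"name": "Ivan Petrov", "list": "sanctions"},
    {"name": "María López-Ruiz", "list": "PEP"},
]
PROFILE = Profile("C-1001", expected_monthly_volume_eur=5_000, expected_countries={"DE", "NL"})
TXNS = [
    Txn("T1", "C-1001", 1_200, "Acme GmbH", "DE", "2026-06"),
    Txn("T2", "C-1001", 4_500, "Ivan PETROV", "DE", "2026-06"),
    Txn("T3", "C-1001", 800, "Maria Lopez Ruiz", "ES", "2026-07"),
]


def run_sample() -> list:
    """Alerts raised on the constructed data: a sanctions hit on T2, a PEP hit
    and an unexpected country on T3, and June volume above the declared profile."""
    return monitor(PROFILE, TXNS, WATCH_LIST)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.subject:14} {a.rule:24} {a.detail}")
```

The point of the example is the shape of the control rather than the particular rules: every alert carries the rule that fired and the evidence behind it, which is what an inspector asks to see when tracing how a flagged transaction moved from detection to review to a reporting decision.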
For crypto firms there is an additional, specific obligation known as the travel rule. Under the Transfer of Funds Regulation, Regulation (EU) 2023/1113, applicable since 30 December 2024, originator and beneficiary information must accompany crypto-asset transfers between providers regardless of amount. For transfers to or from self-hosted wallets exceeding EUR 1,000, the CASP must additionally verify that the wallet is owned or controlled by its customer.
The eight building blocks of an audit-ready program
Regulators inspect documents and decisions, not good intentions. A program passes an audit when each of the following building blocks exists, is written down, is proportionate to the firm's risk and is demonstrably operating in practice. Averium advises on the program and its legal sufficiency on a vendor-neutral basis, so the framework is built to withstand the supervisor rather than to fit a particular tool.
- A business-wide AML/CFT risk assessment, documented and kept current.
- Internal policies, controls and procedures proportionate to that risk.
- A designated compliance/AML officer (MLRO) with senior-management accountability.
- CDD and KYC at onboarding, including ID verification, UBO identification and purpose of the relationship, with risk-based EDD.
- Ongoing monitoring and transaction monitoring, with sanctions, PEP and adverse-media screening.
- Suspicious transaction and activity reporting (STR/SAR) to the national financial intelligence unit.
- Record-keeping, with CDD records and transaction records retained for five years after the end of the business relationship or the date of the occasional transaction, as EU AML law requires.
- Staff training and independent audit or testing of the program.
Build an AML program that withstands inspection
Averium designs AML/CFT programs that regulators can inspect: the documented risk assessment, policies, MLRO framework and audit-readiness mapped to the 2024 EU package and the July 2027 AMLR. Vendor-neutral, legally grounded. Tell us where your program stands today.