AML: what is AML and API solutions in compliance

Anti Money Laundering (AML) refers to all activities that financial institutions and intermediaries are required to carry out to prevent illicit funds from being reintroduced into the economic system.

To comply with AML regulations, obligated entities must perform proper customer due diligence, actively monitor their transactions, and report any suspicious transactions.

Anti Money Laundering: What It Is

The anti-money laundering system, which in Italy is regulated by Legislative Decree 231/2007, was created to prevent and combat the risk of money laundering from illegal activities, which is "cleaned" by reintroducing it into entirely legal channels.

Banks, financial institutions, insurance companies, and various other entities, including securities brokerage firms and accountants, are required to carry out anti-money laundering activities.

This means, among other things, that they are required to identify clients and the beneficial owners of legal entities performing financial transactions and to report any suspicious transactions.

Anti-Money Laundering Regulations

Anti-money laundering regulations consist of several levels: at the core are the international standards of the FATF, which serve as AML guidelines and are reflected in EU regulations and national legislation.

To summarize, the AML regulatory framework consists of:

• FATF (Financial Action Task Force) recommendations, which are recognized as the fundamental guidelines for fighting money laundering and terrorist financing;
• EU regulations: The current Fifth EU Directive 2018/843 implements international standards and tightens regulations, expanding the list of obligated entities for AML and providing more detailed rules for the verification of transactions;
• Italian law: introduced by Legislative Decree 231/2007 on November 21, the Italian AML legislation was updated with the enactment of Legislative Decree 90 of May 25, 2017, along with the relevant implementing provisions issued by the Ministry of Economy and Finance, the Financial Intelligence Unit for Italy, and anti-money laundering supervisory authorities (Bank of Italy, IVASS, Consob).

With the Fifth Directive, the European Union tightened the regulations, including cryptocurrency exchange providers, art dealers, and digital wallet service providers among the obligated entities.

AML: Anti-Money Laundering Obligations

Intermediaries and entities engaged in financial activities are required to follow AML provisions as defined by national and international regulations.

Some of the main AML obligations are as follows:

• Conducting proper customer due diligence: Initially, this is done through valid identification documents or identifying the beneficial owner of legal entities. Still, if the relationship becomes continuous, it involves constant assessment of financial operations and their associated risk factors;
• Reporting suspicious transactions: Obligated entities must report, before completing the transaction, "when they know, suspect, or have reasonable grounds to suspect that money laundering or terrorist financing operations are ongoing, have been completed, or attempted, or that the funds, regardless of their amount, originate from criminal activity" (Art. 35 of Legislative Decree 231/2007);
• Storing data for 10 years;
• Not executing transactions if customer due diligence cannot be performed (Art. 42);
• Transmitting data and communications to the Financial Intelligence Unit for Italy (based on UIF instructions and procedures).

Additionally, there is an obligation to establish training and internal control measures to monitor customer identification, data recording and retention, and suspicious transaction reporting.

Anti-Money Laundering: Customer Due Diligence

One of the most important obligations under AML regulations is proper customer due diligence, as expressed in Article 17 and subsequent articles of Legislative Decree 231/2007.

Customer due diligence is implemented through a set of measures that include the following operations:

• Identifying the customer through identity documents (in the case of legal entities, the identity of authorized representatives);
• Identifying the beneficial owner, i.e., the natural person on whose behalf the customer is performing the transaction;
• Verifying the identity of individuals through documents and information obtained from reliable sources;
• Gathering information on the purpose of the continuous relationship;
• Acquiring information on occasional transactions if a risk factor is present;
• Continuously monitoring the relationship through “analysis of the operations carried out and activities identified throughout the relationship to ensure they are consistent with the knowledge of the customer and their risk profile, including, if necessary, the origin of funds” (Art. 19).

Failure to obtain or verify the relevant identification data may result in monetary penalties, which, in the case of serious violations, can reach up to €50,000 (Art. 56).

Anti-Money Laundering in Online Onboarding and Operations

AML regulations also apply to online banks, financial operators exchanging cryptocurrencies, and digital wallet service providers. Many AML-related operations, therefore, take place online.

As established by Article 19 of Legislative Decree 231/2007, the identification requirement is considered fulfilled even without the physical presence of the customer, provided they have a digital identity with a significant level of assurance, or their identity is confirmed by qualified certificates used to generate a digital signature.

Except in exceptional cases, any digital onboarding process at a bank or cryptocurrency platform requires customer due diligence through KYC (Know Your Customer), which is the process of identifying and verifying the customer’s identity.

Customer Due Diligence and KYC

The KYC process aims to gather information that enables evaluating the money laundering or criminal financing risk for each customer.

In addition to customer identification and document verification, KYC requires the collection of information to assess the actual risk factors and constant monitoring of transactions.

Based on risk profiles, customer due diligence may be simplified or more thorough. It typically follows this pattern:

• Collecting basic personal information through online forms;
• Customer Identification Program (CIP) and information verification: The operator verifies the correctness of the entered data, for example, by verifying the individual’s tax code;
• Customer Due Diligence (CDD): A more in-depth check using official data and third-party databases, allowing for more accurate predictions about the customer’s activity and ongoing relationship. If the customer has a medium to high-risk score, a more thorough report on the individual or legal entity is necessary;
• Continuous monitoring to mitigate risk;
• Updating customer profiles and information.

KYC: API Solutions for AML

When the customer is a company, customer due diligence requires further information about the company: in addition to the beneficial ownership, the business model, revenue, size, and any export activities must be known.

Openapi's AML service was designed for this purpose: it allows access, through APIs, to over 300 enriched data points on all individuals (private or legal) involved in the company, starting with just the customer's VAT number. It is intended for all companies seeking certified data for AML verification.

As part of Customer Due Diligence, regardless of the risk level, it is also necessary to verify that the person performing the online procedure matches the individual whose identity documents are provided.

Some operators require the upload of the document, while others ask for a selfie with the document or participation in a live video call with an operator.

Openapi’s Video Identification APIs allow businesses to choose the video identification mode that best suits their needs, ensuring compliance with customer due diligence requirements while creating a secure and customizable user experience.