Updated Mar 07, 2026

AML/KYC -- The Three Lines of Defence

SAR / STR (Suspicious Activity Report / Suspicious Transaction Report)

A confidential report filed by the bank to the national Financial Intelligence Unit when transactions or behaviour indicate potential money laundering, terrorist financing, or other financial crime.

A customer makes 8 cash deposits of GBP 9,200 each over 14 days across different branches -- total GBP 73,600, each deposit just below the GBP 10,000 reporting threshold. The compliance team files a SAR with the UK's National Crime Agency.

Filing a SAR carries personal criminal liability for the Money Laundering Reporting Officer (MLRO) -- failing to file when indicators are present can result in prosecution; tipping off the customer that a SAR has been filed is itself a criminal offence.

PEP (Politically Exposed Person)

An individual who holds or has recently held a prominent public function -- such as a head of state, minister, senior judge, or military officer -- plus their family members and close associates.

A former Minister of Energy (left office 2 years ago) opens a bank account. PEP status triggers mandatory Enhanced Due Diligence: senior management approval, source of wealth verification, and ongoing enhanced monitoring.

PEP status does not mean the person is a criminal -- it means their position creates elevated corruption and bribery risk, requiring the bank to apply a higher standard of scrutiny.

CDD / EDD (Customer Due Diligence / Enhanced Due Diligence)

CDD is the standard identity verification and risk assessment performed on every bank customer; EDD is the additional scrutiny required for higher-risk customers (PEPs, high-risk jurisdictions, complex ownership).

Standard CDD: verify identity, confirm source of funds, assign a risk rating -- takes 1-2 days for a retail customer. EDD: all of the above plus source of wealth verification, senior management approval, and enhanced ongoing monitoring -- takes 2-6 weeks for a complex corporate.

CDD is the bank's first line of defence against financial crime -- inadequate CDD is the root cause behind most AML enforcement actions and billion-dollar fines.

FATF (Financial Action Task Force) and Grey List

FATF is the international body that sets AML standards (the "40 Recommendations"); the grey list is FATF's public list of countries with strategic deficiencies in their AML frameworks.

Pakistan was on the FATF grey list from June 2018 to October 2022, meaning every transaction involving a Pakistani counterparty triggered enhanced scrutiny at banks worldwide. Currently 20+ jurisdictions are grey-listed.

Grey-listing increases the cost of doing business for an entire country -- banks apply EDD to all transactions involving grey-listed jurisdictions, slowing trade finance and increasing compliance costs.

In Lessons 6-8, you built the solvency pillar: capital adequacy ratios, risk-weighted assets, leverage, and liquidity. That pillar protects the bank against financial losses. This lesson shifts to the third regulatory pillar -- financial crime compliance -- which protects the bank against being used as a conduit for money laundering, terrorist financing, and other illicit activity.

The scale of the problem is staggering. The United Nations Office on Drugs and Crime estimates that between 2% and 5% of global GDP is laundered annually -- approximately $800 billion to $2 trillion. Banks are the primary gatekeepers. They are legally obligated to know their customers, monitor transactions, and report suspicious activity. The cost of failure is severe: HSBC paid $1.9 billion in fines for AML failures in 2012. Danske Bank's Estonian branch handled over EUR 200 billion in suspicious transactions between 2007 and 2015. These are not theoretical risks.

For AI agents operating in banking, AML creates a hard boundary. An agent can automate screening, data gathering, and risk scoring. It must never make the final decision to accept or reject a high-risk customer, and it must never file a Suspicious Activity Report -- those decisions carry personal criminal liability for the humans who make them.

The Three Lines of Defence

The three lines of defence model defines who does what in a bank's AML framework:

| Line | Function | Responsibility | Key Personnel |
|---|---|---|---|
| 1st Line | Customer-facing business | Know the customer at onboarding, monitor ongoing activity, escalate concerns | Relationship managers, branch staff, onboarding teams |
| 2nd Line | Financial crime compliance | Design the framework, set policies, operate transaction monitoring systems, investigate alerts, file SARs | Money Laundering Reporting Officer (MLRO), compliance analysts |
| 3rd Line | Internal audit | Independent assurance that 1st and 2nd lines are working effectively | Internal audit team (reports to Audit Committee, not to management) |

How the Lines Interact

The first line is accountable for applying CDD procedures at the point of customer contact. The relationship manager must collect identity documents, verify source of funds, and assign an initial risk rating. They escalate concerns to the second line.

The second line designs the policies the first line follows, operates the transaction monitoring systems that generate alerts, investigates those alerts, and decides whether to file a Suspicious Activity Report. The MLRO has personal accountability for SAR filing decisions.

The third line tests both. Internal audit reviews a sample of customer files to verify that first-line CDD was performed correctly, reviews transaction monitoring alert dispositions to verify that second-line investigations were adequate, and reports findings directly to the Board Audit Committee -- independent of both the business and the compliance function.
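The second line's transaction monitoring is rule-driven, and the deposit pattern in the SAR flashcard at the top of this lesson (eight cash deposits just under the threshold, spread over branches and days) is the classic case such a rule exists for. The following is an added example, not code from the lesson or the banking plugin: a rolling-window rule that aggregates one customer's sub-threshold cash deposits and raises an alert for an analyst when they add up to the threshold. The GBP 10,000 threshold, the 14-day window, the three-deposit minimum and the branch names are assumptions constructed for this illustration. The rule's output is an alert for second-line investigation; it does not and cannot decide whether a SAR follows.

```python
"""Rolling-window alert rule for sub-threshold cash deposits (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

REPORTING_THRESHOLD = 10_000.0   # assumed cash reporting threshold, GBP
WINDOW_DAYS = 14                 # rolling look-back window, calendar days (assumed)
MIN_DEPOSITS = 3                 # fewest sub-threshold deposits that form a pattern (assumed)
BRANCHES = ["Manchester", "Birmingham", "Glasgow", "Cardiff"]   # constructed names

@dataclass(frozen=True)
class Deposit:
    customer_id: str
    day: date
    branch: str
    amount: float

@dataclass
class Alert:
    customer_id: str
    window_start: date
    window_end: date
    deposit_count: int
    total: float
    branches: List[str]
    rule: str = "CASH_STRUCTURING_PATTERN"   # assumed rule name

def find_structuring_alerts(deposits: List[Deposit]) -> List[Alert]:
    """One alert per customer whose sub-threshold cash deposits inside any
    WINDOW_DAYS window number at least MIN_DEPOSITS and sum to the threshold
    or more. Deposits at or above the threshold are reportable on their own
    and belong to a separate rule, so they are excluded here."""
    by_customer: Dict[str, List[Deposit]] = {}
    for d in deposits:
        if d.amount < REPORTING_THRESHOLD:
            by_customer.setdefault(d.customer_id, []).append(d)

    alerts: List[Alert] = []
    for cid, ds in by_customer.items():
        ds.sort(key=lambda d: d.day)
        best: List[Deposit] = []
        start = 0
        for end in range(len(ds)):
            # Advance the window start until the window spans at most WINDOW_DAYS.
            while (ds[end].day - ds[start].day).days >= WINDOW_DAYS:
                start += 1
            window = ds[start:end + 1]
            if sum(d.amount for d in window) > sum(d.amount for d in best):
                best = window
        total = sum(d.amount for d in best)
        if len(best) >= MIN_DEPOSITS and total >= REPORTING_THRESHOLD:
            alerts.append(Alert(cid, best[0].day, best[-1].day, len(best), total,
                                sorted({d.branch for d in best})))
    return alerts

# Constructed sample input: one customer mirroring the flashcard pattern
# (8 deposits of GBP 9,200 across four branches inside 14 days), one customer
# with two deposits a month apart, and one single deposit above the threshold.
_DAY0 = date(2025, 3, 1)
SAMPLE_DEPOSITS: List[Deposit] = [
    Deposit("C-1001", _DAY0 + timedelta(days=offset), BRANCHES[i % len(BRANCHES)], 9_200.0)
    for i, offset in enumerate([0, 1, 3, 5, 7, 9, 11, 13])
] + [
    Deposit("C-2002", _DAY0, "Leeds", 9_500.0),
    Deposit("C-2002", _DAY0 + timedelta(days=32), "Leeds", 9_500.0),
    Deposit("C-3003", _DAY0 + timedelta(days=4), "Bristol", 12_000.0),
]

if __name__ == "__main__":
    for a in find_structuring_alerts(SAMPLE_DEPOSITS):
        print(f"{a.rule}: customer {a.customer_id}, {a.deposit_count} deposits totalling "
              f"GBP {a.total:,.0f} between {a.window_start} and {a.window_end} "
              f"at {', '.join(a.branches)} -> route to a second-line analyst")
```

Run on the constructed sample, only C-1001 trips the rule (8 deposits, GBP 73,600, four branches). C-2002's two deposits never share a window, and C-3003's single GBP 12,000 deposit is excluded from this rule because it is reportable on its own. The window is chosen as the one with the largest total rather than the first one that qualifies, so the analyst sees the full pattern, not its first three deposits.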

Why Independence Matters

The third line must be independent of both the first and second lines. If internal audit reports to the Head of Compliance (second line), there is a conflict of interest -- audit would be reviewing its own colleagues' work. The Board Audit Committee provides the independent reporting line that makes the three-line model function.

Customer Due Diligence (CDD)

CDD is the foundation of AML compliance. It applies to every customer at onboarding and throughout the relationship.

Standard CDD Requirements

| CDD Element | What It Involves |
|---|---|
| Identity verification | Government-issued ID, proof of address, corporate registration documents |
| Nature and purpose of relationship | Why is the customer opening this account? What transactions are expected? |
| Source of funds | Where does the money come from? Salary, business income, inheritance, investment? |
| Risk rating | Low, Medium, or High -- based on customer type, geography, product, channel |

When Standard CDD Is Sufficient

Standard CDD is appropriate for:

  • Domestic retail customers with straightforward banking needs
  • SME business accounts with clear trading activity
  • Customers from low-risk jurisdictions with transparent ownership

Enhanced Due Diligence (EDD)

EDD is required when risk indicators are elevated. It involves everything in standard CDD plus additional measures:

| EDD Trigger | Additional Requirements |
|---|---|
| Politically Exposed Person (PEP) | Senior management approval, enhanced monitoring, source of wealth verification |
| High-risk jurisdiction (FATF grey/black list) | Enhanced scrutiny of source of funds, purpose of transactions, beneficial ownership |
| Correspondent banking | Full understanding of correspondent's AML framework, nested correspondent relationships prohibited |
| Complex ownership structures | Full beneficial ownership chain, source of wealth for UBOs, explanation for complexity |
| High-value / unusual transactions | Enhanced transaction analysis, documented rationale |

Politically Exposed Persons (PEPs)

A PEP is an individual who holds or has held a prominent public function. The definition extends to family members (spouse, children, parents, siblings) and close associates (business partners, joint beneficial owners).

PEP categories include:

  • Heads of state, heads of government, ministers
  • Members of parliament or legislature
  • Senior judiciary (Supreme Court, Constitutional Court)
  • Senior military officers
  • Board members and senior executives of state-owned enterprises
  • Senior political party officials

PEP status does not mean the person is a criminal. It means they occupy a position that could be abused for money laundering, corruption, or bribery, and therefore require enhanced scrutiny.

Beneficial Ownership

Beneficial ownership identifies the natural person who ultimately owns or controls a legal entity. The typical regulatory threshold is 25% -- any natural person who directly or indirectly holds 25% or more of the shares or voting rights, or who exercises control through other means.

For complex structures -- multiple layers of holding companies, trusts, partnerships -- the bank must trace the ownership chain to identify the ultimate beneficial owner. If no natural person meets the 25% threshold, the bank must identify the person who exercises control through other means (e.g., a senior managing official).
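Tracing "directly or indirectly" through layered holdings is mechanical once the ownership graph is known: a person's effective stake is the product of percentages along each path from the client down to them, summed over all paths. The example below is added here and is not the lesson's or the banking plugin's code. It walks a constructed registry, reports every natural person at or above the 25% threshold the lesson states, and, rather than silently dropping them, lists the branches it cannot resolve to a person (an entity with no recorded holders, such as a discretionary trust, or a circular holding) so that an analyst can follow up. The entity and person names are constructed for the illustration.

```python
"""Ownership-chain tracing to ultimate beneficial owners (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UBO_THRESHOLD = 25.0   # percent; the threshold the lesson states

@dataclass
class Entity:
    name: str
    kind: str                                   # "company", "trust" or "person"
    holders: List[Tuple[str, float]] = field(default_factory=list)   # (holder, % of this entity)

@dataclass
class UboReport:
    effective_stakes: Dict[str, float]          # natural person -> effective % of the client
    ubos: List[str]                             # persons at or above UBO_THRESHOLD
    unresolved: List[Tuple[str, float]]         # (entity, effective %) not traced to a person
    needs_human_review: bool

def trace_ubos(client: str, registry: Dict[str, Entity]) -> UboReport:
    """Multiply percentages down every ownership path from the client and sum
    what lands on each natural person. Branches ending at an entity with no
    recorded holders (a discretionary trust, a missing filing) or looping back
    on themselves are reported as unresolved rather than dropped."""
    stakes: Dict[str, float] = {}
    unresolved: List[Tuple[str, float]] = []

    def walk(name: str, share: float, path: Tuple[str, ...]) -> None:
        ent = registry.get(name)
        if ent is not None and ent.kind == "person":
            stakes[name] = stakes.get(name, 0.0) + share
        elif ent is None or not ent.holders or name in path:
            unresolved.append((name, share))
        else:
            for holder, pct in ent.holders:
                walk(holder, share * pct / 100.0, path + (name,))

    walk(client, 100.0, ())
    ubos = sorted((p for p, s in stakes.items() if s >= UBO_THRESHOLD - 1e-9),
                  key=lambda p: -stakes[p])
    # No person at the threshold means the bank must instead identify who
    # controls the client by other means, which is a human determination.
    return UboReport(stakes, ubos, unresolved, bool(unresolved) or not ubos)

# Constructed registry: a three-layer structure with a discretionary trust and
# one person who holds both directly and through a holding company.
SAMPLE_REGISTRY: Dict[str, Entity] = {
    "Client Ltd":   Entity("Client Ltd", "company",
                           [("HoldCo A", 40.0), ("Family Trust", 30.0),
                            ("Person C", 25.0), ("Person A", 5.0)]),
    "HoldCo A":     Entity("HoldCo A", "company", [("Person A", 70.0), ("HoldCo B", 30.0)]),
    "HoldCo B":     Entity("HoldCo B", "company", [("Person B", 100.0)]),
    "Family Trust": Entity("Family Trust", "trust"),      # discretionary: no named holders
    "Person A":     Entity("Person A", "person"),
    "Person B":     Entity("Person B", "person"),
    "Person C":     Entity("Person C", "person"),
}

if __name__ == "__main__":
    report = trace_ubos("Client Ltd", SAMPLE_REGISTRY)
    for person, pct in sorted(report.effective_stakes.items(), key=lambda kv: -kv[1]):
        print(f"{person:10s} {pct:6.2f}%  {'UBO' if person in report.ubos else ''}")
    for entity, pct in report.unresolved:
        print(f"UNRESOLVED {entity}: {pct:.2f}% not traced to a natural person")
    print("human review required:", report.needs_human_review)
```

On the constructed registry Person A ends up at 33% (28% through HoldCo A plus 5% held directly) and Person C at 25%, both at or above the threshold; Person B's 12% through two layers is below it; and the 30% held by the discretionary trust is reported as unresolved, which is exactly the gap the lesson says the bank must close by other means.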

The Agent Boundary in AML

AI agents operating in banking AML must respect a clear boundary:

| AI Can Automate | Requires Human Judgment |
|---|---|
| Identity document verification (OCR, biometric matching) | Risk acceptance or rejection decision |
| PEP screening against databases | PEP escalation and approval |
| Adverse media screening | EDD assessment and conclusions |
| Transaction monitoring alert generation | SAR filing decision |
| Risk scoring (using defined criteria) | Overriding a risk score |
| Data gathering for EDD (public records, corporate registries) | Beneficial ownership conclusions in complex structures |
| Sanctions list screening | Deciding to exit a customer relationship |

The Hard Boundary

The SAR filing decision carries personal criminal liability for the MLRO. An AI agent must never file a SAR, never draft a SAR without human review and approval, and never communicate to any customer or staff member that a SAR is being considered. Tipping-off -- informing anyone that a SAR has been or may be filed -- is a criminal offence under UK POCA 2002 s333A, punishable by up to two years' imprisonment.

Exercise 7: Customer Onboarding Risk Assessment

Assess the following customer for onboarding. Determine whether standard CDD or enhanced EDD is required, identify all risk factors, and explain which aspects an AI agent can handle versus which require human judgment.

Customer Profile: Azura Power Holdings Ltd

| Field | Details |
|---|---|
| Entity name | Azura Power Holdings Limited |
| Jurisdiction of incorporation | United Kingdom (Companies House registered) |
| Business activity | Power generation and infrastructure development in Sub-Saharan Africa |
| Operating jurisdictions | Nigeria (Lagos), Kenya (Nairobi), Zambia (Lusaka) |
| Ownership structure | 45% held by a Cayman Islands-registered private equity fund ("Equatorial Capital Partners LP"); 30% held by a UK-registered infrastructure fund; 25% held by individual shareholders |
| Key individual | One of the 25% individual shareholders is a former Minister of Energy in Nigeria (left office 2019) |
| Requested services | Project finance facility (GBP 150M), operational accounts, treasury management |
| Source of funds | Equity from shareholders, project revenue from power purchase agreements with national utilities |
| Annual turnover | Approximately GBP 85M |

Your tasks:

  1. List every risk factor you identify
  2. Determine: Standard CDD or Enhanced EDD? Justify your answer
  3. What additional information would you request under EDD?
  4. Which elements of this assessment can the AI agent perform? Which require human decision?
  5. The former minister's nephew is the CFO of Azura. Does this change your assessment?

Key Risk Factors

PEP status: A former Minister of Energy (Nigeria) is a PEP. PEP status continues for a period after leaving office (typically 12-24 months minimum, some jurisdictions apply it indefinitely). The minister left office in 2019, but many policies treat former PEPs as requiring ongoing enhanced monitoring.

Family/close associate: If the nephew serves as CFO, he is a close associate of the PEP, which extends EDD requirements to the operating relationship.

High-risk jurisdictions: Nigeria, Kenya, and Zambia each carry elevated ML/TF risk.

Complex ownership: Cayman Islands PE fund requires tracing to ultimate beneficial owners. Who controls Equatorial Capital Partners LP?

High-value transaction: GBP 150M project finance facility.

Assessment: Enhanced Due Diligence is mandatory. Multiple triggers are present simultaneously -- any one of them would be sufficient.

Agent boundary: The AI can screen the former minister against PEP databases, scan adverse media, pull Companies House records, and generate an initial risk score. The decision to onboard or decline, the EDD conclusions, and the senior management approval must be made by humans.
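The "risk scoring using defined criteria" that the lesson allows an agent to do is a rule set applied to a profile, and the agent boundary is easiest to enforce when the code has no output slot for a decision at all. The following is an added example, not the banking plugin's aml-cdd-edd or kyc-risk-rating skill: it encodes the EDD trigger table from earlier in this lesson, runs it over a profile constructed from the Azura Power Holdings exercise, and returns the identified factors, the CDD/EDD classification and the resulting EDD requirements alongside a fixed list of the items the boundary table reserves for a human. The high-risk and secrecy jurisdiction lists, the GBP 50M "large facility" threshold and the treatment of former PEPs as PEPs indefinitely are assumed policy settings for the illustration, not the lesson's or any regulator's values.

```python
"""Rule-based CDD/EDD triage with an explicit human-decision list (added example)."""
from dataclasses import dataclass, field, replace
from typing import List, Optional

HIGH_RISK_JURISDICTIONS = {"Nigeria", "Kenya", "Zambia"}     # assumed policy list
SECRECY_JURISDICTIONS = {"Cayman Islands", "Jersey", "BVI"}   # assumed policy list
LARGE_FACILITY_GBP = 50_000_000                               # assumed threshold
PEP_LOOKBACK_YEARS: Optional[int] = None   # None: former PEPs stay PEPs indefinitely (assumed)

@dataclass
class Party:
    name: str
    kind: str                                  # "person" or "entity"
    jurisdiction: str
    pct: float = 0.0                           # shareholding in the client, if any
    is_pep: bool = False
    left_office_year: Optional[int] = None     # None for a sitting PEP
    pep_associate: bool = False                # family member or close associate of a PEP

@dataclass
class Profile:
    entity: str
    incorporated_in: str
    operating_in: List[str]
    shareholders: List[Party]
    officers: List[Party] = field(default_factory=list)
    facility_gbp: float = 0.0
    correspondent_banking: bool = False

@dataclass
class Triage:
    risk_factors: List[str]
    classification: str                        # "CDD" or "EDD"; never "accept" or "reject"
    edd_requirements: List[str]
    human_decisions: List[str]

# Reserved for people whatever the rules find (the lesson's boundary table).
HUMAN_DECISIONS = [
    "Risk acceptance or rejection decision",
    "PEP escalation and senior management approval",
    "EDD assessment and conclusions",
    "Beneficial ownership conclusions for complex structures",
    "Any SAR filing decision",
]

def _pep_still_active(p: Party, year: int) -> bool:
    if not p.is_pep:
        return False
    if p.left_office_year is None or PEP_LOOKBACK_YEARS is None:
        return True
    return year - p.left_office_year <= PEP_LOOKBACK_YEARS

def triage(profile: Profile, year: int = 2026) -> Triage:
    """Apply each EDD trigger; any trigger forces EDD. Returns findings only."""
    factors: List[str] = []
    reqs: List[str] = []
    for p in profile.shareholders + profile.officers:
        if _pep_still_active(p, year):
            stake = f", {p.pct:g}% shareholder" if p.pct else ""
            factors.append(f"PEP: {p.name} ({p.jurisdiction}){stake}")
            reqs += ["Senior management approval", f"Source of wealth verification for {p.name}"]
        if p.pep_associate:
            factors.append(f"PEP family member / close associate: {p.name}")
            reqs.append(f"Source of wealth verification for {p.name}")
    hot = sorted(set(profile.operating_in) & HIGH_RISK_JURISDICTIONS)
    if hot:
        factors.append("High-risk jurisdictions: " + ", ".join(hot))
        reqs.append("Enhanced scrutiny of source of funds and transaction purpose")
    for p in profile.shareholders:
        if p.kind == "entity" and p.jurisdiction in SECRECY_JURISDICTIONS:
            factors.append(f"Complex ownership: {p.name} ({p.jurisdiction}) holds {p.pct:g}%")
            reqs.append(f"Full beneficial ownership chain for {p.name}")
    if profile.facility_gbp >= LARGE_FACILITY_GBP:
        factors.append(f"High-value facility: GBP {profile.facility_gbp / 1e6:g}M")
        reqs.append("Documented rationale and enhanced transaction analysis")
    if profile.correspondent_banking:
        factors.append("Correspondent banking relationship")
        reqs.append("Assessment of the correspondent's AML framework")
    if factors:
        reqs.append("Enhanced ongoing monitoring")
    return Triage(factors, "EDD" if factors else "CDD",
                  list(dict.fromkeys(reqs)), list(HUMAN_DECISIONS))

# Constructed from the Exercise 7 profile; the nephew variant is task 5.
AZURA = Profile(
    entity="Azura Power Holdings Limited", incorporated_in="United Kingdom",
    operating_in=["Nigeria", "Kenya", "Zambia"],
    shareholders=[
        Party("Equatorial Capital Partners LP", "entity", "Cayman Islands", pct=45),
        Party("UK infrastructure fund", "entity", "United Kingdom", pct=30),
        Party("Former Minister of Energy", "person", "Nigeria", pct=25,
              is_pep=True, left_office_year=2019),
    ],
    facility_gbp=150_000_000,
)
AZURA_WITH_NEPHEW = replace(AZURA, officers=[Party("Nephew (CFO)", "person", "Nigeria",
                                                   pep_associate=True)])
LOW_RISK_SME = Profile("Brightside Bakery Ltd", "United Kingdom", ["United Kingdom"],
                       [Party("Jane Doe", "person", "United Kingdom", pct=100)],
                       facility_gbp=250_000)

if __name__ == "__main__":
    t = triage(AZURA_WITH_NEPHEW)
    print("\n".join(t.risk_factors), "\nCLASSIFICATION:", t.classification)
    print("EDD REQUIREMENTS:", *t.edd_requirements, sep="\n- ")
    print("LEFT TO A HUMAN:", *t.human_decisions, sep="\n- ")
```

The Azura profile produces the same four factors the worked example's agent output lists (PEP, high-risk jurisdictions, complex ownership, high-value facility) and classifies as EDD; adding the nephew as CFO adds a fifth factor and a further source-of-wealth requirement; the constructed UK bakery produces no factors and stays at standard CDD. Note what the `Triage` result lacks: there is no field for an accept or reject outcome, so a caller cannot mistake the rule output for the onboarding decision.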

Using the Banking Plugin

The aml-cdd-edd and kyc-risk-rating skills automate customer screening, risk factor identification, and due diligence classification. Here is a worked example.

Worked example. Rachel Mbeki, KYC Analyst at Commonwealth Pacific Bank, is onboarding a complex corporate client with multiple risk indicators. She types:

Screen this customer for CDD/EDD classification:
Entity: Azura Power Holdings Limited
Jurisdiction of incorporation: United Kingdom
Operating jurisdictions: Nigeria, Kenya, Zambia
Ownership: 45% Cayman Islands PE fund, 30% UK infra fund,
25% individual shareholders
Key individual: One 25% shareholder is a former Minister
of Energy in Nigeria (left office 2019)
Requested services: GBP 150M project finance facility
Annual turnover: GBP 85M
Jurisdiction: UK FCA

The agent routes through aml-cdd-edd and kyc-risk-rating and responds:

GOVERNING STANDARD: AML/KYC — UK FCA / JMLSG Guidance
DOMAIN: Customer Due Diligence — Risk Classification
JURISDICTION: United Kingdom — FCA Handbook / POCA 2002

RISK FACTORS IDENTIFIED
1. PEP: Former Minister of Energy (Nigeria) — 25% shareholder
PEP status: Active (left office 2019, within extended
monitoring period)
2. High-risk jurisdictions: Nigeria, Kenya, Zambia
(elevated ML/TF risk per FATF mutual evaluations)
3. Complex ownership: Cayman Islands PE fund requires
UBO identification through to natural persons
4. High-value facility: GBP 150M project finance

RISK RATING: HIGH
CLASSIFICATION: Enhanced Due Diligence (EDD) required

EDD REQUIREMENTS
- Senior management approval for onboarding
- Source of wealth verification for PEP shareholder
- Full beneficial ownership chain for Cayman PE fund
- Enhanced ongoing transaction monitoring
- Annual EDD review cycle

NOTE: The professional makes the onboarding accept/reject
decision and the EDD conclusions; the agent screened for
risk factors and classified the due diligence level.

Rachel reviews the PEP screening result against her bank's PEP database and confirms the risk rating, then escalates the file to senior management for the onboarding approval decision -- which the agent cannot make.

Jurisdiction Variant: Pakistan (SBP AML Framework)

Pakistan's AML framework is governed by the Anti-Money Laundering Act 2010 (AMLA 2010, amended 2020) and enforced by the State Bank of Pakistan (SBP) for banks and the Securities and Exchange Commission of Pakistan (SECP) for non-bank financial institutions.

Pakistan was placed on the FATF grey list in June 2018 after its mutual evaluation identified strategic deficiencies in 27 of 40 FATF Recommendations. Over the following four years, Pakistan implemented a 34-item FATF action plan including enhanced CDD requirements for designated non-financial businesses and professions, strengthened beneficial ownership transparency through the Companies Act 2017 amendments, and increased SAR filing volumes from approximately 8,000 per year (2018) to over 45,000 per year (2021). Pakistan was removed from the grey list in October 2022 following a successful on-site visit.

For banks operating in Pakistan, SBP's AML/CFT Regulations (BPRD Circular Letter No. 13 of 2018, updated 2021) require CDD thresholds aligned with FATF standards, mandatory EDD for all PEP relationships, and STR filing to the Financial Monitoring Unit (FMU) -- Pakistan's Financial Intelligence Unit. The banking plugin's pakistan-sbp jurisdiction overlay includes these SBP-specific CDD thresholds and FMU filing requirements.

Try With AI

Use these prompts in Claude or your preferred AI assistant to deepen your understanding of AML/KYC frameworks.

Prompt 1: Three Lines in Practice

I am learning the three lines of defence model for bank AML
compliance. For each of these scenarios, identify:
(a) Which line of defence is responsible
(b) What specific action should be taken
(c) What happens if this line fails

Scenarios:
1. A relationship manager onboards a new corporate client
without collecting beneficial ownership documentation
2. The transaction monitoring system generates 50 alerts
per day, but only 2 are investigated due to staffing
3. A compliance analyst decides not to file a SAR because
the customer is a "valued client" of the bank
4. Internal audit discovers that 30% of customer files
are missing source-of-funds documentation

For scenario 3, explain the personal criminal liability
implications for the compliance analyst and the MLRO.

What you are learning: The three lines model is not theoretical -- each line has specific, concrete responsibilities. When a line fails, the consequences cascade. Understanding these cascades is essential for building AI agents that operate within the compliance framework rather than accidentally undermining it.

Prompt 2: PEP Risk Classification

A private bank is onboarding the following individuals.
For each, determine:
(a) Are they a PEP, PEP family member, or PEP close associate?
(b) Is EDD required?
(c) What specific additional information should the bank obtain?

1. Current deputy governor of the central bank of Saudi Arabia
2. The 22-year-old daughter of a sitting UK Member of Parliament
3. A retired Supreme Court justice (retired 8 years ago)
4. The business partner of a current minister in a joint
real estate venture
5. A senior executive at a state-owned oil company
6. A diplomat's spouse who is also a successful entrepreneur
in her own right

For each, explain whether an AI agent can make the PEP
determination or whether it requires human judgment.

What you are learning: PEP classification requires both database screening (which AI handles well) and contextual judgment (which requires human input). The boundary between "clearly a PEP" and "arguably a PEP close associate" is where AI agents must escalate rather than decide. Learning to identify this boundary is a critical skill for designing banking AI systems.

Prompt 3: Beneficial Ownership Investigation

You are investigating the beneficial ownership of a corporate
client with this structure:

- Client: "GlobalTrade Solutions Ltd" (UK registered)
- Shareholder 1: "Pacific Holdings BV" (Netherlands) - 40%
- Shareholder 2: "Mountain Capital Trust" (Jersey) - 35%
- Shareholder 3: Individual - Mr. James Chen - 25%

Pacific Holdings BV is owned by:
- "Sunrise Group Pte Ltd" (Singapore) - 70%
- "Harbor Investments SA" (Luxembourg) - 30%

Mountain Capital Trust has:
- Settlor: Dr. Sarah Williams (UK national)
- Protector: Williams Family Office Ltd
- Beneficiaries: Discretionary (not named)

Questions:
1. Who are the beneficial owners at the 25% threshold?
2. What red flags does this structure present?
3. What additional documentation should the bank request?
4. Can an AI agent resolve this ownership chain, or does
it require human investigation?
5. What if Mr. Chen is also a director of Sunrise Group?

What you are learning: Beneficial ownership investigation is where AML compliance meets detective work. Multi-layered structures, trusts with discretionary beneficiaries, and cross-jurisdictional holdings all complicate the analysis. AI agents can pull corporate registry data and map structures, but the judgment calls -- "Is this structure designed to obscure ownership?" -- require human expertise. Understanding both sides of this boundary makes you a more effective designer of banking AI systems.
