Building an AML/CFT Compliance Programme from Scratch: A Practical Guide for Fintech Founders
Introduction
For many fintech founders, anti-money laundering (“AML”) compliance feels like something to handle after product-market fit.
If your product moves money, stores value, enables payments, issues wallets, processes merchant transactions, supports cross-border transfers, or provides financial infrastructure to other businesses, regulators and banking partners will expect you to understand your financial crime risks early on.
Anti-money laundering and countering the financing of terrorism compliance, usually shortened to AML/CFT, is not just a policy document but a working system for stopping your platform from being used to hide illegal money, fund terrorism, evade sanctions, or commit fraud.
This guide explains how fintech founders can build an AML/CFT compliance programme from scratch. The goal is to help you understand what needs to be built, why it matters, and when to bring in specialist support.
What AML/CFT means in practice
AML focuses on preventing criminals from using financial products to hide the source, ownership, or destination of illegal funds.
CFT focuses on preventing money, assets, or services from being used to support terrorist activity.
In practice, AML/CFT controls help a fintech answer five basic questions:
Who is the customer?
Where is the money coming from?
Where is the money going?
Does the transaction make sense?
Should the activity be reported, stopped, or escalated?
A startup does not need a 200-page compliance manual on day one. It does, however, need a clear, risk-based system that matches the product.
Start with your business model
The first step is to understand what your fintech actually does. Regulators and banks will look at the real product flow and will judge your AML/CFT programme on that flow, not just on your pitch deck.
Start by defining who your customers are – individuals or businesses – and whether you hold their funds. Then clarify if users can send or receive money, and whether transactions are domestic or cross-border. From there, assess if they can convert currency and what instruments your product supports – cash, wallets, cards, bank accounts, crypto, or merchants.
Next, evaluate whether you serve high-risk industries, if users can transact instantly, and finally, whether you rely on agents, vendors, or third-party partners.
This map helps you identify your risk level. A budgeting app with no money movement has a different risk profile from a remittance company sending funds across borders. A merchant acquiring product has different risks from a savings wallet. A crypto exchange has different risks from payroll software.
Do not copy another company’s AML policy without doing this exercise. A copied policy may look professional, but it may fail because it does not match your product.
Conduct a risk assessment
A risk assessment is the foundation of your AML/CFT programme. It is a structured way of identifying how your product could be misused for financial crime.
Your risk assessment should cover:
Customer risk – looks at who uses your product. For example, individual salary earners may present lower risk than complex corporate entities with unclear ownership. Politically exposed persons, high-cash businesses, and customers from sanctioned or high-risk jurisdictions may require extra scrutiny.
Product risk – looks at what your product allows users to do. Products that move money quickly, support anonymous use, permit cross-border transfers, or offer cash-like value may carry higher risk.
Transaction risk – looks at transaction size, frequency, pattern, and purpose. A user sending one small family support payment each month is different from a user making many transfers to unrelated recipients.
Geographic risk – looks at where your customers, recipients, counterparties, and partners are located. Some jurisdictions present higher sanctions, terrorism financing, corruption, or regulatory risks.
Delivery channel risk – looks at how customers access the product. A fully remote digital onboarding process may require stronger identity verification than face-to-face onboarding.
Partner risk – looks at banks, processors, agents, aggregators, outsourced compliance vendors, and technology providers.
Write an AML/CFT policy that your team can actually use
An AML/CFT policy is the document that explains your compliance approach. It should not be written only to impress investors or banks. It should guide how your team handles real customers and transactions.
A useful AML/CFT policy should explain:
the purpose of the programme
the business model and risk profile
roles and responsibilities
customer due diligence and enhanced due diligence rules
sanctions screening
transaction monitoring
suspicious activity escalation
reporting obligations
recordkeeping
staff training
independent review
governance and board oversight
how the policy is updated
Use plain English. If a customer support team member cannot understand the policy, the policy is too legalistic.
For example, instead of saying, “The company shall conduct enhanced due diligence on customers presenting elevated risk typologies,” you can say, “We will apply extra checks to customers who present higher risk, such as politically exposed persons, high-risk businesses, or users connected to high-risk countries.”
Appoint someone responsible for compliance
Even at an early stage, someone must own AML/CFT compliance. This person may be called the compliance officer, money laundering reporting officer, or financial crime lead, depending on the jurisdiction and licence type.
The title is not as important as the responsibility. The person responsible should understand the product and all the purposes of the policy listed above. If the compliance lead cannot challenge sales, product, or operations decisions, the programme will not work.
Build customer due diligence into onboarding
Customer Due Diligence (CDD) means collecting and checking information about customers before allowing them to use the product. Know Your Customer (KYC) is part of this process.
For individual customers, you may need to collect personal data such as full name, date of birth, address, and phone number.
For business customers, you may need to collect details such as legal name, registration number, registered address, and directors or managers, in order to determine who owns or controls the company. This matters because criminals may hide behind companies to move money.
CDD should be risk-based. Lower-risk users may go through standard checks. Higher-risk users may need enhanced due diligence, which means additional checks before approval or transaction access.
Design enhanced due diligence for higher-risk users
Enhanced due diligence (EDD) is extra review for customers or transactions that present higher financial crime risk.
You may need EDD where a customer is a politically exposed person or operates in a high-risk industry; is connected to a high-risk country; sends unusually large transactions; or simply triggers sanctions or watchlist concerns.
EDD may include asking for source of funds or reviewing corporate ownership documents. Your team should know when it applies, who approves it, and what documents are required.
Screen customers and transactions for sanctions
Sanctions are legal restrictions imposed on certain countries, entities, individuals, vessels, sectors, or activities. A fintech that violates sanctions can face serious regulatory, banking, and reputational consequences.
Sanctions screening means checking customers, beneficial owners, recipients, counterparties, and sometimes transactions against applicable sanctions lists.
Your screening process should be structured to cover the full lifecycle of customer and transaction checks. It needs to establish which sanctions lists apply to your business, and whether you screen customers at onboarding. You should also confirm if you screen recipients and counterparties, and whether customers are rescreened periodically. Screening should occur before transactions are released, with clear procedures for reviewing possible matches and defined steps for handling confirmed matches.
False positives are common. A false positive happens when a customer’s name looks similar to a sanctioned person but is not the same person. Your team needs a clear process for reviewing and clearing false positives.
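The screening flow described above, as an added illustration that is not part of the original article: names are normalised before comparison, an exact normalised match is held for escalation, a near match goes to an analyst as a possible match, and clearing a false positive is a recorded decision. The sanctions list entries, the customer names and the 0.7 similarity cut-off are constructed assumptions for the example only.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for an applicable sanctions list; these are not real list entries.
SANCTIONS_LIST = ["Ivan Petrov Ivanov", "Global Trade Holdings Ltd"]
REVIEW_THRESHOLD = 0.7  # assumed similarity cut-off; tune it against your own false-positive data


def normalise(name: str) -> str:
    """Fold accents, case, punctuation and token order so 'Ivanov, Ivan' and 'Ivan Ivanov' compare equal."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", ascii_text.lower())))


def screen_name(name: str, list_names=SANCTIONS_LIST, threshold=REVIEW_THRESHOLD) -> dict:
    """Return a screening record. status is 'match' (hold and escalate), 'possible_match'
    (an analyst must confirm it or clear it as a false positive) or 'clear'."""
    target = normalise(name)
    score, hit = max(
        (SequenceMatcher(None, target, normalise(entry)).ratio(), entry) for entry in list_names
    )
    if score == 1.0:
        status = "match"
    elif score >= threshold:
        status = "possible_match"
    else:
        status, hit = "clear", None
    return {"name": name, "status": status, "list_entry": hit, "score": round(score, 3)}


def clear_false_positive(record: dict, analyst: str, reason: str) -> dict:
    """Analyst review step: only a possible match can be cleared, and the decision keeps its reason."""
    if record["status"] != "possible_match":
        raise ValueError("only possible matches can be cleared by an analyst")
    return {**record, "status": "clear", "cleared_by": analyst, "reason": reason}


def screen_batch(names, list_names=SANCTIONS_LIST) -> list:
    """Onboarding or periodic rescreening: screen every name and keep the records as evidence."""
    return [screen_name(n, list_names) for n in names]
```

Run the same batch again on a schedule, and whenever the list changes, so that rescreening leaves a record of its own.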
Set up transaction monitoring
Transaction monitoring means reviewing customer activity to detect suspicious patterns. For fintech products, monitoring should be designed around the actual product. Generic rules may miss important risks.
Examples of suspicious patterns include many transfers just below a reporting threshold or multiple accounts using the same device or bank account.
Transaction monitoring can start simple. Early-stage companies may use manual reviews and basic rules. As volume grows, you will need automated monitoring, alert management, and documented investigations.
The key point is evidence. If a regulator or bank asks why a transaction was allowed, you should be able to show the review process.
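The two patterns named above, written as simple monitoring rules over a constructed transaction sample (added example, not code from the original article): several transfers just under a reporting threshold from one account, and one device or funding bank account shared by several accounts. Each hit becomes an alert record that carries its evidence, which is the review trail a bank or regulator will ask for. The 10,000 threshold, the 10% band, the minimum counts and all account, device and transaction identifiers are assumptions for the example.

```python
from collections import defaultdict
from typing import NamedTuple

REPORTING_THRESHOLD = 10_000  # assumed threshold; use the one that applies in your jurisdiction


class Tx(NamedTuple):
    tx_id: str
    account: str
    device_id: str
    funding_account: str
    amount: float


# Constructed sample activity, not real data: acct-A splits value into transfers just under the
# threshold, and three accounts share one device and one funding bank account.
SAMPLE_TXS = [
    Tx("t1", "acct-A", "dev-1", "bank-111", 9_800),
    Tx("t2", "acct-A", "dev-1", "bank-111", 9_900),
    Tx("t3", "acct-A", "dev-1", "bank-111", 9_700),
    Tx("t4", "acct-B", "dev-1", "bank-111", 250),
    Tx("t5", "acct-C", "dev-1", "bank-111", 120),
    Tx("t6", "acct-D", "dev-2", "bank-222", 9_950),
]


def just_below_threshold_rule(txs, threshold=REPORTING_THRESHOLD, band=0.10, min_count=3):
    """Flag accounts with min_count or more transfers in the band just under the threshold."""
    per_account = defaultdict(list)
    for tx in txs:
        if threshold * (1 - band) <= tx.amount < threshold:
            per_account[tx.account].append(tx.tx_id)
    return {acct: ids for acct, ids in per_account.items() if len(ids) >= min_count}


def shared_identifier_rule(txs, min_accounts=3):
    """Flag a device or funding bank account used by min_accounts or more distinct accounts."""
    links = defaultdict(set)
    for tx in txs:
        links[("device", tx.device_id)].add(tx.account)
        links[("funding_account", tx.funding_account)].add(tx.account)
    return {key: sorted(accts) for key, accts in links.items() if len(accts) >= min_accounts}


def run_monitoring(txs):
    """Turn rule hits into alert records that carry their evidence, so a reviewer can later
    show what was seen and why it was escalated or cleared."""
    alerts = [{"rule": "just_below_threshold", "subject": acct, "evidence": ids}
              for acct, ids in just_below_threshold_rule(txs).items()]
    alerts += [{"rule": f"shared_{kind}", "subject": ident, "evidence": accts}
               for (kind, ident), accts in shared_identifier_rule(txs).items()]
    return alerts
```

A single transfer under the threshold (acct-D here) does not fire the first rule on its own; the count and band are what make the pattern worth an analyst's time.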
Create a suspicious activity escalation process
Not every unusual transaction is criminal. But unusual activity should always be reviewed.
An effective AML/CFT programme must include a clear escalation process for suspicious activity. This process should define what counts as a red flag, specify who reviews alerts, and outline when an account should be restricted or closed. It should also establish when a regulatory report is required, ensuring consistency and compliance across all cases.
Team members should know how to escalate concerns. Customer support, fraud operations, payments operations, and compliance should not work in silos.
For example, a support agent may notice that a customer keeps asking how to avoid transfer limits. That may be a compliance signal. The programme should make it easy for the agent to report that concern internally.
Keep proper records
AML/CFT compliance depends on records. If you cannot prove that a check was done, regulators and banking partners may treat it as not done.
Records should be secure, searchable, and retained for the legally required period in the relevant jurisdiction.
Do not keep sensitive documents casually in email inboxes or shared folders without access controls. Customer identity documents and compliance records contain sensitive personal data. They should be protected.
Train your team
An AML/CFT programme will fail if only the compliance officer understands it.
Training should be practical and role-specific. A customer support agent does not need the same training as a compliance analyst. A product manager does not need to become a lawyer, but they should understand how product design affects financial crime risk.
Training should cover:
What money laundering and terrorism financing look like
Customer due diligence basics
How to escalate suspicious activity
Use examples from your product. If you run a wallet product, train the team on wallet abuse. If you run remittances, train the team on structuring and suspicious recipient patterns.
Test and update the programme
AML/CFT compliance is not a one-time launch document. It should be tested and updated.
Testing can include internal reviews, sample transaction reviews, alert quality checks, policy gap assessments, or independent audits.
The goal is not perfection. The goal is to show that your controls are reasonable, risk-based, and improving as the company grows.
Common mistakes fintech founders should avoid
Many AML/CFT failures start with avoidable mistakes.
Treating compliance as paperwork. A policy without working controls is not a programme.
Copying another company’s AML manual. Your programme must match your product, customers, jurisdictions, and transaction risks.
Onboarding users before building checks. It is harder to clean up a customer base later than to build reasonable controls from the start.
Relying entirely on vendors. Identity verification vendors and screening tools are useful, but they do not replace your responsibility to understand and manage risk.
Ignoring partner obligations. Banks and licensed partners will expect evidence of your controls. If you cannot explain your programme, they may delay onboarding or terminate the relationship.
Failing to document decisions. A reasonable decision that is not documented may be difficult to defend.
A practical AML/CFT build plan
A founder building from scratch can follow a simple sequence.
Start by mapping the product and money flow. Identify who uses the product, what transactions are possible, and where the main risks sit.
Next, conduct a risk assessment. Rate the customer, product, geography, transaction, delivery channel, and partner risks.
Write a practical AML/CFT policy. Keep it clear enough for the team to use.
After that, appoint a responsible compliance lead. Make sure the person has authority and access to management.
Build onboarding checks. Decide what information you collect from individuals and businesses.
Then add sanctions screening. Screen customers, beneficial owners, recipients, and relevant counterparties.
Create transaction monitoring rules and escalation procedures. Start with the most obvious red flags for your product and make sure staff know how to raise concerns.
Finally, train the team and review the programme regularly. Set up recordkeeping. Keep documents, checks, alerts, and decisions in an organised system.
This approach is more useful than waiting until a bank asks for a compliance manual. By then, you may be rushing to build controls that should already exist.
Conclusion
An AML/CFT compliance programme is not just a regulatory requirement. It is part of the operating system of a serious fintech company.
Founders do not need to build a bank-grade compliance department on day one. But they do need a clear, risk-based programme that matches the product. That means understanding the business model, assessing risk, verifying customers, screening sanctions, monitoring transactions, escalating suspicious activity, keeping records, and training the team.
If you are building a fintech product that moves, stores, or processes money, get AML/CFT advice before launch. A good programme does more than satisfy regulators. It protects your customers, your partners, and the long-term value of the business.
For further information or assistance with fintech product compliance and advisory services, please fill out our Contact Us Form to reach the compliance team.