AML Compliance in ERP Systems: Know Your Customer and Transaction Monitoring
Anti-money laundering (AML) compliance is no longer the exclusive concern of banks and financial institutions. Businesses across sectors — from professional services and real estate to luxury goods, crypto exchanges, and any company processing significant payment volumes — face AML obligations that their ERP systems must support. The Financial Action Task Force (FATF) standards, implemented through national legislation in 200+ jurisdictions, create a web of obligations that touch payment processing, customer onboarding, transaction monitoring, record-keeping, and suspicious activity reporting.
ERP systems are both an AML risk and an AML control. They process customer payments, manage accounts receivable, handle supplier transactions, and generate the financial trails that regulators examine. Configuring your ERP to support AML compliance — and avoid becoming a vehicle for financial crime — requires understanding both the legal obligations and the technical controls.
Key Takeaways
- AML obligations apply across a wide range of non-financial businesses: real estate agents, accountants, lawyers, high-value goods dealers, trust and company service providers
- Know Your Customer (KYC) and Customer Due Diligence (CDD) are foundational — verify customer identity before establishing a business relationship
- Enhanced Due Diligence (EDD) is required for high-risk customers including PEPs (Politically Exposed Persons), high-risk jurisdictions, and complex ownership structures
- Transaction monitoring must detect unusual patterns: structuring, rapid movement of funds, transactions inconsistent with customer profile, high-risk destination countries
- Suspicious Activity Reports (SARs) must be filed with national Financial Intelligence Units (FIUs) when suspicious activity is identified — tipping off the subject is a criminal offence
- FATF's 40 Recommendations form the global AML standard; jurisdictions implement through national legislation
- ERP configuration for AML: customer classification, payment screening, transaction rules, audit trails, and SAR workflow integration
- Non-compliance penalties: criminal prosecution, substantial fines ($5B+ for major banks), business licence revocation, reputational destruction
The AML Regulatory Framework
FATF and the 40 Recommendations
The Financial Action Task Force (FATF) is an intergovernmental body that sets international standards for preventing money laundering, terrorist financing, and proliferation financing. Its 40 Recommendations (last updated 2023) are the globally recognised benchmark for AML/CFT (Combating the Financing of Terrorism) programmes. FATF conducts mutual evaluations of member countries; low-rated countries face grey list or blacklist designation, significantly affecting financial access.
Key FATF Recommendations for businesses:
- Recommendation 10: Customer Due Diligence (CDD)
- Recommendation 11: Record keeping (5 years minimum)
- Recommendation 12: PEP requirements
- Recommendation 13: Correspondent banking
- Recommendation 14: Money or value transfer services
- Recommendation 15: New technologies and virtual assets
- Recommendation 20: Reporting of suspicious transactions
- Recommendation 22: Designated non-financial businesses and professions (DNFBPs)
Who is Subject to AML Obligations?
Financial institutions: Banks, credit institutions, payment service providers, money exchanges, securities firms, insurance companies, crypto asset service providers (under MiCA in EU)
Designated Non-Financial Businesses and Professions (DNFBPs):
- Real estate agents (for buying/selling real estate)
- Lawyers, notaries, accountants (when involved in financial transactions, company formation, trust arrangements)
- Trust and company service providers (TCSPs)
- Dealers in precious metals and stones (transactions exceeding thresholds, typically $10,000 USD or €10,000)
- Casinos (including online casinos)
High-value goods: Art dealers (transactions over €10,000 in EU), luxury goods dealers above thresholds, yacht and aircraft brokers in some jurisdictions
Crypto asset service providers: Under FATF Recommendation 15 and EU MiCA (Markets in Crypto-Assets Regulation, fully applicable December 2024), crypto exchanges, custodians, and certain DeFi platforms have full AML obligations
Corporate sector alert: General commercial businesses (not in the DNFBP categories) typically do not have FATF-based AML reporting obligations — but many do face sector-specific requirements (e.g., companies listed on regulated exchanges, government contractors) and all have general proceeds-of-crime reporting obligations in most jurisdictions.
Know Your Customer (KYC) and Customer Due Diligence (CDD)
Standard CDD Requirements
CDD must be performed before establishing a business relationship or conducting occasional transactions above thresholds. Standard CDD includes:
1. Customer identification: Obtain identifying information — for individuals: full legal name, date of birth, nationality, residential address, national ID or passport number. For legal entities: full legal name, legal form, jurisdiction of incorporation, registered office address, identity of directors/beneficial owners.
2. Verification: Verify the information provided through reliable, independent sources. For individuals: government-issued photo ID, utility bills for address. For legal entities: company registration documents, certificate of incorporation, articles of association, official registry records.
3. Beneficial ownership: Identify and verify the ultimate beneficial owners (UBOs) of legal entities — typically natural persons who own or control 25% or more of the entity (some jurisdictions use lower thresholds). Complex ownership structures (trusts, nominees, offshore vehicles) require tracing through to the natural person level.
4. Understanding the business relationship: Understand the nature and purpose of the business relationship, and the source of funds.
5. Ongoing monitoring: Monitor the business relationship and transactions on an ongoing basis to ensure consistency with the customer profile.
Enhanced Due Diligence (EDD)
EDD is required for higher-risk customers, business relationships, and transactions. Triggers include:
Politically Exposed Persons (PEPs): Senior government officials, senior executives of state-owned enterprises, senior officers of international organisations, senior members of political parties — and their family members and close associates. For PEPs, EDD requires: senior management approval before establishing a relationship; establishing the source of wealth and funds; enhanced ongoing monitoring.
High-risk jurisdictions: Countries on FATF's grey list or blacklist, or jurisdictions with significant AML deficiencies. Transactions involving high-risk jurisdictions require EDD regardless of other risk factors.
Non-face-to-face onboarding: Higher risk than in-person verification — use enhanced verification (certified document copies, video verification, electronic identity verification services).
Complex ownership structures: Layered corporate structures, trusts, nominee arrangements — trace to the natural person UBO; understand the rationale for the structure.
Unusual transaction patterns: Customers whose transactions are inconsistent with their stated business or risk profile.
Simplified Due Diligence (SDD)
For lower-risk customers and transactions, SDD may be appropriate — fewer identification requirements or reduced verification depth. SDD cannot be applied to PEPs or high-risk jurisdictions. Examples: established public companies listed on regulated markets, government departments.
ERP Configuration for KYC/CDD
Modern ERP systems can be configured to support KYC/CDD workflows within the customer onboarding process. For Odoo and similar platforms:
Customer categorisation fields:
- Customer type (individual/corporate/government/financial institution)
- Legal entity registration number, country, date of incorporation
- UBO name, date of birth, nationality, ownership percentage
- PEP status (Yes/No/Close Associate)
- Customer risk rating (Low/Medium/High)
- CDD completion date and reviewing officer
- Document checklist (ID verified, company registration verified, UBO verified)
- Next review date (based on risk rating — high risk: annual; medium: 2 years; low: 3 years)
Document management: Link document uploads to customer records. Implement expiry alerts for ID documents (passports, licences) and company registrations.
Workflow automation:
- New customer creation triggers CDD checklist
- PEP flag triggers EDD workflow and senior management approval queue
- High-risk jurisdiction flag triggers EDD
- Document expiry alerts trigger review queue
- Annual review reminders generated automatically
Screening integration: ERP can integrate with sanctions screening services (Refinitiv World-Check, Dow Jones Risk & Compliance, ComplyAdvantage) via API to automatically screen customers and beneficial owners against:
- OFAC SDN list (US)
- EU Consolidated Sanctions List
- UN Security Council Sanctions
- PEP databases
Transaction Monitoring
Transaction monitoring is the systematic review of customer transactions to detect patterns inconsistent with the customer's profile, business, or risk level. Effective transaction monitoring requires both rule-based alerts and increasingly AI-driven anomaly detection.
High-Risk Transaction Indicators (Red Flags)
Structuring (Smurfing): Deliberately breaking large transactions into smaller amounts below reporting thresholds. Red flag: multiple transactions just below $10,000 (or local equivalent) from the same customer or related parties.
Rapid fund movement: Funds received and immediately transferred out — "layering" — with little time in the account and no apparent business purpose.
Round number transactions: Unusual number of round-figure transactions (exactly $50,000, $100,000) may indicate structured payments.
High-risk geographic patterns: Payments to or from FATF-blacklisted/grey-listed jurisdictions, jurisdictions associated with specific criminal typologies (tax havens, offshore finance centres).
Transactions inconsistent with business profile: A retail business receiving large wire transfers from foreign counterparties; a sole trader receiving payments from hundreds of different individuals.
Cash-intensive transactions: Large cash payments (real estate, high-value goods); multiple cash deposits; cash proceeds inconsistent with stated business revenue.
Third-party payments: Customers making payments to third parties not directly related to the business relationship; payments from unknown third parties on behalf of a customer.
Urgency requests: Pressure to complete transactions quickly without adequate business justification; bypassing normal controls citing urgency.
ERP Transaction Monitoring Rules
Configure the following rules in your ERP or transaction monitoring system:
Rule 1 — Structuring Alert:
TRIGGER if sum of transactions from a single customer within 24 hours
approaches or exceeds reporting threshold (e.g., $9,500 aggregate)
TRIGGER if multiple transactions in 7 days total exceed 150% of customer's
historical average transaction volume
Rule 2 — High-Risk Geography Alert:
TRIGGER if payment destination country is on FATF blacklist/greylist
TRIGGER if beneficial owner is resident in high-risk jurisdiction
Rule 3 — Unusual Volume Alert:
TRIGGER if single transaction exceeds 3× the customer's average transaction size
TRIGGER if monthly transaction volume exceeds 5× the historical 12-month average
Rule 4 — Rapid Movement Alert:
TRIGGER if funds received are transferred out within 48 hours
and transfer exceeds 80% of received amount
Rule 5 — PEP/Sanctions Hit:
TRIGGER if customer or beneficial owner matches sanctions or PEP database
TRIGGER on name change or new beneficial owner addition
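The following is an added example (not code from the original article or from Odoo) that implements Rules 1, 3 and 4 above as plain Python over a constructed sample ledger; Rules 2 and 5 are lookups against external sanctions, PEP and FATF lists and are left to the screening integration. The thresholds, the `Txn` record, the sample transactions and the historical averages are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0   # Rule 1 reference threshold (assumed, USD)
STRUCTURING_AGGREGATE = 9_500.0  # Rule 1: 24-hour aggregate that "approaches" it

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    amount: float
    direction: str   # "in" (received) or "out" (paid away)
    country: str     # counterparty country, ISO 3166 alpha-2
    ts: datetime

def rule_structuring(txns):
    """Rule 1: sub-threshold receipts from one customer whose rolling 24-hour total
    reaches the structuring aggregate."""
    alerts, by_cust = [], defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.direction == "in" and t.amount < REPORTING_THRESHOLD:
            by_cust[t.customer].append(t)
    for cust, items in by_cust.items():
        window = []
        for t in items:
            window = [w for w in window if t.ts - w.ts <= timedelta(hours=24)] + [t]
            total = sum(w.amount for w in window)
            if len(window) > 1 and total >= STRUCTURING_AGGREGATE:
                alerts.append(("R1_STRUCTURING", cust, f"{total:,.2f}"))
                break  # one alert per customer is enough for the review queue
    return alerts

def rule_unusual_volume(txns, avg_size):
    """Rule 3: a single transaction above 3x the customer's historical average size."""
    return [("R3_UNUSUAL_VOLUME", t.customer, t.txn_id) for t in txns
            if t.customer in avg_size and t.amount > 3 * avg_size[t.customer]]

def rule_rapid_movement(txns):
    """Rule 4: a receipt paid away within 48 hours, outflow >= 80% of the receipt."""
    alerts, ordered = [], sorted(txns, key=lambda t: t.ts)
    for i, rcv in enumerate(ordered):
        if rcv.direction != "in":
            continue
        for out in ordered[i + 1:]:
            if (out.customer == rcv.customer and out.direction == "out"
                    and out.ts - rcv.ts <= timedelta(hours=48)
                    and out.amount >= 0.8 * rcv.amount):
                alerts.append(("R4_RAPID_MOVEMENT", rcv.customer, f"{rcv.txn_id}->{out.txn_id}"))
                break
    return alerts

def run_rules(txns, avg_size):
    """Run every rule and return a de-duplicated, sorted alert list for the MLRO queue."""
    alerts = (rule_structuring(txns) + rule_unusual_volume(txns, avg_size)
              + rule_rapid_movement(txns))
    return sorted(set(alerts))

# Constructed sample ledger and invented historical averages (not real data).
T0 = datetime(2025, 3, 3, 9, 0)
SAMPLE = [
    Txn("t1", "C001", 4_800, "in", "GB", T0),
    Txn("t2", "C001", 4_900, "in", "GB", T0 + timedelta(hours=5)),    # 9,700 in 24 h: R1
    Txn("t3", "C002", 60_000, "in", "DE", T0),                          # 12x average: R3
    Txn("t4", "C002", 55_000, "out", "DE", T0 + timedelta(hours=20)),  # 92% out in 20 h: R4
    Txn("t5", "C003", 2_000, "in", "FR", T0 + timedelta(days=2)),
]
AVG_SIZE = {"C001": 4_500, "C002": 5_000, "C003": 2_100}
```

Each alert carries the rule id, the customer and a reference (aggregate amount or transaction ids) so the reviewer can open the underlying records; in a live system the rules would run against posted payments and the historical averages would come from the ledger rather than a constant.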
Suspicious Activity Reporting (SAR/STR)
When a transaction monitoring alert is investigated and suspicious activity is confirmed — or when any employee identifies suspicious activity — a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) must be filed with the national Financial Intelligence Unit (FIU).
Key FIUs by jurisdiction:
- USA: FinCEN (Financial Crimes Enforcement Network) — SARs filed via BSA e-Filing
- UK: National Crime Agency (NCA) — SARs filed via SARs Online
- EU member states: Each has a national FIU (e.g., BaFin/FIU in Germany, TRACFIN in France, CSSF in Luxembourg)
- Australia: AUSTRAC — SARs via AUSTRAC Online
- UAE: Anti-Money Laundering and Suspicious Cases Unit (AMLSCU)
Critical rule: Tipping Off Prohibition: Once a SAR has been filed, or when there are reasonable grounds to file one, you must not tell the subject of the SAR that a SAR has been filed or that they are under investigation. Tipping off is a criminal offence in most jurisdictions. Do not contact the customer about the suspicious activity; do not freeze funds in a way that would obviously alert them; continue normal business while the SAR is processed.
SAR content:
- Description of the suspicious activity
- Dates and amounts of transactions
- Customer information (name, identification, account details)
- Description of why the activity is suspicious
- Any prior suspicious activity
- Actions taken (if any) — document any business decision to continue or exit the relationship
Record retention: Retain SAR records for at least 5 years. These records are often required by regulators during inspections.
Record Keeping Requirements
FATF Recommendation 11 and national implementing legislation require minimum 5-year retention of:
- Customer identification and verification records (from the end of the business relationship)
- Transaction records (from the date of the transaction)
- SAR records and supporting documentation
ERP configuration for record retention:
- Do not allow deletion of customer identity records before the retention period expires
- Archive closed accounts with records retained
- Automated retention schedule: flag records for archival/review at 5 years
- Immutable audit log of changes to customer records
- Backup and recovery procedures covering AML records
AML Risk Assessment for Businesses
Every business subject to AML obligations must conduct and document an AML risk assessment covering:
- Customer risk: Who are your customers? Are any high-risk (PEPs, non-residents, complex structures)?
- Product/service risk: Which products/services carry higher ML/TF risk (cash acceptance, high-value transactions, global reach)?
- Geographic risk: Do you operate in or serve high-risk jurisdictions?
- Transaction/delivery channel risk: Online onboarding, non-face-to-face delivery, intermediaries
The risk assessment drives the risk appetite, CDD thresholds, transaction monitoring rules, and EDD triggers in your AML programme.
ERP AML Compliance Checklist
- AML obligation assessment completed for your business type and jurisdiction
- Written AML policy and procedures documented
- Money Laundering Reporting Officer (MLRO) designated
- Customer risk rating framework documented (Low/Medium/High criteria)
- KYC/CDD checklist implemented in ERP customer onboarding workflow
- UBO identification and verification process documented
- EDD workflow for PEPs, high-risk geographies, complex structures
- Sanctions and PEP screening integrated with customer database
- Transaction monitoring rules configured and tested
- Alert review process documented (who reviews, escalation, timeline)
- SAR filing process documented (form, filing instructions, tipping-off prohibition)
- Staff training on AML obligations, red flags, and SAR process
- Record retention configured: 5 years minimum for CDD and transaction records
- Annual AML risk assessment documented
- MLRO annual report to senior management completed
Frequently Asked Questions
Does my regular business need AML compliance if we are not a bank?
It depends on your business type, jurisdiction, and the nature of your transactions. FATF Recommendation 22 applies AML obligations to specific DNFBPs — real estate agents, accountants, lawyers, TCSPs, dealers in precious metals/stones, and casinos. If your business falls into these categories, full AML obligations apply. If not, you likely do not have formal AML reporting obligations but still face general proceeds-of-crime laws that prohibit knowingly facilitating money laundering. Specific sectors (crypto, gaming, payment services) have additional AML obligations regardless of their DNFBP status.
What is the threshold for filing a Suspicious Activity Report?
There is no monetary threshold for SAR filing — the obligation arises from suspicion, not transaction size. If you have knowledge or suspicion, or reasonable grounds for suspicion, that a customer or their funds are related to money laundering or terrorist financing, a SAR must be filed. Many jurisdictions have separate transaction reporting requirements (Currency Transaction Reports in the US for cash transactions exceeding $10,000, for example) — these are different from SARs and apply automatically without a suspicion requirement.
How do we screen customers against sanctions lists?
Sanctions screening services provide databases of sanctioned individuals, entities, and countries and offer API integration with business systems. Leading providers include: Refinitiv World-Check, Dow Jones Risk & Compliance, LexisNexis, and ComplyAdvantage. These can be integrated with your ERP via API to screen at onboarding and on an ongoing basis as list updates occur. At minimum, screen against: OFAC SDN list (US), EU Consolidated Sanctions List, UN Security Council Consolidated List, and your jurisdiction's national sanctions list. Implement a clear process for handling hits — not all hits are true matches (false positives are common with similar names).
What happens if we file a SAR and we are wrong about the suspicious activity?
SAR filers are generally protected from civil liability for filing in good faith — even if the reported activity ultimately does not prove to be money laundering. The protection is strong in most jurisdictions: the FIU will investigate and determine whether criminal activity exists. Filing a good-faith SAR is always safer than not filing one when you have genuine suspicion. The tipping-off prohibition prevents you from telling the customer that you have filed a SAR. Deliberately filing false SARs is a separate offence — but good-faith errors are protected.
What are the penalties for AML non-compliance for businesses?
Penalties vary dramatically by jurisdiction and nature of violation. For regulated financial institutions, fines are enormous: HSBC paid $1.9 billion (2012), Goldman Sachs $2.9 billion (2020), Commerzbank $1.45 billion (2015) for AML failures. For DNFBPs, penalties are lower but significant: UK HMRC has fined estate agents up to £800,000 for AML failures. For all businesses, criminal prosecution for money laundering itself (if proceeds-of-crime laws are violated) can result in imprisonment. Reputational damage from public enforcement actions often exceeds financial penalties.
Next Steps
Building AML compliance into your ERP system is an investment that protects your business from financial crime liability, regulatory sanctions, and the reputational damage of being identified as a vehicle for money laundering. The configuration work — customer classification, screening integration, transaction monitoring rules, SAR workflow — pays dividends far beyond AML compliance by improving customer data quality and transaction visibility.
ECOSIRE's Odoo implementation team has experience configuring ERP systems with AML-supporting workflows, including customer risk classification, document management, transaction monitoring rule design, and audit trail configuration.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. AML obligations are highly jurisdiction-specific and evolve regularly through FATF updates and national legislation. Consult qualified legal counsel and a certified AML compliance professional for advice specific to your organisation.
Written by: ECOSIRE Team (Technical Writing)