TL;DR: Anti-money laundering programs rely on customer due diligence, transaction monitoring, and cross-border reporting to detect illicit flows and reduce regulatory exposure, according to 1Kosmos. The identity lesson is that AML breaks down when verification, risk scoring, and review processes cannot keep pace with changing customer behaviour and jurisdictional complexity.
NHIMG editorial — based on content published by 1Kosmos: anti-money laundering controls, compliance, and technology support
Questions worth separating out
Q: How should organisations connect AML controls to identity governance?
A: Organisations should connect AML controls to identity governance by treating identity proofing, beneficial ownership, risk scoring, and review cycles as the foundation for monitoring.
Q: Why do cross-border AML programmes become inconsistent so easily?
A: Cross-border AML programmes become inconsistent because jurisdictions differ in reporting thresholds, documentation requirements, and evidence expectations.
Q: What breaks when customer due diligence is treated as a one-time check?
A: When customer due diligence is treated as a one-time check, the programme loses its ability to detect when a relationship has changed.
Practitioner guidance
- Tie AML risk scoring to identity evidence quality Use the same evidence set for onboarding, beneficial ownership, and ongoing review so risk scores reflect verified identity data rather than isolated profile fields.
- Synchronise monitoring rules with lifecycle events Refresh customer and account risk baselines when ownership changes, activity shifts, or verification evidence ages out so alerts track the current relationship.
- Standardise cross-border control objectives Keep one internal control model for due diligence, escalation, and record retention, then map local reporting requirements to that baseline instead of building regional exceptions from scratch.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of AML component controls, including CDD, EDD, monitoring, and reporting workflows.
- Specific examples of how AI and machine learning are applied to suspicious activity detection and case reduction.
- Practical discussion of cross-border compliance challenges and how financial institutions adapt control frameworks.
- Technology examples for automating identity verification and risk scoring in onboarding flows.
👉 Read 1Kosmos's analysis of anti-money laundering controls and compliance →
AML compliance and identity controls: what IAM teams need to know?
Explore further
AML is an identity governance programme disguised as a financial crime control. The article treats AML as monitoring-led, but the operational reality is that every effective AML control depends on proving identity, assessing risk, and sustaining review discipline over time. That makes CDD, KYC, and lifecycle governance the true control plane, with transaction monitoring acting as a detection layer rather than the source of trust. Practitioners should treat AML outcomes as a function of identity quality, not only alert volume.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when suspicious activity is missed in an AML programme?
A: Accountability should sit with the control owner who can trace the case from identity evidence to monitoring, investigation, escalation, and reporting. If ownership is split across onboarding, compliance, and operations without clear handoff rules, suspicious activity can be missed even when alerts exist. Clear exception ownership is essential.
👉 Read our full editorial: AML compliance depends on identity controls, not just monitoring