The purpose behind this guide is clear: to provide compliance and legal teams, fintech CTOs, risk officers, and senior executives in the financial sector with a practical perspective on Anti-Money Laundering (AML) measures and their real-world application.

Our focus lies particularly in the use of sanctions, PEP, UN, OFAC, and national watchlists, and how these can be effectively integrated into modern KYC and digital identity verification processes. While the content takes a global view, we have placed particular emphasis on Spain and Latin America, where we have extensive experience and a strong operational presence.

With the Definitive AML Guide 2025, you’ll learn how to design and implement efficient screening workflows that minimise both legal and operational risk, without compromising conversion rates in remote digital onboarding processes.

A single match on a sanctions list or a PEP database can trigger immediate consequences: transaction blocks, mandatory reporting to authorities, internal investigations, and ultimately, reputational damage. Understanding the origin, scope, and limitations of each list is therefore essential to make informed decisions — not all lists carry the same legal weight, update frequency, or depth of information.

What is AML and why it matters

AML (Anti-Money Laundering) encompasses the framework of laws, regulations, policies, and technologies designed to prevent the financial system from being exploited to launder illicit funds or finance terrorism.

Its core objective is to ensure that no organisation — whether a bank, fintech, insurer, betting operator, or digital platform — becomes a conduit for activities that undermine the integrity or stability of the financial system.

Effective AML compliance extends far beyond simply “checking lists”. It requires a holistic approach built on three fundamental pillars:

1. Customer identification and verification (Know Your Customer – KYC) The first step is to establish and verify the true identity of each client from the very first interaction, particularly during digital onboarding. Beyond checking AML lists, identity is confirmed through official documentation and biometric verification, ensuring that the individual carrying out a transaction is who they claim to be.
2. Transaction monitoring and analysis: This pillar focuses on detecting unusual or inconsistent behaviour relative to the customer’s normal activity. The key lies in continuous screening, which involves periodically reviewing sanctions and PEP lists and analysing transaction patterns to identify risk indicators. The most advanced platforms combine automated analytics with adaptive risk models, helping to predict and prevent potentially suspicious activity before it escalates.
3. Reporting and Communication: Whenever there is a reasonable suspicion of irregular or high-risk activity, institutions are obliged to report their findings to the relevant authorities. Timely reporting plays a crucial role in breaking the money-laundering chain and preserving transparency across the financial ecosystem

Together, these three pillars form the KYC–AML–Reporting cycle, where digital identity verification now plays a pivotal role. Automation enables organisations to accelerate onboarding, enhance user experience, and maintain robust, auditable compliance controls that strengthen both regulatory alignment and operational security.

AML in Spain and Ibero-America

In Spain, the AML framework is governed by Law 10/2010 and its implementing regulation, under the supervision of SEPBLAC (the Executive Service for the Prevention of Money Laundering and Monetary Offences).

In Ibero-America, each country operates its own Financial Intelligence Unit (FIU/UIAF/UAF) aligned with the GAFILAT standards and the international recommendations of the FATF/GAFI.
Despite structural differences, these frameworks share a common goal: to harmonise regulations and close regional gaps in the fight against money laundering and terrorist financing.

The main challenge lies in the fragmentation of data sources and diversity of lists. That’s why having a centralised solution that consolidates references and maintains consistency across jurisdictions is vital for effective compliance.

AML list map: types and key differences

Effective AML compliance largely hinges on one simple yet crucial concept: knowing which lists to screen individuals or companies against.
These lists contain information about people, businesses, or entities involved in illicit activities, or those with political exposure that may pose a risk of corruption, sanctions, or terrorist financing.

In practice, there is no such thing as a universal list. Each country or international body maintains its own databases, which differ in scope, legal enforceability, and update frequency.

Within the financial system, the sanctions lists that must be checked depend on the jurisdiction in which the entity operates, the type of financial activity, and the geographical reach of its business.
In other words, each country legally defines which lists are mandatory. However, institutions operating internationally typically adopt a broader, enhanced compliance approach to minimise both legal and reputational risk.

In summary:

• Always mandatory: The United Nations list (by international mandate).

• Additionally: Each institution must comply with the national lists of the country where it is incorporated or supervised.

• In practice: Most international banks check against UN + EU + OFAC + UK lists to avoid cross-sanctions and protect their reputation.

We can group AML lists into five main categories:

🟥 1. Internacional sanctions list

These are the most critical and legally binding. They include individuals, entities, and countries subject to economic or financial sanctions. Any match on these lists may lead to an immediate prohibition on transactions, an asset freeze, and an obligation to report to the relevant authority.

These lists are legally mandatory for any regulated entity operating within the corresponding jurisdictions. In addition, many Latin American countries adopt them as complementary references, even when their enforcement is not legally binding in all cases.

OFAC – USA

It’s the U.S. sanctions list. As part of its enforcement efforts, the OFAC (Office of Foreign Assets Control) publishes a list of individuals and companies that are owned or controlled by specific countries, or that act on their behalf: SDNs (Specially Designated Nationals) and SSIs. It also includes individuals, groups, and entities—such as terrorists and drug traffickers—designated under programmes that are not country-specific. Collectively, these individuals and companies are referred to as “Specially Designated Nationals” or “SDNs”. Their assets are frozen, and U.S. persons are generally prohibited from engaging in transactions with them.

The list has global coverage and is updated daily or weekly.

UN

The United Nations consolidated sanctions list includes all individuals and entities subject to measures imposed by the UN Security Council. Combining all names into a single Consolidated List is intended to facilitate the implementation of these measures. However, this does not mean that all names fall under the same sanctions regime, nor that the criteria for their inclusion are identical.

In every instance where the Security Council has decided to impose measures in response to a threat, a dedicated Security Council Committee manages the corresponding sanctions regime. Each sanctions committee established by the United Nations Security Council publishes the names of the individuals and entities listed in relation to that committee, along with details of the specific measures applied to each entry.

The current version of the Consolidated Sanctions List is available in .xml, .html, and .pdf formats. Member States are required to implement the specific measures applicable to each listed name, as outlined on the website of the relevant sanctions committee.

European Union

The EU Sanctions Map is an official platform created and maintained by the European Union that provides a comprehensive, up-to-date, and user-friendly overview of all sanctions regimes imposed by the EU. Its main purpose is to promote a clear understanding and consistent implementation of restrictive measures across Member States and among economic operators.

Key features:

• Geographical visualisation: Displays on an interactive map the countries, entities, and individuals subject to EU sanctions.

• Advanced search: Allows users to search by country, type of measure (such as arms embargoes, financial restrictions, or travel bans), and legal basis.

• Direct access to official documents: Provides links to the Council of the EU regulations and decisions that establish or amend sanctions regimes.

• Continuous updates: The platform is updated whenever the Council adopts new measures or revises existing ones.

The EU Sanctions Map aims to enhance transparency around EU sanctions and support businesses, financial institutions, and national authorities in ensuring compliance with the relevant regulations.

United Kingdom (UK)

The financial sanctions targets: list of all asset freeze targets is an official list published by the UK government that includes all individuals, entities, and organisations subject to asset freezes under the UK’s financial sanctions regimes.

Each entry contains key details such as:

• Full name of the sanctioned individual or entity

• Aliases or alternative names

• Reason for the sanction (e.g. terrorism, human rights violations, military aggression, etc.)

• Type of measure applied, primarily asset freezing

• Legal basis: UK regulations or laws supporting the sanction

• Date of inclusion and subsequent updates

The list is managed by the Office of Financial Sanctions Implementation (OFSI), which operates within HM Treasury. OFSI oversees the correct implementation of financial sanctions and has the authority to impose penalties for non-compliance.

The Consolidated List of Asset Freeze Targets (OFSI) will be discontinued. From 28 January 2026, the UK Sanctions List will become the sole official source for all UK sanctions designations.

The list is regularly updated whenever the UK imposes, amends, or lifts sanctions. It is available in downloadable formats (.csv, .xml, .html, .pdf) to facilitate its integration into automated financial compliance systems.

Canada

The Consolidated Canandian Autonomous Sanctions List brings together all individuals, entities, and countries subject to restrictive measures imposed by the Government of Canada. It is administered by Global Affairs Canada (GAC), the department responsible for foreign policy, trade, and development.

The government may impose a range of measures, including:

• Freezing of financial assets and prohibition of transactions

• Travel restrictions on sanctioned individuals

• Arms embargoes and export restrictions

• Limitations on the provision of financial or technical services

The list is updated whenever the government amends a sanctions regime and is available in downloadable formats (.CSV and .XML) for integration into automated compliance systems

Australia

Australia maintains a Consolidated Sanctions List, administered by the Department of Foreign Affairs and Trade (DFAT). It includes all individuals and entities subject to financial restrictions or travel bans under Australian law.

Switzerland

Switzerland maintains a Consolidated Sanctions List, managed by the State Secretariat for Economic Affairs (SECO). The list includes all individuals, entities, and organisations subject to restrictive measures under Swiss law, such as asset freezes, travel bans, or trade restrictions.

Switzerland implements United Nations Security Council sanctions directly and may also adopt autonomous measures in line with its own foreign and security policy objectives. SECO oversees the enforcement of these sanctions and provides guidance to financial institutions and businesses to ensure compliance.

The list is updated whenever new sanctions are imposed, amended, or lifted, and is available in downloadable formats (such as .XML and .CSV) for integration into compliance and screening systems.

🟧 2.PEP Lists (Politically Exposed Persons)

PEPs are individuals who, due to holding prominent public positions or having close associations with those who do, present a higher risk of involvement in corruption or bribery.

Examples: Ministers, judges, mayors, executives of state-owned enterprises, or their immediate family members and close associates.

Unlike sanctions lists, PEPs are not “prohibited” individuals, but they are subject to enhanced due diligence and ongoing monitoring. Financial institutions and regulated entities must assess the potential risks associated with PEPs as part of their anti–money laundering (AML) and counter–terrorist financing (CTF) obligations.

Common sources and references include:

• UN / GAFI (PEP definition and categories): FATF Recommendations

• Spain: SEPBLAC y la Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo.

• Ibero-America:

  • Mexico: UIF Mexico

  • Colombia: UIAF Colombia

  • Chile: UAF Chile

  • Argentina: UIF Argentina

  • Brasil: COAF Brasil

  • Peru: Prevención de Lavado de Activos
  • El Salvador: UIF El Salvador
  • Guatemala: SIB (Súper Intendencia de Bancos) Guatemala
  • Ecuador: UAFE Ecuador
  • Panama: UAF Panama

In screening processes, matches involving Politically Exposed Persons (PEPs) must trigger an Enhanced Due Diligence (EDD) procedure.

🟨 3. Terrorism, drug trafficking, and organised crime lists

These lists are used to identify individuals, groups, or entities involved in or suspected of terrorism, drug trafficking, or organised crime. Consulting them is either mandatory or strongly recommended for banks, insurers, and other entities subject to anti–money laundering (AML) regulations.

Below are some of the most relevant sources by region and country:

• European Union: The EU has imposed sanctions against individuals, groups, and entities involved in acts of terrorism, particularly ISIL/Daesh, Al-Qaida, Hamas, and the Palestinian Islamic Jihad.

• Spain: Both the Civil Guard and the National Police work closely with Europol and Interpol to identify criminal and terrorist organisations. They do not rely on public databases but instead operate within INTERPOL and EUROPOL’s most wanted systems.

• Mexico: The Ministry of the Interior maintains the List of Terrorist Organisations, and CENAPI (National Centre for Planning, Analysis and Information to Combat Crime) manages financial intelligence databases.

• Colombia: In addition to the lists maintained by the Financial Information and Analysis Unit (UIAF), the Office of the Attorney General holds databases on organised armed groups.

• Brazil: The country’s Financial Activities Control Council (COAF) functions as its financial intelligence unit and maintains lists of PEPs and individuals under investigation for organised crime.

• Argentina: The Financial Information Unit (UIF) oversees AML compliance and manages the Public Registry of Persons and Entities Linked to Acts of Terrorism and Their Financing (REPET).

🟩 4. Adverse media and open-source lists

Adverse media lists are compilations of publicly available information — primarily news reports, journalistic investigations, and court records — that link individuals or entities to illicit activities, reputational risks, or compliance concerns. Unlike official sanctions lists, they are not issued by governments or international organisations but come from open sources and specialised private providers. These include traditional media outlets (newspapers), blogs, online articles, or platforms focused on compliance and anti–money laundering (AML).

Although non-official and non-binding, these sources provide valuable context for assessing reputational and compliance risks. Common sources include press databases, judicial records, and open-source intelligence (OSINT) tools. Within AML processes, cross-checking against these lists helps anticipate potential risks before they escalate into formal sanctions.

🟦 5. National and Regional Lists (Spain and Ibero-America)

Each country maintains its own lists, regulated by its Financial Intelligence Unit (FIU). These typically include:

• Individuals or entities subject to domestic sanctions

• National PEP lists

• Individuals under investigation or convicted for financial crimes

In screening processes, national lists should be combined with international ones to ensure full coverage — particularly in multi-jurisdictional contexts, where an individual or company might appear on a regional list even if not included in OFAC or UN lists.

Regulatory framework and key institutions

AML compliance is not sustained by technology alone — it relies on a complex and constantly evolving regulatory framework designed to address emerging financial, technological, and geopolitical risks. Understanding which bodies set the standards, how they interact, and what implications they have in each jurisdiction is essential to designing a coherent and effective compliance system.

🌐 1. International Framework: FATF / GAFI

The Financial Action Task Force (FATF / GAFI) is the world’s leading authority on anti–money laundering (AML) and counter–terrorist financing (CTF). Established in 1989 by the G7, its mission is to set international standards to combat money laundering, terrorist financing, and the proliferation of weapons of mass destruction.

Its cornerstone document, the “40 FATF Recommendations,” forms the foundation of all modern AML frameworks. Each member country (or regional associate) adapts these recommendations to its national legislation. Compliance is periodically assessed through a mutual evaluation process, which measures the effectiveness of implementation. Countries with serious deficiencies may be placed on the FATF’s “grey” or “black” lists, which can significantly affect their financial reputation and global market access.

🇪🇺 2. European Union

In Europe, the AML framework is structured around a series of Anti-Money Laundering Directives (AMLDs). The most significant include:

• 4th Directive (AMLD4 – 2015/849): Introduced mandatory customer due diligence (CDD) and the identification of both domestic and foreign PEPs.

• 5th Directive (AMLD5 – 2018/843): Extended AML obligations to cryptocurrency service providers and enhanced transparency in beneficial ownership registers.

• 6th Directive (AMLD6 – 2018/1673): Established a uniform definition of money laundering offences and corporate criminal liability across EU Member States.

🇪🇸 3. Spain: SEPBLAC and National Legislation

In Spain, the central authority for AML supervision is SEPBLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias).
Its operations are governed by Law 10/2010 and its Regulation (Royal Decree 304/2014), which transpose the EU AML Directives and adapt the FATF recommendations to Spain’s legal and financial environment.

Key obligations for obliged entities include:

• Formal identification and document verification (KYC)

• Risk assessment and enhanced due diligence for clients and transactions

• Appointment of a designated representative before SEPBLAC

• Record retention for 10 years

• Reporting of suspicious transactions (ROS / STRs)

• Regular staff training and internal audits

SEPBLAC coordinates with the Bank of Spain, the CNMV (National Securities Market Commission), and the Directorate-General for Insurance and Pension Funds, depending on the sector.

All companies operating financial transactions or managing funds in Spain must integrate robust AML policies into their identity verification, onboarding, and transaction monitoring systems.

🌎 4. Ibero-America: regional overview

In Ibero-America, the Latin American Financial Action Task Force (GAFILAT) acts as the FATF’s regional body, promoting legislative harmonisation and mutual evaluations across the region.

Each Ibero-American country has a Financial Intelligence Unit (FIU) responsible for implementing GAFILAT standards. While levels of regulatory maturity vary, all follow the structure of the 40 FATF Recommendations, requiring formal KYC processes, continuous monitoring, and mandatory reporting of suspicious activities.

🏛️ 5. Global coordination

In addition to the bodies mentioned, several international organisations strengthen cooperation in AML and CTF enforcement:

• Egmont Group: A global network connecting over 160 FIUs to securely exchange financial intelligence.

• IMF / World Bank: Provide technical assistance and conduct AML/CFT evaluation programmes.

• Interpol / Europol: Offer intelligence and operational support for cross-border investigations.

This multilateral cooperation is the backbone of the global AML ecosystem, ensuring that sanctions and PEP lists remain consistent, accurate, and up to date worldwide.

Screening and continuous monitoring

AML screening is the operational core of any anti–money laundering programme. Its purpose is to continuously check customer, supplier, and transaction data against sanctions lists, PEPs, and other risk sources. This process, carried out periodically or in real time, helps detect suspicious relationships or behaviours before they expose the organisation to legal or reputational risk.

An effective screening system must balance accuracy, coverage, and speed. The main challenge is identifying true matches without overwhelming compliance teams with false positives. In large financial institutions, up to 95% of initial alerts can be irrelevant.

To reduce this burden while maintaining coverage, best practices are combined with advanced technology:

• Intelligent customer segmentation: adjust monitoring levels according to risk factors (country, industry, transaction volume, customer profile).

• Use of additional identifiers: including date of birth, country, or official documents drastically reduces erroneous matches.

• Machine learning and dynamic rules: train models on historical alerts to automatically adjust thresholds and improve accuracy.

The final output should be fully integrated with the screening engine.

Integration of KYC and digital identity verification into AML strategy

The relationship between KYC (Know Your Customer) and AML is inseparable. No AML policy is effective without a reliable identification process. In practice, digital identity verification has become the first line of defence against money laundering, terrorist financing, and fraud.

The success of an AML programme increasingly depends on how digital onboarding is designed and executed.

KYC processes have evolved from manual, paper-based systems to automated digital workflows capable of verifying identities in seconds. Using technologies such as OCR, facial biometrics, and liveness detection, companies can validate documents, confirm user authenticity, and automatically cross-check against AML lists (sanctions, PEP, Interpol, UN, etc.) remotely and securely. This transformation not only reduces errors and false positives but also provides full traceability and a smooth user experience.

Integrating KYC and AML in a unified architecture allows organisations to move toward a predictive risk management model. With interconnected modules for identity verification, risk scoring, screening, and audit, financial institutions can detect threats from onboarding, maintain up-to-date risk profiles, and optimise resources. This approach, known as “AML-First Onboarding,” accelerates regulatory compliance, reduces operational costs, and strengthens corporate reputation by ensuring secure, scalable, and auditable processes in real time.

Mobbeel: your partner for KYC and AML compliance

AML is no longer just a regulatory obligation — it has become a competitive advantage. Organisations adopting digital identity, automation, and AI technologies not only comply with regulations but also lead the market in trust, efficiency, and reputation.

The future of compliance lies not in controlling the past but in anticipating and preventing risk from the point of identity. Mobbeel positions itself as a trusted partner to guide you through these processes.

If you want to verify your customers’ identities during onboarding while checking against all current AML lists, don’t hesitate to contact us. We will be delighted to help you comply with regulatory requirements using our technology.

Contact us if you want to implement a robust KYC and AML process.

PRODUCT BROCHURE

Discover our identity verification solution

Verify your customers’ identities in seconds through ID document scanning and validation, and facial biometric matching with liveness detection.