
AML/CFT Calling Compliance for Financial Institutions

Ensure AML/CFT calling compliance with this guide covering transaction monitoring, suspicious activity reporting, and communication audit trails.

The Intersection of AML/CFT and Communication Compliance

Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations have traditionally focused on transaction monitoring, customer due diligence, and suspicious activity reporting. However, regulators worldwide have increasingly recognized that voice communications are a critical data source for detecting and investigating financial crime.

The Financial Action Task Force (FATF) Recommendation 11 requires financial institutions to maintain records of all transactions and communications sufficient to reconstruct individual transactions and comply with information requests from competent authorities. In practice, this means that every phone call related to a financial transaction, account inquiry, or investment decision may fall within the scope of AML/CFT record-keeping requirements.

In 2025, global AML enforcement actions totaled $6.2 billion in fines, with communication surveillance failures cited in 34% of enforcement orders. The message from regulators is clear: inadequate communication monitoring is an AML compliance failure.

FATF Standards and Their Impact on Calling

FATF Recommendation 11: Record Keeping

FATF Recommendation 11 requires financial institutions to maintain:

  • Transaction records for at least five years following completion of the transaction
  • Customer identification data for at least five years after the end of the business relationship
  • All records necessary to reconstruct individual transactions so as to provide evidence for prosecution of criminal activity

Voice communications that relate to transactions fall squarely within the "records necessary to reconstruct individual transactions" requirement. A verbal instruction to execute a trade, transfer funds, or modify account details is a transactional record.

FATF Recommendation 20: Suspicious Transaction Reporting

When call monitoring reveals indicators of money laundering or terrorist financing, financial institutions are obligated to file Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) with their national Financial Intelligence Unit (FIU).

Key call-based red flags:

  • Customer requests to structure transactions below reporting thresholds
  • Reluctance to provide identification or documentation when asked during calls
  • Requests for unusual urgency in executing transactions
  • References to third-party instructions or unnamed beneficiaries
  • Contradictions between information provided on calls and documentation on file
  • Use of coded language or deliberate vagueness about transaction purposes
  • Frequent calls from geographic locations inconsistent with customer profile

FATF Recommendation 18: Internal Controls

Financial institutions must establish internal controls including:

  • Compliance management arrangements: Designated AML compliance officer with access to all relevant communications
  • Screening procedures: Ongoing screening of communications for red flags
  • Ongoing training: Staff training on recognizing suspicious communication patterns
  • Independent audit function: Regular testing of communication monitoring effectiveness

Jurisdiction-Specific Requirements

United States: Bank Secrecy Act (BSA) and FinCEN

The BSA requires financial institutions to:

  • File Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000
  • File Suspicious Activity Reports (SARs) for transactions over $5,000 that the institution knows, suspects, or has reason to suspect involve funds from illegal activity
  • Maintain records of transactions and related communications for 5 years

FinCEN's 2025 guidance on communication monitoring explicitly states that financial institutions with telephone-based customer interactions must include call recordings and transcripts in their transaction monitoring programs. Institutions relying solely on transaction data without corresponding communication analysis are considered to have a "significant gap" in their AML program.

Penalties: Civil penalties up to $1 million per day of violation; criminal penalties up to $500,000 and 10 years imprisonment per willful violation.

European Union: Anti-Money Laundering Directives

The 6th Anti-Money Laundering Directive (6AMLD) and the upcoming Anti-Money Laundering Regulation (AMLR) establish:

  • Mandatory Customer Due Diligence (CDD) including verification of identity and purpose of business relationship
  • Enhanced Due Diligence (EDD) for high-risk customers, Politically Exposed Persons (PEPs), and correspondent banking relationships
  • Transaction monitoring with risk-based approach
  • Communication record-keeping aligned with MiFID II for investment firms

The Anti-Money Laundering Authority (AMLA), operational from 2025, will directly supervise the highest-risk financial entities across the EU and has indicated that communication monitoring effectiveness will be a key supervisory focus.

United Kingdom: Money Laundering Regulations 2017

The UK's MLR 2017 (as amended) requires:

  • Risk-based CDD and ongoing monitoring
  • Record retention for 5 years after the end of the business relationship
  • SAR filing with the National Crime Agency (NCA)
  • FCA guidance (FG23/4) specifically references call recording analysis as a component of effective transaction monitoring

Singapore: MAS Notice 626

MAS Notice 626 on Prevention of Money Laundering and Countering the Financing of Terrorism requires:

  • CDD and ongoing monitoring with risk-based approach
  • Record retention for at least 5 years after termination of account or business relationship
  • STR filing with the Suspicious Transaction Reporting Office (STRO)
  • MAS has emphasized during inspections that communication surveillance must be proportionate to the risk profile of the customer base

Australia: AML/CTF Act 2006

AUSTRAC requirements include:

  • Customer identification procedures (KYC)
  • Ongoing customer due diligence
  • Suspicious matter reporting (SMRs) to AUSTRAC
  • Record retention for 7 years
  • AUSTRAC's 2025 enforcement priority included communication monitoring adequacy in the financial services sector

Implementing AML-Compliant Call Monitoring

Tier 1: Basic Compliance (Manual Review)

At minimum, financial institutions must:

  1. Record all relevant calls in accordance with MiFID II, FCA, FINRA, or applicable regulatory requirements
  2. Maintain searchable archives that allow compliance officers to retrieve calls by date, agent, customer, and account
  3. Conduct periodic sampling — reviewing a statistically significant sample of recorded calls for red flags
  4. Document findings and escalate suspicious communications to the AML compliance officer

Limitation: Manual review is resource-intensive and typically covers only 1-5% of total call volume, leaving significant gaps in monitoring coverage.

Tier 2: Enhanced Compliance (Keyword and Pattern Detection)

Automated keyword detection can flag calls for human review:

  • Keyword libraries: Terms associated with money laundering typologies (structuring, smurfing, layering, shell company, nominee, cash-intensive)
  • Pattern detection: Unusual call frequency, calls outside business hours, calls from sanctioned jurisdictions
  • Customer risk scoring: Prioritize monitoring of calls involving high-risk customers, PEPs, and customers with elevated risk scores

Improvement over Tier 1: Automated flagging typically increases monitoring coverage to 15-30% of call volume while reducing false negatives.
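A sketch of Tier 2 flagging, added here as an example and not taken from any vendor's product: it matches the keyword library above as whole words, adds one pattern signal and the customer risk rating, and queues calls for human review. The business hours, weights, threshold, field names and sample calls are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# Keyword library: the typology terms listed above.
KEYWORDS = ["structuring", "smurfing", "layering", "shell company",
            "nominee", "cash-intensive"]
BUSINESS_HOURS_UTC = range(8, 18)   # assumed for this example
REVIEW_THRESHOLD = 3                # assumed for this example

def keyword_hits(transcript):
    """Library terms present as whole words or phrases, case-insensitively."""
    text = transcript.lower()
    return [k for k in KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", text)]

def score_call(call):
    """Combine keyword, pattern and customer-risk signals into (score, reasons)."""
    hits = keyword_hits(call["transcript"])
    score, reasons = 2 * len(hits), [f"keyword:{k}" for k in hits]
    if call["start_utc"].hour not in BUSINESS_HOURS_UTC:
        score += 1
        reasons.append("pattern:outside_business_hours")
    if call["customer_risk"] == "high":   # high-risk customers and PEPs first
        score += 2
        reasons.append("risk:high_risk_customer")
    return score, reasons

def review_queue(calls):
    """Calls at or above the threshold, highest score first, for human review."""
    scored = [(*score_call(c), c["call_id"]) for c in calls]
    flagged = [(s, cid, r) for s, r, cid in scored if s >= REVIEW_THRESHOLD]
    return sorted(flagged, key=lambda item: -item[0])

# Constructed sample calls (not real data).
CALLS = [
    {"call_id": "C-001", "customer_risk": "high",
     "start_utc": datetime(2025, 3, 4, 2, 15, tzinfo=timezone.utc),
     "transcript": "Route it via the nominee and the shell company again."},
    {"call_id": "C-002", "customer_risk": "low",
     "start_utc": datetime(2025, 3, 4, 10, 30, tzinfo=timezone.utc),
     "transcript": "I am restructuring my mortgage and need a payoff quote."},
    {"call_id": "C-003", "customer_risk": "high",
     "start_utc": datetime(2025, 3, 4, 14, 0, tzinfo=timezone.utc),
     "transcript": "Please confirm my new mailing address."},
]

if __name__ == "__main__":
    for score, call_id, reasons in review_queue(CALLS):
        print(call_id, score, reasons)
```

The whole-word match keeps "restructuring" in C-002 from tripping the "structuring" keyword, the kind of false positive a plain substring search would send to reviewers.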

Tier 3: Advanced Compliance (AI-Powered Analysis)

AI-powered call analysis platforms provide the most comprehensive monitoring:

  • Natural Language Processing (NLP): Analyzes call transcripts for semantic indicators of suspicious activity, not just keywords
  • Behavioral analytics: Detects changes in customer communication patterns over time (e.g., a previously forthcoming customer becoming evasive)
  • Network analysis: Identifies communication patterns between related parties that may indicate coordinated suspicious activity
  • Sentiment analysis: Flags calls where customer or agent emotional patterns deviate from baseline
  • Real-time alerting: Generates alerts during live calls, enabling immediate intervention

CallSphere's AI-powered call analytics platform provides Tier 3 monitoring capabilities with pre-built AML/CFT detection models trained on regulatory enforcement patterns. The platform integrates with existing transaction monitoring systems to provide a unified view of customer activity across both communication and transactional channels.

Documentation and Record-Keeping Requirements

Call Record Metadata

For each recorded call, maintain the following metadata:

  • Call identifier: Unique reference number
  • Date and time: Start and end timestamps (UTC)
  • Participants: Agent name/ID, customer name/ID, account number(s)
  • Call direction: Inbound or outbound
  • Call type: Transaction-related, advisory, inquiry, complaint
  • Consent record: Timestamp and method of consent obtained
  • Monitoring flags: Any automated or manual flags applied during or after the call
  • Review status: Whether the call has been reviewed, by whom, and outcome

SAR/STR Supporting Documentation

When a suspicious call triggers a SAR/STR filing:

  1. Preserve the original recording under litigation hold (override normal retention)
  2. Generate a complete transcript with speaker identification
  3. Document the red flags identified during the call with timestamps
  4. Cross-reference with transaction records, CDD documentation, and previous SARs
  5. Maintain confidentiality — SAR/STR filings are confidential; do not inform the customer that a report has been filed (tipping off is a criminal offense in most jurisdictions)
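The metadata list under "Call Record Metadata" and the litigation-hold step above, combined in one added example (not code from the page's vendor): a call record that rejects non-UTC timestamps and a purge check in which a hold overrides normal retention. The field names, jurisdiction labels, the choice of retention anchor and the sample values are assumptions of the example; the retention periods are the ones stated on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention periods (years) as stated on this page; the keys are example labels.
RETENTION_YEARS = {"US": 5, "UK": 5, "SG": 5, "AU": 7}

@dataclass
class CallRecord:
    call_id: str
    start_utc: datetime
    end_utc: datetime
    agent_id: str
    customer_id: str
    accounts: list
    direction: str                  # "inbound" or "outbound"
    call_type: str                  # transaction-related, advisory, inquiry, complaint
    consent_at: datetime
    consent_method: str
    flags: list = field(default_factory=list)
    review_status: str = "unreviewed"
    litigation_hold: bool = False   # set when the call supports a SAR/STR

    def __post_init__(self):
        # Naive or non-UTC timestamps make retention dates ambiguous: reject them.
        for ts in (self.start_utc, self.end_utc, self.consent_at):
            if ts.utcoffset() != timedelta(0):
                raise ValueError("timestamps must be timezone-aware UTC")

def retention_deadline(anchor, jurisdiction):
    """Anchor date plus the jurisdiction's retention period (29 Feb rolls to 1 Mar)."""
    year = anchor.year + RETENTION_YEARS[jurisdiction]
    try:
        return anchor.replace(year=year)
    except ValueError:
        return anchor.replace(year=year, month=3, day=1)

def may_purge(record, anchor, jurisdiction, now):
    """True only when retention has expired and no litigation hold applies."""
    return not record.litigation_hold and now >= retention_deadline(anchor, jurisdiction)

def sample_record(**overrides):
    """Constructed sample record; every value is made up for this example."""
    t = datetime(2020, 2, 29, 9, 0, tzinfo=timezone.utc)
    base = dict(call_id="CALL-0001", start_utc=t, end_utc=t.replace(minute=12),
                agent_id="A-17", customer_id="CUST-42", accounts=["ACC-1"],
                direction="inbound", call_type="transaction-related",
                consent_at=t, consent_method="ivr-announcement")
    return CallRecord(**{**base, **overrides})
```

The caller supplies the anchor because the retention clock starts at different events depending on the rule, for example completion of the transaction or the end of the business relationship.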

Training and Awareness

Required Training Topics

AML/CFT communication compliance training should cover:

  • Red flag recognition: How to identify suspicious communication patterns during calls
  • Escalation procedures: When and how to escalate suspicious calls to compliance
  • Tipping off prohibition: Understanding that informing customers about SAR/STR filings is illegal
  • Record-keeping requirements: Proper documentation of call-related compliance actions
  • Technology use: How to use call monitoring tools and flag suspicious interactions

Training Frequency

  • Initial training: Before handling customer communications
  • Annual refresher: Updated with current typologies and regulatory changes
  • Ad hoc training: Following regulatory updates, enforcement actions, or internal audit findings

Frequently Asked Questions

Do all financial institution calls need to be monitored for AML purposes?

Not necessarily all calls, but your monitoring program must be risk-based and cover a sufficient proportion of calls to be effective. Calls involving high-risk customers, large transactions, PEPs, customers from high-risk jurisdictions, and new account openings should receive priority monitoring. Regulators expect your monitoring coverage to be proportionate to your risk exposure.

Can AI transcription replace human review for AML call monitoring?

AI transcription and analysis can significantly enhance monitoring coverage and efficiency, but current regulatory expectations still require human oversight. AI should be used to flag and prioritize calls for human review, not as a complete replacement. The AML compliance officer must retain ultimate decision-making authority for SAR/STR filing decisions.

How do I balance customer privacy with AML monitoring requirements?

AML/CFT obligations constitute a legal obligation that provides a lawful basis for processing call recordings under GDPR Article 6(1)(c) and equivalent data protection frameworks. However, you must still apply data minimization principles — monitor only what is necessary for AML purposes, restrict access to authorized compliance personnel, and retain recordings only for the mandated periods. Your privacy notice should inform customers that calls may be monitored for regulatory compliance purposes.

What happens if we fail to detect suspicious activity in a recorded call?

Regulators evaluate whether your monitoring program is reasonable and effective, not whether it catches every instance of suspicious activity. If a failure is due to a systemic gap in your monitoring program (e.g., no call monitoring at all, or monitoring that excludes high-risk customer segments), enforcement action is likely. If the failure occurred despite a well-designed, properly implemented, and regularly tested program, regulators may require remediation rather than imposing penalties.


CallSphere Team
