KYC and AML Considerations in OTC Markets

HSBC: $1.256 billion forfeited plus $665 million in civil penalties across 60+ correspondent banking relationships (U.S. DOJ, December 11, 2012). Deutsche Bank: £163 million in FCA fines after broken KYC controls let $10 billion in suspicious mirror trades flow between Moscow and London (FCA, 2017). The common thread isn't missing policies—both firms had compliance manuals—it's that neither institution enforced the controls already on the books when transactions actually hit the wire. Every OTC desk should read those cases as a direct warning: regulators measure your program by whether controls fire in real time, not by page count. The practical antidote isn't another reporting layer stacked on top of existing failures—it's a structured, risk-tiered compliance framework engineered to catch breakdowns before regulators do.

TL;DR: KYC and AML obligations in OTC markets require a four-pillar due diligence program, threshold-based reporting, and ongoing monitoring—with specific numeric triggers (SAR at $5,000, CTR at $10,000, swap dealer registration at $8 billion notional) that compliance teams must operationalize into daily workflows.

Core Definitions (What You're Actually Required to Do)

Know Your Customer (KYC) is the regulatory process requiring financial institutions to verify the identity, suitability, and risk profile of counterparties before and during the business relationship. In the U.S., this is governed by the Bank Secrecy Act and FinCEN's Customer Due Diligence (CDD) Rule, effective May 11, 2018.

Anti-Money Laundering (AML) encompasses the laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. The key U.S. statute is the Bank Secrecy Act of 1970, supplemented by the USA PATRIOT Act of 2001. Globally, the FATF 40 Recommendations set the baseline standard (including Recommendation 10 on CDD and Recommendation 20 on suspicious transaction reporting with no monetary threshold).

The point is: KYC and AML are not separate workstreams. KYC feeds AML—you cannot detect suspicious activity if you haven't properly identified who you're dealing with and what their normal transaction profile looks like.

Customer Due Diligence (CDD) under FinCEN's rule has four mandatory pillars:

1. Customer identification and verification — confirm the legal entity or individual is who they claim to be
2. Beneficial ownership identification — identify any individual owning 25% or more of the equity interests, plus one individual with significant management responsibility (the "control prong")
3. Customer risk profiling — assign a risk tier based on geography, product type, transaction patterns, and entity structure
4. Ongoing monitoring — continuously review transactions and update customer information, filing SARs when activity deviates from the established profile

Enhanced Due Diligence (EDD) applies heightened scrutiny to higher-risk counterparties: politically exposed persons (PEPs), correspondent banking relationships, and counterparties in FATF-listed jurisdictions. EDD requires more frequent reviews and senior management approval. FATF updates its lists of jurisdictions with strategic AML/CFT deficiencies three times per year—your screening process must keep pace.

How KYC/AML Works in OTC Derivatives (The Operational Reality)

OTC derivatives add layers of complexity that exchange-traded products don't. There's no centralized exchange performing pre-trade screening. You are the gatekeeper. Every counterparty onboarding, every novation, every portfolio compression exercise requires its own compliance assessment.

Here's the operational chain:

Counterparty identification → Beneficial ownership verification → Risk tiering → Transaction monitoring → Reporting obligations → Ongoing review

Registration Thresholds That Trigger Full Compliance Programs

The CFTC's permanent swap dealer de minimis rule sets the line: any entity engaging in swap dealing activity exceeding $8 billion in aggregate gross notional amount over the preceding 12 months must register as a swap dealer. Registration triggers the full suite of KYC/AML program requirements (CFTC Final Rule, November 2018).

Why this matters: firms operating just below this threshold often lack the compliance infrastructure they'll need if their activity crosses it. The $8 billion is measured on a rolling 12-month basis—a single large quarter can push you over.

Reporting Deadlines You Must Operationalize

The point is: these aren't suggestions with soft deadlines. A missed SAR filing within the 30-day window is itself a compliance violation—regardless of whether the underlying activity turns out to be criminal.

Margin Requirements as a Compliance Touchpoint

The BCBS-IOSCO framework for non-centrally cleared OTC derivatives (final phase completed September 1, 2022) requires initial margin from entities with an aggregate average notional amount (AANA) above €8 billion. Phase 4 captured entities above €750 billion AANA.

(These margin thresholds matter for KYC/AML because margin call workflows require verified counterparty information, valid legal entity identifiers, and confirmed beneficial ownership—you can't post or receive margin with an entity you haven't properly onboarded.)

EMIR Reporting and Its KYC Overlap

Under EMIR Refit, EU counterparties must report 203 data fields per trade (up from 129 under the original framework). UK EMIR Refit requires 204 fields. These fields include counterparty identification data that directly overlaps with KYC records—Legal Entity Identifiers, corporate hierarchy information, and counterparty classification codes.

EMIR 3 entered into force on December 24, 2024, introducing the Active Account Requirement (AAR) that requires EU firms to maintain active clearing accounts at EU CCPs within 6 months (deadline: June 24, 2025). Critically, EMIR 3 denies intragroup exemptions if the counterparty is in a jurisdiction on the EU AML/CFT blacklist. AML status now directly affects your ability to use regulatory relief provisions.

Worked Example: Onboarding a New OTC Counterparty

Here's what a compliant onboarding process looks like for a mid-sized asset manager seeking to trade interest rate swaps with your desk.

Phase 1: The Setup (Pre-Trade Due Diligence)

Your desk receives an ISDA Master Agreement request from Apex Capital Management LLC, a Delaware-registered fund with $2.4 billion AUM. They want to trade USD interest rate swaps with an estimated annual notional volume of $6 billion.

Your compliance team initiates CDD:

• Customer identification: Verify Apex's legal entity status, LEI, Delaware registration, and SEC registration. Confirm authorized signatories against corporate documents.
• Beneficial ownership: Apex has three partners. Partner A holds 35% equity (above the 25% threshold—must be identified and verified). Partner B holds 30% (also above threshold). Partner C holds 15% (below threshold but identified under the control prong as managing partner). Two individuals require full identification; one requires control prong documentation.
• Risk profiling: Apex is U.S.-domiciled, SEC-registered, operating in standard product types. No PEP flags. No FATF high-risk jurisdiction connections. Risk tier: Standard.

Phase 2: The Trigger (Ongoing Monitoring Catches an Anomaly)

Six months into the relationship, Apex's trading pattern shifts. Monthly notional volume jumps from $500 million to $1.8 billion in a single month—a 260% increase. The counterparty begins requesting offshore settlement accounts in a jurisdiction that appeared on the most recent FATF grey list update.

Your transaction monitoring system flags this for review. The compliance team's assessment:

• Volume spike alone doesn't trigger a SAR (legitimate portfolio rebalancing could explain it)
• Offshore settlement request to a FATF-listed jurisdiction combined with the volume anomaly crosses the threshold for enhanced review
• Apex's relationship manager is contacted for an explanation and updated documentation

Phase 3: The Outcome (Quantified Compliance Response)

Apex provides documentation showing the volume increase relates to a new pension fund mandate (verifiable through public filings). However, the offshore settlement request lacks adequate business justification.

Compliance action: SAR filed within 30 days of initial detection. The suspicious activity involves estimated settlement flows of $12 million through the offshore account (well above the $5,000 SAR threshold). Enhanced Due Diligence is activated for the relationship—quarterly reviews instead of annual, senior management sign-off required for new trades, and the offshore settlement path is declined.

The practical point: The system worked because three elements aligned—automated transaction monitoring flagged the volume anomaly, the risk-tiered framework identified the jurisdiction issue, and the SAR filing met the 30-day deadline. Without any one of these, the firm would be exposed.

Mechanical alternative: Firms without automated monitoring would likely miss the volume spike entirely. Manual review of a 260% notional increase across hundreds of counterparties is operationally impossible at scale.

Key Compliance Metrics (Summary Table)

Common Pitfalls (And How Enforcement Actions Expose Them)

Pitfall 1: Treating KYC as a one-time onboarding exercise. Deutsche Bank's £163 million FCA fine resulted from failing to maintain proper KYC documentation and customer risk ratings on an ongoing basis (2012–2015 period). The bank had onboarding procedures but no effective ongoing monitoring—allowing over $10 billion in suspicious mirror trades to flow through unchecked.

Pitfall 2: Ignoring correspondent and intermediary relationships. HSBC's $1.921 billion enforcement action stemmed from failure to conduct due diligence on over 60 correspondent banking relationships. The investigation found $881 million laundered through HSBC by Mexican and Colombian drug cartels via these unmonitored channels.

Pitfall 3: Siloing KYC/AML from derivatives-specific compliance. EMIR 3's denial of intragroup exemptions for counterparties in AML-blacklisted jurisdictions demonstrates that regulatory frameworks are converging. Your AML program and your derivatives reporting program cannot operate as separate functions.

Pitfall 4: Underinvesting in transaction monitoring automation. Manual monitoring cannot scale across OTC portfolios with hundreds of counterparties and thousands of trades. The SAR filing deadline of 30 days (starting from initial detection, not from confirmation) means late detection is functionally equivalent to non-detection from a regulatory perspective.

The lesson worth internalizing: every major OTC AML enforcement action shares the same root cause—the compliance framework existed on paper but failed in execution. HSBC had policies. Deutsche Bank had policies. What they lacked was operational integration between KYC data, transaction monitoring, and escalation workflows.

Detection Signals (Self-Diagnostic for Your Compliance Program)

You likely have gaps in your OTC KYC/AML framework if:

• Beneficial ownership records haven't been refreshed in more than 12 months for any active counterparty
• Your transaction monitoring thresholds haven't been recalibrated since the relationship was onboarded
• SAR filing decisions are made by the same team that manages the trading relationship (independence failure)
• EMIR trade reporting and KYC counterparty data are maintained in separate systems with no reconciliation
• You cannot produce a complete list of counterparties in FATF grey-list or blacklist jurisdictions within one business day
• Your swap dealing activity is between $5 billion and $8 billion notional but you haven't built the compliance infrastructure for potential registration

Compliance Checklist: KYC/AML for OTC Derivatives

Essential (High ROI) — Prevents 80% of Regulatory Exposure

• Verify beneficial ownership at 25% threshold for all legal entity counterparties, with annual refresh
• Automate SAR/CTR threshold monitoring ($5,000 suspicious / $10,000 currency) with alerts routed to independent compliance
• Implement T+1 EMIR trade reporting with counterparty identification fields reconciled against KYC records
• Screen all counterparties against FATF high-risk jurisdiction lists at onboarding and after each triannual FATF update

High-Impact (Workflow and Automation)

• Integrate KYC databases with trade reporting systems so counterparty data changes automatically propagate to EMIR fields
• Establish risk-tiered review cycles: standard counterparties annually, EDD counterparties quarterly, PEPs with senior management approval
• Track aggregate swap dealing notional on a rolling 12-month basis against the $8 billion CFTC registration threshold
• Maintain documented escalation procedures with clear timelines aligned to the 30-day SAR filing deadline

Optional (Recommended for Firms with Cross-Border OTC Activity)

• Map EMIR 3 Active Account Requirements against your current CCP clearing relationships (June 24, 2025 deadline)
• Reconcile EU (203 fields) and UK (204 fields) EMIR Refit reporting requirements for dual-reporting counterparties
• Conduct annual independent audit of KYC/AML program effectiveness with findings reported to board-level risk committee

Your Next Step

Pull your current counterparty list and run a beneficial ownership freshness check today. Export every active OTC counterparty, note the date of last beneficial ownership verification, and flag any record older than 12 months. For each flagged counterparty, initiate an updated CDD review starting with the 25% equity ownership verification and FATF jurisdiction screening. This single exercise will identify your largest immediate compliance gaps—and give you a defensible record of proactive monitoring if regulators come asking.

For related operational frameworks, see Onboarding New Counterparties for the full pre-trade workflow and Internal Audit Checklists for Derivative Programs for board-level reporting templates.