Nexto
HomeBlogCompliance & risk
Compliance & risk

AML and KYC for Currency Exchanges, in Plain English

Customer due diligence and anti-money laundering without legal jargon. What to record, which behaviors are real red flags, and why it protects your business even when the law does not force you.

10 min read · Nexto team · Last updated: July 16, 2026

Most texts about AML are written for lawyers. This one is written for the person who will be behind the counter tomorrow morning and has to decide whether to accept this customer or not.

This article is not legal advice. Laws differ by country and change regularly. Here we explain the logic of the work; for exact thresholds and legal articles, check the official authority in your own country.

What is the difference between KYC and AML?

People use these two interchangeably all the time, but they are two different jobs:

  • KYC means “know your customer.” It is a start-of-relationship task: who is this person, what do they do, and what volume should we expect from them?
  • AML means “anti-money laundering.” It is an ongoing task: does this person’s behavior today match what they said during KYC?

In plain terms: KYC is a photo, AML is a film. A photo without the film is useless — a passport copy gathering dust in a folder protects no one from anything.

Why it matters, even if the law does not force you

Let’s be honest: many exchange businesses in the region operate in an environment where direct regulatory pressure is low. So why bother?

1. Banking and corridor risk. If your bank or corridor partner feels it does not know where the money comes from, it will close the account/access. Explaining after closure almost never works. Most exchange businesses do not die because of a legal ruling; they die because they lose their route.

2. Partner risk. Your counterparty exchange in Dubai or Istanbul judges you by how cleanly you operate. A good track record means better rates, higher limits, and more trust. These are money.

3. Personal risk. If dirty money passes through your hands, “I did not know” is a weak defense. The question is always: “Should you have known?” And the answer depends on what you recorded.

4. The value of the business itself. An exchange business with orderly records can be sold, partnered with, and scaled. An exchange business where everything is in the owner’s head only has value as long as the owner is there.

The three layers that make up the whole story

Layer 1: Identification

Before the first meaningful transaction, know who the party is. The minimums:

  • Identity: full name, valid and dated identity document, date of birth, nationality.
  • Contact: a number that actually works (verified, not merely written down).
  • Occupation and source of income: the most important field, and the one everyone leaves alone. “Trader” means nothing. “Imports auto parts from China, USD 30,000 to 50,000 per month” means something.
  • Purpose of the relationship: why they came to you and what volume we expect.

For legal entities, one step further: who is the ultimate beneficial owner (UBO)? A company that is registered but whose real backer is unclear is exactly the tool used for concealment.

Layer 2: Monitoring

Measure every transaction against what was stated in Layer 1. The question is always the same:

Does this behavior match what this person said about themselves?

A teacher who used to exchange USD 200 a month and suddenly brings USD 80,000 is not necessarily a criminal — maybe they sold a house. But you must have asked and you must have recorded the answer. That is the whole story: not harassing, not looking away. Ask and write it down.

Layer 3: Retention and reporting

  • Keep the records. The common international standard is at least five years after the end of the relationship. That means documents, transactions, and decision notes — all of it.
  • Know the reporting route. If you operate in a country with a financial intelligence unit (FIU), know where and how a suspicious transaction report is filed — before you need it.
  • One person must be responsible. Even in a five-person exchange business, one person has to own this file. Shared responsibility means no responsibility.

Real red flags

These are not a theoretical list; these are things seen at the counter:

  • Structuring the amount. Instead of one large transaction, several smaller transactions, each slightly below the reporting threshold. If the customer knows the threshold and stays exactly below it, that is a signal in itself.
  • Third party. One person brings the money, another person receives it; or the destination IBAN is in someone else’s name. Sometimes there is a simple explanation. But it must be asked and recorded.
  • Indifference to the rate. A normal customer negotiates. Someone who does not care at all how much you charge usually sees the fee as the cost of something else.
  • Unusual urgency and pressure. “It has to go right now” together with resistance to any question.
  • Sudden change in pattern. A quiet two-year customer suddenly becomes ten times bigger, or their corridor changes completely.
  • Multiple unrelated accounts. Money comes from five accounts in the names of five people with no clear connection to each other.
  • Refusal or vague documents. “I’ll bring it later” that never arrives; or a document that proves nothing.
  • In crypto: addresses with mixer history, amounts that have been moved several times immediately, or insistence on a network that is harder to trace.

None of these alone is a crime. But two or three of them together means it is time to ask — and if the answer is not convincing, it is time to say no.

Saying no is your right. The customer you lose has a cost; the customer who gets your banking route closed costs the whole business.

Regional differences — the broad map

The regulatory environment in the main markets of this region is not the same:

  • Iran: It is on the FATF high-risk list (counter-measures). In practice, that means any transaction with an Iran footprint receives a higher level of review at foreign banks — regardless of how cleanly you operate. Exchange businesses are licensed under the Central Bank.
  • Turkey: The supervisory authority is MASAK, and exchange businesses operate as authorized institutions. Turkey was removed from the FATF grey list in 2024; the result has been stricter supervision, not easier supervision. Periodic identification thresholds are updated — get the current figure from MASAK itself, not from hearsay.
  • UAE: The Central Bank of the UAE licenses exchange businesses, and reporting is done through the FIU system. The UAE was also removed from the grey list in 2024, precisely because enforcement became tougher. Here, the expectation of complete documentation is a daily reality, not a recommendation.
  • Iraq: The Central Bank of Iraq licenses exchange companies in different categories, and in recent years currency controls and documentation requirements have become noticeably stricter.

The practical summary: the direction of travel across the whole region is the same — tougher. Nowhere is going to become easier. An exchange business whose records are orderly today will simply keep operating tomorrow; the rest will have to make up for years of backlog at the worst possible time.

Four common mistakes

  1. KYC as archiving. Collecting document copies without ever connecting them to transactions. This is paperwork, not compliance.
  2. Only new customers. A ten-year customer whose ID has expired and whose job has changed has an incomplete file — and those are exactly the customers with the highest volume.
  3. An unrecorded red flag. The operator saw something, asked, was satisfied, and wrote it nowhere. From any auditor’s point of view, that conversation never happened.
  4. The file in people’s heads. “Hassan is an old customer, we know him.” When Hassan leaves, that sentence leaves with him.

The role of software

Compliance is inherently a data problem, not a moral problem. If recording a question and answer is hard, it will not be recorded on a busy day. And the busy day is exactly the day that matters.

A few things you should expect from your system:

  • The customer file next to the customer itself — documents, numbers, and notes, not in a separate folder.
  • Private notes on the account — a place for “I asked, he said he sold a house, I saw the deed” with a timestamp and user.
  • An undeniable audit trail — every change with name and time, so three years later you can prove what you saw and when.
  • Real reporting on every dimension — customer, period, currency, corridor, volume — so you see the anomaly before others do.
  • Automated checksIBAN lookup and identity checks that happen in the right place in the form, with the result remaining in the file.

Nexto provides these: customer files, private notes, a complete audit trail for every document, Excel and PDF output from every report, and checks that happen inside the workflow itself, not in another tab.

Where should you start?

If you have nothing today, you do not need to launch a six-month project. Three steps, in this order:

  1. Complete your top twenty customers. They have the highest volume and the highest risk. Do not try to complete 2,000 files.
  2. Make the “source of income” field mandatory for every new customer. Just that, starting tomorrow.
  3. Build the note-taking habit. Every time you ask a question, write the answer on the account. It takes thirty seconds and is worth three years.

Three months later, you have a file that actually defends you — instead of a folder full of passport copies that defends no one.

Summary

AML is not a form, it is a habit: ask, write, keep. KYC is the photo and AML is the film; without the film, the photo is worthless.

And its main motive is not fear of fines — it is survival. In a market where banking routes get narrower every year, the exchange business that can show where its money came from is the last one whose route gets closed.

See all of this inside Nexto

A complete, private instance with sample data — no install, no credit card.

Create free demo
Chat on WhatsApp