
AML Compliance Guide for Buy Now Pay Later (BNPL)
A compliance guide for BNPL providers covering the AML risk profile of buy now pay later products, the regulatory patchwork across the US, EU, and UK, and how to build a screening and monitoring framework that satisfies AML obligations without destroying conversion rates.
Buy now pay later credit has grown from a checkout novelty into a mainstream consumer credit product, with global transaction volumes running into the hundreds of billions annually. That growth has brought regulatory and financial crime attention in equal measure. BNPL's defining features (high-volume onboarding, low-friction identity checks, small individual transaction values, and split payment structures) are precisely the characteristics that make it attractive to bad actors and difficult for compliance teams to manage.
The product is not inherently high-risk in the way that cross-border cryptocurrency transfers are, but its structural design creates specific AML vulnerabilities that standard compliance frameworks designed for traditional credit products do not adequately address. This article maps the risk profile unique to BNPL, explains where the regulatory landscape currently stands across key markets, and sets out how to build a screening and monitoring framework calibrated to the product's operational reality.
The BNPL AML Risk Profile
Synthetic Identity Fraud at Scale
BNPL's customer acquisition model is built around speed. Approval decisions are made in seconds, often based on limited identity data. That creates a favorable environment for synthetic identity fraud, where a fabricated identity, combining real and fictitious data elements, passes onboarding checks that were designed to reduce friction rather than to verify deeply. Regulators have flagged potential gaps in fraud prevention and customer identity verification, particularly in platforms operating outside the frameworks that apply to traditional financial institutions.
The synthetic identity problem in BNPL differs from its equivalent in traditional credit because the ticket size per transaction is lower, but the ability to open multiple accounts across providers is higher. A fraudster with a credible synthetic identity can open accounts with several BNPL providers simultaneously, accumulate credit, and default without any single provider having visibility of the aggregate exposure. The distributed nature of the fraud complicates both detection and SAR filing, since no single institution has a complete picture of the pattern.
Micro-Transaction Layering
BNPL's installment structure creates a layering vehicle that conventional transaction monitoring rules miss. A bad actor converting illicit funds via BNPL typically uses the product to purchase goods with criminal proceeds presented as legitimate income, then resells the goods or exploits merchant return policies to extract clean funds.
The individual transaction values are low enough to fall below most monitoring thresholds, and the installment structure spreads the activity across multiple payment dates, further diluting the pattern. When this is coordinated across multiple accounts and multiple merchants, detecting it requires behavioral monitoring that aggregates across the customer lifecycle, not just individual transaction screening.
Abuse of Soft Credit Lines
BNPL lenders approved 67 percent of applications in the 2020 to 2021 period. High approval rates are a commercial design feature of BNPL, not a compliance failure in isolation, but they create a credit accessibility that is easily exploited. The absence of hard credit checks at onboarding, combined with the ability to stack loans across multiple providers, means that the product can be used as a conduit for funds that would not survive the scrutiny applied to a bank account opening or a conventional loan application.
The Regulatory Landscape
United States
The US BNPL regulatory environment is a patchwork following the CFPB's withdrawal of its 2024 interpretive rule. On May 12, 2025, the CFPB withdrew several guidance documents, including the 2024 BNPL Interpretive Rule, and has stated it does not intend to reissue a revised BNPL rule. The result is that federal-level oversight has receded, and enforcement is now primarily at the state level. New York has passed BNPL oversight laws, California regulates BNPL under the California Financing Law, and Maryland has ruled that BNPL transactions count as loans under state law, requiring providers to hold a license.
From a BSA/AML perspective, BNPL providers that are licensed as money transmitters or that hold state lending licenses remain subject to BSA requirements administered by FinCEN, including the obligation to maintain an AML program, file SARs, and conduct customer due diligence. The withdrawal of the CFPB interpretive rule does not remove these obligations. It removes a layer of consumer protection requirements, not AML requirements.
European Union
EU member states had to implement the Consumer Credit Directive II by the end of 2025, with the directive coming into force in 2026. CCD II extends credit regulation to BNPL products that were previously exempted from the original Consumer Credit Directive on the basis of short duration or low value. Under CCD II, BNPL providers offering credit within scope must conduct affordability assessments, provide standardized pre-contractual disclosures, and comply with the AML obligations that apply to credit institutions and financial institutions under the EU AML Regulation. BNPL providers operating as obliged entities under the AMLR will be subject to the same CDD, sanctions screening, PEP checking, and suspicious transaction reporting requirements as any other financial institution.
United Kingdom
The UK FCA's BNPL regulatory regime is still in development. The FCA has consulted on bringing BNPL into the Consumer Credit Act framework, but the implementing legislation has not yet passed as of mid-2026. Providers operating in the UK that are already FCA-authorized, whether as credit brokers, consumer credit firms, or under other permissions, remain subject to the FCA's existing AML requirements under the Money Laundering Regulations 2017. BNPL providers that are not yet FCA-authorized are operating in a window that is narrowing, and compliance teams should be building programs that will satisfy FCA authorization requirements when they arrive.
Australia
Australia's Treasury Laws Amendment Act 2024 extended the National Credit Code to BNPL products as credit products, with the new regime taking full effect in June 2025, requiring BNPL providers to hold a credit license and become members of the Australian Financial Complaints Authority.
Building a BNPL-Calibrated AML Framework
KYC Without Killing Conversions
The tension between BNPL's conversion-driven business model and AML's identity verification requirements is real, but it is not irresolvable. The compliance approach that works in BNPL is a tiered model where the depth of verification is calibrated to the risk level of the transaction, the customer's behavior over time, and the applicable regulatory threshold.
At the lowest tier, a customer making a first purchase under a defined threshold can proceed with a simplified identity check that confirms the identity is real without requiring document upload or facial biometrics. The check should still include sanctions screening and an adverse media query at the point of application.
At the upper tier, customers approaching elevated credit limits, demonstrating unusual purchase or repayment patterns, or presenting from high-risk jurisdictions should trigger full CDD before further credit is extended.
The key design principle is that verification is triggered by risk indicators, not by a single transaction value threshold, and that the monitoring system can aggregate behavior across the customer lifecycle to identify when a low-tier customer's pattern warrants elevation.
Sanctions and PEP Screening
Sanctions and PEP screening must occur at onboarding, not as a post-approval back-office check. In a BNPL context, where the approval decision is made in seconds, this requires an API-integrated screening call that returns a result within the onboarding decision window.
Screening must cover the OFAC SDN list where US-nexus applies, the EU consolidated list for EU operators, the UN Security Council Consolidated List, and the UK OFSI list for UK operators. PEP screening is relevant in BNPL because PEPs are not immune from using consumer credit products, and the source of funds associated with a PEP's purchases may warrant investigation even where the individual transaction value is low.
Transaction Monitoring for Split Payments
Monitoring BNPL transactions requires rules calibrated to the installment structure, not rules copied from a single-payment product. Red flags specific to BNPL include:
- Rapid escalation in credit utilization across multiple providers within a short window
- Consistent full utilization followed by minimum repayment patterns
- Purchase patterns concentrated in high-resale categories: electronics, luxury goods, gift cards
- Returns that exceed purchase value, exploiting merchant return policies
- Multiple accounts registered to variants of the same name or the same device identifier
- Repayment using sources inconsistent with the customer's stated income profile
See our Transaction Monitoring Guide for more information.
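A monitoring rule of the kind described above and under Micro-Transaction Layering, written as an added example (not code from this guide or from any vendor): it links accounts that share a device identifier or a normalized name variant, then sums purchases that each sit below a per-transaction limit across the linked cluster. The thresholds, category labels, record layout, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
import unicodedata
# All thresholds and category names below are illustrative assumptions.
PER_TXN_LIMIT, CLUSTER_LIMIT, WINDOW = 500, 2000, timedelta(days=30)
HIGH_RESALE = {"electronics", "luxury", "gift_card"}

def norm_name(name):
    """Fold case, accents, punctuation and word order so name variants collide."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = "".join(ch for ch in s.lower() if ch.isalpha() or ch == " ")
    return " ".join(sorted(s.split()))

def cluster_accounts(accounts):
    """Union-find: link accounts sharing a device ID or a normalized name."""
    parent = {acc_id: acc_id for acc_id, _, _ in accounts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    seen = {}
    for acc_id, name, device in accounts:
        for key in (("device", device), ("name", norm_name(name))):
            parent[find(acc_id)] = find(seen.setdefault(key, acc_id))
    return {acc_id: find(acc_id) for acc_id in parent}

def layering_alerts(accounts, purchases, as_of):
    """Flag multi-account clusters whose sub-limit purchases sum past CLUSTER_LIMIT."""
    root = cluster_accounts(accounts)
    agg = defaultdict(lambda: {"total": 0, "resale": 0, "accounts": set()})
    for acc_id, when, amount, category in purchases:
        if as_of - when > WINDOW or amount >= PER_TXN_LIMIT:
            continue  # out of window, or already covered by the per-transaction rule
        c = agg[root[acc_id]]
        c["total"] += amount
        c["resale"] += amount if category in HIGH_RESALE else 0
        c["accounts"].add(acc_id)
    return [(sorted(c["accounts"]), c["total"], round(c["resale"] / c["total"], 2))
            for c in agg.values()
            if c["total"] >= CLUSTER_LIMIT and len(c["accounts"]) > 1]

# Constructed sample data: (account, name, device) and (account, date, amount, category).
ACCOUNTS = [("A1", "Ana Perez", "D1"), ("A2", "PEREZ, Ana", "D2"),
            ("A3", "A. Peres", "D2"), ("A4", "Ben Cole", "D9")]
PURCHASES = [("A1", date(2025, 3, 5), 450, "electronics"), ("A1", date(2025, 3, 12), 480, "gift_card"),
             ("A2", date(2025, 3, 8), 490, "electronics"), ("A2", date(2025, 3, 20), 400, "apparel"),
             ("A3", date(2025, 3, 15), 470, "gift_card"), ("A4", date(2025, 3, 11), 450, "electronics"),
             ("A1", date(2025, 1, 2), 499, "electronics")]
ALERTS = layering_alerts(ACCOUNTS, PURCHASES, date(2025, 3, 31))
```

Each alert is a tuple of linked account IDs, the in-window aggregate, and the share of that aggregate spent in high-resale categories, which is the context a case record needs to support a SAR narrative.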
SAR Filing
The obligation to file a SAR is triggered by suspicion, not certainty. In a high-volume BNPL environment, the practical challenge is building enough context in the case management system to support a SAR narrative for patterns that are anomalous rather than obviously fraudulent. Transaction monitoring rules should generate case records that aggregate the relevant behavioral signals, and the case management process should document how the analyst moved from alert to SAR decision.
The SAR narrative for a BNPL-specific pattern should explain the installment structure, the behavioral anomaly, and why the combination of factors raises suspicion of money laundering rather than, for instance, simple credit fraud.
Conclusion
BNPL's regulatory treatment is converging toward conventional consumer credit in most major markets, and the AML obligations that follow from that convergence are substantive. Compliance teams that build their BNPL programs on the assumption that the product's low transaction values or short credit durations exempt them from meaningful AML obligations will find that assumption challenged by regulators and by the risk exposures that synthetic identity fraud and micro-transaction layering create at scale.
