March 24, 2026

AML proof of address: what regulators expect

Anti-money laundering (AML) regulations require businesses to verify their customers' residential addresses as part of customer due diligence (CDD). But the specifics, which documents count, how recent they need to be, and what constitutes adequate verification, vary across jurisdictions and are often buried in guidance notes rather than spelled out in statute.

This article covers what regulators actually expect for AML proof of address verification, where companies most commonly fall short, and how to build a process that holds up during an audit.

Why address verification matters for AML

Address verification isn't bureaucratic box-ticking. It serves specific purposes within the AML framework:

• Jurisdictional risk assessment: a customer's residential address determines which jurisdiction's rules apply, affects their risk rating, and may trigger enhanced due diligence if they're in a high-risk country
• Identity corroboration: matching a name and address on a utility bill against an identity document provides independent corroboration that the person exists at the stated address
• Fraud detection: synthetic identities and stolen credentials often fail at the address verification stage because the fraudster can't produce a genuine, recent document showing the victim's name at a controlled address
• Sanctions screening context: confirmed addresses help distinguish between individuals with similar names on sanctions and PEP lists

When address verification is weak or inconsistent, it creates a gap in the overall CDD process that regulators will identify, and that money launderers can exploit.

What each major AML regime requires

European Union: AMLD and AMLR

The EU's Anti-Money Laundering Directives (currently the 6th AMLD) require obliged entities to identify and verify the identity of their customers using "reliable, independent source documents, data or information." Address verification is part of this standard CDD obligation.

The upcoming AML Regulation (AMLR) will replace the directive framework with directly applicable regulations, harmonising requirements across all EU member states. Key changes relevant to address verification include:

• More explicit requirements for documentary verification of address
• Standardised risk factors for determining when enhanced due diligence is required
• Clearer rules on acceptable electronic verification methods
• Establishment of the Anti-Money Laundering Authority (AMLA) as a central supervisory body

In practice, most EU-regulated entities accept utility bills, bank statements, and government-issued correspondence dated within the last 3 months.

United States: BSA and FinCEN

Under the Bank Secrecy Act, financial institutions must comply with FinCEN's Customer Identification Program (CIP) rule, which requires verification of customer identity including name, date of birth, address, and identification number.

The CIP rule allows both documentary and non-documentary verification methods for address. Documentary methods include government-issued identification showing the address, utility bills, and similar documents. Non-documentary methods include checking the address against consumer reporting agency data, public databases, or other reliable sources.

US regulations are generally more flexible on specific document requirements but more prescriptive about record-keeping. The key requirement is that your verification method is "reasonable" and that you document what you did and why.

United Kingdom: FCA and JMLSG

The FCA requires regulated firms to verify customer identity "to a standard commensurate with the money laundering risk." The Joint Money Laundering Steering Group (JMLSG) guidance provides detailed, practical requirements:

• A recent utility bill (gas, electricity, water, landline phone) or bank/building society statement is the standard documentary evidence for address
• "Recent" generally means within the last 3 months, though annual documents like council tax bills are accepted within 12 months
• The document must be from an independent, reputable source
• Electronic verification using credit reference agency data is an accepted alternative

The JMLSG guidance is notable for being specific and practical, it lists exactly which document types are and aren't acceptable, making it a useful reference even for firms operating outside the UK.

Singapore: MAS Notice

The Monetary Authority of Singapore requires financial institutions to verify customer identity, including residential address, as part of CDD. MAS Notice 626 (for banks) specifies that address verification should use "reliable and independent source documents, data or information."

Accepted documents include utility bills, bank statements, and government-issued correspondence. Singapore places particular emphasis on ongoing monitoring and re-verification when customer information changes.

Australia: AUSTRAC

Under Australia's AML/CTF Act, reporting entities must verify customer identity before providing designated services. The AML/CTF Rules specify a "safe harbour" approach where entities can rely on specific combinations of identity documents.

For address verification specifically, AUSTRAC accepts utility bills, rates notices, and government correspondence. Australia is relatively advanced in accepting electronic verification methods alongside traditional documentary approaches.

Canada: FINTRAC

Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires reporting entities to verify customer identity and, as part of that, confirm residential address. FINTRAC guidance specifies acceptable methods including documentary verification (utility bills, government correspondence) and electronic verification using reliable data sources.

The documents that count

Across jurisdictions, there's broad consensus on which documents are reliable for AML address verification:

Generally accepted

• Utility bills: gas, electricity, water, and landline telephone. The most universally accepted category because they're issued by independent companies to a physical address.
• Bank or building society statements: monthly or quarterly statements showing customer name and address. Increasingly accepted in digital PDF format.
• Government correspondence: tax notices (e.g., council tax, income tax assessments), voter registration confirmations, social security letters, benefits notifications.
• Insurance documents: home or life insurance policy schedules or renewal letters.
• Mortgage statements: from a recognised mortgage provider, confirming the property address.

Generally not accepted

• Mobile phone bills: widely considered unreliable because the billing address may not reflect the customer's residential address
• Screenshots or app exports: too easy to manipulate; most regulators require original documents or official digital exports
• Delivery confirmations: prove a package was delivered, not that someone lives there
• Self-issued or self-certified documents: lack the independent verification that AML requires
• Business address documents: unless the business address is also the customer's confirmed residential address

Recency requirements

Document age is one of the most frequently cited issues in AML audits. The general standard across most jurisdictions:

• 3 months: the default for most document types in most jurisdictions. EU, UK, Singapore, and most other regulators require utility bills and bank statements to be dated within the last 3 months.
• 6 months: some jurisdictions allow this for lower-risk customers or for certain document types.
• 12 months: typically reserved for annual documents like tax assessments or council tax bills that are only issued once per year.

An important subtlety: the relevant date is the document's issue date or statement period, not the date the customer submits it. A utility bill dated January 5 that's submitted on April 10 is more than 3 months old, regardless of when the customer scanned it.

Common audit findings

When regulators or internal auditors examine AML address verification processes, these are the issues they find most often:

1. No documented process

The firm verifies addresses but hasn't written down what documents they accept, what thresholds they apply, or how decisions are made. Regulators expect a documented policy that staff follow consistently.

2. Inconsistent application

Different team members apply different standards. One analyst accepts a document another would reject. The same document type is treated differently depending on who reviews it. This is both a compliance risk and a fairness issue.

3. Expired documents accepted

Documents older than the stated policy threshold are accepted without justification. This is especially common when teams are under pressure to clear backlogs or when document dates are in unfamiliar formats.

4. Insufficient record-keeping

The verification was done, but the evidence trail is incomplete. The original document isn't retained, or there's no record of what was checked and by whom. Regulators need to see not just the decision but the reasoning.

5. No risk-based differentiation

The same verification standard is applied to all customers regardless of risk. AML frameworks require a risk-based approach, higher-risk customers should face enhanced due diligence, which may mean stricter document requirements, tighter recency windows, or multiple document checks.

6. Non-Latin documents mishandled

Documents in Arabic, Cyrillic, Chinese, or other non-Latin scripts are either rejected outright (losing legitimate customers) or accepted without proper verification (creating compliance risk). Neither approach is adequate.

Building a defensible process

Based on what regulators look for, an adequate AML address verification process should include:

1. A written policy: document which document types you accept, your recency requirements, and your matching criteria. Update it when regulations change.
2. Consistent application: apply the same rules to every verification. Automated systems do this inherently; manual processes need clear checklists and quality assurance.
3. Risk-based tiers: define what standard CDD and enhanced due diligence look like for address verification specifically. Higher-risk customers may need more recent documents, multiple documents, or tighter match thresholds.
4. Complete audit trails: for every verification, record what document was submitted, what data was extracted, what it was compared against, the match result, and the decision. Retain this for the period required by your regulator.
5. Multi-language capability: if you onboard international customers, you need a process that handles documents in any language reliably, not just European languages.
6. Regular review: audit your own address verification process periodically. Are the rules being followed? Are there patterns in rejections that suggest the process needs updating?

How automation strengthens AML address checks

Manual document review struggles with consistency, speed, and multi-language support, exactly the areas where AML audits find the most problems. Automated verification addresses these directly:

• Consistency: every document is evaluated against the same rules, every time. A match score of 0.85 is either above your threshold or it isn't. No subjective judgment, no variation between reviewers.
• Speed: automated checks complete in seconds, reducing onboarding time from days to minutes. Your team focuses on edge cases and high-risk decisions rather than routine document review.
• Audit trails: every verification automatically produces a detailed record with extracted data, match scores, reasoning, and timestamps. This is exactly what auditors want to see.
• Multi-language support: AI-powered extraction handles documents in any script, with automatic transliteration for cross-script matching. No need for language-specialist reviewers.
• Configurable rules: set match thresholds, recency requirements, and accepted document types to match your policy. Adjust them as regulations change, and the new rules apply immediately to all future verifications.

Automating AML address verification with trusqo

trusqo automates proof of address verification for AML compliance teams. Send a document via API with the expected name and address, and trusqo extracts structured data, runs fuzzy matching, validates document recency, and returns a pass/fail verdict with detailed scores and reasoning.

For AML-specific use cases:

• Configurable match thresholds that map to your CDD and EDD policies
• Automatic document age validation, reject documents older than your regulatory requirement
• PDF audit reports with extracted data, match scores, and decision reasoning
• Support for documents in any language and script, with Latin transliteration
• EU-hosted, GDPR-native data handling

See the AML compliance use case for more details, or read the API documentation to get started.