Skip to main content
AML screening checks a person’s or company’s identity against global lists — sanctions, PEP, adverse media — and returns the analysis result with its risk level. It is a pure compliance product: it does not verify identity with documents or a liveness check (that is KYC/KYB verification); it analyzes whether the identity carries list risk.
Breaking change (v1.34): this product used to live at POST /v1/kyc, /v1/kyc/rescreen and PATCH /v1/kyc/monitoring. Those routes were removed and are now POST /v1/aml/screenings, POST /v1/aml/rescreen and PATCH /v1/aml/monitoring (same semantics, same fees). The /v1/kyc/... routes now belong to identity verification, a different product.
If CBPay configured a compliance fee, it is debited before the call (you will see compliance_fee in the response) and automatically refunded if the screening fails. With a fee of 0 the service is free for you. Requires your own approved identity verification.

Catalogs to build your form

Before building the screening (or verification) form, fetch the official catalogs with GET /v1/aml/catalogs: genders, company statuses, address types, legal entity forms (global list plus per-country cascade), income/wealth sources, industry standards with their per-country default, and the full ISO-3166 country and subdivision lists. Every entry carries value (what you send to the API) and label (what you display). Static data — safe to cache for hours.
Cascades: the company’s country fixes its legal forms (company_types_by_country[country], falling back to company_types) and its industry standard (industry_code_type_by_country[country], default ISIC); with that standard you take the codes from industries_by_code_type[standard].

Submit a screening

One endpoint for person and company; the type is detected from the payload (other differences between account types are summarized in persons and companies):
If you omit person/company, it is filled from your account data (the person/company type comes from your account type). The customer object accepts many more fields, all optional, forwarded verbatim to the screening engine: the more identity data you send, the more precise the analysis — date of birth, countries and strong documents rule out namesakes and reduce false positives.
The screening engine is strict about shapes and rejects mismatches with 422: inside company, do not send flat fields like tax_id, registration_number or country_of_incorporation (the identifier goes in registration_authority_identification and the country in place_of_registration); inside person, date_of_birth goes ONLY as a {year, month, day} object, nationality as an array, and personal_identification[] without a type field (verified live 2026-07-18).
A query with exactly the same identity data reuses the previous screening (no new charge). Adding or changing identity fields (name, date, country, document, alias) makes the search more specific and runs — and bills — a new screening. Cosmetic fields (email, phone, textual address) do not change the matching.
201 response — person and company share the same shape; only compliance_service changes (compliance_person vs compliance_company, each with its own fee):

Rescreening

Re-runs the analysis of the same identity (e.g. after a data change or on a periodic policy). No body — it uses the customer_id of your previous screening:
200 response (bills compliance_rescreen, when configured):
Requires a previous screening; otherwise 409 no_screening.

Continuous monitoring

Enables (or disables) permanent watch over the identity — list changes, PEP, adverse media. Updates arrive via the aml_screening_updated webhook:
200 response:
When disabling, compliance_fee returns "0.000000" — disabling is always free.

Screening PDF report

Every screening in your history can be downloaded as an executive PDF report with your branding: a cover page with the decision and its risk traffic light, indicators (sanctions, watchlists, PEP, terrorism, narcotics, adverse media, fraud, corruption, arms), the consolidated matches with their lists and links, aliases, a signal glossary and a final backing section with the international data sources consulted. It is the document you hand to an auditor or a counterparty as evidence of the analysis. First locate the screening_id in your history:
Then download the report (pure read — no fee, no idempotency key):
The response is application/pdf with a descriptive Content-Disposition filename. lang accepts en (default), es and zh; any other value returns 400 invalid_language. A screening_id that belongs to another account returns 404.
The report is generated from the screening’s persisted evidence, so it is always available even if the compliance engine is down. The analysis data (list names, media headlines) stays in its original language; only the report labels are translated.

Webhook

Example payload:
Subscribe the same way as every other event (see Webhooks).

Errors

FAQ

Screening checks an identity against lists (sanctions, PEP, adverse media) — no documents involved. KYC/KYB verification proves the person/company is who they claim to be, with a form, documents and a video liveness check. They complement each other: verify identity with KYC/KYB and watch its risk with AML.
Yes: the customer object accepts any identity, not only your account’s. Each screening bills its fee (person or company depending on the payload).
No. Since v1.34 your account’s kyc_status is managed exclusively by the KYC/KYB identity verification (your onboarding). Screening only evaluates list risk.
The history and the PDF report are generated from each screening’s persisted evidence, available for operations executed since the history exists (v1.55). Screenings older than that version have no persisted evidence, so they do not appear in GET /v1/aml/screenings and cannot download a report. If you need the document, run a new screening of the same identity (identical data reuses the previous result without a new charge) and download its report.
Last modified on July 18, 2026