Form Validations and Business validations - Controller and Service layer

This might not be one layer....
Behind the form each field should (must?) be validated. A data field should contain a valid data, an string field a string (possibly parsed for illegal characters like ' "etc. or syntax validated if specific syntax is required.) numeric field should be numerix, hexadecimal field hex. valuta fields should contain valid numbers.  A mailaddress should look like a valid mail address (somestring@somedomain, where somedomain is a dotted string with at leas one .) etc.etc.  (optional fields may be empty, non optional field MUST hold valid data).
(This is mostly called marshalling of data).

Then if some string field means it should be a valid persons name is the next level just like if a valuta field holds USD, JPY, EUR  amounts or
if the mail address is already known etc. etc. (the later mostly are business rules).
But business rules "SHOULD" not have to worry about the syntactic validity of an Email address...

Where you solve it is a design decision but do expect the business layer to be access through forms as well other API's...
so maybe the form should do the checks and handle it in a user friendly way warning of the problems a submission will face.
Where the API/Business side just balks at first error and refuses to handle the data.

Not clear on the explanation. could you please explain about which layer the validations should fall?