Firm policies, controls, and procedures

Every UK accounting firm is legally required to have AML policies, controls and procedures in place. These three components form the framework for how your firm manages its AML responsibilities in practice.

  • Policies define your firm’s commitment to compliance and outline its principles and expectations
  • Controls are the safeguards used to reduce AML risks and enforce those policies
  • Procedures are step-by-step instructions that staff follow to carry out their AML responsibilities

Together, they show how your firm understands AML risk and how it plans to stay compliant.

Why these documents matter

Strong AML policies, controls and procedures are a legal requirement under regulation 19 of the Money Laundering Regulations (MLR 2017). But beyond compliance, they also:

  • Help your team know what’s expected of them
  • Reduce the risk of mistakes or oversight
  • Provide evidence of compliance in case of a regulatory inspection
  • Create consistency across the firm, even as teams grow or change

Supervisors frequently cite weak or generic AML documentation as a cause of non-compliance. Your framework must be tailored to your firm’s size, services, client base and risk exposure.

How to build your AML policy, controls, and procedures framework

Your policies, controls and procedures should work together to reflect the actual risks your firm faces — and the way your services are delivered. While some elements are prescribed in law, much of the detail depends on your own operations.

1. AML policies

Policies define what your firm is aiming to do and why. They set the tone for your AML approach and outline who is responsible for what.

A good AML policy should include:

Purpose and scope

  • A clear statement of the firm’s commitment to AML compliance
  • How the policy applies across the business

Relevant legislation and guidance

  • References to key laws (e.g. POCA, the Terrorism Act 2000, MLR 2017)
  • Links to government and professional body guidance (e.g. AMLGAS, CCAB, FATF)

Roles and responsibilities

  • Who holds the role of MLRO (or equivalent Compliance/Nominated Officer)
  • What other senior management and staff are expected to do
  • A definition of “relevant employees” under the regulations

Risk management

  • How the firm identifies and assesses AML risk
  • The factors considered (e.g. client type, services, geography)

Monitoring and reporting

  • How the firm monitors clients and services for suspicious activity
  • How and when to report concerns internally and externally

Record keeping

  • What records are kept and for how long
  • Where they’re stored and how they’re protected

Internal controls and training

  • How staff are screened and trained
  • How policies are reviewed, updated, and communicated

Policies should also address other areas specific to your firm, such as your position on trust and company services or your use of client accounts.

2. AML risk

A strong AML framework depends on a clear understanding of risk.

Risk includes:

  • The chance your firm is used to move or conceal criminal property
  • The risk of failing to identify suspicious activity
  • Reputational or regulatory damage from non-compliance

The UK’s National Risk Assessment (2020) makes clear that the highest risk occurs when firms don’t fully understand AML threats or fail to apply proportionate controls. FATF has also flagged that smaller firms can be particularly vulnerable due to lack of training or understanding.

You’re not expected to eliminate all risk — but you are expected to understand it, assess it, and respond proportionately.

3. AML controls

Controls are the actions and checks that reduce your firm’s exposure to AML risk. They support your AML policies and help ensure consistent behaviour across the business.

Under regulation 21 of MLR 2017, key AML controls include:

Senior management oversight

  • A designated MLRO or Compliance Officer responsible for AML compliance
  • Board or leadership engagement where applicable

Employee screening and training

  • Background checks before and during employment
  • Ongoing training for relevant employees
  • Documentation of attendance and materials covered

Independent review

  • An internal audit function (where appropriate) that evaluates your AML controls
  • Proportional to the size and structure of your firm

These controls help detect and prevent money laundering, and ensure your AML approach stays effective as your firm evolves.

4. AML procedures

Procedures are the practical instructions staff follow to apply your AML policies and controls. They explain how to carry out tasks, who’s involved, and what documentation is required.

Key procedures should cover:

Client onboarding and due diligence

  • Steps for collecting CDD information
  • Assessing client risk
  • Verifying identity
  • Issuing engagement letters and communicating with previous accountants

Record keeping

  • What records are required
  • How they’re stored (digital or physical)
  • Retention and destruction timeframes
  • Protection of sensitive data

Suspicious activity reporting (SARs)

  • What counts as suspicious
  • How to raise internal reports
  • What the MLRO does next
  • How to file a SAR

Employee training

  • Identifying who needs training
  • How it’s delivered and how often
  • Recording participation and updates

You may also want to document procedures for:

  • AML compliance reviews
  • Employee screening
  • Reliance on third parties

Firms should support their procedures with checklists and templates to keep things consistent and auditable.

Summary

AML policies, controls and procedures form the foundation of your compliance framework. They show regulators — and your team — how seriously your firm takes its AML obligations.

To stay compliant:

  • Define clear, tailored AML policies based on your risks and services
  • Put controls in place to monitor, review and improve your AML processes
  • Create step-by-step procedures so staff know exactly what to do
  • Regularly review and update your documentation to reflect changes in law, risk, or your firm’s operations

By combining all three elements — policies, controls and procedures — you build a robust, risk-based approach to AML compliance and a clear roadmap for your team to follow.

This article was summarised by the Firmcheck content team. The original content was written by an independent AML expert and is available on our blog.
