Firm policies, controls, and procedures

‍Why these documents matter

Strong AML policies, controls and procedures are a legal requirement under regulation 19 of the Money Laundering Regulations (MLR 2017). But beyond compliance, they also:

• Help your team know what’s expected of them
  
• Reduce the risk of mistakes or oversight
  
• Provide evidence of compliance in case of a regulatory inspection
  
• Create consistency across the firm, even as teams grow or change
  

Supervisors frequently cite weak or generic AML documentation as a cause of non-compliance. Your framework must be tailored to your firm’s size, services, client base and risk exposure.

How to build your AML policy, controls, and procedures framework

Your policies, controls and procedures should work together to reflect the actual risks your firm faces — and the way your services are delivered. While some elements are prescribed in law, much of the detail depends on your own operations.

1. AML policies

Policies define what your firm is aiming to do and why. They set the tone for your AML approach and outline who is responsible for what.

A good AML policy should include:

Purpose and scope

• A clear statement of the firm’s commitment to AML compliance
  
• How the policy applies across the business
  

Relevant legislation and guidance

• References to key laws (e.g. POCA, the Terrorism Act 2000, MLR 2017)
  
• Links to government and professional body guidance (e.g. AMLGAS, CCAB, FATF)
  

Roles and responsibilities

• Who holds the role of MLRO (or equivalent Compliance/Nominated Officer)
  
• What other senior management and staff are expected to do
  
• A definition of “relevant employees” under the regulations
  

Risk management

• How the firm identifies and assesses AML risk
  
• The factors considered (e.g. client type, services, geography)
  

Monitoring and reporting

• How the firm monitors clients and services for suspicious activity
  
• How and when to report concerns internally and externally
  
  

Record keeping

• What records are kept and for how long
  
• Where they’re stored and how they’re protected
  

Internal controls and training

• How staff are screened and trained
  
• How policies are reviewed, updated, and communicated
  

Policies should also address other areas specific to your firm, such as your position on trust and company services or your use of client accounts.

2. AML risk

A strong AML framework depends on a clear understanding of risk.

Risk includes:

• The chance your firm is used to move or conceal criminal property
  
• The risk of failing to identify suspicious activity
  
• Reputational or regulatory damage from non-compliance
  

The UK’s National Risk Assessment (2020) makes clear that the highest risk occurs when firms don’t fully understand AML threats or fail to apply proportionate controls. FATF has also flagged that smaller firms can be particularly vulnerable due to lack of training or understanding.

You’re not expected to eliminate all risk — but you are expected to understand it, assess it, and respond proportionately.

3. AML controls

Controls are the actions and checks that reduce your firm’s exposure to AML risk. They support your AML policies and help ensure consistent behaviour across the business.

Under regulation 21 of MLR 2017, key AML controls include:

Senior management oversight

• A designated MLRO or Compliance Officer responsible for AML compliance
  
• Board or leadership engagement where applicable
  

Employee screening and training

• Background checks before and during employment
  
• Ongoing training for relevant employees
  
• Documentation of attendance and materials covered
  

Independent review

• An internal audit function (where appropriate) that evaluates your AML controls
  
• Proportional to the size and structure of your firm
  

These controls help detect and prevent money laundering, and ensure your AML approach stays effective as your firm evolves.

4. AML procedures

Procedures are the practical instructions staff follow to apply your AML policies and controls. They explain how to carry out tasks, who’s involved, and what documentation is required.

Key procedures should cover:

Client onboarding and due diligence

• Steps for collecting CDD information
  
• Assessing client risk
  
• Verifying identity
  
• Issuing engagement letters and communicating with previous accountants
  

Record keeping

• What records are required
  
• How they’re stored (digital or physical)
  
• Retention and destruction timeframes
  
• Protection of sensitive data
  
  

Suspicious activity reporting (SARs)

• What counts as suspicious
  
• How to raise internal reports
  
• What the MLRO does next
  
• How to file a SAR
  

Employee training

• Identifying who needs training
  
• How it’s delivered and how often
  
• Recording participation and updates
  
  

You may also want to document procedures for:

• AML compliance reviews
  
• Employee screening
  
• Reliance on third parties
  

Firms should support their procedures with checklists and templates to keep things consistent and auditable.

Summary

AML policies, controls and procedures form the foundation of your compliance framework. They show regulators — and your team — how seriously your firm takes its AML obligations.

To stay compliant:

• Define clear, tailored AML policies based on your risks and services
  
• Put controls in place to monitor, review and improve your AML processes
  
• Create step-by-step procedures so staff know exactly what to do
  
• Regularly review and update your documentation to reflect changes in law, risk, or your firm’s operations
  

By combining all three elements — policies, controls and procedures — you build a robust, risk-based approach to AML compliance and a clear roadmap for your team to follow.

This article was summarised by the Firmcheck content team. The original content was written by an independent AML expert and is available on our blog.

‍