
8 steps to a compliant AML policy

Richard Simms

Director and Founder of AMLCC and AMLCC Consult


Your anti-money laundering (AML) policy isn’t just paperwork. It’s the backbone of your firm’s compliance framework: the document that explains how you identify, assess and manage money laundering risks.

It’s also likely to be one of the first things an inspector will ask to see. So if it’s outdated, copied from a template or missing key details, you’re exposed.

Whether you’re updating your AML policies or building them from scratch, here’s a practical guide to what needs to be included and how to keep it fit for purpose.

1. Link your policy to your business-wide risk assessment

Every AML policy should be built on your firm’s business-wide risk assessment. This assessment identifies where and how your business could be used for money laundering, terrorist financing or proliferation financing.

Your policy must then explain how you manage those risks in practice. For example:

  • Client risk: How you assess and categorise different client types
  • Service risk: How high-risk services (like company formation or conveyancing) are handled
  • Geographic risk: How you manage exposure to high-risk jurisdictions
  • Delivery channels: How you address risks from online or non-face-to-face onboarding

If the risks in your policy don’t reflect your actual client base or services, supervisors will view it as generic and therefore non-compliant.

2. Define clear roles and responsibilities

Supervisors expect to see that your AML policy spells out who does what. That means identifying key roles and their duties, such as:

  • Money Laundering Reporting Officer (MLRO): Responsible for receiving internal Suspicious Activity Reports (SARs) and liaising with the National Crime Agency (NCA)
  • Deputy MLRO (if applicable): Steps in when the MLRO is unavailable
  • Senior management: Accountable for ensuring AML systems are effective
  • All staff: Responsible for following the policy and reporting concerns

Listing these roles demonstrates that compliance isn’t theoretical; it’s operational.

3. Outline your customer due diligence (CDD) process

This section should explain how your firm verifies clients’ identities and the steps you take for:

  • Standard due diligence: Verifying ID, proof of address and beneficial ownership
  • Enhanced due diligence (EDD): What triggers it and what extra checks you carry out
  • Ongoing monitoring: How you keep client information current and identify unusual activity
  • Simplified due diligence (SDD): When and how it can be applied (and the justification for doing so)

Documenting your approach ensures staff follow a consistent process and gives regulators evidence that you’re managing risks proportionately.

4. Include your approach to training and awareness

Regulation 24 of the Money Laundering Regulations 2017 requires you to train staff regularly and keep evidence of it.

Your policy should outline:

  • How often AML training takes place
  • Which roles receive which type of training
  • How you test understanding (e.g. online assessments or scenario discussions)
  • How training completion is recorded

An effective policy makes it clear that AML knowledge isn’t optional or one-off. It’s part of your firm’s culture.

5. Explain your internal reporting and escalation process

Every staff member should know exactly what to do if they have a suspicion. Your policy must set out:

  • How to make an internal report to the MLRO
  • What happens once a report is made
  • How the MLRO assesses whether to submit a SAR to the NCA
  • The importance of confidentiality and the prohibition on ‘tipping off’

Clear escalation pathways prevent hesitation and protect both the employee and the firm from regulatory breaches.

6. Cover record-keeping and data retention

Your policy should explain how AML records are stored, secured and retained. Under Regulation 40, AML-related records must be kept for five years after a client relationship or transaction ends.

Make sure your policy covers:

  • What’s recorded (risk assessments, ID documents, SARs, training records)
  • Where and how the data is stored
  • How access is controlled
  • When and how data is securely deleted

Having a documented data policy isn’t just best practice; it’s a legal requirement.

7. Build in regular reviews and version control

Policies go out of date faster than many realise. Changes to legislation, new risk types or shifts in your client base can make yesterday’s approach obsolete.

Set out in your document:

  • How often reviews take place (at least annually, or when risks change)
  • Who is responsible for reviewing and approving updates
  • How changes are communicated and acknowledged by staff

A live, version-controlled policy demonstrates continuous compliance and awareness.

8. Make it practical, not theoretical

Supervisors are quick to spot template policies. The most compliant firms go further, making their policy document a living guide that’s linked directly to their actual processes and controls.

To achieve this:

  • Avoid vague statements like “We take a risk-based approach”. Instead, describe how you apply it
  • Reference specific forms, systems or workflows used in your firm
  • Ensure the tone reflects your size, services and structure

Generic documents don’t protect your firm; tailored ones do.

How AMLCC helps you get it right

Keeping AML policies, controls and procedures aligned with your firm’s risks is easier said than done, especially when regulations keep changing.

The AMLCC platform takes the complexity out of it by helping you:

  • Build a tailored policy linked to your Business Risk Assessments
  • Keep automatic audit trails of changes and approvals
  • Track staff AML Training and acknowledgements
  • Stay aligned with the latest legislation and sector guidance

With AMLCC, your AML Firm-Wide Policy document isn’t static. It evolves with your firm and the law.

Final thoughts

An AML policy is more than a compliance checkbox. It’s your evidence that your business understands its risks, takes them seriously, and manages them responsibly.

A strong policy does three things:

  1. Explains your risks clearly
  2. Describes your processes transparently
  3. Proves you act on them consistently

If it does that – and if it’s kept live and tailored – you’re not just compliant, you’re protected.

Explore AMLCC’s online training and platform-wide guidance.

The one-stop AML solution

We know AML

We’re internationally recognised AML experts
We work with most accountancy supervisors and the Law Society
Bespoke AML consultancy available for all sectors

What others have said

“We had the man from the ICAEW here yesterday to carry out a QAD practice review. We got a clean bill of health – not a single action point…That is in no small measure due to AMLCC so I just wanted to say ‘thank you’”

“Thank you for such a perfect and informative [solution]. You have given me a clear direction for my AML training and CPD.”

“I just wanted to say ‘thank you’ to you, Richard, and all the team at AMLCC for providing a service that really does minimise the burden of AML compliance.”

“What a refreshing pleasure working with a company who actually listens to the feedback from their customers and communicates with them!”

“Your team have been excellent from the moment Fiona did a demo for me with only 15 minutes’ notice, thoroughly going through the AMLCC product and answering the many questions I had! It was at this point that I made up my mind this is the sort of business I want to work with for my AML.”
