What should an AML policy include?

An anti-money laundering (AML) policy is the document that translates international standards and local law into the policies, controls and procedures your business actually uses to operate day-to-day.
It sets out who does what, how risks are assessed, how clients are checked and how concerns are escalated. Done well, it gives staff a clear framework to follow and gives supervisors confidence that controls are genuinely embedded in how the business runs.
The global benchmark for what an AML policy should cover comes from FATF (the Financial Action Task Force), which sets the international standards for combating money laundering, terrorist financing and proliferation financing.
Of FATF’s 40 Recommendations, 1 and 18 are particularly important here. Together they define the risk-based approach and the internal policies, controls and procedures that an effective AML programme must include.
Start with a documented risk assessment
Recommendation 1 (Assessing risks and applying a risk-based approach) sets out that businesses should identify, assess and understand the money laundering, terrorist financing and proliferation financing risks they face, and apply controls proportionate to those risks. This is the foundation of every AML policy.
Your policy should describe:
- how the business carries out its business-wide risk assessment;
- what factors are considered (clients, products and services, geographies, transaction types and delivery channels);
- how findings are documented;
- how often the assessment is reviewed.
The risk assessment is the bridge between FATF’s standards and your own controls, so your policy needs to make that link explicit.
Customer due diligence and beneficial ownership
FATF Recommendations 10 and 24 set the global expectation for customer due diligence (CDD) and beneficial ownership transparency. Your AML policy should explain how the business meets those obligations in practice, covering:
- client identification and the verification of identity using reliable, independent sources, including the documents accepted, the use of electronic verification and the standards applied across face-to-face and remote channels;
- identification of beneficial owners and the steps taken to understand ownership and control structures, particularly where corporate or trust arrangements are layered or cross-border;
- the circumstances that trigger enhanced due diligence, including politically exposed persons (PEPs), high-risk jurisdictions and complex or unusually large transactions, and what those enhanced measures look like in practice.
Setting out clear thresholds and triggers in your policy gives staff a consistent basis for CDD decisions and reduces reliance on individual judgement.
Ongoing monitoring and sanctions screening
An AML policy needs to address what happens after onboarding. Ongoing due diligence is a core requirement under FATF Recommendation 10, covering both the scrutiny of transactions against what is known about the client and the periodic refresh of client information.
Your policy should explain how monitoring is carried out, how frequently client risk is reassessed and what triggers a review outside the normal cycle, such as a change in ownership or a shift in transaction patterns.
Sanctions screening sits alongside monitoring as a distinct control. FATF Recommendation 6 requires the implementation of targeted financial sanctions related to terrorism and terrorist financing, and Recommendation 7 extends this to proliferation financing.
Your policy should describe how clients, beneficial owners and counterparties are screened at onboarding and on an ongoing basis, how alerts are reviewed and how confirmed matches are escalated.
Internal controls, governance and reporting
FATF Recommendation 18 (Internal controls and foreign branches and subsidiaries) sits at the heart of any AML programme. The interpretive note is explicit that policies must be supported by appropriate compliance management arrangements, employee screening, ongoing training and an independent audit function.
Your AML policy should reflect each of those elements:
- The appointment of a compliance officer at management level, with the authority and access needed to discharge the role effectively, including direct lines to senior management and the board.
- Internal reporting routes that allow staff to escalate suspicions promptly, alongside the business's process for filing suspicious transaction reports with the relevant financial intelligence unit under FATF Recommendation 20.
- Employee screening procedures designed to maintain integrity in roles where AML risk is most concentrated, including front office, operations, compliance and IT security.
Training
Training is one of the elements FATF lists in the interpretive note to Recommendation 18, alongside compliance management arrangements, employee screening and an independent audit function. Your policy should set out how staff are trained on money laundering, terrorist financing and proliferation financing risks, and how training is tailored to each role.
For example, front-line staff need to recognise red flags in the work they do, while compliance officers and senior managers need a deeper technical grounding. Your policy should reflect these differences and explain how training keeps pace with changes in legislation, business model or risk profile, with refresher cycles built in.
Your AML policy should also set out how training records are kept, including who has completed which modules, when, and the outcome of any assessment. Without that evidence, the business has no way to demonstrate to a supervisor that staff are equipped to recognise and respond to AML risk in their day-to-day work.
Record-keeping and independent audit
Recommendation 11 sets out record-keeping standards. Your AML policy should cover what records are kept, where they’re stored and how long they’re held, including identity and verification evidence, transaction records and the documents that support both.
The standard to aim for is that someone independent could pick up the file later and follow what happened, why and when.
Your policy should also explain how the AML programme is independently tested. FATF expects this audit function to be genuinely independent of the people and processes it reviews, with the depth and frequency reflecting the business's risk profile. What audit finds should feed back into the risk assessment and the policy itself, so the programme keeps improving.
Keeping your policy live
An AML policy is a living document. FATF makes it clear that controls should evolve as risks evolve, which means your policy should be reviewed:
- when the business changes;
- when new typologies emerge;
- when regulatory expectations shift;
- after findings from audit;
- after supervisory engagement;
- at least annually.
Version control, dated reviews and a clear owner for the document make those updates traceable and easy to evidence in an inspection.
Final thoughts
A strong AML policy reflects the actual risks your business faces and the controls that respond to them. It draws directly on FATF's 40 Recommendations, particularly Recommendations 1 and 18, and translates those expectations into practical procedures your staff can follow.
When your AML policy is genuinely embedded, supported by training, monitoring and independent audit, it becomes the backbone of how the business prevents financial crime.
AMLCC brings risk assessments, customer due diligence, sanctions and PEP checks, training and reporting into a single platform, with the audit trail captured automatically. That structure helps businesses keep their AML policy aligned with what is actually happening in the business, and ready for scrutiny at any time.