The 6 signs your AML PCPs are out of date
When was the last time you gave your AML policies, controls and procedures more than a passing glance?
If you’re like many busy regulated professionals, it’s probably been a while. After all, once the policies, controls and procedures have been discussed, written, signed off and stashed in the compliance folder, it’s easy to assume it’s sorted. And you have your day job to do.
But AML compliance doesn’t work like that. Criminal methods evolve fast. Regulations shift. Supervisors tighten expectations. And what passed muster last year might fall flat today.
That means your AML policies, controls and procedures might not just be out of date—they could be quietly putting your business at risk.
1. You haven’t reviewed them in the last 12 months
The first and most obvious sign: if your written AML policies, controls and procedures haven’t had a formal review in the last year, they’re out of date under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
These regulations require that AML policies, controls and procedures are regularly reviewed and updated to reflect changes in risk and regulation. Most supervisory bodies expect a minimum of an annual review, even if nothing has changed.
If that review hasn’t happened, you’re already on the back foot. It suggests:
- You might be missing changes to regulations or guidance
- Your written policies may not reflect your actual risk exposure or internal controls
- You’re potentially failing your obligations under Regulations 19 and 20
What to do: Set a formal review schedule. Document it. Assign responsibility. If you’re using AMLCC, the system flags when reviews are due and guides you through the update process.
2. Your written PCPs are full of generic content or copied templates
Your AML document could be 30 pages long but say almost nothing specific. If your written AML policy is based on a downloaded template, with no reference to your firm’s structure, client base or service risks, it’s unlikely to get past an inspection.
Supervisors are clear: AML policies, controls and procedures must be tailored to your firm. That means aligning with your:
- Size, services, and client base
- Delivery channels (online, face-to-face, intermediaries)
- Geographical risk exposure
- Staff structure and experience
- Day-to-day operational realities
A templated approach that doesn’t reflect your actual business activities won’t stand up to scrutiny.
What to do: Rewrite or rebuild your written policy to match your risk assessment. Use tech like AMLCC to link your policies, controls and procedures directly to your risk profile, creating an integrated and evidence-based document.
3. Your policies, controls and procedures aren’t aligned with your risk assessment
Strong AML policies, controls and procedures don’t stand alone—they’re built on your firm’s risk assessment.
It’s common for businesses to update their risk assessment periodically, especially when services change or new client types come on board. But if your written policies haven’t been updated at the same time, they’re likely missing important context.
Your AML framework should clearly show how your firm identifies, assesses and responds to the risks outlined in your risk assessment. If your client base has shifted—maybe you’re seeing more complex corporate structures, overseas ownership or high-net-worth individuals—that should be directly reflected in the controls and procedures your firm has in place.
Supervisors want to see that your AML policies, controls and procedures are driven by real-world risk, not theory. If there’s a gap between the risks you’ve identified and the processes you’ve implemented, your approach is out of step—and that’s a red flag.
What to do: Revisit your AML policies, controls and procedures whenever your risk profile changes. Make sure there’s a clear link between what you know about your clients and how you’re managing those risks in practice. If you’re using AMLCC, you can easily add any additional procedures you have put in place to the relevant section of your PCPs and automatically notify all staff of those changes.
4. They don’t cover digital or remote working risks
Has your business, like many, shifted to more remote or hybrid working? Have you increased use of digital onboarding, e-signatures or cloud-based document sharing? If so, your AML policies, controls and procedures must reflect that.
Money laundering risk has changed. Criminals are actively exploiting remote environments, using fake IDs, deepfake tech, spoofed documents and untraceable messaging apps. If your policy document was written when most interactions were face-to-face, it won’t cover these new risks.
Signs your PCPs are behind the times:
- No guidance on verifying identity remotely
- No mention of cyber risk or data security in AML processes
- No controls for monitoring online communication channels
What to do: Update your risk assessment to include technology-related risks, and make sure your AML policies, controls and procedures follow suit. Include procedures for remote CDD, digital verification tools and secure record-keeping.
5. Your team don’t know what they are
This one’s simple to diagnose. Ask your staff—especially those in client-facing or compliance roles—whether they know what’s in your AML policies, controls and procedures, and whether they are happy that they have digested and understood all AML training. Can they summarise their responsibilities? Do they know the escalation procedure for suspicious activity?
If the answer is no, then your PCPs and training might as well not exist.
It’s not enough to have a written AML policy. Regulation 21 of the Money Laundering Regulations requires you to ensure that staff are aware of it, understand it and receive regular training.
A PDF no one’s read won’t protect your firm or demonstrate compliance.
What to do: Build awareness into your training programme. Use practical examples and make the content relevant to each role. Platforms like AMLCC let you track staff understanding and acknowledge policy updates.
6. They haven’t been tested
When was the last time you tested whether your AML policies, controls and procedures actually work? Do they stand up in practice—or only on paper?
A policy may look great until you’re hit with a suspicious client, an internal breach or a supervisory visit. That’s when you find out whether your controls and training are robust, whether escalation processes are followed, and whether your records are accurate.
The AML regulations require that all businesses complete an annual audit of their AML policies, controls and procedures. This can be internal or external, depending on the size and structure of your business. For internal audits, someone senior—but not normally involved in day-to-day AML activity—should carry out the review.
What to do: Introduce periodic testing and audits. Simulate reporting a SAR. Review files for compliance. Test whether your staff can follow procedures under pressure. Record outcomes and update your policies where gaps are found.
Why this matters now
The regulatory bar is getting higher. In 2023 and 2024 alone, the number of fines issued by professional body supervisors rose significantly. Enforcement action is no longer limited to financial penalties—businesses are now facing licence removal, disciplinary hearings, public censure, and even prosecution of senior management.
If your AML policies, controls and procedures are not current, specific, and embedded in your day-to-day operations, you’re running a real compliance risk. But more than that, you’re leaving your business vulnerable to being used by criminals—and that undermines trust in the entire sector.
An out-of-date AML framework doesn’t just cost money. It could cost your reputation.
How AMLCC can help
Keeping AML policies, controls and procedures current is a challenge—especially when regulations are always moving. That’s where AMLCC comes in.
The platform gives you everything you need to:
- Create and maintain a tailored, regulation-ready AML policy
- Link your policy directly to your risk assessment
- Stay aligned with the latest legislation and sector-specific guidance
- Educate and track staff awareness, with built-in training and functionality for all staff to acknowledge their awareness and understanding of all PCP updates
- Provide evidence of compliance to your supervisor
Most importantly, AMLCC is constantly updated by experts. So your PCPs can stay live, not static.
Final thoughts
Think of your AML policies, controls and procedures as a living system. They’re not something you draft once and forget. They’re the foundation of your risk-based approach, the map your team follows, and part of the evidence you show to your supervisor when they come knocking.
If any of the six signs in this article ring true for you, it’s time to act. Don’t wait for a visit or an incident to expose the gaps. Reviewing and updating your AML policies, controls and procedures now is not only good governance—it’s good business.