The perfect AML programme: A ten point guide

Published on Feb 20, 2019

Does the ‘perfect’ path to anti-money laundering (AML) exist?

The quest for the perfect plan can be traced back to the immeasurable damage criminals cause to many economies through money laundering.

In response, governments are continuously fighting back, issuing a raft of rules and penalties for financial institutions (FIs). Fines such as HSBC’s $1.9 billion or Commerzbank’s $1.45 billion are a sobering warning to compliance officers globally of just how important AML has become.

This in turn has prompted FIs to come up with various AML programmes to stay safe, or in some instances to stay alive (some banks, such as Latvia’s ABLV, were shut down over AML issues).

Over the years, some AML programmes have proven effective; others, however, were so bad that they landed the bank in hot water with regulators, and the bank was hit with the very fines its AML programme was created to avoid.

With that in mind, it is very important to articulate a sound AML programme.

Here is a ten-point guide to achieving an effective AML programme, which could prove useful in staying compliant and warding off those petrifying fines.

1. Engaging with technology partners

The relationship of compliance and technology is not new; however, it is shifting gears as regulators are constantly enhancing their regulations with an increased focus on data and reporting. There are many RegTech solutions in the space of KYC/real-time AML screening, AI/ML-based fraud prevention, and real-time compliance monitoring which are customisable and can easily be integrated into a variety of existing environments.


Regulators around the world have supported the adoption of RegTech because it helps FIs not only streamline their reporting but also gain better oversight of their data. It is therefore high time for FIs to choose an apt technology partner that can offer solutions addressing regulatory challenges through innovation.

2. Independent Audit:

Each FI has to design its own AML policy to address the specific money laundering risks it faces. It is therefore mandatory for FIs to commission independent audits that assess their AML programmes against the applicable law, such as the US Bank Secrecy Act (BSA), and against international standards such as the Financial Action Task Force (FATF) Recommendations.

Independent auditors will look into issues such as:

  1. Whether the AML programme identifies and covers all the relevant risks sufficiently
  2. Whether the AML programme has clear-cut guidelines for different entity types, such as trusts and foundations
  3. Whether the AML programme can identify suspicious activity and, if so, what its requirements are for records retention and similar obligations

The audit report should have sufficient information as well as a list of findings and recommendations to help the decision makers evaluate the programme effectively.

3. Risk-based approach:

FATF issued its first guidance on the risk-based approach (RBA) in 2007, and the concept has been a source of confusion ever since.

Some FIs have struggled to implement the RBA properly, leaving them with inadequate controls for managing and mitigating their money laundering risk.

Implementing the RBA means building more logical processes: the focus has to be on identifying the money laundering risks that can actually damage the FI, and then designing processes that detect and deter those risks. An FI that does this well will find that it automatically complies with the majority of AML regulations.


4. The necessity of enhanced due diligence (EDD):

The depth of KYC varies from customer to customer, depending on the risk exposure and the money laundering risk each one poses, so it is necessary to run the correct process to ascertain whether EDD is required.

When on-boarding high-risk customers, EDD must be applied to mitigate the risks associated with the customer and protect the FI from potential damage.

Some of the EDD processes include:

  1. Gathering additional identification information about the customer from a wide variety of authentic sources
  2. Taking additional measures to verify the source of wealth of the beneficial owner, to be satisfied that it does not constitute the proceeds of crime
  3. Drilling down the purpose and intended nature of the business relationship to understand the account activity of the customer

As a best practice, it is recommended to perform ongoing enhanced monitoring for higher risk situations to intercept suspicious activity.

5. Risk Assessment

FIs need to have their own internal risk assessments which are tailor-made to counter the money laundering risks they might potentially be exposed to.

There are multiple risk factors that an FI should assess; the top three are:

  1. Geographic risk: Not all countries carry identical risk. FIs need to understand the specific circumstances of the high-risk countries they operate in or deal with, and apply a more stringent control environment there so that illicit actors cannot take advantage of the financial ecosystem. Guidance from international bodies (for example FATF’s public statements on high-risk jurisdictions) should be used when bucketing countries as low, medium or high risk.
  2. Customer risk: FIs must have enough processes in place to ensure they understand with whom they are doing business. They must fully understand the risks posed by a customer, including:
  • Involvement of a politically exposed person (PEP)
  • Involvement of an entity or person on a sanctions list
  • Entities issuing bearer shares
  • Complex or layered ownership structures
  3. Product risk: Some products offered by FIs attract money launderers more than others, for a variety of reasons. FIs must take care when risk-rating products, considering:
  • What kind of flexibility does the product offer (for example anonymity, cash handling or cross-border transfers)?
  • Has the product caused the FI any money laundering issues in the recent past?
  • Which portfolio of customers uses the product most?

If these risk factors are not assessed diligently, they give rise to a bigger risk, regulatory risk, which exposes the FI to reputational damage and causes customers to lose trust in it.

6. Discounting False Positives

We all talk about the rising rate of false positives and how to reduce them, but we seldom talk about how to discount the ones that do occur.

FIs should have a proper policy for discounting false positives: a hit should be discounted on real, documented grounds, not on fictitious or convenient ones.

The following rules can be used when deciding whether a potential match can be discounted:

  1. Look for static attributes such as date of birth or place of birth; a reliable mismatch on any one of these is sufficient to discount the match
  2. Do not discount a hit on dynamic attributes such as name, address, age or qualification alone; require at least one static attribute in conjunction with the dynamic attribute before discounting
  3. If the information on the hit is not enough to discount it, perform conventional research (public records, registries, adverse media) to gather additional information
  4. Expired documents should not be relied on to discount any match
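As an added example, not part of the original article, the four rules above can be encoded as a screening decision routine. The Python below assumes a customer record made up of identity documents (each with an expiry date) and a watchlist hit with the field names shown; the customer, documents and hits are constructed sample data, and the field names are assumptions rather than any real screening tool’s schema. The static/dynamic split follows the article’s terms: a hit is discounted only when a document that is still valid evidences a static attribute that conflicts with the hit; mismatches on dynamic attributes are recorded as context but never discount on their own; expired documents are ignored; and the result carries the grounds for the decision so that its basis can be evidenced later, which is what the auditable-records point below asks for.

```python
"""Watchlist-hit adjudication following the four discounting rules.

Added example; customer, document and hit data are constructed, and the
field names are assumptions, not a real screening tool's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Attributes that do not change over a lifetime ("static" in the article):
# a reliable mismatch on any ONE of them is grounds to discount a hit.
STATIC_ATTRS = ("date_of_birth", "place_of_birth")
# Attributes that change or are easily aliased ("dynamic"): a mismatch is
# recorded as context but is never sufficient on its own.
DYNAMIC_ATTRS = ("name", "address")


@dataclass
class Document:
    kind: str          # e.g. "passport" (constructed label)
    attrs: dict        # attribute -> value evidenced by this document
    expires: date


@dataclass
class Customer:
    customer_id: str
    documents: list


@dataclass
class Hit:
    """A potential match as returned by a screening tool (assumed shape)."""
    list_entry_id: str
    name: str
    date_of_birth: Optional[str] = None   # "YYYY-MM-DD" or "YYYY" (year-only entries are common)
    place_of_birth: Optional[str] = None
    address: Optional[str] = None


def _norm(text):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(str(text).lower().split())


def evidenced_attrs(customer, today):
    """Attributes backed by a document that is still valid on `today`.

    Expired documents are skipped (rule 4), so an attribute evidenced only
    by an expired document counts as unknown and cannot discount anything.
    """
    known = {}
    for doc in customer.documents:
        if doc.expires < today:
            continue
        for attr, value in doc.attrs.items():
            known.setdefault(attr, (value, doc.kind))
    return known


def conflicts(attr, customer_value, hit_value):
    """True only when both values are known and cannot describe the same person."""
    if customer_value is None or hit_value is None:
        return False
    if attr == "date_of_birth":
        if len(hit_value) == 4:                      # year-only list entry: test the year only
            return customer_value.year != int(hit_value)
        return customer_value != date.fromisoformat(hit_value)
    return _norm(customer_value) != _norm(hit_value)


def adjudicate(customer, hit, today):
    """Decide whether `hit` can be discounted and return the decision with its grounds."""
    known = evidenced_attrs(customer, today)
    grounds, context = [], []
    for attr in STATIC_ATTRS:                        # rule 1: any static mismatch discounts
        if attr in known and conflicts(attr, known[attr][0], getattr(hit, attr)):
            grounds.append(f"{attr}: {known[attr][0]} vs {getattr(hit, attr)} (per valid {known[attr][1]})")
    for attr in DYNAMIC_ATTRS:                       # rule 2: dynamic mismatch is context only
        if attr in known and conflicts(attr, known[attr][0], getattr(hit, attr)):
            context.append(f"{attr} differs (not sufficient alone)")
    return {
        "customer_id": customer.customer_id,
        "list_entry_id": hit.list_entry_id,
        "decision": "discounted" if grounds else "escalate_for_research",   # rule 3
        "grounds": grounds,
        "supporting_context": context,
        "assessed_on": today.isoformat(),
    }


# --- constructed sample data -------------------------------------------------
TODAY = date(2019, 2, 20)
PASSPORT = {"name": "Jane Q Example", "date_of_birth": date(1975, 3, 12), "place_of_birth": "Lisbon"}
CUSTOMER = Customer("CUST-0001", [
    Document("passport", PASSPORT, expires=date(2024, 1, 1)),
    Document("utility_bill", {"address": "1 Example Street"}, expires=date(2018, 6, 30)),  # expired
])
CUSTOMER_EXPIRED_ID = Customer("CUST-0002", [Document("passport", PASSPORT, expires=date(2018, 1, 1))])

HIT_OTHER_POB = Hit("WL-1", "Jane Example", date_of_birth="1975", place_of_birth="Madrid")
HIT_SAME_DOB = Hit("WL-2", "Jane Example", date_of_birth="1975-03-12", address="9 Other Road")

if __name__ == "__main__":
    for cust, hit in [(CUSTOMER, HIT_OTHER_POB), (CUSTOMER, HIT_SAME_DOB), (CUSTOMER_EXPIRED_ID, HIT_OTHER_POB)]:
        print(adjudicate(cust, hit, TODAY))
```

The first sample hit is discounted because a valid passport puts the place of birth in Lisbon while the list entry says Madrid; the name variation is logged as context only. The second hit shares the full date of birth and differs only on an address that is evidenced by an expired utility bill, so it is escalated. The third case uses the same hit against a customer whose passport has expired: with no valid evidence for any static attribute, nothing can be discounted and the hit is escalated for research.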


7. Periodic reviews and auditable records:

It is of the utmost importance that the identity verification data held by the FI is up to date; stale documentation does not serve the purpose of an AML programme, so documents have to be reviewed and refreshed at regular intervals. This is why regulators place so much stress on periodic reviews.

Collecting a fresh set of documents also gives the FI the chance to capture any material change in the customer profile, and to check that the risk rating assigned to the customer is still appropriate.

Regulators carry out regular examinations of FIs to make sure that all internal compliance controls, policies and procedures are in place and implemented properly.

It is mandatory for FIs to have fully auditable records that are regulator-ready at the end of the day. This includes recording of all compliance decisions as well as the data, documentation and the back-up required to evidence the basis for these decisions.

8. Keeping an eye on the market:

Regulatory policies change and evolve constantly, and staying compliant in such an environment can be challenging.

It is extremely important for FIs to keep up with the latest developments around the world so that their internal policies remain in line with the current state of regulatory requirements. Resources should be put in place to track and monitor all relevant new developments and to feed them back into the AML programme.

9. Employee Training:

All employees must be aware of their obligations under the AML programme and contribute to it actively. Relevant training is necessary for a truly effective AML programme, and staff should be trained on the topics that apply to their functional roles.

As discussed in point five above, every FI is exposed to different kinds of risk, so it is best to train staff on what those risks look like and how to react to them. Real-life examples are preferable to hypothetical situations, because they help staff respond better.

The ultimate goal of training is not simply to tick a box. It is to establish an effective AML programme, so the training material should be reviewed and updated at least every six months to include the latest developments in the compliance space.

10. No Shortcuts!

Last but not least, KYC has no shortcuts. Ineffective processes can expose the entire organisation to significant fines and can also mean imprisonment for senior officials.

FIs should make sure that the process flows are streamlined, that data is collected appropriately for each entity type, and that ongoing efforts are in place to detect any violation.

To conclude, an effective AML programme will not only help the FI comply with regulations, it can also help spot other potential weaknesses in its processes. Most C-suite members see such a programme as a hefty cost; they have to remember that not having one, or having an inefficient one, can be even costlier and cause damage beyond control.

About the article author: Suresh Chavali is a subject matter specialist in the risk and compliance sector, focusing on know your customer (KYC), risk management, money laundering and terrorist financing schemes and trends. He has worked for various firms, including Barclays and Deutsche Bank.

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.


