Learn what AML policies are and which businesses need them most. You can also get acquainted with FINRA’s template and follow the steps we’ve laid out to create your own solid AML policy.
To prevent money laundering (ML), governments impose AML and KYC regulations that all financial businesses have to adopt. Companies should therefore learn how to translate these intricate rules into sound anti-money laundering policies and procedures.
If you don’t know where to start, we’ve laid out the key steps to building an AML policy. Or you can refer to FINRA’s template at the end of the article.
An AML policy is a combination of measures to stop criminals from disguising illegally obtained money as legitimate income. Implementation is mandatory for financial institutions and overseen by regulatory authorities.
AML policies are designed to set a general structure of company systems and controls for combating money laundering (ML) and terrorist financing (TF). They should determine AML risk appetite, tolerances, unacceptable customer types, forbidden actions, employee responsibilities, employee rights, qualification levels, etc.
The AML policy must be approved by the company’s senior management and reviewed regularly.
An AML policy is similar to an AML program. These terms are interchangeable depending on the jurisdiction.
A solid AML policy is important because it sets forth the measures and controls for preventing suspicious customers and transactions. It also safeguards businesses from huge regulatory fines in case ML has been detected during an audit.
An AML program prevents money laundering through customer due diligence, transaction monitoring, and detecting and reporting suspicious activity. This includes predicate offenses to money laundering and terrorist financing.
Since criminals constantly improve their money laundering methods, it’s essential to develop an AML policy that can handle new and complex ML attempts. Otherwise, businesses expose themselves to financial and reputational losses.
Financial organizations (such as banks) and those at higher risk of exposure to money laundering (such as money service businesses, law firms, casinos, tax advisors, forex brokers and a number of others) need reliable AML policies. Whether it’s required depends on the jurisdiction and specific AML regulations.
At the international level, there is the Financial Action Task Force (FATF), a global money laundering and terrorist financing watchdog. The FATF issues global standards to prevent money laundering, and local AML regulations are usually based on them (e.g. the EU’s 4th, 5th, and 6th AML Directives).
Steps to creating an AML policy
With experience developing AML policies for financial institutions, we have a first-hand perspective on what it takes and what works best for businesses. Our step-by-step guide is based on the US Bank Secrecy Act (BSA), the EU 4th Anti-Money Laundering Directive (AMLD4), and FATF recommendations.
Step 1: draft an AML policy statement
This document may include:
Step 2: appoint a Money Laundering Reporting Officer (MLRO)
Businesses need to nominate an MLRO, who is responsible for overseeing compliance with AML regulations on systems and controls against money laundering, receiving disclosures regarding suspicious activity, and deciding whether external suspicious activity reports (SARs) should be made.
An MLRO should have a sufficient level of seniority within the firm (such as being part of or accountable to senior management). The MLRO should have:
Step 3: perform Customer Due Diligence (CDD)
Customer Due Diligence includes collecting and verifying relevant client information, as well as identifying and assessing the criminal risk they present. This process involves:
Regulated entities should implement CDD measures whenever:
Companies must perform ongoing monitoring of their customer relationships and update CDD information from time to time. They should also determine the extent of their CDD measures and ongoing monitoring on a risk-based approach, according to the type of customer, transaction, or business relationship. Businesses should therefore determine whether a given customer requires simplified due diligence, customer due diligence, or enhanced due diligence.
CDD also involves a standard procedure for checking clients through sanctions lists and adverse media. Therefore, companies should be aware of changes in sanctions regimes as soon as they occur. This can be done using a special automated system that monitors sanctions regime updates. Before entering a business relationship or opening an account for a client, financial companies must verify that they’re not onboarding someone listed as a target of financial sanction legislation—such as someone listed on the US Specially Designated Nationals List (SDN)—and confirm that there are no legal barriers to providing services.
Step 4: verifying client identity
Identity checks are central to an AML compliance policy. Companies therefore must specify comprehensive and reliable measures to accurately verify the identities of their clients upon opening an account or registering for their service.
Here are the 6 related points the AML policy must cover regarding client identity checks:
The company must determine what data is sufficient to check individual, corporate and high-risk clients based on local AML regulation requirements and the risk-based approach.
It is important to specify to the client which documents are requested and why. The company also needs to state how it will handle cases when a customer intentionally rejects requests for information or submits a false name, address, etc.
Companies must state the means they will use to verify their clients’ identities. This could be through collecting documents, biometrics, digital identity, database searches or a combination of means performed using verification software or manually.
Companies should indicate how long it takes to verify a client and their restriction policy on transactions involving unverified accounts.
An AML policy must detail measures taken in situations when clients cannot be identified—i.e. restricting account opening, limiting transactions, blocking users, etc.
Besides, the company won’t be able to start a business relationship with high-risk or sanctioned countries and industries.
A PEP is an individual who holds or held a powerful public position, such as a high-level politician or judge. Due to their influence, PEPs are more likely to be involved in aiding or abetting money laundering, racketeering, and financial fraud. As such, working with PEPs entails certain risks for financial institutions and other entities.
Since there is no universal definition of PEP, most countries refer to the one provided by the Financial Action Task Force:
Step 5: report to Financial Intelligence Units (FIU)
Companies must define how they’ll report to financial intelligence units and handle law enforcement requests for information.
Step 6: share data with financial institutions
AML policies must describe a secure and confidential process for sharing accumulated AML data with other financial entities that does not allow for data leaks. The purpose is to identify and prevent money laundering elsewhere.
Step 7: fill out suspicious activity reports
AML policies should specify the information that’s necessary for Suspicious Activity Reports (SARs) and the relevant deadlines. As an example, the BSA gives 30 days to file a report before issuing a fine.
This sample template is convenient for businesses to use; however, there is more to add to an all-round anti-money laundering policy.
Step 8: Staff awareness and training
The AML policy should ensure that employees are aware of how to deal with money laundering. Staff therefore should be trained at regular intervals on topics such as:
Step 9: Record-keeping
This refers to the measures taken to keep track of all AML-related procedures and documents for auditing purposes. Companies should also mention how long these documents will be kept. For example, under the BSA and AMLD4 it’s 5 years.
Step 10: Regular audits
A company should establish an independent internal audit function to:
Here you can see an example of FINRA’s template.
It’s important to take into account that the content of the AML policy and its features may vary depending on the business and jurisdiction, and should also reflect the size and nature of the business in question, as well as the complexity and geographical spread of the customer and service base.
The purpose of an AML policy is to develop the procedures and controls to detect and report suspicious activity related to money laundering, terrorist financing, fraud and other crimes.
All companies under AML regulations (depending on the jurisdiction) must develop an AML policy. Usually, organizations in finance, crypto, trading, real estate, and law are obliged to have an AML policy.
An AML policy should contain a detailed description of the procedures an organization follows to detect money laundering and terrorist financing, along with reporting procedures to the relevant FIU.
An AML policy should be developed by an AML compliance professional or money laundering reporting officer (MLRO).
An AML policy may include:
According to FINRA, an AML policy: