Anti-Money Laundering (AML) Policy: Step-by-Step Guide (with Template)

To prevent money laundering (ML), governments use defensive regulatory AML and KYC policy that has to be adopted by all financial businesses. Therefore, companies should learn how to translate these intricate rules into sound anti-money laundering policy and procedures.

If you don’t know where to start, we’ve laid out the key steps to building an AML policy. Or you can refer to FINRA’s template at the end of the article.

The highlights

1. What is an AML policy?
2. Why are AML policies important?
3. How do AML policies prevent money laundering?
4. Who needs AML policies?
5. Who regulates AML rules?
6. Steps to creating an AML policy
7. Template
8. FAQ

What is an AML policy?

An AML policy is a combination of measures to stop criminals from disguising illegally obtained money as legitimate income. Implementation is mandatory for financial institutions and overseen by regulatory authorities.

AML policies are designed to set a general structure of company systems and controls for combating money laundering (ML) and terrorist financing (TF). It should determine AML risk appetite, tolerances, unacceptable customer types, forbidden actions, employee responsibilities, employee rights, qualification levels, etc.

The AML policy must be approved by the company’s senior management and reviewed regularly.

An AML policy is similar to an AML program. These terms are interchangeable depending on the jurisdiction.

Suggested read: 6 Key Steps to a Successful Anti-Money Laundering (AML) Program in 2023

Why are AML policies important?

A solid AML policy is important because it sets forth the measures and controls for preventing suspicious customers and transactions. It also safeguards businesses from huge regulatory fines in case ML has been detected during an audit.

How do AML policies prevent money laundering?

An AML program prevents money laundering through customer due diligence, transaction monitoring, and detecting and reporting suspicious activity. This includes predicate offenses to money laundering and terrorist financing. 

Since criminals constantly improve their money laundering methods, it’s essential to develop an AML policy that can handle new and complex ML attempts. Otherwise, businesses expose themselves to financial and reputational losses.

Who needs an AML policy?

Financial organizations (such as banks) and those at higher risk of exposure to money laundering (such as money service businesses, law firms, casinos, tax advisors, forex brokers and a number of others) need reliable AML policies. Whether it’s required depends on the jurisdiction and specific AML regulations.

Who regulates the process?

At the international level, there is the Financial Action Task Force (FATF), a global money laundering and terrorist financing watchdog. The FATF issues global standards to prevent money laundering, and local AML regulations are usually based on them (e.g. the EU’s 4, 5, and 6 AML Directives).

On the national level, the regulating bodies vary by country. In Germany, it’s BaFin; in Canada, it’s FINTRAC; in Singapore, it’s MAS, and so on.

Steps to creating an AML policy

With experience developing AML policies for financial institutions, we have a first-hand perspective on what it takes and what works best for businesses. Our step-by-step guide is based on the US Bank Secrecy Act (BSA), the EU 4th Anti-Money Laundering Directive (AMLD4), and FATF recommendations.

Step 1: draft an AML policy statement

This document may include:

• Definitions of money laundering and terrorist financing
• Reasons why the policy is necessary
• Commitment to the company “knowing its customer” appropriately
• Commitments to regular audits to stay within regulatory demands
• Definition of the culture and values of the company regarding financial crime prevention
• Reasons for staff AML training

Step 2: appoint a Money Laundering Reporting Officer (MLRO)

Businesses need to nominate an MLRO, who’s responsible for oversight of the compliance with AML regulations on systems and controls against money laundering, receiving disclosures regarding suspicious activity and deciding whether external suspicious activity reports (SARs) should be made.

An MLRO should have a sufficient level of seniority within the firm (such as being  part of or accountable to senior management). The MLRO should have:

• active support of senior management
• adequate resources
• independence of action
• access to information
• an obligation to produce an annual report.

Step 3: perform Customer Due Diligence (CDD)

Customer Due Diligence includes collecting and verifying relevant client information, as well as identifying and assessing the criminal risk they present. This process involves:

• identifying the customer and verifying their identity
• identifying the beneficial owner and verifying their identity
• assessing and obtaining information on the purpose and intended nature of the business relationship or transaction

Regulated entities should implement CDD measures whenever: 

• they start new business relationships
• they see occasional transactions
• there is suspicion of money laundering 
• there is unreliable documentation
• there are ongoing monitoring obligations

Companies must perform ongoing monitoring of their customer relationships and update CDD information from time to time. They should also determine the extent of their CDD measures and ongoing monitoring on a risk-based approach, according to the type of customer, transaction, or business relationship. Businesses should therefore determine whether a given customer requires simplified due diligence, customer due diligence, or enhanced due diligence.

CDD also involves a standard procedure for checking clients through sanctions lists and adverse media. Therefore, companies should be aware of changes in sanctions regimes as soon as they occur. This can be done using a special automated system that monitors sanctions regime updates. Before entering a business relationship or opening an account for a client, financial companies must verify that they’re not onboarding someone listed as a target of financial sanction legislation—such as someone listed on the US Specially Designated Nationals List (SDN)—and confirm that there are no legal barriers to providing services.

Step 4: verifying client identity

Identity checks are central to an AML compliance policy. Companies therefore must specify comprehensive and reliable measures to accurately verify the identities of their clients upon opening an account or registering for their service. 

Here are the 6 related points the AML policy must cover regarding client identity checks: 

1) State the documents and personal data that must be gathered

The company must determine what data is sufficient to check individual, corporate and high-risk clients based on local AML regulation requirements and the risk-based approach.

It is important to specify which f documents are requested and why to the client. The company also needs to state how it will handle cases when a customer intentionally rejects requests for information or submits a false name, address, etc.

2) State how the information is verified

Companies must state the means they will use to verify their client’s identities. This could be through collecting documents, biometrics, digital identity, database searches or a combination of means performed using verification software or manually.

3) State the time limit for the check and waiting list terms

Companies should indicate how long it takes to verify a client and its restriction policy on transactions involving unverified accounts.

4) State what must be done if the client cannot be verified

An AML policy must detail measures taken in situations when clients cannot be identified—i.e. restricting accounting opening, limiting transactions, blocking users, etc. 

Besides, the company won’t be able to start a business relationship with high-risk, or sanctioned countries and industries. 

5) Politically Exposed Persons (PEPs)

A PEP is an individual who holds or held a powerful public position, such as a high-level politician or judge. Due to their influence, PEPs are more likely to be involved in aiding or abetting money laundering, racketeering, and financial fraud. As such, working with PEPs entails certain risks for financial institutions and other entities. 

Since there is no universal definition of PEP, most countries refer to the one provided by Financial Action Task Force:

• A present or past senior government official
• Prominent politicians belonging to a certain party
• An executive of a governmental commercial enterprise formed for the benefit of a government official
• Close family members of a government official
• A publicly-known associate of a financial institution.

6) State the procedure for when identity verification is outsourced to a third party

Step 5: report to Financial Intelligence Units (FIU)

Companies must define how they’ll report to financial intelligence units and law enforcement requests for information.

Step 6: share data with financial institutions

AML policies must describe a secure and confidential process for sharing accumulated AML data with other financial entities that does not allow for data leaks. The purpose is to identify and prevent money laundering elsewhere. 

Step 7: fill out suspicious activity reports

AML policies should specify the information that’s necessary for Suspicious Activity Reports (SARs) and the relevant deadlines. As an example, the BSA gives 30 days to file a report before issuing a fine. 

This sample template can be conveniently used for businesses, however, there is more to add to an all-round anti-money laundering policy.

Step 8: Staff awareness and training

The AML policy should ensure that employees are aware of how to deal with money laundering. Staff therefore should be trained at regular intervals on topics such as:

• the risks of ML/TF
• relevant laws and their obligations
• the responsibilities of the firm’s MLRO
• how their firm deals with potential money laundering or terrorist financing transactions or activity.

Step 9: Record-keeping

This refers to the measures taken to keep track of all AML-related procedures and documents for auditing purposes. Companies should also mention how long these documents will be kept. For example, under the BSA and AMLD4 it’s 5 years.

Step 10: Regular audits

A company should establish an independent internal audit function to:

• examine and evaluate the effectiveness of the current AML policy
• make recommendations in relation to this policy
• monitor the company’s compliance with those recommendations.

Template

Here you can see an example of FINRA’s template. 

It’s important to take into account that the content of the AML policy as and its features may vary depending on the business and jurisdiction, should also reflect the size and nature of the business in question, as well as complexity and geographical spread of the customer and service base.

FAQ

• What is the purpose of an AML policy?

  The purpose of an AML policy is to develop the procedures and controls to detect and report suspicious activity related to money laundering, terrorist financing, fraud and other crimes.

• Who is required to have an AML policy?

  All companies under AML regulations (depending on the jurisdiction) must develop an AML policy. Usually, organizations in finance, crypto, trading, real estate, and law are obliged to have an AML policy.

• What should an AML policy contain?

  An AML policy should contain a detailed description of the procedures an organization follows to detect money laundering and terrorist financing, along with reporting procedures to the relevant FIU.

• How do I create an AML policy?

  An AML policy should be developed by an AML compliance professional or money laundering reporting officer (MLRO).

• What is included in an anti-money laundering policy?

  An AML policy may include:

  • Customer Due Diligence

  • Appointing a ML reporting officer (MLRO)

  • Clients and business verification (KYC and KYB)

  • Record-keeping

  • Reporting of suspicious activity to the FIU

  • Conducting regular audits

• What is a BSA AML policy?

  According to FINRA, an AML policy:

  • has to be approved in writing by a senior manager.

  • It must be reasonably designed to ensure the firm detects and reports suspicious activity.

  • It must be reasonably designed to achieve compliance with the AML Rules, including, among others, having a risk-based customer identification program (CIP) that enables the firm to form a reasonable belief that it knows the true identity of its customers.

  • It must be independently tested to ensure proper implementation of the program.

  • Each FINRA member firm must submit contact information for its AML Compliance Officer through the FINRA Contact System (FCS).

  • Ongoing training must be provided to appropriate personnel.

  • The program must include appropriate risk-based procedures for conducting ongoing customer due diligence, including (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and, (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owners of legal entity customers.

  A template of the BSA AML policy may be downloaded per this link.