Policies, Controls and Procedures
Develop, implement, and maintain clear policies, controls, and procedures to effectively reduce AML risks, ensuring your firm meets all legal requirements and operates with robust safeguards against financial crimes.
AML Essentials Kit Breakdown:
- Client Identity Data Collection
- Client Identity Verification
- Client Risk Assessment
- Firm-wide Risk Assessment
- Policies, Controls, and Procedures
- AML Training and Awareness
Regulation 19 of the Money Laundering Regulations 2017 requires every accounting firm in the UK to establish and maintain policies, controls and procedures that address money laundering and terrorist financing risk. These three elements form the operational framework through which your firm meets its legal obligations and manages its exposure to financial crime.
Although they are often discussed together, each serves a distinct purpose. Policies set out your firm’s approach and principles. Controls are the mechanisms you put in place to manage risk and enforce those principles. Procedures are the practical instructions that tell your team what to do and when.
What the framework consists of
Your AML framework has three components, each with a specific role:
- Policies articulate your firm’s commitment to preventing money laundering and terrorist financing. They define your overall approach, clarify who is responsible for what and explain the principles that guide your decision making.
- Controls are the safeguards and oversight arrangements you use to reduce risk and ensure compliance. They include measures such as appointing a Money Laundering Reporting Officer, screening employees, providing training and conducting independent reviews of your AML arrangements.
- Procedures are the detailed, step by step instructions that staff follow when carrying out AML tasks. They cover activities such as verifying client identity, assessing risk, maintaining records and reporting suspicious activity.
Together, these three elements demonstrate that your firm understands the risks it faces and has a structured, defensible approach to managing them.
Why your firm needs this in place
Having clear and well documented policies, controls and procedures is not only a legal requirement. It also serves several practical purposes:
- It provides your team with clear guidance on what is expected of them and how to carry out their responsibilities
- It reduces the likelihood of errors, omissions or inconsistent application of AML requirements
- It creates an audit trail that you can rely on if your supervisory body reviews your compliance arrangements
- It ensures continuity and consistency as your firm grows, your team changes or your services evolve
Regulatory supervisors frequently identify weak or generic AML documentation as a cause of non-compliance. Simply adopting template documents without tailoring them to your own circumstances is unlikely to satisfy a regulator and will not provide useful guidance to your staff.
Your framework must reflect the reality of your firm. That means considering your size, the services you offer, the types of clients you work with and the risks your firm-wide risk assessment has identified.
Developing your policies
Your AML policy is the overarching document that sets out your firm’s commitment to compliance and explains how that commitment will be put into practice. It should be clear, accessible and tailored to your firm’s operations.
What to include in your policy
Your policy should address the following areas:
- The purpose and scope of the policy: Begin by stating clearly that your firm is committed to complying with its obligations under UK anti money laundering legislation. Explain how the policy applies across the business and who it covers.
- The legal and regulatory framework: Identify the legislation your firm is subject to, including the Proceeds of Crime Act 2002, the Terrorism Act 2000 and the Money Laundering Regulations 2017. You should also reference any guidance issued by your supervisory body, professional institutes or the Financial Action Task Force.
- Roles and responsibilities: Specify who holds the role of Money Laundering Reporting Officer or nominated officer within your firm. Explain what that role involves and what authority the officer has. You should also clarify the responsibilities of other senior managers and staff members, including what is expected of relevant employees under the regulations.
- How your firm assesses and manages risk: Describe how your firm identifies AML risk and what factors it considers when assessing that risk. This should align with your firm-wide risk assessment and cover areas such as client characteristics, the services you provide, transactional patterns and geographical connections.
- Monitoring and reporting obligations: Explain how your firm monitors clients and their activities for signs of suspicious behaviour. Set out the process for reporting concerns internally to your Money Laundering Reporting Officer and, where necessary, externally to the National Crime Agency.
- Record keeping requirements: Specify what records your firm keeps, how long they are retained and where they are stored. This should cover both client due diligence records and records of internal decision making and reporting.
- Training and internal controls: Describe how your firm ensures that staff are properly trained and kept up to date with their AML responsibilities. Explain how employees are screened before employment and how your policies and procedures are reviewed and updated over time.
- Firm specific matters: Your policy should also address any areas that are particularly relevant to your practice. For example, if you act as a trust or company service provider, your policy should explain how you manage the risks associated with those services. If you operate client bank accounts, you should set out the controls and oversight arrangements that apply. If you have chosen not to offer certain services or handle client funds, documenting that decision in your policy can be helpful.
Understanding AML risk
Your policies, controls and procedures must be informed by a clear understanding of what AML risk means. Risk is not just the possibility that a client is involved in criminal activity. It includes:
- The risk that your firm could be used, intentionally or otherwise, to facilitate the movement or concealment of criminal property
- The risk that you fail to recognise or report suspicious activity when it occurs
- The reputational damage and regulatory consequences that follow a compliance failure
The UK National Risk Assessment published in 2020 makes clear that the greatest risk arises when firms do not fully understand the threats they face or fail to apply controls that are appropriate to the level of risk. The Financial Action Task Force has similarly noted that smaller firms can be particularly vulnerable due to limited resources, lack of training or insufficient understanding of their obligations.
You are not expected to eliminate all risk. That would be neither realistic nor required. What you are expected to do is understand the risks your firm faces, assess them properly and respond in a way that is proportionate and effective.
Implementing controls
Controls are the mechanisms you put in place to manage risk, enforce your policies and ensure that your firm operates in line with its AML obligations. Regulation 21 of the Money Laundering Regulations sets out the key controls you must have in place.
- Senior management/MLRO oversight: Your firm must appoint a Money Laundering Reporting Officer or, if your firm is a sole practitioner, a nominated officer. This individual is responsible for overseeing your AML compliance, receiving internal reports of suspicious activity and deciding whether to submit a suspicious activity report to the National Crime Agency. Where your firm has a board or senior leadership team, that group should be engaged in overseeing AML compliance and ensuring that adequate resources are allocated to the function.
- Employee screening and training: You must conduct appropriate background checks on employees before they join your firm and, where relevant, during their employment. This helps ensure that your firm does not employ individuals who pose a risk to your compliance arrangements or your reputation. All relevant employees must receive regular training on their AML responsibilities. Training should cover the legal framework, the firm’s policies and procedures, how to identify suspicious activity and what to do if they have concerns. You should keep records of who has been trained, when the training took place and what topics were covered.
- Independent review: Where appropriate to the size and nature of your firm, you should arrange for an independent review of your AML controls. This might be conducted by an internal audit function or by an external party. The purpose of the review is to evaluate whether your controls are working effectively and whether your policies and procedures remain fit for purpose. For smaller firms, a proportionate approach might involve periodic reviews by a senior member of staff who is independent of the day-to-day compliance function, or an external review carried out every few years.
These controls are not simply administrative requirements. They help detect and prevent money laundering, ensure accountability within your firm and provide assurance that your AML approach remains effective as your business evolves.
Writing effective procedures
Procedures translate your policies into practical, actionable steps. They tell your team exactly what to do, in what order and what documentation is required. Good procedures are clear, concise and easy to follow.
Your procedures should cover the following areas:
- Client onboarding and due diligence: Set out the steps your firm follows when taking on a new client. This should include how to gather customer due diligence information, how to assess the client’s risk profile, how to verify identity and address, and what checks to carry out before issuing an engagement letter. If you are required to make anti money laundering enquiries of the client’s previous accountant, your procedure should explain when and how to do this.
- Record keeping: Explain what records must be created and retained, where they should be stored, how long they must be kept and when and how they can be destroyed. Your procedures should address both physical and electronic records and should ensure compliance with data protection requirements.
- Suspicious activity reporting: Describe what constitutes suspicious activity and how staff should respond if they have concerns. Set out the process for reporting concerns internally to your Money Laundering Reporting Officer (MLRO), what the officer does upon receiving a report, and how and when a suspicious activity report is submitted to the National Crime Agency.
- Training and awareness: Explain how your firm identifies which employees need AML training, how that training is delivered, how often it is refreshed and how participation is recorded.
- Other procedures: You may also wish to document procedures for conducting your annual AML compliance review, for screening employees, for relying on third party due diligence and for updating your firm-wide risk assessment.
Supporting your procedures with templates, checklists and worked examples can help ensure that tasks are carried out consistently and that all necessary steps are completed. It also makes it easier for new staff to understand what is required and reduces the risk of errors or oversights.
Keeping the framework current
Your policies, controls and procedures are not static documents. They must be kept under review and updated whenever there are material changes to your firm, your client base, the regulatory environment or the risks you face.
You should review your framework:
- At least annually as part of your broader AML compliance review
- Whenever you introduce new services or stop offering existing ones
- When there are changes to relevant legislation or guidance
- Following any internal audit, supervisory visit or compliance issue that reveals gaps or weaknesses
When you update your policies, controls or procedures, you must ensure that your team is informed of the changes and understands how they affect their day-to-day work. Training should be provided where necessary, and updated documents should be easily accessible to all relevant staff.
Your framework should evolve alongside your firm. A document that was fit for purpose five years ago may no longer reflect your current operations, client base or risk profile. Regular review and updating ensures that your compliance arrangements remain effective and proportionate.
Frequently Asked Questions
Why does your firm need formal policies and procedures for money laundering checks?
We are legally required under UK Money Laundering Regulations to establish and maintain a formal framework for preventing money laundering and terrorist financing. This framework consists of policies that set out our overall approach, controls that help us manage risk, and procedures that tell our team exactly what to do. Having this in place protects both our firm and our clients. It ensures we handle compliance matters consistently, reduces the risk of errors, and demonstrates to regulators that we take our obligations seriously.
How do you ensure your policies and procedures stay up to date?
We review our policies, controls and procedures at least annually as part of our broader compliance review. We also update them whenever there are material changes to our firm, such as introducing new services, or when there are changes to relevant legislation or regulatory guidance. If we identify gaps or weaknesses, whether through an internal review or following a supervisory visit, we make the necessary changes promptly. When we update our framework, we inform our team and provide additional training where needed. This ensures our approach remains effective and proportionate to the risks we face.
What happens if a member of your team identifies something suspicious about my account?
If a member of staff has concerns about any aspect of your relationship with us, they are required to report those concerns internally to our Money Laundering Reporting Officer. The officer will review the matter and decide whether it warrants a report to the National Crime Agency. We cannot tell you if a report has been made, as doing so would be a criminal offence known as tipping off. Our procedures set out exactly how we handle these situations to ensure we comply with the law while maintaining confidentiality. Most concerns turn out to be innocent, but we are legally obliged to assess them properly.