Your accounting firm needs an Anti-Money Laundering policy.
You know this. HMRC knows this. Yet the thought of writing one probably fills you with dread. Do you need three pages or thirty? A simple checklist or a compliance manual? Most firms aren’t sure, so they either overcomplicate it or dangerously oversimplify it.
The Money Laundering Regulations 2017 are clear: your firm needs written policies, controls, and procedures that show how you prevent money laundering. Getting this right protects your firm, satisfies your supervisor, and gives your team clear guidance they can actually follow.
This guide shows you exactly what to include, how to structure it, and how to avoid the common mistakes that lead to breaches HMRC will pick up at a compliance check. To better understand AML checks, see our guide on what an AML check involves.
Key Points Summarised for Busy Readers
- Written policies, controls, and procedures are mandatory under Regulation 19 MLR 2017; having procedures “in your head” constitutes a breach
- Three distinct elements are required: policies set direction, controls prevent breaches, procedures guide staff actions
- Your policy must address your specific risks identified in your firm-wide risk assessment, not just generic risks
- The MLRO designation is non-negotiable and must be clearly documented with contact details and deputy arrangements
- Customer due diligence procedures must specify when standard CDD applies versus when enhanced measures are required
- Record retention is five years minimum for all customer due diligence and transaction records
- Staff training requirements must be documented, including frequency, content, and effectiveness measures
- Regular reviews are essential; your policy must specify review cycles and update procedures for when regulations change
Understanding AML Policy Requirements Under MLR 2017
The Money Laundering Regulations 2017 mandate a documented approach to preventing money laundering and terrorist financing. The requirement is the same whether your supervisor is HMRC or a professional body such as ICAEW or ACCA. Your written policies, controls, and procedures serve two critical purposes:
- provide your team with clear guidance during daily operations
- prove to HMRC that your firm maintains genuine compliance standards
What is an AML Policy?
An AML policy is your firm’s documented approach to preventing money laundering, terrorist financing, and proliferation financing.
The regulations distinguish between three interconnected elements that work together to create your compliance framework: policies, controls, and procedures. Many firms conflate these elements, producing confusing documents that mix high-level principles with detailed instructions. Understanding the distinction is fundamental to creating an effective AML framework.
Your policy document should:
- answer the question: what is our firm’s stance on money laundering prevention?
- identify your MLRO
- establish your commitment to compliance
- outline your risk-based approach
Controls are the mechanisms that enforce your policy, and they often work behind the scenes. A practice management system that won’t let staff proceed without completing identity verification is a control. Software that flags transactions above certain thresholds is a control. Staff may not always see how controls work, but they must exist and function effectively, and you should be able to show they do.
Procedures are the detailed instructions that turn policies into daily practice. These tell staff exactly what to do when onboarding a new client, how to verify identity, when to escalate concerns, and how to maintain records.
Who Needs an AML Policy?
The requirement for a written AML policy applies to any firm carrying on relevant business within the scope of the regulations.
Relevant business activities include:
- tax advice
- accounting services
- treasury management
- investment or financial services
- audit services
- legal services
- trust and company formation services
- dealing in goods where cash payments of €10,000 or more are made or received in a single transaction or linked transactions (high value dealers)
If your firm provides any of these services, you must have documented policies, controls, and procedures in place. The excuse that you’re a small practice doesn’t exempt you from this requirement. Size affects the complexity of what you need, not whether you need it at all.
Even firms that primarily serve UK local authorities or public bodies, which may seem low risk, must have written procedures. The regulations make no exception for firms with exclusively public sector clients.
11 Non-Negotiable Components of an AML Policy
Every AML policy must contain specific elements to satisfy regulatory requirements. The table below lists these components; the bracketed numbers refer to the explanations that follow it.
| Component | Critical Elements | Explanation |
|---|---|---|
| Scope & Application | Services covered, staff/members included, geographic scope | [1] |
| Money Laundering Offences Overview | Concealing, arrangements, acquisition, failure to disclose, tipping off | [2] |
| MLRO Designation | Named individual, contact details, deputy arrangements, reporting lines | [3] |
| Risk Assessment Link | How policy addresses identified risks, sector-specific risks, ongoing assessment | [4] |
| Customer Due Diligence | When required, what evidence needed, how to verify, record keeping | [5] |
| Enhanced Due Diligence | Triggers for EDD, prescribed measures, senior approval processes | [6] |
| Cash Payment Procedures | Thresholds, verification requirements, reporting protocols | [7] |
| Suspicious Activity Reporting | Recognition, escalation, MLRO investigation, NCA reporting, consent procedures | [8] |
| Record Keeping | What to retain, retention periods, storage methods, retrieval systems | [9] |
| Staff Training | Frequency, content, effectiveness measures, record keeping | [10] |
| Review & Update | Review frequency, trigger events, approval process, staff communication | [11] |
Key Requirements Explained:
[1] Scope & Application: Specify the actual services your firm provides that fall within MLR 2017 scope. Identify who the policy applies to, including permanent staff, contractors, and partners. If operating across multiple jurisdictions, clarify geographic scope.
[2] Money Laundering Offences Overview: Brief overview of main offences under the Proceeds of Crime Act 2002 (concealing, arranging, acquiring criminal property), failure to disclose offences, and tipping off. Keep this concise to help staff understand why compliance matters.
[3] MLRO Designation: Name a specific individual as your Money Laundering Reporting Officer with full name, job title, contact details, and office location. Designate a deputy MLRO and document escalation paths if both are unavailable.
[4] Risk Assessment Link: Connect your policy explicitly to your firm-wide risk assessment. If you’ve identified third-party payments as high risk, your policy must address how you handle them. Reference HMRC’s sector guidance and the National Risk Assessment.
[5] Customer Due Diligence: Document when CDD is required, what evidence you’ll obtain to verify identity, how you’ll verify it, and how you’ll understand the business relationship purpose. Include procedures for both individual and corporate clients, specifying how you’ll identify beneficial owners.
[6] Enhanced Due Diligence: Identify triggers requiring EDD: customers in high-risk third countries, PEPs and their associates, false identification, complex transactions, and risks from your assessment. For high-risk countries and PEPs, document prescribed measures including senior approval and source of wealth verification.
[7] Cash Payment Procedures: Specify procedures for accepting cash payments. Document when you’ll verify customer identity, how you’ll record transactions, and what triggers suspicious activity reports. Many firms apply additional scrutiny to cash payments over £1,000; this is an internal threshold you set in your policy, not a figure prescribed by the regulations.
[8] Suspicious Activity Reporting: Detail how staff recognise potential money laundering, establish clear escalation procedures to the MLRO, document the MLRO’s investigation process, and include NCA consent procedures. Emphasise confidentiality and the tipping off offence throughout.
[9] Record Keeping: Specify what records must be retained (identity verification, transactions, correspondence, internal reports, MLRO decisions, NCA correspondence) for at least five years. Document storage methods and establish procedures for quick retrieval if required by authorities.
[10] Staff Training: Document training frequency (annual refresher is standard), detail training content covering money laundering indicators, CDD and EDD procedures, and reporting processes. Establish how you’ll measure effectiveness and maintain attendance records for HMRC compliance checks.
[11] Review & Update: Establish annual review procedures with trigger events prompting immediate review: legislation changes, new HMRC guidance, FATF list updates, new business risks, compliance breaches, or audit findings. Document who reviews, how changes are approved, and how updates reach staff.
8-Step Guide to Writing Your AML Policy
An effective AML policy starts with understanding your risks and ends with ongoing review. Follow these eight steps to create a policy your team can actually use.
Step 1: Review Your Risk Assessment
Your policy must address the specific risks you’ve identified, not just generic money laundering risks. If you haven’t completed a risk assessment, stop here and complete one first. Your policy without a risk assessment is like building a house without foundations.
Identify each risk factor your assessment has flagged:
- Customer Types – High net worth individuals, clients with overseas interests
- Service Types – Trust formation, tax planning for complex structures
- Transaction Types – Large cash receipts, third-party payments
- Geographic Factors – Clients with interests in high-risk jurisdictions
Your policy must explain how you’ll manage each identified risk. Review HMRC’s sector-specific guidance for your activities and ensure your risk assessment addresses the risks they expect you to consider.
Step 2: Designate Your MLRO
Choose your Money Laundering Reporting Officer carefully. This person must be:
| Requirement | What This Means |
|---|---|
| Senior enough | Has authority to make decisions affecting the firm's risk exposure |
| Knowledgeable enough | Understands money laundering and terrorist financing risks |
| Available enough | Can respond promptly to concerns and access necessary information |
| Independent enough | Can make objective judgments about reporting suspicions to the NCA |
For small practices, this might be a partner or sole practitioner. For larger firms, consider someone in a compliance or senior management role.
Designate a deputy MLRO for situations where the primary MLRO is unavailable or conflicted. Document both appointments formally in your policy. Ensure both receive appropriate training beyond standard staff training, including investigative techniques, NCA reporting procedures, and handling complex disclosure decisions.
Step 3: Document Your CDD Procedures
Create clear, practical procedures for customer due diligence. Start with the basics. When does CDD apply? For most accounting firms, this means at the start of every new client relationship and periodically throughout ongoing relationships. Document what evidence you’ll obtain to verify identity.
For individual clients, specify acceptable evidence. Typically, this means viewing original documents from reliable, independent sources, for example:
- one document from List A (passport, photo driving licence)
- two documents from List C (utility bill, bank statement, council tax demand)
Whatever you choose, be specific. Don’t say “appropriate identification.” Say exactly what documents you’ll accept.
For corporate clients, document how you’ll:
- verify the company exists (Companies House search, certificate of incorporation)
- identify persons with significant control or beneficial owners (those holding more than 25% of shares or voting rights, or who otherwise exercise significant influence or control)
- verify their identities
- specify how you’ll understand the nature of the business, the source of funds, and the intended nature of your business relationship
You can create practical tools to support your procedures.
- a customer identity verification checklist ensures consistent application
- a flowchart showing when CDD applies and what steps to follow helps staff navigate complex situations
Include these tools as appendices to your policy or in separate procedural documents that staff can easily access.
Step 4: Establish Your EDD Framework
Enhanced Due Diligence requires more detailed procedures because the stakes are higher and the measures more extensive. Start by clearly listing every trigger that requires EDD. Include the mandatory triggers (high-risk third countries, PEPs, false documentation, complex or unusual transactions) and any firm-specific triggers from your risk assessment.
For each trigger, document exactly what additional measures will apply. For high-risk third countries, this must include all six prescribed measures from Regulation 33(3A):
- obtaining additional information on the customer and beneficial owners
- additional information on the intended nature of the relationship
- establishing source of funds and source of wealth
- understanding reasons for the transaction
- obtaining senior management approval
- conducting enhanced ongoing monitoring
For PEPs, document the three prescribed measures from Regulation 35(5):
- senior management approval
- establishing source of wealth and source of funds
- enhanced ongoing monitoring
Specify which senior manager must approve these relationships, what criteria they’ll apply, and how approval will be documented.
Create clear guidance on source of wealth versus source of funds. Source of wealth means how the client accumulated their total assets (inheritance, business ownership, employment income over time, property appreciation). Source of funds means the origin of the particular funds involved in this specific transaction or relationship (sale of property, business profits, salary payment, loan proceeds).
Your procedures should specify what evidence you’ll obtain for each.
Step 5: Create Your Reporting Framework
Your suspicious activity reporting procedures are perhaps the most critical part of your policy. They must enable staff to recognise potential money laundering, report concerns confidentially and understand what happens next. At the same time, they must protect against inappropriate disclosures that could constitute tipping off.
Document indicators of potential money laundering that are relevant to your practice. Include both:
- general indicators (secretive clients, illogical transactions, unusual payment methods, reluctance to provide information)
- specific indicators relevant to your services (companies with poor financial records seeking audit opinions, trust formations with unclear beneficial ownership, tax planning that lacks commercial rationale, third-party payments from unexpected sources)
Establish a clear reporting process. Staff must know how to contact the MLRO, what information to include in their report (use a standard template), and what timescales apply (immediate reporting is best, certainly within hours rather than days). Emphasise that staff should report suspicions, not certainties. The MLRO will investigate further; staff shouldn’t try to gather evidence themselves.
Also, document the MLRO’s investigation and decision process.
- What inquiries will the MLRO make?
- How will they assess whether reasonable grounds exist to suspect money laundering?
- How will they decide whether to report to the NCA?
- How will they record their decision and reasoning?
This documentation protects both the MLRO and the firm by evidencing that decisions were made properly.
Step 6: Specify Record Keeping Requirements
Clear record keeping requirements prevent compliance failures and provide evidence of your procedures if HMRC conducts a compliance check. Document exactly what records must be kept, in what format, for how long, and who is responsible for maintaining them.
Your records must include evidence of:
- customer identity verification (copies of documents reviewed, annotated to confirm the originals were seen, with the date and the name of the person who checked them)
- details of the business relationship (nature of services, purpose of relationship, expected transaction volumes)
- transaction records (dates, amounts, parties involved, nature of transactions)
- internal suspicious activity reports
- MLRO decisions and reasoning
- any correspondence with the NCA
Specify retention periods clearly. The minimum is five years from the end of the business relationship or completion of the occasional transaction. Some firms adopt longer retention periods to align with other professional obligations, but note that Regulation 40 requires personal data obtained for CDD purposes to be deleted at the end of that period unless another legal requirement, actual or anticipated legal proceedings, or the client’s consent justifies keeping it, so state the basis for any longer period. Clarify whether the retention period starts from the last service provided or from formal termination of the client relationship.
Step 7: Plan Your Training Program
Training transforms your written policy into practical action. Without effective training, even the best policy document sits unused. Document your training program in detail, as HMRC routinely reviews training records during compliance checks.
- Specify Training Frequency
All relevant staff should receive AML training during induction and annual refresher training thereafter. Staff in higher-risk roles (those regularly conducting CDD, handling large transactions, or working with high-risk client types) may need more frequent training, such as quarterly updates.
- Detail Training Content
Cover money laundering offences and penalties, how to recognise potential indicators, your firm’s CDD and EDD procedures, how to report suspicions to the MLRO, and the critical importance of avoiding tipping off. Include recent case studies or compliance failures and updates to legislation or guidance. Make training practical and relevant to your firm’s actual activities rather than generic e-learning that staff click through without engagement.
- Establish How You’ll Measure Effectiveness
Simple attendance records aren’t sufficient. Consider tests or quizzes after training, case studies that staff must analyse, supervision observations of staff applying procedures correctly, or review of staff documentation to ensure procedures are being followed. Document the results and use them to improve future training.
- Maintain Comprehensive Training Records
Document who attended what training, when it occurred, what content was covered, what materials were provided, and any assessment results. These records demonstrate your commitment to compliance and help identify any staff who may need additional support.
Comprehensive training ensures your policy becomes embedded in daily practice rather than remaining a theoretical document your team never references.
Step 8: Establish Review Procedures
Your policy must be a living document that evolves with changing risks and regulations. Document clear procedures for regular reviews and updates. Annual reviews are standard, but certain events should trigger immediate review.
Specify who is responsible for conducting reviews. This might be the MLRO, a compliance officer, or a senior partner. Clarify how they’ll assess whether the policy remains appropriate (reviewing regulatory changes, considering compliance breaches or near-misses, analysing effectiveness of procedures, gathering feedback from staff).
Establish an approval process for changes. Significant policy updates should require senior management approval, typically from the board, partnership, or practice owner. Document how approved changes will be communicated to all relevant staff, including those working remotely or part-time.
Create a version control system. Maintain records of all previous policy versions, dates of changes, reasons for updates, and who approved them. This demonstrates to HMRC that you actively maintain your policy rather than creating it once and forgetting about it.
5 Overlooked Essentials of AML Policy
Several aspects of AML policies frequently receive insufficient attention, creating compliance vulnerabilities even when the policy appears comprehensive.
| Essential Element | What Your Policy Must Address |
|---|---|
| Tipping Off Offence | Once a suspicious activity report has been made, staff must avoid any communication that could prejudice an investigation. This criminal offence carries up to five years’ imprisonment. Include practical guidance on handling client communications during investigations, including what to say if a client asks why work has paused. |
| Initial Risk vs Residual Risk[12] | EDD requirements are triggered by initial risk before controls are applied, not residual risk. A client with beneficial owners in a high-risk third country triggers EDD regardless of other controls. |
| Cascade Effect of Breaches | Failing to apply EDD typically indicates multiple compliance failures: improper risk assessment, inadequate procedures, and insufficient training. Emphasise how compliance requirements interconnect. |
| Senior Management Approval Specificity | Identify exactly which senior manager has approval authority for high-risk clients. Specify criteria they'll apply, information they'll review, how decisions are documented, and what happens if approval is withheld. |
| EDD Cannot Be Outsourced | While you may rely on certain third parties for standard CDD under Regulation 39, Enhanced Due Diligence must be conducted by your firm itself, and you remain liable for any CDD failure even when relying on a third party. State this clearly to prevent inappropriate reliance arrangements. |
[12] Initial Risk vs Residual Risk: Initial risk is your assessment before any controls are applied. Residual risk is what remains after controls. EDD triggers are based on initial risk only.
Common Mistakes in AML Policy Writing & How to Address Them
Even well-intentioned firms make predictable mistakes when creating AML policies. Recognising these common errors helps you avoid compliance gaps that could trigger HMRC action.
| Mistake | How to Address |
|---|---|
| Using generic templates without customisation | Start with your risk assessment. Customise every section to reflect your actual services, client base, and identified risks. Remove irrelevant content. |
| Having procedures "in your head" only | Document everything in writing. If you can explain a procedure verbally, you can write it down. Create flowcharts and checklists for complex procedures. |
| Failing to link policy to risk assessment | Explicitly reference your risk assessment findings throughout the policy. For each identified risk, explain the specific controls and procedures you've implemented. |
| Inadequate MLRO designation | Name specific individuals by full name and job title. Provide complete contact details. Designate a deputy for coverage. Document both formally. |
| Vague EDD procedures | Document exactly what EDD measures apply for each trigger. For high-risk third countries and PEPs, list all prescribed measures explicitly. Specify who does what, when, and how. |
| Insufficient record keeping specification | Specify exactly what documents and information to retain, minimum retention period (five years), storage method, and retrieval procedures. Reference GDPR compliance. |
| Poor training documentation | Document comprehensive training records including content, materials, assessment results, and effectiveness measures. Address gaps identified through assessment. |
Avoiding these mistakes creates a policy that satisfies regulatory requirements and actually supports your compliance efforts in practice.
Action Steps: What Firms Should Do Next
Creating or updating your AML policy requires immediate action. Use this practical checklist to address gaps and strengthen your compliance framework.
- Audit your current policy against the components in this guide and identify gaps
- Conduct or update your risk assessment if it’s more than a year old
- Designate your MLRO and deputy formally in writing with clear terms of reference
- Document your actual procedures as they currently operate, not aspirational ones
- Prioritise fundamental gaps (MLRO designation, basic CDD procedures, reporting framework) before refinements
- Involve staff in procedure development to build buy-in and improve practical application
- Plan your training rollout for all relevant staff once procedures are documented
- Establish your annual review cycle and system for tracking regulatory changes
- Document everything: policy development, risk assessments, MLRO designation, training, and approvals
Don’t let perfect become the enemy of good. Better to implement a solid baseline policy quickly and refine it than pursue the perfect document that takes months to complete. Your regulatory exposure increases with every day of delay.
Additional Resources
- HMRC Economic Crime Supervision Handbook: Economic Crime Supervision Handbook – HMRC internal manual – GOV.UK
- Joint Money Laundering Steering Group Guidance: Current Guidance – JMLSG
- HMRC “Understanding Risks and Taking Action” Guidance: Who needs to register for money laundering supervision – GOV.UK
- FATF High-Risk Jurisdictions Lists: “Black and grey” lists
- Person with Significant Control (PSC) Explained: Person with Significant Control (PSC) Explained – FigsFlow
- Top 6 AML Software for Accountants in 2025: Top 6 AML Software for Accountants in 2025 – FigsFlow
Conclusion
Strong AML policies protect your firm and your clients.
They reflect your actual risks, genuine procedures, and your commitment to preventing money laundering. A practical policy defines clear actions, meets regulatory standards, and works in everyday operations.
Firms that excel involve staff, provide meaningful training, review procedures regularly, and adapt as risks evolve. Your AML policy safeguards your clients, supports your team, and reduces regulatory risk while enhancing your reputation.
Stop delaying. Start writing your AML policy today.
Frequently Asked Questions
Yes. The requirement for written policies, controls, and procedures under Regulation 19 applies regardless of firm size. A sole practitioner conducting relevant business activities must have documented procedures just as a large firm does. The complexity and length of your policy should be proportionate to your size and risks, but having procedures only “in your head” constitutes a regulatory breach.
Templates can provide a useful starting point, but you cannot simply adopt them without customisation. Your policy must reflect your specific risks identified in your firm-wide risk assessment, your actual services and client base, your chosen procedures, and your organisational structure. HMRC will quickly identify generic policies that don’t match your actual operations.
Length depends on your firm’s complexity, but clarity matters more than brevity. A sole practitioner might have a comprehensive policy in 15 to 20 pages including appendices. A larger firm with multiple service lines might need 40 to 50 pages. Focus on including all required elements explained clearly rather than achieving a specific page count.
Senior management must approve your policy under Regulation 19(2). For partnerships, this typically means the partners collectively or a designated senior partner. For companies, the board of directors. For sole practitioners, the proprietor. Document the approval formally and include it in your version control records.
Annual reviews are standard best practice and expected by HMRC. However, certain events should trigger immediate interim reviews, including changes to MLR 2017 or related legislation, new HMRC guidance relevant to your sector, updates to FATF high-risk country lists, identification of new risks, compliance breaches, or internal audit findings.