Guide Updated 2026-07-11 18 min read By HubSecure Editorial Team Reviewed by compliance reviewers

Short summary

Anti-money laundering compliance is not optional for regulated firms — and the consequences of getting it wrong range from regulatory censure to criminal prosecution. This guide gives small and mid-sized firms a complete, practical picture of what AML compliance requires in 2026.

  • The 5 pillars of AML compliance and what each demands in practice.
  • When to apply CDD, EDD, and SDD — and how to document each decision.
  • SAR filing: what triggers a report, how to file it, and what the deadlines are.
  • 2026 regulatory changes under EU AMLD6 and FinCEN beneficial ownership rules.
  • A compliance checklist you can use to assess your current programme today.

The Complete AML Compliance Guide for Small Regulated Firms (2026)

Everything small firms need to know about AML compliance in 2026 — from risk assessments to SAR filing, CDD/EDD, transaction monitoring, beneficial ownership, and the regulatory changes taking effect this year.

Written byHubSecure Editorial Team

Practical compliance guides for MLROs, compliance officers, and managing partners at regulated firms.

Reviewed byHubSecure Security & Compliance Review

Reviewed for regulatory accuracy against FATF, FinCEN, FCA, and EU AMLD standards.

Last updatedJuly 11, 2026

Incorporates EU AMLD6 requirements and FinCEN beneficial ownership rule updates effective 2026.

TL;DR

What AML compliance means and who it applies to

Anti-money laundering (AML) compliance is the set of legal obligations that require regulated businesses to detect, prevent, and report money laundering and terrorist financing. It is not a voluntary framework or a best-practice standard — it is a statutory requirement backed by criminal penalties for non-compliance.

Money laundering is the process by which criminals disguise the origin of illicit funds by moving them through legitimate businesses and financial institutions. Terrorist financing is the related crime of channelling funds — sometimes from entirely legitimate sources — to support terrorism. AML obligations target both.

Who is subject to AML obligations? The scope varies by jurisdiction but consistently covers:

If your firm falls into any of these categories — or if you are uncertain whether it does — you should obtain legal advice specific to your jurisdiction. Operating without an AML programme when one is required is not a technical compliance gap; it is a criminal exposure for the firm and potentially for individual senior managers.

Small firm myth: Many partners and directors at small firms believe AML obligations are primarily for large banks. This is incorrect. Regulatory enforcement actions against small law firms, accounting practices, and independent financial advisers have increased significantly since 2022. Regulators have explicitly stated that firm size is not a mitigating factor in the assessment of AML programme adequacy.

The 5 pillars of an AML programme

A compliant AML programme is built on five interdependent pillars. Weakness in any one pillar undermines the entire programme. Regulators assess all five during inspections, and deficiencies in any pillar can result in enforcement action regardless of the firm's performance on the others.

Pillar 1
Firm-Wide Risk Assessment

A documented analysis of the money laundering and terrorist financing risks specific to your firm — considering your client types, geographic exposure, delivery channels, products and services, and transaction volumes. This assessment drives everything else: it determines how much resource you allocate, where your controls focus, and what your risk appetite is.

Pillar 2
Customer Due Diligence (CDD/EDD/SDD)

Know Your Customer processes applied before and during the client relationship. Includes identity verification, beneficial ownership identification, understanding the nature and purpose of the relationship, and ongoing monitoring. The depth of due diligence varies by risk — standard, enhanced, or simplified.

Pillar 3
Transaction Monitoring

Ongoing scrutiny of client transactions to detect patterns or anomalies that are inconsistent with the expected profile of the client or the stated nature of the relationship. Must be systematic, documented, and must generate actionable alerts rather than producing noise that gets ignored.

Pillar 4
SAR Filing

The legal obligation to file a Suspicious Activity Report (or Suspicious Transaction Report in some jurisdictions) when you know, suspect, or have reasonable grounds to suspect that a person is engaged in money laundering or terrorist financing. Failure to file is a criminal offence. Filing must not be preceded by tipping off the subject.

Pillar 5
Training and Awareness

All staff with client-facing or transaction-handling roles must receive AML training appropriate to their role. Training must cover how to recognise suspicious activity, the firm's internal reporting procedures, and the personal criminal liability for failing to report. Training must be documented and refreshed at least annually.

The risk-based approach explained

The risk-based approach (RBA) is the foundational principle of modern AML compliance, endorsed by FATF and embedded in every major AML framework including the EU's AMLD series, the UK's Money Laundering Regulations, and FinCEN's BSA rules. It means that the intensity of your AML controls should be proportionate to the level of risk — higher for higher-risk clients and transactions, lower for genuinely lower-risk situations.

The RBA is not a licence to do less. It is a framework for allocating your compliance resource intelligently. A firm that applies exactly the same level of due diligence to a long-established domestic retail client and to a new offshore corporate entity in a high-risk jurisdiction is not following the RBA — it is ignoring risk signals on the offshore client while wasting time on the retail client.

Implementing the RBA requires three things:

Common misapplication: Some firms use the RBA to justify minimal due diligence on the bulk of their clients, on the basis that "most clients are low risk." This is a regulatory red flag. The RBA requires you to demonstrate that your risk assessment is substantive and current — not that you have found a reason to do less. Regulators look specifically for evidence that your risk assessment is genuinely driving your control framework, not just providing cover for under-investment in compliance.

CDD, EDD, and SDD: knowing which applies and when

Customer due diligence (CDD) is the umbrella term for the identity and risk verification processes you apply to clients. Within CDD, three tiers of intensity apply depending on the risk level of the client and the relationship.

Standard CDD

Standard CDD applies to all clients in the absence of risk factors that would require enhanced measures or justify simplified measures. Standard CDD requires you to:

Enhanced Due Diligence (EDD)

Enhanced Due Diligence is mandatory when you identify higher risk factors. EDD must be applied — it is not discretionary — when:

EDD is not a single additional step — it is a qualitatively different level of scrutiny. It typically includes independent verification of source of funds and source of wealth, senior management approval for the relationship, enhanced ongoing monitoring, and more frequent review cycles. All EDD decisions and the evidence underlying them must be documented.

Simplified Due Diligence (SDD)

Simplified Due Diligence is a limited exception permitted in genuinely low-risk situations — not a default for any client you judge to be "routine." SDD is typically available for regulated financial institutions in equivalent jurisdictions, publicly listed companies on recognised exchanges, and government entities. Even where SDD is applied, you must still verify the client's identity — you simply apply a reduced level of scrutiny to the ongoing monitoring.

Documentation rule: Whatever tier of due diligence you apply, you must be able to demonstrate that you made a conscious, documented decision to apply that tier — and the risk factors that supported the decision. An undocumented CDD process is, from a regulatory perspective, the same as no CDD process. The records are the compliance.

PEP screening and beneficial ownership (UBO)

Politically Exposed Persons

A Politically Exposed Person is an individual who holds or has held a prominent public function — heads of state, government ministers, members of parliament, senior judiciary, senior military officers, senior state enterprise executives, and ambassadors — together with their immediate family members and known close associates. The PEP classification exists because public positions of power create opportunities and temptations for corruption, bribery, and the misappropriation of public funds.

PEP screening is not optional. You must screen all clients against PEP lists at onboarding and throughout the relationship. A client who was not a PEP when you onboarded them may become one if they enter public office. An individual who was a PEP retains that status for at least 12 months after leaving the position (many jurisdictions apply longer periods for higher-risk roles).

When a client screens as a PEP, you must apply EDD. You must obtain senior management approval to enter into or continue the business relationship. You must verify the source of wealth and source of funds through independent means. And you must conduct enhanced ongoing monitoring. Simply noting the PEP status and continuing as normal is not compliance — it is a documented admission that you failed to apply the required controls.

Beneficial Ownership and UBO Identification

The beneficial owner is the natural person who ultimately owns or controls the client entity — the human being behind the corporate structure, regardless of how many layers of holding companies, trusts, or nominees sit between them and the entity you are dealing with.

Identifying the UBO is frequently the hardest part of CDD for small firms, because many clients — particularly those in professional services or with cross-border activities — have ownership structures that are deliberately or legitimately complex. Your obligations are:

The FinCEN beneficial ownership rule (effective January 2024, with enforcement progressively tightening in 2025–2026) requires most US legal entities to file beneficial ownership information with a central FinCEN registry. When conducting CDD on US corporate counterparties, you can cross-reference this registry — but registry data supplements your own verification rather than replacing it.

Transaction monitoring: what it is and what triggers a review

Transaction monitoring is the ongoing scrutiny of client transactions during the business relationship to ensure they are consistent with your knowledge of the client — their business, their source of funds, their stated purpose for the relationship, and their expected transaction patterns. It is not a one-time check at onboarding. It is a continuous obligation.

For many small regulated firms, transaction monitoring is the least well-implemented pillar. Onboarding processes have improved significantly over the last five years; transaction monitoring has not kept pace. The most common failure mode is "monitoring" that consists of a fee earner occasionally glancing at a client's activity with no structured criteria, no documented triggers, and no escalation path.

Transaction monitoring triggers that require investigation:

When a trigger is identified, the firm's MLRO or nominated officer must review the situation, make a documented judgment about whether suspicion has been formed, and if so, file a SAR. The review itself must be documented — even if the conclusion is that no suspicion exists and no SAR is required.

Risk IndicatorWhy It MattersYour Response
Structuring below thresholdsClassic money laundering technique to avoid mandatory reportingInternal review by MLRO; likely SAR required
Third-party paymentsObscures true source of fundsRequest written explanation; EDD on third party
Cash-heavy transactionsCash is hardest to trace; preferred by launderersSource of cash documentation; escalate if unexplained
Rapid movement of fundsLayering technique — move funds before detectionPause transaction if possible; urgent MLRO review
Inconsistent wealth claimsClient's stated wealth doesn't match transaction volumeSource of wealth verification; EDD if unresolvable

SAR filing: process, timeline, and what happens next

A Suspicious Activity Report (SAR) is a formal report filed with your jurisdiction's financial intelligence unit (FIU) when you know, suspect, or have reasonable grounds to suspect that a person is engaged in money laundering or terrorist financing. Filing a SAR is a legal obligation, not a discretionary escalation. Failure to file when the threshold is met is a criminal offence.

The suspicion threshold

The threshold for filing a SAR is suspicion — not certainty, not proof, and not a completed investigation. The moment you have reasonable grounds to suspect that criminal activity is occurring, your obligation to file is engaged. You do not need to complete an investigation before filing. You do not need to wait until you are sure. Suspicion is a lower standard than belief, and belief is a lower standard than certainty. If you are asking yourself "should I file a SAR?", the answer is almost always yes.

The filing process

The process varies by jurisdiction, but the standard flow is:

  1. Flag raised: A fee earner, compliance officer, or monitoring system identifies a potential issue and reports it to the MLRO (or nominated officer)
  2. MLRO review: The MLRO reviews the internal report and the underlying evidence, makes a documented judgment about whether suspicion exists, and decides whether to file
  3. SAR submission: If suspicion exists, the MLRO files the SAR with the relevant FIU — FinCEN in the US (via the BSA E-Filing System), the National Crime Agency in the UK, the relevant national FIU in EU member states
  4. Consent (if required): In some jurisdictions (notably the UK), if you are about to undertake a transaction that is the subject of a SAR, you may need to request consent from the FIU before proceeding. This is the "defence against money laundering" (DAML) consent regime
  5. Record keeping: The SAR, the internal report, and all supporting documentation must be retained for a minimum of five years

Timeline obligations

The filing deadline varies by jurisdiction. In the US, SARs must be filed within 30 calendar days of the date a suspicious transaction was detected, with a 60-day extension permissible when no subject is identified. In the UK, there is no statutory filing deadline but the obligation is engaged "as soon as practicable." In EU member states, obligations vary but urgency is expected when the suspicion relates to terrorist financing.

Tipping off: It is a criminal offence to disclose to a client, or to any person the subject of a SAR, that a SAR has been filed or that an investigation is underway. This prohibition on "tipping off" applies even if the client directly asks whether you have filed a SAR. You are permitted to decline to answer on legal privilege grounds, or to indicate that you cannot discuss the matter. You cannot confirm or deny the filing.

Record keeping requirements and training obligations

Record keeping

AML records must be retained for a minimum of five years from the end of the business relationship or the date of the transaction — whichever is later. The five-year requirement applies universally across FATF member jurisdictions, though some require longer periods (seven years in certain EU member states and for specific transaction types).

Records that must be retained include:

Records must be stored securely and must be retrievable on demand for regulatory inspection. Physical records stored in filing cabinets are technically compliant but create significant operational risk. Records should be stored in a system that provides audit logging of access, version control, and the ability to export on demand.

Training obligations

Every member of staff with a role that is relevant to AML compliance — client-facing roles, transaction-handling roles, and supervisory roles — must receive AML training. Training must cover:

Training must be documented and must be refreshed at least annually. It must also be refreshed whenever there are material changes to the regulatory framework, the firm's risk profile, or the firm's AML policies and procedures. Generic e-learning alone is often insufficient — regulators increasingly expect training to be tailored to the specific risks in the firm's sector and client base.

Regulatory bodies and 2026 changes

Key regulatory bodies

2026 regulatory changes

EU AMLD6 (Sixth Anti-Money Laundering Directive): AMLD6 extends the list of predicate offences for money laundering (the crimes whose proceeds can be laundered) to include cybercrime, environmental crime, and tax crimes. Critically, it introduces explicit criminal liability for senior managers of obligated entities who fail to prevent money laundering through inadequate AML programmes. The minimum custodial sentence for money laundering offences is set at four years. Member states were required to implement AMLD6 into national law, with the new AMLA framework adding EU-level oversight from 2025 onward.

FinCEN Beneficial Ownership Rule: The Corporate Transparency Act's beneficial ownership reporting requirements, administered by FinCEN, require most US legal entities to file UBO information with a central FinCEN registry. The registry is not publicly accessible, but law enforcement and, in limited circumstances, financial institutions conducting due diligence can access it. For firms conducting CDD on US corporate counterparties, the registry provides a new verification resource — but it supplements, rather than replaces, your own verification obligations.

EU Regulation on Transfers of Funds: New rules extending information requirements to crypto-asset transfers took effect in 2024 and are being enforced with increasing rigour in 2026. Crypto asset service providers subject to EU regulation must apply AML/CFT controls equivalent to traditional financial institutions, including CDD and transaction monitoring.

Common AML compliance mistakes at small firms

AML compliance programme checklist

Use this checklist to assess your current AML programme. Every item marked "no" is a gap that requires remediation.

Firm-wide risk assessment documented: You have a written risk assessment that analyses your firm's exposure to money laundering and terrorist financing risk, covering client types, geographic exposure, products/services, and delivery channels. It has been reviewed within the last 12 months.
MLRO (or nominated officer) appointed: A named, qualified individual holds the MLRO role and has the authority, resource, and access to information needed to discharge it. Their appointment is documented and they have received appropriate training.
AML policies and procedures written and current: Your policies cover CDD, EDD, PEP screening, beneficial ownership, transaction monitoring, internal reporting, SAR filing, record keeping, and training. They have been reviewed against current regulations within the last 12 months.
Client risk rating applied to all clients: Every client has a documented risk rating (at minimum: low, medium, high) based on defined criteria. The rating drives the intensity of due diligence applied. Risk ratings are reviewed at defined intervals and upon material changes.
Identity verification completed for all active clients: All current clients have been through compliant identity verification. Clients onboarded before current standards were introduced have been reviewed and, where necessary, re-verified.
Beneficial ownership identified and verified: For all entity clients, the UBO has been identified and their identity verified against independent sources. Complex structures have been documented and risk-assessed.
PEP and sanctions screening in place: All clients are screened at onboarding and on an ongoing basis against PEP lists, sanctions lists (OFAC, UN, EU, HMT, and relevant national lists), and adverse media. Screening uses a reputable, regularly updated provider.
Transaction monitoring process defined: You have documented criteria for what constitutes an unusual or suspicious transaction, a defined escalation path for flags, and a process for the MLRO to review and document the outcome of each review.
SAR process documented and tested: Your MLRO knows how to file a SAR in your jurisdiction, has access to the relevant filing system, and the filing process has been tested. Staff know who to report suspicions to and how.
Records retained for five years: All CDD records, transaction records, internal reports, and SARs are retained for at least five years and are retrievable on demand. Retention is managed in a system with audit logging.
All relevant staff trained annually: Training records exist for all client-facing and transaction-handling staff. Training covers recognition of suspicious activity, internal reporting procedures, and personal liability. Records are current within the last 12 months.
Independent audit or review conducted: Your AML programme has been reviewed by an independent party (internal audit, external compliance consultant, or equivalent) within the last two years. Findings have been addressed.

Frequently asked questions

Do we need an MLRO if we are a small firm with fewer than 10 people?

Yes, if your firm is a regulated entity with AML obligations. The obligation to appoint a nominated officer (the equivalent of an MLRO) applies regardless of firm size. In a very small firm, the MLRO role is often held by the managing partner, principal, or a senior compliance professional on a part-time or consultant basis. What matters is that the role is formally appointed, documented, and resourced — not that it occupies a full-time position. Failing to appoint a nominated officer when required is itself a regulatory breach.

What is the difference between a SAR and a CTR (Currency Transaction Report)?

These are distinct reporting obligations. A SAR (Suspicious Activity Report) is filed when you suspect money laundering or terrorist financing — it is triggered by suspicion, regardless of transaction amount. A CTR (Currency Transaction Report), which exists primarily in the US context, is filed when a financial institution processes a cash transaction exceeding $10,000 on a single business day. CTRs are mandatory threshold-based reports; SARs are suspicion-based reports. Non-financial firms subject to AML obligations are typically only required to file SARs, not CTRs — but you should confirm your specific obligations with legal counsel.

Can we use a client's company filing at the company registry as evidence of beneficial ownership?

Company registry filings provide a useful starting point but are not sufficient as standalone evidence of beneficial ownership. Registries often contain outdated information, rely on self-reporting, and may not cover all jurisdictions in a complex structure. You should cross-reference registry data with other independent sources — constitutional documents, shareholder agreements, bank letters of introduction, or certified declarations from a qualified professional in the relevant jurisdiction. For higher-risk structures or high-value relationships, additional verification steps such as company searches in multiple jurisdictions may be appropriate.

We sometimes act for clients urgently and need to start work before completing full CDD. Is this permitted?

Most AML frameworks include a provision for exceptions where it is necessary to complete a transaction urgently and it is not reasonably practicable to complete CDD beforehand. However, this is a narrow exception with strict conditions: you must complete CDD as soon as practicable after the transaction, the exception must be documented and approved by the MLRO, and you must assess whether the circumstances of the exception themselves are suspicious. If you routinely rely on this exception rather than building CDD into your standard intake process, you are operating outside the spirit and, in many cases, the letter of the law.

How frequently should we review existing client CDD?

Your AML policies must define a review cycle for existing client CDD. The minimum review trigger should be any material change in the client's circumstances (change of ownership, new jurisdiction, new transaction type, or any event that changes their risk profile). In addition, you should conduct periodic reviews on a risk-tiered basis: at least annually for high-risk clients; every two to three years for medium-risk clients; at least every five years for low-risk clients. PEP status must be checked on every new transaction and at regular intervals, regardless of the general review cycle.

What are the penalties for AML non-compliance?

Penalties vary by jurisdiction but are severe. In the US, BSA violations can result in civil money penalties of up to $1 million per violation per day and criminal penalties of up to $500,000 per violation plus imprisonment. In the UK, the FCA can impose unlimited financial penalties and withdraw authorisation; criminal conviction for money laundering offences carries up to 14 years imprisonment. EU AMLD6 sets a minimum four-year custodial sentence for money laundering offences and introduces direct criminal liability for senior managers. Beyond legal penalties, AML failures damage firm reputation, professional standing, and insurance coverage in ways that can be more destructive than the fine itself.

Automate your AML compliance programme

HubSecure's Sentinel module provides integrated AML screening, CDD workflow management, SAR tracking, and audit-ready record keeping — built for small and mid-sized regulated firms that need enterprise-grade compliance without the enterprise overhead.

Book a demo

Reviewed for regulated teams

Prepared by the HubSecure editorial team for MLROs, compliance officers, and senior partners at law firms, accounting practices, and financial services firms. This guide is for informational purposes and does not constitute legal advice. Consult qualified legal counsel for advice specific to your jurisdiction and circumstances.

Authors · Reviewers · Editorial policy

Next useful pages

Continue the compliance evaluation

These links connect this page to the most relevant compliance, onboarding, and screening pages.

AML & KYC sentinelcompliance CRMsecure document collectionclient onboarding softwareguides
Canonical hubs

Source-of-truth pages for this topic

These hub pages tell buyers and search engines how this page fits into the wider HubSecure information architecture.

Recommended next step

Continue the evaluation path

The next step for a firm building or reviewing its AML programme is to see how HubSecure's Sentinel module handles screening, CDD workflows, and SAR tracking in a live environment.