- AML compliance applies to any firm that handles client money, provides financial, legal, or accounting services, or transacts in high-value goods above threshold amounts
- The 5 pillars are: firm-wide risk assessment, customer due diligence, transaction monitoring, SAR filing, and staff training — all five are mandatory, none can be delegated away
- CDD applies to all clients; EDD is mandatory for high-risk clients, PEPs, and complex ownership structures; SDD is a limited exception, not the default
- SARs must be filed within 30 days of a suspicion forming — the clock starts the moment you have grounds for suspicion, not when you complete your investigation
- EU AMLD6 introduces broader predicate offences, criminal liability for senior managers, and new cross-border cooperation rules — effective for EU firms in 2026
- FinCEN's beneficial ownership rule now requires US entities to report UBO data to a central registry — due diligence on US counterparties must account for this
What AML compliance means and who it applies to
Anti-money laundering (AML) compliance is the set of legal obligations that require regulated businesses to detect, prevent, and report money laundering and terrorist financing. It is not a voluntary framework or a best-practice standard — it is a statutory requirement backed by criminal penalties for non-compliance.
Money laundering is the process by which criminals disguise the origin of illicit funds by moving them through legitimate businesses and financial institutions. Terrorist financing is the related crime of channelling funds — sometimes from entirely legitimate sources — to support terrorism. AML obligations target both.
Who is subject to AML obligations? The scope varies by jurisdiction but consistently covers:
- Financial institutions: banks, credit unions, payment service providers, money service businesses, crypto asset service providers, insurers, and investment firms
- Legal professionals: law firms and solicitors when handling client money, real estate transactions, company formations, or trust structures
- Accounting and tax professionals: accountants, auditors, tax advisers, and insolvency practitioners when handling financial transactions on behalf of clients
- Real estate agents: when acting in transactions above threshold values
- High-value dealers: businesses that accept cash payments above €10,000 (EU) or equivalent thresholds in other jurisdictions
- Trust and company service providers: firms that form companies, serve as registered agents, or provide nominee directors or shareholders
If your firm falls into any of these categories — or if you are uncertain whether it does — you should obtain legal advice specific to your jurisdiction. Operating without an AML programme when one is required is not a technical compliance gap; it is a criminal exposure for the firm and potentially for individual senior managers.
Small firm myth: Many partners and directors at small firms believe AML obligations are primarily for large banks. This is incorrect. Regulatory enforcement actions against small law firms, accounting practices, and independent financial advisers have increased significantly since 2022. Regulators have explicitly stated that firm size is not a mitigating factor in the assessment of AML programme adequacy.
The 5 pillars of an AML programme
A compliant AML programme is built on five interdependent pillars. Weakness in any one pillar undermines the entire programme. Regulators assess all five during inspections, and deficiencies in any pillar can result in enforcement action regardless of the firm's performance on the others.
A documented analysis of the money laundering and terrorist financing risks specific to your firm — considering your client types, geographic exposure, delivery channels, products and services, and transaction volumes. This assessment drives everything else: it determines how much resource you allocate, where your controls focus, and what your risk appetite is.
Know Your Customer processes applied before and during the client relationship. Includes identity verification, beneficial ownership identification, understanding the nature and purpose of the relationship, and ongoing monitoring. The depth of due diligence varies by risk — standard, enhanced, or simplified.
Ongoing scrutiny of client transactions to detect patterns or anomalies that are inconsistent with the expected profile of the client or the stated nature of the relationship. Must be systematic, documented, and must generate actionable alerts rather than producing noise that gets ignored.
The legal obligation to file a Suspicious Activity Report (or Suspicious Transaction Report in some jurisdictions) when you know, suspect, or have reasonable grounds to suspect that a person is engaged in money laundering or terrorist financing. Failure to file is a criminal offence. Filing must not be preceded by tipping off the subject.
All staff with client-facing or transaction-handling roles must receive AML training appropriate to their role. Training must cover how to recognise suspicious activity, the firm's internal reporting procedures, and the personal criminal liability for failing to report. Training must be documented and refreshed at least annually.
The risk-based approach explained
The risk-based approach (RBA) is the foundational principle of modern AML compliance, endorsed by FATF and embedded in every major AML framework including the EU's AMLD series, the UK's Money Laundering Regulations, and FinCEN's BSA rules. It means that the intensity of your AML controls should be proportionate to the level of risk — higher for higher-risk clients and transactions, lower for genuinely lower-risk situations.
The RBA is not a licence to do less. It is a framework for allocating your compliance resource intelligently. A firm that applies exactly the same level of due diligence to a long-established domestic retail client and to a new offshore corporate entity in a high-risk jurisdiction is not following the RBA — it is ignoring risk signals on the offshore client while wasting time on the retail client.
Implementing the RBA requires three things:
- A firm-wide risk assessment that identifies the inherent risks in your business model and client base
- Client risk ratings that classify each client (and each transaction) according to the risk factors present — and that are reviewed and updated as circumstances change
- Risk-proportionate controls that apply CDD, transaction monitoring, and reporting intensity in proportion to the risk rating
Common misapplication: Some firms use the RBA to justify minimal due diligence on the bulk of their clients, on the basis that "most clients are low risk." This is a regulatory red flag. The RBA requires you to demonstrate that your risk assessment is substantive and current — not that you have found a reason to do less. Regulators look specifically for evidence that your risk assessment is genuinely driving your control framework, not just providing cover for under-investment in compliance.
CDD, EDD, and SDD: knowing which applies and when
Customer due diligence (CDD) is the umbrella term for the identity and risk verification processes you apply to clients. Within CDD, three tiers of intensity apply depending on the risk level of the client and the relationship.
Standard CDD
Standard CDD applies to all clients in the absence of risk factors that would require enhanced measures or justify simplified measures. Standard CDD requires you to:
- Verify the client's identity using reliable, independent source documents — for individuals, a government-issued photo ID plus proof of address; for entities, company registry verification, articles of association, and identity verification of directors and authorised signatories
- Identify and verify the beneficial owner(s) — any individual who owns or controls more than 25% of the entity (10% in some high-risk contexts)
- Understand the nature and purpose of the intended business relationship
- Conduct ongoing monitoring of the relationship and keep records up to date
Enhanced Due Diligence (EDD)
Enhanced Due Diligence is mandatory when you identify higher risk factors. EDD must be applied — it is not discretionary — when:
- The client is a Politically Exposed Person (PEP) or a close associate or family member of a PEP
- The client or the beneficial owner is resident in or connected to a high-risk third country as designated by FATF, the EU, FinCEN, or your national authority
- The transaction involves correspondent banking or similar high-risk relationships
- The client's ownership structure is complex, opaque, or involves jurisdictions known for nominee arrangements
- The source of funds or source of wealth cannot be adequately explained and verified through standard means
- The nature of the business relationship presents unusual risk features identified through your risk assessment
EDD is not a single additional step — it is a qualitatively different level of scrutiny. It typically includes independent verification of source of funds and source of wealth, senior management approval for the relationship, enhanced ongoing monitoring, and more frequent review cycles. All EDD decisions and the evidence underlying them must be documented.
Simplified Due Diligence (SDD)
Simplified Due Diligence is a limited exception permitted in genuinely low-risk situations — not a default for any client you judge to be "routine." SDD is typically available for regulated financial institutions in equivalent jurisdictions, publicly listed companies on recognised exchanges, and government entities. Even where SDD is applied, you must still verify the client's identity — you simply apply a reduced level of scrutiny to the ongoing monitoring.
Documentation rule: Whatever tier of due diligence you apply, you must be able to demonstrate that you made a conscious, documented decision to apply that tier — and the risk factors that supported the decision. An undocumented CDD process is, from a regulatory perspective, the same as no CDD process. The records are the compliance.
PEP screening and beneficial ownership (UBO)
Politically Exposed Persons
A Politically Exposed Person is an individual who holds or has held a prominent public function — heads of state, government ministers, members of parliament, senior judiciary, senior military officers, senior state enterprise executives, and ambassadors — together with their immediate family members and known close associates. The PEP classification exists because public positions of power create opportunities and temptations for corruption, bribery, and the misappropriation of public funds.
PEP screening is not optional. You must screen all clients against PEP lists at onboarding and throughout the relationship. A client who was not a PEP when you onboarded them may become one if they enter public office. An individual who was a PEP retains that status for at least 12 months after leaving the position (many jurisdictions apply longer periods for higher-risk roles).
When a client screens as a PEP, you must apply EDD. You must obtain senior management approval to enter into or continue the business relationship. You must verify the source of wealth and source of funds through independent means. And you must conduct enhanced ongoing monitoring. Simply noting the PEP status and continuing as normal is not compliance — it is a documented admission that you failed to apply the required controls.
Beneficial Ownership and UBO Identification
The beneficial owner is the natural person who ultimately owns or controls the client entity — the human being behind the corporate structure, regardless of how many layers of holding companies, trusts, or nominees sit between them and the entity you are dealing with.
Identifying the UBO is frequently the hardest part of CDD for small firms, because many clients — particularly those in professional services or with cross-border activities — have ownership structures that are deliberately or legitimately complex. Your obligations are:
- Identify all natural persons who own or control more than 25% of the entity (or apply a lower threshold if your risk assessment requires it)
- Verify their identity using reliable, independent sources
- If no natural person is identified at the 25% threshold (which can happen with widely-held structures), identify the senior managing official and treat them as the beneficial owner for CDD purposes
- Document the ownership chain, including any trust structures, nominee arrangements, or complex holding structures — and flag these as risk factors that may require EDD
The FinCEN beneficial ownership rule (effective January 2024, with enforcement progressively tightening in 2025–2026) requires most US legal entities to file beneficial ownership information with a central FinCEN registry. When conducting CDD on US corporate counterparties, you can cross-reference this registry — but registry data supplements your own verification rather than replacing it.
Transaction monitoring: what it is and what triggers a review
Transaction monitoring is the ongoing scrutiny of client transactions during the business relationship to ensure they are consistent with your knowledge of the client — their business, their source of funds, their stated purpose for the relationship, and their expected transaction patterns. It is not a one-time check at onboarding. It is a continuous obligation.
For many small regulated firms, transaction monitoring is the least well-implemented pillar. Onboarding processes have improved significantly over the last five years; transaction monitoring has not kept pace. The most common failure mode is "monitoring" that consists of a fee earner occasionally glancing at a client's activity with no structured criteria, no documented triggers, and no escalation path.
Transaction monitoring triggers that require investigation:
- Transactions that are inconsistent with the client's stated business or expected financial profile
- Transactions that are unusually large relative to historical patterns without explanation
- Structuring — multiple transactions just below reporting thresholds that appear to be designed to avoid triggering controls
- Round-number transactions, particularly where the amounts are atypical for the nature of the business
- Funds arriving from or being sent to jurisdictions that are inconsistent with the client's profile
- Requests for unusual payment methods — cash, crypto, third-party payments, or payments through multiple intermediaries
- Explanations for transactions that are implausible, inconsistent, or unsupported by documentary evidence
- Clients who are unwilling to provide information or who provide information that cannot be verified
- Sudden changes in client behaviour, volume, or transaction type without a credible business explanation
When a trigger is identified, the firm's MLRO or nominated officer must review the situation, make a documented judgment about whether suspicion has been formed, and if so, file a SAR. The review itself must be documented — even if the conclusion is that no suspicion exists and no SAR is required.
| Risk Indicator | Why It Matters | Your Response |
|---|---|---|
| Structuring below thresholds | Classic money laundering technique to avoid mandatory reporting | Internal review by MLRO; likely SAR required |
| Third-party payments | Obscures true source of funds | Request written explanation; EDD on third party |
| Cash-heavy transactions | Cash is hardest to trace; preferred by launderers | Source of cash documentation; escalate if unexplained |
| Rapid movement of funds | Layering technique — move funds before detection | Pause transaction if possible; urgent MLRO review |
| Inconsistent wealth claims | Client's stated wealth doesn't match transaction volume | Source of wealth verification; EDD if unresolvable |
SAR filing: process, timeline, and what happens next
A Suspicious Activity Report (SAR) is a formal report filed with your jurisdiction's financial intelligence unit (FIU) when you know, suspect, or have reasonable grounds to suspect that a person is engaged in money laundering or terrorist financing. Filing a SAR is a legal obligation, not a discretionary escalation. Failure to file when the threshold is met is a criminal offence.
The suspicion threshold
The threshold for filing a SAR is suspicion — not certainty, not proof, and not a completed investigation. The moment you have reasonable grounds to suspect that criminal activity is occurring, your obligation to file is engaged. You do not need to complete an investigation before filing. You do not need to wait until you are sure. Suspicion is a lower standard than belief, and belief is a lower standard than certainty. If you are asking yourself "should I file a SAR?", the answer is almost always yes.
The filing process
The process varies by jurisdiction, but the standard flow is:
- Flag raised: A fee earner, compliance officer, or monitoring system identifies a potential issue and reports it to the MLRO (or nominated officer)
- MLRO review: The MLRO reviews the internal report and the underlying evidence, makes a documented judgment about whether suspicion exists, and decides whether to file
- SAR submission: If suspicion exists, the MLRO files the SAR with the relevant FIU — FinCEN in the US (via the BSA E-Filing System), the National Crime Agency in the UK, the relevant national FIU in EU member states
- Consent (if required): In some jurisdictions (notably the UK), if you are about to undertake a transaction that is the subject of a SAR, you may need to request consent from the FIU before proceeding. This is the "defence against money laundering" (DAML) consent regime
- Record keeping: The SAR, the internal report, and all supporting documentation must be retained for a minimum of five years
Timeline obligations
The filing deadline varies by jurisdiction. In the US, SARs must be filed within 30 calendar days of the date a suspicious transaction was detected, with a 60-day extension permissible when no subject is identified. In the UK, there is no statutory filing deadline but the obligation is engaged "as soon as practicable." In EU member states, obligations vary but urgency is expected when the suspicion relates to terrorist financing.
Tipping off: It is a criminal offence to disclose to a client, or to any person the subject of a SAR, that a SAR has been filed or that an investigation is underway. This prohibition on "tipping off" applies even if the client directly asks whether you have filed a SAR. You are permitted to decline to answer on legal privilege grounds, or to indicate that you cannot discuss the matter. You cannot confirm or deny the filing.
Record keeping requirements and training obligations
Record keeping
AML records must be retained for a minimum of five years from the end of the business relationship or the date of the transaction — whichever is later. The five-year requirement applies universally across FATF member jurisdictions, though some require longer periods (seven years in certain EU member states and for specific transaction types).
Records that must be retained include:
- All customer due diligence information and documents — ID documents, proof of address, beneficial ownership analysis, risk assessments
- All transaction records sufficient to reconstruct each transaction
- All internal AML reports submitted to the MLRO, whether or not they resulted in a SAR filing
- All SARs filed, together with supporting documentation
- Evidence of all AML screening results, including the database version and date screened
- Records of all EDD decisions, including senior management approvals
- Training records, including who was trained, when, and on what content
Records must be stored securely and must be retrievable on demand for regulatory inspection. Physical records stored in filing cabinets are technically compliant but create significant operational risk. Records should be stored in a system that provides audit logging of access, version control, and the ability to export on demand.
Training obligations
Every member of staff with a role that is relevant to AML compliance — client-facing roles, transaction-handling roles, and supervisory roles — must receive AML training. Training must cover:
- The legal framework and the firm's obligations
- How to recognise suspicious activity in the context of their specific role
- The firm's internal reporting procedures — who to report to, how, and within what timeframe
- The personal criminal liability for failing to report, and for tipping off
- Updates on emerging typologies and any changes in regulatory requirements
Training must be documented and must be refreshed at least annually. It must also be refreshed whenever there are material changes to the regulatory framework, the firm's risk profile, or the firm's AML policies and procedures. Generic e-learning alone is often insufficient — regulators increasingly expect training to be tailored to the specific risks in the firm's sector and client base.
Regulatory bodies and 2026 changes
Key regulatory bodies
- FATF (Financial Action Task Force): The global standard-setter for AML/CFT. FATF's 40 Recommendations define the framework that national laws implement. FATF mutual evaluations assess compliance country by country and grey-listing a jurisdiction signals significant risk to all counterparties dealing with it.
- FinCEN (Financial Crimes Enforcement Network): The US FIU and AML regulator. Administers the Bank Secrecy Act (BSA), issues regulations and guidance, and receives SARs and CTRs from US obligated entities.
- FCA (Financial Conduct Authority): The UK's primary AML supervisor for financial services firms. The FCA has significantly increased AML enforcement activity since 2022, with fines exceeding £50 million in some individual cases.
- AMLA (EU Anti-Money Laundering Authority): The new EU-level AML supervisor established under AMLD6, operational from 2025–2026. Will directly supervise the highest-risk financial institutions across the EU and coordinate national supervisors.
2026 regulatory changes
EU AMLD6 (Sixth Anti-Money Laundering Directive): AMLD6 extends the list of predicate offences for money laundering (the crimes whose proceeds can be laundered) to include cybercrime, environmental crime, and tax crimes. Critically, it introduces explicit criminal liability for senior managers of obligated entities who fail to prevent money laundering through inadequate AML programmes. The minimum custodial sentence for money laundering offences is set at four years. Member states were required to implement AMLD6 into national law, with the new AMLA framework adding EU-level oversight from 2025 onward.
FinCEN Beneficial Ownership Rule: The Corporate Transparency Act's beneficial ownership reporting requirements, administered by FinCEN, require most US legal entities to file UBO information with a central FinCEN registry. The registry is not publicly accessible, but law enforcement and, in limited circumstances, financial institutions conducting due diligence can access it. For firms conducting CDD on US corporate counterparties, the registry provides a new verification resource — but it supplements, rather than replaces, your own verification obligations.
EU Regulation on Transfers of Funds: New rules extending information requirements to crypto-asset transfers took effect in 2024 and are being enforced with increasing rigour in 2026. Crypto asset service providers subject to EU regulation must apply AML/CFT controls equivalent to traditional financial institutions, including CDD and transaction monitoring.
Common AML compliance mistakes at small firms
- No documented firm-wide risk assessment: Many small firms have informal awareness of their risks but no written risk assessment. Regulators treat the absence of a documented risk assessment as a fundamental failure of the AML programme — it removes the evidential basis for every other control decision.
- CDD treated as a one-time onboarding task: CDD is a continuous obligation. Client risk profiles change. Beneficial ownership changes. Circumstances change. A client screened at onboarding five years ago with no subsequent review is, from a compliance perspective, essentially unmonitored.
- PEP screening done manually against incomplete lists: Manual PEP screening using a single database is inadequate. PEP lists are not standardised — different providers cover different individuals and apply different criteria. Screening must use a reputable, regularly updated provider and must cover PEP lists, sanctions lists, and adverse media.
- SAR decisions not documented: The MLRO's decision not to file a SAR is as important to document as the decision to file one. If a transaction is investigated and concluded not to be suspicious, that conclusion — and the reasoning behind it — must be recorded. Without it, you cannot demonstrate the robustness of your process.
- Training records not maintained: Many firms train staff but fail to keep records of who was trained, when, what content was covered, and whether the staff member completed it. Without records, the training effectively did not happen from a regulatory perspective.
- Relying on clients to self-certify their UBO: Client-provided beneficial ownership declarations must be verified against independent sources. A client who says they own 30% of an entity and is not a PEP is telling you what you want to hear — your obligation is to verify it, not to accept it.
AML compliance programme checklist
Use this checklist to assess your current AML programme. Every item marked "no" is a gap that requires remediation.
Frequently asked questions
Do we need an MLRO if we are a small firm with fewer than 10 people?
Yes, if your firm is a regulated entity with AML obligations. The obligation to appoint a nominated officer (the equivalent of an MLRO) applies regardless of firm size. In a very small firm, the MLRO role is often held by the managing partner, principal, or a senior compliance professional on a part-time or consultant basis. What matters is that the role is formally appointed, documented, and resourced — not that it occupies a full-time position. Failing to appoint a nominated officer when required is itself a regulatory breach.
What is the difference between a SAR and a CTR (Currency Transaction Report)?
These are distinct reporting obligations. A SAR (Suspicious Activity Report) is filed when you suspect money laundering or terrorist financing — it is triggered by suspicion, regardless of transaction amount. A CTR (Currency Transaction Report), which exists primarily in the US context, is filed when a financial institution processes a cash transaction exceeding $10,000 on a single business day. CTRs are mandatory threshold-based reports; SARs are suspicion-based reports. Non-financial firms subject to AML obligations are typically only required to file SARs, not CTRs — but you should confirm your specific obligations with legal counsel.
Can we use a client's company filing at the company registry as evidence of beneficial ownership?
Company registry filings provide a useful starting point but are not sufficient as standalone evidence of beneficial ownership. Registries often contain outdated information, rely on self-reporting, and may not cover all jurisdictions in a complex structure. You should cross-reference registry data with other independent sources — constitutional documents, shareholder agreements, bank letters of introduction, or certified declarations from a qualified professional in the relevant jurisdiction. For higher-risk structures or high-value relationships, additional verification steps such as company searches in multiple jurisdictions may be appropriate.
We sometimes act for clients urgently and need to start work before completing full CDD. Is this permitted?
Most AML frameworks include a provision for exceptions where it is necessary to complete a transaction urgently and it is not reasonably practicable to complete CDD beforehand. However, this is a narrow exception with strict conditions: you must complete CDD as soon as practicable after the transaction, the exception must be documented and approved by the MLRO, and you must assess whether the circumstances of the exception themselves are suspicious. If you routinely rely on this exception rather than building CDD into your standard intake process, you are operating outside the spirit and, in many cases, the letter of the law.
How frequently should we review existing client CDD?
Your AML policies must define a review cycle for existing client CDD. The minimum review trigger should be any material change in the client's circumstances (change of ownership, new jurisdiction, new transaction type, or any event that changes their risk profile). In addition, you should conduct periodic reviews on a risk-tiered basis: at least annually for high-risk clients; every two to three years for medium-risk clients; at least every five years for low-risk clients. PEP status must be checked on every new transaction and at regular intervals, regardless of the general review cycle.
What are the penalties for AML non-compliance?
Penalties vary by jurisdiction but are severe. In the US, BSA violations can result in civil money penalties of up to $1 million per violation per day and criminal penalties of up to $500,000 per violation plus imprisonment. In the UK, the FCA can impose unlimited financial penalties and withdraw authorisation; criminal conviction for money laundering offences carries up to 14 years imprisonment. EU AMLD6 sets a minimum four-year custodial sentence for money laundering offences and introduces direct criminal liability for senior managers. Beyond legal penalties, AML failures damage firm reputation, professional standing, and insurance coverage in ways that can be more destructive than the fine itself.
Automate your AML compliance programme
HubSecure's Sentinel module provides integrated AML screening, CDD workflow management, SAR tracking, and audit-ready record keeping — built for small and mid-sized regulated firms that need enterprise-grade compliance without the enterprise overhead.
Book a demoReviewed for regulated teams
Prepared by the HubSecure editorial team for MLROs, compliance officers, and senior partners at law firms, accounting practices, and financial services firms. This guide is for informational purposes and does not constitute legal advice. Consult qualified legal counsel for advice specific to your jurisdiction and circumstances.