For the accountancy sector, AML compliance isn’t a “set it and forget it” task. Regulations change. Criminal strategies evolve. Supervisors raise the bar, year after year.
If your AML policies, controls and procedures haven’t kept pace, your firm could be exposed without you even knowing it.
Here are six questions to help you find out if your AML policies, controls and procedures actually up to date?
1. Have you reviewed them in the last 12 months?
If your written AML policies, controls and procedures haven’t been formally reviewed in the past year, they’re out of date.
The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (The Regulations) require a regular review to ensure these documents stay relevant to the risks your firm faces. Most supervisors expect a minimum annual review—even if you think nothing has changed.
If your PCPs haven’t been reviewed, it suggests:
- you might be missing key updates to regulation or guidance.
- your controls may no longer match your actual risk profile.
- you could be breaching your obligations under Regulations 19 and 20.
How to get up-to-date: Set a formal review schedule. Assign responsibility and document each review. If you’re using AMLCC, it flags review dates for you and provides the tools to guide updates.
2. Are your AML policies, controls and procedures based on a template?
If your AML framework is a slightly edited template, filled with vague roles and generic content, it won’t reflect your business—and it won’t stand up to scrutiny.
Supervisors are clear: your policies must be tailored to your firm. That means they should reflect:
- the services you offer and your typical client types.
- how you deliver those services (in person, remotely, via intermediaries).
- where your clients are based.
- the structure and experience of your team.
- the operational realities of how your firm runs.
How to get up-to-date: Rebuild or refine your AML policies, controls and procedures to match your firm’s actual risk.
3. Are they aligned with your business-wide risk assessment?
Even when business-wide risk assessments are regularly updated, it’s common for AML policies, controls and procedures to be left behind. Your PCPs should clearly explain how your firm identifies, assesses and mitigates the risks highlighted in your business-wide risk assessment.
If you’ve started offering new services, dealing with more complex clients, or operating across borders, those risks must be reflected in your documented controls and procedures. Supervisors expect to see a live connection between your business-wide risk assessment and your PCPs.
How to get up-to-date: Revisit your AML policies, controls and procedures every time your business-wide risk assessment changes. AMLCC helps you link your PCPs directly to your business-wide risk assessment, so the content stays practical and up to date
4. Do they reflect today’s digital and remote working risks?
If your PCPs were written when most client interactions were face-to-face, they’re probably missing key threats. Today’s AML risks increasingly stem from digital environments—think deepfakes and spoofed documents. If your firm uses cloud platforms, e-signatures or digital onboarding tools, your AML controls need to reflect that.
Red flags include:
- No guidance on remote identity verification
- No reference to cyber risk or digital CDD procedures
- No policies for online communications or digital record-keeping
How to get up-to-date: Update your risk assessment to account for digital processes, then ensure your AML PCPs cover those risks in full. AMLCC allows you to reflect modern working practices in your documented procedures, including secure remote onboarding.
5. Do your staff understand what’s in them?
This is where many firms fall short. Ask your team—particularly those handling client onboarding or compliance tasks—if they understand their responsibilities.
- Can they explain what the AML policies say?
- Do they know how to raise a suspicious activity report?
- Are they confident in the training they’ve received?
If not, your AML training and documentation may be ineffective. Regulation 21 of the Money Laundering Regulations requires all staff to be aware of your AML PCPs, understand them, and receive regular training tailored to their role.
How to get up-to-date: Make AML awareness a part of your culture. Use training that’s practical and role-specific. AMLCC provides built-in education tools and functionality that lets your staff acknowledge updates to AML policies, controls and procedures—so you’ve got clear evidence of understanding.
6. Have you tested whether they actually work?
A written AML framework is only effective if it holds up in real-world situations. When did you last run a mock audit, simulate a suspicious activity report, or test whether staff follow escalation procedures correctly?
Supervisors increasingly expect documented evidence of testing, especially through an annual AML audit. This can be internal or external, depending on the size and structure of your business. If internal, it should be led by a senior person not normally involved in day-to-day AML operations.
How to get up-to-date: Review a sample of client files, test training retention and simulate SARs. Record findings and use them to strengthen your AML controls. AMLCC gives you the tools to audit your AML policies, controls and procedures and demonstrate continuous improvement.
Why this matters now
If even one of these six questions gave you pause, now’s the time to take action.
AML enforcement in the UK has intensified. In 2023–24 alone, HMRC and professional body supervisors issued record fines for AML failures. These weren’t just for missing documentation—they were for AML frameworks that were poorly maintained, not followed in practice, or completely out of date.
Outdated AML policies, controls and procedures could lead to more than a fine. They could cost you your licence, damage your firm’s reputation, or lead to individual disciplinary action.
About Richard Simms
Richard Simms, Founder and Director of AMLCC, is a licensed insolvency practitioner, chartered accountant and a leading authority on anti-money laundering. He is a sought-after guest at accountancy and AML conferences worldwide due to his position at the pulse of changes in guidance and legislation that impact DNFBPs.
To see how AMLCC keeps your business fully AML compliant, visit amlcc.com
