Don’t let the title fool you. Establishing a comprehensive AML Programme may involve “Five Steps” – but the steps are giant. We’ll break them down, but each area is time-consuming and takes a focused mindset.
We don’t suggest holding someone new to the AML profession solely responsible for implementing an AML Programme. Senior Management needs to understand that there are significant financial and reputational risk exposures if you have an underdeveloped AML Programme. Seek the input of an experienced advisor rather than trying to build a programme alone if you don’t have the experience.
Background
Because money laundering and terrorist financing are global problems that require global cooperation to combat,
an international agency called the Financial Action Task Force (FATF) has provided recommendations that
countries must apply in their legislative framework. These recommendations are known as the FATF 40+
Recommendations.
Allowing each country to draft its laws to meet the FATF 40+ Recommendations enables local governments to
consider their specific regional economic risks, resources, and objectives.
You’ll often read about using a “risk-based approach” to implementing these recommendations. The risk-based
approach takes away the need for everyone to follow the same prescriptive rules, and instead allows for the
effective use of resources by those impacted by the regulations.
Typically, these local laws and regulations are called Anti-Money Laundering (AML) laws. However, ancillary
legislation and guidance publications work together to guide a good AML programme in many countries.
The first step in establishing a good AML Programme is knowing the FATF 40+ Recommendations and ensuring
that you understand the AML laws, along with any industry-specific regulations or guidance that apply to your
business. Your local industry associations may also issue best practices.
Step 1:
Review Corporate Governance roles and responsibilities. Determine who is
accountable for the AML compliance programme. Furthermore, choose the
individuals that will be the Compliance Officer, the Money Laundering Reporting
Officer, and which Board Members will oversee AML compliance from a high level.
Detail the frequency of reports to the Board, along with the information contained
in those reports. Detail the number of meetings held, any review or escalation
committees, and the coverage of duties, such as who will review potential sanctions
hits or reviews.
Also, keep in mind – only employ and appoint persons who are fit and proper for
these roles. Your regulator may even require their approval or, at the very least,
notification of appointments to these specific functions.
Step 2:
Conduct a Business Risk Assessment. Perform this assessment on your entire
organisation and local operations. Review every product/service you provide in all
regions to all types of customers/clients.
Larger organisations need to ensure the person(s) performing the Business Risk
Assessment has access to all divisions and departments. This way, they can obtain
information on the products/services offered – like how they are used, who uses
them, and why. Accounting teams will need to provide information on the
client/customer portfolio, including where they reside and how they pay (wire
transfers, cash, checks, bitcoin). The assessor may also require extra support,
depending on your organisation.
Step 3:
1. Client Due Diligence (CDD) – what you require as standard due diligence
measures.
2. Risk Assessment Procedures – what factors you consider when
performing the risk assessment, and how you can tell if a
client/customer is at higher risk for money laundering or terrorist
financing.
3. Enhanced Due Diligence (EDD) Requirements – the additional steps you
take when identifying higher risk clients/customers.
4. Sanction Screening and Politically Exposed Persons Review procedures –
which sanctions lists you check, how you check, how often (if not
automated), and how you identify potential PEPs.
5. Escalation Procedures for Higher-Risk clients/customers – who in Senior
Management will review higher risk clients/customers and approve
acceptance.
● Ongoing Monitoring – how frequently you review all
clients/customers, and procedures taken during the review.
● Suspicious Transaction/Activity Reporting – how to report, to
whom you report, how to avoid tipping-off, what to expect
when you report.
● Record Retention – how long you retain all related
compliance documentation and the procedures for
destroying any documentation.
● AML Awareness Training of Staff – how frequently, who
provides, what constitutes AML training.
● Any other internal controls that apply to your industry or
business.
Step 4:
Consider whether your firm requires supporting policies and procedures.
The main difference between policies and procedures is that a policy
defines the rules, and the procedures provide a step-by-step guide on
the execution of that policy. For example, you may need a procedure
manual on the different data information systems (e.g., compliance and
accounting systems).
There is a time and a place for each. But first, draft the policies. They
provide expectations and directions for staff. The procedures are
essential for unique applications, and they also highlight places where
there could be exceptions to the policy.
Step 5:
Review your AML programme – from your business risk
assessment to any procedures – at minimum once a year. Bring
forward the review during certain trigger events such as
implementing new systems, staff changes, role and responsibility
changes (e.g., annual promotions), when new products/services
are rolled out or no longer offered, or if there are regulatory
changes.
Never assume that nothing has changed. You should review the
entire programme and its supporting documents.
Additional Considerations:
Depending on the size of your organisation, a policy writer could
be a full-time job. If you rely on staff with additional
responsibilities, allow them to block out a week (or more) each
year to focus entirely on the review of the AML programme. The
business risk assessment alone could take several days of
reviewing your client/customer data and getting an
understanding of all products/services you provide to ensure a
thorough understanding of money laundering and terrorist
financing risk.
www.silocompliance.com
Do you have any questions?
kimberly@silocompliance.com
+1(501) 422-8030
THANKS!