AML Compliance Session Eight: Staff Training

AML Compliance · Session Eight of Nine

Staff Training

35 minute read UK · New Zealand · Australia PDF available below

Important note

This guide is for educational purposes only. It is not legal advice and is not a substitute for jurisdiction-specific professional counsel: legislation, regulation and regulatory guidance change. Always verify current requirements with a qualified adviser in your jurisdiction before relying on this material for compliance decisions.

Reviewed May 2026. This session is primarily UK-focused, with comparisons to New Zealand and Australia.

An AML framework is only as effective as the people who apply it. Policies and procedures that exist on paper but are not understood by front-line staff fail at the point where they matter most. The onboarding desk, the relationship manager's call, the transaction that does not quite add up: those are the moments the framework is meant to catch, and they belong to people, not documents.

Staff training is how a compliance programme is put into effect. It is also a legal requirement. This session explains what the training obligation requires, how to design training that changes behaviour, how to evidence it properly, and how the position compares in New Zealand and Australia.

Who this session is for. This session is for MLROs, compliance officers, onboarding teams, relationship managers, senior managers, and anyone else who designs, delivers, oversees, or relies on AML training in practice.

The legal obligation

What regulation 24 requires

Regulation 24 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 sets out the training obligation. A relevant person must take appropriate measures to ensure that relevant employees are made aware of the laws relating to money laundering, terrorist financing, and data protection as they relate to the Regulations. Relevant employees must also be regularly trained to recognise and address transactions and other activities or situations that may be related to money laundering or terrorist financing.

Two points matter here. First, the obligation applies to relevant employees, not just compliance staff or the MLRO. Anyone whose role brings them into contact with customers, transactions, or activities that might involve financial crime risk may be in scope. That will usually include front-line staff, onboarding teams, relationship managers, operations staff, and managers with oversight responsibility. Second, the obligation is ongoing. Regular training is not a one-off induction exercise.

The express reference to data protection is easy to miss, but it matters in practice. Staff handling identification documents, screening results, and internal reports need to understand both the AML purpose for collecting and using that information and the limits on its sharing or retention.

Who counts as a relevant employee

The obligation is not limited to those with a formal compliance title. Any employee whose role involves customer contact, transaction processing, onboarding, relationship management, or oversight of those functions is within scope.

This includes temporary staff, contractors and consultants whose work brings them into contact with the firm's AML obligations. It also applies across all levels: a new relationship manager and a senior partner both need training appropriate to their role.

The MLRO should maintain a clear picture of which roles are in scope, ensure training reaches all of them, and record who has been trained and when.

Regulation 21 and employee screening

Alongside the training obligation, regulation 21 requires firms to take appropriate measures to assess the skills, knowledge, conduct and integrity of employees whose work is relevant to compliance with the Regulations, both before appointment and during employment. That is broader than training alone. A firm should not simply deliver a module and assume the risk is covered. It should have a considered view on whether the people in relevant roles are fit to do the work properly.

In practice, that means building AML competence into recruitment, onboarding, supervision, and periodic assessment. A supervisor is unlikely to be persuaded by a list of names showing who completed an online module. The real question is whether the firm can show that staff understand the work, apply it properly, and are suitable for the roles they hold.

What training must cover

AML training should reflect the firm's actual risk profile, not a generic account of the law. If the content does not align with the risks staff face in their roles, it is unlikely to meet the regulatory standard or work well in practice.

With that principle in mind, the minimum content for any AML training programme should include:

What money laundering and terrorist financing are, how they work in practice, and why the AML framework exists. Staff who do not understand the controls' underlying purpose are less likely to apply them thoughtfully.
The relevant legislation and regulations, in particular those most directly applicable to the firm's business. This does not require every employee to be a legal expert, but it should give them a working understanding of their personal obligations and the consequences of failing to meet them.
The firm's specific risk exposure, including the customer types, products, services and geographies that carry the highest risk in the context of the firm's actual business.
The firm's internal policies and procedures, including how to apply the risk-based approach, how CDD works in practice, and what enhanced due diligence looks like in the context of the firm's customer base.
How to identify indicators of suspicious activity relevant to the employee's specific role and sector.
How to make an internal suspicious activity report: who the MLRO and deputy MLRO are, what the reporting process involves, and what protection is available to staff who report in good faith.
The tipping-off prohibition and what it means in practical terms for staff who may be asked questions by a customer about a delayed transaction or paused relationship.
Data protection obligations as they relate to the AML framework, including what customer information can and cannot be shared and with whom.

Training must be role-specific

Generic training delivered uniformly across an organisation is not adequate for a firm with a meaningful risk profile. A compliance analyst, a customer-facing relationship manager, and a senior manager each face different situations and need training tailored to their roles.

Current JMLSG guidance and the FCA Financial Crime Guide both point in the same direction. Training should reflect the firm's business, its risks, and the realities of the roles being trained. Supervisors regularly identify generic training as a weakness because it looks tidy on paper but does little to improve judgment in practice.

Practical scenario-based training, in which staff work through situations they might actually encounter, tends to be significantly more effective than abstract descriptions of the law. If staff leave a training session with a clearer sense of what to do differently tomorrow, the training has worked.

Designing a training programme that works

Frequency and timing

Training must be regular. What counts as regular depends on the firm's risk profile, staff turnover, and the pace at which the legal and operational picture changes.

Training should also be refreshed when something changes. That may be a new product or service, a revised risk assessment, a regulatory change, an audit finding, or a pattern in internal reporting that shows a gap in staff understanding.

Delivery methods

There is no single right way to deliver AML training. The best approach depends on the size of the firm, the scope of roles, and the risks staff face.

Online training modules that can be completed at the employee's own pace and generate a completion record. These are efficient for reaching large numbers of staff and produce the documentary evidence that regulators expect. They are less effective for complex topics or for staff who need to discuss ambiguous situations.
Face-to-face or virtual sessions led by the MLRO or a compliance professional. More resource-intensive but more effective for nuanced content, for senior staff who need to understand the reasoning behind controls, or for roles with particularly high exposure to financial crime risk.
Scenario-based workshops or case studies, where staff work through realistic situations they might encounter in their role. These tend to produce the strongest behaviour change because they make the learning concrete and specific.
Written materials, accessible on an intranet or shared drive, that staff can refer to when they encounter a situation in practice. Useful as a reference resource alongside formal training, though not a substitute for it.
Targeted updates delivered when the regulatory environment changes or when supervisory findings identify a specific gap. These do not replace regular training but sit alongside it.

Testing effectiveness

Completion is not the same as understanding. The real question is whether training changes what staff do in practice.

Practical ways to assess whether training is working include:

Knowledge assessments at the end of training modules, with a pass threshold that requires genuine engagement rather than clicking through.
Mystery shopping or scenario-based assessments, where staff are presented with a realistic situation and their response is evaluated.
Monitoring internal SAR rates and quality over time. A well-trained workforce should be filing more reports, and filing them with better information. A sudden drop in internal reports is often a sign that training has drifted out of contact with operational reality.
File review and compliance monitoring findings. If compliance monitoring consistently identifies CDD gaps in a particular team or function, that is a signal that training has not reached the right people or has not been effective for those it has reached.
Exit interviews and staff surveys, which can reveal whether the culture around reporting is healthy and whether staff feel confident applying the controls they have been trained on.

The culture test

Effective AML training is not just about knowledge transfer. It is about creating the conditions in which staff are willing to act on what they know.

A firm where front-line staff are reluctant to raise concerns because they fear the consequences for a client relationship, or where the MLRO is seen as a compliance obstacle rather than a resource, will not generate good internal reporting regardless of how well-designed the training is.

Senior management sets the tone. If leaders treat AML obligations as a cost of business to be minimised rather than a genuine responsibility, that attitude will filter through the organisation. Training can communicate the rules. It cannot, on its own, build a culture of compliance. That requires visible commitment from the top.

Record keeping for training

Regulation 24 requires firms to keep records of training. Those records should be sufficient to demonstrate, in a supervisory review or enforcement context, that training has taken place, that it was relevant to the employee's role, and that it covered the required content.

At a minimum, training records should document:

Who received training, identified by name and role.
When training was delivered.
What was covered, including the topics addressed and the format of delivery.
How completion or competency was verified, including any assessment results.
When training was last updated and what prompted any update.

Records must be easy to produce and easy to use. A spreadsheet on the MLRO's desktop that cannot be retrieved during a supervisory visit is not adequate in practice.

A common supervisory finding

Inadequate training records are among the most frequently identified weaknesses in AML supervisory reviews across all sectors. The typical failure is not that training did not happen, but that the records do not adequately demonstrate what happened, who was involved, and whether it was effective.

A supervisor reviewing a firm's training programme will want to see more than a list of online module completions. They will want to understand whether the training was appropriate to the firm's risk profile, whether it reached everyone it needed to reach, and whether there is any evidence that it made a difference to how staff operate in practice.

Training in New Zealand and Australia

New Zealand

In New Zealand, the training obligation sits within the AML/CFT programme required by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. Reporting entities must establish, maintain, and audit a written programme in accordance with their risk assessment. That programme must address employee vetting, employee training, and the measures the business uses to manage and mitigate AML/CFT risk.

The practical reference point is the joint supervisor guidance issued by the Department of Internal Affairs, the Financial Markets Authority, and the Reserve Bank of New Zealand. The AML/CFT Programme Guideline was updated in October 2024, and the supervisors have continued to publish guidance and statements alongside later regulatory changes.

The New Zealand legislation does not prescribe training content in the same level of detail as regulation 24 of the UK Regulations. The practical expectation remains clear: training should align with the reporting entity's risks, be relevant to each role, and be supported by records documenting what was delivered, to whom, and when.

Australia

In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 remains the primary legislation. The Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 now provide the detailed supporting framework, with the current version and related amendment instruments in force from 31 March 2026.

AUSTRAC's current framework expects reporting entities to include appropriate employee due diligence and employee training within their AML/CTF programme. The broad expectation is familiar: training must be ongoing, risk-based, and updated when the business, its services, or the law changes. Records should be sufficient to demonstrate both delivery and effective oversight.

For businesses brought into scope by Australia's recent reforms, implementation dates matter. Many updated requirements for existing reporting entities took effect on 31 March 2026, while newly regulated tranche two sectors face later commencement points in 2026. In practice, firms should work from the current Act, the current Rules, any transitional instruments, and AUSTRAC's latest sector guidance rather than from older summaries.

What a supervisor will expect to see

A clear training plan linked to the firm's risk assessment and business model.
Role-specific content for front-line staff, operations teams, managers, and control functions.
Evidence that new joiners are trained promptly and that refresher training happens at sensible intervals.
Training records that show who was trained, when, on what, and how understanding was checked.
A process for updating training when the law, the firm's risks, or supervisory expectations change.
Some evidence that the training works in practice, such as better escalation, stronger internal reporting, or fewer repeated control failures.

Key takeaways from Session Eight

Training is a legal obligation under regulation 24 of the MLR 2017, not a discretionary extra. It must be regular, role-specific, and must cover the law relating to money laundering, terrorist financing, and data protection as it relates to the Regulations.
All relevant employees are in scope: not just compliance staff, but anyone whose role brings them into contact with customers, transactions, or activities connected to financial crime risk. Contractors and consultants are also within scope where they perform relevant functions.
Training content must reflect the firm's actual risk profile. Generic training that does not connect to the situations staff encounter in their specific roles is unlikely to satisfy the regulatory standard and unlikely to be effective.
Effectiveness matters as well as completion. Measuring training by completion rates alone misses the point. Assessment, monitoring of internal SAR quality, compliance monitoring findings, and staff behaviour in practice are all better indicators of whether training is working.
Records must be maintained and must be retrievable. They should document who was trained, when, on what, and how competency was verified. Records that cannot be produced promptly during a supervisory review are not adequate.
In New Zealand, the training obligation falls under the AML/CFT programme required by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. In Australia, it sits within the AML/CTF programme required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the current AML/CTF Rules. In both jurisdictions, the principle is much the same as in the UK: training must be relevant, regular, documented, and capable of standing up to supervisory review.

Coming up in Session Nine

Session Nine is the implementation summary. It draws together the obligations covered across all nine sessions into a practical framework for building, reviewing, or strengthening an AML compliance programme. It is designed to be a practical reference for MLROs, compliance officers, and senior managers responsible for AML oversight.