AML Compliance Session Nine

AML Compliance Session Nine: Implementation Summary


Important note

This guide is for educational purposes only. It is not legal advice and is not a substitute for jurisdiction-specific professional counsel: legislation, regulation and regulatory guidance change. Always verify current requirements with a qualified adviser in your jurisdiction before relying on this material for compliance decisions.

Legislation and guidance checked May 2026. This session is primarily UK-focused, with comparisons to New Zealand and Australia.

This is the final session of the course. Its purpose is practical. It draws together the obligations covered across Sessions One through Eight into a single working reference for building, reviewing, or strengthening an AML compliance programme.

It does not repeat the details from those sessions. It assumes that the detail has already been read. What it offers is a consolidated view of what a functioning programme must contain, a checklist of core obligations cross-referenced to their main regulatory sources, and direct commentary on the failure modes supervisors encounter most often.

One point is worth making at the outset. A programme that is technically complete but operationally inert is not compliant. In 2026, supervisors across all three jurisdictions are increasingly focused on whether risk-based judgements are made and evidenced in practice, not merely on whether policies exist on paper. The question is not only whether the documents are there. It is whether the programme works.

What a functioning AML programme contains

The MLR 2017 set out obligations. They do not prescribe the precise form in which those obligations are met. What the regulations require is a programme that is proportionate to the firm's risk, documented, implemented in practice, and kept up to date. The same principle applies under the AML/CFT Act 2009 in New Zealand and the AML/CTF Act 2006 in Australia.

A functioning programme has six components. They are not a sequence to complete. They are a system that must work together.

The six components of a functioning AML programme

1. A firm-wide risk assessment that is specific to the firm, current, and the foundation from which everything else is built.

2. Policies, controls and procedures that are proportionate to the risk assessment, documented clearly, and understood by the people responsible for following them.

3. Customer due diligence that is applied consistently, calibrated to risk, updated when circumstances change, and supported by records that can be produced promptly.

4. Suspicious activity reporting that works in practice: staff who recognise indicators and report internally, an AML compliance officer who considers reports and acts on them, and an external reporting process that produces quality SARs.

5. Staff training that is regular, role-specific, and demonstrably effective, not merely completed.

6. Governance and oversight: senior management accountability, appropriate authority and resource for the AML compliance officer or equivalent function, compliance monitoring, and a process for keeping the programme current as the business and the regulatory environment change.

The consolidated obligations checklist

The table below sets out the core obligations from across the course. Each is cross-referenced to its primary regulatory source. This is a working reference, not a substitute for reading the underlying legislation and guidance.

Read it in two ways. First, use it to confirm that each core requirement is covered. Then use it again to test whether the control actually works in practice.

Governance and senior management

1. Appoint an individual at the board, equivalent management body, or senior management level as the officer responsible for the firm's compliance with the Regulations. Source: MLR 2017, reg 21(3)
2. Obtain senior management approval for the firm's AML policies, controls and procedures. Source: MLR 2017, reg 21(1)(a)
3. Ensure the MLRO has adequate authority, independence, and resources to perform their function effectively. Source: MLR 2017, reg 21; JMLSG Ch 3
4. Screen relevant employees prior to appointment and assess their ongoing conduct, integrity, and competence. Source: MLR 2017, reg 21(1)(b)

Risk assessment

5. Carry out a firm-wide risk assessment covering customers, geographies, products and services, transactions, and delivery channels. Source: MLR 2017, reg 18
6. Document the risk assessment in writing and make it available to the supervisor on request. Source: MLR 2017, reg 18(4)
7. Keep the risk assessment up to date, updating it when the business, the external threat environment, or supervisory findings change. Source: MLR 2017, reg 18(6)
8. Draw on external inputs, including the HM Treasury National Risk Assessment of Money Laundering and Terrorist Financing 2025, FATF typologies, supervisor publications, and sector-specific guidance. Source: MLR 2017, reg 18; NRA 2025

Policies, controls and procedures

9. Establish policies, controls, and procedures that are proportionate to the firm-wide risk assessment. Source: MLR 2017, reg 19
10. Include in policies: customer due diligence, ongoing monitoring, suspicious activity reporting, record keeping, and staff training. Source: MLR 2017, reg 19(4)
11. Review policies, controls and procedures regularly and update them when the risk assessment, the business, or the regulatory framework changes. Source: MLR 2017, reg 19(1)
12. Keep records of previous policy versions and review decisions so the firm can evidence how its framework has changed over time. Source: MLR 2017, reg 40; good practice

Customer due diligence

13. Apply standard CDD to all customers when establishing a business relationship, carrying out an occasional transaction above the relevant threshold, or when there is suspicion. Source: MLR 2017, regs 27, 28
14. Verify customer identity on the basis of documents, data or information from a reliable and independent source. Source: MLR 2017, reg 28(2)
15. Identify and take reasonable steps to verify the identity of beneficial owners. For corporate customers, understand the ownership and control structure. Source: MLR 2017, reg 28(3), (4)
16. Understand the nature and purpose of the business relationship, and, where appropriate, the source of funds. Source: MLR 2017, reg 28(1)(d)
17. Apply simplified due diligence where the risk assessment justifies it, and document the basis for that decision. Source: MLR 2017, reg 37
18. Apply enhanced due diligence to high-risk customers, PEPs, customers from high-risk third countries, and complex ownership structures. Obtain senior management approval for PEP relationships. Source: MLR 2017, regs 33, 35
19. Conduct ongoing monitoring of business relationships, including scrutiny of transactions and periodic review of customer risk ratings. Source: MLR 2017, reg 28(1)(e)
20. Where CDD cannot be completed, do not establish or continue the relationship. Consider whether a SAR is required. Source: MLR 2017, reg 31

Suspicious activity reporting

21. Establish and document internal reporting procedures. Staff must know who the MLRO is, how to report, and what protection they have. Source: MLR 2017, reg 19(4); POCA 2002, s 330
22. Report suspicions to the MLRO as soon as practicable. The threshold is a possibility more than fanciful (Da Silva), not certainty. Source: POCA 2002, s 330
23. The MLRO must consider all internal reports and document that consideration, recording the reasons for any decision not to report externally. Source: POCA 2002, s 331
24. File external SARs through the NCA's SAR Portal as soon as practicable after suspicion arises. Ensure the report is complete, structured, and uses glossary codes correctly where relevant. Source: POCA 2002, s 338; NCA UKFIU guidance Dec 2025
25. Where appropriate, seek a Defence Against Money Laundering before carrying out a prohibited act involving suspected criminal property, and wait for the statutory process to run before proceeding. Source: POCA 2002, s 337
26. Do not disclose to the subject of a SAR that a report has been made. Ensure staff understand the prohibition on tipping off and its practical implications. Source: POCA 2002, s 333A
27. Keep SAR records securely and separately from client files, and suspend routine destruction where a SAR, defence request, or investigation is live. Source: POCA 2002, s 333A; MLR 2017, reg 40; good practice

Record keeping

28. Keep CDD records for five years from the end of the business relationship or from the date of an occasional transaction. Source: MLR 2017, reg 40(1)
29. Keep transaction records for five years from the date the transaction was completed. Source: MLR 2017, reg 40(2)
30. Keep records of the firm-wide risk assessment, policies and procedures, internal SARs, training, and screening results. Source: MLR 2017, reg 40
31. Ensure records can be retrieved promptly and produced in a usable form. Inaccessible records do not meet the regulatory standard. Source: MLR 2017, reg 40(4)
32. Apply AML retention requirements while also meeting UK GDPR and data protection requirements. Set this out clearly in the firm's retention schedule. Source: MLR 2017, reg 40; UK GDPR

Staff training

33. Train all relevant employees regularly on the law relating to money laundering and terrorist financing, as well as the firm's own policies and procedures. Source: MLR 2017, reg 24
34. Include data protection obligations as they relate to the Regulations in training content. Source: MLR 2017, reg 24
35. Tailor training to the risks and realities of each role. Generic training delivered uniformly is not adequate. Source: MLR 2017, reg 24; FCA FCG
36. Keep records of training: who was trained, when, on what, in what format, and how competency was verified. Source: MLR 2017, reg 24
37. Refresh training when the law, the firm's risk profile, or supervisory expectations change, not only on an annual cycle. Source: MLR 2017, reg 24

The failure modes supervisors most often find

Supervisory reviews across all three jurisdictions consistently identify the same weaknesses. Understanding them is as useful as understanding the obligations themselves, because the gap between a compliant programme and an effective one is usually found here.

These are the points that usually tell you whether a programme is real or performative. They are also the weaknesses supervisors tend to find first.

The risk assessment is treated as a document rather than a tool. The firm produced one, updates it annually by changing the date, and does not use it to drive decisions. Controls are not designed to align with what the assessment says. EDD is not applied consistently where the assessment says it is required. The assessment and the programme live in separate worlds.

CDD is applied uniformly rather than proportionately. Every customer goes through the same process regardless of risk. Simplified due diligence is not applied where the risk justifies it. Enhanced due diligence is triggered by category rather than by a genuine assessment of the specific risk presented. The risk-based approach is nominally in place but not genuinely operating.

Customer risk ratings are not maintained. Ratings are assigned at onboarding and never updated. Transaction monitoring alerts are closed without reference to the customer's risk rating. The link between the rating and the level of scrutiny applied has broken down.

Internal reporting culture is weak. Front-line staff know they should report, but do not, because they worry about client relationships, internal friction, or being wrong. The MLRO is seen as a barrier rather than a resource. Internal SAR rates are low, not because the business is low-risk, but because the culture does not support reporting.

SAR quality is poor. Reports are filed to protect the firm rather than to inform law enforcement. Key fields are incomplete. The description of the suspicious activity is vague. The report does not explain clearly why the activity gives rise to suspicion. It is technically filed but practically invisible.

Training records cannot be produced. Training happened, but the records are incomplete, inaccessible, or do not show what was covered, who attended, or how competence was assessed. A list of completed online modules is produced. It does not show that anyone learned anything.

The programme is not kept current. The risk assessment was written when the firm launched. The policies have not been reviewed since the last major regulatory change. Training content refers to guidance that has since been updated. The programme describes the firm as it was, not as it is.

The supervisory direction of travel in 2026

In the UK, the direction of travel is towards more centralised, outcome-focused supervision, with higher expectations for documented risk-based judgements. The Government has decided that the FCA should take over AML supervision of legal, accountancy, trust and company service providers from the current professional body model, and consulted on the detailed powers and accountability framework in late 2025. At the time of review, that reform direction is clear, but firms should check the current implementation position.

The 2025 National Risk Assessment and recent supervision reports point in the same direction. Risk assessments must be dynamic, controls must be proportionate and evidenced, and firms must be able to show that their programme works in practice, not just on paper.

In New Zealand and Australia, the same direction is visible. In Australia, the 2024 reforms and the AML/CTF Rules 2025 are bringing new sectors into scope in stages through 2026. In New Zealand, the current Act remains in force while further reform continues through the legislative process. In all three jurisdictions, regulators are asking the same practical question: Does the policy match what actually happens?

Keeping the programme current

An AML compliance programme is not a project with an end date. It is a live system that requires maintenance. The regulatory environment changes. The business changes. The threat landscape changes. A programme that was adequate two years ago may not be adequate today.

In practical terms, keeping a programme current means having a process for monitoring the regulatory horizon, assessing the impact of changes on the firm's risk profile and controls, updating documentation, and refreshing training. That process should be owned, not left to chance. In the UK, this will often be handled by the MLRO. In other jurisdictions, the equivalent AML compliance officer or responsible person will usually lead it. In every case, the process needs to be resourced and supported by senior management.

Some changes should prompt an immediate review rather than waiting for the next annual cycle.
  • A new or updated National Risk Assessment, FATF typologies report, or supervisor publication that changes the picture of where the risks lie.
  • A change in the regulatory framework, including new or amended legislation, regulations, or guidance.
  • A material change in the firm's business: new products, new customer segments, new geographies, new delivery channels, or significant growth in existing areas.
  • Findings from a supervisory review, internal audit, or compliance monitoring exercise that reveal gaps in the programme.
  • A pattern of internal SARs or transaction monitoring alerts that suggests a risk not previously identified or a control that is not working.
  • An enforcement action or thematic review published by the firm's supervisor or by another supervisor in the same sector, which often signals where supervisory attention is moving.

A note on jurisdictional differences

This course has been written primarily with reference to the UK framework, with comparisons to New Zealand and Australia throughout. The core obligations are comparable across all three jurisdictions: risk assessment, policies and procedures, CDD, suspicious activity reporting, training, and record keeping. The specific provisions, thresholds, supervisors, and reporting routes differ.

Any firm operating across more than one of these jurisdictions should treat the requirements as distinct rather than interchangeable. The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 in New Zealand and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 in Australia each have their own structures, supervisors, and reporting obligations. In Australia, the 2024 amending Act and the AML/CTF Rules 2025 have changed the framework, with staged commencement through 2026. In New Zealand, the principal Act remains in force and amendment bills were still progressing through Parliament at the time this session was checked. In all three jurisdictions, the starting point is always the current legislation, current rules or regulations, and current supervisory guidance.

Key takeaways from Session Nine and the course

  • An AML compliance programme is a system, not a document. Risk assessment, policies, CDD, suspicious activity reporting, training, and governance must function together. A programme that is complete on paper but not operational in practice is not compliant.
  • The risk assessment is the foundation. Everything else (the policies, the CDD levels, the monitoring, the training) should flow from it. A risk assessment that does not drive decisions is not serving its purpose.
  • The most common failures are not about ignorance of the law. They are about the gap between what the programme says and what actually happens: inconsistent CDD, weak internal reporting culture, poor SAR quality, inaccessible records, and training that does not change behaviour.
  • Keeping the programme current is an ongoing obligation. The regulatory environment, the business, and the threat landscape all change. The programme must change with them.
  • In 2026, regulators across all three jurisdictions are increasingly focused on whether risk-based judgements are made and evidenced in practice. The question is not whether controls exist. It is whether they work.

You have completed the AML Compliance course: nine sessions covering the full AML framework from first principles to implementation.

Further reading and resources

The following sources provide the primary legal and regulatory framework for all three jurisdictions. All are publicly available.

If you are checking the legal position, start with the legislation itself. Then check the current guidance from the relevant supervisor or competent authority.

Proceeds of Crime Act 2002 and Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended). The primary UK framework. Available at legislation.gov.uk. Always use the consolidated version.

HM Treasury: National Risk Assessment of Money Laundering and Terrorist Financing 2025. Published July 2025. Essential input to any UK firm-wide risk assessment. Available at gov.uk.

FCA Financial Crime Guide (FCG). Updated by Policy Statement PS24/17 in November 2024, with later handbook updates to reflect current text. The FCA's consolidated guidance on financial crime systems and controls. Available through the FCA Handbook.

JMLSG Guidance, Parts I and II. Core practical guidance on applying the MLR 2017 in financial services. Use the current guidance and check the revisions page for approved amendments and any text still awaiting HM Treasury approval. Available at jmlsg.org.uk.

NCA UKFIU SARs best practice guidance. Use the current SAR Portal and chapter-based guidance, including the 2025 guidance on using the SAR Portal, submitting SARs, and understanding DAMLs and DATFs. Available from the National Crime Agency.

Anti-Money Laundering and Countering Financing of Terrorism Act 2009, related regulations, and supervisor guidance (New Zealand). The DIA, FMA, and Reserve Bank of New Zealand publish sector-specific guidance. Also check any current amendment bill before Parliament, as reform was still progressing when this session was checked. Available at legislation.govt.nz and on each supervisor's website.

Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the AML/CTF Rules 2025, and AUSTRAC guidance (Australia). Use the current Act, Rules, transitional materials, and AUSTRAC guidance. Check staged commencement dates and sector-specific implementation material for the 2026 reforms. Available at legislation.gov.au and austrac.gov.au.

FATF 40 Recommendations and typologies reports. The international standard underpinning all three domestic regimes, and practical risk material. Available at fatf-gafi.org.
