AML: Core Principles and Practice
A plain-language guide to anti-money laundering compliance built on FATF international standards. Covers the international framework, the risk-based approach, customer due diligence, suspicious activity reporting, staff training, and a practical implementation checklist for compliance professionals working in any jurisdiction.
Important note. This guide is provided for general information and educational purposes only. It does not constitute legal advice and is not a substitute for jurisdiction-specific professional counsel. AML legislation, regulation, and supervisory guidance change frequently and vary significantly between jurisdictions. Readers should check the requirements that apply in their own country and seek appropriate professional advice where needed.
Introduction
Anti-money laundering compliance is one of the most consistently regulated areas of business activity across the world. Over 200 jurisdictions have built AML frameworks that share the same foundations, reflect the same international standards, and require organisations to address the same fundamental challenges.
Those foundations come from the Financial Action Task Force (FATF), the international body that sets the global standards for combating money laundering and terrorist financing. Whether you are working in New York, Singapore, Dubai, Nairobi, or Sydney, the core principles of AML compliance are the same. The legislation differs. The regulatory body differs. The specific thresholds and requirements differ. But the underlying framework is consistent.
This guide is built on those international principles. It covers the risk-based approach, customer due diligence, suspicious activity reporting, staff training, and a practical implementation checklist. It is written for compliance professionals, MLROs, senior managers, and anyone who needs to understand how AML obligations work in practice, wherever they are.
It does not replace jurisdiction-specific guidance. Every reader needs to understand how these principles are implemented in the laws and regulations of their own country. But understanding the principles first makes that local knowledge far easier to apply.
A companion guide covering the UK legislative framework in detail is available separately.
The international framework
Why international standards matter
Money laundering is a global problem. Criminal proceeds do not respect borders. A drug trafficking operation in one country generates cash that is layered through shell companies in a second, converted into real estate in a third, and integrated into legitimate business in a fourth. Effective AML compliance requires a consistent international framework, because weak points in one jurisdiction undermine the efforts of every other.
That is the core rationale for FATF. Established in 1989 by the G7, FATF is the international standard-setting body for AML and counter-terrorist financing (CTF). Its 40 Recommendations are the recognised global benchmark, and its associate members and observer organisations extend its reach across virtually every significant financial jurisdiction in the world.
FATF does not pass laws. What it does is set expectations, monitor compliance through a mutual evaluation process, and apply reputational pressure on jurisdictions that fall short. Being placed on FATF's list of jurisdictions under increased monitoring (often called the grey list) or its list of high-risk jurisdictions subject to a call for action (the black list) carries significant consequences for a country's access to international finance and trade.
The FATF 40 Recommendations
FATF's 40 Recommendations are grouped into seven areas: AML and CTF policies and coordination; money laundering and confiscation; terrorist financing and proliferation financing; preventive measures for regulated entities; transparency and beneficial ownership of legal persons and arrangements; powers and responsibilities of competent authorities; and international cooperation. For compliance professionals, the preventive measures are the most directly relevant.
Key recommendations that shape practical compliance obligations globally include the following.
Recommendation 1. Countries and financial institutions should identify, assess, and understand their money laundering and terrorist financing risks, and take action proportionate to those risks. This is the foundation of the risk-based approach.
Recommendation 10. Financial institutions should be prohibited from keeping anonymous accounts and should be required to identify and verify their customers. This is the basis for customer due diligence requirements globally.
Recommendation 18. Financial institutions should be required to implement AML and CTF programmes including internal policies, training, and an audit function.
Recommendation 20. Financial institutions should be required to report suspicious transactions to the financial intelligence unit. This is the basis for suspicious activity reporting.
The three stages of money laundering
Understanding what money laundering actually is helps make sense of why the controls are designed the way they are. Money laundering is the process by which criminals attempt to conceal the origin of illegally obtained money, making it appear to have come from a legitimate source. The process is typically described in three stages.
Placement. Illegal proceeds enter the financial system. This is often the most vulnerable stage for criminals because it involves physical cash, which is difficult to move in large quantities without detection. Common placement techniques include structuring cash deposits to avoid reporting thresholds, using cash-intensive businesses as a front, and purchasing high-value goods with cash.
Layering. Proceeds are moved through a series of transactions designed to obscure their origin. This might involve wire transfers between multiple accounts in different jurisdictions, converting funds into different currencies or financial instruments, or using shell companies and complex ownership structures to break the audit trail.
Integration. The laundered funds re-enter the legitimate economy, typically through investment in real estate, businesses, or other assets that appear to have a legitimate source. At this stage, the proceeds are difficult to distinguish from legitimately earned wealth.
Understanding these stages helps compliance professionals think about where in the customer journey or transaction cycle financial crime risk is most likely to arise, and what controls are most relevant.
Financial intelligence units
Every FATF-compliant jurisdiction maintains a financial intelligence unit (FIU), the national body that receives, analyses, and disseminates financial intelligence. Suspicious activity reports submitted by regulated businesses go to the FIU, which uses that intelligence to identify patterns, support law enforcement investigations, and share information with international counterparts.
The Egmont Group is the international network of FIUs, facilitating information sharing between national units. Understanding the role of the FIU in your jurisdiction is an important part of understanding how the SAR process actually functions.
The risk-based approach
The risk-based approach is the central organising principle of modern AML compliance. It is required by FATF standards and embedded in the AML legislation of every major jurisdiction. Understanding what it actually means in practice, rather than simply what it says in the regulations, is one of the most important things a compliance professional can develop.
The core principle
Not all customers, products, channels, and jurisdictions pose the same level of money laundering or terrorist financing risk. A risk-based approach requires organisations to identify, assess, and understand those risks, then design controls that are proportionate to them.
This means applying enhanced scrutiny where risk is high, and proportionate, lighter-touch measures where risk is genuinely low. It explicitly does not mean applying the same level of scrutiny to every customer regardless of their actual risk profile. FATF is clear that over-compliance (blanket measures applied without reference to actual risk) is not good compliance practice. It is inefficient, it pushes costs onto customers who present no material risk, and it can contribute to financial exclusion.
Regulators globally are measuring effectiveness, not just technical compliance. The question is not whether a process exists, but whether it works.
The organisation-wide risk assessment
The starting point for any effective AML programme is an organisation-wide risk assessment. This is a structured analysis of the money laundering and terrorist financing risks to which the business is exposed, based on its specific characteristics.
The assessment should consider the types of customers the organisation serves and their risk profiles, the products and services offered and the financial crime risks they present, the channels through which products and services are delivered, the jurisdictions in which the organisation and its customers operate, the nature, volume, and pattern of transactions, and the sources and destinations of funds.
The complexity of the risk assessment should be proportionate to the complexity of the business. A smaller firm with a straightforward client base needs a less elaborate assessment than a large multinational with diverse products, multiple jurisdictions, and high transaction volumes. What matters in both cases is that the assessment is genuine, documented, and used to drive decisions about controls.
The risk assessment must be a living document. It needs to be updated when the business changes, when new products or services are introduced, when the customer base shifts, and when the external threat environment evolves. An assessment that is completed once and then archived is not fit for purpose.
Why the risk-based approach fails in practice
Despite being well understood in principle, the risk-based approach consistently fails in implementation for the same reasons across different organisations and jurisdictions.
The risk assessment becomes a document, not a tool. Many organisations produce a risk assessment to satisfy a regulatory requirement and then update it annually as a compliance exercise. It does not drive how controls are designed, how resources are allocated, or how decisions are made. It sits in a folder and comes out when auditors or regulators ask for it. A genuine risk assessment is dynamic and decision-driving.
Risk ratings become formulaic. Customer risk ratings are often generated by automated systems applying a fixed scoring model. The model produces a number, the number determines the level of due diligence, and the process runs on autopilot. Nobody asks whether the model is still capturing the right risks, whether its criteria remain current, or whether its outputs reflect what is actually happening in the customer relationship. Financial crime is adaptive. Static risk models become outdated.
Compliance and the business operate separately. A genuine risk-based approach requires the compliance function to understand the business well enough to identify where financial crime risk actually arises in practice. That requires real collaboration. Where compliance teams and business units operate in separate lanes, the risk assessment reflects compliance theory rather than operational reality.
The process becomes a tick-box exercise. Organisations optimise for documentation rather than outcome. Enhanced due diligence is conducted because a risk rating requires it, not because anyone is genuinely investigating a concern. The checks are completed, the file is closed, and nothing meaningful is learned. The process runs; the purpose is lost.
What effective implementation looks like
Organisations that implement the risk-based approach effectively share a set of characteristics that go beyond having the right policies in place.
Their risk assessment genuinely drives decisions. When new products are launched, the compliance team is involved early enough to identify financial crime risks and design appropriate controls from the outset. The assessment is not retrospective.
Customer risk ratings are treated as a starting point, not a definitive answer. There is a process for human review of ratings that seem inconsistent with what transaction data or relationship managers are showing. The model is updated when its assumptions become outdated.
Enhanced scrutiny is meaningful. When a customer is identified as high risk, the investigation asks practical questions about source of funds, whether transactions make sense given the customer's known circumstances, and whether there are inconsistencies that warrant further review. The process produces a genuine judgement.
Simplified due diligence is genuinely applied. Low-risk customers are not subjected to the same scrutiny as high-risk ones. The organisation understands that over-compliance is not just inefficient, it can exclude people from financial services who have a legitimate right to access them. Proportionality is treated as an obligation, not a courtesy.
Monitoring is continuous and intelligence-led. Transaction monitoring is tuned to the actual risk profile of the customer base. Alerts are reviewed by people who understand context. And the outputs of monitoring feed back into the risk assessment.
Customer due diligence
Customer due diligence is how regulated businesses identify their customers, understand the nature of the relationship, and assess the risk it presents. It is one of the most operationally significant elements of AML compliance, and one of the areas where the gap between policy and practice is most often found.
When CDD is required
FATF standards require CDD to be applied when establishing a business relationship, when carrying out occasional transactions above the applicable threshold, when there is a suspicion of money laundering or terrorist financing regardless of any threshold or exemption, and when there are doubts about the accuracy or adequacy of previously obtained customer identification information.
The specific thresholds and triggers will vary by jurisdiction and sector. The principle is consistent: before entering into a significant relationship or transaction, the organisation must know who it is dealing with.
Standard CDD
Standard CDD requires organisations to identify and verify the identity of their customers, understand the nature and purpose of the business relationship, and conduct ongoing monitoring throughout the relationship.
For individual customers, this typically means collecting name, date of birth, address, and an identification number, and verifying those details against a reliable and independent source such as a government-issued identity document or an electronic verification service.
For corporate customers, it means identifying the legal entity, understanding its ownership and control structure, and identifying the individuals who ultimately own or control it (commonly referred to as beneficial owners). Most frameworks set a threshold of 25% ownership or control for mandatory beneficial owner identification, though some jurisdictions apply a lower threshold.
Understanding the purpose and intended nature of the relationship is as important as identity verification. Knowing who a customer is only helps if the organisation also understands what they are trying to do and whether that makes sense given what is known about them.
Enhanced due diligence
Enhanced due diligence applies where the risk of money laundering or terrorist financing is higher than normal. FATF identifies certain categories of customer or situation where enhanced scrutiny is warranted: politically exposed persons (PEPs) and their family members and close associates (required for all foreign PEPs, and for domestic and international-organisation PEPs where the relationship is assessed as higher risk); customers or transactions with connections to jurisdictions identified by FATF as high risk; correspondent banking relationships; complex or unusually large transactions with no apparent legitimate purpose; and any other situation where the organisation's own risk assessment identifies elevated risk.
What EDD looks like in practice varies depending on the risk and the nature of the relationship. It typically involves obtaining additional information about the customer and their background, seeking to understand the source of funds and the source of wealth, obtaining approval from senior management, and applying more frequent ongoing review. The key requirement is that the enhanced scrutiny produces a genuine assessment, not just a thicker file.
Simplified due diligence
Where the risk of money laundering is demonstrably low, simplified due diligence may be appropriate. This means proportionately less intensive verification than standard CDD, not the absence of any checks. The organisation must still identify the customer. It simply means the extent of verification can be reduced.
SDD cannot be applied as a default. It requires a genuine assessment that the specific customer or product presents low risk. If a regulator challenges the application of simplified measures, the organisation must be able to justify that assessment.
Politically exposed persons
PEPs are individuals who hold or have held prominent public positions: heads of state, senior politicians, senior judicial and military officials, senior executives of state-owned enterprises, and senior officials of major international organisations. Family members and known close associates of PEPs are also subject to enhanced scrutiny under most frameworks.
The rationale is that individuals in positions of public power or trust present a higher risk of involvement in bribery, corruption, and misuse of public funds. The obligation is not to refuse relationships with PEPs, but to apply appropriate scrutiny, understand the source of their wealth, obtain senior management approval, and monitor the relationship more closely.
It is important to apply proportionality here too. Not all PEPs present the same level of risk. A retired local councillor in a low-corruption jurisdiction presents a very different risk profile to a serving minister in a country with significant corruption concerns. The risk-based approach applies to PEPs just as it does to any other customer.
Beneficial ownership
Identifying the beneficial owners of corporate customers is one of the most challenging aspects of CDD in practice. Money laundering frequently involves complex ownership structures specifically designed to obscure who ultimately controls or benefits from assets and transactions.
Effective beneficial ownership identification requires going beyond the immediate legal entity to understand the chain of ownership and control. It requires using available sources, including corporate registries, land registries, public records, and commercial databases, to verify ownership information.
Most jurisdictions have introduced beneficial ownership registers in recent years. These have improved transparency, but their accuracy varies, and they are not a substitute for the organisation's own due diligence. A name on a register is a starting point for verification, not a conclusion.
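As an added illustration of tracing ownership through a chain (this is example code written for this guide, not part of the original text or any regulator's method), the following Python computes each natural person's effective stake in a customer entity by multiplying fractions along each chain of intermediate companies and summing across chains, then applies the 25% threshold mentioned above. The entity and person names, the shareholdings, and the multiplication rule are constructed assumptions; some jurisdictions aggregate indirect holdings differently, and control exercised by means other than shareholding (board appointment rights, nominee or trust arrangements) is not captured by any ownership arithmetic and still has to be assessed separately. Circular cross-holdings between intermediate entities are cut and surfaced as unresolved residuals rather than silently dropped.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample register extract: entity -> list of (owner, fraction held).
# Owners that are not keys in this dict are treated as natural persons.
# Holdco Ltd and Fundco LP hold small stakes in each other (a cross-holding).
HOLDINGS = {
    "Acme Trading Ltd": [("Holdco Ltd", Fraction("0.60")),
                         ("Fundco LP", Fraction("0.30")),
                         ("Carol", Fraction("0.10"))],
    "Holdco Ltd": [("Alice", Fraction("0.45")),
                   ("Bob", Fraction("0.45")),
                   ("Fundco LP", Fraction("0.10"))],
    "Fundco LP": [("Bob", Fraction("0.40")),
                  ("Holdco Ltd", Fraction("0.20")),
                  ("Dave", Fraction("0.40"))],
}
THRESHOLD = Fraction("0.25")  # assumed mandatory-identification threshold


def effective_ownership(entity, holdings, _path=()):
    """Return {owner: fraction} of `entity` held directly or through
    intermediate entities. Indirect stakes are multiplied along each chain
    and summed across chains (one common method; rules vary by jurisdiction).
    A chain that revisits an entity already on the current path is cut there,
    and the stake stays under that entity's name so it is visible as unresolved."""
    path = _path + (entity,)
    result = defaultdict(Fraction)
    for owner, fraction in holdings.get(entity, []):
        if owner in path:
            result[owner] += fraction          # circular cross-holding: stop here
        elif owner in holdings:
            for person, sub in effective_ownership(owner, holdings, path).items():
                result[person] += fraction * sub
        else:
            result[owner] += fraction          # natural person: leaf of the chain
    return dict(result)


def beneficial_owners(entity, holdings, threshold=THRESHOLD):
    """Natural persons at or above the threshold, plus any residual stakes
    that could not be traced to a person and therefore need manual review."""
    shares = effective_ownership(entity, holdings)
    flagged = sorted(p for p, f in shares.items()
                     if p not in holdings and f >= threshold)
    unresolved = {p: f for p, f in shares.items() if p in holdings}
    return flagged, unresolved


if __name__ == "__main__":
    for person, share in sorted(effective_ownership("Acme Trading Ltd", HOLDINGS).items()):
        print(f"{person:18s} {float(share):6.1%}")
    flagged, unresolved = beneficial_owners("Acme Trading Ltd", HOLDINGS)
    print("Beneficial owners to identify:", flagged)
    print("Unresolved (cross-holding residue):",
          {k: float(v) for k, v in unresolved.items()})
```

On the constructed data, Alice (29.7%) and Bob (44.1%) must be identified and verified, Dave (14.4%) and Carol (10%) fall below the threshold, and a small residue stays attributed to the two intermediate companies because of their cross-holding; that residue is the signal to look at the structure rather than take the register at face value. Exact fractions are used deliberately so that threshold comparisons do not depend on floating-point rounding.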
Suspicious activity reporting
The obligation to report suspicions of money laundering to the relevant authority is one of the most important duties in the AML framework. It is also one of the areas where the gap between the legal requirement and what actually happens in practice is most pronounced.
The reporting obligation
FATF Recommendation 20 requires financial institutions to report suspicious transactions to the national financial intelligence unit. The obligation arises when the institution suspects, or has reasonable grounds to suspect, that funds are the proceeds of a criminal activity, or are related to terrorist financing.
Critically, the threshold for reporting is suspicion, not certainty. Organisations are not required to investigate and prove that money laundering has occurred before making a report. They are required to report when they have a suspicion, when they think there is a real possibility, based on the information available to them, that the funds or transaction may be linked to financial crime.
This is a deliberately low bar. The intelligence value of the reporting system depends on organisations reporting broadly rather than conservatively. Withholding a report because the evidence is not conclusive defeats the purpose of the regime.
Internal reporting
In most regulated organisations, front-line staff do not report directly to the national FIU. Instead, they report internally to a designated person, typically the Money Laundering Reporting Officer (MLRO) or nominated officer, who then decides whether to make an external report.
Effective internal reporting requires three things. Staff must know what suspicious activity looks like. They must know how to make an internal report. And they must feel confident that making a report is expected and supported, not something that will cause problems for them or their relationships with clients.
A culture where staff worry that reporting a suspicion will damage a client relationship, cause internal friction, or reflect badly on their judgement is a culture where the internal reporting process will break down. Senior management and the MLRO have a direct responsibility to address this.
Recognising suspicious activity
There is no definitive list of indicators that always signal suspicious activity. Context matters enormously. Many indicators have innocent explanations. The obligation is to report when there is a genuine suspicion, not to treat every unusual transaction as evidence of financial crime.
Common indicators that may warrant further consideration include a customer who is reluctant to provide identification or who provides identification that cannot be verified, a customer who has no apparent reason to be using the organisation's products or services, significant or unexplained changes in a customer's transaction patterns, a sudden and unexplained improvement in a customer's financial position, transactions that are inconsistent with the customer's known business or personal circumstances, requests for transactions that are unusually complex or appear structured to avoid reporting thresholds, payments to or from jurisdictions with high corruption or weak AML controls with no clear business rationale, and cash-intensive activity that is inconsistent with the customer's stated business.
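One of the indicators above, and the structuring technique described under placement earlier, lends itself to a simple monitoring rule: several cash deposits, each just under the reporting threshold, clustered in a short period. The Python below is an added example written for this guide, not part of the original text or any vendor's monitoring product. The threshold, the 90% "just under" band, the seven-day window, the minimum count, and the transaction records are all constructed assumptions (the guide itself notes that thresholds vary by jurisdiction). Its output is an alert for human review, in keeping with the point that indicators often have innocent explanations; it is not a suspicion decision.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters: illustrative values, not any country's actual threshold.
REPORTING_THRESHOLD = 10_000        # cash reporting threshold (assumed)
NEAR_BAND = 0.90                    # deposits at >= 90% of it count as "just under"
WINDOW = timedelta(days=7)          # rolling look-back for clustering deposits
MIN_COUNT = 3                       # deposits needed before an alert fires

# Constructed sample transactions: (account, timestamp, type, amount).
SAMPLE = [
    ("ACC-1", "2024-03-01T10:00", "cash_deposit", 9_500),
    ("ACC-1", "2024-03-02T11:30", "cash_deposit", 9_800),
    ("ACC-1", "2024-03-04T09:15", "cash_deposit", 9_700),
    ("ACC-1", "2024-03-20T12:00", "cash_deposit", 9_900),   # outside the window
    ("ACC-2", "2024-03-01T10:00", "cash_deposit", 12_000),  # over threshold: caught by the threshold report itself
    ("ACC-2", "2024-03-02T10:00", "cash_deposit", 3_000),   # well below the band
    ("ACC-3", "2024-03-01T10:00", "wire_in", 9_900),        # not cash: a different typology
    ("ACC-3", "2024-03-02T10:00", "wire_in", 9_900),
    ("ACC-3", "2024-03-03T10:00", "wire_in", 9_900),
]


def structuring_alerts(transactions, threshold=REPORTING_THRESHOLD,
                       near_band=NEAR_BAND, window=WINDOW, min_count=MIN_COUNT):
    """Flag accounts with `min_count` or more cash deposits, each just under
    the threshold, falling within `window`, whose combined value meets the
    threshold. Returns analyst-review alerts, not suspicion decisions."""
    lower = threshold * near_band
    by_account = defaultdict(list)
    for account, ts, kind, amount in transactions:
        if kind == "cash_deposit" and lower <= amount < threshold:
            by_account[account].append((datetime.fromisoformat(ts), amount))

    alerts = []
    for account, deposits in sorted(by_account.items()):
        deposits.sort()
        start = 0
        for end in range(len(deposits)):
            # slide the window start forward until the cluster fits in `window`
            while deposits[end][0] - deposits[start][0] > window:
                start += 1
            cluster = deposits[start:end + 1]
            total = sum(a for _, a in cluster)
            if len(cluster) >= min_count and total >= threshold:
                alerts.append({
                    "account": account,
                    "count": len(cluster),
                    "total": total,
                    "first": cluster[0][0].isoformat(),
                    "last": cluster[-1][0].isoformat(),
                    "reason": "repeated cash deposits just under reporting threshold",
                })
                break   # one alert per account per run; the analyst reviews the full history
    return alerts


if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE):
        print(alert)
```

On the constructed data only ACC-1 is flagged (three deposits totalling 29,000 within four days). ACC-2 is not: its 12,000 deposit is above the threshold and is reported by the threshold rule itself, and the 3,000 deposit is not "just under" anything. ACC-3's wire transfers are not cash and so do not fit this typology, although a different rule might look at them. The reviewer who receives the ACC-1 alert still has to ask whether the pattern makes sense for that customer's known business before any internal report is made.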
The MLRO's role in reporting
Where a designated officer receives an internal report, they must consider it carefully and decide whether to make an external report to the national FIU. That decision should be documented, including the reasons for it, whether or not a report is made externally.
Good practice is for the MLRO to maintain a clear record of all internal reports received, the assessment made, and the outcome. This serves two purposes: it demonstrates to regulators that the reporting process is functioning, and it creates an audit trail that protects the organisation and the individual in the event of subsequent scrutiny.
Quality of reporting
The intelligence value of a suspicious activity report depends heavily on its quality. A vague report that simply states that a transaction seemed unusual provides limited intelligence value. An effective report clearly describes what happened, why it raised a suspicion, and provides the relevant details about the customer and the transaction.
Most national FIUs publish guidance on what good quality reporting looks like. Compliance teams should be familiar with that guidance and should treat it as part of their training programme.
Confidentiality and tipping off
Most AML frameworks include a prohibition on tipping off: disclosing to the subject of a suspicion that a report has been made, or that an investigation is underway, in circumstances where that disclosure might prejudice an investigation. This creates a practical challenge when a customer asks about a delayed transaction or queries why further information is being requested.
Organisations need clear procedures for handling these situations without inadvertently alerting the subject of a report. Training staff on how to manage these conversations is an important and sometimes overlooked element of an effective AML programme.
Staff training and awareness
An AML framework is only as effective as the people responsible for implementing it. Policies and procedures that exist only on paper, understood by the compliance team but not by the front-line staff who encounter customers and transactions every day, will consistently fail at the point where they matter most.
The training obligation
FATF Recommendation 18 requires financial institutions to implement AML and CTF programmes that include, among other things, ongoing employee training. This obligation is implemented in legislation across virtually all FATF-member jurisdictions. In most frameworks, it applies to all relevant staff, not just those in compliance roles.
The MLRO or compliance function is typically responsible for designing and overseeing the training programme, and for maintaining records that demonstrate training has taken place. Those records matter. A regulator conducting an AML review will expect to see evidence of regular, relevant, documented training.
What training should cover
Effective AML training needs to do more than describe the law. It needs to connect legal and regulatory obligations to the practical situations staff actually encounter in their roles.
At a minimum, training should cover what money laundering is, how it works, and why the AML framework exists; the organisation's specific risk exposure given its business, products, and customer base; the organisation's internal policies and procedures; how to identify indicators of suspicious activity in the context of the specific role; how to make an internal report, including who the MLRO is and how to reach them; and the personal obligations of staff and the potential consequences of failure to report.
Training that covers only the law in the abstract, without reference to the organisation's actual business and the situations staff encounter, is unlikely to change behaviour. The most effective training is specific, practical, and regularly updated.
Training methods
There is no single correct approach to AML training. The method that works best depends on the size and nature of the organisation, the diversity of the workforce, and the resources available.
Common approaches include written materials accessible on a company intranet, online training modules that generate completion records, face-to-face or virtual sessions for more complex topics or higher-risk roles, and targeted training for specific functions such as relationship management or customer onboarding.
Whatever method is used, training must be updated regularly. Changes in legislation, regulatory guidance, the organisation's own risk assessment, or emerging financial crime typologies all warrant a review of training content. A training programme last updated three years ago is unlikely to be adequate.
Internal controls and record keeping
Internal policies and controls
FATF Recommendation 18 requires financial institutions to develop and implement AML and CTF programmes including internal policies, procedures, and controls. Those programmes must be approved by senior management, communicated throughout the organisation, and subject to independent audit.
A comprehensive AML policy framework typically covers the organisation's overall approach to AML and CTF risk management; customer due diligence requirements, including when EDD and SDD apply; ongoing monitoring obligations; internal and external suspicious activity reporting procedures; staff training obligations and arrangements; record-keeping requirements; the role and responsibilities of the MLRO; and senior management responsibilities and governance arrangements.
Policies should be written in language that the people they govern can understand and apply. A lengthy, legalistic policy document that sits unread is not an effective control. The measure of a good policy is whether staff understand it and whether it changes behaviour.
Record keeping
Most AML frameworks require regulated businesses to maintain records of their CDD processes and their transaction history, and to make those records available to supervisors on request. FATF recommends a minimum retention period of five years, and most jurisdictions implement at least that requirement.
Records typically required include evidence obtained in the course of customer due diligence, including identification documents and verification records; records of transactions conducted in the course of a business relationship; and records of suspicious activity reports made internally and externally, including the designated officer's assessment of internal reports.
Records must be stored in a form that is accessible and retrievable. Poor record keeping is a common finding in regulatory inspections and can itself constitute a breach of AML obligations, independent of any underlying failure in the controls themselves.
The MLRO role
The Money Laundering Reporting Officer is the individual responsible for overseeing the organisation's AML compliance programme, receiving and assessing internal suspicion reports, making external reports to the national FIU, and serving as the primary point of contact with regulators.
The MLRO must have sufficient seniority, authority, and resources to carry out these responsibilities effectively. An MLRO without access to relevant information, without the authority to pause or exit relationships where concerns arise, and without a direct line to senior management, cannot do the job.
The role carries significant personal responsibility. In many jurisdictions, the MLRO can be held personally liable for failures to report or for failings in the overall AML programme. Regulators have demonstrated a consistent willingness to pursue individuals, not just institutions, when material failures occur. This is not a nominal accountability structure.
Governance
Senior management is responsible for ensuring that the organisation's AML framework is fit for purpose. This is not a responsibility that can be delegated entirely to a compliance team. The board or equivalent governing body should receive regular reporting on AML matters, including the volume and nature of internal reports, the number and type of external reports made, training completion rates, and any regulatory developments or emerging risks relevant to the business.
The MLRO should have a direct line to senior management and the board. Where AML concerns are identified that require a decision from senior leadership, for example, whether to exit a high-risk relationship, those decisions should be made at the appropriate level and documented.
Audit and review
An effective AML programme includes independent oversight of whether the controls are actually working. This typically involves internal audit review of the AML function, as well as periodic independent external assessment.
Audit should not simply verify that policies exist and training records are current. It should assess whether the programme is effective, whether controls are detecting the risks they are designed to detect, whether the quality of CDD and EDD is adequate, and whether the reporting process is functioning as intended.
Where audit identifies weaknesses, those findings should be taken seriously and remediated promptly. A pattern of repeated audit findings in the same area is a significant regulatory concern.
Implementation checklist
The following checklist summarises the practical steps involved in establishing and maintaining an effective AML framework. It is based on FATF standards and applies across jurisdictions, though readers should satisfy themselves as to the specific requirements in their own regulatory environment.
Risk assessment
- Have you carried out and documented an organisation-wide risk assessment identifying your money laundering and terrorist financing risk exposure?
- Does the assessment cover your customer base, products and services, delivery channels, and geographic exposure?
- Is the risk assessment kept up to date and reviewed when significant changes occur?
- Does the risk assessment genuinely drive your control design and resource allocation?
Policies and procedures
- Do you have documented AML and CTF policies covering CDD, ongoing monitoring, suspicious activity reporting, staff training, and record keeping?
- Have those policies been approved by senior management and communicated to all relevant staff?
- Are policies reviewed and updated regularly to reflect changes in regulation and emerging risks?
Customer due diligence
- Do you have clear procedures for identifying and verifying customers at the point of onboarding?
- Do those procedures include identification of beneficial owners for corporate customers?
- Do you apply enhanced due diligence for PEPs, high-risk jurisdictions, and other elevated-risk situations?
- Do you apply simplified due diligence only where you have genuinely assessed the risk as low?
- Do you have a process for ongoing review and update of customer risk profiles?
Transaction monitoring
- Do you monitor customer transactions on an ongoing basis for suspicious or unusual activity?
- Is your monitoring calibrated to the actual risk profile of your customer base?
- Do you have a process for reviewing alerts and escalating concerns internally?
- Do the outputs of monitoring feed back into your risk assessment?
Suspicious activity reporting
- Do you have a documented internal process for staff to report suspicions to the MLRO or designated officer?
- Do all relevant staff know who the MLRO is and how to make an internal report?
- Does the designated officer document their assessment of internal reports, whether or not an external report is made?
- Do you have procedures to avoid inadvertently tipping off the subject of a suspicion?
Staff training
- Do all relevant staff receive regular training on AML obligations?
- Does training cover the organisation's specific policies and procedures as well as the regulatory framework?
- Are records of training maintained, including dates, participants, and topics covered?
- Are training materials updated to reflect regulatory changes and emerging financial crime typologies?
Record keeping
- Do you retain CDD records for the minimum period required in your jurisdiction (typically five years)?
- Do you retain transaction records for the required period?
- Are records accessible and retrievable on request from a supervisor or regulator?
- Do you retain records of suspicious activity reports and the designated officer's assessment of internal reports?
Governance
- Has a suitably senior and qualified person been appointed as MLRO or equivalent?
- Does the MLRO have sufficient authority, resources, and access to senior management to carry out their responsibilities?
- Does the board or senior management receive regular reporting on AML matters?
- Is there an independent audit process that assesses the effectiveness of the AML programme?
- Where audit identifies weaknesses, is there a documented remediation process?
A final note
Money laundering is a global problem with real human and economic consequences. It enables drug trafficking, fraud, corruption, and human exploitation. It distorts legitimate markets, damages institutions, and undermines confidence in the financial system. The international AML framework exists to address those harms.
That framework only works if the organisations subject to it take it seriously. Compliance with the letter of the law, without commitment to the underlying purpose, produces programmes that look adequate on inspection but fail when tested. The organisations that genuinely contribute to fighting financial crime are those that have understood the international principles, applied them with judgement to their own context, and built programmes designed to detect and disrupt money laundering rather than just to satisfy regulators.
The FATF framework provides the international foundation. The principles in this guide apply across jurisdictions. The work of translating those principles into a programme that genuinely protects your organisation and contributes to the wider fight against financial crime is local, and it is yours.
Key takeaways
- FATF's 40 Recommendations are the global benchmark for AML compliance, implemented in legislation across over 200 jurisdictions. The same core principles apply everywhere, even where the legislation differs.
- The risk-based approach is the central organising principle. It requires identifying real risks, designing proportionate controls, and applying enhanced scrutiny only where it is justified, while avoiding blanket measures that exclude low-risk customers from the formal financial system.
- Customer due diligence sits at the operational heart of compliance. Standard CDD, enhanced due diligence for PEPs and other higher-risk situations, and proportionate simplified due diligence should each produce a meaningful assessment, not just a completed file.
- Suspicious activity reporting works at a low threshold (suspicion, not certainty). Internal reporting culture, MLRO judgement, and report quality together determine whether the regime delivers real intelligence to the FIU.
- An effective AML programme is more than policies. It needs governance, training, monitoring, record keeping, and independent audit, all anchored in a genuine risk assessment that is used as a working tool.