Anti-Money Laundering Policies, Controls and Procedures

The Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2021 place obligations on designated persons regarding Customer Due Diligence (CDD), record keeping, procedures, and training.

Within this post, we break down the key topics that need to be covered by firms when establishing AML policies, controls, and procedures. 


  1. Risk-Based Approach, Risk Assessment, and Management
  2. Customer Due Diligence (CDD)
  3. Record Keeping
  4. Internal Controls and Compliance Management
  5. Ongoing Monitoring
  6. Reporting Procedures
  7. Communication
  8. Training and Awareness

Risk-Based Approach, Risk Assessment, and Management

Firms should employ a risk-based approach with the application of proportionate due diligence based on the assessment of individual client risk within the context of the overall firm-wide risk profile.  

Firms should document their understanding of the key money laundering and terrorist funding risks that are faced in their firm by conducting a business risk assessment. This should include a record of the sources used to complete this assessment.  

An individual client risk assessment procedure must be documented to determine if each client fits within the risk tolerance of the firm and to assign an appropriate due diligence level.  

The methodology used to mitigate identified risks should be documented in the business risk assessment and the firm’s policies, controls, and procedures manual should be updated to reflect the agreed mitigating actions.  

Firms should undertake a periodic review of their client risk assessment and business risk assessment controls and procedures. 

Customer Due Diligence (CDD)

Policies, controls, and procedures must be defined so that appropriate and consistent due diligence is applied to all new clients and subsequent transactions. Specific CDD considerations to be covered include:

  • When CDD is to be undertaken and under what circumstances delayed CDD is permitted.
  • The level of information to be recorded on client identity.
  • How to verify identity.
  • When Simplified, Standard or Enhanced Due Diligence should be applied.
  • What steps need to be taken to conduct Enhanced Due Diligence.
  • What steps need to be taken to ascertain whether your clients are high-risk or low-risk Politically Exposed Persons (PEP) and subsequent controls that will be put in place.
  • How to conduct CDD on existing clients; when it is necessary to do so, and how often CDD information will be reviewed to ensure that it is up to date. 
  • What ongoing monitoring is required. 

Record Keeping

Firms need to comply with the record-keeping obligations contained in Anti-Money Laundering (AML) guidance and legislation. Data retention and disposal policies should outline what records are kept, the form in which they are kept, and for how long they should be kept. Firms should delete any personal data obtained solely for the purposes of AML record retention compliance after the expiry of the appropriate data retention period.

Internal Controls and Compliance Management

Policies, controls, and procedures and your business risk assessment need to be maintained and kept up to date. In addition, compliance with your policies should be monitored on an ongoing basis. Your AML compliance program must implement internal controls that increase the chances of preventing or detecting money laundering-related activities. AML internal controls include those policies, procedures, and processes designed to mitigate the risks of money laundering and support compliance with AML regulations. Defined and documented internal controls should: 

  • Assign responsibility for AML compliance to an appropriate person who will keep senior management and the board informed. 
  • Provide dual control and segregation of duties as appropriate.
  • Identify reportable transactions and comply with reporting requirements.
  • Use the risk assessment process to identify the services and customers that are more vulnerable to money laundering.
  • Implement risk-based CDD policies to help identify vulnerable accounts.
  • Train and monitor employees as needed to be aware of and compliant with AML regulations.
  • Report and maintain records as required.

It is important to note that the firm’s senior management adopts the policies, controls, and procedures (PCPs) and that they are kept under review and up to date. Effective management of AML and terrorist financing risks is the responsibility of senior management.

Firms need to demonstrate that:

  • Measures are taken to keep documents and information relating to risk assessments up to date.
  • Internal systems and controls are in place to identify emerging risks and keep business-wide risk assessments up to date.
  • Compliance with, and the internal communication of, these policies, controls, and procedures is monitored and managed.

Ongoing Monitoring

Policies, controls, and procedures need to be documented and applied to maintain appropriate ongoing monitoring of all client transactions to prevent activities related to money laundering and terrorist financing. 

The firm will need to document the frequency, triggers, and procedures to verify the information held for each client. The procedures will detail how the firm’s records are to be updated, the reassessment of risk to the firm, and any required escalation to the Money Laundering Reporting Officer (MLRO) or nominated Compliance Officer.  

The ongoing review of the firm’s business risk assessment also forms an important part of an effective risk mitigation program and must be documented within the broader ongoing monitoring procedures. 

Reporting Procedures

Should any individual within the firm have any suspicion regarding the activities of a client, then this fact and the circumstances surrounding the suspicion must be reported to the MLRO or nominated Compliance Officer.

An internal report form should be used to report to the MLRO or nominated Compliance Officer.

The internal report should address the following points:

  • The individual who is making the report;
  • The date of the report; and
  • The identity of the suspect.

Once an internal report has been made to the MLRO or nominated Compliance Officer regarding a suspicion with a client or a suspicious transaction, they need to assess the report and determine whether, in their opinion, an external report is required to be raised to the Garda Síochána and/or to the Office of the Revenue Commissioners.


Communication

Communication is a key component to ensure effectiveness across a firm’s AML program. Clear guidance is required for all personnel and staff in the following areas:

  • Internal communication of AML policies, controls, procedures, and subsequent changes (including ongoing training updates).
  • Internal and external communication of Suspicious Transaction Reports (STRs).
  • The internal communication lines for reporting and escalating suspicions of money laundering under the firm’s procedures.
  • Appropriate and inappropriate communication to a client if a suspicion towards the client has been raised (tipping-off).

Training and Awareness

All personnel and staff involved in the conduct of your business need to be provided with ongoing training on identifying a transaction or other activity that may be related to money laundering or terrorist financing, and on how to proceed once such a transaction or activity is identified. Policies, controls, and procedures must be in place to ensure that all partners, directors, other officers, and all employees:

  • Are aware of what money laundering and terrorist financing are and how they are undertaken;
  • Are aware of their legal and regulatory duties;
  • Understand how to put those requirements into practice in their roles; and
  • Are continuously updated about changes in:
    • The firm’s AML policies, controls, and procedures, and
    • The MLTF risks faced.

The MLRO or nominated Compliance Officer should implement an appropriate AML training regime and maintain records of such. Key documents that need to be maintained include the Firm’s AML Training Log and the Annual Staff AML Training Confirmation.

You Focus on Your Clients, We Focus on Your AML

Although the AML obligations on firms are significant, there are technology options available that allow you to be effective and compliant, and to improve your internal processes. Within AML HQ, we provide you with a full set of policies, controls, and procedures that you can use out of the box, or further tailor to suit your firm.

We have developed a one-stop AML portal that helps your team to achieve compliance through convenience. Our portal provides smart processes to help your team efficiently onboard clients with a risk-based approach that automatically creates the records and reports to demonstrate due process and compliance. In addition to policies, controls, and procedures templates, our service also includes: 

  • Digital risk assessments to easily complete firm and client risk assessments so that you can apply appropriate due diligence.
  • Client onboarding tools that allow you to identify and verify corporate and private clients and meet your CDD obligations.
  • Our AML training hub ensures that all staff are appropriately aware of their obligations and trained to apply the AML policies, controls, and procedures as adopted by your firm.
  • Access to instant reports that provide audit-ready extracts and compliance gap analysis.

Who is AML HQ?

AML HQ's all-in-one compliance solution was created in line with guidance from competent authorities and governing bodies to solve the challenges faced in complying with ongoing Anti-Money Laundering regulations. 

Our service reduces your risk of exposure to Money Laundering by guiding your staff through efficient processes such as initial Risk Assessments and Client Due Diligence checks. AML HQ reduces onboarding times and provides your clients with a modern, secure, and professional impression of your firm. 

Our risk-based approach to Know Your Customer checks automatically creates the records and reports to demonstrate due process and compliance. All reports and evidence are automatically recorded in a GDPR-compliant process and can be efficiently retrieved on-demand to support audits and regulatory visits. 

Subscription to our service costs €45 per month for firms that have up to 100 customers. Why not try out AML HQ on a free 14-day trial?

