The Regulatory Framework
The UK's anti-money-laundering and counter-terrorist-financing (AML/CFT) regime is built on three pillars:
1. The Money Laundering, Terrorism Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017): The MLR 2017 sets out the core AML/CFT obligations for regulated firms, including risk assessment, customer due diligence, record-keeping, suspicious activity reporting and staff training. The regulations apply to all FCA-regulated firms and are supplemented by the Joint Money Laundering Steering Group (JMLSG) guidance.
2. The Proceeds of Crime Act 2002 (POCA): POCA creates the criminal offences of money laundering and the obligation to report suspicious activity to the National Crime Agency (NCA). Key offences include concealing, arranging or acquiring criminal property, and failing to disclose knowledge or suspicion of money laundering.
3. The Terrorism Act 2000: The Terrorism Act creates parallel obligations relating to terrorist financing, including the duty to report knowledge or suspicion of terrorist property.
The FCA supervises compliance with all three pillars and has consistently identified financial crime as one of its top supervisory priorities.
The Business-Wide Risk Assessment
The business-wide risk assessment (BWRA) is the foundation of every firm's AML/CFT framework. Under Regulation 18 of the MLR 2017, firms must:
- Identify and assess the risks of money laundering and terrorist financing to which the business is subject
- Take into account risk factors including customers, countries or geographic areas, products, services, transactions and delivery channels
- Consider information made available by the supervisory authority (the FCA) and any relevant body
- Keep the assessment up to date
A good BWRA should:
- Be specific to the firm's actual business activities, customer base and geographic exposure, not a generic template
- Identify specific risk scenarios relevant to the firm's business model
- Rate each risk scenario for likelihood and impact
- Map existing controls against each identified risk
- Identify residual risk after controls are applied
- Recommend additional controls where residual risk is unacceptable
- Be approved by the board or senior management
- Be reviewed at least annually and updated for material changes
Common BWRA failures include:
- Using off-the-shelf templates without customisation
- Failing to identify risks specific to the firm's products and customer base
- Not updating the BWRA when the business model changes
- Treating the BWRA as a compliance document rather than an operational tool that drives the AML framework
Customer Due Diligence Programme
The CDD programme must implement risk-based procedures for verifying customer identity, understanding the purpose of the relationship and conducting ongoing monitoring. A comprehensive CDD programme includes:
Risk categorisation: Develop a customer risk-scoring methodology that considers:
- Customer type (individual, corporate, trust, PEP, etc.)
- Geographic risk (country of residence, nationality, transaction destinations)
- Product risk (cash-intensive products, cross-border payments, etc.)
- Channel risk (face-to-face vs. non-face-to-face onboarding)
- Behavioural indicators (unusual transaction patterns, reluctance to provide information)
Tiered CDD approach:
- Simplified due diligence (SDD): For demonstrably lower-risk relationships, with reduced verification requirements. SDD should only be applied where a specific risk assessment supports it.
- Standard CDD: The baseline for all customer relationships: identity verification, beneficial ownership identification, purpose of relationship.
- Enhanced due diligence (EDD): For higher-risk relationships: additional verification, source of funds/wealth, senior management approval, enhanced ongoing monitoring. EDD is mandatory for PEPs, customers from high-risk jurisdictions and complex or unusual transactions.
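The risk-categorisation factors and the tiered CDD approach above can be combined into a single scoring routine. The following is an added illustration, not part of the original article or any firm's actual methodology; the factor weights, score bands and the jurisdiction code `ZZ` are constructed placeholders that a real firm would calibrate from its own BWRA.

```python
from dataclasses import dataclass

# Constructed placeholder; a real list is drawn from the firm's BWRA and HM Treasury guidance.
HIGH_RISK_JURISDICTIONS = {"ZZ"}

# Illustrative weights for the five factor families described in the text.
TYPE_SCORE = {"individual": 1, "corporate": 2, "trust": 3}   # customer type
GEOGRAPHIC_WEIGHT = 4
PRODUCT_WEIGHT = 2        # cash-intensive or cross-border products
CHANNEL_WEIGHT = 1        # non-face-to-face onboarding
BEHAVIOUR_WEIGHT = 3      # reluctance to provide information


@dataclass
class Customer:
    customer_type: str          # "individual", "corporate" or "trust"
    country: str                # constructed two-letter code
    is_pep: bool
    cash_intensive: bool        # product risk
    non_face_to_face: bool      # channel risk
    reluctant_to_disclose: bool # behavioural indicator


def risk_score(c: Customer) -> int:
    """Additive score across customer, geographic, product, channel and behavioural risk."""
    score = TYPE_SCORE.get(c.customer_type, max(TYPE_SCORE.values()))
    score += GEOGRAPHIC_WEIGHT if c.country in HIGH_RISK_JURISDICTIONS else 0
    score += PRODUCT_WEIGHT if c.cash_intensive else 0
    score += CHANNEL_WEIGHT if c.non_face_to_face else 0
    score += BEHAVIOUR_WEIGHT if c.reluctant_to_disclose else 0
    return score


def cdd_tier(c: Customer) -> str:
    """Map a customer to SDD / standard / EDD, applying the mandatory EDD overrides first."""
    # PEPs and high-risk jurisdictions require EDD regardless of the numeric score.
    if c.is_pep or c.country in HIGH_RISK_JURISDICTIONS:
        return "EDD"
    score = risk_score(c)
    if score <= 1:
        return "SDD"        # still needs a documented risk assessment supporting it
    if score >= 6:
        return "EDD"
    return "standard"
```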
Beneficial ownership: For corporate customers, trusts and other legal arrangements, identify the ultimate beneficial owners (UBOs) — individuals who own or control more than 25% of the entity. Where UBOs cannot be identified after exhausting all reasonable measures, identify the senior managing official.
Ongoing monitoring: CDD is not a one-off process. Firms must:
- Keep CDD information up to date (periodic reviews based on risk rating)
- Monitor transactions to detect activity inconsistent with the firm's knowledge of the customer
- Apply enhanced monitoring to higher-risk relationships
- Trigger event-driven reviews when risk indicators change
Transaction Monitoring
Effective transaction monitoring requires a combination of:
Automated screening:
- Sanctions screening against HM Treasury, OFAC, EU and UN sanctions lists
- PEP screening against recognised PEP databases
- Adverse media screening for negative news coverage
All screening should occur at onboarding and on an ongoing basis (at least daily for sanctions, periodically for PEP and adverse media).
Rule-based monitoring: Design monitoring rules calibrated to the firm's risk profile:
- Threshold-based rules (transactions exceeding specified values)
- Velocity rules (unusually frequent transactions within a period)
- Pattern-based rules (structured transactions, round-sum payments, rapid movement of funds)
- Geographic rules (transactions involving high-risk jurisdictions)
- Behavioural rules (transactions inconsistent with the customer's declared profile)
Rules must be calibrated to produce a manageable number of meaningful alerts. Excessive false positives overwhelm investigators; insufficient sensitivity misses genuine risk.
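A minimal rule engine implementing the threshold, velocity, structuring (pattern) and geographic rules from the list above, run over a constructed set of transactions. This is an added example, not code from the original article or any vendor product; the threshold value, velocity limit, window and the jurisdiction code `ZZ` are placeholder parameters that a firm would calibrate to its own risk profile and alert capacity.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed calibration parameters.
THRESHOLD = 10_000.0                         # threshold-based rule
VELOCITY_MAX = 5                             # more than this many txns in WINDOW fires
WINDOW = timedelta(days=1)
STRUCTURING_BAND = (0.8 * THRESHOLD, THRESHOLD)  # "just below threshold" amounts
HIGH_RISK_JURISDICTIONS = {"ZZ"}             # placeholder code


@dataclass
class Txn:
    customer: str
    ts: datetime
    amount: float
    country: str


def run_rules(txns):
    """Return {customer: set_of_rule_names} for every customer that triggered a rule.
    One alert per customer per rule, so a burst of activity produces one
    investigable alert rather than one per transaction."""
    alerts = defaultdict(set)
    by_customer = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_customer[t.customer].append(t)
    for cust, hist in by_customer.items():
        for i, t in enumerate(hist):
            if t.amount >= THRESHOLD:
                alerts[cust].add("THRESHOLD")
            if t.country in HIGH_RISK_JURISDICTIONS:
                alerts[cust].add("GEOGRAPHIC")
            # Rolling look-back window ending at this transaction.
            window = [h for h in hist[:i + 1] if t.ts - h.ts <= WINDOW]
            if len(window) > VELOCITY_MAX:
                alerts[cust].add("VELOCITY")
            # Structuring: several sub-threshold payments that together exceed it.
            sub = [h for h in window if STRUCTURING_BAND[0] <= h.amount < STRUCTURING_BAND[1]]
            if len(sub) >= 2 and sum(h.amount for h in sub) >= THRESHOLD:
                alerts[cust].add("STRUCTURING")
    return dict(alerts)


# Constructed sample: one customer per scenario plus one benign customer.
BASE = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    Txn("A", BASE, 12_000.0, "GB"),
    *[Txn("B", BASE + timedelta(hours=h), 9_000.0, "GB") for h in range(3)],
    *[Txn("C", BASE + timedelta(minutes=m), 100.0, "GB") for m in range(7)],
    Txn("D", BASE, 500.0, "ZZ"),
    Txn("E", BASE, 250.0, "GB"),
]
```

Tuning `THRESHOLD`, `VELOCITY_MAX` and `STRUCTURING_BAND` against historical data is the calibration step the paragraph above describes: widen them and genuine structuring slips through, narrow them and the analysts drown in alerts.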
Alert investigation: Each alert must be investigated by a trained compliance analyst. The investigation should:
- Review the customer's CDD file and transaction history
- Assess whether the activity is consistent with the customer's known profile
- Determine whether additional information is needed from the customer
- Conclude with a documented decision: clear (no suspicion), escalate to MLRO (potential SAR) or exit the relationship
Governance and Accountability
The MLRO (SMF17): The Money Laundering Reporting Officer must be a senior individual with:
- Direct access to the board or senior management
- Authority to halt suspicious transactions
- Adequate resources (staff, technology, budget)
- Sufficient knowledge and experience of financial crime risk
The MLRO is responsible for receiving internal suspicious activity reports, evaluating whether SARs should be filed with the NCA, overseeing the AML/CFT framework and reporting to the board on financial crime risk.
Board-level oversight: The board must:
- Approve the BWRA and AML policies
- Receive regular reports on financial crime risk (at least annually, more frequently for higher-risk firms)
- Allocate adequate resources to the AML/CFT function
- Ensure that financial crime risk is integrated into the firm's overall risk management framework
Three lines of defence:
- First line: business units responsible for implementing CDD and transaction monitoring procedures
- Second line: compliance function responsible for designing policies, monitoring adherence and providing advice
- Third line: internal audit providing independent assurance on the effectiveness of the AML framework
Staff Training
All relevant staff must receive AML/CFT training that covers:
- The firm's AML policies and procedures
- How to identify and escalate suspicious activity
- CDD requirements (standard, simplified and enhanced)
- The legal consequences of non-compliance (criminal offences under POCA and the Terrorism Act)
- Tipping-off prohibitions
Training must be:
- Provided at induction (before the employee handles customer transactions)
- Refreshed at regular intervals (at least annually)
- Tailored to the employee's role and responsibilities
- Documented (with records retained for at least five years)
Record-Keeping
Under the MLR 2017, firms must retain:
- CDD records for five years after the business relationship ends
- Transaction records for five years from the date of the transaction
- BWRA and policy documents (current and superseded versions)
- Training records
- SAR decision records (including decisions not to file)
- Compliance monitoring and audit reports
Records must be sufficient to permit reconstruction of individual transactions and to demonstrate compliance with regulatory requirements if requested by the FCA or law enforcement.
Practical Recommendations
Start with the BWRA. Every element of your AML framework should be traceable to a risk identified in the BWRA. If a control exists without a corresponding risk, it may be unnecessary; if a risk exists without a corresponding control, you have a gap.
Calibrate, don't copy. The most common AML framework failure is using generic, off-the-shelf policies that do not reflect the firm's actual risk profile. Invest time in calibrating your CDD, monitoring rules and risk scoring to your specific business.
Test your framework. Compliance monitoring should regularly test whether AML controls are operating effectively — not just whether policies exist. Sample CDD files, review alert investigation quality and assess whether the MLRO is receiving appropriate escalations.
Budget for technology. Manual AML processes are inadequate for all but the smallest firms. Invest in screening, monitoring and case management technology proportionate to your transaction volumes and risk profile.
Frequently Asked Questions
The business-wide risk assessment (BWRA) identifies the money-laundering and terrorist-financing risks the firm faces as a whole — considering its business model, customer types, products, geographic exposure and delivery channels. The customer risk assessment evaluates the specific risk presented by an individual customer or relationship. The BWRA should inform the criteria used in customer risk assessments.
Sanctions screening should be conducted at customer onboarding and on an ongoing basis. Best practice is daily rescreening of the entire customer base against updated sanctions lists. At a minimum, firms should rescreen whenever sanctions lists are updated (which can occur several times per week) and when customer information changes.
Failure to disclose knowledge or suspicion of money laundering is a criminal offence under section 330 of POCA, punishable by up to five years' imprisonment and/or an unlimited fine. Tipping off a customer that a SAR has been filed is a separate criminal offence under section 333A of POCA. The FCA may also take regulatory action against the firm and responsible individuals.