Designing an Effective AML Training Programme for FCA-Regulated Firms

Regulatory Counsel · 2 Jan 2025 · 10 min read

Key Takeaways

  • The Money Laundering Regulations 2017 require firms to ensure all relevant employees receive adequate AML training, and the FCA assesses this as part of its supervisory framework.
  • AML training must be risk-based and tailored to employees' specific roles, not a generic annual module applied uniformly across the firm.
  • Training must cover the firm's specific ML/TF risks, the legal framework, suspicious activity reporting, customer due diligence procedures and sanctions obligations.
  • The FCA expects firms to assess whether training has been effective, not merely that it has been delivered.
  • Common FCA findings include generic training content, no assessment of understanding, inadequate coverage of firm-specific risks and poor record-keeping.

The Legal Obligation

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) impose a clear obligation on firms to provide AML training. Regulation 24(1) requires firms to take appropriate measures to ensure that relevant employees are:

  • Made aware of the law relating to money laundering and terrorist financing
  • Regularly given training in how to recognise and deal with transactions and activities that may be related to money laundering or terrorist financing

The FCA, as the supervisory authority for financial services firms, assesses compliance with these requirements through its supervisory framework. The FCA's Financial Crime Guide (FCG) provides detailed guidance on what constitutes adequate AML training.

Who Needs AML Training?

MLR 2017 requires training for all "relevant employees" — broadly defined as anyone whose work is relevant to the firm's compliance with the regulations, or who is likely to encounter money laundering or terrorist financing in the course of their duties. In practice, this means:

All customer-facing staff. Employees who interact with customers, process transactions, or handle account opening and ongoing relationship management must understand AML obligations, red flags and reporting procedures.

Compliance and risk staff. The compliance team must have deep knowledge of the regulatory framework, the firm's policies and procedures, and current ML/TF typologies.

Senior management. Board members and senior managers must understand their personal responsibilities under MLR 2017 and the SM&CR, including their obligation to ensure the firm maintains adequate AML systems and controls.

Support functions. Staff in finance, HR, IT and operations may encounter money laundering indicators in the course of their work and should receive appropriate awareness training.

New joiners. AML training should be part of the induction process, delivered before or as soon as practicable after the employee begins handling customer-related activities.

Designing a Risk-Based Training Programme

The FCA is clear that generic, one-size-fits-all AML training is insufficient. Training must be tailored to the firm's specific risks and the employee's role.

Step 1 — Identify training needs. Map all roles within the firm against the AML activities they perform. A customer onboarding agent has different training needs from a transaction monitoring analyst, who has different needs from the MLRO.

Step 2 — Assess firm-specific risks. The training content must reflect the firm's own money laundering risk assessment. If the firm operates in high-risk jurisdictions, provides services to high-risk customer segments, or handles high-value transactions, the training must address these specific risks and the controls the firm has in place.

Step 3 — Develop role-specific content. Create training modules tailored to each role group. Core content (legal framework, firm policy, reporting obligations) can be common, but practical application should be role-specific.

Step 4 — Select delivery methods. Consider a mix of e-learning for foundational knowledge, face-to-face or virtual sessions for practical application and case studies, and on-the-job coaching for complex roles like transaction monitoring and enhanced due diligence.

Step 5 — Assess effectiveness. Training must be assessed, not merely delivered. This means testing employees' understanding through quizzes, practical exercises, or scenario-based assessments. The FCA looks for evidence that training has been effective, not just that it has occurred.

Core Training Content

An adequate AML training programme must cover the following topics, with depth appropriate to the employee's role:

The legal framework. An overview of MLR 2017, the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000, and relevant FCA rules and guidance. Employees should understand the criminal offences associated with money laundering and the penalties for non-compliance.

The firm's ML/TF risk assessment. Employees should understand the firm's key money laundering and terrorist financing risks, how these are assessed, and how the firm's policies and procedures mitigate these risks.

Customer due diligence (CDD). Training must cover the firm's CDD procedures, including: standard CDD, simplified CDD and enhanced CDD; the circumstances in which each applies; identification and verification requirements; ongoing monitoring obligations; and how to handle situations where CDD cannot be completed.

Suspicious activity reporting. All relevant employees must understand how to recognise suspicious activity, how to make an internal suspicious activity report (SAR), the role of the MLRO, and the tipping-off offences. Practical examples and case studies are essential.

Sanctions. Training must cover the UK sanctions regime, the firm's screening procedures, what to do when a potential match is identified, and the consequences of sanctions breaches.

Politically exposed persons (PEPs). Employees involved in CDD must understand PEP identification, the enhanced due diligence requirements for PEPs, and the firm's policies on PEP relationships.

Transaction monitoring. For employees involved in transaction monitoring, training must cover the firm's monitoring systems, alert investigation procedures, escalation processes and documentation requirements.

Record-keeping. Employees must understand the firm's record-keeping obligations, including what records must be maintained, for how long, and in what format.

Frequency and Refresher Training

MLR 2017 requires training to be provided "regularly." The FCA does not prescribe a specific frequency, but industry practice and regulatory expectation are as follows:

Annual refresher training for all relevant employees, covering updates to the legal framework, new ML/TF typologies, changes to the firm's policies and procedures, and emerging risks.

Ad hoc training when material changes occur, such as new regulations (e.g., changes to sanctions lists), new products or services, new customer segments or markets, and significant changes to the firm's risk profile.

Induction training for new joiners, delivered as part of the onboarding process and completed before or as soon as practicable after the employee begins performing regulated activities.

Assessment and Effectiveness

The FCA expects firms to go beyond recording attendance at training sessions. Firms must be able to demonstrate that training has been effective — that employees have understood the content and can apply it in practice.

Effective assessment methods include:

  • Post-training quizzes or tests with a defined pass mark
  • Scenario-based exercises requiring employees to identify red flags and take appropriate action
  • Practical assessments embedded in day-to-day work, such as reviewing an employee's CDD files or SAR submissions
  • Monitoring key performance indicators such as SAR quality, CDD completion rates and false positive rates in transaction monitoring

Where assessment identifies knowledge gaps, firms must provide additional training and reassess. The training programme should be iterative, with content refined based on assessment outcomes and emerging risks.

Record-Keeping

Firms must maintain comprehensive records of AML training activities, including:

  • Training plans setting out the content, frequency and target audience for each module
  • Records of training delivered, including dates, content covered and attendees
  • Assessment results for each employee
  • Records of any remedial training provided
  • Evidence of training content reviews and updates

These records should be retained for at least five years (consistent with the general record-keeping requirement under MLR 2017) and be available for FCA inspection.

Common FCA Findings

The FCA's supervisory work regularly identifies deficiencies in firms' AML training:

  • Generic content. Training does not reflect the firm's specific risks, products or customer base. Employees receive the same generic module regardless of their role.
  • No assessment. Training is treated as a content delivery exercise. Firms cannot demonstrate that employees have understood the material.
  • Insufficient coverage. Key topics such as sanctions, PEPs, or enhanced due diligence are covered superficially or not at all.
  • Infrequent delivery. Training is provided once at induction and not refreshed, or refresher training is repeatedly deferred.
  • Poor records. Firms cannot evidence who received training, when, and whether they passed any assessment.
  • No board engagement. Senior management and board members do not receive AML training appropriate to their oversight responsibilities.

Practical Recommendations

Align training to your risk assessment. Your AML training programme should directly reflect the risks identified in your firm-wide money laundering risk assessment. If your risk assessment identifies particular jurisdictions, customer types or products as higher risk, your training must address these.

Invest in quality content. Consider using a combination of internal expertise and external providers. Internal content ensures firm-specific relevance; external providers can bring current typology knowledge and industry benchmarks.

Make training engaging. Regulatory training has a reputation for being dry. Use case studies, real-world examples (anonymised), and interactive elements to improve engagement and retention.

Track and report. Implement systems to track training completion, assessment results and competence gaps. Report training metrics to the board as part of regular compliance reporting.

Review annually. The training programme itself should be reviewed and updated at least annually to reflect regulatory changes, new risks and lessons learned from internal and external events.

Frequently Asked Questions

The Money Laundering Regulations 2017 require training to be provided "regularly." While no specific frequency is prescribed, the FCA expects annual refresher training as a minimum, with additional training provided when material changes occur — such as new regulations, new products or services, or changes to the firm's risk profile. New joiners must receive AML training as part of their induction.

AML training must cover the legal framework (MLR 2017, POCA, Terrorism Act), the firm's specific ML/TF risk assessment, customer due diligence procedures, suspicious activity reporting, sanctions obligations, PEP requirements, and record-keeping obligations. Content must be tailored to the employee's specific role, not delivered as a generic module.

Yes. Senior management and board members must receive AML training appropriate to their oversight responsibilities. The FCA expects senior managers to understand the firm's ML/TF risks, the adequacy of its AML systems and controls, and their personal responsibilities under the Money Laundering Regulations and the SM&CR.

The FCA expects firms to go beyond recording attendance. Effective assessment methods include post-training quizzes with defined pass marks, scenario-based exercises, practical assessments of day-to-day work (such as reviewing CDD files or SAR submissions), and monitoring KPIs like SAR quality and CDD completion rates. Knowledge gaps must be addressed through additional training.
