AML Awareness - Policies and procedures

Office building at night
By Jeremy Clarke, Practice Support

3 November 2016

All businesses must establish policies and procedures that create a culture in which relevant staff in the business are aware of their responsibilities under the UK anti-money laundering regime and where they understand what they are required to do if they suspect money laundering.  

Policies and Procedures

Some businesses, by virtue of the kind of clients they deal with, the types of services they offer, or the type of business transactions they advise on, may be more at risk of encountering situations where money laundering or terrorist financing is more likely than in other circumstances, and will have to have very detailed policies and procedures to take account of this higher risk. 

For others, with a lower risk profile, the policies and procedures can be less complex.

These policies and procedures should cover the following:

  • Risk assessment and management, including customer due diligence measures and ongoing monitoring;
  • AML education and training for all principals and employees, including ongoing training on recognising and dealing with suspicious transactions, and more detailed training for principals and employees who deal directly with clients.  How these are communicated within the business should also be defined;
  • How to report suspicious transactions to the MLRO, prevent “tipping off”, and onward reporting to the National Crime Agency.
  • What records will be kept, what internal controls will be applied, and how compliance with the firm’s policies will be managed and monitored.

The ICAS General Practice Procedures Manual (GPPM) has an excellent chapter on Money Laundering. If your firm is eligible , that is with ICAS members constituting at least 50% of the principals, and you have not already signed up for access to the GPPM, you can do so for free here. It contains example policies.

Businesses are required to monitor and manage their compliance with these requirements on an ongoing basis to ensure the policies and procedures are properly and continually adhered to, as both the business itself, and any individuals involved in the failure of a business to meet its obligations under the Money Laundering Regulations 2007 may be subject to criminal sanction.


There is little value in having appropriate policies and procedures if these are not followed. It is therefore crucial that all ‘relevant’ employees must be ‘made aware’ of law relating to money laundering and terrorist financing, and regularly given training in how to recognise and deal with transactions which may be related to money laundering or terrorist financing. 

A training programme should be implemented with the aim of creating an environment effective in preventing money laundering and which thereby helps protect individuals and the business.

When considering which staff may be considered relevant, you should consider not only those who have involvement in client work, but also, where appropriate, those who deal with the business finances, and those who deal with procuring services on behalf of the business and who manage those services. 

It is therefore best practice to train all client-facing staff, including principals and senior support staff. MLROs and members of senior management may also benefit from supplementary training.

The training should cover the relevant law and how that applies to how the business operates.  It should enable recognition of suspected money laundering, and illustrate the ‘red flags’ which staff should be aware of in conducting business. 

Training also needs to cover how to deal with transactions which might be related to money laundering and terrorist financing. This includes training to assist individuals in assessing whether they have a valid suspicion, how to report any suspicions internally, and the businesses’ expectations for confidentiality and the avoidance of tipping off and alerting a money launderer.

New staff should be trained as soon as possible after they join the business, and everyone should be reminded of the importance of effective anti-money laundering work on a regular, possibly on an annual, basis.  Changes in the law, regulatory or professional guidance, should also be communicated to staff when appropriate.

Businesses should keep records of attendance at, or completion of, training and are recommended to provide for some form of test or other confirmation of understanding of the training. Each business should also document its assessment as to whether the current training and state of awareness of employees is sufficient, or whether an update is needed. It is recommended that these records are kept for at least 5 years.  

A useful form to record staff awareness can be found at A14.6 Initial and annual confirmation of money laundering awareness in the GPPM.

Record keeping

Finally, it is important that businesses and individuals can demonstrate that they have complied with their AML responsibilities, so keeping appropriate records is also extremely important.

Client identification evidence must be kept for 5 years from end of business relationship. This can be in hard copy or in an electronic form in accordance with the document retention policies employed within the business.  

Business relationships including contracts, letters of engagement, files etc.: As businesses will need to maintain records for a wide range of purposes that comply with both legal and professional requirements, the general document retention systems employed within the business should suffice. 

Again, these records should be kept for 5 years from the date when all activities in relation to the business relationship were completed.

Suspicious activities Although not specified in the 2007 Regulations, records of internal suspicion reports; the MLRO’s consideration of these and their decision on whether to report or not; issues connected to consent, production of documents, and liaison with law enforcement should all be retained for at least 5 years after being made and possibly longer, at least whilst the business relationship continues.  

Records of internal reports These are not a part of client working papers and should be kept separately and securely by the MLRO to minimise the likelihood of inadvertent disclosure to unauthorised personnel accessing the files, and to provide some protection against the threat of tipping off.

Training Again, while not prescribed by the 2007 Regulations, we recommend that evidence of assessment of training needs and steps taken to meet such needs is retained. for at least 5 years in order to demonstrate a continuing compliance with current and previous regulations.

Further details

These matters are considered in considerably more detail in the CCAB Anti-money laundering guidance for the accountancy sector, which can be downloaded here.

As previously mentioned the ICAS GPPM contains a comprehensive resource which is available to all eligible firms.

You can sign up for access to the GPPM, and there is useful guidance on how to use the AML section.


  • Anti Money Laundering
  • CPD
  • Practice hub

Previous Page