Ensuring compliance with laws and regulations requires a great deal of effort for businesses subject to Anti-Money Laundering (AML) rules. However, when done right, it not only keeps your company on the right side of the law but also becomes a huge strategic advantage.

This article focuses on the main requirements that businesses need to meet to achieve AML compliance.

What is Anti-Money Laundering (AML)?
What are the Anti-Money Laundering requirements?
  1. Customer Due Diligence
  2. Record-keeping
  3. Reporting of suspicious activities
  4. Policies, procedures, and controls


What is Anti-Money Laundering (AML)?

Anti-Money Laundering (AML) refers to laws, regulations, and procedures designed to prevent criminals from disguising illegal funds as legitimate income.

AML measures aim to deter illicit activities by making it harder for criminals to hide or launder the money obtained from them. To this end, regulated sectors need to meet an increasing number of AML requirements.


What are the AML requirements?

If your company is subject to Anti-Money Laundering laws, you must ensure compliance with four essential requirements:

  1. Customer Due Diligence measures
  2. Record-keeping
  3. Reporting of suspicious activities
  4. Policies, procedures, and controls

Let’s have a closer look at what each of them entails and how you can successfully meet them.


1. Customer Due Diligence measures

Customer Due Diligence (CDD) is the process of doing background checks on your customer to determine their identity and risk level. To meet this requirement, you should:


• Verify the identity of your customer and the purpose of the business relationship

Start by collecting information about the customer. If the customer is a natural person, you need to get their name, photographic ID, and residential address.

If the customer is a company, you need the company name, address, status, and registration number. On top of that, you need to understand who ultimately owns or controls the company (UBO) and collect their personal information.

After gathering the data, you need to verify its truthfulness by consulting National Registers in your country and EU or national AML watch lists and sanctions lists.

Eventually, you need to understand why the prospect wants to become your customer. Start by collecting information about their employment (for natural persons) or their business (for companies).

Last but not least, ask them about the anticipated level, frequency, and nature of transactions that your firm will perform for the client throughout the business relationship.


• Establish the risk profile of the customer

Based on the information collected, you need to determine the risk level posed by the customer.

Certain situations present a greater risk of money laundering or terrorist financing as opposed to others. Some factors that influence that risk profile are:

  • The type of customer
  • The location of the customer
  • The products or services they are transacting

A low-risk profile may justify less rigorous controls. However, a high-risk profile means that you should implement Enhanced Due Diligence (EDD) measures (i.e., additional identification materials).


• Continuously monitor the business relationship

In the event of a change in ownership structure or risk level, you need to update the information you have on the customer. On top of that, always ensure that your customer behaves consistently with the original purpose of the business relationship.

Let’s take an example. A client opens a bank account and claims they will only use it for up to 10 transactions per year within the country. Instead, they use the bank account to carry out dozens of large transactions to multiple offshore accounts. Such behaviour is inconsistent with the initial purpose of the business relationship. Therefore, the bank needs to investigate the suspicious activity and potentially report the customer to the relevant authority.
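The monitoring step in the example above, as an added illustration that is not from the original article: a rule-based comparison of what a customer declared at onboarding (volume, domestic-only use, transaction size) against the transactions actually observed, returning the deviations a compliance officer would then investigate. The profile fields, thresholds, country codes and sample transactions are constructed assumptions.

```python
# Added example (not from the original article): compare a customer's declared
# transaction profile with observed activity and list the inconsistencies.
# All field names, thresholds and sample data below are constructed assumptions.
from dataclasses import dataclass
from datetime import date


@dataclass
class DeclaredProfile:
    max_txns_per_year: int   # anticipated frequency stated at onboarding
    domestic_only: bool      # "within the country"
    home_country: str        # ISO country code of the customer's country
    max_amount: float        # anticipated upper size of a single transaction


@dataclass
class Transaction:
    when: date
    amount: float
    counterparty_country: str
    counterparty_account: str


def review_activity(profile, txns, year):
    """Return a list of (code, detail) findings; an empty list means no deviation."""
    in_year = [t for t in txns if t.when.year == year]
    findings = []
    if len(in_year) > profile.max_txns_per_year:
        findings.append(("VOLUME", f"{len(in_year)} transactions vs declared max {profile.max_txns_per_year}"))
    foreign = [t for t in in_year if t.counterparty_country != profile.home_country]
    if profile.domestic_only and foreign:
        countries = sorted({t.counterparty_country for t in foreign})
        findings.append(("CROSS_BORDER", f"{len(foreign)} transfers to {countries} despite domestic-only profile"))
    large = [t for t in in_year if t.amount > profile.max_amount]
    if large:
        findings.append(("SIZE", f"{len(large)} transactions above declared max {profile.max_amount:.2f}"))
    accounts = {t.counterparty_account for t in foreign}
    if len(accounts) > 1:
        findings.append(("MULTI_OFFSHORE", f"{len(accounts)} distinct foreign counterparty accounts"))
    return findings


def needs_investigation(profile, txns, year):
    """True when any declared-vs-observed rule fired for that year."""
    return bool(review_activity(profile, txns, year))


# Constructed sample: customer declared up to 10 domestic transactions a year, max 5,000,
# but 24 large transfers went to four different accounts in two foreign jurisdictions.
PROFILE = DeclaredProfile(max_txns_per_year=10, domestic_only=True, home_country="DK", max_amount=5000.0)
SAMPLE_TXNS = [Transaction(date(2023, 1, 1 + i % 28), 48000.0, "KY" if i % 2 else "PA", f"ACC-{i % 4}")
               for i in range(24)]
```

The findings are input to the investigation, not a verdict: a volume breach alone may have an innocent explanation that the periodic review can record.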

Keep in mind that you should periodically update and review the information you have on the customers. While the frequency of the reviews needs to be proportionate to the risk level, you should still update all customer information at least once a year.


2. Record-keeping

For each customer, the identification process and the risk assessment must be documented, kept up-to-date, and stored for five years after the end of the business relationship.

The data retention period is five years for two reasons.

On the one hand, you need to have readily accessible information about each customer to be provided in the event of audits or after a request from relevant public authorities.

On the other hand, you need to meet the data minimization requirement set by the GDPR and delete the information after this fixed period.

The documentation you need to store consists of all CDD records, copies of the documents collected, and the records of transactions.


3. Reporting suspicious activities to the FIU or nationally designated self-regulatory body

Companies are required to cooperate in the fight against money laundering and terrorist financing by promptly filing a report to inform the FIU of their suspicions and provide them with all necessary information.

If you suspect a customer might be involved in illicit activities, start by filing a report. Next, refrain from carrying out unusual transactions with or on behalf of that customer. Last but not least, do not disclose that you filed the report and an investigation is underway.


4. Policies, procedures, and controls

This requirement touches on the previous three, combining them in an official format. For full AML compliance, companies must have a detailed written description of the measures designed to fulfill their AML obligations. The law defines these measures as policies, procedures, and controls and requires them to be:

  • documented via written document(s);
  • approved by the senior management of the company;
  • kept up-to-date – i.e., monitored and adjusted periodically to ensure their continued effectiveness;
  • distributed to all concerned staff;
  • available to the relevant national authorities and self-regulatory bodies concerned.

Additionally, companies should provide training to their employees to make them aware of the legal provisions that the company is subject to and implement internal measures to ensure compliance with them.

In simple words, internal policies, procedures, and controls are the documents where you detail how your company meets all the other AML requirements, what measures are in place to ensure compliance, and how you control the ongoing effectiveness of such measures.

As a result, this is the documentation that helps you demonstrate the AML compliance of your company – and the first thing you will have to provide in case of an audit.

What exactly should be the content of this documentation?

EU law is not explicit on the topic. Hence, this requirement is a common headache for most AML-regulated organizations.

However, the EU legislation clearly states that policies, procedures, and controls should be risk-based. Consequently, their provisions should result from the internal risk assessment performed by the company.


What is the internal risk assessment?

The internal risk assessment is a periodic evaluation of the level of risk that a company is subject to in terms of the chances of being exploited for money laundering or terrorist financing.

Just as you assess the risk level of your customer, you also need to determine the risk profile of your company.

There are no black-and-white rules that tell you whether your firm is at high or low risk of exposure to money laundering activities. However, the following factors play a role in determining your risk rating:

  • the type of work you do
  • the countries in which your work takes place
  • the types of clients you have
  • how often you engage in regulated activities

Additionally, take into account industry-specific risk levels, trends, and practices.

EU member states must perform a risk assessment and write down policies, procedures, and controls just like private companies. Therefore, you should also consider the information provided in the latest national risk assessment of your country.

Generally, large enterprises with diversified cross-border activities should have more detailed procedures than small firms involved in less complex transactions within the borders of one country.

Linked to this proportionality principle are the requirements to appoint a compliance officer at management level, to screen employees, and to have an independent audit function to test the internal policies, controls, and procedures.

The internal risk assessment is the essential basis for all other measures implemented to meet AML requirements and, therefore, the foundation of the internal policy, procedures, and controls.

AML/CFT policy

Once you have assessed your company’s risk profile, you can start drafting an AML/CFT policy.

The policy is a document where the company writes down its self-imposed AML/CFT objectives and the guidelines to be complied with to achieve these objectives. Accordingly, you should detail:

  • How you manage risks: Provide a general description of the risk-based approach adopted in your company, the modalities used to map and analyze risk factors and variables, and the maximum risk tolerance limits for each activity segment subject to ML/FT risk.
  • How you manage customer acceptance: Describe the general criteria that your employees should use to assign new customers to different risk categories and determine a framework for the decision-making process.


AML/CFT procedures

Based on the AML/CFT policy, you should draft your AML/CFT procedures and distribute them to your employees. These procedures explain how your company complies with AML requirements.

Generally, a proper set of procedures should include the following:

Customer due diligence measures
  • How to gain insight into the ownership and control structure of the customer;
  • Which additional persons to include in the CDD process;
  • Which type of data and documents are to be collected;
  • How to verify the identity of the customers;
  • How to determine whether the customer has a low-, standard-, or high-risk profile;
  • What to do when one cannot identify or verify the identity of a person;
  • What the decision-making process should be for entering into a business relationship;
  • When to repeat the identity verification process.

How to detect atypical facts and transactions, report suspicions to the relevant authority, and process the related requests for information
  • Which facts and transactions should be recognized as atypical or suspected of being linked to money laundering or terrorist financing;
  • What the employees are required to do should such situations occur and how to file a report;
  • How the company processes requests for information addressed by relevant public authorities;
  • The legal prohibition for managers and staff members from informing the customer or third parties about the suspicion and the ongoing investigation;
  • The measures that ensure the protection of reporting persons, as well as the internal whistleblowing procedure.

Procedure for data and document retention and protection

This procedure should list the information and documents to be retained and the retention periods. Additionally, it should include the modalities for their deletion at the end of the retention period.

To ensure the confidentiality of data, it should also detail the storage location, the persons with access to it, the terms of access, and the mechanisms for retrieving customer records when needed to answer requests for additional information from the FIU.


Internal controls

This last element refers to the implementation of the policies and procedures. Once you have established the procedures your staff has to follow, you need to have internal measures to support them and document their effectiveness.

Companies should establish:

  • a database of customers and beneficial owners containing all the information collected during the identification phase;
  • a monitoring system enabling the detection of atypical facts and transactions;
  • an electronic data storage and archiving system (or a paper-based system for small legal entities) used to register and document the measures implemented to fulfill AML obligations.

This internal control system should also cover all persons and activities within the legal entity. Therefore, it should document the initial checks and periodic monitoring relating to internal staff and management, operational services and departments, and third-party businesses or subcontractors.

Furthermore, companies should periodically audit their governance and internal control systems. Similarly, they should examine the proper functioning of their compliance function and prepare risk assessment reports that enable the identification of weaknesses.


Penneo can help you

We hope that these guidelines will help you ensure full AML compliance in your firm.

Penneo can assist in your compliance journey by offering your organization an easy-to-use and efficient digital solution to address AML requirements. With our software, you can:

  • Collect your client’s documents and personal information
  • Verify their identity and screen them against national registers
  • Monitor any changes in their control structure and risk level
  • Store all KYC documentation collected
  • Detect suspicious profiles

With a single digital solution, both you and your clients will get a smoother experience.

Penneo lets you effortlessly meet the first three requirements listed in this article (customer due diligence, record-keeping, and reporting).

As for the fourth, the law allows you to leverage electronic solutions for your AML activities. Therefore, you will only need to specify in your policies, procedures, and controls that you rely on Penneo for data collection, identity verification, and retention of documents.
