Most anti-money-laundering programmes are not weak because they lack controls. They are weak because the controls cannot be shown to work. An inspection rarely turns on whether you have a policy; it turns on whether you can demonstrate that the policy is followed, calibrated to your risk, and producing the outcomes a supervisor expects.
Start from the risk, not the template
A framework copied from another firm describes that firm’s risk, not yours. The foundation is a business-wide risk assessment (BWRA) that maps your customers, products, channels and geographies to specific money-laundering and terrorist-financing threats — and grades them honestly.
The BWRA is the spine of the whole programme. Every control should trace back to a risk it is there to mitigate.
When an examiner asks “why is your transaction-monitoring threshold set here?”, the answer should point to the BWRA, not to a vendor default.
Controls that produce evidence
Each control should be designed to leave a trail:
- Customer due diligence that records not just what was collected, but the risk decision it informed.
- Screening against sanctions and PEP lists with documented match-handling and false-positive rationale.
- Transaction monitoring with rules tied to risk scenarios, plus a tuning log showing thresholds reviewed over time.
- Reporting — SARs/STRs raised, escalated and filed, with the reasoning preserved.
The point is not volume. A monitoring system that fires ten thousand alerts nobody triages is worse than one tuned to surface the few that matter.
Assure, then evidence
A framework is only defensible if someone independent has tested it. Periodic assurance — sample testing of CDD files, alert dispositions and reporting decisions — closes the loop and produces exactly the artefact an inspection wants to see: proof that the firm checks its own work and fixes what it finds.
The firms that pass inspection are not the ones with the thickest policy binders. They are the ones who can hand the examiner a folder and say: here is the risk, here is the control, here is the evidence it worked.