AML: Your first steps


Decide who is the appropriate person to be your AML/CFT Compliance Officer. It is essential for any successful AML/CFT programme that your Compliance Officer has the on-going support of the organisation at the executive level, and the ability to report to that executive.


Consider what additional resources may be required to support that individual?


One of the first steps you will need to do is in establishing your AML/CFT programme is defined by Section 58(1) which requires that you undertake an assessment of the risk your business may reasonably expect.


Does our business have the experience or in-house capability to undertake this assessment in a robust and honest manner ? Your AML / CFT Risk Assessment will be a core company document going forward. If you do require assistance are several companies offering AML consulting services. Infolog does not offer these services.

AML risk assessment requirements

Your risk assessment must be in writing and must address the following issues:

  • Identify the risks faced by the company in the course of its business.
  • Describe how the company will ensure the assessment remains current.
  • Enable the company to determine the level of risk involved in relation to relevant obligations under the Act.

In assessing risk, your business must have regard to the following:

  • The type, nature, size and complexity of your business.
  • The products and services offered.
  • The methods by which you deliver products and services to customers.
  • The types of customers you deal with.
  • The countries you deal with.
  • The institutions you deal with.
  • Any applicable guidance material produced by the AML/CFT Supervisors.
  • Any other factors that may be provided for in regulations.

Taking the next step.

You will need to execute on how you will meet the requirements identified in your risk assessment. You do have options and your decision may be based on the timeframe for compliance, your lack of current skills, and the need to control costs.

  • Section 34 allows for the use of an Agent to conduct customer due diligence procedures.
  • You can operate and meet all AML / CFT requirements in house.
  • You can utilise a blended service using both options as above.
  • Or you may use an Agent until your internal capability is in place.

One of the services Infolog works with and recommends is Trust Integrity and Compliance Company (TIC)

In-house AML / CFT operation

Your risk asessment must be in writing and must address the following issues:

  • Consider what procedures will need to be applied firm-wide, and or to specific teams.
  • Consider any need to implement and change the IT system or business processes to align with your AML/CFT obligations.
  • Should your customer due diligence (CDD) be centralised or implemented by front-line staff?
  • What process will you use for the collation of the data in respect of existing customers?
  • Avoid re-identification of the same individuals. Where an individual is linked to multiple entities you handle, specify a process where the AML/KYC identification requirements for that individual can be linked to the multiple entities.

AML Staff

Under section 57(b) of the AML/CFT Act, Senior Managers, the Compliance Officer and all staff involved in AML/CFT duties must be trained in AML/CFT matters such as the following:

  • Relevant AML/CFT legislation and any changes to legislation.
  • Your organisations AML/CFT risks as identified during your Risk Assessment.
  • The current operation of your AML/CFT Programme, including reporting lines. This is important as a Reporting Entity must submit the Report with the Financial Intelligence Unit no later than three working days after forming the suspicion.
  • AML training should be provided at the start of employment, and then annually.

Your AML programme must also set out your procedures, policies and controls for vetting senior managers, your compliance officer and any other employees who will conduct AML/CFT duties.

  • The purpose of vetting is to avoid hiring a person who may themselves pose an AML/CFT risk. Vetting involves checking someone’s background to determine suitability for an AML position, making sure they are who they say they are, and checking that the information they have provided is correct.
  • The training requirements may dictate that you centralise your AML/CFT activities at first then roll out as training of staff progresses. Again the option of outsourcing AML/CFT activities could be considered.