Anti-Money Laundering (AML) Policy Template Guide

Introduction

An AML policy template is a structured, customizable document that gives financial institutions a starting framework for detecting, preventing, and reporting money laundering. The operative word is starting. Most organizations download a template and treat it as a finished compliance product — which is where regulatory exposure begins.

The consequences of getting this wrong are concrete. FinCEN assessed a record $1.3 billion penalty against TD Bank in 2024 for willful failure to maintain a BSA-compliant AML program. In the UK, the FCA fined Santander £107.7 million for repeated AML failures. These weren't fringe cases — they reflect what happens when written policies don't translate into functioning programs.

This guide is written for fintech startups, crypto firms, neobanks, money transmitters, and embedded finance companies operating in the US, UK, EU, and Canada. It covers what a compliant AML policy must include, how to customize a template for your business model, jurisdiction-specific requirements, and the gaps most commonly flagged during regulatory examinations and sponsor bank reviews.


TL;DR

  • An AML policy template is a starting framework — not a finished compliance document. Every organization must customize it to its specific risk profile.
  • Core required elements include risk assessment, CDD/KYC, transaction monitoring, SAR filing, sanctions screening, record-keeping, staff training, and a designated compliance officer.
  • Your policy must reflect where you operate: BSA/FinCEN (US), MLR 2017 (UK), AMLD (EU), and FINTRAC (Canada) each carry distinct requirements.
  • Generic templates fail audits because they lack the specific dollar thresholds, escalation paths, and risk-based adjustments that match your business model.

What Is an AML Policy Template — and Who Needs One?

An AML policy template is a pre-structured document covering the core components of anti-money laundering compliance, built to be adapted to a specific organization's operations, risk profile, and regulatory jurisdiction.

The template is the starting point. A finalized AML program reflects actual business processes, named individuals, jurisdiction-specific obligations, and documented evidence that controls are actively in use.

Who Has a Legal Obligation

The scope is broad and determined by jurisdiction:

Jurisdiction   Covered Entity Types                                                                   Requirement Source
US             Banks, MSBs, money transmitters, crypto exchanges                                      Written AML program under 31 CFR 1022.210
UK             Credit institutions, e-money issuers, payment service providers, crypto asset exchanges MLR 2017, Regulation 19
EU             Credit and financial institutions, virtual currency exchanges, custodian wallet providers Directive 2015/849 as amended by Directive 2018/843
Canada         Financial entities, securities dealers, MSBs, foreign MSBs                             PCMLTFA/PCMLTFR under FINTRAC


For US money transmitters specifically: FinCEN applies no activity threshold. If you transmit money, you are an MSB and the written AML program requirement applies regardless of transaction volume.

What the Policy Is Designed to Achieve

  • Structured detection of suspicious activity before funds move
  • Documented regulatory compliance across applicable jurisdictions
  • Clear employee responsibilities at every stage of the process
  • Protection against the organization being exploited as a channel for illicit funds

What Every AML Policy Template Must Include

Regulators across the US, UK, EU, and Canada converge on five core pillars. The FFIEC BSA/AML Examination Manual identifies these as non-negotiable minimums for any AML compliance program:

  1. Internal controls and written procedures
  2. A designated compliance officer (BSA Officer, MLRO, or CAMLO depending on jurisdiction)
  3. Ongoing employee training
  4. Independent testing and auditing
  5. Customer due diligence — including beneficial ownership under FinCEN's CDD Final Rule (31 CFR 1010.230)

Beyond the five pillars, every policy template must address the following specific components:

Purpose and Scope

The policy opens with a clear statement of what it aims to prevent, the regulatory frameworks it satisfies (BSA, MLR 2017, Directive 2015/849, FINTRAC rules), and which employees, business units, products, and geographies fall within scope. This section cannot be generic: a scope that reads "all applicable laws" signals to an examiner that nobody actually mapped the obligations.

Customer Due Diligence, KYC, and Enhanced Due Diligence

CDD requires identity verification, beneficial ownership identification (individuals owning 25% or more of a legal entity under both the FinCEN CDD rule and FINTRAC guidance), and understanding the nature and purpose of each customer relationship. KYC procedures sit within CDD.

Enhanced Due Diligence applies to:

  • Politically exposed persons (PEPs)
  • High-risk third-country relationships
  • Complex or opaque ownership structures
  • Correspondent banking relationships

Under UK MLR 2017 Regulations 33–35 and EU Directive 2015/849 Articles 18–24, EDD requires deeper scrutiny and ongoing monitoring, not just a more detailed onboarding form.

Transaction Monitoring and SAR Filing

The policy must specify:

  • How transactions are monitored (automated systems, defined thresholds, red flag typologies)
  • Who reviews flagged alerts and within what timeframe
  • The exact SAR escalation workflow with named roles

SAR filing deadlines by jurisdiction:

  • US banks: No later than 30 calendar days after initial detection under 31 CFR 1020.320; maximum 60 days if no suspect is identified
  • UK: As soon as practicable after the information comes to the person, under POCA 2002 section 330 (the UK's FIU receives over 850,000 SARs per year)
  • EU: Promptly, under Directive 2015/849 Article 33; Member State rules set operational deadlines
  • Canada: As soon as practicable after establishing reasonable grounds to suspect


Sanctions Screening, Record-Keeping, and Governance

Sanctions screening must cover OFAC's SDN list (US persons and those subject to US jurisdiction), plus UN, EU, and national lists for organizations with cross-border operations.

Record retention periods:

Jurisdiction   Retention Period                   Authority
US             5 years                            31 CFR 1010.430
UK             5 years from end of relationship   MLR 2017 Regulation 40
EU             5 years                            Directive 2015/849 Article 40

Governance requirements cover compliance officer responsibilities, board-level policy approval, an internal audit function, and whistleblower protections. The FFIEC requires US BSA/AML programs to be written, board-approved, and recorded in board minutes — a documentation standard that examiners verify directly from meeting records.


How to Build an AML Policy from a Template: Step-by-Step

Before customizing any template, the foundational step is a formal risk assessment. This maps your specific exposure across customer types, products and services, geographic footprint, and distribution channels. The risk assessment output should drive every subsequent policy decision — without it, you're writing policy in a vacuum.

Step 1: Define Scope, Regulatory Obligations, and Risk Appetite

Identify every jurisdiction you operate in and map the applicable AML law. Your scope section must reflect this directly. If you're a US money transmitter also operating in Canada, your policy needs to address both 31 CFR 1022.210 requirements and FINTRAC's compliance program rules — not one or the other.

Risk appetite statements must be specific. Vague language like "we maintain a low risk tolerance" carries no regulatory weight unless it is backed by concrete thresholds and escalation criteria. At minimum, define:

  • Acceptable customer risk tiers and what triggers escalation to EDD
  • Transaction volume or velocity limits that flag for review
  • Geographic restrictions or high-risk country handling procedures

Step 2: Appoint a Designated Compliance Officer

Regulators require a named individual to own AML compliance:

  • US: BSA Officer
  • UK: MLRO (Money Laundering Reporting Officer)
  • Canada: CAMLO (Chief Anti-Money Laundering Officer)

A common audit finding: the policy describes CDD thoroughly at onboarding but gives frontline staff no guidance for what to do when a customer's behavior changes post-onboarding. That documentation gap is avoidable — and regulators notice it.

Step 4: Build in Training, Auditing, and Review Cycles

A policy without a training plan is incomplete. Include:

  • Onboarding training for all relevant staff before they handle customer interactions
  • Annual refreshers tied to regulatory updates, new typologies, or product changes
  • Role-specific modules that address the actual decisions compliance, operations, and customer-facing teams face

Independent audits should review the policy's effectiveness at least annually. FINTRAC requires an effectiveness review every two years — but annual is the practical standard across all four jurisdictions. The review cycle must also be triggered by regulatory changes, new product launches, or significant shifts in customer or geographic risk profile.


Common Mistakes When Using a Generic AML Policy Template

Three mistakes account for most AML policy rejections during bank onboarding and regulatory review. Knowing them upfront prevents the rework that costs weeks of delay.

  • Submitting templates unchanged — boilerplate language with no firm-specific thresholds or named officers
  • Treating CDD as a one-time step — skipping ongoing monitoring after account opening
  • Neglecting policy maintenance — letting a policy age past the business and regulatory changes it was built for


Submitting the Template Unchanged

This is the most costly mistake. Sponsor banks and regulators can identify boilerplate language immediately. During pre-deal reviews, Fraxtional has seen policies fail bank onboarding simply because they contained no specific thresholds, no named compliance officer, and no evidence the procedures were actually followed.

One client's AML policy didn't survive a sponsor bank review. Fraxtional rebuilt it within days and cleared onboarding — a policy that names no specific thresholds or processes doesn't qualify as risk-based, and reviewers know it.

Treating CDD as a One-Time Onboarding Exercise

CDD doesn't end at account opening. AML regulations across all four jurisdictions require ongoing monitoring — customer profiles must be refreshed when behavior changes, and high-risk customers require periodic re-screening. UK MLR 2017 Regulation 19 and FINTRAC's ongoing monitoring requirements both make this explicit.

Policies that only address initial onboarding CDD leave a gap that examiners flag routinely.

Ignoring Policy Maintenance

The regulatory environment doesn't hold still. FATF updates its grey list, FinCEN issues new guidance, and EU directives get revised — often in the same year. A policy written for your business at Series A doesn't automatically cover your business at Series B with new products and geographies added.

Many startups build a policy for initial licensing and never revisit it. UK MLR 2017 Regulation 19 requires that policies be regularly reviewed, updated, and communicated within the business — and "regularly" carries real enforcement weight. An unmaintained policy typically creates exposure within 12–18 months of any significant regulatory or business change.


Frequently Asked Questions

What are the 5 pillars of AML policy?

The five pillars are internal controls and written procedures, a designated compliance officer, ongoing employee training, independent testing and auditing, and customer due diligence. Regulators across the US (FFIEC), UK (MLR 2017), EU (Directive 2015/849), and Canada (FINTRAC) treat all five as a baseline requirement.

What should be included in an AML policy template?

Core components include: policy purpose and scope, risk assessment methodology, CDD/KYC/EDD procedures, transaction monitoring rules, SAR filing protocols, sanctions screening, record-keeping requirements, employee training schedules, internal controls, and defined review cycles.

Who is required to have an AML policy?

Financial institutions, banks, fintechs, money service businesses, crypto firms, payment processors, and other regulated entities are required to maintain a written AML policy. Specific obligations are determined by jurisdiction and business type — in the US, no activity threshold applies to money transmitters.

What is the difference between AML and KYC?

AML refers to the full compliance framework for preventing money laundering, encompassing policies, controls, monitoring, and reporting. KYC (Know Your Customer) is a specific component within that framework, focused on verifying customer identity and assessing risk level before and during the business relationship.

What is a Money Laundering Reporting Officer (MLRO)?

The MLRO is the UK-designated individual responsible for overseeing the AML program, receiving internal suspicious activity disclosures, filing SARs with the National Crime Agency, and acting as the primary regulatory contact. The equivalent role is the BSA Officer in the US and the CAMLO in Canada.

How often should an AML policy be reviewed?

At minimum annually — and immediately after regulatory changes, business model shifts, new product launches, audit findings, or material shifts in customer or geographic risk. FINTRAC formally requires an effectiveness review every two years, but annual is the practical standard across all four jurisdictions.