Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
An Anti Money Laundering (AML) Policy is a formal internal document that establishes how an organization identifies, prevents, monitors, and reports potential money laundering and financial crime activity. It defines the business's risk appetite, the procedures staff must follow when onboarding customers, the thresholds and systems used to flag unusual transactions, the escalation path for suspicious activity reports, and the governance structure β including a designated Compliance Officer β responsible for keeping the program current and effective. Unlike a general compliance policy, an AML policy is a specialized operational document driven by specific regulatory requirements that apply to businesses handling financial transactions or operating in sectors known to be vulnerable to money laundering.
Operating in a regulated sector without a written AML policy exposes your organization to regulatory fines, license suspension, and personal liability for senior officers β in many jurisdictions, regulators treat the absence of a written policy as a standalone violation, regardless of whether any actual money laundering occurred. Beyond the regulatory penalty, a business without documented controls is significantly more likely to be exploited as a conduit for illicit funds, which can result in asset freezing and criminal investigation of the organization and its principals. Examiners and auditors request the AML policy as the first document in any compliance review β having a customized, up-to-date policy in place signals that controls are operational rather than theoretical. This template gives you a compliant, fully structured starting point that you can adapt to your specific business, sector, and jurisdiction in hours rather than weeks.
| If your situation is⦠| Use this template |
|---|---|
| Bank or credit union subject to BSA examination | BSA/AML Compliance Program |
| Fintech or payment service provider seeking licensing | AML/CFT Compliance Policy (Fintech) |
| Real estate firm handling cash or high-value transactions | Real Estate AML Policy |
| Law firm or accounting practice meeting FATF guidance | Professional Services AML Policy |
| Cryptocurrency exchange or virtual asset service provider | VASP AML/KYC Policy |
| Internal audit or annual AML program review | AML Compliance Audit Report |
| Onboarding a new high-risk customer or PEP | Enhanced Due Diligence Checklist |
Why it matters: Regulators and examiners look for evidence that the policy reflects the organization's actual risk profile, products, and customer base. A generic policy signals that controls are theoretical rather than operational.
Fix: Customize the risk assessment, KYC document list, and monitoring thresholds to match your specific business activities and customer types before finalizing.
Why it matters: A designated AML officer who lacks the authority to reject a customer relationship or escalate to the board cannot fulfill the role β regulators treat this as a control failure, not a naming formality.
Fix: Include an explicit authority clause in the governance section granting the Compliance Officer power to decline onboarding, freeze transactions, and report directly to the board.
Why it matters: Employees who are not specifically told that disclosing a SAR is a criminal offense may inadvertently tip off a customer β exposing both the employee and the organization to serious legal liability.
Fix: Include a standalone tipping-off prohibition clause in the SAR section, written in plain language, and reinforce it in every AML training session.
Why it matters: If a regulatory examination or investigation requires records that have been destroyed because the retention period was set too short, the organization faces penalties for non-compliance even if no underlying wrongdoing occurred.
Fix: Audit every regulation in your scope section, identify the longest retention requirement, and apply that period uniformly to all AML records.
Why it matters: Front-line staff who onboard customers or handle cash face entirely different red flags than back-office staff. One-size-fits-all annual training leaves frontline employees underprepared and fails proportionality requirements in most regulatory frameworks.
Fix: Segment training by role β at minimum, separate customer-facing staff from operational and management staff β and increase frequency to semi-annual for the highest-risk roles.
Why it matters: An AML policy referencing superseded regulations or missing controls for a new product line is treated as a compliance gap regardless of the organization's actual practices.
Fix: Assign the Compliance Officer a standing task to review the policy within 30 days of any material regulatory update or new product launch, in addition to the annual scheduled review.
Before editing the template, list every AML law or regulation that applies to your business β federal, state/provincial, and sector-specific. The scope section must reference each one by name.
π‘ For US businesses, start with the Bank Secrecy Act and FinCEN guidance for your sector. For UK businesses, reference the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017.
Run a documented risk assessment across three dimensions β customer risk, product/service risk, and geographic risk β and save the results as your AML Risk Register. The policy references this register; it cannot be completed without it.
π‘ Score each risk dimension on a 1β5 scale and multiply to get a composite risk score. Anything above 12 should trigger enhanced controls.
List the exact documents you will collect from individual customers (e.g., passport or driver's license) and from entities (e.g., certificate of incorporation, register of directors, beneficial ownership declaration). Avoid generic language like 'government-issued ID' without specifying what qualifies.
π‘ Attach a KYC Document Checklist as an appendix β reviewers and staff find a checklist more actionable than prose descriptions.
Enter dollar thresholds and behavioral triggers calibrated to your typical customer transaction volumes. A threshold set too high will miss suspicious activity; one set too low will generate false positives that staff learn to ignore.
π‘ Review your last 12 months of transaction data to establish a baseline 'normal' range before setting monitoring thresholds.
Fill in the name and title of the Compliance Officer, the internal reporting form or channel employees should use, and the statutory SAR filing deadline for your jurisdiction. Ambiguity in this section is the most common cause of delayed or missed filings.
π‘ Include a backup escalation contact for when the Compliance Officer is unavailable β regulators expect continuity of the reporting function.
Look up the retention period required by every regulation in your scope section and use the longest one. Enter the specific number of years in the record-keeping section.
π‘ Cloud-based document management systems can automate retention schedules β reference your system name in the policy so staff know where to store records.
The governance section should be signed off by the board or senior management and include the next scheduled review date β most regulators expect at least annual review. Enter the approval date and the name of the approving authority.
π‘ Calendar the review date immediately after approval β AML policies that drift out of date are a top finding in regulatory examinations.
Once finalized, share the policy with all employees in scope and schedule the first training session within 30 days. Log attendance from day one so you have a compliance record from the policy's effective date.
π‘ For small teams, a 45-minute workshop with a short written quiz generates a more defensible training record than a PDF acknowledgment alone.
An anti money laundering (AML) policy is a formal internal document that defines how an organization identifies, prevents, and reports potential money laundering and financial crime. It covers customer due diligence procedures, transaction monitoring controls, suspicious activity reporting obligations, staff training requirements, and the governance structure that oversees compliance. Regulators in most jurisdictions require businesses handling financial transactions to maintain a written AML policy.
In most jurisdictions, AML policies are mandatory for banks, credit unions, payment processors, money service businesses, and insurance companies. Increasingly, the requirement extends to real estate agents, lawyers, accountants, high-value goods dealers, and cryptocurrency exchanges. The specific obligation depends on the applicable national law and sector regulator β in the US, the Bank Secrecy Act governs most financial institutions, while FATF recommendations shape requirements globally.
An AML policy is the written document that states the organization's principles, risk appetite, and procedural commitments. An AML program is the broader operational framework β the people, systems, training, and controls that implement the policy. Regulators expect both: the policy provides the foundation, and the program demonstrates that the policy is actually being carried out. A policy without an operational program is a paper exercise that examiners will reject.
The five pillars widely cited by regulators are: a designated compliance officer, written internal policies and procedures, an ongoing employee training program, independent testing and audit of the program, and customer due diligence controls. The US Bank Secrecy Act originally defined four pillars for banks; a fifth β customer due diligence β was added by FinCEN in 2016. Many frameworks internationally reference the same five elements under different terminology.
A SAR is a confidential report filed with a financial intelligence unit when a transaction or customer behavior raises a reasonable suspicion of money laundering, fraud, or terrorist financing. In the US, most financial institutions must file with FinCEN within 30 days of identifying suspicious activity, or 60 days if no suspect is identified. Filing thresholds and timelines vary by jurisdiction and institution type. The existence of a SAR must not be disclosed to the subject β doing so is a criminal offense known as tipping off.
Most regulatory frameworks require an AML policy to be reviewed at least annually and updated whenever a material regulatory change or significant business model change occurs. In practice, the Compliance Officer should monitor regulatory updates continuously and trigger an out-of-cycle review within 30 days of any relevant change. A policy that references superseded regulations β even if the organization's actual practices are current β is treated as a compliance gap during examination.
At minimum, an AML policy should require retention of customer identification and verification documents, transaction records, internal suspicion reports, SAR filings (subject to confidentiality), and staff training attendance logs. The standard retention period is five years from the end of the business relationship or the date of the transaction, though some jurisdictions require seven years. The policy should specify the longer period where multiple requirements apply.
It depends on the business type. A retail shop selling everyday goods typically has no AML reporting obligation. However, small businesses in real estate, legal or accounting services, money transmission, jewelry, art, or luxury goods dealing are subject to AML requirements in most jurisdictions regardless of size. Fintech startups and payment businesses face AML obligations from day one. When in doubt, check whether your sector is listed as a Designated Non-Financial Business or Profession (DNFBP) under your country's AML legislation.
Regulated businesses operating without a written AML policy face regulatory fines, license suspension or revocation, and personal liability for senior officers in many jurisdictions. Beyond regulatory penalties, a business without AML controls is at higher risk of being exploited as a vehicle for illicit funds β which can lead to asset freezing, reputational damage, and criminal investigation of the organization and its principals.
A KYC policy focuses specifically on the customer identification and verification procedures used at onboarding and during the relationship. An AML policy is broader β it incorporates KYC as one component alongside transaction monitoring, SAR filing, training, and governance. Organizations typically need both, with the KYC policy sitting as an appendix or companion document to the AML policy.
A general compliance policy addresses the full range of regulatory obligations β employment law, data protection, health and safety, and financial regulation. An AML policy is a specialized document covering financial crime controls exclusively. Regulated businesses need both: the compliance policy sets the governance framework, while the AML policy provides the operational detail required by financial regulators.
A fraud prevention policy addresses internal and external fraud β employee theft, payment fraud, and cyber-enabled scams. An AML policy addresses the specific risk of the organization being used to launder criminal proceeds. The two policies overlap in transaction monitoring and reporting procedures but serve distinct regulatory purposes and should be maintained as separate documents.
A risk management policy covers the organization's overall enterprise risk framework β strategic, operational, financial, and compliance risks. An AML policy is a compliance-specific document that implements the risk management framework's principles in the context of financial crime. The AML risk assessment should feed into and align with the enterprise risk register.
Banks, credit unions, and payment processors face the most detailed AML obligations β BSA examination, FinCEN SAR filing, and CDD rules for legal entity customers with 25% beneficial ownership thresholds.
High-value cash transactions and anonymous shell company purchases make real estate a high-risk sector β brokers and developers must implement KYC for buyers and flag transactions structured to avoid reporting thresholds.
Law firms and accounting practices handling client funds, company formations, or real estate transactions are classified as DNFBPs and must maintain AML registration, risk assessments, and SAR filing procedures.
Virtual asset service providers face FATF Travel Rule obligations requiring sender and recipient information on transfers above threshold amounts, plus full KYC/EDD for customer onboarding and wallet verification.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small businesses in regulated sectors building their first written AML policy for registration or internal governance | Free | 4β8 hours to customize and finalize |
| Template + professional review | Growing financial services firms, fintechs seeking licensing, or businesses preparing for their first regulatory examination | $500β$2,000 for a compliance consultant review | 1β2 weeks |
| Custom drafted | Banks, payment institutions, and businesses with complex multi-jurisdiction obligations or a history of regulatory findings | $5,000β$20,000+ for specialist AML counsel or a Big Four compliance team | 4β12 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
