AML / KYC & Financial-Crime Programs

Every credible AML programme starts from a documented, business-wide risk assessment — your products, customers, geographies, delivery channels, and the money-laundering and terrorist-financing risks each carries. It’s the foundation the rest of the programme is built on and tailored to; a policy that isn’t anchored to a risk assessment reads as generic, and supervisors notice.

This is also a structural feature of the incoming EU rules. The EU’s 2024 AML package replaces the old patchwork of national transpositions with a directly applicable single rulebook — the Anti-Money Laundering Regulation (AMLR), Regulation (EU) 2024/1624 — which applies from 10 July 2027, alongside a recast directive (AMLD6, Directive (EU) 2024/1640) and a new EU-level supervisor.

On top of the risk assessment sit your customer-facing controls: onboarding, customer due diligence (CDD), enhanced due diligence (EDD) for higher-risk relationships, and ongoing monitoring. Internationally, this maps to the FATF standard on customer due diligence (Recommendation 10), which underpins most national AML regimes.

• CDD — identifying and verifying the customer and, where relevant, the beneficial owner, and understanding the purpose of the relationship.
• EDD — heightened measures for higher-risk customers, products, or jurisdictions (for example, those connected to higher-risk third countries).
• Ongoing monitoring — keeping customer information current and scrutinising transactions against the expected profile across the life of the relationship.

If you transfer crypto-assets on behalf of customers, the Travel Rule almost certainly applies. Internationally it’s FATF Recommendation 16, which the FATF extended to virtual assets and virtual-asset service providers in 2019. It requires the originator and beneficiary information to "travel" with a transfer so it can be screened and traced.

In the EU, the Travel Rule is implemented through the recast Transfer of Funds Regulation, Regulation (EU) 2023/1113, which applies from 30 December 2024, with the European Banking Authority’s Travel Rule Guidelines applying from the same date. A few features matter for how you build the control:

• Originator and beneficiary information must accompany crypto-asset transfers between providers, and the receiving provider checks for missing information.
• In the EU, the information requirement applies to transfers between crypto-asset service providers without a de-minimis threshold — broader than the FATF baseline, which sets a USD/EUR 1,000 threshold for virtual-asset transfers.
• Self-hosted (unhosted) wallets carry their own information and, above set thresholds, verification expectations.

A programme needs an owner and a reporting path. Across the UK and EU, that owner is typically the Money Laundering Reporting Officer (MLRO) — a suitably senior, fit-and-proper person responsible for the firm’s AML controls and for suspicious-activity reporting. The supporting pieces:

• Escalation and reporting — internal escalation routes and the procedures for filing suspicious activity / suspicious transaction reports (SARs / STRs) with the relevant Financial Intelligence Unit.
• Training — staff training and awareness, documented so you can show it happened.
• Internal controls and independent review — the governance that keeps the programme working, including sanctions screening as part of the control framework.

For most firms the AML framework is a core part of the licence application itself, not a later add-on — regulators want it in place and evidenced. Two timing realities to plan around if the EU is in your map:

• AMLA, the new EU Anti-Money Laundering Authority, headquartered in Frankfurt, has been operational since July 2025; it will set EU-wide standards and, in time, directly supervise certain higher-risk firms.
• The single rulebook (AMLR) applies from 10 July 2027, so programmes built now should be designed to converge on the harmonised EU-wide standard rather than only today’s national rules.