Banking Regulation

AML Policy for Payment Firms: What to Include, How to Maintain It, and FCA Expectations

March 2026 · 8 min read
AML policy requirements for payment firms

The AML policy is the foundational document of a payment firm's financial crime compliance framework. It is the document against which the FCA first benchmarks a firm's compliance quality, which regulators scrutinise in supervisory reviews, and which every member of staff who handles customer relationships or processes transactions should understand and follow. Yet the AML policy is one of the most frequently deficient documents the FCA encounters — either too generic to provide meaningful operational guidance, or outdated relative to the current state of the business.

What the MLR 2017 Requires

Regulation 19 of MLR 2017 requires relevant persons (which includes EMIs and payment institutions) to establish and maintain policies, controls, and procedures to prevent activities related to money laundering and terrorist financing. Regulation 19(1) specifies that these must include: risk assessment; customer due diligence; transaction monitoring; record retention; internal reporting; staff screening and training; and independent audit. Regulation 21 requires that the policies be approved by a senior manager — in the context of an EMI, this means board or MLRO approval is required, not simply the compliance team's sign-off.

What "Business-Specific" Actually Means

The FCA's most consistent criticism of AML policies is that they are generic — they describe the MLR 2017 requirements rather than explaining how the firm meets them in the context of its specific business. A business-specific AML policy for a payment firm serving iGaming operators will look materially different from one serving retail SME clients. The specificity must cover:

Risk Assessment Integration

The AML policy should explicitly reference and incorporate the firm's Regulation 18 enterprise risk assessment. Where the risk assessment identifies high-risk client categories (iGaming operators, crypto exchanges, offshore-registered companies), the policy should describe the specific additional controls applied to those categories — not just state that EDD applies to high-risk clients.

CDD and EDD Procedures

The policy should describe exactly what documents and information are collected at standard CDD, what additional documents and approvals are required for EDD, and which roles have authority to approve EDD relationships. Vague statements that "enhanced due diligence will be conducted as appropriate" provide no operational guidance.

Transaction Monitoring

The policy should describe the firm's transaction monitoring approach — the system used, the general nature of the rules (not necessarily revealing specific thresholds, but explaining the methodology), how alerts are escalated, and what the SLA is for alert review. It should also address CTF-specific monitoring as a distinct component.

SAR Procedures

The internal reporting procedure — how employees escalate suspicions to the MLRO, what form this takes, the MLRO's decision timeline, and the process for filing SARs with the UKFIU — should be clearly described. The tipping-off prohibition and its practical implications for client-facing staff should be addressed explicitly.

Training

The policy should describe the firm's AML training programme: frequency, content, who is required to complete it, and how completion is recorded. The FCA expects annual AML training at minimum, with refreshed content that addresses current typologies relevant to the firm's sector.

Maintaining the Policy

An AML policy that accurately described the firm at authorisation but has not been updated in two years is not an adequate control. Material changes to the business model, client base, product set, or regulatory environment require a corresponding update to the AML policy. The MLRO should maintain a policy review schedule with defined triggers for off-cycle updates: a significant new client category, entry into a new geographic market, a material regulatory development, or a significant finding from internal audit or the safeguarding audit.

The version control and approval history of the AML policy is itself evidence of maintenance — the FCA will look at the dates recorded on the policy and at the board approval records. An undated policy, or one with a single approval date at launch and no subsequent review record, is a significant concern.

Communicating the Policy to Staff

MLR 2017 Regulation 24 requires relevant persons to take appropriate measures to make relevant employees aware of the law relating to money laundering and terrorist financing and the applicable policies and procedures. A policy that exists but that frontline staff have never read or been trained on provides almost no protection. Payment firms should maintain records of policy distribution, staff acknowledgment, and training completion. The MLRO should conduct periodic spot-checks — asking frontline onboarding or payments staff to explain the firm's SAR escalation procedure — as a proxy for policy awareness quality.

CCYFX provides specialist banking infrastructure for complex businesses. UK, European & US IBANs, FX hedging, crypto on/off ramp, and global payouts to 180+ countries.