AMLR and the Anti-Money Laundering Act

AMLR and the Anti-Money Laundering Act: advisory & implementation on anti-money laundering regulations

The anti-money laundering regulations require responsible entities (firms in scope of the regime) to run a structured, risk-based AML/CTF programme that can be evidenced and explained under audit. Morling Consulting’s AML lawyers help firms translate the Anti-Money Laundering Act and the AML Regulation (AMLR) into governance, processes and controls that withstand internal audit and external review. For the business, it is about setting the right level of governance, accountability and control environment—without creating unnecessary internal burden. We provide legal advice and implementation support grounded in national law and the AMLR across Europe, focusing on solutions that work. Deliverables are designed to be clear for management and the business, and simple to document.

The AML Regulation (AMLR) brings a more harmonised EU-level framework and will influence how responsible entities plan and run their AML work. This is particularly important for firms with cross-border operations, high transaction volumes or dependencies on external providers for onboarding, screening and transaction monitoring. For many mid-sized companies, preparations involve identifying what needs to be strengthened, which processes should be reviewed and how to secure management buy-in. We help break the requirements into a manageable action plan with priorities that are easy to follow.

In practice, compliance is determined by the interplay between the enterprise-wide risk assessment, internal governance documents and how controls function in customer due diligence (KYC), PEP and sanctions screening, as well as ongoing monitoring and exception handling. We can support end-to-end—from gap analysis and updates to policies and procedures, to requirements for systems and suppliers, and preparation of documentation for review. Work is carried out in close dialogue with the business to secure clear roles, traceability and a proportionate control level based on risk. The goal is an AML function that is stable, proportionate and operable over time.


The Anti-Money Laundering Act in practice: risk-based approach and effective internal control

AML in practice is about turning the requirements of the Anti-Money Laundering Act and the AML Regulation (AMLR) into a way of working that is proportionate, consistent and traceable. For responsible entities, the aim is for internal control, processes and systems to connect so the business can demonstrate how risks are identified, managed and monitored over time.

  • Enterprise-wide risk assessment: should cover the firm’s customers, products, channels and geographies.
  • Governance and accountability: must be clearly anchored at executive level, with defined roles and decision points.
  • Policies and operating procedures: provide practical guidance and can be followed up day to day.
  • Customer due diligence (KYC): builds a coherent chain that includes risk classification, documentation and ongoing updates.
  • PEP and sanctions screening: includes clear procedures for handling hits and investigations.
  • Monitoring and exception management: includes escalation, investigation and reporting.

When these elements connect, AML work becomes more predictable, easier to lead and simpler to explain at internal audit or external review. We help design and quality-assure the whole, from the risk-based method and governance documents to control activities, follow-up and documentation. The work is structured and close to the business, so the solution is practical to implement and sustainable over time. Where relevant, we prepare clear decision materials for management and a prioritised action plan that can be delivered stepwise.


Policy, procedures and training: a maintainable AMLR delivery

For AML efforts to be sustainable over time, more is needed than “having documents”—you need documentation that can be used, updated and followed up. With the AMLR and developments in the European regulatory environment, demands increase for structure, clear accountability and traceability in internal governance. Policy, procedures and training therefore need to be designed as a coherent delivery that fits your business and regulatory environment. The aim is to make AML requirements manageable in daily operations and maintainable even as the organisation, products or risk profile change.

  • Policy under the Anti-Money Laundering Act and AMLR: scope, principles, roles and decision levels.
  • KYC procedures under the Anti-Money Laundering Act: risk classification, documentation requirements, update cycles and decision points.
  • PEP and sanctions procedures: handling hits, investigation, decisions and traceable documentation.
  • Monitoring and exception management: escalation, investigation, reporting and feedback.
  • Training + maintenance: training materials, evidence of delivery, cycles for updates and responsibility for ongoing revision.

A maintainable delivery reduces the risk that AML work becomes person-dependent or loses effectiveness between reviews. It also makes it easier for management to track status, take prioritised decisions and demonstrate that the control environment works in practice. We produce materials in a format that is easy to approve, communicate and implement—and that can be updated without restarting the project each year.

Frequently asked questions on anti-money laundering regulations

The term refers to companies and professionals that are in scope of the Anti-Money Laundering Act and the AML Regulation (AMLR) and must therefore apply the regime’s requirements. Scope depends on the nature of the business, services and, in some cases, how products are distributed and to whom.

The Anti-Money Laundering Act defines national implementation parameters, whereas the AML Regulation is an EU regulation that drives more consistent requirements and ways of working across the EU. In practice, firms may need to map both sources to processes, roles, systems and documentation. A workable model is to document a common set of requirements identifying obligations from the Act and the AMLR.

It sets the logic for the risks the business actually faces and how the control level should be calibrated across customers, products, distribution channels and geographies. Without a sound risk assessment, policies, KYC procedures and controls easily become inconsistent and hard to defend under review. The enterprise-wide risk assessment:

  • defines the risk profile (customers, products, distribution channels and geographies) and provides a traceable assessment of risk,
  • calibrates the control level in practice with KYC flows, risk classification, update cycles, escalation and documentation requirements,
  • drives priorities and resources so the control environment is proportionate and does not create unnecessary internal burden, and
  • creates a common thread through governance documents and follow-up, making the work easier to lead and simpler to defend at internal audit or external supervisory review.

A structured comparison between the requirements and how the company works in practice, including governance documents, processes, system support and outcomes. The deliverable is a concrete decision basis highlighting deficiencies, dependencies and prioritised actions.

A manageable plan breaks requirements into clear deliverables with accountable roles, decision points and milestones. It is written so leadership can steer by priorities rather than detail. It prioritises actions with the highest impact on the control environment and therefore reduces actual risk before time is spent on fine-tuning. It also factors in resources and phased delivery so the business maintains momentum.

Requirements should translate regulatory obligations into clear control requirements: which controls must exist, how they work and what documentation (logs, traceability and reports) must be available. They should also specify how incidents are handled, how changes are communicated and how quality is monitored. Accountability must be crystal clear: what the provider does, what you are responsible for and how you retain control over the process. The goal is to show how the provider is governed and controlled over time, not merely that a contract exists.

An end-to-end flow where risk classification; identity and ownership; purpose and intended nature of the relationship; documentation requirements; and decision points all connect without gaps. Each step needs a clear logic that can be followed and revised. The chain should be consistent and traceable, with a clear link between risk and the measures actually taken—making KYC easier to manage and easier to explain during review.

Procedures should describe a clear flow from the initial match to investigation, decision, any escalation and documentation, with defined roles and timelines. The focus is that decisions can be justified and followed afterwards. To withstand scrutiny, the process must be repeatable and quality assured so judgements are not ad hoc or person-dependent. It should also be clear how false positives are handled, when supplementary information is needed and how decisions are documented.

You need to define what constitutes an exception, how it is captured, who investigates, what decisions are taken and how actions are followed up. A robust exception process gives leadership control and makes the control environment measurable over time.

Commonly requested items include the enterprise-wide risk assessment, policy and procedures, role and responsibility matrices, control plans, training materials and traceable records from performed controls and decisions. The point is to evidence both “design” and “operation”—what you have decided and how it actually works.

We work in a structured manner in close dialogue with the business and deliver decision materials, a prioritised action plan and updated governance documents that can be implemented stepwise. The goal is a proportionate, stable and traceable AML function that can be operated and explained over time under the Anti-Money Laundering Act and the AML Regulation (AMLR).

Contact us

If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85