Smaller firms often have strong intentions but limited resources when it comes to managing anti-money laundering (AML) risks. Over the years, I’ve seen many of the same issues arise, not out of neglect, but from trying to balance business pressures with regulatory expectations.
Here are five of the most common pitfalls I’ve observed:
- Copy-paste policies – Adopting templates without tailoring them to your firm’s size, structure, or actual risk profile. A policy should reflect what you do, not just what’s written in the regulations.
- Weak onboarding checks – Relying on ID documents alone, without really understanding ownership, control, or purpose of the relationship.
- Inconsistent risk ratings – Applying “low”, “medium”, or “high” risk labels without clear rationale or supporting evidence. Regulators often focus on why a rating was assigned.
- Poor record-keeping – Failing to document decisions. If it isn’t written down, it effectively didn’t happen.
- No independent review – Many smaller firms skip AML audits or testing until the regulator asks for it. Regular, proportionate reviews identify weaknesses before they become findings.
The Financial Conduct Authority (FCA) consistently emphasises the importance of proportionality. Under SYSC 6.3 of the FCA Handbook and in its Financial Crime: A Guide for Firms, the regulator states that AML systems and controls should be “proportionate to the nature, scale and complexity” of a firm’s activities. In other words, smaller firms are not expected to mirror the frameworks of large financial institutions, but they must be able to demonstrate clear, risk-based decision-making.
Good AML compliance doesn’t need to be complicated. Start by understanding your specific risks, keeping clear records, and revisiting your procedures annually. Regulators appreciate clarity and proportional effort more than lengthy policies that no one reads.