With rising instances of money laundering and financing of terrorism (ML/FT), governments worldwide are implementing rigorous Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations. And India is no exception. India has also introduced the Prevention of Money Laundering Act, 2002 (PMLA), mandating that regulated entities like banks, other financial institutions, and designated non-financial businesses and professions like real estate, accountants, jewelers, etc. develop adequate AML/CFT policies and procedures.

What is an AML policy and Procedure?

An Anti-Money Laundering Policy (AML Policy) is a set of internal rules to detect and manage money laundering risk and related predicate offenses. A well-framed AML policy assists the reporting entity in India to protect its business from being exploited by money launderers. It also goes a long way in ensuring compliance with PMLA and other applicable regulatory framework.

An AML policy must clearly law down the entity’s commitment to combat money laundering and must be communicated to all the organization’s employees, from frontline staff to senior management.

AML procedures are the practical measures that the company shall adopt to implement the AML policy. Procedures provide detailed instructions, stepwise processes, and controls on implementing the AML policy to ensure regulatory compliance and prevent money laundering crime.

What is a CFT Policy and Procedure?

An effective AML Policy and Procedure is a foundation for navigating the AML compliance journey and safeguarding the business from money laundering and related predicate offenses.

Though named separately as CFT policy or Countering the Financing of Terrorism policy, it is an integral part of the reporting entity’s AML landscape. The CFT policy significantly aims to guide the employees around detecting and preventing terrorist financing activities. The CFT Policy also generally covers local and international Sanctions regime compliance.

CFT Policy compliments the entity’s overall AML framework to manage the financial crime risk and protect the economy from money laundering and terrorism financing crimes.

What are the Key Elements of AML Policy?

As mentioned, the AML Policy is a larger ambit covering the CFT policy. Now, let us understand the key elements to be included in the AML Policy to ensure timely identification of ML/FT risks and effectively mitigate the same.

Enterprise-Wide or Business Risk Assessment

Evaluating the overall business exposure to financial crime risk is pertinent. Thus, the reporting entities must conduct robust Enterprise-Wide Risk Assessments.

The AML Policy must define the methodology adopted by the entity to perform the overall business assessment. The risk factors considered for the assessment must include the customer base, the nature of products and services offered, the geographies involved, the transaction parameters posing a risk to the business, etc.

The management-approved ML/FT risk appetite must also be documented in the AML Policy. The outcome of the business risk assessment must be made part of the AML Policy, the basis on which the structure and the AML/CFT controls have been designed.

The AML policy must provide for the periodic review of the business risk and its significance in driving the AML/CFT framework of the reporting entity.

Customer Due Diligence (CDD) Process

Establishing a comprehensive customer onboarding process, including Customer Due Diligence measures, is essential. The company’s CDD program must be included in the AML policy.

The AML Policy must cover the company’s detailed CDD process, including the customer identification and verification measures, the data, documents to be obtained, etc. As a recommended practice, the Know Your Customer (KYC) form should also be part of the AML Policy to ensure the consistency and accuracy of the collected customer information. The requirement related to identifying the beneficial owners must be prescribed under the Customer Due Diligence process.

The factors to be considered for the customer risk assessment must also be documented under the “Customer Due Diligence” section of the AML Policy. The customer risk rating methodology should form part of the AML policy. The company must define the nature of the customer due diligence measures to be applied based on the particular risk profile of the customer, adopting a risk-based approach, e.g., how and what Enhanced Due Diligence measures would be followed to manage the increased risk posed by the high-risk customers.

Ongoing Monitoring of Transaction and Business Relationship

Ongoing monitoring of the transactions and business relationships is essential to AML compliance, necessary to detect suspicious activities. The AML Policy of the company must include the procedures and systems implemented by the reporting entity to continuously monitor customer behaviour and transactions to identify any inconsistency in the customer’s activities or unusual patterns.

The Policy should also define the monitoring rules to be followed by the entity to monitor the transactions and how the alerts generated would be disposed of.

The company should also provide for regular reviewing of the functioning of the ongoing monitoring program to ensure its relevance and accuracy in identifying the red flags and reducing the number of false positives.

Reporting of Suspicious Transactions

The list of relevant risk indicators or ML/FT red flags must form part of the AML policy for better employee awareness and timely detection of suspicious transactions.

The reporting entity must establish internal procedures and controls for reporting any red flags or suspicious transactions observed during business operations. This should include the manner or form in which the front-line employees shall report the AML Principal Officer, the information to be provided and the timeline to be adhered to, the duties of the employee observing the suspicious transactions, and the AML Principal Officer, the documentation requirement, how the reporting to India’s Financial Intelligence Unit (FIU-IND) shall be done.

Employee Training and Awareness

The reporting entity must train its employees, including senior management, to create awareness around the AML/CFT program of the company. The policy must include the AML training program, the topics to be included in the training, the mode of training, and the mandatory requirement for all employees to attend the same. The requirement for refresher training must also form part of the AML policy.

Overall AML Governance

he AML Policy shall provide for the roles and responsibilities of the person appointed as an AML Principal Officer and the Designated Director.

The AML support expected from the senior management of the organizations should also be defined in the policy regarding approval of the policy, AML program oversight, approval of the onboarding of high-risk customers, etc.

The policy should also include the requirement for the independent AML audit function to be maintained by the reporting entity.

AML Record Keeping

Maintaining complete AML records in an organized manner is one of the critical requirements of AML regulatory compliance. The company’s record retention policy related to AML/CFT documents and procedures performed must be included in the AML Policy and appropriately communicated with the relevant team. The AML Policy must provide for maintain the records about overall business risk assessments, customer due diligence measures applied, information and records about financial transactions conducted, any red flags observed, intimations filed with the AML Principal Office, records of Suspicious Transaction Reports filed with FIU-IND, etc.

What are the Steps to Set up an Effective AML Policy?

Following a systematic method to define the AML/CFT policy would ensure effectiveness in mitigating the money laundering and terrorism financing risks:

Understanding the AML/CFT regulations and compliance obligations:

The reporting entity must know the applicable jurisdictional AML regulatory framework and the compliance requirements imposed on the business to identify and report financial crimes. The entity must also understand the best practices adopted by the industry to enhance the quality of the AML policy.

Assessing the business risk:

PMLA suggests adopting the risk-based approach to manage the risks with efficient utilization of the resources effectively. Thus, the reporting entity must conduct the business risk assessment to identify the ML/FT risk exposure, considering all the relevant risk factors – customers, products and services, complexities of the transactions, geographies, delivery and distribution channel, etc.

Defining the AML Policy:

The AML policy of the entity must be tailor-made considering the nature and size of the business, the outcome of the business risk assessment, and the regulatory landscape as applicable to the business. The policy must be drafted clearly and concisely, easy to understand, and practical to implement.

Communication and Implementation:

To ensure that the designed policies are implemented in their true sense, the reporting entity must circulate the policy to all its staff, including senior management, and impart necessary training.

Periodic review of the policy:

The defined AML Policy must be periodically reviewed to assess its relevance and adequacy to identify and manage the risks. The AML/CFT policies must always be aligned with the latest regulatory landscape and the company’s evolving risk profile.

Significance of Defining Comprehensive AML/CFT Policies Under PMLA

Having a well-defined, comprehensive AML/CFT policy shall ensure the following:

Regulatory compliance:

Establishing and maintaining AML/CFT policies and procedures is one of the regulatory requirements. Further, having a defined set of rules and procedures will ensure that the employees adhere to these steps to comply with other AML compliance obligations, such as performing timely customer due diligence processes, conducting ongoing monitoring, reporting suspicious transactions, etc.

Shield against money laundering and terrorism financing:

The robust set-by-step guidelines and instructions to identify and report the financial crime risks will ensure that the entity does not inadvertently indulge in any money laundering or terrorism financing crime. Established AML/CFT controls will ensure the timely detection of red flags and refrain from conducting business with any money launderer or other criminals.

Building reputation and trust:

Internal AML/CFT policies and procedures demonstrate the reporting entity’s commitment to combating financial crime and developing the entity’s reputation as a responsible business organization. This enhances the trust of the customers and business partners in the company, attracting more revenue and business growth.

How Can AML India Assist The Reporting Entities In Developing Effective AML Policies Aligned With PMLA?​

The reporting entities must assess the business risk and tailor-made the internal policies and procedures to mitigate the money laundering and terrorism financing risks effectively.

AML India, a leading AML consulting firm, understands this requirements and jurisdictional regulatory landscape necessary to design strong AML/CFT policies and procedures to stay PMLA compliant. The personalization of the AML policy will help the reporting entity protect its business and the economy against money laundering and terrorist financing activities.

Let’s restrict financial crime with recorded AML/CFT policies and procedures!

About the Author

Pathik Shah


Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.