AML implementation planning meeting focused on governance, controls and compliance rollout

How to sequence your AML implementation plan

AML Insights
April 07, 20267 min read

Introduction

Many AML programs do not struggle because businesses are unwilling to act. They struggle because the work starts in the wrong place.

A business buys software before it understands its risk. It drafts policies before roles are clear. It trains staff before workflows are settled. Each step looks productive in isolation, but the result is usually the same: rework, confusion, weak control design, and a program that does not fit how the business actually operates.

That is the problem with poor sequencing.

AML implementation works best when it is approached as a structured uplift, not a collection of disconnected compliance tasks. The order matters. If you get the foundations right first, the rest of the program becomes clearer, more proportionate, and far more workable in practice. That is the central logic running through your draft: start with risk and operating reality, then move through governance, control design, technology, documentation, training, testing, and review.

Start with the business, not the policy

Before drafting documents or selecting tools, the business needs to understand its own risk profile.

That means looking closely at how the business actually operates: the services it provides, the customer types it deals with, the jurisdictions it touches, the way funds or assets move, and the points at which exposure is most likely to arise. Without that foundation, the business is effectively guessing at which controls matter and why.

This first stage should not be treated as a paper exercise. It should be grounded in operational reality.

How are customers onboarded now?
Who approves exceptions?
What information is already collected?
Where are staff relying on judgement rather than structured guidance?
Where are key decisions being made without consistent documentation?

Those questions matter because AML programs only work when they reflect the real workflow of the business, not an idealised version of it.

Set governance and accountability early

Once the risk picture is clear, the next step is governance.

Someone needs to own implementation. Someone needs to own oversight. Escalation pathways need to be clear. Leadership needs visibility of higher-risk issues, and the business needs to know who makes decisions when standard processes are no longer enough.

If governance is left until later, implementation often fragments. Legal assumes compliance is leading it. Operations assumes legal is handling it. Management assumes the framework is progressing. In reality, no one is driving it properly.

Strong AML implementation requires visible accountability from the outset. That includes role clarity, escalation points, and a clear understanding of how issues will move up to decision-makers when risk increases or controls are not working as intended.

Design controls before choosing technology

Only after risk and governance are understood should the business move into control design.

This is where the program begins to take practical shape. Customer due diligence, beneficial ownership checks, risk rating logic, enhanced due diligence triggers, ongoing monitoring, record-keeping, suspicious matter escalation, and review arrangements should all be designed around the business’s actual risk profile.

This is also where many businesses make a costly mistake. They adopt generic controls because they look standard or familiar. But standard controls are not always suitable controls.

A process that is too complex for a lean business will not be followed consistently. A process that is too light for higher-risk work will not hold up under scrutiny. Controls need to be proportionate, usable, and aligned to actual operating conditions.

That is why sequencing matters. Control design should follow risk and governance, not precede them.

Use technology to support the framework, not define it

Technology has an important role in AML implementation. But it should support the operating model, not determine it.

Once the business knows what it needs its framework to do, it can make better decisions about software and systems. Does it need onboarding workflow support, screening capability, monitoring functionality, case management, audit trails, record retention, reporting, or a combination of these? What decisions should remain human-led? What data points matter to risk settings? What needs to be escalated rather than automated? These are design questions first, technology questions second.

When software is selected too early, businesses often end up shaping the program around the limitations of the tool. That may create efficiency, but not necessarily effectiveness. A stronger approach is to design the framework first, then choose technology that supports it properly.

Document the program once the operating model is clear

Documentation matters, but it should reflect the agreed framework rather than substitute for it.

Policies are important. Procedures are equally important. A policy may state that enhanced due diligence is required in higher-risk matters. A procedure needs to explain when that threshold is met, who conducts the additional review, what information is required, who signs off, and how the decision is recorded.

Programs begin to fail when businesses treat policy drafting as though it completes the work. It does not. Documentation should capture the design of the program, not mask the absence of one.

Train people against real workflows

Training should follow the design of the actual controls.

Too often, businesses train staff against draft concepts before processes are settled. The result is usually superficial awareness but low operational confidence. Staff may understand the vocabulary of AML, but not what they are expected to do in their role.

Training is most effective when it is tied directly to real workflows and responsibilities. Frontline staff need to know what to collect, what to identify, and what to escalate. Decision-makers need to understand risk tolerance, governance responsibilities, and when exceptions require formal attention. Senior leaders need to understand their accountability for oversight and program integrity.

Training should not be delivered as a generic compliance event. It should be embedded into the operating model the business expects people to follow.

Test before you assume the program is live

Before the business treats the program as operational, it should test it.

Walk through sample onboarding matters. Review hypothetical higher-risk scenarios. Test how alerts are handled. Check whether staff understand escalation points. Look for friction, ambiguity, and undocumented workarounds.

This is often where the real weaknesses appear.

A process may look coherent on paper but collapse under actual use. A decision pathway may appear clear until responsibility crosses teams. A control may look proportionate until it proves too burdensome to apply consistently. Testing is where the business learns whether the framework is workable, not merely well written.

Go live with oversight, then review and refine

Implementation does not end at go-live.

Early-stage operation almost always reveals issues that need attention. Thresholds may need adjustment. Procedures may need tightening. Some controls may prove too weak. Others may be too cumbersome. A sensible review period after implementation is essential if the business wants a functioning program rather than a static one.

In practical terms, the sequence is straightforward:

  • Understand the business and its risk.

  • Set governance and accountability.

  • Design the controls.

  • Choose and configure supporting technology.

  • Document the framework.

  • Train by role.

  • Test the workflows.

  • Go live with active oversight.

  • Review and refine.

That order is not bureaucratic. It is efficient. It reduces duplication, improves clarity, and gives the business a far better chance of building a program people can actually operate. That sequencing structure is the core of your original draft and remains the strongest organising logic for the article.

Final thought

AML implementation does not need everything done at once. It needs the right things done first.

Businesses that start with risk, governance, and control design generally build stronger, more defensible programs. Businesses that start with software, policy templates, or fragmented activity often end up circling back to fix the foundations later.

That is usually the difference between a workable AML program and a collection of disconnected compliance tasks.

If you want a clearer implementation pathway, Integrity Solve can help assess your current position, prioritise the uplift work, and build a more workable AML framework.

AMLAML imlementationTranche 2AUSTRACmoney launderingfinancial crimeFirst AMLAML HubInfotrackrisk managementAML governanceAML risk
Daniel Baulch is the founder of Integrity Solve and an experienced investigations, governance, risk and compliance executive. He writes on AML implementation, financial crime risk, investigative capability, and practical compliance frameworks for business and government.

Daniel Baulch

Daniel Baulch is the founder of Integrity Solve and an experienced investigations, governance, risk and compliance executive. He writes on AML implementation, financial crime risk, investigative capability, and practical compliance frameworks for business and government.

LinkedIn logo icon
Back to Blog