AML policy: how to build a "short" version that business will read

I founded COREDO in 2016, when the demand for clear and effective compliance was just taking shape. Over the years the COREDO team has carried out company registrations in the EU, Asia and the CIS, helped clients obtain financial licences in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai, and has also built hundreds of effective AML programmes. The more complex the environment became — from crypto licensing to correspondent banking — the clearer one pattern became to me: an executive needs a short, clear and practically applicable AML policy that fits on a single page and serves as a daily guide.

My goal is to show how to turn an AML policy from an overloaded document into a tool for managing risk, growth and relationships with banks and investors. Below is a picture of how we at COREDO construct a one-page AML policy for boards of directors and the top executive, what we rely on from a regulatory perspective, which metrics we use, how we automate, and how we deploy solutions across different jurisdictions in the EU, Asia and Africa. This text is not theory: it is based on projects the COREDO team has implemented for payment companies, forex brokers, VASPs and fintech startups across several continents.

A Short AML Policy for Executives


Managers complain about the same thing: hundreds of pages of regulations do not help make a decision on client onboarding, incident escalation, or when communicating with a correspondent bank. When documents are written in “auditor-speak”, they lose their main purpose — managing risk in real time. If instead the manager has a one-page AML policy for leadership in front of them, a clear frame appears: what we check, how we assess risk, who is responsible, what thresholds and deadlines apply.

My experience at COREDO showed that a short AML policy for small and medium-sized businesses speeds up onboarding, reduces the share of false positives in monitoring, and increases partner trust. It is a working matrix: a minimal set of AML requirements, the key elements of AML policy and the risk-based approach briefly for business. If necessary, a detailed “tome” of procedures sits alongside it, but that is a reference for specialists, not for the director.

Creating a one-page AML policy

The solution developed at COREDO is based on international standards and regulatory practice: FATF recommendations, the AMLD5 and AMLD6 requirements for the EU, the Wolfsberg principles, EBA guidance, FCA practice, and local expectations of FIUs and supervisory authorities. We adapt the structure to the client’s jurisdiction and business model, from a VASP in Estonia to a payment institution in Cyprus and an EMI in the United Kingdom. For companies in Asia we take into account MAS (Singapore) requirements and the specifics of onboarding non-residents; for Africa: features of country risk scoring, availability of UBO registers and sanctions lists.

The contents of an AML executive summary for a board of directors fit on one page and look like this:

  • Purpose and scope: whom it applies to, which products and channels are covered (KYP – know your product).
  • Risk appetite statement and AML heatmap: which risks we accept and which we do not.
  • Key policies: KYC/KYB in a simplified format, CDD and EDD on one page, a short PEP risk management policy.
  • Beneficial owner (UBO) checking briefly: methods and data sources.
  • Sanctions screening, brief guidance: OFAC, EU, UN and local lists.
  • Transaction monitoring: rules, thresholds, tuning; alert triage and escalation.
  • Suspicious activity and SAR/STR: what you need to know; FIU reporting requirements.
  • Roles and responsibilities: CCO, lines 1/2/3 of defense; escalation procedures.
  • KPI dashboard: SARs, alerts triaged, time-to-close, FPR and SAR rate; target SLAs.
  • Data protection memo: GDPR, DPIA, retention periods, cross-border transfers, audit logs.
Such a “skeleton” does not replace detailed procedures but sets a management framework and reduces informational noise. COREDO’s practice confirms: when top management has a one-page AML policy for guidance, implementation becomes faster and the discipline of risk appetite is more stable.

What to include in a short AML policy

I start from a minimally sufficient set that can be quickly communicated to owners and the board of directors:

  • KYC/KYB briefly: identification via IDV and biometrics, collection of corporate documents, LEI, address and source-of-funds checks where required. For SDD: a simplified scheme; for EDD: enhanced requests and independent sources.
  • UBO verification: matching with government beneficiary registers (where available), commercial databases, corporate structure and complex groups: UBO checks along the chain, monitoring nominee directors and shell companies; accounting for risks of bearer shares and their prohibitions.
  • Sanctions and PEP screening: sources: OFAC, EU, UN, local lists; PEP screening: classification domestic/foreign/close associates; PEP risk management policy with mandatory EDD and CCO approval.
  • Transaction monitoring: transaction risk scoring, rules and thresholds, tuning to reduce analyst workload, precision/recall tradeoff; alert triage and process optimization; handling false positives and false negatives.
  • Suspicious activity: criteria, SAR/STR formats and filing deadlines, CTR (where applicable), automated generation of SARs and accompanying documents.
  • Client onboarding: AML checklist, onboarding SLAs and KYC refresh cycles, incident escalation and a compliance playbook; vendor due diligence and third-party risk policy.
  • Data and security: GDPR and privacy impact assessment (DPIA) for KYC; document retention periods and record keeping requirements; encryption and security of KYC data in the cloud; access control and audit logs; GDPR compliance when transferring KYC to third parties.

Implementation from startup to group


One fintech startup in Estonia approached us to register as a VASP and to build an AML process designed to scale. The COREDO team developed a template for a short AML policy for the startup, including AML for cryptocurrencies and VASP — the essence on one page: sources of blockchain analytics, on-chain monitoring policies, criteria for high-risk jurisdictions and EDD rules for certain types of addresses. Thanks to RegTech solutions for the short AML policy and clear KPIs (FPR, SAR rate, time-to-close) the company reduced false positives by 38% in three months without loss of quality.

Another example: a payment institution in Cyprus with correspondent banking in the EU and international payments. We implemented compliance for international payments and correspondent accounts: risk taxonomy, country risk scoring, trade-based money laundering indicators and countermeasures for clients’ trade transactions. As a result the correspondent bank approved an expansion of limits subject to independent testing: COREDO prepared the scope and methodology and set the frequency of independent testing with reporting to the board of directors.

Case studies: effectiveness of the short policy

In the United Kingdom the COREDO team adapted a one-page AML policy taking into account FCA guidance and EDD expectations for PEPs and complex structures.
We embedded a KPI dashboard into the monthly package for the CCO: SARs, alerts triaged, time-to-close, percentage of automated cases, share of repeat alerts, as well as AML effectiveness metrics: CTR and SAR rate where appropriate. This increased transparency, and the board of directors received an AML executive summary in a consistent format once a month.
In Singapore we strengthened the focus on KYC refresh cycles and on integrating AML systems with ERP and CRM to synchronize master data.
Internal control and AML reporting for management became more compact: a one-page AML policy for branches and local offices, plus short policy templates for investors and banks.
This approach sped up bank account approvals and improved SLAs for onboarding corporate clients.

Regulatory framework for managers

In my work I rely on FATF recommendations and their impact on company policy: the mandatory risk-based approach, proportionality of controls and independent testing. For the EU: the main AMLD requirements and modernisation through AMLD5/AMLD6: expansion of the list of obliged entities, beneficial owner registers and strengthened sanctions requirements. The Wolfsberg principles help in correspondent banking and standardise due diligence questions between banks and non-bank financial institutions.

Regulators EBA and FCA set standards for the quality of risk management, while the FIU specifies SAR/STR requirements and submission deadlines.
Sanctions lists (OFAC, EU, UN) require regular updating and accuracy testing; sanctions list management and watchlist management are a separate process with data quality controls: completeness and timeliness.
The beneficial owner register and data availability vary by country: I always build in a combination of official registers and commercial sources, as well as UBO verification methods with checks of corporate structure, nominee arrangements and the existence of bearer shares.

Notifications, retention and audit

Requirements for notifying the FIU and regulators, in short: record the triggers for SAR/STR, the responsible persons and the SLAs; retain evidence of how the suspicion was formed and the supporting rationale. Document retention periods should comply with AMLD and local law, with clear record-keeping rules and an end-of-term deletion plan. The frequency of independent testing and audit procedures depends on the risk profile, but I always recommend an annual independent review and quarterly internal control.

In the governance model the role of the CCO and boards of directors is critical: allocation of responsibilities, escalation procedures and a playbook for compliance, and a notification plan when regulation changes.
Such practices simplify communication with auditors and correspondent banks and reduce decision-making time.
The solution developed at COREDO typically includes notification templates and checklists for audits.

How RegTech strengthens the short policy

Automation of AML for small businesses is no longer a luxury. RegTech solutions for a short AML policy cover identification (IDV and biometrics), transaction monitoring, sanctions screening and PEP screening, as well as automated SAR generation. Machine learning and anomaly detection in AML help reduce false positives, and rule tuning to lower analyst workload balances the precision/recall tradeoff.

In COREDO projects we often deploy blockchain analytics for VASP investigations, identifying risk profiles of addresses, mixers and sanctions exposures.
The KPI dashboard consolidates metrics: SAR rate, FPR (false positive rate), time-to-close, share of escalated alerts, precision/recall on core rules.
We measure ROI from RegTech and automation through savings on manual processing, reduced cost of false positives for the business and faster onboarding, which increases sales conversion.
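Added example, not COREDO's code or any of its tooling: a single "large amount" monitoring rule evaluated over a constructed, analyst-labelled sample, to make concrete the precision/recall and FPR tradeoff behind the rule tuning mentioned in the transaction-monitoring bullet above and in the RegTech paragraph here. The sample amounts, candidate thresholds and the recall floor are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    suspicious: bool  # ground truth from analyst review (constructed label)


# Constructed sample of reviewed transactions; amounts and labels are illustrative.
# Several confirmed-suspicious amounts sit just under 10,000, so a rule that only
# looks above a round reporting threshold would miss them.
SAMPLE: List[Txn] = [
    Txn("t01", 120.0, False), Txn("t02", 950.0, False),
    Txn("t03", 4_800.0, False), Txn("t04", 9_700.0, True),
    Txn("t05", 9_900.0, True), Txn("t06", 10_500.0, False),
    Txn("t07", 15_000.0, True), Txn("t08", 2_300.0, False),
    Txn("t09", 9_600.0, False), Txn("t10", 40_000.0, True),
    Txn("t11", 7_000.0, False), Txn("t12", 12_000.0, False),
]


def evaluate_rule(txns: List[Txn], threshold: float) -> Dict[str, float]:
    """Score a 'large amount' rule (alert when amount >= threshold) and return the
    per-rule KPIs a compliance dashboard tracks: alert volume, precision, recall
    and FPR (the share of legitimate transactions that still raise an alert)."""
    tp = sum(1 for t in txns if t.amount >= threshold and t.suspicious)
    fp = sum(1 for t in txns if t.amount >= threshold and not t.suspicious)
    fn = sum(1 for t in txns if t.amount < threshold and t.suspicious)
    tn = sum(1 for t in txns if t.amount < threshold and not t.suspicious)
    alerts = tp + fp
    return {
        "threshold": threshold,
        "alerts": alerts,
        "precision": tp / alerts if alerts else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
        "fpr": fp / (fp + tn) if (fp + tn) else 0.0,
    }


def tune_threshold(txns: List[Txn], candidates: List[float], min_recall: float) -> Dict[str, float]:
    """Choose the candidate threshold with the lowest FPR that still meets the recall
    floor. The floor is the risk-appetite input: how much confirmed suspicious
    activity the business refuses to miss in exchange for fewer alerts."""
    eligible = [e for e in (evaluate_rule(txns, c) for c in candidates) if e["recall"] >= min_recall]
    if not eligible:
        # Tuning cannot rescue a rule that never reaches the floor; the rule design must change.
        raise ValueError("no candidate threshold meets the recall floor")
    return min(eligible, key=lambda e: (e["fpr"], -e["precision"]))


if __name__ == "__main__":
    for thr in (5_000, 9_500, 10_000, 20_000):
        print(evaluate_rule(SAMPLE, thr))
    # A recall floor of 0.9 keeps the threshold at 9,500 (FPR 0.375); relaxing it to 0.5
    # allows 10,000 (FPR 0.25) but silently drops the two just-under-threshold cases.
    print(tune_threshold(SAMPLE, [5_000, 9_500, 10_000, 20_000], 0.9))
```

The same scoring extends to any rule that yields a per-transaction score; the point is that the recall floor, not the alert count, is the governance decision the board should own.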

Integration of AML systems with ERP and CRM is critical for data quality: master data, sources, refreshability, version control. The COREDO team configures PEP/sanctions watchlist management processes so list updates are rolled out safely, with a test environment (AML sandbox and RegTech pilot projects) and rollback in case of incidents. At the same time we strengthen privacy: DPIA, encryption, access control, log audit and cross-border transfers policy.

Implementation plan for the executive

I like to propose a short AML implementation plan for the executive:

  1. Risk assessment and risk appetite statement; building a heatmap.
  2. One-page AML policy and KPI dashboard.
  3. Quick customer risk assessment for small businesses: SDD/CDD/EDD templates.
  4. Configuration of transaction monitoring and alert triage; tuning.
  5. Staff training: microcourses and training for sales and operations teams.
  6. Independent testing: scope and methodology; audit schedule.
  7. Response plan and remediation playbook, including rapid response scenarios for KYC data breaches.
Short policies for branches and local offices speed up scaling and reduce practice divergences.
I add onboarding SLAs and KYC refresh cycles so the team sees time boundaries and priorities.
This approach helps convey AML to executives and owners without overloading them with details.

Outsourcing and scaling: when and how

Outsourcing AML services: when and how is a frequent question.
I see the value in outsourcing sanctions and PEP screening, the second line for alert triage, and independent testing, especially at early stages.
We assess the cost of in-house personnel vs AML outsourcing transparently: the cost of licenses, FTEs for verification, alert handling and filing SAR/STRs, plus pricing models for AML services.

A scalable AML policy as the company grows implies unified standards and local implementations. Compliance when registering legal entities in the EU, Asia, Africa requires taking into account country risk scoring and the availability of UBO data, as well as due diligence requirements in M&A: a short version of the policy for due diligence in M&A, a checklist for checking owners and transactions. Short policy templates for investors and banks increase the chances of getting correspondent accounts approved and attracting financing.

How to assess effectiveness and ROI?

The ROI calculation methodology for a compliance project relies on three pillars: reducing operating costs, protecting revenues, and lowering the cost of risk. I include metrics: FPR, SAR rate, alerts per analyst per day, time-to-close, precision/recall for key scenarios, share of automated cases and repeat alerts. A KPI dashboard (SARs, alerts triaged, time-to-close) provides the board of directors with a transparent picture.

The cost of false positives for the business shows up as lost time, payment delays and reputational risks.
Fines and the cost of non-compliance: it’s not just regulatory sanctions, but also the closure of correspondent accounts and missed deals; reputational monitoring and crisis PR help if an AML incident does occur.
In COREDO projects we assess the benefits of AML policy and the ROI from implementing RegTech and automation, to link compliance with P&L.

AML policy template: what to include

Here is a short AML policy template for businesses that the COREDO team often adapts to a specific model:

  • Purpose and scope: products, channels, markets; KYP and key risks.
  • Risk appetite statement and heatmap: prohibited segments, EDD thresholds, transaction limits.
  • Identification (KYC/KYB): IDV, biometrics, LEI, list of required documents, SDD/CDD/EDD.
  • UBO verification: registries, commercial databases, corporate structure map, signs of nominee and shell.
  • Sanctions and PEP screening: sources (OFAC, EU, UN), update frequency, escalation and EDD.
  • Transaction monitoring: scenarios, thresholds, tuning, alert triage, documentation of decisions and escalations.
  • Suspicious activity: triggers, SAR/STR formats and timelines, interaction channels with the FIU.
  • Third parties (vendor due diligence): selection criteria, monitoring, control of third-party risk.
  • Data and privacy: GDPR, DPIA, retention periods, encryption, access control, audit logs.
  • Roles and responsibilities: CCO, first and second lines of defense, escalation procedures and allocation of AML responsibilities.
  • Testing and training: frequency of independent testing, scope and methodology; micro-courses for sales and operations teams.
  • Updates and regulatory changes: notification plan, update release process, AML sandbox and piloting.

This template does not replace detailed standard operating procedures, but allows the board of directors and senior management to stay on course. For M&A we add a short version of the policy focused on vetting owners, transaction histories and the sanctions profile of the assets being acquired.

How COREDO implements and maintains AML policy

The COREDO team has carried out projects in the EU, Asia and the CIS – from company formation to obtaining financial licenses: crypto (VASP), forex, payment services, as well as establishing banking and correspondent relationships. In the Czech Republic and Slovakia we assist companies in obtaining local authorisations, in Estonia we build AML for crypto services using blockchain analytics, in Cyprus we prepare payment institutions and EMI for central bank requirements. In the UK we adapt practices to the FCA, in Singapore to the MAS, in Dubai to local supervision and the specifics of international settlements.

Our experience at COREDO has shown that resilience to AML risks is built on three things: a clear risk appetite, execution discipline and meticulous work with data.
I help boards of directors see the full picture and enable operational teams to rely on short, precise instructions.
Outsourcing certain functions, independent testing, staff training and regular audits form an ecosystem in which the AML policy remains a living, understandable and manageable document.

Make AML a growth tool

Compliance shouldn’t slow the business down. A short AML policy is a way to align management, risk management, sales and operations teams around a clear map of risks and decisions. When a policy fits on one page, with clear procedures, KPIs and technologies beneath it: you speed up onboarding, maintain access to international payments and strengthen the trust of banks and investors.

If you are planning to register a company in the EU, Asia or Africa, are obtaining crypto, payment, forex or Banking licenses, or want to rebuild AML for new markets, the solution developed at COREDO will embed a short policy into your operating model.
Start with a one-page AML policy for management, set metrics and test them in a pilot.
Then scale up: confidently and transparently, with the support of the COREDO team, which is used to being accountable for results at every stage.

COREDO – EU Legal & Compliance Services Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
