I have been leading COREDO since 2016 and every quarter I see the same thing: companies that treat the fight against money laundering (AML) as “a checkbox for the regulator” end up paying a high price for it — from account freezes and halted operations to prolonged inspections and the loss of partners. AML compliance works as an asset when it is embedded in a growth strategy, rather than living in a separate file on a server. When the COREDO team implements AML processes taking into account the specifics of the jurisdiction, business models and IT architecture, clients receive not only licenses and peace of mind during inspections, but measurable efficiency — reduced false positives, faster onboarding and a better ROI on investments in AML technologies.
Regulatory guidelines are clear: recommendations of FATF, EU directives AMLD5/AMLD6, EBA guidance, principles of the Wolfsberg Group. But a dry list of requirements rarely leads to a working system. The solution developed at COREDO always relies on a risk-based approach (RBA), a clear Risk Appetite Statement and transparent AML team KPIs. I call this “operational compliance”: not only do we comply, but we also bring value to the business.
RBA in AML compliance

RBA mistakes and how to avoid them
- Mixing product and customer risks into a single scoring. I separate these dimensions; otherwise we lose transparency and explainability.
- Lack of a Risk Appetite Statement for AML. Without it, escalation and investigations become chaotic.
- Universal rules that don’t consider the National Risk Assessment (NRA) of operating jurisdictions. The COREDO team always calibrates rules to the specific country and sector.
- Underestimating false negative risk. We include stress tests and red-teaming to uncover blind spots.
- Errors in customer risk scoring algorithms. Validation and periodic review of factor weights address this issue.
Mistakes in developing AML policies

Each of these mistakes regularly occurs in real projects, and each can be fixed with a simple but disciplined approach.
- AML policies not tied to operational reality. The policy describes an ideal, but procedures and systems do not support it. I ensure full alignment across policy, procedure, control and data.
- Typical KYC mistakes in a client’s policy. Insufficient verification of documentary evidence, lack of dynamic data updates, ignoring LEI. We connect reliable data sources and set update frequency according to risk level.
- Shortcomings in the policy for identifying beneficial owners. Errors arise when using only registries. I add a cascading approach: corporate trees, independent sources, verification of indirect control.
- Errors in screening PEPs and sanctions lists. Incomplete sources, infrequent updates, narrow matching algorithms. At COREDO we build multi‑source screening, take into account the sanctions list update frequency and flexibly configure fuzzy matching.
- Errors when configuring transaction monitoring. Universal thresholds lead to an avalanche of false positives, while excessive filtering leads to missing suspicious schemes. I apply alert tuning, analysis of the economic efficiency of rules and Explainable AI.
- How to set up SAR/STR procedures without errors. Clear escalation criteria, deadlines, roles, case management and quality control. We build standard templates and train analysts to work with the FIU.
- Mistakes in the risk appetite statement for AML. Uncertainty creates delays and paralysis in decision-making. I document the principles and threshold values at the board level.
- Insufficient customer segmentation in CDD. One size does not fit all. In COREDO projects segmentation is based on behavior, geography, product and channel.
- The impact of shortcomings in data recording and storage on STR investigations. Without a quality retention policy and audit trail, investigations stall. We implement data quality and MDM practices.
- Why an independent AML audit is mandatory. An external view reveals model drift, process conflicts and weak spots in governance. I schedule an audit annually and after major changes.
Implementing an AML policy in the company

My principle is simple: I don’t implement a policy until I see how it “works through” the system from onboarding to the report to the FIU. Each role understands its tasks, and integrations and access rights are exercised on test scenarios.
ERP/CRM implementation roadmap
- Audit of current systems, data catalog, API integration map, assessment of real-time monitoring vs batch processing.
- Setting up role‑based access control and segregation of duties to eliminate conflicting duties.
- Integration of KYC services and sanctions providers with ERP/CRM and the front office.
- Testing end-to-end scenarios: onboarding, data updates, escalation, SAR/STR.
- Documentation, version control, training, and go-live with metrics for alert disposition.
TMS configuration: rules and results
SAR/STR: Case management and escalation
KYC, CDD and EDD: depth and control

KYC is not a form but a process. It begins with proper segmentation, continues with collecting documentary evidence and ends with the continuous updating of the client’s profile. CDD is the basic level of verification; EDD is the enhanced level for high-risk clients and complex structures.
Client risk segmentation
Insufficient client segmentation in the CDD methodology leads to unjustified workload and gaps. I apply a customer risk rating that takes into account the industry, country, product, channel, counterparty type, PEP status and sanctions risks.
Beneficial owners, LEI and evidence
Identifying beneficial owners is an area where mistakes are often made. I use a multi-layered methodology: registries, corporate trees, contractual links and signs of indirect influence. LEI speeds up legal entity verification and facilitates matching. For CDD/EDD it is important to accumulate documentary evidence with clear controls on timeliness and sources.
Depth of PEP and sanctions screening
PEP screening and sanctions screening require up-to-date sources and flexible algorithms. We set the sanctions list update frequency, use multiple data providers and configure fuzzy matching with control of false negative risk.
GDPR and cross-border data transfers

Without a data culture, AML processes lose effectiveness. I start with data quality and master data management: consolidation of reference data, field quality control, automatic validators, unified identifiers. The audit trail records all actions, and the retention policy accounts for retention periods by jurisdiction and processing purpose.
GDPR: security and access
For cross-border data transfers I assess legal bases, standard contractual clauses and local restrictions. Cloud-based AML solutions provide flexibility if RBAC, encryption and monitoring are configured correctly.
Role of the board in governance
Governance and oversight shape the compliance culture. I ensure board engagement: approval of the Risk Appetite Statement, review of KRIs and KPIs, AML officer reports and a development plan.
AML officer independence and training
Third-party management
Outsourcing AML functions helps to scale, but typical mistakes include unclear SLAs, lack of quality control and a weak data access model. I build third‑party risk management and vendor due diligence: provider assessment, test assignments, KPIs, sample case audits, and a contingency plan.
Preparation for FIU and regulator inspections
Why is an independent AML audit mandatory, and what should be avoided? An external assessment will reveal gaps the internal team doesn’t notice because of a “jaded” view. I use realistic testing and red‑teaming of AML policies to ensure scenarios actually catch risk typologies.
AML Technologies and Effectiveness
The business expects measurable results. Therefore, I build KPIs and performance metrics for the AML team:
- Alert disposition metrics: false positive rate, average processing time, escalation rate, confirmed case rate, share of SARs/STRs.
- Backlog remediation: a plan to reduce backlog and keep it within SLA.
- Cost‑benefit analysis for AML solutions: cost per alert, cost per SAR, cost-effectiveness of monitoring rules and models.
- KRI: percentage of high-risk customers, percentage of customers with EDD, sanctions match rate.
Crypto AML and VASP specifics
For providers of virtual assets the Travel Rule, on‑chain analytics and integration of address risks into the TMS are important. Common mistakes in virtual asset service provider (VASP) policies include ignoring mixer chains, weak counterparty due diligence and lack of procedures for high‑risk jurisdictions. We implement real‑time monitoring, sources of address and route risk assessments, and STR procedures for higher‑risk transactions.
- insufficient training dataset,
- lack of model validation and drift monitoring.
The COREDO team sets the MLOps standard for AML: data versioning, result replication, Explainable AI and regular retraining.
COREDO cases in the EU, Asia and the CIS
- EMI license in the EU and TMS integration. A client with a product in the Czech Republic and Slovakia was preparing for licensing in one of the EU countries. The COREDO team implemented RBA and a Risk Appetite Statement, and deployed a TMS with contextual features and Explainable AI. Result: a 42% reduction in false positives, shortening corporate client onboarding from 7 to 3 days, and a successful regulatory review without findings.
- Payment license in Singapore. For the payment services license under MAS we created an AML policy and procedures, taking into account local requirements and the GDPR for cross-border data transfers. The solution developed by COREDO included RBAC, case management and strict SLAs. Outcome: the regulator noted the maturity of governance and the quality of escalations.
- VASP project in Estonia with Travel Rule. A client from the EU was planning expansion to Dubai. We established Crypto AML and Travel Rule processes, conducted vendor due diligence for providers of address risk, set up an independent audit and a regulatory change management plan. Result: flawless STR filing and a successful product launch in several jurisdictions.
How to remediate AML violations
When the FIU or a regulator points out deficiencies, it’s important to respond quickly and in a structured way.
Our experience at COREDO has shown that an effective roadmap consists of the following stages:
- Gap assessment and prioritization by risk and business impact.
- Quick wins: policy updates, alert tuning, eliminating bottlenecks in SAR/STR.
- Strategic changes: review of RBA, update of the Risk Appetite Statement, implementation of KPI/KRI at the board level.
- Data & tech: improving data quality, model validation, drift monitoring, tuning Explainable AI.
- Governance: strengthening the role of the AML officer, updating documentation and version control, a plan for an independent audit.
- Backlog remediation and monitoring the sustainability of changes.
How COREDO supports businesses
When we launch projects, I look beyond just AML compliance. Legal entity registration in the EU, Czech Republic, Slovakia, Cyprus and Estonia, support in the United Kingdom, Singapore and Dubai, is the foundation. Obtaining financial licenses (crypto, payment, forex, banking) requires consistent policies and a mature operating model. The COREDO team builds the entire chain: from corporate structure to AML processes, integrations, training and independent audit.
AML as a competitive advantage
A good AML policy works like navigation: it shows routes, warns about risks and helps you move faster. AML compliance delivers business results when it relies on a mature RBA, a clear Risk Appetite Statement, high-quality data and technological discipline. I see client teams start making decisions faster, reduce false positives, ease the burden on the front office and strengthen relationships with banks and regulators.
COREDO builds exactly such a system: practical, measurable and scalable. If you are planning to register a company in the EU, Asia or CIS countries, preparing to obtain a financial license or want to strengthen the fight against money laundering (AML), draw on experience. My team has already solved similar tasks in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai. We speak the language of both business and regulators and turn requirements into working processes – with transparent KPIs, reliable governance and a sustainable ROI.