Across the financial services sector, Anti-Money Laundering (AML) frameworks are almost universally in place. Policies exist, procedures are documented, and risk assessments are completed.
However, regulatory scrutiny is increasingly focused on a different question:
“Are these programs actually operating in practice?”
Recent regulatory and enforcement themes indicate that, in many cases, the answer is no.
The Core Failure: Execution, Not Design
Most firms have taken the initial step of building AML/CTF programs aligned to legislative requirements. This typically includes:
- AML/CTF policies and procedures
- Customer identification programs (KYC)
- Risk assessments
- Training frameworks
On paper, these elements meet compliance expectations.
The failure arises in how these controls are executed day-to-day. AFCA systemic issue findings consistently highlight that governance failures are not driven by missing frameworks, but by weak operational execution and ineffective controls.
This creates a disconnect between:
What the framework says should happen.
and
What the business actually does.
What Is Breaking in Practice
Where AML programs are not properly operationalised, the same patterns emerge across firms:
- KYC performed inconsistently — documentation collected but not verified, or not refreshed over time
- Ongoing customer due diligence not conducted — risk profiles remain static despite changing client behaviour
- Transaction monitoring ineffective or absent — alerts not generated, reviewed, or escalated
- Suspicious activity not assessed — no clear decision-making framework for identifying and reporting concerns
In many cases, firms believe they are compliant because requirements have been documented, but there is limited evidence of actual monitoring or intervention.
Why This Matters: Effectiveness Is the Regulatory Test
Regulators are no longer assessing AML compliance based on documentation alone. The focus has shifted to effectiveness.
AFCA and broader regulatory insights emphasise that firms must demonstrate that their frameworks:
- Identify real risks
- Operate consistently across the organisation
- Trigger timely escalation when issues arise
Where controls exist but are not functioning, this is viewed as a control failure, not a documentation issue.
This has significant implications — weak execution means risks go undetected, and firms may unknowingly facilitate financial crime or fail to meet reporting obligations.
The Structural Risk: False Comfort from Frameworks
A key issue across many organisations is the reliance on an AML program as evidence of compliance.
This creates a false sense of assurance:
- Policies are approved and reviewed annually
- Training has been delivered
- Systems are in place
However, without testing whether these elements are actually operating, firms cannot confirm whether risks are being managed.
Regulatory findings continue to highlight that frameworks that “exist but do not function” are a recurring governance failure across financial services.
What Regulators Are Actually Testing
In practice, regulators are now testing AML programs at the operational level.
This includes assessing:
- Evidence of ongoing monitoring activity
- Whether alerts are generated, reviewed, and actioned
- Documentation supporting suspicious matter assessments
- Timeliness and rationale of escalation decisions
- Staff understanding of AML obligations in real scenarios
- Effectiveness of training in driving behaviour
The key test is simple:
Can the firm demonstrate that its AML controls are actively working?
If not, the program will be considered ineffective — regardless of how well it is documented.
The Structural Problem: Static Programs in a Dynamic Risk Environment
Money laundering risk is dynamic. Customer behaviour changes, products evolve, and transaction patterns shift over time.
However, many AML programs are treated as static compliance documents, resulting in:
- Outdated risk assessments
- Controls not aligned to current business activities
- Monitoring rules not calibrated to actual risk exposure
- Limited integration with operational workflows
This leads to a situation in which the AML framework no longer reflects the business’s real risk profile.
What Good Looks Like
Leading firms are shifting their approach from AML documentation to AML operational effectiveness.
This includes:
- Active transaction monitoring frameworks with defined review and escalation workflows
- Regular refresh of customer risk profiles and KYC data
- Documented decision processes for assessing suspicious activity
- Clear thresholds and triggers for escalation and reporting
- Integration of AML controls into day-to-day operations
- Periodic independent testing of the AML program effectiveness
- Training aligned to real scenarios, not just policy awareness
The focus moves from:
“Do we have an AML program?”
to
“Is our AML program actively identifying and responding to risk?”
AICS Perspective
From an AICS standpoint, AML risk exposure is increasingly tied to control effectiveness rather than framework design.
Regulators expect firms to demonstrate that:
- Controls are operating as intended
- Risks are being actively monitored
- Issues are escalated and addressed in real time
Where firms rely on static documentation without operational evidence, AML programs will fail regulatory scrutiny.
The standard is clear:
“An AML framework must function as a live control environment, not a static compliance document.”
Call To Action
If your AML program cannot demonstrate that monitoring and escalation are actively occurring, it presents a material compliance risk.
Many frameworks satisfy documentation requirements but fail in execution, with limited evidence of ongoing monitoring, risk reassessment, or evaluation of suspicious matters. Regulators are now focused on control effectiveness, not program existence.
AICS assists firms in assessing and strengthening AML operational frameworks, ensuring controls function as intended and risks are actively identified and managed.
If you would like to review the effectiveness of your AML program, click here to contact Cheyenne and the team, email [email protected] or call 07 3251 2481.
References
- Australian Financial Complaints Authority (AFCA), Systemic Issues Insights Report (FY2025–26)
Read insight - Australian Financial Complaints Authority (AFCA), Guide to Systemic Issues
View guidance
