AML policy framework

The law requires written AML policies, directives and procedures, but a framework lifted from a template describes a firm that is not yours, and an auditor sees it at once. We draft the framework to your business model and your risk assessment, so it governs what the firm actually does, holds together as one system, and passes the SRO audit. Specific, consistent, and matched to real practice, not a binder of generic documents.

At a glance

The rulebook of what the firm actually does.

Drafted to your business, not from a template.

  • What it is: Policies, directives, procedures
  • Built on: The institution risk assessment
  • Governs: Onboarding, monitoring, screening
  • Approved by: The governing body
  • Tested by: The annual SRO audit

The essentials

What the policy framework is

The AML policy framework is the set of written policies, directives and procedures a financial intermediary must maintain under the framework around the Anti-Money Laundering Act. It translates the law and the firm’s risk assessment into concrete instructions on identification, risk classification, monitoring, escalation, reporting and training. It is the operational rulebook — the document that says what the firm actually does. Drafted to the firm it is coherent and defensible; lifted from a template it describes someone else and fails the audit.

Who this is for

  • financial intermediaries building their framework from the start;
  • firms whose policies are templated or out of date;
  • firms whose documents contradict their actual practice;
  • firms preparing for an SRO audit that tests the framework.

Where it fits

The framework is built on the risk assessment and governs the onboarding and monitoring controls.

The documents

What the framework contains

The framework is a connected set of documents, sized to the firm. Each governs a part of the AML function and is consistent with the rest.

The AML policy framework and what each document governs (Switzerland, as of June 2026).

Document | Governs
Overarching AML directive | The firm’s whole AML approach
KYC & onboarding procedure | Identification and risk classification
Monitoring & reporting procedure | Alerts, escalation, MROS reporting
Screening & training procedures | Sanctions screening and staff training

The point is not the volume of paper but the coherence of the system: documents that derive from one risk assessment, agree with each other, and describe what the firm genuinely does. A binder of generic policies that contradict practice is a liability; a tight, firm-specific framework is an asset at audit. We build the latter.

How we work

How we draft it

We draft from the firm’s real business and risk, not from a template, and connect the documents into one system.

  1. Step 1: Understand the firm

    Mapping the business model, client base and how the firm actually operates its controls today.

  2. Step 2: Anchor to the risk

    Grounding the framework in the institution-wide risk assessment so the controls respond to real exposure.

  3. Step 3: Draft to the firm

    Writing policies, directives and procedures specific to the firm and consistent with each other.

  4. Step 4: Board approval

    Preparing the framework for genuine ownership and approval by the governing body, documented.

  5. Ongoing: Maintain & defend

    Keeping the framework current and ready for the SRO audit as the business and rules change.

Budget

What it costs

The framework is scoped to the firm’s size and complexity: a small, low-risk intermediary needs a proportionate set of documents, while a large, multi-product firm carries more. It is usually drafted once and maintained, rather than rebuilt each year.

We scope and quote against the firm’s profile. Pricing is on request.

What it takes

What a sound framework requires

A framework that governs the firm and passes the audit rests on:

  • grounding in the firm’s institution-wide risk assessment;
  • documents specific to the business, not a template;
  • internal consistency across all the procedures;
  • a match with what the firm genuinely does;
  • genuine ownership and approval by the governing body.

A policy that says one thing while the firm does another is a finding

The most damaging framework is not the one that is missing a document; it is the one that describes controls the firm does not operate. At audit, the gap between the written policy and the observed practice is exactly what the auditor tests, and a framework that fails that test undermines confidence in everything else. The value of the framework is that it is true: it says what the firm does, and the firm does what it says. We draft for that match, because a polished binder that contradicts practice is worse than no binder at all.

Why Goldblum

The framework, in practice

A framework drafted to the firm, grounded in its risk and matched to its practice is what passes the audit. Building that, and operating it where the firm wants, is the work this firm does.

Specific

Drafted to your firm

Policies written from the firm’s real business and risk assessment, not a template that describes someone else and fails the audit.

Coherent

One system, not a binder

Documents that derive from one risk assessment and agree with each other, so onboarding, monitoring and screening are consistent parts of a whole.

True

Matched to real practice

A framework that says what the firm does and that the firm follows: the match an auditor tests, kept current as the business changes.

Related

Around the framework

Foundation

AML risk assessment

The institution-wide analysis the framework is the operational response to.

The test

SRO audit preparation

Closing gaps before the SRO arrives and liaising through the audit the framework must pass.

Run it for me

External AML officer

The officer who maintains the framework and operates the controls it sets out.

FAQ

AML policy framework: FAQ

01. What is an AML policy framework?
An AML policy framework is the set of written policies, internal directives and operating procedures a financial intermediary must maintain to control money-laundering and terrorist-financing risk. It translates the law and the firm's risk assessment into concrete instructions: how clients are identified and risk-classified, how transactions are monitored, when due diligence is escalated, who decides on a suspicious-activity report, and how staff are trained. It is the operational rulebook of the firm's AML obligations: the document that says what the firm actually does, not just what the law requires.
02. What documents make up the framework?
Typically an overarching AML policy or directive, supported by procedures for KYC and onboarding, for transaction monitoring, for sanctions screening, for escalation and suspicious-activity reporting, and for training, plus the institution-wide risk assessment that drives them. The exact set scales with the firm's size and complexity: a small intermediary needs a proportionate framework, not the volume a large one carries. What matters is that the documents are consistent with each other, grounded in the risk assessment, and reflect what the firm genuinely does. We build the set the firm needs, sized to its business.
03. Why can't I use a template?
Because a template describes a generic firm, and your auditor is examining yours. A framework lifted from a template tends to reference controls the firm does not operate, omit the ones it does, and contradict the firm's actual practice, all of which an auditor sees quickly. The policy framework must reflect the firm's real business model, client base and risk assessment, or it fails its purpose, which is to govern what the firm actually does. Templates are a common root cause of audit findings. We draft to the firm, not from a template.
04. How does the framework relate to the risk assessment?
The risk assessment is the analysis; the policy framework is the response. The assessment identifies where the firm's money-laundering risk concentrates, and the framework sets out how the firm controls it: what due diligence applies where, how monitoring is calibrated, where enhanced measures kick in. Policies written without a risk assessment beneath them are generic and disconnected; policies built on a real assessment are targeted and coherent. The two are designed together, assessment first. We build them as a connected pair so they are consistent by construction.
05. Who has to approve the framework?
The firm's governing body owns and approves the AML framework (it is a management responsibility, not a back-office formality) while the AML officer typically maintains it day to day. Board ownership matters because the framework governs how the firm manages financial-crime risk, and the governing body is accountable for AML compliance. We prepare the framework to a standard the governing body can genuinely own and approve, and document that approval, rather than producing a document the board signs without engaging.
06. How often should the framework be updated?
Whenever the business, the risk or the rules change: a new product, a new client segment, a new market, a regulatory development, or a finding from the SRO audit. A framework written once and left untouched drifts away from what the firm actually does and from the current rules, which an auditor will flag. It is a living set of documents, not a one-off deliverable. We build it to be maintained and review it when the business or the regulatory environment moves, so it stays accurate.
07. Does the framework have to match what the firm actually does?
Yes. That is the single most important property. A framework that describes controls the firm does not operate, or omits controls it does, is worse than useless: it misleads the auditor and exposes the firm. The documents must reflect genuine practice. This is why we draft the framework from the firm's real operations and risk assessment, and why we keep it current as practice evolves. A policy that says one thing while the firm does another is a finding waiting to happen.
08. Will the framework satisfy the SRO audit?
That is what it is built for. The SRO's annual audit tests whether the firm's AML framework meets the standard and is genuinely operated, and the policy framework is the core of what they examine. A framework that is specific to the firm, grounded in the risk assessment, internally consistent and matched to actual practice is what passes; a generic or contradictory one is what generates findings. We build the framework to that standard and can prepare the firm for the audit and liaise through it. See our SRO audit preparation.
09. How does it connect to onboarding, monitoring and screening?
The framework is the layer that governs them. The KYC and onboarding procedures, the transaction-monitoring rules and the sanctions-screening process are all parts of the framework, derived from the risk assessment and bound together by the overarching policy. Built well, the framework makes those controls consistent with each other and with the firm's risk; built as disconnected documents, it leaves gaps between them. We design the framework so onboarding, monitoring and screening are coherent parts of one system, not separate documents that happen to coexist.
10. Can Goldblum draft the framework and run it?
Yes. We draft the AML policy framework to the firm's business model and risk assessment, build it to satisfy the SRO audit, and connect it to onboarding, monitoring and screening so the whole system is coherent. Where the firm wants the framework operated as well as written, our external AML officer mandate maintains it and runs the controls it sets out. We can do the framework alone or as part of the full AML function, whichever the firm needs.

Is your AML framework drafted to your firm?

Tell us your business model and risk profile. A partner drafts an AML policy framework specific to your firm — grounded in the risk assessment and built to pass the SRO audit.