Case Study: One Program, Two Gaps
Luc was midway through his quarterly review when he came across a case involving a small EU-based MSB. At first glance, their AML compliance framework appeared well-structured: procedures for filing suspicious transaction reports, internal controls for identifying red flags, and regular customer monitoring. All employees underwent online AML training every January and July, covering essential regulatory updates and risk awareness.
However, two elements raised concern.
First, while employees received their AML training via the firm's e-learning platform, the board of directors received the same core content in a different format. They attended a live in-person session conducted by the compliance officer, supported by a visiting subject matter expert. There was no superfluous content—just a practical, focused briefing tailored to the board’s governance responsibilities.
Second, and more critically, the same compliance officer responsible for designing and running the AML program was assigned to conduct the annual audit of that program.
Luc brought these points to his colleagues Ella and Marcus—senior compliance professionals at the same EU-based institution.
Ella addressed the training issue first:
"The delivery method isn't inherently problematic—as long as the learning objectives, depth of content, and evaluation are tailored and equivalent in effectiveness for each audience's specific responsibilities. But it’s important to document attendance, feedback, and outcomes consistently across formats."
Marcus focused on the audit:
"That’s the bigger risk. Independence is a core principle in testing. You can’t objectively evaluate a program you manage. Even in small firms, there must be separation—whether through internal audit or outsourcing."
Luc drafted his internal recommendations: standardize how training outcomes are documented for all staff and directors, and, more importantly, reassign the annual AML audit to an independent party. These steps would enhance transparency, credibility, and regulatory resilience.
Regulatory Insight: What Regulators Expect in Small-Firm AML Programs
Regulators understand that smaller financial institutions may have limited resources. However, core expectations for AML compliance remain unchanged—including robust training and truly independent program testing.
Training: Flexibility in Format, Consistency in Substance
AML training may vary in delivery format across employee groups, but to be effective and compliant, it must:
- Convey current, role-specific AML risks and obligations.
- Be documented, with participant tracking and record retention.
- Include evaluation mechanisms to assess comprehension and retention.
- Apply equally to senior management and board members, who must understand their oversight responsibilities under national AML legislation.
No Self-Auditing
Under EU law—particularly the 6th Anti-Money Laundering Directive (6AMLD)—AML programs must undergo independent testing to ensure their design and operation are effective. This means:
- The compliance officer cannot audit the program they are responsible for implementing.
- Testing should be carried out by internal audit, an independent function, or a qualified third party.
- Testing must be periodic and risk-based, documented, and include remediation of identified gaps.
- Regulatory findings related to a lack of independence in AML program audits are common and can lead to significant penalties.
Follow-Up & Continuous Improvement
Both training and testing processes should feed into continuous improvement:
- Training gaps or low scores may prompt refresher courses or updated content.
- Testing findings should lead to policy changes, enhanced controls, or workflow updates.
- Institutions must demonstrate a feedback loop between identified weaknesses and corrective action.
Conclusion
An AML program’s credibility lies in its execution—and in how well that execution is independently verified. Using different training formats is perfectly acceptable, provided the standards and learning outcomes are aligned. But assigning the compliance officer to audit their own program compromises both objectivity and regulatory trust.
By ensuring separation of roles, documenting training impact, and embedding feedback loops, even the smallest firms can build a program that’s compliant, resilient, and ready for scrutiny. As the EU tightens its AML framework, consistency—and independence—will count more than ever.