AML Controls for Fintech CFOs: Financial Crime Frameworks That Satisfy Auditors

FCA & Regulatory

AML as a CFO Responsibility

Executive summary: Financial crime compliance is simultaneously a regulatory obligation, a material operational cost, and a board-level risk with personal liability implications for senior managers. CFOs at regulated fintech businesses need a working understanding of the four operational pillars (CDD, transaction monitoring, SARs, and internal governance), the cost benchmarks for different business types, and the personal liability framework under the Economic Crime Act 2022.

The conventional view of AML compliance is that it sits with the MLRO and the compliance team, not with the CFO. This view is increasingly inadequate. Financial crime compliance is one of the most significant operational cost lines in any regulated fintech, typically consuming 1 to 5% of revenue depending on business type. The cost decisions (how many compliance analysts to employ, which technology to use for transaction monitoring, how to scope the CDD programme) are financial decisions with material P&L implications. And the personal liability framework for senior managers has expanded significantly under recent legislation.

This article provides a CFO-oriented overview of the UK AML framework, the cost structure of a compliant AML programme, and the personal liability considerations that make this a board-level issue rather than a delegated operational one.

The UK AML Framework: Who It Applies To

The primary UK AML legislation is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as amended. The MLR 2017 applies to a defined list of regulated businesses, including all FCA-authorised firms. For fintech businesses, the relevant categories are:

  • Credit institutions: Banks, building societies, and firms with permission to accept deposits
  • Financial institutions: Payment institutions, electronic money institutions, investment firms, consumer credit firms, and others with FCA authorisation
  • Cryptoasset businesses: From January 2020, firms carrying on cryptoasset activities for UK customers must register with HMRC under the MLR 2017 (separate from FCA authorisation for investment activities)

The Proceeds of Crime Act 2002 (POCA) applies more broadly, imposing obligations on all businesses to report known or suspected money laundering through the SAR regime. The Terrorism Act 2000 imposes equivalent obligations in relation to terrorist financing. Together, POCA and the Terrorism Act create obligations that extend beyond the regulated sector.

CDD: Customer Due Diligence

CDD is the process by which a regulated firm verifies the identity of its customers, understands the nature of the business relationship, and assesses the money laundering and terrorist financing risk that each customer presents. The MLR 2017 requires CDD to be applied before establishing a business relationship and to be kept up to date throughout the relationship.

Standard CDD

Standard CDD applies to all customers where there is no basis for either simplification or enhancement. It requires: verification of the customer's identity (name, date of birth, address for individuals; name, registered number, and registered address for companies); understanding of the purpose and nature of the business relationship; and assessment of the customer's risk level. For digital businesses, standard CDD is typically completed through electronic verification using credit reference agency data (Experian, Equifax) or document verification technology.

Simplified CDD

Simplified CDD may be applied where the customer presents a lower risk of money laundering, as assessed by the firm's risk methodology. Typical examples include listed companies, UK regulated firms, government bodies, and other lower-risk entity types specified in the MLR 2017. Simplified CDD does not mean no CDD: it means a proportionately reduced level of verification and ongoing monitoring.

Enhanced CDD

Enhanced CDD (EDD) is mandatory for higher-risk customers and business relationships. The MLR 2017 specifies categories where EDD is always required: high-risk third countries (as defined by the FATF blacklist); politically exposed persons (PEPs) and their associates; and correspondent banking relationships. For most fintech businesses, EDD is most commonly applied to PEPs, business customers in high-risk jurisdictions, and customers whose transaction patterns suggest elevated risk.

EDD requires obtaining additional information and scrutiny beyond standard CDD. In practice, this means: enhanced identity verification; source of wealth and source of funds documentation; senior management approval for onboarding; and enhanced ongoing monitoring. The cost of EDD for a single business customer can be £200 to £500 in staff time and third-party data costs.

Transaction Monitoring

Transaction monitoring is the ongoing process of reviewing customer transactions to identify patterns that may indicate money laundering, terrorist financing, or other financial crime. It is a legal obligation under the MLR 2017 and a practical necessity for managing regulatory risk.

Rule-based vs ML-based monitoring

There are two broad approaches to transaction monitoring. Rule-based systems generate alerts when transactions meet predefined criteria (e.g. cash transactions above a threshold, transactions to high-risk jurisdictions, unusual velocity relative to historical patterns). ML-based systems use machine learning algorithms to identify anomalies in transaction patterns without predefined rules, typically generating fewer false positives but requiring more data and more sophisticated infrastructure.

Most fintech businesses at Series A and B use rule-based systems, supplemented by manual review for complex cases. ML-based systems become cost-effective at higher transaction volumes and where the false positive rate of rule-based systems is generating unmanageable alert volumes for the compliance team.

  • Rule-Based Monitoring (Standard): Lower cost; predefined triggers; higher false positive rate; appropriate at lower volumes
  • ML-Based Monitoring (Advanced): Lower false positives; higher implementation cost; requires significant transaction data
  • Alert Review (Manual): Each alert requires human review; the alert management process is a significant staffing cost driver
  • Review Outcome (Dismiss or SAR): Each alert is either dismissed with documentation or escalated to potential SAR submission

Key triggers and thresholds

Standard transaction monitoring triggers for a payments or fintech business include: cash transactions above £10,000 (or multiple transactions that collectively exceed this threshold); transactions to or from FATF high-risk or blacklisted jurisdictions; unusual velocity (more transactions than expected given the customer's profile); structuring (multiple transactions just below reporting thresholds); and transactions inconsistent with the stated purpose of the business relationship.
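The rule-based approach described above, worked through as an added example (this is not code from the original article or from any vendor's monitoring platform). It implements the triggers the article lists, the £10,000 cash threshold, aggregated sub-threshold cash, structuring just below the threshold, high-risk counterparty jurisdictions and velocity against the customer's CDD profile, over a constructed batch of transactions. The structuring band, the minimum count, the velocity multiplier, the placeholder jurisdiction codes and the customer profiles are all assumptions chosen for the demonstration, not a real FATF list or any firm's calibration; the point is to show how such rules are expressed, and why the per-rule alert counts are what a compliance team tunes to control false-positive volume.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Rule parameters. The GBP 10,000 cash threshold, high-risk jurisdiction,
# velocity and structuring triggers follow the article; the band, counts,
# multiplier and country codes below are constructed placeholders.
CASH_THRESHOLD = 10_000.00
STRUCTURING_BAND = (9_000.00, CASH_THRESHOLD)   # "just below" the threshold
STRUCTURING_MIN_COUNT = 3                        # per customer per day
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}           # placeholder codes, not a real list
VELOCITY_MULTIPLIER = 3                          # times the expected monthly count


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    customer_id: str
    timestamp: datetime
    amount: float
    kind: str                  # "cash" or "transfer"
    counterparty_country: str  # ISO-style code; placeholder values in the sample


@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    tx_ids: tuple
    detail: str


def run_rules(transactions, expected_monthly_tx):
    """Apply the rule set to a batch and return the alerts it raises.

    expected_monthly_tx maps customer_id -> expected transactions per month,
    which in practice comes from the CDD profile (constructed values here).
    """
    alerts = []
    by_customer = defaultdict(list)
    for tx in transactions:
        by_customer[tx.customer_id].append(tx)

    for cid, txs in by_customer.items():
        # Rule 1: a single cash transaction at or above the threshold.
        # Rule 2: any transaction with a high-risk counterparty jurisdiction.
        for tx in txs:
            if tx.kind == "cash" and tx.amount >= CASH_THRESHOLD:
                alerts.append(Alert("cash_threshold", cid, (tx.tx_id,),
                                    f"cash {tx.amount:.2f} >= {CASH_THRESHOLD:.2f}"))
            if tx.counterparty_country in HIGH_RISK_JURISDICTIONS:
                alerts.append(Alert("high_risk_jurisdiction", cid, (tx.tx_id,),
                                    f"counterparty in {tx.counterparty_country}"))

        # Rules 3 and 4 look at cash transactions grouped by calendar day.
        cash_by_day = defaultdict(list)
        for tx in txs:
            if tx.kind == "cash":
                cash_by_day[tx.timestamp.date()].append(tx)
        for day, day_txs in cash_by_day.items():
            total = sum(t.amount for t in day_txs)
            # Rule 3: sub-threshold cash that collectively reaches the threshold.
            if total >= CASH_THRESHOLD and all(t.amount < CASH_THRESHOLD for t in day_txs):
                alerts.append(Alert("cash_aggregate", cid, tuple(t.tx_id for t in day_txs),
                                    f"{len(day_txs)} cash tx on {day} total {total:.2f}"))
            # Rule 4: structuring, repeated amounts just below the threshold.
            in_band = [t for t in day_txs
                       if STRUCTURING_BAND[0] <= t.amount < STRUCTURING_BAND[1]]
            if len(in_band) >= STRUCTURING_MIN_COUNT:
                alerts.append(Alert("structuring", cid, tuple(t.tx_id for t in in_band),
                                    f"{len(in_band)} cash tx in band {STRUCTURING_BAND}"))

        # Rule 5: velocity, a monthly count far above the customer's profile.
        expected = expected_monthly_tx.get(cid)
        if expected is not None:
            per_month = Counter(tx.timestamp.strftime("%Y-%m") for tx in txs)
            for month, count in per_month.items():
                if count > VELOCITY_MULTIPLIER * expected:
                    ids = tuple(t.tx_id for t in txs if t.timestamp.strftime("%Y-%m") == month)
                    alerts.append(Alert("velocity", cid, ids,
                                        f"{count} tx in {month}, expected about {expected}"))
    return alerts


def alert_summary(alerts):
    """Alerts per rule: the first number to look at when tuning false positives."""
    return dict(Counter(a.rule for a in alerts))


# Constructed sample batch; customer ids, amounts and dates are made up.
SAMPLE_PROFILE = {"C001": 20, "C002": 10, "C003": 5}
SAMPLE_TRANSACTIONS = [
    Transaction("t1", "C001", datetime(2025, 3, 3, 10, 0), 12_000.00, "cash", "GB"),
    Transaction("t2", "C001", datetime(2025, 3, 4, 11, 0), 2_500.00, "transfer", "XX"),
    Transaction("t3", "C002", datetime(2025, 3, 5, 9, 0), 9_500.00, "cash", "GB"),
    Transaction("t4", "C002", datetime(2025, 3, 5, 12, 0), 9_700.00, "cash", "GB"),
    Transaction("t5", "C002", datetime(2025, 3, 5, 16, 0), 9_800.00, "cash", "GB"),
] + [
    Transaction(f"v{i}", "C003", datetime(2025, 3, 1 + i, 9, 0), 100.00, "transfer", "GB")
    for i in range(16)
]

if __name__ == "__main__":
    found = run_rules(SAMPLE_TRANSACTIONS, SAMPLE_PROFILE)
    for a in found:
        print(f"{a.rule:<22} {a.customer_id} {a.tx_ids} {a.detail}")
    print(alert_summary(found))
```

Each Alert carries the transaction ids that caused it, which is what an analyst needs to document a dismissal or build a SAR; a rule that fires without that evidence trail is a staffing cost with no audit value. Note that C002 triggers both the aggregate and the structuring rule on the same day, which is deliberate: overlapping rules are common in real rule sets and are one of the main sources of the duplicate-alert volume the article describes.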

Suspicious Activity Reporting

The SAR regime under Part 7 of POCA requires any person in the regulated sector who knows or suspects that another person is engaged in money laundering to make a disclosure to the National Crime Agency (NCA) before carrying out the relevant activity, or as soon as practicable afterwards. Failure to report known or suspected money laundering is a criminal offence carrying up to 5 years' imprisonment.

The consent SAR

Where a firm suspects a customer transaction may involve money laundering, but has not yet carried out the transaction, it can submit a "consent SAR" to the NCA and request a defence against money laundering charges. If the NCA does not refuse consent within 7 days of acknowledging receipt, the firm can proceed. If the NCA refuses, the firm must not proceed for a further 31-day moratorium period (during which the NCA may seek a court order to freeze the funds). The consent SAR mechanism is an important operational tool for compliance teams dealing with high-value suspicious transactions.

The tipping-off prohibition

Once a SAR has been filed or is under consideration, the firm is prohibited from tipping off the customer that a report has been made or is being considered. This prohibition is absolute and creates operational challenges for customer-facing staff, who must be trained to avoid inadvertently disclosing the existence of a SAR investigation.

CFO personal obligation: Where a CFO becomes aware of a transaction or pattern of activity that they know or suspect involves money laundering, they have a personal obligation to make or ensure a disclosure is made to the MLRO. This obligation is not discharged by delegating it to the compliance team. The CFO's knowledge of financial flows within the business means they are frequently in a position to identify red flags that the compliance team may not see.

Internal Controls and Governance

The MLR 2017 requires regulated businesses to appoint a nominated officer (the MLRO in practice), maintain an AML training programme, and conduct an annual AML risk assessment. These requirements have specific operational and cost implications.

The MLRO role

The MLRO (Money Laundering Reporting Officer) is the nominated officer to whom internal suspicious activity reports are made and who is responsible for deciding whether an external SAR should be filed with the NCA. Under the FCA's Senior Managers and Certification Regime (SMCR), the MLRO function is typically a prescribed responsibility attached to a specific Senior Manager. The MLRO must have adequate authority and independence to perform their role effectively; an MLRO who is not sufficiently senior to challenge business decisions that create AML risk is not an effective control.

AML training programme

All relevant staff must receive regular AML training, covering the legal obligations, how to identify suspicious activity, the internal reporting process, and the tipping-off prohibition. Training must be tailored to the employee's role. Compliance analysts require more detailed training than operational staff, but operational staff (including customer service teams) often need specific training on recognising and escalating red flags.

Annual AML risk assessment

The annual AML risk assessment is a documented assessment of the money laundering and terrorist financing risks facing the business, covering customer risk, geographic risk, product and service risk, and delivery channel risk. It must be reviewed and approved by the board (or a designated board committee) annually. The risk assessment drives the calibration of the CDD programme, the transaction monitoring rules, and the staffing of the compliance function.

"The FCA's AML supervisory approach has become increasingly data-driven. Firms with well-documented risk assessments, clean alert disposition records, and low false-positive rates are materially better positioned in a supervisory review than those with high activity but poor documentation."

AML Compliance Costs by Business Type

AML compliance is a significant operational cost that varies substantially by business type, customer risk profile, and transaction volume. The following benchmarks reflect the all-in cost of AML compliance (including compliance staff, technology, third-party data, training, and management overhead) as a percentage of revenue for different fintech business types:

  • Exchange / Custodian: AML cost 2–5% of revenue. Key cost drivers: high-risk customer base; large transaction volumes; EDD for PEPs and high-risk jurisdictions; CARF reporting
  • Payments Firm: AML cost 1–2% of revenue. Key cost drivers: volume-driven monitoring; merchant onboarding CDD; cross-border transaction monitoring
  • Lending Platform: AML cost 0.5–1% of revenue. Key cost drivers: CDD at onboarding; lower ongoing monitoring intensity; source of funds for larger loans

These cost percentages decline as revenue scales, since a substantial proportion of AML compliance cost is fixed (compliance analyst headcount, technology platform, MLRO salary) rather than variable. A payments business processing £10m of transaction value annually may spend 3% of its revenue on AML; the same business processing £100m annually may spend 1.5%. Planning the AML cost trajectory as the business scales is a material financial planning input that belongs in the CFO's model.

CFO Personal Liability Under the Economic Crime Act 2022

The Economic Crime (Transparency and Enforcement) Act 2022 and the Economic Crime and Corporate Transparency Act 2023 have significantly expanded the personal liability exposure of senior managers at regulated firms in relation to financial crime failures.

The "failure to prevent fraud" offence (introduced in the 2023 Act, with application beginning September 2025) makes large organisations criminally liable for fraud committed by their employees or agents for the organisation's benefit, unless the organisation can demonstrate that it had adequate procedures in place to prevent the fraud. This creates a strong incentive for CFOs to ensure that the internal financial crime controls are genuinely robust, documented, and tested, rather than existing only on paper.

Under the SMCR, individual Senior Managers (including CFOs at firms with SMF roles) can be held personally accountable for regulatory breaches within their area of responsibility if they did not take reasonable steps to prevent the breach. A CFO who was responsible for the compliance budget and approved a reduction in AML staffing that subsequently contributed to a material AML failure is in a significantly more difficult position than one who can demonstrate that they raised the risk, funded the function adequately, and maintained appropriate oversight.

Practical governance step: Ensure the AML compliance function has a dedicated budget line in your management accounts, approved by the board annually. Any reduction in AML budget relative to the risk assessment should be explicitly risk-accepted at board level and documented. This creates an audit trail that demonstrates appropriate oversight rather than neglect.

Key Takeaways

  • AML compliance applies to all FCA-authorised firms, payment institutions, EMIs, and cryptoasset businesses registered with HMRC. The CFO's role is not limited to the budget; it extends to personal legal obligations.
  • The four operational pillars are CDD (standard, simplified, enhanced); transaction monitoring (rule-based or ML-based, with alert management); suspicious activity reporting (POCA regime, consent SAR, tipping-off prohibition); and internal governance (MLRO, training, annual risk assessment).
  • AML compliance costs range from 0.5 to 1% of revenue for lending platforms to 2 to 5% for exchanges and custodians. These costs decline as revenue scales but have a significant fixed component.
  • The "failure to prevent fraud" offence (effective September 2025) creates corporate criminal liability for organisations that lack adequate anti-fraud procedures, increasing the governance stakes for CFOs.
  • Under SMCR, CFOs with designated senior management functions can be personally liable for AML failures within their area of responsibility where they did not take reasonable steps to prevent them.
  • The annual AML risk assessment is a board-level document, not a compliance team deliverable. CFO involvement in its review and approval is a governance requirement, not optional.
  • Maintain a dedicated AML budget line, approved annually by the board. Document any budget decisions that reduce compliance capacity relative to the risk profile.
