TL;DR: AML programmes are no longer static compliance checklists. Veriff’s guide argues that effective anti-money-laundering governance needs continuous, risk-based controls across onboarding, sanctions screening, transaction monitoring, investigations, and training, because rapid payments, digital onboarding, and cross-border operations keep changing the threat profile. Static programmes fail when risk changes faster than policy.
At a glance
What this is: This is a risk-based AML governance guide that argues compliance must be operational, continuously reassessed, and tied to changing customer, product, geography, and channel risk.
Why it matters: It matters to identity and access practitioners because AML controls now depend on reliable identity proofing, lifecycle decisions, escalation authority, and monitoring discipline across human and non-human workflows.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Veriff's guide to AML compliance programme best practices
Context
Anti-money-laundering governance works only when it tracks changing risk, not when it sits as a documentation layer over the business. In practice, AML programmes fail when customer due diligence, sanctions screening, and transaction monitoring are treated as fixed steps instead of controls that must adapt to product, geography, and channel risk.
For identity teams, the relevance is indirect but real: AML depends on trustworthy identity proofing, escalation, access review, and case-handling workflows. The same governance pattern appears across IAM, NHI, and human identity programmes, where policy exists but operating discipline lags behind real-world change.
Key questions
Q: How should organisations build a risk-based AML programme that actually works?
A: Start with clear ownership, a documented enterprise-wide risk assessment, and control settings that change when risk changes. Then connect onboarding, screening, monitoring, investigations, and reporting into one operating model. If the programme cannot show why controls are stronger for some customers, channels, or products than others, it is compliance theatre rather than risk management.
Q: Why do static AML controls fail in digital-first businesses?
A: Digital onboarding, fast payments, and cross-border services change exposure faster than annual reviews can catch. Static controls also miss event-driven risk changes such as new products, behaviour shifts, or jurisdictional expansion. The result is a programme that documents due diligence but does not keep pace with real transaction risk.
Q: How do you know if transaction monitoring is effective?
A: Look for calibrated scenarios, manageable alert volumes, consistent investigation quality, and timely filings that are supported by clear reasoning. If analysts are overwhelmed, closing alerts inconsistently, or filing late because the case record is thin, the monitoring function is not operating effectively even if the rules are technically live.
Q: Who is accountable when AML controls fail?
A: Accountability should be explicit across the three lines of defence. Business teams own day-to-day execution, compliance owns policy and challenge, and audit independently tests whether controls work. If every function can point to another group when a failure occurs, the programme has no real accountability model.
Technical breakdown
Risk-based AML governance and the three lines of defence
A risk-based AML programme starts with clear ownership, supervision, and escalation paths. The article reflects the standard three lines of defence model: business teams perform onboarding and transaction handling, compliance sets policy and monitors control quality, and internal audit independently tests whether the programme works. This structure matters because AML failures are often governance failures first. If responsibility is unclear, controls drift into checklist behaviour and the organisation cannot prove that risk decisions were made consistently or reviewed independently.
Practical implication: define accountable owners for onboarding, monitoring, escalation, and audit so AML decisions are testable, not informal.
EWRA, customer due diligence, and perpetual KYC
The enterprise-wide risk assessment, or EWRA, is the planning layer that determines how much AML control the business actually needs. It maps customer, geography, product and service, and delivery channel risk to the depth of customer due diligence, screening intensity, and monitoring thresholds. The article also stresses event-driven reviews and perpetual KYC, which means risk is re-evaluated when customer behaviour, product use, or jurisdictional exposure changes. That is the difference between static onboarding and living risk governance.
Practical implication: calibrate CDD depth and review triggers to risk changes, not only to periodic calendar cycles.
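The EWRA-to-control mapping and the event-driven re-rating described above, as an added worked model that is not part of Veriff's guide. The factor weights, tier boundaries, review cadences and transaction thresholds are illustrative assumptions, as are the event types and the `Customer` record; a real programme derives them from its own typologies and regulatory guidance. What the code shows is the mechanism: the rating is recomputed from the customer's current state on every relevant event, and a review is queued when the tier moves, when observed behaviour no longer matches the profile, or when the previous tier's review cadence has lapsed.

```python
"""Event-driven customer risk re-rating (perpetual KYC), illustrative only.

Added example, not Veriff's code. All weights, tiers, cadences and thresholds
below are assumed values chosen to make the mechanism visible.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta

# Assumed EWRA factor weights for the four risk dimensions the guide names:
# customer, geography, product/service, delivery channel.
CUSTOMER_RISK = {"individual": 1, "sole_trader": 2, "corporate": 2, "pep": 4}
GEOGRAPHY_RISK = {"low": 1, "medium": 2, "high": 4}
PRODUCT_RISK = {"current_account": 1, "card": 1, "cross_border_payment": 3, "crypto_onramp": 4}
CHANNEL_RISK = {"branch": 1, "video_verified": 2, "fully_digital": 3}
BEHAVIOUR_WEIGHT = 2  # each open behaviour flag adds this much

# Assumed tier boundaries (inclusive) and the control depth each tier buys.
TIERS = [(0, 5, "low"), (6, 9, "medium"), (10, 999, "high")]
CONTROLS = {
    "low":    {"cdd": "simplified", "review_days": 365 * 3, "txn_threshold": 10_000},
    "medium": {"cdd": "standard",   "review_days": 365,     "txn_threshold": 5_000},
    "high":   {"cdd": "enhanced",   "review_days": 180,     "txn_threshold": 1_000},
}


@dataclass(frozen=True)
class Customer:
    customer_id: str
    customer_type: str
    geography: str
    products: tuple[str, ...]
    channel: str
    last_review: date
    behaviour_flags: tuple[str, ...] = ()  # e.g. "volume_spike"


def risk_score(c: Customer) -> int:
    """Sum the four EWRA dimensions; the riskiest product drives the product term."""
    score = CUSTOMER_RISK[c.customer_type] + GEOGRAPHY_RISK[c.geography] + CHANNEL_RISK[c.channel]
    score += max(PRODUCT_RISK[p] for p in c.products)
    score += BEHAVIOUR_WEIGHT * len(c.behaviour_flags)
    return score


def risk_tier(score: int) -> str:
    for lo, hi, tier in TIERS:
        if lo <= score <= hi:
            return tier
    return "high"


def apply_event(c: Customer, event: dict, today: date) -> tuple[Customer, dict]:
    """Apply one trigger event, re-rate the customer and decide whether a review is due.

    Returns the updated (immutable) customer state and a decision record that an
    investigator or audit reviewer could later defend.
    """
    tier_before = risk_tier(risk_score(c))
    kind = event["type"]
    if kind == "new_product":
        c = replace(c, products=c.products + (event["product"],))
    elif kind == "jurisdiction_change":
        c = replace(c, geography=event["geography"])
    elif kind == "behaviour_shift":
        c = replace(c, behaviour_flags=c.behaviour_flags + (event["flag"],))
    else:
        raise ValueError(f"unknown event type: {kind}")

    tier_after = risk_tier(risk_score(c))
    # The calendar cadence is a backstop, measured against the tier that was in force.
    overdue = today - c.last_review > timedelta(days=CONTROLS[tier_before]["review_days"])
    # A behaviour shift always queues a review: the profile no longer explains the activity.
    review_due = tier_after != tier_before or kind == "behaviour_shift" or overdue
    decision = {
        "customer_id": c.customer_id,
        "event": kind,
        "tier_before": tier_before,
        "tier_after": tier_after,
        "review_due": review_due,
        "controls": CONTROLS[tier_after],
    }
    return c, decision


if __name__ == "__main__":
    today = date(2026, 1, 15)
    cust = Customer("C1", "individual", "low", ("current_account",), "video_verified", date(2025, 12, 16))
    for ev in (
        {"type": "new_product", "product": "cross_border_payment"},
        {"type": "jurisdiction_change", "geography": "high"},
        {"type": "behaviour_shift", "flag": "volume_spike"},
    ):
        cust, decision = apply_event(cust, ev, today)
        print(decision)
```

Note that the decision record carries both the tier before and after the event; that is the evidence trail an auditor will ask for when testing whether control depth actually followed risk.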
Transaction monitoring, investigations, and regulatory reporting
Transaction monitoring is only effective when scenarios are calibrated to business typologies and reviewed continuously. Alerts then move into a structured investigation cycle with documented reasoning, escalation thresholds, and quality checks before SAR or STR filing. The article makes clear that weak documentation, premature closure, and delayed reporting are common regulatory findings. In other words, the control is not just the detection rule, but the quality of the decision chain that follows it.
Practical implication: test monitoring scenarios and case workflows together so alert quality, investigation quality, and filing quality stay aligned.
Threat narrative
Attacker objective: The objective is to move illicit funds or hide terrorist-financing activity while staying inside the organisation's control blind spots.
- Entry occurs through digital onboarding, high-speed payments, or other delivery channels that expand exposure before risk is fully understood.
- Escalation happens when weak customer due diligence, poor sanctions screening, or uncalibrated monitoring fails to separate normal activity from suspicious behaviour.
- Impact is the persistence of undetected illicit activity, late regulatory reporting, and a programme that can document compliance without actually controlling laundering risk.
Breaches seen in the wild
- Salt Typhoon US telecoms breach — the Salt Typhoon APT used stolen credentials and a Cisco vulnerability (CVE) to breach US telecoms.
- DeepSeek breach — the DeepSeek breach exposed more than a million log lines, including sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AML governance fails when risk assessment is treated as a one-time planning event. The article’s EWRA model is the right starting point because customer, geography, product, and channel risk change faster than annual policy refresh cycles. That means the real governance task is not documenting risk once, but continuously translating changing exposure into control depth, escalation thresholds, and review cadence. Practitioners should treat risk assessment as a living operating model.
The three lines of defence only work when escalation authority is real. The article correctly emphasises that compliance must be able to question business decisions, but many programmes still separate accountability from action. When business, compliance, and audit roles are vague, AML becomes a shared responsibility that no one fully owns. Practitioners should test whether each line can act independently at the point of decision.
Perpetual KYC is a governance correction, not just a technology feature. Event-driven review and ongoing due diligence reflect a broader shift away from calendar-bound compliance toward state-aware risk management. The named concept here is control drift: the gap that opens when written AML policy stays constant while the underlying customer or transaction reality changes. Practitioners should assume that static review cycles will miss meaningful risk movement.
AML programmes should be measured by decision quality, not policy volume. The article shows that monitoring, investigation, and SAR or STR filing are all linked stages, which means any weak handoff breaks the chain. That is why documentation quality, escalation discipline, and reviewer consistency matter as much as the initial detection scenario. Practitioners should assess whether the programme can defend its decisions end to end.
Identity assurance is now part of financial crime control architecture. The guide repeatedly ties onboarding, customer profiling, and risk reassessment to the quality of identity data. That is a reminder that AML effectiveness depends on trustworthy identity proofing and case data, not just rule engines. Practitioners should align identity controls with compliance controls instead of treating them as separate programmes.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, showing that identity and secrets failures still convert directly into business loss.
- The Ultimate Guide to NHIs is a useful next step for teams connecting compliance governance with identity lifecycle and secrets control.
What this signals
Control drift: AML programmes should be designed around changing exposure, not fixed annual review assumptions. The practical signal for teams is whether onboarding, screening, and monitoring thresholds are recalibrated when the business adds a new product, market, or delivery channel.
The same governance discipline used in identity and access management applies here: clear ownership, measurable control quality, and review cycles that can be defended to audit. Teams that cannot show why a review happened and what changed are already behind the risk curve.
For identity and compliance leaders, the next step is to treat customer due diligence and case management as part of a broader identity assurance model. That makes it easier to align AML with NIST Cybersecurity Framework 2.0 controls around governance, risk, and response.
For practitioners
- Map AML ownership across the three lines of defence. Document who owns onboarding, who approves escalations, who maintains policies, and who independently tests control effectiveness. Make each handoff explicit so weak accountability cannot hide inside a shared service model.
- Rebuild EWRA around live risk triggers. Use customer behaviour changes, new products, new geographies, and channel shifts as review triggers for risk scoring, due diligence depth, and monitoring thresholds. Keep the assessment current enough to drive actual operating decisions.
- Calibrate transaction monitoring to typologies and case capacity. Tune alert scenarios against actual business typologies, then measure false positives, missed alerts, and investigation backlog together. A calibrated model should protect detection quality without overwhelming analysts.
- Separate detection from decision quality in QA reviews. Review not only whether an alert fired, but whether investigators documented a defensible rationale, escalated correctly, and filed reports on time. Use QA to catch closure bias and weak evidence trails before regulators do.
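The calibration and QA steps above measure alert quality, backlog and filing timeliness together rather than one at a time. The following is an added example of that measurement, not code from Veriff's guide or any case-management product: it runs a per-scenario health check over a constructed set of alert records (the alert IDs, scenario names, dates and outcomes are made up for illustration) and flags scenarios whose escalation rate is too low, whose backlog has aged past the working limit, or whose SAR filings came late. The rate floor, backlog age and filing deadline are assumed tuning values.

```python
"""Per-scenario health check for transaction monitoring.

Added example, not Veriff's code. Alert records, scenario names, thresholds and
outcome labels below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date
from statistics import median

# Assumed tuning limits; a real programme sets these from its own typologies and capacity.
MIN_ESCALATION_RATE = 0.05   # decided alerts that escalate or lead to a SAR, below this is noise
MAX_OPEN_DAYS = 30           # undecided alerts older than this count as backlog
FILING_DEADLINE_DAYS = 30    # alert-to-filing days beyond which a SAR is treated as late (assumed)

# Constructed records: (alert_id, scenario, opened, decided, outcome); decided/outcome are
# None while the case is still open.
SAMPLE_ALERTS = [
    ("A1", "structuring_under_threshold", date(2026, 1, 2), date(2026, 1, 5), "closed_no_action"),
    ("A2", "structuring_under_threshold", date(2026, 1, 3), date(2026, 1, 6), "closed_no_action"),
    ("A3", "structuring_under_threshold", date(2026, 1, 4), date(2026, 1, 9), "closed_no_action"),
    ("A4", "structuring_under_threshold", date(2026, 1, 5), date(2026, 1, 7), "closed_no_action"),
    ("A5", "structuring_under_threshold", date(2026, 1, 6), date(2026, 1, 20), "sar_filed"),
    ("A6", "structuring_under_threshold", date(2026, 1, 10), date(2026, 1, 12), "closed_no_action"),
    ("A7", "structuring_under_threshold", date(2026, 1, 15), date(2026, 1, 18), "closed_no_action"),
    ("A8", "structuring_under_threshold", date(2026, 2, 25), None, None),
    ("B1", "rapid_movement_new_account", date(2026, 1, 5), date(2026, 1, 8), "closed_no_action"),
    ("B2", "rapid_movement_new_account", date(2026, 1, 6), date(2026, 1, 10), "closed_no_action"),
    ("B3", "rapid_movement_new_account", date(2026, 1, 7), date(2026, 1, 9), "closed_no_action"),
    ("B4", "rapid_movement_new_account", date(2026, 1, 8), date(2026, 1, 11), "closed_no_action"),
    ("B5", "rapid_movement_new_account", date(2026, 1, 12), None, None),
    ("B6", "rapid_movement_new_account", date(2026, 1, 20), None, None),
    ("C1", "high_risk_jurisdiction_outbound", date(2026, 1, 3), date(2026, 2, 20), "sar_filed"),
    ("C2", "high_risk_jurisdiction_outbound", date(2026, 1, 10), date(2026, 1, 14), "escalated"),
    ("C3", "high_risk_jurisdiction_outbound", date(2026, 1, 11), date(2026, 1, 13), "closed_no_action"),
]

ESCALATED_OUTCOMES = {"escalated", "sar_filed"}


def evaluate_scenarios(alerts, today: date, min_rate: float = MIN_ESCALATION_RATE,
                       max_open_days: int = MAX_OPEN_DAYS,
                       deadline_days: int = FILING_DEADLINE_DAYS) -> dict:
    """Return per-scenario volume, conversion, backlog and timeliness with findings."""
    by_scenario: dict[str, list] = defaultdict(list)
    for rec in alerts:
        by_scenario[rec[1]].append(rec)

    report = {}
    for scenario, rows in by_scenario.items():
        decided = [r for r in rows if r[3] is not None]
        escalated = [r for r in decided if r[4] in ESCALATED_OUTCOMES]
        backlog = [r for r in rows if r[3] is None and (today - r[2]).days > max_open_days]
        late = [r for r in decided if r[4] == "sar_filed" and (r[3] - r[2]).days > deadline_days]
        days_to_decision = [(r[3] - r[2]).days for r in decided]
        rate = len(escalated) / len(decided) if decided else 0.0

        # Findings are what QA and the scenario owner act on; order is stable for reporting.
        findings = []
        if decided and rate < min_rate:
            findings.append("low_escalation_rate")   # scenario mostly generates noise
        if backlog:
            findings.append("backlog")               # capacity, not detection, is the problem
        if late:
            findings.append("late_filing")           # decision chain is slower than the rule

        report[scenario] = {
            "alerts": len(rows),
            "decided": len(decided),
            "escalation_rate": rate,
            "open_backlog": len(backlog),
            "late_filings": len(late),
            "median_days_to_decision": median(days_to_decision) if days_to_decision else None,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for name, stats in evaluate_scenarios(SAMPLE_ALERTS, date(2026, 3, 1)).items():
        print(name, stats)
```

Reading the three constructed scenarios together shows why the metrics belong in one view: one scenario is healthy, one produces alerts that never escalate while its open cases age out, and one converts well but files too slowly. Each needs a different fix (retire or retune the rule, add capacity, or tighten the investigation workflow), and none of them is visible from alert volume alone.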
Key takeaways
- AML programmes fail when they become documentation exercises rather than living risk controls.
- The article shows that EWRA, perpetual KYC, and calibrated monitoring only work when ownership and escalation are explicit.
- The practical priority is to connect identity assurance, case quality, and reporting discipline into one auditable operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and identity-assurance requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Risk governance is central to the article's risk-based AML model. |
| NIST CSF 2.0 | GV.OV-03 | Board and senior management oversight is a core theme in the guide. |
| NIST SP 800-63 | Identity Assurance Levels (SP 800-63A, identity proofing) | Identity proofing and assurance affect onboarding and ongoing customer risk management. |

Align identity verification strength with customer risk and re-evaluate it when risk changes.
Key terms
- Enterprise-wide risk assessment: An enterprise-wide risk assessment is the structured process used to identify where financial crime exposure is highest across a business. It turns customer, geography, product, and delivery channel risk into control decisions, so due diligence and monitoring are proportional rather than uniform.
- Perpetual KYC: Perpetual KYC is an ongoing due diligence model that updates customer risk when relevant facts change, not just at fixed review intervals. It relies on event-driven triggers, refreshed profiles, and repeatable decision rules so organisations can respond before risk becomes embedded.
- Three lines of defence: The three lines of defence is a governance model that separates operational ownership, compliance oversight, and independent assurance. In AML, it helps prevent conflicts of interest by making sure the teams that execute transactions are not the only teams judging control effectiveness.
- SAR/STR filing: SAR or STR filing is the regulatory reporting step used when suspicious activity is identified and documented. The quality of the filing depends on the completeness of the investigation, the clarity of the rationale, and the organisation's ability to show why the activity was unusual.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by Veriff: Chapter 4, AML compliance programme best practices. Read the original.
Published by the NHIMG editorial team on 2026-05-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org