TL;DR: AML programmes are no longer static compliance checklists. Veriff’s guide argues that effective anti-money-laundering governance needs continuous, risk-based controls across onboarding, sanctions screening, transaction monitoring, investigations, and training, because rapid payments, digital onboarding, and cross-border operations keep changing the threat profile. Static programmes fail when risk changes faster than policy.
NHIMG editorial — based on content published by Veriff: Chapter 4, AML compliance programme best practices
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should organisations build a risk-based AML programme that actually works?
A: Start with clear ownership, a documented enterprise-wide risk assessment, and control settings that change when risk changes.
Q: Why do static AML controls fail in digital-first businesses?
A: Digital onboarding, fast payments, and cross-border services change exposure faster than annual reviews can catch.
Q: How do you know if transaction monitoring is effective?
A: Look for calibrated scenarios, manageable alert volumes, consistent investigation quality, and timely filings that are supported by clear reasoning.
Practitioner guidance
- Map AML ownership across the three lines of defence: document who owns onboarding, who approves escalations, who maintains policies, and who independently tests control effectiveness.
- Rebuild EWRA around live risk triggers: use customer behaviour changes, new products, new geographies, and channel shifts as review triggers for risk scoring, due diligence depth, and monitoring thresholds.
- Calibrate transaction monitoring to typologies and case capacity: tune alert scenarios against actual business typologies, then measure false positives, missed alerts, and investigation backlog together.
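Example code added here, not from Veriff's guide or the NHIMG post: it scores one amount-threshold monitoring scenario against constructed, labelled customer-day totals and reports false positives, missed alerts and backlog as one result, so the threshold is chosen against case capacity rather than in isolation. The candidate thresholds, the weekly case capacity and the sample totals are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerDay:
    customer: str
    total_out: float   # sum of outbound transfers in a 24h window
    confirmed: bool    # past investigation outcome: True = confirmed suspicious


# Constructed sample (assumption): 24h outbound totals with historical case outcomes.
SAMPLE = [
    CustomerDay("c01", 1200.0, False),
    CustomerDay("c02", 9800.0, True),    # repeated transfers kept just under 10k
    CustomerDay("c03", 15000.0, False),  # legitimate large payment
    CustomerDay("c04", 9500.0, True),
    CustomerDay("c05", 4000.0, False),
    CustomerDay("c06", 22000.0, True),
    CustomerDay("c07", 8000.0, False),
    CustomerDay("c08", 9900.0, True),
    CustomerDay("c09", 500.0, False),
    CustomerDay("c10", 12000.0, False),
]


def evaluate(rows, threshold, capacity):
    """Fire the scenario at `threshold` and measure all three numbers together."""
    alerts = [r for r in rows if r.total_out >= threshold]
    false_positives = sum(1 for r in alerts if not r.confirmed)
    missed = sum(1 for r in rows if r.confirmed and r.total_out < threshold)
    backlog = max(0, len(alerts) - capacity)   # alerts the team cannot work this cycle
    return {"threshold": threshold, "alerts": len(alerts),
            "false_positives": false_positives, "missed": missed, "backlog": backlog}


def calibrate(rows, candidates, capacity):
    """Among thresholds the team can actually work through (no backlog), pick the
    one that misses the fewest confirmed cases, then the fewest false positives.
    If every candidate leaves a backlog, fall back to the full set."""
    results = [evaluate(rows, t, capacity) for t in candidates]
    workable = [r for r in results if r["backlog"] == 0] or results
    return min(workable, key=lambda r: (r["missed"], r["false_positives"]))


if __name__ == "__main__":
    for cap in (6, 5):
        print(cap, calibrate(SAMPLE, [5000, 9000, 10000, 15000], cap))
```

With capacity 6 the calibration settles on 9000 and misses nothing; with capacity 5 every workable threshold misses the three sub-10k cases, which is the signal that this typology needs a structuring scenario, not a higher amount threshold.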
What's in the full article
Veriff's full guide covers the operational detail this post intentionally leaves for the source:
- Detailed guidance on how to structure AML governance across the board, senior management, compliance, and internal audit.
- Operational examples for calibrating customer due diligence, sanctions screening, and transaction monitoring to risk level.
- The guide's step-by-step approach to investigations, SAR or STR reporting, and quality assurance.
- Practical discussion of event-driven reviews and perpetual KYC triggers in digital onboarding environments.
👉 Read Veriff's guide to AML compliance programme best practices →