AML Policy Template UK: What Supervisors Actually Check (2026)
Most AML policy templates are built for banks or generic SMEs; this one is written for UK estate agents, letting agents, and conveyancers, mapped section by section to the Money Laundering Regulations 2017.
An AML policy template is a pre-written framework you adapt to your own firm, not a finished document you sign and file. This guide gives you the section-by-section structure UK supervisors expect. It maps each part to the Money Laundering Regulations 2017, then shows how to turn a written policy into the live checks that keep you compliant.
What is an AML policy template?
An AML policy template is a reusable outline of the anti-money laundering (AML) controls your business will run, ready for you to tailor to your services, customers and risks. The word "template" matters: a download is a starting point, and it only becomes a compliant policy once it reflects your own written risk assessment.
Most templates returned by a quick search are built for banks or generic small businesses. Property firms face specific risks, from buyers paying with overseas funds to companies with hidden owners, so a property-specific policy is far stronger than a generic one. And a generic download that ignores your real risks is exactly what supervisors penalise.
Is an AML policy a legal requirement in the UK?
Yes, a written AML policy is a legal requirement in the UK. Regulation 19 of the Money Laundering Regulations 2017 requires regulated firms to establish and maintain written policies, controls and procedures, approved by senior management and proportionate to the size and nature of the business. Skipping this step is not an option for firms in scope.
HMRC guidance on who needs to register sets out who is in scope. Estate agency businesses, solicitors and accountants must register for money laundering supervision. So must letting agency businesses renting property worth the equivalent of 10,000 euros or more a month. Trading without registering is a criminal offence.
What a compliant AML policy must include
A compliant policy is more than a statement of intent. It documents the people, the checks and the records that stop your firm being used to launder money. The Money Laundering Regulations 2017 set out the building blocks, and a good template prompts you to complete each one.
Your policy should cover the following sections:
- Business-wide risk assessment. Your written view of where your firm is exposed, covering customers, geographies, services and delivery channels.
- Customer due diligence (CDD). How you identify and verify every client before acting, explained in our guide to customer due diligence for property.
- Enhanced due diligence (EDD). The extra checks for higher-risk clients, including any politically exposed person and customers in high-risk countries.
- Ongoing monitoring and screening. Sanctions and adverse media screening during the relationship, not just at onboarding.
- Reporting. How staff escalate concerns to your nominated officer, who decides whether to file a Suspicious Activity Report.
- Record-keeping and training. What you keep, for how long, and how often staff are trained.
Two roles sit at the centre of the policy. Regulation 21 requires you to appoint a board or senior-management officer responsible for compliance, appoint a nominated officer to review suspicious activity, screen relevant employees, and establish an independent audit function where appropriate. The nominated officer, often called the money laundering reporting officer (MLRO), is the person who decides whether a concern becomes a formal report.
The policy also has to connect to action. HMRC expects a risk-based approach. Its risk-assessment guidance tells firms to identify the money laundering risks, then risk-assess the business and each customer.
From there, firms must design and put controls in place, monitor those controls, and keep records of what they did and why. Your written policy is where each of those steps is recorded.
Free AML policy template (UK): section by section
Use the outline below as a free AML policy template you can paste into a document and complete. Each heading is a section of your policy, and the note under it explains what a UK supervisor wants to see there. Keep the language plain so any member of staff can follow it.
- Purpose and scope. State that the policy meets the Money Laundering Regulations 2017 and name the services and staff it covers.
- Roles and responsibilities. Name your compliance officer and your nominated officer, and confirm senior management has approved the policy.
- Risk assessment. Summarise your business-wide risk assessment and how often you review it.
- Customer due diligence. Set out when you verify identity, what evidence you accept, and how you check beneficial ownership.
- Enhanced due diligence. Explain the triggers for extra checks and your approach to a politically exposed person.
- Ongoing monitoring. Describe sanctions screening, adverse media checks and how you spot unusual transactions.
- Reporting and record-keeping. Describe how staff raise concerns, how reports reach the National Crime Agency, and your record retention period.
- Training. State how new and existing staff are trained and how you evidence it.
Once drafted, get senior management to approve and date the policy, then store the signed version where your supervisor can see it. Regulation 40 requires firms to keep AML records, and Regulation 24 requires staff training, so both belong in the policy and in your day-to-day routine.
How to write an AML policy
You write an AML policy by starting from your risks and working outwards to the controls that manage them. Do not start from someone else's finished document, because a policy that does not match your firm is the kind regulators reject. So follow a clear order.
- Complete your risk assessment first. You cannot write proportionate controls until you know your risks.
- Map each risk to a control. For every risk, state the check or process that reduces it.
- Assign the roles. Name your compliance officer and nominated officer in writing.
- Write the procedures in plain steps. Staff should be able to follow them without legal training.
- Get senior management approval. Sign, date and review the policy at least once a year.
Keep the document specific to your firm. A short policy that genuinely reflects how you work beats a long one copied from another sector. But do make sure every required section is present, because gaps are what supervisors look for first.
What are the 5 pillars of AML policy?
The five pillars of AML policy are a designated compliance officer, internal policies and controls, ongoing training, independent audit, and risk-based customer due diligence carried out on every client. The phrase comes from United States rules, but each pillar maps neatly onto the duties UK firms already owe under the Money Laundering Regulations 2017.
In UK terms, the pillars line up like this:
- Compliance officer. Your senior-management compliance officer and nominated officer under Regulation 21.
- Policies and controls. Your written policies, controls and procedures under Regulation 19.
- Training. Staff awareness and training under Regulation 24.
- Independent audit. A review of whether your controls actually work, where the size of your firm makes it appropriate.
- Customer due diligence. Risk-based identity and ownership checks on every client.
AML policy requirements for estate agents, letting agents and conveyancers
The core duties are the same across property, but the supervisor and the trigger differ by sector. Estate agents and letting agents are supervised by HMRC, while most conveyancers are supervised by their legal regulator. The table below summarises where each sits.
| Sector | Typical supervisor | Key trigger |
|---|---|---|
| Estate agency business | HMRC | Acting in the sale or purchase of property |
| Letting agency business | HMRC | Lettings at 10,000 euros or more a month |
| Conveyancer or solicitor | SRA or CLC | Acting in a property transaction |
Letting agents were brought into scope more recently, so many still need a first policy in place. Whatever your sector, you pay an annual supervision fee on top of the cost of compliance, and our guide to HMRC supervision fees sets out the current figures. For agents who want the practical onboarding detail, our KYC for estate agents guide walks through the checks your policy should require.
What happens if you do not have an AML policy
Missing or weak policies are one of the first things a supervisor penalises. HMRC publicly names the firms it sanctions, which adds reputational damage to the financial cost. So a written policy is cheap insurance against an expensive failure.
The figures are real. The HMRC list of businesses that have not complied with the regulations in 2024 to 2025 names the firms it sanctions. The largest single penalty on that list was 139,638 pounds.
That penalty was issued for breaches that included missing risk assessments, policies, procedures, staff training and due diligence. Smaller firms appear on the same list for the same gaps.
The charges are rising too. According to HMRC guidance on sanctions and appeals, from 1 December 2025 a 2,000 pound sanction administration charge applies on top of any financial penalty for breaches of the regulations.
Professional bodies act as well. In 2023, ICAEW reprimanded and fined accountant Malcolm Bass 14,700 pounds, plus 9,140 pounds in costs, for failing to demonstrate his firm's AML compliance, as reported by MLRO Support. Our guide to HMRC AML fines for estate agents covers the property-sector cases in more detail.
There is a reporting duty behind all of this. According to HMRC guidance on reporting, firms must keep records and send a Suspicious Activity Report to the National Crime Agency whenever they suspect a transaction relates to money laundering or terrorist financing. Your policy is what makes sure staff know when and how to do that.
AML policy template: common questions
What is the difference between an AML policy and AML procedures?
An AML policy sets out what your firm will do to prevent money laundering, while procedures are the step-by-step instructions staff follow to deliver that policy in practice. The policy is the senior-management commitment; the procedures are how onboarding, screening and reporting actually happen at the desk each day.
How often should you review your AML policy?
Review your AML policy at least once a year, and sooner if your risks change. A new service line, a new type of client, a merger or a fresh national risk assessment are all triggers to act. When one occurs, update the policy, re-approve it at senior level, and record the date of the change.
How Veyco turns your AML policy into live checks
A written policy only protects you if the checks behind it happen on every client. This is the gap Veyco closes for property firms. Veyco runs identity verification, AML and sanctions screening, politically exposed person checks and an audit-ready record in one workflow. So the controls your policy promises are carried out automatically, and most checks finish in under ten minutes.
Veyco also handles the part competitors cannot. With QEST, our qualified electronic signature for the TR1 transfer deed, your firm verifies the signer's identity to the Land Registry standard and captures the signature in the same secure flow. You can see how it works on our QEST page, and our UK-based team is here to help you get set up.
So treat the template above as step one and the live checks as step two. Write the policy, then book a Veyco demo to see your customer due diligence, screening and TR1 signing run as one fast, compliant process.
Latest Articles
