
Anti-Money Laundering (AML)

September 1, 2025 · 14 min read · by Tahmidur Remura Wahid

Anti-Money Laundering (AML) & Counter-Terrorist/Proliferation Financing (CFT/CPF): A Practical, 2025 Playbook for Banks, Fintechs, DNFBPs & Corporate Treasuries

By TRW Law Firm — Financial Crime Compliance, Investigations & Cross-Border Practice

Why this guide (and why now)

Financial crime risk has exploded in complexity: instant payments, platform business models, trade corridors, digital advertising, remote onboarding, and third-party sales channels. Regulators expect evidence of control—not just policies. Your survival kit is a risk-based, auditable operating system that: (1) identifies and rates risks, (2) onboards the right way, (3) monitors activity with context (not just thresholds), (4) files clean reports on time, and (5) keeps a provable trail.

This TRW guide is a field manual you can deploy immediately—built for banks & NBFIs, PSP/PSO/MFS providers, money changers, capital markets firms, insurers, importers/exporters, and DNFBPs (law/accountancy, real estate, dealers in precious metals & stones, company service providers).

No references or links are included. Treat any time-sensitive thresholds as examples; confirm current local rules before filing.

What AML/CFT/CPF actually covers (scope at a glance)

  • Money Laundering (ML): concealing criminal proceeds via placement → layering → integration.
  • Terrorist Financing (TF): small, fast, purpose-driven flows, often from ostensibly clean sources.
  • Proliferation Financing (PF): funds or services that support acquisition/transport of WMDs or dual-use items.
  • Sanctions/Targeted Financial Sanctions (TFS): asset freezes, services bans, and ownership/control tests for designated persons, entities, vessels, and sectors.
  • Covered persons (you): banks, NBFIs, payment institutions (PSP/PSO), MFS/agent networks, money changers, capital markets participants, insurers, remitters, and DNFBPs (lawyers, accountants, real estate agents, dealers in precious metals/stones, company service providers).

Part A — The Risk-Based Approach (RBA): design once, apply everywhere

1) Enterprise-Wide Risk Assessment (EWRA)

Build a living EWRA that ranks risks by Customer, Product/Service, Channel, Geography, and Delivery (e.g., agents/third parties). For each dimension, combine:

  • Inherent risk (before controls) with scored drivers
  • Control effectiveness (policies, systems, people, data)
  • Residual risk (what remains), with risk appetite statements

Output: a heat-map, control action plan, and metrics. Refresh at least annually or after major changes (new product/country, M&A, incident).

2) Customer Risk Rating (CRR)

Assign risk bands at onboarding (Low/Medium/High/Prohibited) using:

  • Customer type (individual, SME, NGO/NPO, SOE, FI correspondent, MSB, money changer, PSP)
  • Occupation/business model; cash-intensity; TBML exposure
  • Ownership/control (UBO complexity, bearer shares, nominee structures)
  • PEP exposure (customer or close associates)
  • Country risk (sanctions, PF, governance, conflict)
  • Delivery/channel (face-to-face, remote, through agents)
  • Adverse media hits and historical SARs

CRR drives CDD depth, KYC refresh cycle, monitoring scenarios, and approval levels.

Part B — Governance & Accountability (who owns what)

  • Board: approves the AML/CFT/CPF policy, risk appetite, EWRA, and annual program. Receives quarterly MI (metrics, SAR stats, sanctions hits, training, audit).
  • Senior management: allocates resources, removes blockers, signs off on high-risk relationships, and ensures remediation deadlines are met.
  • MLRO/AMLCO (independent of business): owns the framework, STR/SAR filings, regulator liaison, and training.
  • Three lines of defence:
      • 1st line (Business/Ops): executes KYC, screening, and monitoring SOPs.
      • 2nd line (Compliance/Risk): designs controls, conducts QA, challenges 1st line, manages alerts and reporting.
      • 3rd line (Internal Audit): tests independently; reports to Audit Committee.
  • Policies & charters: AML/CFT/CPF policy; Sanctions/TFS policy; KYC/CDD standard; EDD/PEP standard; Name Screening standard; Transaction Monitoring (TM) standard; TBML guideline; PF control; Investigation & Escalation SOP; Record Retention policy; Training policy; Model Governance standard.

Part C — KYC/CDD: what “good” looks like

1) Identification & verification (ID&V)

Individuals: full legal name(s), DOB, current address, nationality, government ID, photograph; verify via reliable, independent sources.
Legal persons: legal name, registration number/date, registered & principal address, tax number, nature of business, directors/officers, UBOs down to the natural person(s) with ownership or control, plus control-via-other-means.
Legal arrangements (trusts/NPOs): settlor, trustee(s), protector (if any), beneficiaries/classes; controlling individuals; purpose and fund flows.

Remote/e-KYC: use certified document capture, liveness checks, and database cross-checks; maintain device/IP metadata and geo-risk overlays.

2) Purpose & nature of relationship

Document sources of funds (SoF) and, for wealthier or PEP-linked profiles, source of wealth (SoW). Capture expected activity profile (products, channels, countries, typical values/volumes)—this powers smart monitoring.

3) Beneficial ownership (UBO)

  • Obtain attestations and supporting documents (register extracts, share certificates, partnership deeds).
  • Validate ownership & control: direct/indirect percentages, control rights, board control, vetoes.
  • Screen UBOs alongside the customer.

4) Screening at onboarding (and forever)

  • Sanctions/TFS lists (including ownership/control rules)
  • PEPs and close associates/family
  • Adverse media (negative news)
  • Sectoral/special risk lists (e.g., vessels, dual-use traders)

Set fuzzy-matching thresholds and escalation rules; store match rationales.
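The screening step above says to set fuzzy-matching thresholds, define escalation rules and store the match rationale. The block below is an added example of that logic, not the firm's code or any vendor's engine: the watchlist entries, customer names, the two thresholds (0.90 escalate, 0.75 review) and the year-of-birth tolerance are all constructed for illustration. It normalizes names (case, accents, punctuation, corporate and honorific noise words), scores them with a token-sorted Levenshtein similarity, downgrades a strong name match to analyst review when a secondary identifier conflicts, and keeps the score and reasoning with every hit so the decision trail survives audit.

```python
"""Fuzzy name screening with explicit thresholds and a stored match rationale.

Added example (not the firm's code). Watchlist entries, names and thresholds
are constructed for illustration; real lists and thresholds come from your
sanctions/PEP data vendor and your own tuning.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed watchlist: (list name, entry id, listed name, year of birth or None)
WATCHLIST = [
    ("DEMO-SANCTIONS", "D-0001", "Abdul Rahman Al-Sayed", 1971),
    ("DEMO-SANCTIONS", "D-0002", "Global Trading House Ltd", None),
    ("DEMO-PEP",       "P-0100", "Maria Fernandez Lopez", 1965),
]

ESCALATE = 0.90   # potential true match: hold and route to MLRO review
REVIEW = 0.75     # analyst review; anything below this is discarded as noise

# Tokens that carry no identity information and only inflate edit distance
NOISE = {"ltd", "limited", "llc", "inc", "co", "company", "mr", "mrs", "dr"}


def normalize(name):
    """Casefold, strip accents and punctuation, drop noise tokens."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.casefold()).split()
    return [t for t in tokens if t not in NOISE]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(name_a, name_b):
    """Token-sorted similarity in [0, 1]; word order ("SURNAME, Given") does not matter."""
    a = " ".join(sorted(normalize(name_a)))
    b = " ".join(sorted(normalize(name_b)))
    if not a and not b:
        return 1.0
    return 1 - levenshtein(a, b) / max(len(a), len(b))


@dataclass
class Hit:
    list_name: str
    entry_id: str
    entry_name: str
    score: float
    disposition: str   # "ESCALATE" or "REVIEW"
    rationale: str     # stored with the hit: why it was dispositioned this way


def screen(customer_name, customer_yob=None):
    """Screen one name against the watchlist; returns hits at or above REVIEW."""
    hits = []
    for list_name, entry_id, entry_name, entry_yob in WATCHLIST:
        score = round(similarity(customer_name, entry_name), 3)
        if score < REVIEW:
            continue
        # Secondary identifier check: a clearly different year of birth does not
        # discard a strong name match, but it does drop it to analyst review.
        dob_conflict = (customer_yob is not None and entry_yob is not None
                        and abs(customer_yob - entry_yob) > 2)
        if score >= ESCALATE and not dob_conflict:
            disposition, floor = "ESCALATE", ESCALATE
        else:
            disposition, floor = "REVIEW", REVIEW
        rationale = f"score={score} >= {floor}; dob_conflict={dob_conflict}"
        hits.append(Hit(list_name, entry_id, entry_name, score, disposition, rationale))
    return hits


if __name__ == "__main__":
    for name, yob in [("AL SAYED, Abdul Rahman", 1971), ("Maria Fernandes Lopez", None), ("John Smith", None)]:
        print(name, "->", screen(name, yob))
```

The two thresholds are where tuning happens: lowering `REVIEW` widens the net and raises analyst load, raising `ESCALATE` pushes more hits to human review. Whatever values you settle on, the `rationale` string is what you hand to the auditor when asked why a hit was closed.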

5) Risk-based KYC refresh

  • High risk/PEP: frequent refresh (short cycles), periodic SoF/SoW updates, enhanced monitoring and senior sign-off.
  • Medium/Low: standard cycles; triggers for interim refresh (address change, unusual activity, hits).

6) EDD (Enhanced Due Diligence)

Apply EDD when PEP, high-risk geography/sector, complex ownership, NPOs with cross-border flows, private banking, correspondent banking, MSBs, money changers, or when early monitoring flags concerns. EDD may include:

  • Additional ID&V sources and corroboration
  • Independent SoF/SoW evidence (bank statements, audited accounts, title documents, tax returns)
  • Site visits or video verification
  • Senior management approval and reduced velocity limits until comfort is established

Part D — Sanctions/TFS & PF controls (how to stay off the rocks)

  • Scope: apply to customers, counterparties, beneficial owners, directors, payments, vessels/aircraft, ports, banks, and goods/services linked to sanctions or PF regimes.
  • Ownership & control: blocked persons owning/controlling non-listed entities can taint the transaction—apply aggregation rules.
  • Routing risk: even clean trades can be contaminated by trans-shipment via restricted ports, AIS-dark vessels, STS transfers, or intermediary banks with exposure.
  • PF (proliferation financing): flag dual-use goods, specialty metals/chemicals, electronics, optical/precision instruments, aerospace/aviation parts; require end-use/end-user statements; escalate unusual routing, high-risk counterparties, or front companies.

When a hit is true-positive: freeze/hold, block or reject per policy, escalate to MLRO, and report as required. Document the decision trail.

Part E — Transaction Monitoring (TM): from rules to intelligence

1) Build scenarios that fit your business

  • Cash placement: structuring, rapid in/out, cash-heavy sectors beyond profile.
  • Account behavior: sudden value/velocity spikes; pass-through or funnel patterns; round-dollar repeats; ATM/POS anomalies.
  • Cross-border: unusual corridors, frequent third-country transit, use of multiple remitters/beneficiaries, mirror trades.
  • Trade flows (TBML): over/under-invoicing signals, inconsistent Incoterms, value/quantity mismatches, repeated discrepancies.
  • Channel abuse: new device/browser each time, multiple IPs, proxy/VPN, emulator use, rapid device switch.
  • Network analytics: shared addresses/phones/devices across unrelated customers; daisy-chain transfers.

2) Risk-based thresholds & tuning

Start with conservative thresholds; track alert precision/recall, false positives, and “no SAR” rates. Tune quarterly. Apply peer groups and customer baseline deltas (e.g., ±3σ vs. cohort medians). Calibrate to your EWRA.
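To make the scenario and tuning points concrete, here is an added example (not the firm's code or any TM vendor's) covering two of the building blocks from this part: a cash-structuring scenario (several deposits just under the reporting threshold inside a short window) and a peer-group baseline test that compares each customer's monthly total with the cohort median. The reporting threshold, window, band, and all transactions are constructed for illustration. One assumption to note: the sigma is a robust one (1.4826 × median absolute deviation) rather than the plain standard deviation, so that a single extreme account cannot inflate the cohort's spread and hide itself; the ±3σ rule of the text is applied unchanged on top of it. An `alert_precision` helper shows the metric the text says to track per scenario.

```python
"""Structuring scenario + peer-group baseline test + precision metric.

Added example, not the firm's code. Thresholds, windows and transactions are
constructed; the robust sigma (1.4826 * MAD) is a design choice, not a rule
from the page.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed cash deposits: (customer, date, amount)
CASH_DEPOSITS = [
    ("C1", date(2025, 3, 1), 9500), ("C1", date(2025, 3, 2), 9800),
    ("C1", date(2025, 3, 4), 9700), ("C1", date(2025, 3, 5), 9900),
    ("C2", date(2025, 3, 3), 20000),                       # above threshold: CTR, not structuring
    ("C3", date(2025, 3, 1), 500), ("C3", date(2025, 3, 2), 500), ("C3", date(2025, 3, 3), 500),
]


def structuring_alerts(deposits, reporting_threshold=10000, window_days=7, min_count=3, band=0.8):
    """Flag customers with >= min_count cash deposits, each between band*threshold and
    the threshold, inside a rolling window. Returns {customer: (start, end, count)}."""
    by_customer = defaultdict(list)
    for cust, day, amount in deposits:
        if band * reporting_threshold <= amount < reporting_threshold:
            by_customer[cust].append(day)
    alerts = {}
    for cust, days in by_customer.items():
        days.sort()
        for i, start in enumerate(days):
            in_window = [d for d in days[i:] if d - start < timedelta(days=window_days)]
            if len(in_window) >= min_count:
                alerts[cust] = (start, in_window[-1], len(in_window))
                break
    return alerts


def peer_outliers(monthly_totals, cohorts, sigma=3.0):
    """Compare each customer's monthly total with its cohort median in units of a
    robust sigma (1.4826 * MAD). Returns {customer: z} for |z| > sigma."""
    by_cohort = defaultdict(list)
    for cust, total in monthly_totals.items():
        by_cohort[cohorts[cust]].append(total)
    flagged = {}
    for cust, total in monthly_totals.items():
        peers = by_cohort[cohorts[cust]]
        med = median(peers)
        mad = median(abs(p - med) for p in peers)
        if mad == 0:
            continue            # cohort is uniform or too small to give a usable spread
        z = (total - med) / (1.4826 * mad)
        if abs(z) > sigma:
            flagged[cust] = round(z, 1)
    return flagged


def alert_precision(alerted, confirmed):
    """Share of alerts that became confirmed escalations; track per scenario when tuning."""
    alerted = set(alerted)
    return len(alerted & set(confirmed)) / len(alerted) if alerted else 0.0


if __name__ == "__main__":
    print("structuring:", structuring_alerts(CASH_DEPOSITS))
    totals = {"C1": 15000, "C2": 14000, "C3": 15500, "C4": 16000, "C5": 300000}
    print("peer outliers:", peer_outliers(totals, {c: "retail" for c in totals}))
```

The structuring rule alone would alert on a small business that legitimately banks takings daily, which is exactly why the text pairs rules with customer baselines and peer groups: run both, and let precision per scenario decide which thresholds move at the quarterly tuning.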

3) Alert handling workflow

  • Triage → analyst case build (KYC, transaction trail, external data) → escalate/close.
  • Use consistent case narratives: the “what, why, so what” test.
  • Time-bound SLAs for each stage; quality checks by 2nd line.
  • No tipping-off: customer communications must avoid signaling a report is being filed.

4) Model governance

Document scenario logic, data sources, assumptions, back-testing results, overrides, changes, and approvals. Internal Audit should test models yearly.

Part F — STR/SAR, CTR & asset freezing (reporting done right)

  • STR/SAR (suspicious transaction/activity report): file promptly once knowledge, suspicion or reasonable grounds exist. Include KYC summary, timeline, counterparties, values, rationale, and documents.
  • CTR/threshold cash reports (where mandated): automate from core systems; reconcile totals to GL and cash registers.
  • Asset freeze/hold: if a TFS match is confirmed, freeze immediately, notify internally and file the required report; maintain logs of balances and interest accrued.
  • Recordkeeping: keep KYC, transactions, and STR files for at least the statutory minimum (often 5+ years from relationship end or report date).
  • Confidentiality: protect reporter identity; never disclose an STR to the customer or non-essential staff.

Part G — Trade-Based Money Laundering (TBML): controls that actually deter abuse

Red flags

  • Counterparties with no visible commercial rationale for goods traded; unusual routing; newly formed offshore entities; repeated changes to consignee/Notify Party.
  • Price/quantity/quality anomalies vs. market data; mismatched HS codes; inconsistent Incoterms; large amendments to LCs close to shipment.
  • Ghost shipments: no verifiable cargo movement; suspicious chartering.
  • Third-party payments with no contract linkage; split invoicing; rebates outside contract.

Controls

  • Trade file with contract, invoice, packing list, B/L or AWB, inspection, insurance, certificate of origin, freight/port costs, payment method, and sanctions routing sheet.
  • Price checks vs. public indices/quotes for sensitive goods.
  • Vessel screening (ownership, flags, AIS).
  • End-use/end-user statements for dual-use/sensitive items.
  • Bank narrative scripts for payments to pre-empt de-risking.

For banks: strengthen documentary collections/LC checks, dual control on amendments, and integrate sanctions/TM flags into trade desks.

Part H — Sector specifics (what changes by industry)

Banks & NBFIs

  • Correspondent banking: EDD on respondent FIs, understanding of their AML regime, nested relationships, payable-through risks, and usage monitoring.
  • Private banking/wealth: SoW depth, PEP governance, and tighter alerting.

PSP/PSO, MFS, Agent Banking

  • Agent onboarding/monitoring (KYC, training, liquidity patterns, fraud/AML flags).
  • Transaction limits, device controls, geo-fencing, velocity rules; SIM swap and device-binding controls.
  • Merchant acquiring: sector MCC risk, chargeback patterns, abnormal refunds, split payments, sleeper merchants.

Money Changers & Remitters

  • Cash logs, camera coverage, currency source checks, structured cash patterns, and frequent cross-border small-value sends.
  • Agent audits and mystery shopping.

Capital Markets & Insurers

  • Capital markets: BO account KYC, omnibus accounts oversight, pump-and-dump/synchronized trading detection.
  • Insurers: life insurance SoF/SoW and beneficiary checks; early surrender patterns.

DNFBPs

  • Law/accountancy: client due diligence on company formation, escrow handling, and complex structures; report suspicious trust/company service requests.
  • Real estate: developer/agent KYC; high-value cash, third-country buyers; politically exposed purchasers; offshore companies; flips.
  • Dealers in precious metals & stones: cash limits, supplier provenance, high-risk country sourcing; scrap/gold trading anomalies.

Part I — Training & culture (make people your strongest control)

  • Induction + role-specific modules (front-line vs. back office vs. management vs. agents).
  • Quarterly micro-learning on typologies (hundi/hawala, TBML, mule accounts, digital fraud, PEP risks, TF micro-payments).
  • Tabletop exercises: sanctions hit, PF red flag, cyber breach producing anomalous payments, media crisis with potential insider leak.
  • Certification & attestation: track completion; escalate non-compliance.

Part J — Technology stack (what to ask vendors for)

  • KYC/CDD: dynamic forms, document capture, OCR, liveness, registry/API checks, UBO visualization, SoF/SoW repositories.
  • Screening: batch + real-time; robust fuzzy logic with explainability; delta screening on updates; API hooks at payment and beneficiary creation; vessel/port screening where relevant.
  • TM: risk-based scenarios, customer baselining, peer groups, graph analytics, and case management with audit trails.
  • Case Management: workflow, SLA timers, evidence attachments, analytics, regulatory report exports.
  • Data: lineage, quality scoring, deduplication; immutable logs and time-stamped evidence; role-based access.
  • Model governance: version control, change logs, back-testing, champion/challenger, independent validation.

Part K — Investigations: from alert to decision

  1. Assemble: KYC file, transactions, counterparties, external intel.
  2. Hypothesis & narrative: what indicators suggest ML/TF/PF; alternative explanations tested.
  3. Interviews & outreach: if policy allows, seek clarification without tipping-off; use neutral queries.
  4. Decision: close with rationale or escalate to STR/SAR; apply risk-mitigation (limits, EDD refresh, exit if needed).
  5. Post-mortem: feed learning into scenarios, thresholds, training, and product design.

Part L — Recordkeeping & evidence (your audit shield)

  • KYC/CDD: full packs, UBO charts, attestations, approvals.
  • Screening: match logs, disposition notes, list versions at time of decision.
  • TM: alert IDs, data snapshots, investigator notes, decisions, QA reviews.
  • STR/SAR: working papers, filings, regulator acknowledgments.
  • Training: registers, materials, assessments.
  • Model: documentation, validation, change logs.
  • Retention: at least the statutory minimum after relationship ends; longer for investigations/litigation.

Part M — 30/60/90-day implementation plan (install a working program fast)

Days 1–30 — Stabilize

  • Appoint/confirm MLRO/AMLCO; approve policy suite and risk appetite.
  • Complete a rapid EWRA; identify top 10 risks and immediate fixes.
  • Freeze onboarding of prohibited customer types; put interim caps on high-risk products/corridors.
  • Deploy basic screening at onboarding and payments; ensure TFS freeze procedures work end-to-end.
  • Stand up a single case tool (even if lightweight) and train analysts on narrative standards.

Days 31–60 — Institutionalize

  • Ship CDD/EDD SOPs and forms; embed CRR in onboarding.
  • Launch first TM scenarios (cash structuring, velocity spikes, cross-border anomalies, agent outliers, TBML basics).
  • Create investigation & escalation SOP; define STR pathway and no-tipping-off script.
  • Build a KPI/MI pack to board/management (alerts, SARs, sanctions hits, QA pass rates).
  • Begin agent/partner onboarding and monitoring framework (if relevant).

Days 61–90 — Assure

  • Tune scenarios from first data; add peer/baseline analytics.
  • Run a sanctions/PF tabletop; fix gaps.
  • Independent QA on closed alerts and internal audit scoping.
  • Draft training calendar; run targeted sessions for sales, ops, agents.
  • Approve model governance and data quality standards; implement change control.

Part N — Practical checklists & mini-templates (copy/adapt)

KYC essentials (individual)

  • Full name(s), aliases, photo ID, DOB, nationality, addresses, occupation/employer, purpose, SoF, expected activity, PEP/adverse media/sanctions screening, signature/liveness.

KYC essentials (company/NGO)

  • Legal name, registration, tax number, registered/principal address, directors/officers, UBO chart with % and control; SoF/SoW where relevant; business model; expected activity; sanction/PEP/adverse media.

EDD add-ons

  • Independent SoF/SoW proofs (bank statements, pay slips, audited accounts, title docs); site visit report; senior approval.

Sanctions/TFS decision log

  • Hit details → matching score → source lists → ownership/control analysis → business rationale → decision (block/reject/allow) → notifications filed.
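The decision log above is only as good as its integrity: Part J asks for immutable, time-stamped evidence and Part L for list versions at the time of decision. The block below is an added example of an append-only, hash-chained decision log, not the firm's tooling: every entry carries the SHA-256 of the previous entry, so an edited or deleted past decision breaks every later link and `verify()` reports the first bad index. The field names follow the arrow chain in the template; the hit, scores, list versions and timestamps are constructed for illustration.

```python
"""Append-only, hash-chained sanctions/TFS decision log with an integrity check.

Added example, not the firm's code. Field names mirror the decision-log
template (hit -> score -> lists -> ownership/control -> rationale -> decision
-> notifications); the sample values are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


class DecisionLog:
    """Each entry stores the hash of its predecessor; tampering anywhere is detectable."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
        canonical = json.dumps({k: v for k, v in body.items() if k != "hash"},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, record, when=None):
        """Append a record; returns its hash. `when` lets callers pass a fixed timestamp."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "ts": when, "prev": prev, "record": record}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def record_tfs_decision(log, hit_id, score, lists, ownership_control, rationale,
                        decision, notifications, when=None):
    """Write one decision in the template's field order; `lists` should carry the
    list name *and version* in force when the decision was taken."""
    return log.append({
        "hit_id": hit_id,
        "score": score,
        "lists": lists,
        "ownership_control": ownership_control,
        "business_rationale": rationale,
        "decision": decision,            # BLOCK / REJECT / ALLOW
        "notifications": notifications,  # who was told and what was filed
    }, when)


if __name__ == "__main__":
    log = DecisionLog()
    record_tfs_decision(log, "HIT-0001", 0.97, ["DEMO-SANCTIONS v2025-03-01"],
                        "direct 40% + indirect 21% = 61%", "supplier payment",
                        "BLOCK", ["MLRO", "freeze report filed"])
    print(log.verify())
```

Keep the log in storage the analysts cannot rewrite (append-only table, WORM bucket, or a copy of each day's tail hash sent to a second system); the chain proves that nothing changed after the fact, not that the first write was honest.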

TM case narrative (the 7 sentences)

  1. Who is the customer (risk, business)?
  2. What happened (timeline, amounts, counterparties, channels, locations)?
  3. Why is it suspicious (indicators vs. baseline/peer)?
  4. What could be legitimate explanations (tested)?
  5. What we checked (docs/data) and results?
  6. Decision and rationale (close/escalate); risk controls applied.
  7. Next steps (STR filed, monitoring changes, EDD refresh).

Board dashboard (quarterly)

  • Alerts opened/closed & SLA, false-positive rate, STRs filed, sanctions hits (TP/FN), high-risk customer counts and refresh status, training completion, audit/QA findings, open remediation actions.

Part O — Common failure modes (and how to avoid them)

  1. Great policy, poor evidence: regulators ask “show me.” Fix: embed checklists & case tools; save artifacts by default.
  2. No UBO clarity: hidden ownership behind layers. Fix: require attestations + docs, escalate when structures are needlessly complex.
  3. Untuned screening: either floods or misses. Fix: adjust fuzzy thresholds; whitelist with governance; test regularly.
  4. TM spaghetti: too many rules, low precision. Fix: start with high-value scenarios; add baseline/peer analytics; prune quarterly.
  5. Agent/partner blind spots: great bank controls, weak agent nodes. Fix: agent KYC, training, audits, and risk-based limits.
  6. Tipping-off: staff try to be “helpful.” Fix: scripts and training; strict comms control.
  7. Stale KYC: PEP became minister two years ago and no one noticed. Fix: periodic delta screening and refresh calendars.
  8. No PF lens: sanctions OK, but dual-use export financed unknowingly. Fix: PF checks in trade flows; end-use statements.
  9. Model changes with no paper trail: audits fail. Fix: model governance with approvals and back-tests.

Part P — FAQ (fast, practical answers)

Do I need EDD on every PEP?
Yes—by definition they’re higher risk. Calibrate depth to role, proximity to power, country risk, and product exposure.

When should I file an STR?
As soon as suspicion or reasonable grounds exist—don’t wait for proof. Document your reasoning and file within required timelines.

What if a sanctions hit is on a shareholder at 40%?
Assess ownership/control. If rules aggregate to or above the blocking threshold or show control through other means, treat as restricted.
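This answer and the ownership-and-control bullet in Part D both come down to one calculation: multiply percentages along each ownership chain, sum across chains for each designated person, and compare the aggregate with the blocking threshold, then separately check for control through other means. The block below is an added example of that calculation, not the firm's code. The entities, holdings and control rights are constructed, and the 50% threshold is an assumption for illustration; apply the aggregation rule of the regime that governs the transaction. The walk guards against circular cross-holdings.

```python
"""Aggregate blocked ownership through indirect holdings, plus a control check.

Added example, not the firm's code. Entities, percentages, control rights and
the 50% threshold are constructed for illustration.
"""

# Constructed ownership register: entity -> {owner: percentage held}
HOLDINGS = {
    "TradeCo":    {"BlockedA": 40.0, "HoldCo": 35.0, "CleanInvestor": 25.0},
    "HoldCo":     {"BlockedB": 60.0, "CleanFund": 40.0},
    "CleanCo":    {"BlockedA": 40.0, "CleanFund": 60.0},
    "MinorityCo": {"BlockedA": 10.0, "CleanFund": 90.0},
}
BLOCKED = {"BlockedA", "BlockedB"}   # designated persons on the (constructed) list
# Control through other means, independent of percentages: entity -> {person: right}
CONTROL_RIGHTS = {"CleanCo": {"BlockedA": "veto over disposals and board appointments"}}


def blocked_ownership(entity, holdings=HOLDINGS, blocked=BLOCKED, _path=()):
    """Return {blocked_person: effective %}: multiply along each chain, sum across
    chains. `_path` holds the entities being expanded, to stop on circular holdings."""
    result = {}
    for owner, pct in holdings.get(entity, {}).items():
        if owner in blocked:
            result[owner] = result.get(owner, 0.0) + pct
        elif owner in holdings and owner not in _path:
            indirect = blocked_ownership(owner, holdings, blocked, _path + (entity,))
            for person, share in indirect.items():
                result[person] = result.get(person, 0.0) + pct * share / 100.0
    return result


def assess(entity, threshold=50.0):
    """Decision with rationale: restricted when aggregate blocked ownership reaches the
    threshold, or when a blocked person holds control rights at any percentage."""
    shares = blocked_ownership(entity)
    aggregate = round(sum(shares.values()), 2)
    controllers = {p: r for p, r in CONTROL_RIGHTS.get(entity, {}).items() if p in BLOCKED}
    if aggregate >= threshold:
        decision = "RESTRICTED"
        reason = f"aggregate blocked ownership {aggregate}% >= {threshold}%"
    elif controllers:
        decision = "RESTRICTED"
        reason = "control through other means: " + "; ".join(f"{p} ({r})" for p, r in controllers.items())
    else:
        decision = "ALLOW_WITH_REVIEW" if aggregate > 0 else "CLEAR"
        reason = f"aggregate blocked ownership {aggregate}% below {threshold}%"
    return {"entity": entity, "aggregate": aggregate, "by_person": shares,
            "decision": decision, "reason": reason}


if __name__ == "__main__":
    for name in HOLDINGS:
        r = assess(name)
        print(f"{r['entity']:<11} {r['decision']:<18} {r['reason']}")
```

For the 40% shareholder in the question: on its own it sits below a 50% threshold, but a second designated person reachable through a holding company, or a veto right held by the 40% owner, turns the answer into "restricted", which is why the log entry must record the chain and the control analysis, not just the headline percentage.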

Can I rely on third-party KYC (e.g., marketplace, agent)?
Only under a controlled reliance framework: written agreement, audit rights, sample checks, and clear liability.

How long to keep AML records?
At least the statutory minimum after relationship end or transaction date; longer for investigations and litigation holds.

Is crypto relevant if we don’t offer it?
Yes—customers may try to move funds to/from platforms or P2P intermediaries; treat as a red-flag use case and monitor card/wallet rails accordingly.

Part Q — The TRW package (how we help end-to-end)

  1. EWRA & risk appetite tailored to your products, channels, and geographies.
  2. Policy suite & SOPs: AML/CFT/CPF, KYC/EDD, screening, TM, TBML/PF, investigations, model governance.
  3. Technology selection & tuning: screening/TM tools, thresholds, baselines, peer analytics, case management.
  4. Sanctions & PF: routing controls, vessel/port screening, end-use/end-user frameworks.
  5. Training & drills: front-line to board; quarterly micro-learning and tabletop exercises.
  6. Independent testing: QA and internal audit; remediation program with project management.
  7. Incident support: investigations, regulator liaison, voluntary disclosures where appropriate.

Contact TRW Law Firm
Phones: +8801708000660 · +8801847220062 · +8801708080817
Emails: [email protected] · [email protected] · [email protected]
Offices: Dhaka — House 410, Road 29, Mohakhali DOHS • Dubai — Rolex Building, L-12 Sheikh Zayed Road

Final note

An AML/CFT/CPF program wins when it’s operational: risk-rated onboarding, tuned screening, intelligent monitoring, clean reporting, and strong evidence. Install the rhythm in 90 days, then keep tuning. If you’d like, we’ll convert this guide into a bespoke SOP + control library (forms, dashboards, scenarios, and training pack) tailored to your sector so your team can execute on autopilot.
