Your company is probably spending too much time and money on anti-money laundering (AML) compliance – and it could still get fined by the regulator.

Religious adherence to passport copies and utility bills is as antiquated as the Ford Model T. And like the Model T on a race course, an antiquated compliance programme will serve only to get outpaced by the modern financial criminal.

So, in addition to the regulator not approving of your company's out-of-date AML compliance programme, that programme will do very little to stop actual financial crime from polluting the company's book of business.

The AML regulatory framework underwent a radical paradigm shift in 2009 that resulted in a very different emphasis from the previous framework. The current emphasis, called the risk-based approach, presents a steep learning curve from the days when the 'spirit of the law' and 'best practice' were the guiding principles for regulation.

A company's ability to climb that learning curve is what differentiates those companies whose on-site examinations result in a fine (whether public or private) from those that are left to correct their own deficiencies.

AML regulation has long evolved past the stage of verification of identification and entered an era of risk-sensitivity. AML compliance is focused on and driven by an anti-money laundering risk assessment ("risk assessment").

A money laundering and terrorist financing (ML/TF) risk assessment is crucial to an AML compliance programme. That's because a risk assessment sets out what to do, how much of it to do, when to do it or whether you should do it at all. It lends credibility to decisions, which is something that regulators consider very prudent and mature.

Another way to think about it is that the ML/TF risk assessment is any document, abbreviated or sophisticated, that answers the fundamental question of 'why'. Why do you collect this document, or ask this question, or accept that client?

To understand the ML/TF risk assessment, it may help to understand the role of the regulator and the state of the AML regulations.

The Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations 2008 provide for a customised AML compliance programme. For example, a company can decide how often it reviews the customer's activities in any particular business relationship. The company can also choose how much information it should collect from the client at the beginning of the business relationship.

Some companies fail to appreciate the benefits in the malleability of AML compliance.

For example, prior to the requirement that companies take steps to ascertain the probability of money laundering or terrorist financing taking place, some companies favoured the certainty that comes from the prescriptive approach while bemoaning its limits. Embracing this strategy today would be a catastrophic mistake. The regulator may not fine a company it finds making such an error, but it would be quite easy to establish that the company disregarded its regulatory obligations.

Some companies have argued that they have an undocumented risk assessment. Consequently, they treat all clients in the same way – and therefore they don't vary the intensity or frequency of their enquiries. This argument will serve only to immediately conclude the on-site examination, though the conclusion may not satisfy the company's board of directors.

Only six pages of guidance notes discuss the risk-based approach and only about 660 words speak specifically to identifying and assessing ML/TF risk -- less than the word count for this article.

Given that lack of guidance, it is perhaps not surprising that companies undertake the compliance process with trepidation as it exposes the company to the scrutiny of the regulator -- and Monday-morning quarterbacking is always easier than front-line leadership.

Adding to this trepidation, the regulator can fine the company for a terribly wrong decision. Some quickly conclude that they would rather make no decision at all.

Indeed, while the risk-based approach provides flexibility, it does little to provide certainty to those unaccustomed to this style of regulation.

Simply put, the cost and effort of AML compliance is now in the hands of those who must comply.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.