| name | aml-compliance-program |
| language | en |
| description | Drafts board-ready Anti-Money Laundering compliance programs for UK financial institutions under POCA 2002, MLR 2017, and FCA requirements. Covers CDD, EDD, SAR/DAML reporting, OFSI sanctions screening, risk assessment, training, independent testing, and governance structures. Use when creating or updating AML policies or BSA-equivalent compliance programs for UK-regulated firms. Trigger keywords: AML, POCA, SAR, DAML, MLR 2017, FCA, OFSI, CDD, KYC, compliance program, money laundering regulations. [Atticus UK/Scots refined] |
| tags | ["SCOTS, drafting, memo, regulatory, research, UK, Scotland, legal, atticus, source-verification, evidence-matrix, hostile-review"] |
| atticus_refined | true |
| jurisdiction_focus | Scotland / UK, unless expressly classified otherwise |
| requires_live_source_verification | true |
| external_action_mode | prepare-only unless operator explicitly authorises filing/service/sending |
AML Compliance Program (UK/Scotland Adaptation)
Atticus UK/Scots Legal Excellence Overlay
Use this skill as an autonomous legal-operations module for Scotland/UK work. Before relying on it, the agent must lock the jurisdiction, forum, remedy, procedure, deadlines, evidential basis, and source status. Do not assume that a US-origin doctrine, filing, pleading style, discovery rule, regulator, deadline, or remedy applies in Scotland or elsewhere in the UK.
Mandatory operating rules
- Jurisdiction lock. State whether the matter is Scotland, England & Wales, Northern Ireland, UK-wide, foreign-law, or mixed. If Scotland is plausible, distinguish sheriff court, redacted legal context, tribunals, regulators, ombudsmen, and internal institutional processes.
- Official-source hierarchy. Prefer legislation.gov.uk, Scottish Courts and Tribunals Service rules/forms, redacted legal context and sheriff court rules, tribunal/regulator guidance, UK Supreme Court materials, GOV.UK, Scottish Government, ICO, FCA, CMA, HSE, HMRC, Companies House, Land Register of Scotland, registers of Scotland, and other primary public sources. Treat secondary commentary as orientation only.
- Live verification. Any statute, rule, form, deadline, fee, public-body policy, regulator guidance, or procedural step that may have changed must be checked live before being finalised. Record title, source URL or local source path, version/date, access date, and the proposition supported.
- Evidence discipline. Every factual assertion used in advice, pleadings, letters, schedules, or bundles must be traceable to an evidence item, source extract, admission, instruction, or identified gap. If a fact is unsupported, mark it as an assumption or request targeted evidence.
- Element-by-element reasoning. Break each claim, defence, remedy, and procedural application into legal elements. Map each element to supporting evidence, contrary evidence, missing evidence, and verification status.
- Autonomous depth. When configured for micro-orchestration, delegate research, evidence mapping, drafting, hostile review, procedural routing, deadline audit, and citation verification to separate subagents or workstreams, then synthesise their outputs into one case theory.
- External-action boundary. Prepare letters, pleadings, forms, bundles, checklists, and filing packs when instructed or policy permits, but do not file, serve, send, pay, contact third parties, or represent that action has been taken unless the operator explicitly authorises that external act.
- Uncertainty handling. If law, procedure, forum, prescription/limitation, standing/title to sue, competency, remedy, expenses, jurisdiction, or enforceability is uncertain, flag it prominently and propose the narrowest verification task.
Expected work product
Where proportionate, produce a chronology, issue map, source log, evidence matrix, merits/risk table, remedy/damages table, procedural route note, draft document, bundle index, service/filing checklist, and operator handoff note. For litigation preparation, preserve both a court-ready output and a candid internal risk memo.
Produces a comprehensive, board-ready AML compliance program tailored to a UK financial institution's risk profile, satisfying POCA 2002, MLR 2017, FCA Handbook, and OFSI requirements.
Checkpoint A: Pre-Draft Intake (Mandatory)
Before drafting, collect from the user:
- Existing policies - current AML program, risk assessments, FCA/PRA exam reports, regulatory correspondence
- Institutional profile - org chart, business lines, products, customer demographics, geographic footprint
- Risk data - prior assessments, audit findings, enforcement actions, FCA notices, consent orders
- Applicable regulations - confirm institution type (bank, MSB, broker-dealer, crypto-asset firm, payment institution) to determine which FCA Handbook sections and HMRC registration requirements apply
Do not proceed until items 1-2 are addressed. Items 3-4 may be developed during drafting if unavailable.
Quick Start
Draft a numbered policy document covering all sections below. Calibrate depth to the institution's size, complexity, and risk profile.
Step 1: Program Foundation
| Element | Requirement |
|---|
| Board endorsement | Explicit board/senior management approval and oversight |
| Scope | All business lines, customer relationships, geographies, transaction types |
| Risk-based approach | Controls calibrated to risk assessment findings |
| Resource commitment | Adequate personnel, technology, budget |
| MLRO appointment | Named Money Laundering Reporting Officer (MLRO) - statutory requirement under MLR 2017 reg. 21 |
Step 2: MLRO / Compliance Officer
| Element | Requirement |
|---|
| Qualifications | CAMS, ICA Diploma, or equivalent; demonstrated AML expertise |
| Reporting line | Direct to senior management; regular board access |
| Independence | Evaluation tied to compliance effectiveness, not production |
| Authority | Unrestricted access to all records, systems, personnel |
| Location | UK-based (usually); must be approved by FCA for regulated firms |
Core duties: Regulatory contact (FCA, NCA, OFSI, law enforcement) · SAR/DAML oversight · risk assessment coordination · training management · independent testing oversight · program design and updates.
The MLRO is the named point of contact for receipt of internal SARs and decision on external reporting to NCA. Under POCA s.331, the MLRO has a personal criminal liability for failing to disclose suspicious activity, a key difference from US law where no equivalent personal liability exists for the compliance officer.
Step 3: Customer Due Diligence (CDD)
Per MLR 2017 regs. 27-40:
| Data Point | Individual | Legal Entity |
|---|
| Full legal name | Required | Required |
| Date of birth | Required | N/A |
| Address | Residential address | Registered office / principal place of business |
| ID number | Passport / photo driving licence | Company registration number / EIN equivalent |
Verification: Documentary (passport, driving licence) · Electronic (credit reference agencies, identity verification services) · Non-face-to-face (video ID, digital identity solutions) · [SCOTS: Note, enhanced measures for remote verification per FCA guidance]
Simplified Due Diligence: Permitted for low-risk customers (e.g., UK public authorities, listed companies) per MLR 2017 reg. 16.
Timing: CDD must be completed before establishing business relationship or carrying out occasional transaction over €15,000 (or equivalent).
Retention: 5 years after business relationship ends (MLR 2017 reg. 40).
Step 4: Beneficial Ownership / PSC
Per MLR 2017 reg. 6, Sch. 2 and Companies Act 2006 Part 21A:
- Identify beneficial owners: each individual ≥25% shares or voting rights, or exercising significant control, UK companies already hold PSC Register at Companies House, cross-reference against it, Collect and verify via: company search, PSC register, trust documents, certification, For trusts: register on HMRC Trust Registration Service (TRS) if taxable, Update on risk-based schedule and upon known changes, Document relationship purpose, business activities, anticipated transaction profile, source of funds
Overseas entities owning UK land: Register on Register of Overseas Entities (ROE) under Economic Crime (Transparency and Enforcement) Act 2022.
Step 5: Enhanced Due Diligence (EDD)
Mandatory EDD triggers per MLR 2017 reg. 33:
| Category | Examples |
|---|
| PEPs (Politically Exposed Persons) | Per MLR 2017 reg. 35 - includes domestic PEPs (UK PEPs are in scope, unlike some EU regimes) |
| High-risk third countries | FATF high-risk/jurisdictions under sanction |
| Complex ownership | Opaque structures, offshore trusts, shell companies |
| High-risk businesses | Crypto-asset exchanges, money service businesses (MSBs), cash-intensive, high-value dealers |
| Unusual transactions | No clear economic or lawful purpose |
| Cross-border correspondent relationships | Enhanced measures per MLR 2017 reg. 34 |
| Elevated risk rating | Multiple risk factors per internal methodology |
Requirements: Senior management approval before establishing relationship · source of wealth/funds verification · enhanced ongoing monitoring (more frequent reviews, lower thresholds) · documented risk rating methodology (customer × geography × product × activity).
Step 6: Suspicious Activity Reporting (SAR)
Per POCA 2002 ss.330-332 (principal offences) and ss.337-338 (defences):
- Threshold: Any knowledge or suspicion (no monetary threshold, lower than US SAR $5,000)
- Internal SAR: Employee reports suspicion to MLRO (protected disclosure under POCA s.337)
- External SAR: MLRO reports to NCA if suspicion is confirmed
- Consent (DAML): Defence Against Money Laundering request, must obtain NCA consent before proceeding with suspicious transaction (POCA s.335)
- Timing: As soon as practicable after suspicion formed
- Consent moratorium: Initial 31 working days; can be extended by court up to 186 calendar days (Criminal Finances Act 2017)
Key indicators: Structuring · activity inconsistent with profile · large cash transactions · wire transfers lacking rationale · high-risk jurisdiction involvement · recordkeeping avoidance · complex corporate structures · transactions with no economic purpose
Tipping-off: Strict prohibition under POCA s.342 - criminal offence to disclose that a SAR has been made. Penalties: up to 5 years imprisonment and/or fine.
Confidentiality: Need-to-know access only; separate SAR register; strict internal controls. SARs must not be filed on company-wide systems accessible to all employees.
Step 7: Large Cash Transactions (No UK CTR Equivalent)
[SCOTS: Note, UK does not have a Currency Transaction Report (CTR) system equivalent to FinCEN CTRs]
| Element | UK Position |
|---|
| Threshold | No mandatory cash reporting threshold |
| Internal logs | Keep internal records of large cash transactions > €10,000 (MLR 2017 reg. 31 - high-value dealers) |
| Reporting | Suspicion-based only via SAR mechanism |
| Retail cash payments | Kept for anti-fraud / audit purposes only |
| Cross-border cash | Cash controls (EU Exit) Regs 2019: declare cash > €10,000 entering/leaving UK |
High-value dealers (HVD): Registered with HMRC; must maintain cash transaction records; may have additional HMRC inspection obligations.
Step 8: OFSI Sanctions Compliance
UK sanctions regime under Sanctions and Anti-Money Laundering Act 2018 (SAMLA):
| Trigger | Timing |
|---|
| Account opening | Before relationship established |
| Existing customers | Minimum annually; risk-based frequency |
| Transactions (wires, faster payments) | Real-time or near real-time |
Lists: OFSI Consolidated List (UK regimes), HM Treasury Sanctions List, UN sanctions, autonomous UK sanctions (Russia, Belarus, Iran, etc.)
Actions:
- Asset freeze - mandatory for designated persons; report to OFSI within 10 working days
- Rejection - prohibited transactions not requiring freezing; notify originator; document decision
- OFSI licence - permission to carry out prohibited activity (e.g., payment of legal fees, basic needs)
Retention: All screening records ≥ 5 years (longer for asset-freeze cases).
Strict liability: UK sanctions offences are strict liability, the fact that a firm did not know it was transacting with a sanctioned person is no defence.
Step 9: Risk Assessment
Per MLR 2017 reg. 18:
| Dimension | Factors |
|---|
| Products/services | Velocity, geographic reach, anonymity, abuse susceptibility |
| Customers | Type, occupation, geography, relationship characteristics |
| Entities | Ownership structure, business purpose, formation jurisdiction |
| Geography | Physical presence, customer concentrations, FATF/UK government flag lists |
Assess inherent (pre-controls) and residual (post-controls) risk. Conduct annually minimum or upon significant changes. Findings drive CDD intensity, monitoring sensitivity, and resource allocation.
UK-specific risk factors: Threat assessment from National Risk Assessment (HMT/Home Office, updated periodically), NCA Strategic Assessment, FCA Financial Crime thematic reviews.
Step 10: Training
| Audience | Timing |
|---|
| All employees/officers/directors | Annual minimum |
| New hires | Within 30 days or before customer-facing duties |
| High-risk positions | Role-specific schedule with specialised content |
Core curriculum: Institution AML policies · POCA 2002 (ss.327-332) · MLR 2017 · SAMLA 2018 · FCA Handbook (SYSC 6.3 / FCG) · ML/TF typologies (FCA / NCA bulletins) · red flags · CDD/EDD procedures · SAR/DAML reporting obligations · OFSI screening · tipping-off prohibition
Documentation: Attendance records, completion certificates, comprehension assessments (including for Scottish-remote/online teams).
Step 11: Independent Testing
| Element | Standard |
|---|
| Independence | Personnel independent of AML function |
| Frequency | 12-18 months; higher-risk more frequent |
| Reporting | Findings to MLRO, management, board |
Scope: Regulatory compliance (MLR 2017, POCA, SAMLA) · policy adequacy · risk assessment methodology · transaction monitoring effectiveness · training adequacy · SAR timeliness · CDD/EDD compliance · OFSI procedures · data protection (ICO compliance).
Remediation: Management action plan required with timelines; follow-up verification.
Step 12: Governance
Board duties: Approve program and updates · review risk assessment · receive quarterly compliance reports · review testing results · allocate resources.
Quarterly metrics: SAR/DAML activity · OFSI screening alerts · CDD/EDD backlogs · training completion · testing findings · regulatory developments · FCA/PRA thematic review feedback.
Change management: Document rationale → compliance + legal review → management/board approval → communicate to personnel → maintain version history.
Step 13: Recordkeeping
| Record Type | Retention |
|---|
| SARs + supporting docs | 5 years from filing |
| DAML consents + supporting docs | 5 years from closure |
| CDD / beneficial ownership | 5 years after business relationship ends |
| OFSI screening / asset freeze reports | 5 years minimum (longer for frozen assets) |
| Risk assessments, testing, training | 5 years minimum |
| Internal SAR register | 5 years (retain in separate confidential location) |
Organised for prompt retrieval upon FCA/HMRC/OFSI regulatory request. Security controls and audit trails for SAR-related records. SARs must be stored separately from general customer records (to prevent accidental disclosure in Subject Access Requests under UK GDPR).
Checkpoint B: Post-Draft Review (Mandatory)
After delivering the draft, ask the user:
- Does the program scope match your institution's FCA permissions and risk profile?
- Are the CDD/EDD thresholds appropriate for your customer demographics?
- Do the governance and reporting structures align with your board/committee framework?
- Any FCA enforcement history, Section 166 Skilled Person reviews, or PRA regulatory actions that require specific program provisions?
Quality Checks
Guidelines
- Mark uncertain regulatory citations with [VERIFY] - regulations change; confirm at drafting date, OFSI obligations are strict liability, UK sanctions are distinct from US OFAC and operate independently, Tipping-off (POCA s.342) carries severe penalties (imprisonment) - embed protections in every procedure and training module, MLRO personal criminal liability (POCA s.331) is uniquely UK, ensure MLRO role is clearly defined and resourced, Program must be reviewed regularly for regulatory changes (FCA Handbook updates, new sanctions regimes, NCA guidance)
- Consult legal counsel (Scottish solicitors for Scotland-based firms) for interpretation questions
- [SCOTS: Note, Scottish criminal law applies for ML offences prosecuted in Scotland (COPFS); civil/criminal fines apply UK-wide]
Scotland/UK Adaptation
Adapted for: Scotland and UK law
Changes made:
- Replaced BSA/FinCEN with POCA 2002, MLR 2017, and FCA Handbook as primary AML framework, Replaced OFAC with OFSI (Office of Financial Sanctions Implementation) under SAMLA 2018
- Replaced CTR (Currency Transaction Report) - no UK equivalent; replaced with internal large cash records, Replaced SAR to FinCEN ($5,000 threshold) with SAR to NCA (any suspicion, no monetary threshold)
- Added DAML consent process (Defence Against Money Laundering, UK-specific, no US equivalent)
- Replaced 31 CFR § 1020.220 (CIP) with MLR 2017 reg. 27-40 (CDD requirements)
- Replaced PATRIOT Act with UK anti-terrorism framework (Terrorism Act 2000, Anti-Terrorism Crime and Security Act 2001)
- Replaced beneficial ownership (FinCEN BOI) with PSC Register (Companies House, operational since 2016)
- Replaced FinCEN GTOs with NCA / OFSI guidance and FCA thematic reviews, Replaced EDD triggers: PEPs include domestic UK PEPs (broader than some EU regimes)
- Added MLRO personal criminal liability under POCA s.331 (no US equivalent)
- Added tipping-off under POCA s.342 (imprisonment, more severe than US)
- Added Trust Registration Service (TRS) for registerable trusts, Added Register of Overseas Entities (ROE) for non-UK entities owning UK land, Replaced IRS with HMRC for registration/enforcement of non-FCA entities, Added Joint Money Laundering Steering Group (JMLSG) guidance as UK industry standard, Replaced OFAC SDN List with OFSI Consolidated List (UK autonomous sanctions) and HMT Sanctions List
Key Scottish/UK considerations:
- UK has no CTR system; no equivalent to FinCEN's $10,000 threshold reporting, UK's DAML consent regime requires NCA approval before proceeding with suspicious transactions (unique)
- POCA s.331: MLRO has personal criminal liability for failure to disclose, critical difference from US, Tipping-off (POCA s.342) is a criminal offence with potential imprisonment, UK sanctions (OFSI) operate independently of US/EU sanctions, dual-listing common but not automatic, Scottish criminal prosecutions: COPFS (Crown Office and Procurator Fiscal Service) handles ML offences in Scotland, FCA regulates most financial firms; HMRC registers MSBs, HVDs, crypto-asset firms, trust/company service providers, MLR 2017 is the core regulatory instrument (updated periodically); National Risk Assessment (NRA) informs risk appetite, JMLSG guidance: de facto standard for regulated firms, supplemented by FCA FCG (Financial Crime Guide)
- PSC Register at Companies House is publicly accessible, different from US beneficial ownership approach
Foreign-Law / US-Origin Guardrail
This skill may contain inherited US terminology. For Scotland/UK use, translate rather than copy. Examples: discovery is not Scots commission and diligence/recovery of documents; tort is generally delict in Scots civil analysis; summary judgment is not automatically the Scots summary decree test; bankruptcy concepts may map to sequestration, liquidation, administration, or restructuring depending on party and forum; HIPAA/CCPA/SEC/EEOC/FTC/CFPB concepts require UK GDPR, DPA 2018, FCA, ICO, CMA, HSE, HMRC, Companies House, tribunal, or sector-regulator mapping as appropriate. If the matter is genuinely US or foreign-law, quarantine the foreign-law analysis and warn that local counsel/source verification is required.
Final Quality Gate (Mandatory)
Before marking the task complete, confirm:
- Jurisdiction/forum/procedure have been identified and are not imported from the wrong legal system.
- Current law, rules, forms, fees, deadlines, and public-body guidance have been verified from official sources where necessary.
- Every material factual assertion is tied to evidence, a source, an admission, an instruction, or a clearly labelled assumption.
- Prescription, limitation, time bar, appeal periods, service rules, competency, standing/title to sue, expenses/costs exposure, and enforcement have been considered where relevant.
- The output separates client-facing conclusions from internal risk analysis.
- Drafts include placeholders only where evidence or instructions are genuinely missing; no fabricated citations, authorities, quotes, dates, forms, or procedural steps are allowed.
- A hostile reviewer could reconstruct the reasoning from the evidence matrix and source log.