ANQA Compliance Training | FATF R.11 & R.18 | 7 Pages | 30 Questions | 80% Pass Mark
Master the legal framework governing AML compliance programme design. Understand what FATF R.18 requires, how the Five Pillars and Three Lines of Defence work, and why personal liability makes the AMLCO role uniquely demanding.
The AML Compliance Officer (AMLCO) — often called the Money Laundering Reporting Officer (MLRO) — sits at the operational centre of a financial institution's AML/CFT programme. They are the person who makes the final decision to file or not file an STR, who reports to the board, who faces personal criminal liability if the programme fails, and who must hold their ground when senior management applies commercial pressure to overlook suspicious activity.
This course covers the full legal framework: what FATF Recommendation 18 requires, the Five Pillars of an effective AML programme, the Three Lines of Defence model, the board's responsibilities, and the record-keeping obligations under R.11. It is essential preparation for anyone in, or aspiring to, a compliance leadership role.
Core coverage: R.18 Five Pillars, board and senior management responsibilities, Three Lines of Defence, personal criminal liability, audit functions, R.11 record-keeping, and group-wide programme obligations.
R.18 and its Interpretive Note establish that every regulated financial institution must build and maintain a formal AML/CFT compliance programme. The programme is not optional, not scalable to zero, and not satisfied by appointing a single person without resources. The FATF has structured effective compliance programmes around five core pillars.
Common confusion: Pillars 4 and 5 are distinct. Internal controls (Pillar 4) are the mechanisms that prevent or detect AML failures. Independent audit (Pillar 5) tests whether those controls are actually working. The compliance team cannot audit itself — independence of the audit function is a FATF requirement.
The Interpretive Note to R.18 specifies that compliance management arrangements must include the appointment of a compliance officer at the management level. This means a named individual with:
New product rule: A critical and often overlooked R.18 obligation is that new products, services, and delivery channels must undergo an AML risk assessment before they are launched. This prevents ML/TF vulnerabilities being designed into new offerings from the outset.
FATF is explicit: responsibility for AML/CFT compliance rests with the institution's board and senior management — not solely with the MLRO/compliance officer. The AMLCO executes the programme, but accountability flows upward.
| Level | Key Responsibilities |
|---|---|
| Board of Directors | |
| Senior Management (CEO / Executive) | |
| AMLCO / MLRO | |
The Basel Committee on Banking Supervision — in its Sound Management of Risks Related to ML and FT (BIS, 2014) — identifies culture as a fundamental driver of AML effectiveness. "Tone from the top" means that visible, credible commitment to compliance from the board and CEO sets the behavioural standard for the entire institution.
What good tone from the top looks like:
Several high-profile enforcement actions in Africa and globally have illustrated what happens when senior management consistently prioritises revenue over compliance. The consequences include:
Critical point: An MLRO who yields to commercial pressure and does not file a legitimate STR has not protected themselves by following management instructions. They remain personally liable for the failure to file.
The Three Lines of Defence is the globally accepted framework for organising AML/CFT responsibilities within a financial institution. It ensures that no single function carries all the risk, that oversight is genuinely independent, and that responsibility is clearly assigned.
The first line is often the weakest link in practice. Relationship managers and business development staff are commercially incentivised — their bonuses depend on client revenue, not compliance metrics. Effective AML governance must address this tension explicitly:
The compliance function (MLRO/AMLCO and their team) occupies the second line. Key activities include:
Authority: The FATF requires that the MLRO/AMLCO has sufficient authority to make STR filing decisions independently. Senior management cannot veto a legitimate STR. In most jurisdictions, the MLRO's decision to file is protected and cannot be overridden by commercial considerations.
The audit function must be genuinely independent of the compliance team whose work it is assessing. A common failure in smaller institutions is having the compliance officer also conduct the AML audit — this is a structural conflict that regulators consistently flag.
An effective AML audit covers: CDD file quality sampling; TM rule calibration testing; STR filing completeness and timeliness; training completion records; sanctions screening effectiveness; and control testing across all Five Pillars.
Audit reports: AML audit findings must be reported directly to the audit committee and the board — not filtered through senior management. This independence protects the board's ability to exercise genuine oversight.
The AMLCO role carries personal criminal liability in a way that most corporate roles do not. In many jurisdictions — including the UK, Singapore, Nigeria, South Africa, Kenya and others — the compliance officer can be personally prosecuted, fined, and imprisoned for AML failures. This is not a hypothetical risk.
| Type of Liability | Basis | Consequence |
|---|---|---|
| Criminal prosecution | Knowingly allowing ML, failing to file STRs, or assisting in tipping-off | Imprisonment, criminal record, disqualification from financial services |
| Regulatory sanction | Failure to implement an adequate AML programme; inadequate STR systems | Personal fines, prohibition orders, public censure |
| Civil liability | Negligence claims by the institution (unusual but possible) | Financial damages |
Real-world enforcement: In multiple African jurisdictions, financial institution compliance officers and senior managers have faced personal regulatory action following AML failures. The FATF's effectiveness framework (Immediate Outcome 7) explicitly asks assessors to evaluate whether personal liability is being enforced in practice.
Personal liability is the stick; independence is the shield. An MLRO who has genuine independence — structural, financial, and operational — is better positioned to make unpopular decisions without fear of commercial retaliation. Key elements of MLRO independence:
Best practice: Many institutions give the MLRO a formal "escalation right" to go directly to the board (or an independent non-executive director) if senior management prevents the MLRO from performing their legal duties. This is documented in the Terms of Reference for the MLRO role.
The decision to file or not file an STR belongs to the MLRO. Business lines, relationship managers, and senior management can provide information and raise commercial concerns — but the MLRO's filing decision is final and legally protected. An MLRO who is overruled and does not file a legitimate STR remains personally liable for that failure.
Documenting non-filing decisions: When the MLRO reviews an escalation and decides not to file, that decision must be documented with the reasoning. If a prosecution later arises and the file is reviewed by regulators, undocumented non-filing decisions attract scrutiny. The standard is: if you can't write down why you didn't file, you probably should file.
Record-keeping is not merely an administrative obligation — it is the foundation of any regulatory examination, law enforcement investigation, or internal audit. FATF R.11 sets the minimum standards.
Minimum retention period: 5 years from (a) the date of the transaction for transaction records, or (b) the end of the business relationship for CDD records. National law may require longer.
| Record Type | Content | Period |
|---|---|---|
| CDD Records | Identification documents, BO documents, risk classification, EDD records, source of funds/wealth documentation | 5 years from end of relationship |
| Transaction Records | Date, amount, currency, originator, beneficiary, account numbers — sufficient to reconstruct each transaction | 5 years from transaction date |
| STR Records | The STR filing, supporting case documentation, decision rationale for filing or non-filing | 5 years minimum (varies by jurisdiction) |
| Training Records | Completion records for each staff member, course content records, dates and assessment results | 5 years or as required by regulator |
Availability requirement: Records must be available to competent authorities promptly on request — not buried in inaccessible archives or deleted when a cloud storage contract expires. The AMLCO must ensure records management processes reflect this legal obligation.
An effective AML audit programme tests all Five Pillars. Key testing activities include:
For financial institutions operating in multiple jurisdictions, R.18 imposes group-level obligations. The group parent must ensure that:
Practical challenge in Africa: A bank headquartered in London or New York with subsidiaries in multiple African jurisdictions must navigate different national AML laws, different FIU reporting formats, different record-keeping requirements, and potentially different definitions of beneficial ownership. The group programme must set a floor that meets the highest standard across all jurisdictions.
Key takeaway: The AMLCO role is simultaneously a legal obligation, a personal liability, a governance function, and a front-line operational role. Its effectiveness depends on independence, resources, board support, and the quality of the Three Lines of Defence around it.
30 questions — Multiple Choice, Scenario, and True/False. Score 80% (24/30) or above to pass and receive your certificate.