What Is a Compliance Policy and What Should It Cover?

There is a moment that most people responsible for compliance at a regulated business recognise immediately. You have been asked to produce the compliance policy, or to review the one that already exists, and you are looking at a document that is somewhere between thirty and two hundred pages long, full of regulatory citations and process descriptions, and you are genuinely not sure whether it covers what it needs to cover, or whether it would hold up if a regulator or banking partner examined it today.
That uncertainty is more common than most compliance professionals admit publicly. And it exists because the question of what a compliance policy actually is, and what it must contain under EU law, is not as simple as it should be. The term gets used interchangeably with compliance manual, compliance framework, AML policy, and internal controls document. Different regulators use different language. Different businesses structure their policies differently. And the regulatory standards themselves have been shifting, with the most significant change in a decade arriving on 10 July 2027 when the Anti-Money Laundering Regulation (AMLR) becomes fully applicable across all EU member states.
This article answers the question directly and practically. It explains what a compliance policy is, who needs one, what it must cover, and what the AMLR changes about the standard you need to meet.
Why This Question Matters More Than It Sounds
Before getting into the substance of what a compliance policy must cover, it is worth being honest about why the question is harder than it appears.
The regulatory frameworks that govern compliance policy requirements do not usually hand you a checklist with ten items and a tick box next to each one. What they give you is a set of obligations described at a level of principle and then fleshed out through regulatory technical standards, guidelines, and supervisory expectations that arrive over time and from multiple directions. The AMLR requires obliged entities to have internal policies, procedures and controls that are risk-based, proportionate to the nature and size of the business, and responsive to the ML/TF risks the entity actually faces. What that means in practice for a payment institution with five hundred business clients across twelve EU member states is different from what it means for a trust and company service provider with fifty clients in a single jurisdiction.
This is deliberate. The EU's AML framework is explicitly built on a risk-based approach, which means the content and depth of a compliance policy must reflect the institution's actual risk exposure rather than a generic template. A policy that has been copied from a template and not adapted to the entity's specific business, geography, customer types, and transaction profiles is not a risk-based policy. It is a document that looks like one.
The practical consequence is that there is no shortcut to producing a compliance policy that meets the standard. But there is clarity about what must be present, and that is what this article provides.

What a Compliance Policy Actually Is, and What It Is Not
A compliance policy is the written expression of how an obliged entity intends to meet its regulatory obligations, specifically in the areas of anti-money laundering, countering the financing of terrorism, sanctions compliance, customer due diligence, and the governance of those processes. It should describe the rules the business operates by, the responsibilities of the people who carry out compliance functions, and the controls that ensure those rules are followed.
What it is not is a piece of decoration. This distinction matters enormously in light of the EBA's own supervisory data, which found in its July 2025 Opinion on ML/TF risks that the most common compliance failure across EU financial institutions is not the absence of a policy but the failure to apply one. Customer due diligence shortcomings alone account for 61 percent of AML/CFT breaches reported to the EBA's EuReCA database, in institutions that almost universally had CDD policies in place.
A compliance policy is also not a single document in most regulated businesses. In practice, the compliance framework is usually a collection of interconnected policies covering different areas, a master policy or compliance manual that sets out the overall framework, supported by specific policies on CDD, sanctions, PEP handling, SAR filing, record retention, and so on. The important thing is that these documents connect coherently, that they reflect the entity's actual processes rather than aspirational ones, and that they are kept current as regulations change and as the business evolves.
Who Needs a Compliance Policy Under EU Law
Under the current EU AML framework, all obliged entities are required to have internal policies, procedures and controls in place to manage their ML/TF risks. The definition of obliged entities under Regulation (EU) 2024/1624 (the AMLR) is broad and includes credit institutions, financial institutions including payment institutions and EMIs, auditors, external accountants, tax advisors, notaries and other legal professionals, trust and company service providers, estate agents, providers of gambling services, and, from 2027, a range of newly added entities including crypto-asset service providers, professional football clubs and agents, and dealers in high-value goods.
If your business falls within that list and you operate in the EU, you need a compliance policy. The question is not whether you need one but whether the one you have meets the standard that regulators will apply when they assess it.
From 10 July 2027, the standard changes in several important ways. The AMLR replaces the existing patchwork of nationally transposed AML directives with a single, directly applicable regulation that sets the same binding requirements across all EU member states. This matters for compliance policy because it removes the national discretion that previously allowed different member states to interpret the policy content requirements differently. The AMLR sets a uniform floor, and every obliged entity's compliance policy will be assessed against that same floor, regardless of where in the EU the entity is based or supervised.
The Core Components Every Compliance Policy Must Cover
The following sections describe the components that an EU-regulated business's compliance policy must address. These are drawn from the AMLR, the Anti-Money Laundering Directive 6 (AMLD6), and published EBA guidance. They are minimum requirements, not aspirational standards, and the depth with which each component must be addressed in your policy will vary based on your entity type, size, risk profile, and the nature of your business relationships.
The Business-Wide Risk Assessment
The business-wide risk assessment is the foundation on which every other element of the compliance policy rests, and it is treated as such under the AMLR. Under Article 8 of the AMLR, the business-wide risk assessment must be documented and kept up to date, reviewed whenever internal or external events significantly affect the ML/TF risks associated with the entity's activities, and made available to supervisors on request.
Critically, the AMLR specifies that the business-wide risk assessment must be drawn up by the compliance officer and approved by the management body in its management function. This is not a compliance team exercise that sits in a document management system. It is a governance document that requires the active engagement of the people running the business.
What this means in practice is that the business-wide risk assessment must identify the specific ML/TF risks that the entity actually faces, based on its products, services, delivery channels, customer types, geographic footprint, and transaction profiles. A generic statement that "the business is exposed to money laundering risks" is not a risk assessment. An analysis of the specific risk factors present in your customer base, the higher-risk jurisdictions you deal with, the payment corridors you operate in, and the ownership structures of your business clients is.
The Customer Due Diligence Policy
The CDD policy describes how the business identifies and verifies its customers, the thresholds that trigger different levels of due diligence, how the purpose and intended nature of each business relationship is understood, and how customers are risk-rated. This is the area where the EBA's data shows the most persistent failures, and the most common reason is that CDD policies describe a verification standard that the institution's actual process does not deliver.
Under Article 20 of the AMLR, CDD measures must be applied at the start of a new business relationship, before carrying out occasional transactions above the relevant threshold, whenever there is a suspicion of money laundering or terrorist financing regardless of any applicable threshold, and whenever there is doubt about the accuracy or adequacy of previously obtained customer identification data.
The CDD policy must also describe the conditions under which simplified due diligence applies, which is permissible only where the entity has established, based on a risk assessment, that the risk is low. It must describe what enhanced due diligence looks like and when it is triggered. And it must describe how the entity monitors existing relationships on an ongoing basis, which is a distinct and separately documented obligation, not simply a description of what happens at onboarding.
Beneficial Ownership Identification and Verification
The beneficial ownership policy sits within or alongside the CDD policy and describes the process for identifying and verifying the ultimate beneficial owners of legal entity customers. This is a component where the AMLR makes a change that is small in wording but significant in practice.
Under Article 52 of the AMLR, a beneficial owner is any natural person who owns or controls 25 percent or more of a legal entity's shares, voting rights, or other ownership interests. The existing AML Directives define this as "more than 25 percent." The shift to "25 percent or more" means that a person holding exactly 25 percent of a company's shares is now caught by the definition and must be identified and verified. Compliance policies that reference the old threshold will need to be updated, and onboarding workflows that were built around the old threshold will need to capture that additional 0.01 percent.
The policy must also address what happens when no natural person meets the ownership threshold, in which case the AMLR requires identification of the natural person who holds senior managing responsibility. For trusts, foundations, and similar legal arrangements, the policy must address identification of settlors, trustees, protectors, beneficiaries, and any other natural person exercising ultimate effective control.
Sanctions and Targeted Financial Sanctions Policy
The sanctions policy must describe how the entity screens its customers, business relationships, and transactions against EU financial sanctions lists, how frequently screening is conducted, how alerts are managed, and how the entity ensures that its screening infrastructure reflects current designations.
The EBA's Guidelines on internal policies, procedures and controls to ensure the implementation of Union restrictive measures, applicable from 30 December 2025, are a mandatory reference point for credit institutions and financial institutions within the EBA's scope. They set out the governance framework, the screening requirements, and the escalation and reporting obligations that must be reflected in the policy.
For payment service providers offering instant payment services within SEPA, the EU Instant Payments Regulation (Regulation (EU) 2024/886) adds a specific requirement: PSPs must screen their customer base against EU sanctions lists at least daily. This daily customer-level screening requirement must be reflected in the sanctions policy and, critically, must be accompanied by an operational process that actually runs at that frequency.
Enhanced Due Diligence and the PEP Policy
The PEP policy is one of the most examined areas in supervisory inspections, and one of the areas where the EBA's data shows the most consistent failures. The policy must define how politically exposed persons are identified, what enhanced due diligence is applied to PEP relationships, how source of wealth and source of funds is assessed, and what senior management approval process is in place for establishing or continuing a PEP relationship.
Under Article 34 of the AMLR, enhanced due diligence measures for PEPs must include obtaining senior management approval, taking adequate measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring. The policy must be specific about what "adequate measures" means in practice for your entity, including which sources of information are used to assess source of wealth, how that assessment is documented, and what the approval chain looks like.
The EDD policy must also address the other categories of higher-risk relationship beyond PEPs, including correspondent relationships, business relationships involving high-risk third countries as listed in Commission Delegated Regulations, and relationships where the structure or circumstances present an elevated risk that cannot be adequately managed through standard CDD.
The Suspicious Transaction Reporting Policy
The SAR or STR policy must describe the internal process for identifying, escalating, investigating, and reporting suspicious transactions or business relationships to the relevant Financial Intelligence Unit. Under Article 74 of the AMLR, the compliance officer bears personal responsibility for reporting to the FIU, and the AMLR imposes a five-working-day deadline for responding to FIU requests for information.
The policy must describe the tipping-off prohibition clearly, meaning that once a report has been or is being filed, the customer must not be informed that their activity has been reported, nor should any action be taken that might prejudice the investigation. It should also address the internal escalation path: who can raise a suspicion, how it reaches the compliance officer, what investigation steps are required, and how the decision to file or not file is documented.
This documentation requirement is often underestimated. The decision not to file a SAR is as significant as the decision to file one. Both decisions must be documented with the reasoning recorded, because regulators may examine both.
The Record Retention Policy
Under Article 77 of the AMLR, obliged entities must retain the documents and information obtained during CDD for five years from the end of the business relationship or the date of the occasional transaction. Records of transactions must be retained for five years from the date of the transaction. Upon request from a competent authority or FIU, the retention period may be extended by a further five years.
The record retention policy must specify where records are stored, how they are organised and retrievable, who has access, how they are protected from unauthorised alteration, and what the deletion process is when the retention period expires. The practical challenge for most regulated businesses is that a five-year retention requirement applies to records that were created at a time when the business may have been using different tools, different processes, and different documentation standards. The policy needs to address not just how records will be retained going forward but how historical records are being maintained.
Compliance Governance: The Compliance Officer, Compliance Manager, and Management Body
The AMLR introduces a detailed governance framework for compliance that must be reflected in the compliance policy. Under Article 11 of the AMLR, every obliged entity at or above a defined size threshold must appoint a compliance manager, a member of the management body with specific responsibility for AML/CFT compliance. Under the same article, the compliance officer, who may be the same person as the compliance manager in smaller entities, must have sufficient hierarchical standing and must submit an annual report to the management body on the implementation of internal policies, procedures and controls.
The compliance policy must describe these roles, their responsibilities, their authority to access information and escalate concerns, and the mechanism by which they report to the management body. It must also describe the internal audit function, which under the AMLR must be independent of the compliance function and must assess the adequacy and effectiveness of the compliance policies, procedures and controls periodically.
Staff Training and Awareness
The AMLR requires that employees, agents, and distributors who play a role in AML/CFT implementation understand the requirements and the entity's internal policies. The training policy must describe how the entity ensures that relevant staff receive appropriate training at onboarding and on an ongoing basis, how training is updated when regulations or internal policies change, and how completion is recorded.
This is not a generic HR training requirement. The EBA's guidelines on internal governance make clear that training must be tailored to the role of the individual, not delivered as a single generic annual module. A compliance analyst who handles PEP relationships needs different training from a frontline customer service representative. The policy must reflect that differentiation.
Whistleblowing and Internal Reporting
The AMLR, read alongside Directive (EU) 2019/1937 on the protection of whistleblowers, requires that obliged entities have in place effective and appropriate channels for employees to report breaches of AML/CFT obligations internally. These channels must be independent of normal management lines, must protect the reporting person from retaliation, and must ensure confidentiality of the report.
The whistleblowing policy within the compliance framework must describe the internal reporting channels, the protections in place for reporters, how reports are investigated, and how findings feed back into the compliance improvement process.
What the AMLR Changes About Compliance Policy Requirements from 2027
The AMLR's most significant structural change for compliance policies is the shift from a directive-based system, where member states transposed AML requirements differently into national law, to a directly applicable regulation that sets the same binding standard across all EU member states. From 10 July 2027, every obliged entity across the EU will be assessed against the same compliance policy requirements rather than against their national implementation of the relevant directive.
This matters for three specific groups. First, entities that have relied on their member state having a lighter-touch national implementation of AML policy requirements will find those interpretive advantages disappear. Second, entities operating across multiple EU member states will be able to maintain a single compliance policy framework rather than adapting to the nuances of different national transpositions. Third, entities in sectors newly brought within scope under the AMLR, including crypto-asset service providers, certain luxury goods dealers, and professional football clubs, will be building their compliance policies from scratch against the AMLR's requirements rather than against existing national guidance.
The AMLR also introduces strengthened requirements in several specific areas. The compliance officer's personal accountability for SAR filing is more explicit than under the current framework. The management body's engagement with the business-wide risk assessment is mandatory and documented rather than recommended. The requirements around group-wide policies, for entities that are part of a group, are more detailed and require genuine implementation across all subsidiaries rather than simply circulation of a parent company policy.
What Separates a Strong Compliance Policy from a Weak One
The table below describes the distinguishing characteristics of a compliance policy that will hold up under regulatory scrutiny and one that will not, mapped across the key components covered in this article.
| Policy Component | Strong Policy | Weak Policy |
|---|---|---|
| Business-wide risk assessment | Specific to the entity's actual products, customers, geographies, and risk profile; drawn up by the compliance officer; approved by the management body; updated when material changes occur | Generic document copied from a template; not adapted to the entity; approved at a point in time and not revisited; no evidence of management body engagement |
| CDD policy | Describes verification sources used in practice; distinguishes clearly between SDD, standard CDD, and EDD; links to the risk rating framework; addresses ongoing monitoring separately from onboarding | Describes an aspirational standard not matched by the operational process; conflates onboarding verification with ongoing monitoring; does not specify which sources are used or accepted |
| Beneficial ownership identification | Uses the 25% or more AMLR threshold; addresses layered structures and fallback to senior manager where no natural person meets the threshold; specifies registry-based verification | Uses the old "more than 25%" threshold; relies on client self-declaration without independent verification; does not address what happens when no UBO meets the threshold |
| Sanctions policy | Describes daily customer-level screening aligned with Instant Payments Regulation requirements; specifies list sources and update frequency; documents alert management and escalation | Describes transaction-level screening that does not meet the daily customer screening requirement; list sources not specified; alert management process undocumented |
| PEP and EDD policy | Defines what constitutes a PEP with reference to the AMLR definition; specifies source of wealth and funds investigation steps; requires senior management approval with documented decision; addresses family members and close associates | Describes EDD as a concept without specifying the steps; senior management approval required but process not defined; close associates and family members not addressed |
| SAR policy | Defines internal escalation path; specifies investigation steps and documentation requirements; addresses both the decision to file and the decision not to file; includes tipping-off prohibition and five-working-day FIU response timeline | Describes reporting obligation without specifying the internal process; does not address documentation of non-filing decisions; tipping-off prohibition either absent or not operationalised |
| Record retention policy | Specifies five-year minimum; addresses historical records under previous systems; describes storage, access, retrieval, and deletion procedures | States five-year retention without specifying how records are stored, organised, or made retrievable for a regulatory examination |
| Governance | Names the compliance officer and compliance manager roles; describes authority, reporting lines, and annual report to management body; describes independent audit function | Compliance officer role described generically; no named individual; management body reporting not described; audit function either absent or not independent |
| Staff training | Role-specific training requirements; update triggers when policy or regulations change; completion recorded and auditable | Annual generic training module; no role differentiation; completion not systematically recorded |
| Whistleblowing | Independent reporting channel described; protections for reporters specified; investigation and feedback process documented | Generic reference to a whistleblowing obligation without describing the operational channel or protections |
About SpeedyDD
SpeedyDD is a KYB and due diligence platform whose mission is to help complex, regulated businesses maintain audit readiness as a default state rather than something built in a hurry before an examination.
One of the most common gaps between a compliance policy and operational practice, and the one that regulators identify most frequently, is in the beneficial ownership verification layer: the policy requires registry-level verification, but the operational process relies on client self-declaration. SpeedyDD bridges that gap by connecting compliance teams directly to more than 3000 corporate registry data sources across more than 200 countries and territories, integrating directly with The KYB for registry data retrieval, and logging every verification, decision, and approval automatically so the audit trail exists in the form a policy says it should.
For PSPs, EMIs, CSPs, and iGaming operators preparing for the AMLR's July 2027 application date, the audit trail that the regulation requires, five years of documented, retrievable customer verification and monitoring records, starts being built today.

Frequently Asked Questions
What is the legal definition of a compliance policy for EU obliged entities?
The AMLR does not use the single term "compliance policy" as a defined concept. What it requires, under Article 9, is that obliged entities have in place an internal control framework consisting of risk-based policies, procedures and controls, and a clear division of responsibilities throughout the organisation. In practice, the collection of documents that make up that internal control framework is what compliance professionals mean when they refer to the compliance policy, including the business-wide risk assessment, the CDD policy, the sanctions policy, the SAR policy, and the governance framework that governs all of them.
How often should a compliance policy be reviewed and updated?
Under the AMLR, the business-wide risk assessment must be kept up to date and reviewed whenever internal or external events significantly affect the entity's ML/TF risk exposure. In practice, most supervisors expect the full compliance policy framework to be reviewed at least annually and updated whenever a material regulatory change occurs, a new product or service is launched, a new market or geography is entered, the ownership or control structure of the business changes, or a material weakness or supervisory finding identifies a gap. The AMLR's compliance officer is required to submit an annual report to the management body on implementation, which creates a natural annual review rhythm.
What is the difference between a compliance policy, a procedure, and a control?
These three terms are used together in the AMLR's internal control framework requirement and describe different but related things. A policy states the rule or standard: what the entity commits to doing and why. A procedure describes how the policy is implemented in practice: the steps followed, the tools used, and the decisions made. A control is the mechanism that verifies the procedure is being followed and the policy is being met. A strong compliance framework has all three, and they connect coherently. A policy without a procedure is an aspiration. A procedure without a control is an unverified assertion.
Can a compliance policy be outsourced?
Elements of the compliance function can be outsourced under the AMLR, but with significant restrictions. Certain critical tasks are prohibited from being outsourced entirely, and the outsourcing arrangement must meet strict conditions including contractual clarity, ongoing oversight by the entity, and continued accountability of the compliance officer for the outputs of the outsourced function. The compliance officer's personal responsibility for SAR filing cannot be outsourced. What can be outsourced in practice is specific technical tasks, such as identity document verification or registry data retrieval, provided those tasks are governed as part of a documented compliance process with appropriate oversight.
Does a compliance policy need to be approved by the board or management body?
Yes, under the AMLR. The business-wide risk assessment, which is the foundational document in the compliance framework, must be approved by the management body in its management function. The AMLR also requires that one member of the management body holds specific designated responsibility for AML/CFT compliance. This is a governance requirement, not a recommendation, and it means that the management body's engagement with the compliance policy framework is a regulatory obligation, not a matter of internal preference.
What happens if a compliance policy does not reflect the entity's actual practice?
This is precisely the gap that the EBA's 2025 supervisory data shows is the leading cause of AML compliance failures across EU financial institutions. When a regulator conducts an on-site inspection or a competent authority reviews an institution's compliance files, they are assessing what actually happened in practice, not what the policy says should have happened. A compliance policy that describes a verification standard the operational process cannot deliver, a monitoring frequency the team cannot maintain, or an escalation process that is not followed in practice, creates the conditions for a material weakness finding and, in more serious cases, an enforcement outcome. The policy and the practice must match.
How does the AMLR change what a compliance policy must cover compared to the current framework?
The AMLR makes several specific changes that compliance policies will need to reflect by July 2027. The beneficial ownership threshold shifts from "more than 25 percent" to "25 percent or more," meaning policies referencing the old threshold must be updated and onboarding workflows adjusted accordingly. The compliance officer's personal accountability for SAR filing becomes more explicit. The management body's designated responsibility for AML/CFT compliance becomes mandatory rather than recommended. The governance framework for the compliance function, including the annual report to the management body and the independent audit requirement, is more detailed. And the AMLR removes the national discretion that previously allowed different member states to implement these requirements differently, meaning a single directly applicable standard applies across the EU from 10 July 2027.
What should a compliance policy say about data protection and GDPR?
AML compliance involves the collection, storage, and processing of personal data, which means it operates within the framework of the General Data Protection Regulation. The AMLR and the GDPR interact in several ways that a compliance policy should address. Personal data collected for AML purposes can only be used for those purposes and must not be processed for other commercial reasons without a separate legal basis. The five-year retention requirement under the AMLR represents a legal basis for retaining personal data for that period, but the data must be deleted at the end of the retention period unless an extension has been granted. The policy should also address restrictions on sharing AML-related personal data, including the tipping-off prohibition, which limits what can be disclosed to the subject of a suspicious transaction report.
How detailed does a compliance policy need to be?
The AMLR's proportionality principle means the answer depends on the entity. A large credit institution processing millions of transactions daily and serving customers across multiple EU member states needs a more detailed and comprehensive policy framework than a small trust and company service provider with a single office and a limited client base. What matters is not the length of the policy but whether it accurately describes the entity's actual risk exposure, the controls in place to manage that risk, the processes followed by the people responsible for compliance, and the governance framework that ensures those processes are followed and reviewed. A ten-page policy that accurately describes how a small entity operates is better than a two-hundred-page document that describes a compliance programme the entity does not actually run.
