AML / CFT Programme Requirements

MSB licensing requires a risk-based AML/CFT programme that is demonstrably implemented. The weakest files are “policy-only.” The strongest files show how controls work in real transaction flows: onboarding, screening, monitoring, investigations, reporting, and records.

Programme principles

The programme should be proportionate to your risk profile: corridors, customer types, products, transaction volumes, and distribution model. A generic AML policy copied from the internet is a fast rejection trigger in bank onboarding and supervisory review.

Risk-based

Controls scale with corridor risk, product complexity, and transaction patterns.

Evidence-led

Policies must be supported by logs, dashboards, decisions, and audit trails.

Accountable

Clear ownership for monitoring, investigations, reporting, and remediation.

Programme build sequence (recommended)

Start with scope → flows → risks → controls

1 Map scope and flows

Document how money moves end-to-end: who pays, where funds sit, when FX occurs, and how settlement completes.

2 Build risk assessment

Customer, product, corridor, channel, and partner risk—plus mitigation controls and residual risk rating.

3 Implement controls

CDD rules, screening, monitoring rules, investigations workflow, reporting triggers, and recordkeeping.

4 Evidence + governance

Logs, MI reporting, QA, training evidence, and escalation/decision accountability.

Customer due diligence (CDD / KYC)

CDD must match product risk and customer profile. The key test is whether you can identify the customer, understand the purpose of activity, and detect anomalies against expected behavior.

Minimum CDD expectations

  • Identity verification: Reliable ID verification appropriate to the channel and geography.
  • Customer profile: Purpose of relationship, expected activity, and source-of-funds logic where needed.
  • Beneficial ownership (business): UBO identification and control mapping for corporate customers.
  • Ongoing review: Periodic refresh, event-driven re-verification, and risk rating updates.

Enhanced due diligence (EDD) triggers

  • High-risk corridors: Geographies with elevated sanctions/ML risk indicators.
  • Complex ownership: Multi-layer entities or unclear control relationships.
  • Unusual activity patterns: Rapid volume ramp, structuring patterns, or inconsistent purpose.
  • PEP exposure: PEP identification, adverse media indicators, or heightened reputational risk.

Sanctions and screening

Screening is evaluated by: coverage (who/what is screened), frequency (when screened), and disposition (how alerts are handled). A screening tool without an alert workflow is functionally incomplete.

Coverage

Customers, UBOs, directors, counterparties, and (where relevant) beneficiaries and merchants.

Frequency

At onboarding, periodically, and event-driven (changes in ownership, name, or risk rating).

Disposition

Alert triage, escalation, decision records, and evidence retention.

Minimum evidence expectation

Maintain an alert log showing: date/time, subject screened, match score (or rationale), analyst notes, decision outcome, escalation (if any), and supporting documentation.

Transaction monitoring and investigations

Transaction monitoring must be aligned to your flow mechanics. The best programmes define clear rules/thresholds and show how alerts turn into investigations.

Monitoring elements

  • Rules and thresholds: Defined triggers for anomalies based on product and corridor risk.
  • Customer behavior baselines: Expected activity vs. observed activity and deviation controls.
  • Case management: Investigation notes, evidence capture, and closure rationale.
  • Escalation logic: When to freeze, refuse, report, or exit the relationship.

Common weak points

  • No real rules: “We monitor transactions” without thresholds, logic, or evidence.
  • Missing investigation trail: No case notes or rationale for alert disposition.
  • Weak corridor controls: High-risk corridors without enhanced monitoring or limits.
  • Poor record retrieval: Inability to produce evidence quickly when requested.

Reporting triggers and recordkeeping

A credible programme defines what triggers internal escalation and external reporting, and how long records are kept. Recordkeeping is not a storage problem; it is a retrieval and auditability problem.

Typical reporting triggers

  • Structuring patterns: Repeated transactions designed to avoid thresholds or detection.
  • Sanctions matches: Confirmed or high-confidence matches requiring escalation.
  • Unexplained source of funds: Inconsistent purpose, documentation gaps, or high-risk behavior.
  • Third-party misuse indicators: Patterns suggesting mule activity or proxy behavior.

Recordkeeping expectations

  • Customer files: KYC/EDD files, ownership mapping, and refresh records.
  • Transaction logs: Audit trails, reconciliation evidence, and exception records.
  • Monitoring evidence: Alerts, investigations, and disposition rationale logs.
  • Training and governance: Training logs, MI reports, policy approval evidence, QA results.

Next step

Use the Application Guidance page to obtain the AML/CFT checklist and submission structure. The fastest approvals happen when AML controls are mapped to the exact MSB scope and funds-flow narrative.