Buyer Beware: You Can’t Contract Out Your AML Obligations

By Jeanette Kreft, MD, The Compliance Company


We have a regulatory regime that is sufficiently mature for reporting entities to fully appreciate the regulatory burden of having to comply. We have Sector Supervisors who are becoming less patient with non-compliance and more likely to take enforcement action where noncompliance is identified. We have a labour shortage when it comes to employees with compliance experience meaning that these employees are difficult to find and retain once found. We also have customers who are demanding a better customer experience and are less willing to deal with businesses that have cumbersome onboarding and account maintenance processes.

There is a much-needed place in the market for external providers to assist reporting entities in complying with their regulatory obligations. There is, however, a worrying trend that is emerging. It’s the “I’ll pay and make the problem go away” approach to compliance without fully understanding whether in fact the product or service that is being offered will result in the reporting entity complying with its obligations. Now I hate to be the bearer of bad news but unfortunately, you can’t contract out of your regulatory obligations meaning that you are liable irrespective of a contractual arrangement in place with an external provider.

Set out below are some important things that you should consider when engaging an external provider to assist you with the satisfaction of some or all your regulatory obligations. Some of these suggestions relate to your obligations as a reporting entity, others relate to good business practice.

Understand your obligations

It’s crucial that you understand the regulatory obligations that you are required to comply with. Without a robust understanding of these regulatory obligations, you won’t be able to understand what obligations the external provider is and is not assisting you in satisfying and whether the external provider is in fact satisfying those obligations.

Know who you are dealing with

Undertake due diligence on the external provider and document the due diligence undertaken. Set out below are some of the matters that could be considered when undertaking due diligence on an external provider, the exact matters that should be considered will depend on the product or service that the external provider is offering.


Does the external provider have the requisite capacity and internal knowledge and expertise to offer the product or service?


What initial and ongoing support does the external provider offer? > Privacy and Data How will information be stored and handled?

Cyber Security

What cyber security measures are in place to detect cyber threats and manage and mitigate cyber risks?

Business Continuity

How will the external provider deal with a business disruption event that affects the products or services that they provide and what measures do they have in place to restore business as usual functions?


What insurance does the external provider maintain and what is the level of cover?

Fees and charges

What are the fees and charges for the product or services? What additional fees and charges may be payable?


How are breaches, failures or issues identified and how are these notified and within what timeframes?


Can the external provider contract out some or all the services and if they can, are they required to notify you or obtain your consent?


How can either party terminate the contractual arrangement?

Cross your “t’s” and dot your “i’s” Ensure that there is a contractual agreement between yourself and the external provider which governs the relationship and clearly sets out the products and services to be provided, as well as the service levels that the external provider is expected to achieve and maintain.

Understand who does what

Understand what regulatory obligations the external provider is helping you to satisfy and what regulatory obligations they are not helping you to satisfy. Most external providers in the market offer customer due diligence services. Customer due diligence is only one part of your obligations. There are others that are equally important.

Reality should align with your Risk Assessment and AML/CFT Compliance Programme

Make sure that your Risk Assessment and AML/CFT Compliance Programme contemplates the engagement of an external provider to assist with the satisfaction of your regulatory obligations and that any procedures or controls that will be followed by the external provider or you are incorporated into your AML/CFT Compliance Programme.

Don’t be left behind

Ensure that you are in contact with your external provider following a regulatory change or the issue of new guidance to understand how their products or services are affected and what changes if any, will be made to give effect to the regulatory change or guidance. Where there is a change, check to see if your AML/CFT Programme needs to be updated.

If it isn’t written down, it didn’t happen

Make sure that the external provider gives you have access to all documents, information, and records. Remember if you don’t have evidence of something having taken place, it didn’t happen.

Are they doing what they said they would do?

Update your Compliance Assurance Programme to include monitoring of the performance of the external provider. This includes whether they are delivering the products or service in accordance with your contractual agreement and whether the product or service satisfies your regulatory obligations.

Read more about finding the right AML provider in ‘how to choose the right AML provider‘.

Jeanette Kreft The Compliance Company

Get insights and news delivered to your inbox

Webite Developed by Logo