Perspectives
Perspective 004Governance

What regulators mean by effective AML governance.

Governance is no longer assessed by organisation charts. Regulators want evidence of informed discussion, clear accountability and constructive challenge.

By Everett MorganAutumn 20267 min read
European executive boardroom interior
Executive brief

Reading time · 10 minutes  ·  Primary audience · Chairs, Non-Executive Directors, CEOs, MLROs, Heads of Compliance

Why this matters

European AML supervision has moved from the review of governance documentation to the testing of governance behaviour. SEPBLAC, the FCA, the Central Bank of Ireland and the Bank of Lithuania have each, in their recent enforcement reasoning, described the same expectation: Boards must be able to demonstrate informed discussion, clear accountability and constructive challenge, on evidence, not on assertion. That is a different bar from the one most governance frameworks were designed to meet.

Key findings
  1. 01Governance is now assessed by what Boards and committees actually do, not by their charters. Terms of reference and organisation charts are treated as necessary but not sufficient.
  2. 02The critical governance evidence is: management information that supports decisions, minutes that record specific challenge, and outcomes that can be traced back to the decisions that produced them.
  3. 03Recurring supervisory findings in Europe concentrate on three areas: the quality of information reaching the Board, the substance of the challenge exercised, and the traceability of accountability when things go wrong.
  4. 04Effective governance is a habit, not a structure. Firms that build the habit gradually cope with supervisory engagement comfortably. Firms that attempt to install it in response to a supervisory letter rarely succeed in time.
Questions Boards should ask
  1. 01Would our last four Board packs, read cold by a supervisor, allow them to understand our financial crime risk profile without further explanation?
  2. 02For each of the last three material financial crime decisions taken by the Board, can we identify the challenge exercised, the evidence relied upon and the accountable owner of the outcome?
  3. 03If our regulator asked us to demonstrate effective governance, would we describe our charters and committee calendar, or would we describe decisions we have taken?

The change in supervisory posture

For much of the last decade, European AML supervision could largely be satisfied by evidence that a firm had the right governance architecture: a Board committee with a financial crime mandate, an MLRO with the requisite standing, an approved Business-Wide Risk Assessment, a policy manual and a training programme. The presence of the architecture was treated as reasonable evidence of the outcomes it was meant to produce.

That inference is no longer accepted. SEPBLAC's 2025 Annual Report is explicit on the point. So is the reasoning behind the FCA's Starling Bank Final Notice, the Central Bank of Ireland's action against Coinbase Europe and the Bank of Lithuania's engagement with Revolut Bank. In each case, the architecture was present. What supervisors found missing was the behaviour the architecture was meant to enable.

This is the context in which the term "effective governance" is now used. Perspective 002 set out the questions a Board should be able to answer. Perspective 003 examined the independent challenge that helps produce those answers. This Perspective describes what regulators are looking for when they test governance directly.

The three tests supervisors now apply

From the reasoning in recent enforcement decisions and from supervisory dialogue observed during inspections, three consistent tests emerge.

Information quality

The first test is whether the information reaching the Board is fit to support the decisions being asked of it. Effective MI in this sense has three properties. It is risk-oriented, answering the question of where residual exposure is concentrated and how it is trending. It is analytical, interpreting rather than reciting numbers. It is comparable across periods, so that the direction of travel is visible rather than inferred.

Challenge quality

The second test is whether the challenge exercised in governance forums is substantive. Supervisors read minutes closely. Where minutes record only that a matter was discussed, or that the Committee took note, the challenge is not evidenced. Where they record specific questions asked, specific responses given and the resolution reached, the challenge is defensible.

This is not a documentary exercise. The purpose of the minute is not to protect the firm, it is to record what actually happened, in enough detail that eighteen months later a supervisor could reconstruct the debate. If nothing happened, the honest minute is short. If something substantive happened, the minute reflects it.

Accountability traceability

The third test is whether accountability for financial crime outcomes can be traced through the governance structure to specific individuals. The point is not to apportion blame after the fact. It is to make it possible, during an inspection, to answer the question of who is accountable for a given outcome without ambiguity. Where accountability is diffuse, either between the first and second line or between the executive and the Board, the framework is treated as weaker than the sum of its parts.

The habits that produce effective governance

Effective governance is not installed. It is practised. The habits that produce it are visible in every firm that handles supervisory engagement comfortably.

What AMLA will inherit

The Anti-Money Laundering Authority becomes operational in 2028 and will directly supervise a limited number of the largest cross-border obliged entities from that date. For the smaller regulated firms that are the primary audience for Claritas, direct supervision by AMLA is not the principal issue. Indirect supervision, through the harmonised expectations AMLA will apply to national supervisors, is.

The governance expectations described in this Perspective are, in substance, the expectations that AMLR sets out and that AMLA will consolidate. Firms that build the habits now will find the transition uneventful. Firms that wait for national supervisors to translate the harmonised standards into local expectations will find themselves preparing under time pressure they could have avoided.

How Claritas approaches governance work

Governance reviews in the Claritas model are diagnostic rather than architectural. We start from the assumption that the architecture is largely correct and that the useful question is whether it is being used.

The work typically has four elements. A cold read of the last four Board packs, the associated MI and the minutes, looking at the material financial crime decisions taken and the trail behind them. A structured conversation with the Chair, the CEO, the MLRO, the Head of Risk and, where relevant, internal audit, focused on the three tests described above. A short thematic file sample to test whether the operational reality supports the governance narrative. A findings note, written for the Board, that distinguishes clearly between issues requiring a decision and issues requiring a change in practice.

The intended output is not a redesign. It is a small number of specific, named-owner improvements that shift the framework from documented to demonstrable.

What success looks like
  • 01Board packs open with the firm's residual financial crime risk position and its direction of travel, not with activity volumes.
  • 02Minutes record specific challenge, specific evidence and specific resolution for every material financial crime decision.
  • 03The escalation register shows a consistent pattern of items raised, resolved and closed on the record, with named owners and dated evidence.
  • 04The Board can identify, unprompted, at least one financial crime decision in the last year that changed as a result of substantive challenge.
  • 05Governance improvements progress on a defined cycle and are not driven principally by supervisory events.
References
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation