LSAG AML guidance: how to build a defensible audit trail
If you work in risk and compliance, you already know the difficult part is not always making the right AML decision. It is being able to show, months or years later, how you reached it.
That is why documentation matters. The LSAG AML guidance makes clear that a risk-based approach only works if firms can evidence the judgement behind it: what was considered, what was decided, who approved it and why.
The simplest rule of thumb is still the most useful: if in doubt, write it down.
Why documentation matters (and who it helps)
Writing things down isn't pointless admin; it protects you when:
A supervisor asks how you reached a client or matter risk rating.
Law enforcement needs a fast answer on whether you have, or have had, a business relationship with someone.
Your team needs to pick up a matter and understand what has already been checked and agreed.
Most importantly, documentation turns your AML approach into something you can stand behind with confidence.
What you should be documenting (and what “good” looks like)
There is a lot to document. Let's look at each area in turn and at what the record should contain.
Firm level records
1. Governance decisions
The guidance says firms should document board level AML governance decisions. That includes:
Discussions and decisions on AML compliance.
Approvals of AML policies, controls and procedures, and recording that approval.
Any delegation from the board level role to the MLRO.
If it is a decision that sets direction, it needs a record.
2. Firm wide risk assessments (FWRA)
The guidance says firms should keep risk assessments in writing, and they should show the thinking, not just the output.
That means documenting:
The factors you considered, including the risk factors set out in the money laundering regulations, namely:
your firm's customers
the countries or geographic areas in which you operate
the products or services which your firm provides
your firm's transactions
how your firm's products and services are delivered
The rationale behind your assessment, both qualitative and quantitative.
The overall risk level you assigned.
Who completed it, and when, signed and dated digitally or manually.
The FWRA should include a change log: a chronological record of all reviews, revisions, updates and modifications made to the document over time. And remember, a review is still a review even when nothing changes.
3. Policies, controls and procedures
The regulations require policies, controls and procedures to be maintained in writing, and changes should be tracked. That includes:
What changed and why.
The steps taken to communicate changes internally.
A record of changes over time.
4. Training records
The guidance says firms should keep training records that are traceable: a comprehensive written record of all training undertaken, covering:
Materials used, such as slides, notes and handouts.
Attendance.
Dates.
Assessment results, where relevant.
The LSAG AML guidance sets out that some form of high-level, basic AML awareness/refresher training should be taken annually by all relevant employees. The SRA thematic review into training states that firms that had provided more recent AML training were more likely to be compliant.
5. Independent audit records
If you are audited, keep the evidence. That includes:
Scope and sampling basis.
What was checked, and by whom.
Findings and recommended actions.
Senior management discussions about the findings.
Your response and implementation plan, including reasons for not implementing recommendations.
Client and matter-level records
6. Client and matter risk assessments
The guidance says firms should document client and matter risk assessments in writing, and they should show the thinking, not just the output.
That means documenting:
The factors you considered.
The rationale behind your assessment.
The overall risk level you assigned to the client or matter.
Who completed it, and when, signed and dated digitally or manually.
7. Client due diligence records
CDD evidence needs to be complete and accessible. Records should cover:
Identity verification.
Client and matter risk assessments.
Ongoing monitoring activity.
Enhanced due diligence measures.
Additional steps for Politically Exposed Persons, including senior management approval, source of wealth checks and enhanced monitoring.
8. Source of funds and wealth checks
These are called out for a reason. You need to be able to show:
What checks were undertaken.
What evidence was obtained.
The analysis of the checks.
The conclusion you reached, and how you got there.
A short file note that captures this clearly is often the difference between “we did it” and “we can prove it”.
9. Ongoing monitoring
Each time you monitor, you should record:
What you reviewed.
What you did, if anything.
Why you took that action.
Who carried it out, and when.
This is where an audit trail becomes real: not a one-off document, but an ongoing record of oversight.
Escalation and judgement records
10. Suspicious activity decisions, including when you do not disclose
The guidance says firms should keep a comprehensive record whether or not you make a disclosure.
That record may include:
Concerns raised by staff.
Monitoring performed.
Discussions with the MLRO.
Declined clients.
Advice sought and received.
Copies of any disclosures made.
Conversations with the NCA or law enforcement.
The reasoning for deciding concerns did not amount to suspicion.
The decision not to submit a report.
Firms should be mindful of where this information is stored and recorded. While it can be valuable, it should be available only to those who need access, as it could create additional risks if it falls into the wrong hands.
A key pressure point: privilege vs disclosure
The guidance also highlights the importance of documenting decisions where legal professional privilege (LPP) may apply, particularly when deciding whether to submit a Suspicious Activity Report.
Where there is uncertainty, you need a defensible decision-making trail. The guidance even includes a decision template (section 13.8.1) to help practitioners capture their analysis.
How long should records be kept?
The key rule here is in Regulation 40.
In most cases, records need to be kept for five years from the date you know, or have reasonable grounds to believe, that the transaction is complete or the business relationship has ended.
There is also a long-stop for transaction records. Practices are not required to keep records of transactions within a business relationship for more than ten years.
Once the retention period has passed, personal data should usually be deleted unless there is a clear reason to keep it, such as ongoing legal proceedings or another regulatory requirement.
Some firms decide to keep full files for longer because of limitation periods. If they do, that decision needs to be thought through carefully, documented, and usually supported by client consent.
The takeaway
The LSAG guidance is clear: AML compliance needs to be demonstrable. It is not enough to make a reasonable decision; firms need to be able to evidence why that decision was reasonable at the time.
That means treating documentation as part of the AML process itself. When judgement is involved, write down the rationale, keep the evidence together, and make sure the record can be found when it matters.
Because when a supervisor, auditor or law enforcement agency asks “why did you do it that way?”, the best answer is one you can prove.