AML is the day-to-day work teams use to understand customer risk, screen relevant signals, and make review decisions that can still be explained later. It matters at onboarding, during periodic review, and when trigger events change the risk picture for a customer, company, or ownership structure. Record source + timestamp + rationale + policy version + owner role for every material outcome.

Quick answer

• It applies when a relationship starts, when an existing customer is reviewed again, and when new risk facts change the basis for an earlier decision.
• Keep the record that shows which facts were collected, which internal logic applied, what the reviewer concluded, and who owned the outcome.
• A common mistake is treating a screening output as the answer instead of as one input to a documented AML decision.
• Clear AML compliance makes follow-up faster and makes later decisions easier to explain, compare, and reopen.

Records to keep (for traceable control)

• Customer due diligence sources: Show which facts the assessment relied on — Store as: Source log with timestamp
• Screening rule or policy version: Make the outcome reproducible against the right internal logic — Store as: Policy ID and version reference
• Decision note and risk rationale: Explain why the outcome was accepted, escalated, or reopened — Store as: Review note with rationale field
• Responsible role and decision date: Show accountability and timing — Store as: Decision record with owner and date

‍

Definition and scope

AML is the combined work of understanding who the customer is, which risk signals matter, and when a relationship needs to be reviewed again. It covers customer due diligence, screening, ongoing follow-up, and the review decisions that tie those signals to a real operational outcome.

For risk and compliance teams, that means the topic is broader than a single check. It includes which facts need to be collected, how those facts are interpreted, and how the reasoning behind a decision is preserved.

When those parts stay connected, the organisation can compare like with like over time. When they are fragmented across systems, teams, or notes, similar customers are harder to assess consistently.

Why it matters

AML affects who you onboard, what needs closer review, and when a relationship should be revisited. It shapes customer due diligence, sanctions screening, PEP checks, ownership follow-up, and the judgement that decides whether a previous outcome still holds.

Weak documentation creates avoidable remediation work. If a reviewer cannot reconstruct why a customer was approved, why a case was escalated, or which policy version applied at the time, the organisation ends up arguing from memory rather than from evidence.

It also affects the quality of AML compliance over time. Similar situations should be assessed against the same logic unless there is a documented reason to treat them differently.

What AML covers in operations

The work starts before the first decision is final. Customer due diligence sets the baseline facts, screening adds risk signals, and ongoing follow-up captures changes that may require renewed review.

That means AML should not be framed only as documentation. It also covers which person and company data should be collected, which lists or attributes should be checked, and when new information should trigger a fresh decision.

It also covers how earlier outcomes are reopened. A change in sanctions exposure, PEP status, ownership, or company data should not force a team to start from zero, but it should provide enough context to assess whether the earlier outcome still makes sense.

Common pitfalls

• Screening outputs are treated as final answers instead of as evidence for a documented review decision.
• Customer due diligence is documented at onboarding but not revisited when new risk facts appear.
• Similar situations are handled differently across teams because policy thresholds and decision logic are not explicit enough.
• Findings on sanctions, PEP status, or ownership are stored, but the reasoning behind the outcome is too thin.
• Follow-up events reach the organisation without enough context for the right team to act quickly.

These problems are usually operational rather than theoretical. The issue is rarely lack of awareness. The issue is whether facts, rules, and review notes can actually be kept together in day-to-day work.

A practical process

1) Define what should trigger renewed review

Set out which risk events should lead to enhanced review, a new decision, or follow-up. That makes it clear which changes require action and which should only be recorded.

2) Keep evidence separate from decision

Separate source data, screening outputs, and the final review conclusion in each material case. That makes it easier to see when a signal needs more context and when an earlier outcome should be reopened.

3) Store rationale and ownership

For each material outcome, you need to show why it was accepted, escalated, or left open for follow-up. Policy version, responsible role, and decision date should travel with the outcome.

4) Re-review when facts change

AML is not only an onboarding activity. When sanctions exposure, PEP status, ownership, or company information changes, the same logic for follow-up needs to be applied again so the work remains comparable over time.

Roaring field guide

• Define which signals should trigger review, enhanced measures, or renewed control before live cases reach the team.
• Keep source references, timestamps, policy versions, and decision notes so outcomes can be replayed later.
• Keep core decision logic consistent across channels and document where exceptions are made.
• Route new risk events to the right team or process with enough context to support a review.
• Track sanctions, PEP, ownership, and company-data changes over time instead of relying on one-off checks.

How Roaring can help

• Integration Suite can bring person and company data into existing AML workflows so collection, screening, and decision support can work in the same process.
• Lookup can act as the entry path for teams that have not automated yet, or that want to inspect the data before deciding how an integration should work.
• Monitoring and webhooks can support follow-up when sanctions exposure, ownership, or other risk facts change after onboarding.
• Selected sanctions and ownership datasets can make re-review easier because the same evidence inputs can be compared over time.