Buyer Beware: You Can't Contract Out Your AML Obligations

By Jeanette Kreft, MD, The Compliance Company

We have a regulatory regime that is sufficiently mature for reporting entities to fully appreciate the regulatory burden of having to comply. We have Sector Supervisors who are becoming less patient with non-compliance and more likely to take enforcement action where non-compliance is identified. We have a labour shortage when it comes to employees with compliance experience, meaning that these employees are difficult to find and to retain once found. We also have customers who are demanding a better customer experience and are less willing to deal with businesses that have cumbersome onboarding and account maintenance processes.

There is a much-needed place in the market for external providers to assist reporting entities in complying with their regulatory obligations. There is, however, a worrying trend emerging: the “I’ll pay and make the problem go away” approach to compliance, adopted without fully understanding whether the product or service being offered will in fact result in the reporting entity complying with its obligations. Now, I hate to be the bearer of bad news, but unfortunately you can’t contract out of your regulatory obligations, meaning that you are liable irrespective of a contractual arrangement in place with an external provider.

Set out below are some important things that you should consider when engaging an external provider to assist you with the satisfaction of some or all of your regulatory obligations. Some of these suggestions relate to your obligations as a reporting entity; others relate to good business practice.

Understand your obligations

It’s crucial that you understand the regulatory obligations that you are required to comply with. Without a robust understanding of these regulatory obligations, you won’t be able to understand which obligations the external provider is and is not assisting you in satisfying, or whether the external provider is in fact satisfying those obligations.

Know who you are dealing with

Undertake due diligence on the external provider and document the due diligence undertaken. Set out below are some of the matters that could be considered when undertaking due diligence on an external provider. The exact matters that should be considered will depend on the product or service that the external provider is offering.


Does the external provider have the requisite capacity and internal knowledge and expertise to offer the product or service?


What initial and ongoing support does the external provider offer?

Privacy and Data

How will information be stored and handled?

Cyber Security

What cyber security measures are in place to detect cyber threats and manage and mitigate cyber risks?

Business Continuity

How will the external provider deal with a business disruption event that affects the products or services that they provide, and what measures do they have in place to restore business-as-usual functions?


What insurance does the external provider maintain and what is the level of cover?

Fees and charges

What are the fees and charges for the product or service? What additional fees and charges may be payable?


How are breaches, failures or issues identified, how are these notified, and within what timeframes?