The FCA issued more than $124 million in fines during 2025, and the majority were linked to anti-money laundering failures. Nationwide paid $44 million. Barclays paid $42 million. Monzo paid $21 million. In every case, the regulator pointed to the same root cause: inadequate systems and controls - including training that failed to equip staff with the knowledge to spot and report suspicious activity.
If you are a compliance officer, MLRO, or HR leader at a financial services firm, these numbers should sharpen your focus. Your AML training program is not just a regulatory checkbox. It is an operational control - one that regulators will test, and one that can cost your firm tens of millions if it falls short.
This guide walks you through how to build an AML training program that meets FCA, JMLSG, and MLR 2017 requirements - and actually changes how your people respond to financial crime risks. Whether you are starting from scratch or overhauling a program that is not delivering, these are the steps that matter.
- The FCA fined UK financial institutions over $124 million in 2025, with most penalties tied to AML control failures - including inadequate staff training.
- Effective AML training must be risk-based, role-specific, and refreshed regularly - not a one-size-fits-all annual exercise.
- The Money Laundering Regulations 2017, FCA Financial Crime Guide, and JMLSG Guidance set clear expectations for what AML training must cover and how often it must be delivered.
- Different roles need different training: customer-facing staff require transaction monitoring skills, while senior management need strategic oversight capability.
- Continuous microlearning approaches deliver 95%+ completion rates compared to under 5% for traditional annual e-learning - and give regulators evidence of ongoing competence.
- Documenting your training program thoroughly - content delivered, attendance records, assessment results, and version history - is essential for regulatory audits.
Why AML Training Matters More Than Ever in Financial Services
Financial crime is growing more sophisticated, and regulators are responding with sharper enforcement. Global regulatory fines for AML failures surged by 417% in the first half of 2025 compared to the same period in 2024, totaling approximately $1.23 billion worldwide.
In the UK, the FCA has made its expectations clear. The regulator's 2024/25 Annual Report showed that open investigations dropped from 188 to 130 - not because enforcement softened, but because the FCA is closing cases faster and hitting harder. Total fines jumped from approximately $38 million to between $179 million and $186 million. The majority of cases concerned financial crime and deficiencies in AML controls.
The enforcement pattern is consistent: firms get fined not because they lacked an AML policy, but because their training and controls failed to keep pace with their risk profile. When the FCA fined Monzo $21.1 million, the regulator specifically noted that the bank's financial crime controls had not scaled alongside its rapid customer growth. When Barclays paid $42 million, the issue was failing to gather adequate information and conduct proper ongoing monitoring.
The message is unmistakable: a static AML training program that does not evolve with your firm's risk exposure is a regulatory liability.
What the Regulators Expect: FCA, JMLSG, and MLR 2017 Training Requirements
Before building your program, you need to understand the regulatory framework that governs AML training in the UK. Three sources set the expectations:
The Money Laundering Regulations 2017 require relevant persons to take appropriate measures so that employees are made aware of the law relating to money laundering and terrorist financing, and are trained in how to recognize and deal with transactions and activities that may be related to money laundering or terrorist financing. Training must be regular and appropriate to the role.
The FCA's Financial Crime Guide expects senior management to take responsibility for the firm's AML measures - including knowing about the money laundering risks the firm is exposed to and ensuring steps are taken to mitigate them. Training should be tailored to each individual's specific responsibilities and should cover BSA regulatory requirements, supervisory guidance, and the firm's internal policies, procedures, and processes.
The Joint Money Laundering Steering Group provides industry best practice guidance. JMLSG recommends that firms ensure all relevant staff receive AML training that is proportionate to the firm's size, complexity, and risk profile. The February 2026 revisions strengthened requirements around the MLRO role, adding explicit cross-border oversight obligations and updating data protection alignment with UK GDPR.
The FCA considers whether a firm has followed JMLSG guidance when assessing AML compliance. While not legally binding, failing to follow JMLSG guidance without a documented alternative approach puts your firm at risk during supervisory review.
Step-by-Step: How to Build Your AML Training Program
Step 1: Conduct a Risk-Based Training Needs Assessment
Your AML training program must reflect your firm's specific risk profile - not a generic industry template. Start by reviewing your firm's business-wide money laundering and terrorist financing (MLTF) risk assessment. This should already be board-approved and refreshed annually under the MLR 2017.
Map your risk assessment findings to training requirements. Consider your products and services, delivery channels, customer types, geographic exposure, and any high-risk third-country relationships. A payments firm processing cross-border transactions has very different training needs from a domestic wealth manager.
Step 2: Define Role-Specific Training Requirements
The FCA has made clear that one-size-fits-all training is not acceptable. Different roles carry different AML responsibilities, and training must reflect this. Here is how to segment your workforce:
| Role Group | Training Focus | Depth |
|---|---|---|
| Customer-Facing Staff (Tellers, Advisors, Onboarding) | CDD procedures, transaction red flags, suspicious activity identification, SAR reporting escalation, document verification | Operational - detailed, scenario-based training with institution-specific examples |
| Back Office and Operations | Transaction monitoring alerts, data quality for screening, record-keeping requirements, sanctions list checks | Technical - focused on systems and processes used daily |
| Compliance Team and MLRO | Regulatory updates, SAR quality and filing, FCA supervisory expectations, risk assessment methodology, audit preparation | Expert - deep regulatory knowledge with cross-border awareness |
| Senior Management and Board | Governance responsibilities, MLRO oversight, regulatory expectations under SMCR, resource allocation for AML controls | Strategic - oversight capability, not operational detail |
| New Joiners (All Levels) | Core AML awareness plus role-specific modules before handling regulated activities | Foundation - completed within first 30 days of employment |
Step 3: Select the Right Training Content and Delivery Method
Your AML training content must cover the core regulatory requirements while being specific to your firm. At minimum, every AML training program should address:
- Legal and regulatory framework: Money Laundering Regulations 2017, Proceeds of Crime Act 2002, Terrorism Act 2000, and relevant FCA Handbook requirements
- Customer due diligence: KYC procedures, enhanced due diligence for high-risk customers, beneficial ownership identification, and ongoing monitoring
- Suspicious activity recognition: Red flags for money laundering across your specific products and services, typologies relevant to your sector, and the three stages of money laundering (placement, layering, integration)
- Reporting obligations: Internal reporting procedures, SAR filing with the NCA, tipping off offences, and the role of the MLRO
- Sanctions and screening: OFSI sanctions lists, PEP identification, and the consequences of sanctions breaches
- Financial crime typologies: Current and emerging methods relevant to your firm - trade-based laundering, crypto-related risks, fraud and money laundering convergence
For delivery, consider a blended approach. Online micro-lessons work well for ongoing awareness and knowledge reinforcement. Instructor-led sessions - whether in person or virtual - add value for scenario-based discussions where staff can ask the "what if?" questions that build practical judgment. The FCA's investigation into Santander specifically flagged that e-learning alone, without opportunity for direct discussion, left employees unable to apply requirements to their day-to-day roles.
Step 4: Set Your Training Frequency and Refresh Cadence
The MLR 2017 requires training to be "regular" but does not prescribe a specific frequency. In practice, the minimum standard is annual training for all staff, with more frequent refreshers for high-risk roles. HMRC guidance recommends training at least every 18 months, or sooner when regulatory changes require it.
A strong program goes beyond annual completion. Build in:
- Quarterly micro-refreshers on specific topics (new typologies, regulatory updates, case studies from enforcement actions)
- Event-triggered training when regulations change, when your firm's risk assessment is updated, or when new products or markets are launched
- Ongoing knowledge checks to verify retention between formal training cycles - short assessments that take minutes, not hours
Regulators increasingly expect evidence of ongoing competence, not just annual completion certificates. Firms that deliver continuous, bite-sized AML training throughout the year can demonstrate to the FCA that their staff maintain current knowledge - a significant advantage during supervisory reviews. Microlearning platforms like 5Mins.ai deliver 95%+ completion rates compared to under 5% for traditional annual e-learning, and provide real-time compliance dashboards that show exactly who has completed what and when.
Step 5: Build a Monitoring and Assessment Framework
Training without assessment is just information delivery. Your program needs mechanisms to verify that staff have actually absorbed and can apply what they have learned.
- Pre- and post-training assessments to measure knowledge gain (the FCA flagged Santander for setting pass marks at 70% on compliance modules while other courses required 80%)
- Scenario-based testing using real-world examples relevant to your firm's products and customer base
- Periodic knowledge checks between formal training cycles to identify knowledge decay before it becomes a risk
- Completion tracking with automated reminders and escalation paths for non-completion
Track completion rates, assessment scores, and time-to-completion across all role groups. These metrics tell you whether training is working - and give you evidence to present during FCA supervisory visits or independent audits.
Step 6: Document Everything for Regulatory Audits
The FCA and independent auditors will want to see evidence that your training program is operational, current, and effective. Maintain documented records of:
- Training content delivered, including version history and dates of updates
- Attendance and completion records for every employee, by role and business unit
- Assessment results and pass rates
- Evidence of management oversight (board reporting on training metrics)
- Records of training content updates following regulatory changes
- Any gaps identified and remediation actions taken
Your records should demonstrate a clear link between your risk assessment, your training content, and your staff's demonstrated competence. If an examiner asks why a specific team received specific training, you should be able to trace it back to a documented risk.
Step 7: Review, Test, and Update Regularly
An AML training program is never finished. Schedule formal reviews at least annually - or more frequently if your risk profile changes. Each review should ask:
- Has our risk assessment changed? Do new products, markets, or customer segments create training gaps?
- Have regulations or supervisory expectations changed? (The February 2026 JMLSG revisions, for example, added new MLRO cross-border oversight requirements.)
- What do our completion and assessment data tell us? Are specific teams or topics showing weak results?
- Have there been relevant enforcement actions that highlight new risk areas we should cover?
- Is our delivery method working? Are staff engaging with the content, or just clicking through?
Independent testing by a qualified third party adds another layer of assurance. Many firms commission annual AML program audits as part of their overall compliance review.
Common AML Training Mistakes (and How to Avoid Them)
Using the same training for every employee regardless of role is the single most common failure regulators identify. The FCA expects training to be tailored to each individual's responsibilities. A teller should receive training focused on large currency transactions and suspicious activity indicators relevant to their counter. A lending officer should see examples specific to money laundering through lending arrangements.
Annual e-learning sessions with a multiple-choice quiz at the end produce low engagement and poor retention. Staff forget most of what they learned within weeks. Regulators are increasingly looking for evidence of continuous competence - not just a certificate dated 12 months ago. Build in regular touchpoints throughout the year.
Your AML training content should be a living document. When the FCA issues new guidance, when your risk assessment changes, when enforcement actions highlight new typologies - your training must reflect these developments promptly. Firms that continue delivering outdated content are exposed to regulatory criticism, as Monzo's case demonstrated when controls failed to keep pace with business growth.
When the FCA fined Nationwide $44 million, the regulator highlighted governance and oversight failings at senior levels. Board members and senior managers cannot delegate AML responsibility entirely to the compliance team. They need their own training - focused on strategic oversight, governance accountability, and the ability to ask the right questions about the firm's financial crime controls.
Annual Tick-Box vs. Continuous Learning: Why the Old Model Fails
Traditional AML training follows a familiar pattern: once a year, staff sit through a 45-minute e-learning module, answer a quiz, and receive a certificate. Completion rates for this type of training typically sit below 5%. Knowledge retention drops off sharply within weeks. And when the FCA comes knocking, a 12-month-old certificate does not prove current competence.
The alternative is a continuous learning model that delivers AML content in short, frequent bursts throughout the year. This approach aligns with how adults actually learn and retain information:
| Feature | Continuous Microlearning | Traditional Annual Training |
|---|---|---|
| Completion Rate | 95%+ | Under 5% |
| Training Time | 5 minutes per day, ongoing | 45–60 minutes, once a year |
| Knowledge Retention | Reinforced through spaced repetition | Drops sharply within weeks |
| Regulatory Evidence | Continuous completion data with timestamps | Single annual certificate |
| Content Updates | Updated in real time as regulations change | Updated annually (at best) |
| Staff Engagement | High - gamified, mobile-first delivery | Low - perceived as a chore |
| Role Specificity | AI-powered personalised learning paths | Often generic |
Platforms like 5Mins.ai deliver CPD-accredited AML training through short, mobile-first lessons that staff complete in the flow of work. Real-time compliance dashboards give compliance officers and senior management instant visibility into who has completed what - eliminating the last-minute scramble before audits and providing regulators with continuous evidence of staff competence.
- FCA 2024/25 Annual Report - Enforcement data and supervisory strategy, FCA (fca.org.uk)
- AML failures drive record FCA fines in 2025, Fintech Global, February 2026
- FCA fines Barclays $42 million for poor handling of financial crime risks, FCA, December 2025
- FCA fines Nationwide $44m for inadequate financial crime controls, AML Intelligence, December 2025
- The biggest AML fines in 2025, ComplyAdvantage, December 2025
- Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, Regulation 24
- FCA Financial Crime Guide (FCG), Chapter 3 - AML Systems and Controls, FCA, February 2026 edition
- JMLSG Guidance, Part I - Prevention of Money Laundering/Counter-Terrorist Financing, JMLSG, February 2026 revisions
- Revisions to JMLSG Guidance, Ropes & Gray, April 2026
- Training Requirements - HMRC sector-specific guidance and Santander FCA investigation case study, FCS Compliance
- Money laundering and terrorist financing - Regulatory obligations for supervised firms, FCA, Updated January 2026
This article is for general informational purposes only and does not constitute legal or regulatory advice. AML training requirements vary by firm type, regulatory status, and risk profile. Consult your compliance team or legal advisor for guidance specific to your organization. Information is accurate as of May 2026.
All content is researched and written by the 5Mins team.


