Who is responsible for KYC within the firm?

Legal versus operational responsibility

From a legal perspective, the firm as an entity is responsible for complying with AML legislation. In practice, however, it is the staff – such as the handling solicitor – who manage matters, assess risks and evaluate clients or investors. This division between internal and external responsibility is unavoidable. The firm must ensure that clear processes and policies are in place, but the individual professional remains responsible for compliance within his or her own files.

This means that in the event of breaches, both the firm and the individual may be held accountable. From a regulatory perspective, responsibility lies with the firm; from a disciplinary perspective, it lies with the professional. We outline both below.

Firm responsibility: the importance of a clear firm policy

The firm is responsible for ensuring that employees are provided with the tools and support necessary to comply with their AML obligations. This includes, among other things:

• AML policies and procedures
• A documented risk assessment and risk-based approach
• Appointment of a compliance function (where required)
• Where applicable, compliance with any audit requirements
• Providing training to employees to meet mandatory training obligations

The firm is therefore responsible for establishing a clear and workable compliance framework. Such a framework prevents ad hoc practices. Ambiguity on paper leads to ambiguity in practice, and that uncertainty increases the risk of errors and regulatory scrutiny.

A well-designed process determines who takes which steps during client onboarding. This includes identifying who collects and verifies the necessary information, who assesses that information, and who ultimately approves the file.

Within law firms: the handling solicitor remains central in this process, given his or her substantive knowledge of the matter.

The larger the firm, the more complex the process. In medium-sized and large firms, multiple approval stages are often built in, for example through compliance officers or internal controls. However, smaller firms would also be well advised to document their processes carefully.

An important point to remember: do not make the firm’s policy overly complex. Do not attempt to describe every exception — otherwise the exception risks becoming the rule.

Individual responsibility

Although the firm is legally responsible, this does not relieve the individual professional of his or her own responsibility. The employee must independently assess whether the matter complies with AML requirements. Remember: the absence of a AML policy does not exempt you from this responsibility.

Where a AML policy is in place — as should be the case for every AML-regulated organisation — everyone must adhere to it. For example, if the policy requires the solicitor to approve the file, that task cannot be delegated to support staff.

In broad terms, individual responsibilities include:

• Compliance with internal procedures
• Compliance with AML requirements within one’s own matters (including establishing and verifying the identity of the client and ultimate beneficial owners (UBOs), determining the purpose and nature of the business relationship, screening, risk assessment, and approval or rejection)
• Identifying and reporting suspicious or unusual transactions (reporting obligation)
• Ongoing monitoring of client matters
• Meeting mandatory training requirements
• Complying with document retention obligations

The role of the compliance officer

The compliance officer plays a central role in safeguarding AML compliance. It is essential that the responsibilities attached to this role are clearly defined. Merely appointing a compliance officer is not sufficient. It must be clear what this person does, how the policy is implemented and who is responsible for what.

In practice, compliance officers are sometimes appointed without a clear framework. This leads to inefficiencies and increases the risk of errors. A well-defined role ensures control over processes and strengthens the internal organisation.

For example, within investment firms, responsibility for a clear and effective AML process and policy often lies with compliance officer(s) or a central compliance team. These individuals not only manage onboarding and documentation but are also responsible for risk monitoring and full compliance with AML obligations. During regulatory inspections, the compliance officer is often the primary point of contact.

Please note: the obligation to appoint a compliance officer differs by sector and depends on the size and nature of the organisation. You can read more about this topic. 

Centralisation within international firms

Some international firms operate with centralised compliance structures, where one team in a single country is responsible for KYC. From there, processes are developed and policies drafted. This is possible, but differences in national AML legislation must be taken into account.

An entity operating in one jurisdiction cannot rely on a policy developed in another jurisdiction if it does not meet local legal requirements. Local AML legislation remains leading, and appropriate local processes must be aligned accordingly.

Note that national differences in AML legislation are expected to decrease in the coming years due to increasing European harmonisation, including the introduction of the Anti-Money Laundering Regulation (AMLR) and the Anti-Money Laundering Authority (AMLA), which aim to create more uniform supervision across EU Member States.

Supervision and its consequences for firm and individual

Supervision of AML compliance takes place through audits, sampling and ongoing inspections by regulators or professional supervisory bodies. As discussed above, a distinction is made between supervision of the firm and supervision of the individual.

Supervision of the firm focuses on the design of processes, policies and the functioning of the compliance framework. It examines the extent to which the firm as a whole complies with AML obligations.

Supervision of the individual focuses on personal compliance with procedures and the degree of alertness in identifying suspicious transactions.

A fine or regulatory sanction may be imposed on the party committing or co-committing a breach. Both natural persons and legal entities may be held liable. In addition to the firm (which is subject to supervision), a person exercising effective control or managerial responsibility may also be sanctioned.

How internal errors in the KYC process are handled varies by organisation. In many firms, errors lead to a review of procedures. In practice, this often results in amendments to working instructions, additional training or even disciplinary measures.

Where inspections reveal deficiencies in onboarding or documentation, the compliance officer or handling solicitor is often the first to be addressed. In disciplinary proceedings, this distinction is becoming increasingly clear: failure to comply with internal guidelines may lead to personal accountability, particularly in cases of repeated or serious shortcomings.

Awareness and European developments in AML supervision

Awareness among AML-regulated professions contributes to effective compliance. Awareness of AML obligations is increasing, partly due to media attention and high-profile enforcement cases. Nevertheless, significant progress remains to be made. Supervision and enforcement play a key role in this regard.

New European legislation, such as AMLA and the AMLR, will further strengthen supervision and reduce differences between Member States.

FATF evaluations also contribute to increased awareness. A negative assessment can place pressure on policymakers and supervisory authorities. This often leads to enhanced supervision and revisions of national frameworks, which ultimately affect individual institutions and professional groups.