
What additional AML readiness considerations apply to medium and large firms?

Project and change management with dated delivery plan, business continuity for the CO function, Board-level reporting, IT and security alignment, and risk and audit committee oversight.

If your firm has the headcount, formal governance, or operational complexity to require it, several additional readiness areas apply on top of the common task list. As a rough guide: medium = 15-50 people, large = 50+. Adjust your considerations to suit your structure.

The medium-and-large additional areas:

  • Project and change management - a dated delivery plan working backwards from 1 July with a hard freeze two weeks before go-live; a planned post-go-live hypercare period of 4-8 weeks with daily issue triage; a project sponsor at partner/director level and a project manager who isn't the AMLCO; a cross-functional steering group (Finance, IT, HR, Marketing, Operations).
  • Technology and IT at scale - integration work between CDD, PMS, accounting and document storage; updated backup, disaster recovery and cyber incident response plans for the new data footprint; automated retention timers and deletion workflows (manual deletion isn't viable at volume).
  • Finance and billing at scale - forecast the revenue timing impact of extended onboarding (the instruction-to-first-invoice lag); update WIP and lock-up reporting to reflect the longer onboarding curve.
  • HR and workforce - design the AMLCO role (full vs part time), deputy AMLCO, and client onboarding coordinator; start AMLCO recruitment early if hiring externally (the market is tight); review incentive and bonus structures so speed-to-bill doesn't conflict with CDD discipline; plan staff wellbeing through the transition.
  • Client experience for VIP clients - design a VIP / top-client handling approach so they aren't treated like a walk-in, without compromising CDD.
  • Privacy Impact Assessment - a formal PIA for the chosen CDD provider documenting how privacy risks have been considered and mitigated.
  • Insurance and risk - review cyber insurance cover, sub-limits and premium for increased PII volume; add operational AML risks to the enterprise risk register; review D&O implications for the governing body under the new personal accountability regime.
  • Communications and marketing - an internal comms plan (all-staff, partner, client-facing staff briefings); a pre-prepared holding statement for public complaints or reviews during transition; updated proposal and tender documents for RFP responses on AML posture.
  • Business continuity - documented AMLCO unavailability delegation and sign-off authority, including the systems access that goes with it.

Full detail and ownership guidance are in our Operational Readiness Checklist, Part 2.
