Your AML Programme: Like an Onion, It Needs Layers (Not Just a Swamp)

AML is about layers of defence

This post is not legal or regulatory advice.
Onions have Layers - AML has Layers

This post provides a lighthearted look at AML through the lens of Shrek and onions. It is conversational and humorous.

It is not intended to provide legal or regulatory advice. 

Your AML Programme: Like an Onion, It Needs Layers! 

We all remember Shrek's iconic speech: "Ogres are like Onions... Layers! Onions have layers..." 


He wasn't just talking about vegetable structures; he was giving us a valuable lesson in complexity. 


Just like ogres, and onions, AML compliance isn't a simple, surface-level issue. It's layered, nuanced, and requires peeling back those layers to truly understand the core risks and obligations.

Layers Matter

Shrek taught us that ogres have layers—and so does a strong Anti-Money Laundering (AML) framework.

In the world of compliance, a multi-layered approach is essential to protect your firm from financial crime risks and ensure compliance with the Money Laundering Regulations 2017 (as amended).

🗣 “You know, not everybody likes onions..." Donkey to Shrek


💡 Not everyone likes anti-money laundering Firm Wide Risk Assessments (FWRA) either, but they are vital to an AML programme and to legal and regulatory compliance. 

Let’s peel back the layers of a robust AML framework and explore why it's crucial.

Governance: The Core of AML Compliance

At the heart of AML compliance is strong governance.


This includes appointing a Money Laundering Reporting Officer (MLRO) and ensuring senior management takes ownership of compliance efforts. 


Without leadership buy-in, the entire AML structure weakens.


Key Requirement: Regulation 21 of the Money Laundering Regulations 2017 (MLR 2017) mandates that firms establish internal controls and appoint an MLRO where necessary.

💡Strong governance is the foundation of an effective AML framework, fostering a culture of compliance through clear accountability, adequate resourcing, and robust oversight. This includes appointing a competent Money Laundering Reporting Officer (MLRO) and well-trained compliance staff to support the AML functions. Compliance efforts must not only align with statutory requirements but also be properly implemented, actively maintained, and demonstrably effective in mitigating financial crime risks.

Firm-Wide Risk Assessment (FWRA): Understanding Your Exposure

Under Regulation 18(1) of the Money Laundering Regulations 2017 (as amended), a relevant person (such as a firm) must take appropriate steps to identify and assess the risk of money laundering and terrorist financing to which its business is subject. To carry out a Firm Wide Risk Assessment, a firm must take into account:


(a) information made available to them by the supervisory authority under regulations 17(9) and 47 


(b) risk factors including the factors relating to: 


🔹 The types of clients you serve

🔹 The countries or geographic area in which it operates

🔹 The products or services it provides
🔹 Transactions

🔹 The Delivery channels



And just as Shrek and Donkey adapt to changing risks at the Swamp and Castle, firms need a robust and adaptable Firm-Wide Risk Assessment (FWRA).


This proactive approach allows them to identify, evaluate, and manage diverse risks, ensuring resilience in the face of evolving Anti-Money Laundering conditions.


Key Requirement: Regulation 18 of the MLR 2017 requires firms to conduct a written risk assessment to identify and assess the risk of money laundering and terrorist financing to which their business is subject.

Shrek identifies risk on arriving at the location of the castle where Princess Fiona is held captive.


🗣 "Sure, it's big enough, but look at the location" - Shrek


 💡Shrek highlights geographical risk, a key consideration in anti-money laundering (AML) assessments. The location of the Castle raises concerns—it is isolated, difficult to access, and lacks transparency, much like a high-risk jurisdiction that may facilitate illicit activities.

 

Considering Risk Appetite: Donkey's Perspective

🗣 "Donkeys don’t have layers. We wear our fear right out there on our sleeves." – Donkey


💡 Donkey openly expresses his risk appetite, a critical concept in anti-money laundering (AML) frameworks. 


Shrek has a high risk tolerance in relation to this quest.


🗣 "... I'm just a little uncomfortable about being on a rickety bridge over a boiling lake of lava." – Donkey

💡 Donkey demonstrates key AML risk assessment principles. He applies the "smell test", instinctively sensing potential danger—akin to identifying suspicious transactions or high-risk clients in financial crime prevention. The presence of brimstone and an unstable bridge represents the red flags that compliance professionals assess when determining risk exposure.

Donkey, however, demonstrates a low risk appetite, openly displaying his fear and reluctance to cross the bridge over molten lava.


Regulated firms likewise must identify and assess risk and consider their risk appetite—determining the level of AML risk they are willing to accept.


From an AML perspective, crossing the bridge represents engaging with higher-risk jurisdictions, clients, or transactions. 


Additionally, Donkey engages in peer review, discussing his concerns with Shrek as a form of "four-eyes" or "second-sight" testing—a best practice in AML compliance where risk decisions undergo independent validation to ensure thorough assessment.

Donkey’s hesitation reflects the cautious stance taken by firms with low risk tolerance, which may:


  • Avoid high-risk jurisdictions with weak AML controls.

  • Decline business relationships with clients with opaque financial backgrounds.

  • Reject transactions that fail to pass their "smell test."


Conversely, firms with a higher risk appetite—akin to Shrek’s approach—may be more willing to engage in riskier ventures but must implement stronger mitigation measures such as enhanced due diligence, transaction monitoring, and adverse media screening.


By applying AML principles, Donkey’s reluctance serves as a reminder that understanding and defining risk appetite is essential—whether crossing rickety wooden bridges over molten lava or navigating complex financial crime risks.


Shrek employs risk mitigation, guiding Donkey across the bridge by breaking the journey into smaller, controlled steps. In AML terms, this reflects the application of risk-based controls, such as:

  • Enhanced Due Diligence (EDD) when engaging in high-risk scenarios.

  • Ongoing monitoring of suspicious activity.

  • Mitigating transactional risk through layered defences.

Client Matter Risk Assessments: Case-by-Case Scrutiny

Every client and matter is different—so your AML approach must be flexible. 


A Client Matter Risk Assessment (CMRA) ensures that you’re evaluating risks at an individual and matter level.


Key Requirement: Regulation 28 states that firms must assess the risk of money laundering for each business relationship.

🗣 "I’m a Princess. And this is not how a Princess is supposed to look." – Fiona


💡 Not everything is as it seems—proper risk assessments help uncover the true picture. In anti-money laundering (AML) compliance, firms must conduct a granular Client and Matter Risk Assessment (CMRA) to fully understand who they are dealing with and the true nature of the matter.


Fiona’s statement highlights the importance of looking beyond surface appearances. 


A client’s status, wealth, and risk profile may not always match a firm's initial understanding, necessitating Enhanced Due Diligence (EDD). 


Here, The Magic Mirror—akin to an adverse media screening tool—attempted to provide a warning about Fiona’s true nature, but Lord Farquaad refused to listen, demonstrating a failure in risk-based decision-making and a willingness to overlook red flags for the sake of his gain.


Further Red Flags: Influence & Control Risks


Beyond Fiona’s Foreign Politically Exposed Person status as the daughter of a ruling Foreign King, additional concerns arise regarding external influence and control risks. Her father, King Harold, was known to be under the influence of the Fairy Godmother, who had previously transformed him from a frog into a Prince. This raises questions about his legitimacy as a ruler and whether undue influence affected his decision-making and governance—a key consideration when assessing the financial crime risks associated with high-profile individuals and High Risk Third Countries.


Fiona was kept at a secret location away from her home, 'The Kingdom of FAR FAR Away.' Is Fiona subject to the Kingdom of FAR FAR Away sanctions? Is she a designated person?


Additionally, Fiona’s placement in the tower was not an ordinary royal decision but was the result of a witch’s curse, with the belief that "true love’s first kiss" would free her. This unusual circumstance suggests a lack of direct control over her own affairs, further reinforcing the need for enhanced scrutiny over both her and those influencing her.


The Fairy Godmother’s control extended beyond King Harold’s personal transformation—she also manipulated succession planning to install her own son, Prince Charming, as the future King by ensuring he would marry Fiona. This represents a classic case of state capture, where a politically connected individual exerts influence over governance structures for personal gain.


However, her succession plan ultimately failed because Fiona and Shrek fell in love, disrupting the pre-arranged political marriage that would have consolidated the Fairy Godmother’s influence. This underscores the importance of ongoing due diligence in AML, as circumstances change and influence networks can weaken or collapse over time.


AML Implications: Key Considerations

  • Client, Counterparty, Third Party Risk: Lord Farquaad is a Domestic Politically Exposed Person; the legitimacy of his authority, his wealth, and his control of the land and the fairy tale creatures require further investigation. Lord Farquaad showed a lack of due diligence by ignoring red flags. Fiona, as a Foreign Politically Exposed Person, requires heightened scrutiny due to her royal status, external influences, and prolonged concealment.

  • Matter Risk: The arranged marriage with Lord Farquaad raises red flags regarding coercion, political manipulation, and beneficial interest concerns.

  • Influence & Control Risks: The Fairy Godmother’s influence over King Harold, a Foreign Politically Exposed Person, suggests a potential conflict of interest, abuse of power, or hidden agendas, thus warranting further investigation.

  • Adverse Media & Ignored Warnings: Just as Lord Farquaad dismissed The Magic Mirror’s insights, failing to review adverse media or intelligence reports in AML compliance could lead to engagement with high-risk clients or involvement in illicit activities.


By undertaking a comprehensive risk assessment, compliance professionals can ensure they are not misled by outward appearances and can apply appropriate controls to mitigate AML risks—whether in assessing a prospective client, counterparty or third party.

Client Due Diligence (CDD): Knowing Who You’re Dealing With

A solid AML defence starts with knowing your clients. CDD involves verifying a client’s identity, source of funds, source of wealth and business activities to prevent criminals from exploiting regulated services.


Key Requirement: Regulation 27 requires firms to conduct CDD before establishing a business relationship or carrying out a transaction.

🗣 "Sometimes things are more than they appear" - Shrek


💡 Shrek is informing Donkey that you have to look beyond surface-level appearances.

On the subject of surface-level appearances, Shrek discusses the prejudice he suffers:

🗣 "People take one look at me and go, "Aah! Help! Run! "...They judge me before they even know me"

💡 This stresses the importance of considering risk identification, assessment, mitigation and risk appetite, rather than blanket-excluding potential clients because they are a Politically Exposed Person or have a link to a high-risk country, without any other red flags or risk indicators and without proper consideration of risks, mitigation and risk appetite.


🗣 "You know, you're not exactly what I expected" - Shrek to Fiona


🗣 "Well, maybe you shouldn't judge people before you get to know them" – Fiona to Shrek


💡 Just like in Shrek’s world, appearances can be deceiving—proper due diligence helps uncover the real story.


Fiona's encounter with Monsieur Hood


🗣 "Look pal, I don't know who you think you are" - Fiona to Monsieur Hood


💡 Fiona is surprised by her encounter with Monsieur Hood, but she steps on the brakes and seeks to identify and verify him.


Monsieur Hood, instead of providing verification from a reliable independent source, presents a song and dance by his unscrupulous gang - his Merry Men. He also misleadingly states that he has a strong moral compass.


Fiona uses robust risk treatments to reduce the risk from Monsieur Hood and the Merry Men. 

Ongoing Due Diligence (ODD): Keeping an Eye on Clients

AML compliance isn’t a one-and-done task. Just like onions (and ogres), risk levels change over time. Ongoing Due Diligence ensures the firm is kept up-to-date with any changes to their client's risk profile or the matter risk profile, throughout the business relationship.


Key Requirement: Regulation 28(11) requires firms to conduct ongoing monitoring of transactions and client relationships.


💡 Shrek and Donkey are consistently reassessing the risk factors throughout the life cycle of the quest. 


Shrek and Donkey's ongoing risk reassessment throughout their quest mirrors the need for firms to dynamically update their AML/CTF risk assessments. 


Specific triggers for reassessment include: government guidance and legal changes, FATF list updates, industry-specific risk shifts, internal firm changes affecting AML risk, and material changes in client, counterparty, and third-party profiles, including beneficial ownership and changes to the matter risk profile. These reassessments are crucial for adapting risk mitigation strategies and for confirming that the client and their matter are within the firm's risk appetite.

Enhanced Due Diligence (EDD): Handling High-Risk Clients

Some clients and transactions demand extra scrutiny—like politically exposed persons, high-risk jurisdictions, or unusually complex transactions. EDD adds deeper layers of verification and risk assessment.


Key Requirement: Regulation 33 sets out specific situations where EDD is required, such as dealing with Politically Exposed Persons or High-Risk Third Countries.

🗣 “I like that boulder. That is a nice boulder.” – Donkey's comment when he arrives at Shrek's Swamp.


💡Not everything that looks nice is safe. And what may seem safe may become riskier as circumstances change.


Just as Donkey saw a boulder as harmless, firms may encounter clients or transactions that initially appear benign. 


However, as Donkey's experience shows, circumstances can change rapidly. 


Within hours of his arrival at Shrek's Swamp, the seemingly peaceful environment was overrun by displaced fairy tale creatures, dramatically altering the risk landscape. 


Similarly, in AML, a client who initially presents a low risk profile can quickly become high-risk due to unforeseen or changing factors. These factors can include changes in their business activities, involvement in suspicious transactions, or exposure to high-risk jurisdictions. 


What may seem like a 'nice boulder' or a safe and stable client or transaction—can suddenly become a source of significant risk, requiring immediate reassessment and mitigation. 


This highlights the crucial need for ongoing due diligence and a dynamic risk assessment framework, as even seemingly innocuous situations can harbour hidden dangers that materialise as circumstances evolve.

Ongoing Enhanced Due Diligence (OEDD): Extra Vigilance for High-Risk Cases

For high-risk clients or matters, ongoing monitoring is a necessity. OEDD helps firms identify red flags, suspicious patterns, or changes in behaviour and apply risk mitigation.


Key Requirement: Regulation 33(1) requires continuous monitoring of high-risk clients and transactions.

Some High Risk Characters:

Lord Farquaad

Potential AML Risks and Red Flags

  • Politically Exposed Person - His title is Lord, investigate how he came to rule over the Kingdom 
  • Has a torture room, uses violence or the threat of violence to gather information
  • Appears to have kidnapped the Gingerbread Man and The Magic Mirror
  • Expresses his dislike for Fairy Tale Creatures
  • Displaced all the Fairy Tale Creatures
  • Requested his Knights to kill Shrek 
  • Political goal to be King - through marriage
  • Willingness to risk the lives of the Knights to progress his desire to become a King
  • Makes unfair contracts and unusual property transactions
  • Ignores Red Flags from The Magic Mirror (Adverse Media) 

Princess Fiona

Potential AML Risks and Red Flags

  • Heir to the throne of a Foreign Kingdom - FAR FAR AWAY - Foreign PEP
  • Subject to a witch's curse - not entirely in control of herself
  • The Magic Mirror has Adverse Media or negative media on her
  • Identification concerns as she has been locked away for years in a tower
  • By day one way, by night another - dual identification issues
  • Uses advanced combat skills, without a credible explanation
  • Influence of external factors - Father King Harold - under influence of The Fairy Godmother - agreement that Fiona would marry Prince Charming

The Fairy Godmother

Potential AML Risks and Red Flags

  • Associate of a Foreign PEP - The Fairy Godmother is an associate of King Harold
  • She granted his wish to transform from a frog to a prince to marry a Princess and then become King of the Kingdom FAR FAR AWAY
  • Political coercion through threatening King Harold
  • Agenda - manipulating Royal Succession. To replace Shrek with her son Prince Charming - via identity theft and fraud
  • Her empire - spells 

King Harold

Potential AML Risks and Red Flags

  • King Harold - Foreign Politically Exposed Person
  • Change of Identity - From frog to King through the Fairy Godmother's intervention - concerns - legitimacy and undue influence
  • Under influence - King Harold hired Puss in Boots to remove Shrek
  • Initially agreeing to drug his daughter to enable a fraud

Examples of enhanced due diligence could include: 

  • More regular use of adverse media checks, and negative media checks
  • Frequent sanctions checks
  • Review FATF countries plenary, and corruption reports from various agencies
  • Checks on business structure, ownership, control and influence
  • Regular checks on counterparties and third parties
  • More regular AML file reviews
  • Requests for source of funds and source of wealth 
  • Scrutiny and authentication of documentation
  • Review the nature and purpose: 
    • initial instructions
    • why they chose the firm
    • the client's location
    • individual circumstances
    • the past engagements with the firm
    • unusual requests
    • unusual instructions
    • sudden change in payment
    • whether there are any themes or changes that 'don't add up,' or don't pass the 'smell test.'
  • Updating the Client Matter Risk Assessment
  • Reassess risk and mitigation
  • Consider Risk Appetite
  • Internal escalation
  • Consider second sight reviews
  • Consider requesting further approval by the MLRO 
  • Taking independent legal advice where necessary
  • SARs reporting
  • Reporting to government agencies
  • Reports to the regulator

Updating Client Matter Risk Assessments: Adapting to Change

Circumstances change, and so should your risk assessments. 


If a client’s behaviour or transaction pattern shifts, you must review and update their risk profile.


Key Requirement: Firms must regularly update risk assessments based on new information or changes in the business relationship.


Remember how Shrek's swamp was relatively peaceful until Lord Farquaad's eviction order? 


Suddenly, the whole place changed.


That's just like how client risk can shift. 


You might think you know a client, like Shrek thought he knew his swamp, but then, BAM! Something happens. 


Maybe they start requesting unusual or complex transactions, or dodgy Rumpelstiltskin-style contract terms.


Or their behaviour changes, they start acting like they're hiding something, just like how the Fairy Godmother had an underlying hidden agenda. 


Client Matter Risk Assessments are not static documents. You can't just stick with the old assessment, like Shrek can't just pretend his swamp is still empty. 


Just like Shrek had to reassess his situation when the fairy tale creatures moved in, you've got to reassess your client when their behaviour or transaction patterns change.  


If you don't keep up with the changes, you're going to end up with a swamp full of trouble, or in AML terms, a client full of money laundering risks.

Internal AML Audits: Checking Your Defences

Even the best AML policies need regular testing.


Internal AML audits help firms identify weaknesses, and improve processes. 


A firm that doesn’t audit its AML framework is flying blind.


Key Requirement: Regulation 21(1)(c) requires firms to maintain an independent audit function where appropriate.

Shrek/AML Analogy


🗣 "You didn't slay the dragon?" - Fiona to Shrek 

(Fiona's question highlights Shrek's lack of proactive risk elimination.)


🗣 "It's on my to-do list. Now, come on!" - Shrek to Fiona
(Shrek's response reveals a reactive, rather than proactive, approach.)

 🗣 "But this isn't right! You were meant to charge in, sword drawn, banner flying. That's what all the other knights did." - Fiona to Shrek 
(Fiona's statement represents idealised compliance, ignoring real-world risks and the need for effective tailoring.)

 🗣 "Yeah, right before they burst into flame." - Shrek to Fiona  
(Shrek's retort points to the consequences of blindly following standard procedures without assessing risks.)

 🗣 "That's not the point" -  Fiona to Shrek 
(Fiona's frustration shows the disconnect between theoretical compliance and practical risk management.)

 🗣 "Wait, Where are you going? The exit's over there."  - Fiona to Shrek
(Fiona's question shows that there was no planned escape route, demonstrating a lack of contingency planning.)

 🗣 "Well, I have to save my ass" -  Shrek to Fiona 
(Shrek used the word 'ass' to mean Donkey)  (Shrek's urgency highlights the reactive, rather than proactive, nature of his actions.)

 🗣 "What kind of knight are you?" - Fiona to Shrek
(Fiona's question challenges Shrek's approach, questioning the effectiveness of his methods.)

 🗣 "One of a kind." - Shrek to Fiona 
(Shrek's response, while confident, doesn't excuse his lack of planning.)


💡 Regular AML audits help protect your firm—because waiting until things go wrong is never a good strategy. 


This dialogue is a stark reminder of the potential pitfalls of neglecting thorough risk assessment in favour of ill-planned reactive action.


Whilst Shrek rescued Fiona, Donkey was in danger from a Fire Breathing Dragon and their exit route was not established. 


Shrek, focused on rescuing Donkey, prioritised speed over strategy. He didn't eliminate the dragon threat, nor did he fully assess the castle's dangers. 


He relied on a previously unmentioned, unimplemented 'to-do list' and improvisation, instead of a pre-emptive plan.


This flags up poorly implemented AML compliance, as Fiona pointed out.

  • A tailored risk programme: Having a Firm Wide Risk Assessment and 'Policies, Controls and Procedures' will not assist you if they are not tailored and regularly updated, or if they are poorly implemented. This exposes you and your team to AML risks, ineffective risk mitigation, and potential risk to your staff and your firm.

  • Inadequate Risk Identification: Shrek's lack of castle knowledge parallels a firm's failure to identify all AML risks.

  • 'Proper Knight' as Idealised Compliance: Fiona's vision of a 'proper' rescue is like a firm thinking its AML is perfect on paper; this lacks reality. Firms often create perfect compliance manuals, but they fail to take into account the reality of their business and the ever-changing risk environment.

  • External Oversight is Vital: The flaws in Shrek's plan were immediately obvious to Fiona. Likewise, an independent audit provides a crucial second opinion. Having a 'second set of eyes' may help you plug those gaps.

  • 'Bursting into Flame' as Compliance Failures: The other knights' demise represents the real-world consequences - that you may have proper procedures, but you have to be risk agile. 

  • Reactive vs. Proactive Mitigation: Shrek's on-the-fly armoury grab is reactive, not proactive, risk mitigation.
  • Inadequate AML Programme: Shrek relied on knowledge of princess-saving and castle layout from a fairy tale book he read whilst on the loo. Likewise, reliance only on an un-tailored template or a textbook could signal inadequate risk identification, risk assessments and risk mitigation strategies. Shrek cladding himself with discarded armour from dead knights shows reactive and poor risk mitigation in response to a poorly assessed immediate risk.

  • Adequate and Effective AML Staff Training: Donkey, though eager to 'Master the Stairs,' did not have adequate training or the tools to assist him, and help was not immediately available to him. These failings put him and his task in a position of extreme risk.

  • Risk Agility vs. Preparedness: Shrek and Donkey's risk agility doesn't excuse a lack of planning. In the AML compliance world, this approach alone would lead to regulatory consequences.


A firm that doesn’t audit its AML framework is like trying to outrun a dragon. 


Regular independent audits are essential, providing recommendations on your AML defences.

Final Thought: Build a Multi-Layered Defence

AML compliance isn’t about one single measure—it’s about layering multiple defences to create a strong, resilient framework. If one control fails, the others should still hold firm against financial crime risks.

🗣 “Better out than in, I always say!” – Shrek


💡 And in AML? Better detect the risk early than deal with the fallout later.

💬 Need help - we undertake Anti-Money Laundering Audits - contact Alexander Christian today.

Fairy tales

Fairy tales, far from mere children's stories, are our earliest case studies – relatable narratives that often conceal stark warnings. 

Their deep cultural roots make them particularly resonant. 

To further examine this idea, we encourage you to read our blog post, 'The Glass Slipper and Your AML Programme: Why One Size Doesn't Fit All,' which details the necessity of tailored AML strategies. Constructing your AML program with layered, bespoke solutions is crucial for achieving a robust and effective compliance framework.

Credit:

Credit: Shrek films,  Dreamworks Animation and all contributors.

Netflix:  for hosting and streaming.

Copyright: The use of quotes and storyline is for educational purposes only, no copyright infringement is intended. 

Blog: The concept of linking themes of AML and fairy tales, and writing this blog - by the author

Graphic: Onion - Ai generated

Source:

Money Laundering Regulations 2017 (as amended)

Regulation 17(9) - Risk Assessment by Supervisory Authorities

Regulation 18 (1) - Risk Assessment by Relevant Persons

Regulation 21 (1) (c) - Internal Controls

Regulation 27 - Customer Due Diligence

Regulation 28 - Customer Due Diligence Measures

Regulation 28 (11) - Ongoing Monitoring of a Business Relationship 

Regulation 33 - Obligation to apply Enhanced Due Diligence

Regulation 33 (1) - Obligation to apply Enhanced Due Diligence

Regulation 47 - Duties of Supervisory Authorities - Information 


Inspiration and wonderful hours viewing the Shrek movies: Shrek 
