AML Insurance — UK guide for accountancy and law firms

Cover types, what insurers underwrite against, the typical claims scenarios, and where mid-market firms commonly over- or under-insure their AML exposure.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • AML insurance is the family of professional-indemnity, regulatory-investigation, and management-liability cover that responds when an AML compliance failure becomes a regulatory matter, a civil claim, or a criminal investigation.
  • Standard professional-indemnity (PI) policies cover claims by clients alleging professional negligence — including AML-adjacent claims like missed sanctions exposure or inadequate beneficial-ownership tracing — but typically exclude criminal proceedings and may exclude fines.
  • Regulatory investigation cover (often added to PI or sold as a standalone Regulatory Defence Cost cover) responds to the costs of defending an HMRC, SRA, FCA, or professional-body inspection finding — increasingly expected by mid-market firms.
  • Management liability (directors & officers, or D&O) cover responds to claims against individual partners, directors, MLCO, or MLRO arising from regulatory or civil action — particularly relevant where individual liability is being asserted.
  • Insurers underwrite AML risk by reviewing the firm's AML programme — risk assessment, policies, MLRO/MLCO, training, monitoring, sanctions screening. A strong, documented programme reduces premium and improves cover terms.

Answer-first summary

What is AML insurance?

AML insurance is the family of professional-indemnity, regulatory-investigation, and management-liability cover that responds when an AML compliance failure becomes a regulatory matter, civil claim, or criminal investigation. UK regulated firms typically carry mandatory PI (required by SRA, ICAEW, ACCA, etc.) plus optional regulatory investigation cover, D&O cover, and cyber cover. The fine or criminal sentence itself is typically not insurable; the defence cost almost always is.

  • PI mandatory, others optional but increasingly carried
  • Insurers underwrite against AML programme quality
  • Fines not insurable; defence costs typically are
  • Most overlooked: regulatory investigation defence cost cover

Four cover types

Professional indemnity (PI)

Required by SRA, ICAEW, ACCA, and other professional supervisors. Responds to civil claims alleging professional negligence — including AML-adjacent claims like missed sanctions exposure, inadequate beneficial-ownership tracing, or failure to identify a PEP. Typically excludes criminal proceedings and may limit fines coverage.

Regulatory investigation defence cost cover

Often added to PI or sold standalone. Responds to the legal and consulting costs of defending an HMRC, SRA, FCA, or professional-body inspection finding or enforcement action. Does not usually cover the fine itself but covers the substantial cost of responding to the investigation.

Management liability (D&O)

Responds to civil and regulatory claims against individual partners, directors, MLCO, or MLRO arising from regulatory or civil action. Increasingly relevant where regulators are asserting individual liability — particularly under POCA s.330 (MLRO failure to report) or MLR 2017 individual penalties.

Cyber and data breach

Adjacent but relevant — AML data is sensitive personal data. A cyber breach exposing CDD records creates dual exposure (data-protection breach + AML data leak). Cyber cover responds to incident response, notification costs, and any resulting regulatory action under UK GDPR.

What insurers look at

Ten primary factors that drive AML-related insurance underwriting:

  • Documented firm-wide AML risk assessment under MLR 2017 Reg 18, reviewed at least annually
  • Written policies and procedures under Reg 19, kept current with regulatory change
  • MLCO and MLRO appointments under Reg 21, with named individuals and current role specifications
  • CDD operating reality — evidence that the policy translates into consistent file-level execution
  • Training records — annual refresher completion, content keeping pace with regulatory change
  • Ongoing monitoring evidence — review cadence, transaction monitoring, change-of-circumstance updates
  • SAR pipeline records — internal disclosure escalation, MLRO decision-making, NCA submissions
  • Sanctions screening — list coverage (UK Consolidated List minimum), match disposition records
  • Recent supervisory history — clean inspection history reduces premium and improves cover terms
  • Material incidents — historic SAR matters, DAML moratoriums, inspection findings (typically subject to disclosure during proposal)

Five typical claims scenarios

Missed PEP triggers EDD failure claim

Mid-market firm onboarded a client who turned out to be a foreign PEP not surfaced by the firm's screening. Subsequent SRA enforcement action for inadequate EDD. PI policy responds to civil component (client allegation of professional negligence); regulatory investigation cover responds to SRA defence costs; D&O potentially responds to action against the partner who approved onboarding.

OFSI civil penalty for sanctions screening failure

Firm acted for a sanctioned individual without identifying the OFSI Consolidated List match — strict liability under the SAMLA framework. OFSI civil penalty up to £1m or 50% of breach value. The fine itself may not be insurable (public-policy considerations); regulatory investigation cover responds to defence costs; D&O may respond if individual liability is asserted.

POCA s.330 prosecution against the MLRO

MLRO faces personal criminal exposure for failing to file a SAR where suspicion existed. D&O cover (with criminal-defence-cost extension) responds to legal costs of defending the prosecution. The maximum 5-year sentence is not insurable; the defence cost is the insurable exposure.

Civil claim from a client whose transaction failed CDD

Client whose transaction was paused for CDD investigation alleges professional negligence — the pause caused commercial loss. PI policy responds to the civil claim. Where the CDD pause was properly documented and the firm followed its risk-rated CDD policy, the defence is typically strong.

Data breach exposing AML records

Cyber incident exposes the firm's CDD database including ID copies and beneficial-ownership records. UK GDPR notification obligations trigger. ICO investigation possible. Cyber cover responds; PI may respond to client claims for the data exposure component.

Common questions

FAQ

What is AML insurance?

AML insurance is the family of professional-indemnity, regulatory-investigation, and management-liability cover that responds when an AML compliance failure becomes a regulatory matter, civil claim, or criminal investigation. UK regulated firms typically carry mandatory PI (required by SRA, ICAEW, ACCA, etc.) plus optional regulatory investigation cover, D&O cover, and cyber cover. Mid-market firms often carry all four. The fine or criminal sentence itself is typically not insurable (public-policy considerations); the defence cost almost always is.

Is AML insurance mandatory?

Professional indemnity is mandatory for SRA-regulated solicitors, ICAEW-supervised accountants, ACCA members, and most other professional-body-supervised firms. The minimum cover limits are set by each supervisor. Regulatory investigation cover, D&O cover, and cyber cover are not mandatory but are increasingly carried by mid-market firms — particularly after sector enforcement trends (HMRC's growing accountancy-sector enforcement, SRA's increasingly visible AML scrutiny, OFSI's published civil penalties) raised awareness of defence-cost exposure.

What do AML insurers underwrite against?

Ten primary factors: firm-wide risk assessment quality; written policies and procedures currency; MLCO/MLRO appointments and competence; CDD operating reality (not just policy); training records and content currency; ongoing-monitoring evidence; SAR pipeline records; sanctions screening coverage and match disposition; recent supervisory history (inspection findings, enforcement actions); and material incidents in disclosure. A strong, documented programme reduces premium and improves cover terms — including lower retentions, broader cover, and faster claims response.

Are fines insurable?

Generally not — UK insurance public-policy considerations restrict cover for fines arising from intentional or grossly negligent breach of law. Some narrow categories of regulatory fines may be insurable depending on the specific cover wording, but the safer assumption is that the fine itself is uninsurable. The defence costs of contesting the fine, the costs of responding to the underlying investigation, and the civil liability that may arise from the underlying conduct are typically insurable.

What's the most overlooked AML cover?

Regulatory investigation defence cost cover. Many firms carry the mandatory PI minimum but no separate cover for investigation defence costs — and then face six- or seven-figure legal costs responding to an HMRC, SRA, or FCA investigation where their PI policy excludes regulatory defence. Adding a regulatory investigation cover extension to the PI policy, or buying a standalone regulatory defence cost cover, is typically the highest-leverage AML insurance buy.

Does having Certivus reduce AML insurance premium?

Indirectly — yes. Insurers underwrite against the firm's AML programme quality. A documented, structured, consistently-applied AML programme reduces underwritten risk and typically reduces premium. Certivus produces the documentation insurers ask to see — firm-wide risk assessment, CDD evidence consistency, training records, SAR pipeline, sanctions screening records. Mid-market firms moving from spreadsheet-driven AML to a structured platform like Certivus often see premium improvements at the next renewal.

Build the AML programme insurers reward

Certivus produces the documentation insurers underwrite against — firm-wide risk assessment, CDD consistency, training records, SAR pipeline, sanctions screening — often improving premium at renewal.