Your AML/CFT policy runs to forty or sixty pages. A compliance consultant or in-house lawyer wrote it. It cites legislation accurately and covers every conceivable scenario. The board approved it, the MLRO signed it off, and someone circulated it to all staff.

Almost nobody reads it.

Frontline staff are not negligent. The policy was written for the regulator, the auditor, the board. The result serves its audit function while failing its operational function. This is policy as PDF theatre: a performance of compliance that does not translate into consistent behaviour on the ground.

The Cost of Unclear Policy

Exception Volume

Staff facing an unclear policy do not guess. They escalate. They email compliance to ask what the policy requires in their specific situation. A fund administrator with two hundred staff might receive dozens of policy clarification requests per week, each one a signal that the policy has failed to communicate its intent. That query volume consumes the same capacity that should go toward risk assessment and framework improvement.

Inconsistent Practice

Where queries are not raised, the alternative is worse: staff interpret the policy themselves, and their interpretations diverge. One team applies enhanced due diligence; another, facing the same risk indicators, applies standard due diligence because they read the same clause differently. An inspector reviews a sample of client files and finds different approaches to the same requirement. The finding goes against the firm, not the individual.

The Wrong-Audience Problem

Policy unreadability is not accidental. Most compliance policies are drafted by working backwards from the regulation: paraphrase the text, add cross-references, wrap it in governance. The result is thorough, accurate, and nearly impossible for a non-specialist to follow. The structure follows the regulatory framework, organised by topic rather than by business process.

A single document is trying to serve two incompatible purposes: demonstrating compliance to an examiner and providing operational guidance to frontline staff. A document that serves one well will almost always fail the other.

Readable Policy in Practice

The solution is to separate the compliance record from the operational output. Two layers, generated from the same underlying mapping:

  • The compliance layer: A detailed, fully mapped policy document that links each statement to its regulatory source, interpretation rationale, and evidence chain. For the compliance team, the auditor, and the board.
  • The operational layer: Role-specific, action-oriented guidance that tells frontline staff what to do, when to do it, and how to escalate. Organised by business process, not by regulatory topic. Plain language. Decision trees and checklists. Designed to be used in the moment.

The operational layer should be generated from the compliance layer, not written independently. A policy change should trigger corresponding updates to operational outputs, ensuring consistency between what the framework says and what staff are told to do.

What Good Operational Outputs Look Like

  • Role-aligned. A client onboarding officer sees onboarding content. A relationship manager sees ongoing monitoring content. Neither is burdened with material outside their responsibilities.
  • Scannable. Staff find the answer to a specific question within thirty seconds. Clear headings, short paragraphs, numbered steps. A forty-page PDF achieves none of this.
  • Traceable. Every operational instruction traces back to the specific policy statement and regulatory source. Staff do not need to see the traceability, but auditors can access it.

The Shift in Compliance Culture

The measure of success changes from "did we cover everything?" to "can our staff follow this?" Compliance outputs that help staff do their jobs correctly turn compliance from perceived overhead into enablement. Policy should work for the people who follow it, not only for the people who review it.
