AML Policy

BSA/AML/OFAC Program

For many years AML compliance programs were built on the four internationally known pillars: development of internal policies, procedures and controls, designation of a AML (BSA) officer responsible for the program, relevant training of employees and independent testing. In May 2018, a fifth pillar –due diligence – was added after the finalization of the “CDD Rule.”

Beginning in 1987, regulators examined the AML compliance programs of financial institutions (FI) by reviewing the programs for effective implementation of the four pillars. The pillars are the required foundation of an effective compliance program. Such a program starts with the first pillar: implementation of effective internal controls through the establishment of internal policies and procedures. These controls need to appropriate for the risk profile of the institution and be in written form.

PILLAR 1

The policies and procedures should define the roles and responsibilities of each part of the FI, including the board of directors, senior management and all parts of the institution.

PILLAR 2

The second pillar requires the designation of a compliance (AML) officer responsible for managing the program. The designated person must have the requisite knowledge and experience to manage a program for the institution for which they are appointed.

Pillar 3

The third pillar sets an expectation that appropriate periodic training for employees will be given; the focus of the training should be the programs and its controls, and the roles and responsibilities of employees within the program. Since employees around the institution will have different roles and responsibilities, an effective training program will not be “one size fits all”and should be tailored. Certain elements of the training will be common to the entire organization, but operations areas will have different responsibilities from customer facing areas and their respective training activities should reflect those differences. Training must include senior management and the board of directors. Training should also be refreshed on a regular basis and any significant changes to the compliance program should include “off cycle” training to inform impacted employees about the program changes.

Pillar 4

The fourth pillar requires for independent testing of the program. The independent testing can be performed by thirds parties or by FI staff with no responsibility for establishing or managing the program. The testers should have sufficient knowledge and experience with AML compliance to understand and analyze the program. The purpose of the review is to confirm that the program is operating as designed and that the internal controls are effective. This includes review of the policies and procedures for compliance with existing regulations, testing of internal controls, review of training program elements and training records. An independent review should be performed at least annually.

Pillar 5

The fifth pillar now requires MSBs to include: risk-based procedures for conducting ongoing customer due diligence which include understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.