
AML Compliance Program

Drafts board-ready Anti-Money Laundering compliance programs for U.S. financial institutions under BSA/FinCEN requirements. Covers CIP, CDD, EDD, SAR/CTR reporting, OFAC screening, risk assessment, training, independent testing, and governance structures. Use when creating or updating AML policies, BSA compliance programs, or financial institution regulatory documentation. Trigger keywords: AML, BSA, FinCEN, Bank Secrecy Act, anti-money laundering, SAR, CTR, OFAC, CIP, CDD, KYC, compliance program.

ID: us.regulatory.aml-compliance-program · Version: 0.1.0 · License: Apache-2.0 · Author: CaseMark · Language: en · Added: 2026-05-27

Produces a comprehensive, board-ready AML compliance program tailored to a financial institution's risk profile, satisfying BSA, FinCEN, and federal/state requirements.

Checkpoint A: Pre-Draft Intake (Mandatory)

Before drafting, collect from the user:

  1. Existing policies — current AML program, risk assessments, exam reports, regulatory correspondence
  2. Institutional profile — org chart, business lines, products, customer demographics, geographic footprint
  3. Risk data — prior assessments, audit findings, enforcement actions, consent orders
  4. Applicable regulations — confirm institution type (bank, MSB, broker-dealer) to determine which CFR parts, FinCEN guidance, and agency bulletins apply

Do not proceed until items 1–2 are addressed. Items 3–4 may be developed during drafting if unavailable.

Quick Start

Draft a numbered policy document covering all sections below. Calibrate depth to the institution's size, complexity, and risk profile.


Step 1: Program Foundation

| Element | Requirement |
|---|---|
| Board endorsement | Explicit board/senior management approval and oversight |
| Scope | All business lines, customer relationships, geographies, transaction types |
| Risk-based approach | Controls calibrated to risk assessment findings |
| Resource commitment | Adequate personnel, technology, budget |

Step 2: AML Compliance Officer

| Element | Requirement |
|---|---|
| Qualifications | CAMS or equivalent; demonstrated BSA/AML expertise |
| Reporting line | Direct to senior management; regular board access |
| Independence | Evaluation tied to compliance effectiveness, not production |
| Authority | Unrestricted access to all records, systems, personnel |

Core duties: Regulatory contact (FinCEN, regulators, law enforcement) · SAR/CTR/BSA filing oversight · risk assessment coordination · training management · independent testing oversight · program design and updates.

Step 3: Customer Identification Program (CIP)

Per 31 CFR § 1020.220:

| Data Point | Individual | Legal Entity |
|---|---|---|
| Full legal name | Required | Required |
| Date of birth | Required | N/A |
| Address | Residential/business street | Principal place of business |
| ID number | SSN/TIN or passport + country | EIN or equivalent |

Verification: Documentary (government ID / incorporation docs) · Non-documentary (consumer reporting, public databases) · Non-face-to-face (additional measures for remote channels).

Retention: 5 years after account closure.

Step 4: Customer Due Diligence (CDD)

Per 31 CFR § 1010.230:

  • Identify beneficial owners: each individual ≥25% equity + one with significant management control
  • Collect via certification form; verify per CIP standards
  • Update ownership on risk-based schedule and upon known changes
  • Document relationship purpose, business activities, anticipated activity, source of funds
  • Build expected transaction profiles (type, industry, geography, history)
  • Ongoing monitoring: automated systems, periodic reviews, exception reporting

Step 5: Enhanced Due Diligence (EDD)

Mandatory EDD triggers:

| Category | Examples |
|---|---|
| PEPs | Per FinCEN guidance |
| High-risk geographies | FATF high-risk/monitored jurisdictions |
| Complex ownership | Opaque structures obscuring beneficial ownership |
| High-risk businesses | MSBs, virtual currency exchanges, cash-intensive |
| Elevated risk rating | Multiple risk factors per internal methodology |

Requirements: Background investigation · senior management approval · enhanced monitoring (lower thresholds, more frequent reviews) · documented risk rating methodology (customer × geography × product × activity).

Step 6: Suspicious Activity Reporting (SAR)

Per 31 CFR § 1020.320:

  • Threshold: ≥ $5,000 where institution knows/suspects illegal activity, BSA evasion, no business purpose, or criminal facilitation
  • Deadlines: 30 days (suspect identified) · 60 days (no suspect identified)
  • Key indicators: Structuring · activity inconsistent with profile · large currency transactions · wire transfers lacking rationale or involving high-risk jurisdictions · recordkeeping/CIP avoidance · shell company transactions
  • Confidentiality: Federal law prohibits disclosure to subjects; civil/criminal penalties for violation; records retained 5 years; need-to-know access only
  • Escalation: Immediate report to Compliance Officer; good-faith reporters protected

Step 7: Currency Transaction Reporting (CTR)

Per 31 CFR §§ 1010.310, 1020.310:

| Element | Requirement |
|---|---|
| Threshold | Currency transactions > $10,000 per person per business day |
| Aggregation | Multiple transactions by/on behalf of same person in one day |
| Filing deadline | 15 calendar days via BSA E-Filing |
| Currency | Coin and paper money only (excludes cashier's checks, money orders) |

Exemptions (31 CFR § 1020.315): Banks, government entities, listed public companies, qualifying businesses. Require documentation, approval, biennial renewal, annual review.

Step 8: OFAC Compliance

| Trigger | Timing |
|---|---|
| Account opening | Before relationship established |
| Existing customers | Minimum annually; risk-based frequency |
| Transactions (wires, ACH) | Real-time or near real-time |

Lists: SDN, Consolidated Sanctions, country-based programs.

Actions:

  • Blocking — mandatory for sanctioned persons' property; interest-bearing account; report to OFAC within 10 business days
  • Rejection — prohibited transactions not requiring blocking; notify originator; document decision

Retention: All screening records ≥ 5 years.

Step 9: Risk Assessment

| Dimension | Factors |
|---|---|
| Products/services | Velocity, geographic reach, anonymity, abuse susceptibility |
| Customers | Type, occupation, geography, relationship characteristics |
| Entities | Ownership structure, business purpose, formation jurisdiction |
| Geography | Physical presence, customer concentrations, FATF/State Dept. flags |

Assess inherent (pre-controls) and residual (post-controls) risk. Conduct annually minimum or upon significant changes. Findings drive CDD intensity, monitoring sensitivity, and resource allocation.

Step 10: Training

| Audience | Timing |
|---|---|
| All employees/officers/directors | Annual minimum |
| New hires | Within 30 days or before customer-facing duties |
| High-risk positions | Role-specific schedule with specialized content |

Core curriculum: Institution AML policies · BSA/PATRIOT Act/FinCEN/OFAC · ML/TF typologies · red flags · CIP/CDD procedures · reporting obligations.

Documentation: Attendance records, completion certificates, comprehension assessments.

Step 11: Independent Testing

| Element | Standard |
|---|---|
| Independence | Personnel independent of AML function |
| Frequency | 12–18 months; higher-risk more frequent |
| Reporting | Findings to Compliance Officer, management, board |

Scope: Regulatory compliance · policy adequacy · risk assessment methodology · transaction monitoring effectiveness · training adequacy · SAR/CTR timeliness · CIP/CDD compliance · OFAC procedures.

Remediation: Management response required; action plans with timelines; follow-up verification.

Step 12: Governance

Board duties: Approve program and updates · review risk assessment · receive quarterly compliance reports · review testing results · allocate resources.

Quarterly metrics: SAR/CTR activity, OFAC screening, CDD/EDD activities, training completion, testing findings, regulatory developments.

Change management: Document rationale → compliance + legal review → management/board approval → communicate to personnel → maintain version history.

Step 13: Recordkeeping

| Record Type | Retention |
|---|---|
| SARs + supporting docs | 5 years from filing |
| CTRs + supporting docs | 5 years from filing |
| CIP/CDD/beneficial ownership | 5 years after account closure |
| OFAC screening/blocking | 5 years minimum |
| Risk assessments, testing, training | 5 years minimum |

Organized for prompt retrieval upon regulatory request. Security controls and audit trails for SAR-related records.


Checkpoint B: Post-Draft Review (Mandatory)

After delivering the draft, ask the user:

  1. Does the program scope match your institution's business lines and risk profile?
  2. Are the CIP/CDD/EDD thresholds appropriate for your customer base?
  3. Do the governance and reporting structures align with your board/committee framework?
  4. Any enforcement history, consent orders, or MRAs that require specific program provisions?

Quality Checks

  • [ ] All 13 sections addressed with institution-specific detail
  • [ ] CFR citations verified — uncertain citations marked [VERIFY]
  • [ ] Risk-based approach: controls scaled to institution size and complexity
  • [ ] SAR confidentiality protections embedded in relevant sections
  • [ ] OFAC strict-liability posture reflected throughout
  • [ ] Retention periods consistent across sections
  • [ ] Disclaimer included: framework requires qualified legal counsel review and institution-specific tailoring

Guidelines

  • Mark uncertain CFR citations with [VERIFY] — regulations change; confirm at drafting date
  • OFAC obligations are strict liability — err on the side of caution in all screening procedures
  • SAR confidentiality violations carry serious penalties — embed protections in every relevant procedure and training module
  • Program must be reviewed regularly for regulatory changes, emerging risks, and implementation lessons
  • Consult legal counsel for interpretation questions
