aml-compliance-program
AML Compliance Program
Produces a comprehensive, board-ready AML compliance program tailored to a financial institution's risk profile, satisfying BSA, FinCEN, and federal/state requirements.
Checkpoint A: Pre-Draft Intake (Mandatory)
Before drafting, collect from the user:
1. Existing policies — current AML program, risk assessments, exam reports, regulatory correspondence
2. Institutional profile — org chart, business lines, products, customer demographics, geographic footprint
3. Risk data — prior assessments, audit findings, enforcement actions, consent orders
4. Applicable regulations — confirm institution type (bank, MSB, broker-dealer) to determine which CFR parts, FinCEN guidance, and agency bulletins apply
Do not proceed until items 1–2 are addressed. Items 3–4 may be developed during drafting if unavailable.
Quick Start
Draft a numbered policy document covering all sections below. Calibrate depth to the institution's size, complexity, and risk profile.
Step 1: Program Foundation
| Element | Requirement |
|---|---|
| Board endorsement | Explicit board/senior management approval and oversight |
| Scope | All business lines, customer relationships, geographies, transaction types |
| Risk-based approach | Controls calibrated to risk assessment findings |
| Resource commitment | Adequate personnel, technology, budget |
Step 2: AML Compliance Officer
| Element | Requirement |
|---|---|
| Qualifications | CAMS or equivalent; demonstrated BSA/AML expertise |
| Reporting line | Direct to senior management; regular board access |
| Independence | Evaluation tied to compliance effectiveness, not production |
| Authority | Unrestricted access to all records, systems, personnel |
Core duties: Regulatory contact (FinCEN, regulators, law enforcement) · SAR/CTR/BSA filing oversight · risk assessment coordination · training management · independent testing oversight · program design and updates.
Step 3: Customer Identification Program (CIP)
Per 31 CFR § 1020.220:
| Data Point | Individual | Legal Entity |
|---|---|---|
| Full legal name | Required | Required |
| Date of birth | Required | N/A |
| Address | Residential/business street | Principal place of business |
| ID number | SSN/TIN or passport + country | EIN or equivalent |
Verification: Documentary (government ID / incorporation docs) · Non-documentary (consumer reporting, public databases) · Non-face-to-face (additional measures for remote channels).
Retention: 5 years after account closure.
Step 4: Customer Due Diligence (CDD)
Per 31 CFR § 1010.230:
- Identify beneficial owners: each individual ≥25% equity + one with significant management control
- Collect via certification form; verify per CIP standards
- Update ownership on risk-based schedule and upon known changes
- Document relationship purpose, business activities, anticipated activity, source of funds
- Build expected transaction profiles (type, industry, geography, history)
- Ongoing monitoring: automated systems, periodic reviews, exception reporting
Step 5: Enhanced Due Diligence (EDD)
Mandatory EDD triggers:
| Category | Examples |
|---|---|
| PEPs | Per FinCEN guidance |
| High-risk geographies | FATF high-risk/monitored jurisdictions |
| Complex ownership | Opaque structures obscuring beneficial ownership |
| High-risk businesses | MSBs, virtual currency exchanges, cash-intensive |
| Elevated risk rating | Multiple risk factors per internal methodology |
Requirements: Background investigation · senior management approval · enhanced monitoring (lower thresholds, more frequent reviews) · documented risk rating methodology (customer × geography × product × activity).
Step 6: Suspicious Activity Reporting (SAR)
Per 31 CFR § 1020.320:
- Threshold: ≥ $5,000 where institution knows/suspects illegal activity, BSA evasion, no business purpose, or criminal facilitation
- Deadlines: 30 days (suspect identified) · 60 days (no suspect identified)
- Key indicators: Structuring · activity inconsistent with profile · large currency transactions · wire transfers lacking rationale or involving high-risk jurisdictions · recordkeeping/CIP avoidance · shell company transactions
- Confidentiality: Federal law prohibits disclosure to subjects; civil/criminal penalties for violation; records retained 5 years; need-to-know access only
- Escalation: Immediate report to Compliance Officer; good-faith reporters protected
Step 7: Currency Transaction Reporting (CTR)
Per 31 CFR §§ 1010.310, 1020.310:
| Element | Requirement |
|---|---|
| Threshold | Currency transactions > $10,000 per person per business day |
| Aggregation | Multiple transactions by/on behalf of same person in one day |
| Filing deadline | 15 calendar days via BSA E-Filing |
| Currency | Coin and paper money only (excludes cashier's checks, money orders) |
Exemptions (31 CFR § 1020.315): Banks, government entities, listed public companies, qualifying businesses. Require documentation, approval, biennial renewal, annual review.
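The threshold, aggregation, currency-only and exemption rules in the table above, expressed as detection logic. This is an added example for illustration, not part of the program template or any vendor's monitoring system; the transaction records, person identifiers and amounts are constructed, and a single `person_id` field stands in for the conductor/beneficiary resolution a real system must perform across accounts and branches. Cash in and cash out are aggregated separately, and a total of exactly $10,000 does not trigger a report because the rule is "more than $10,000".

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal
from typing import NamedTuple

# 31 CFR 1010.311: a CTR is required for each currency transaction of MORE
# than $10,000; exactly $10,000.00 does not trigger a filing.
CTR_THRESHOLD = Decimal("10000.00")
FILING_DEADLINE_DAYS = 15  # calendar days after the transaction date

# Only coin and paper money are "currency" for CTR purposes. Cashier's checks
# and money orders are monetary instruments, not currency.
CURRENCY_INSTRUMENTS = {"CASH"}


class Transaction(NamedTuple):
    txn_id: str
    person_id: str      # conductor, or the person on whose behalf cash moves (assumed pre-resolved)
    business_day: date
    direction: str      # "IN" (cash received) or "OUT" (cash paid out)
    instrument: str     # "CASH", "CASHIERS_CHECK", "MONEY_ORDER", ...
    amount: Decimal


class CtrCandidate(NamedTuple):
    person_id: str
    business_day: date
    direction: str
    total: Decimal
    txn_ids: tuple
    filing_deadline: date


def ctr_candidates(transactions, exempt_persons=frozenset()):
    """Aggregate currency transactions per person, business day and direction
    and return the groups whose total exceeds the CTR threshold.

    Cash in and cash out are bucketed separately: multiple transactions by or
    on behalf of one person count as one transaction if they result in either
    cash in OR cash out of more than $10,000 in a business day. Persons with a
    documented exemption (31 CFR 1020.315) are skipped.
    """
    buckets = defaultdict(list)
    for t in transactions:
        if t.instrument not in CURRENCY_INSTRUMENTS:
            continue  # not currency: never counts toward a CTR
        if t.person_id in exempt_persons:
            continue  # exempt customer; exemption must be documented and reviewed
        buckets[(t.person_id, t.business_day, t.direction)].append(t)

    candidates = []
    for (person, day, direction), txns in sorted(buckets.items()):
        total = sum((t.amount for t in txns), Decimal("0"))
        if total > CTR_THRESHOLD:
            candidates.append(CtrCandidate(
                person_id=person, business_day=day, direction=direction,
                total=total, txn_ids=tuple(t.txn_id for t in txns),
                filing_deadline=day + timedelta(days=FILING_DEADLINE_DAYS)))
    return candidates


# Constructed sample: one business day of teller activity at a hypothetical bank.
D = date(2024, 3, 4)
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "alice", D, "IN", "CASH", Decimal("6000.00")),
    Transaction("T2", "alice", D, "IN", "CASH", Decimal("4500.00")),        # aggregates to 10,500: CTR
    Transaction("T3", "alice", D, "IN", "CASHIERS_CHECK", Decimal("9000.00")),  # not currency: ignored
    Transaction("T4", "bob", D, "IN", "CASH", Decimal("10000.00")),         # exactly $10,000: no CTR
    Transaction("T5", "carol", D, "IN", "CASH", Decimal("7000.00")),
    Transaction("T6", "carol", D, "OUT", "CASH", Decimal("8000.00")),       # in/out kept separate: no CTR
    Transaction("T7", "acme-exempt", D, "IN", "CASH", Decimal("25000.00")), # exempt person: skipped
    Transaction("T8", "erin", D, "OUT", "CASH", Decimal("12000.00")),       # single transaction: CTR
    Transaction("T9", "alice", date(2024, 3, 5), "IN", "CASH", Decimal("5000.00")),  # next day: separate
]
EXEMPT_PERSONS = frozenset({"acme-exempt"})


def demo():
    """Run the rule over the constructed sample; returns the CTR candidates."""
    return ctr_candidates(SAMPLE_TRANSACTIONS, EXEMPT_PERSONS)


if __name__ == "__main__":
    for c in demo():
        print(f"{c.person_id} {c.direction} {c.business_day} total={c.total} "
              f"txns={c.txn_ids} file by {c.filing_deadline}")
```

The filing deadline is computed from the transaction date so a queue can be sorted by urgency; a production control would also feed the near-threshold buckets (Bob and Carol here) to the structuring review described under SAR, since a pattern of transactions kept just under the threshold is itself a red flag.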
Step 8: OFAC Compliance
| Trigger | Timing |
|---|---|
| Account opening | Before relationship established |
| Existing customers | Minimum annually; risk-based frequency |
| Transactions (wires, ACH) | Real-time or near real-time |
Lists: SDN, Consolidated Sanctions, country-based programs.
Actions:
- Blocking — mandatory for sanctioned persons' property; interest-bearing account; report to OFAC within 10 business days
- Rejection — prohibited transactions not requiring blocking; notify originator; document decision
Retention: All screening records ≥ 5 years.
Step 9: Risk Assessment
| Dimension | Factors |
|---|---|
| Products/services | Velocity, geographic reach, anonymity, abuse susceptibility |
| Customers | Type, occupation, geography, relationship characteristics |
| Entities | Ownership structure, business purpose, formation jurisdiction |
| Geography | Physical presence, customer concentrations, FATF/State Dept. flags |
Assess inherent (pre-controls) and residual (post-controls) risk. Conduct annually minimum or upon significant changes. Findings drive CDD intensity, monitoring sensitivity, and resource allocation.
Step 10: Training
| Audience | Timing |
|---|---|
| All employees/officers/directors | Annual minimum |
| New hires | Within 30 days or before customer-facing duties |
| High-risk positions | Role-specific schedule with specialized content |
Core curriculum: Institution AML policies · BSA/PATRIOT Act/FinCEN/OFAC · ML/TF typologies · red flags · CIP/CDD procedures · reporting obligations.
Documentation: Attendance records, completion certificates, comprehension assessments.
Step 11: Independent Testing
| Element | Standard |
|---|---|
| Independence | Personnel independent of AML function |
| Frequency | 12–18 months; higher-risk more frequent |
| Reporting | Findings to Compliance Officer, management, board |
Scope: Regulatory compliance · policy adequacy · risk assessment methodology · transaction monitoring effectiveness · training adequacy · SAR/CTR timeliness · CIP/CDD compliance · OFAC procedures.
Remediation: Management response required; action plans with timelines; follow-up verification.
Step 12: Governance
Board duties: Approve program and updates · review risk assessment · receive quarterly compliance reports · review testing results · allocate resources.
Quarterly metrics: SAR/CTR activity, OFAC screening, CDD/EDD activities, training completion, testing findings, regulatory developments.
Change management: Document rationale → compliance + legal review → management/board approval → communicate to personnel → maintain version history.
Step 13: Recordkeeping
| Record Type | Retention |
|---|---|
| SARs + supporting docs | 5 years from filing |
| CTRs + supporting docs | 5 years from filing |
| CIP/CDD/beneficial ownership | 5 years after account closure |
| OFAC screening/blocking | 5 years minimum |
| Risk assessments, testing, training | 5 years minimum |
Organized for prompt retrieval upon regulatory request. Security controls and audit trails for SAR-related records.
Checkpoint B: Post-Draft Review (Mandatory)
After delivering the draft, ask the user:
- Does the program scope match your institution's business lines and risk profile?
- Are the CIP/CDD/EDD thresholds appropriate for your customer base?
- Do the governance and reporting structures align with your board/committee framework?
- Any enforcement history, consent orders, or MRAs that require specific program provisions?
Quality Checks
- All 13 sections addressed with institution-specific detail
- CFR citations verified — uncertain citations marked [VERIFY]
- Risk-based approach: controls scaled to institution size and complexity
- SAR confidentiality protections embedded in relevant sections
- OFAC strict-liability posture reflected throughout
- Retention periods consistent across sections
- Disclaimer included: framework requires qualified legal counsel review and institution-specific tailoring
Guidelines
- Mark uncertain CFR citations with [VERIFY] — regulations change; confirm at drafting date
- OFAC obligations are strict liability — err on the side of caution in all screening procedures
- SAR confidentiality violations carry serious penalties — embed protections in every relevant procedure and training module
- Program must be reviewed regularly for regulatory changes, emerging risks, and implementation lessons
- Consult legal counsel for interpretation questions