Module 3 · Lesson 1

Five Pillars of an AML Program

Anti-Money Laundering (AML) Program

The Foundation of BSA/AML Compliance

Every financial institution subject to the Bank Secrecy Act must maintain an AML program. The original BSA framework established four pillars, and the Anti-Money Laundering Act of 2020 (AMLA) formally added a fifth. Together, these five pillars constitute the minimum requirements for an effective program. Regulators evaluate your AML program against these pillars during examinations — and failures in any single pillar can result in enforcement action.

Pillar 1: Internal Policies, Procedures, and Controls

Your AML program must include written policies and procedures that address all aspects of BSA compliance. These are not shelf documents — they must be operationally implemented and regularly updated.

What this includes:

  • Customer Identification Program (CIP) procedures
  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
  • Transaction monitoring rules and alert disposition procedures
  • Suspicious Activity Report (SAR) filing procedures, including the decision-making process and timelines (SARs must be filed within 30 calendar days of the initial detection of suspicious activity, per 31 CFR 1020.320)
  • Currency Transaction Report (CTR) filing procedures for cash transactions over $10,000
  • OFAC sanctions screening procedures
  • Record retention policies (five years for most BSA records, per 31 CFR 1010.430)
  • Information sharing procedures under Section 314(a) and 314(b) of the USA PATRIOT Act

Practical tip: Organize your policies into three tiers: (1) a board-approved AML policy that sets the overall framework and risk appetite, (2) departmental procedures that detail how each function implements the policy, and (3) operational playbooks or job aids that provide step-by-step guidance for specific tasks (e.g., how to investigate a transaction monitoring alert).

Pillar 2: Designated BSA/AML Compliance Officer

You must designate a qualified individual as the BSA/AML compliance officer. This person is responsible for the day-to-day operation of the AML program and serves as the primary point of contact for regulators and law enforcement.

Key requirements:

  • The compliance officer must have sufficient authority and resources to implement the program effectively. This means direct access to the board or a board committee — not buried three levels below the CEO.
  • The compliance officer must be knowledgeable about BSA/AML requirements. Certifications such as CAMS (Certified Anti-Money Laundering Specialist) or CFE (Certified Fraud Examiner) demonstrate competence but are not legally required.
  • The compliance officer must be empowered to make decisions about customer relationships, including the ability to file SARs, exit relationships, and decline to onboard high-risk customers.
  • For smaller fintechs, the compliance officer role can be part-time or combined with other responsibilities — but the person must have adequate time dedicated to compliance. If they're also the product manager and the head of operations, regulators will question whether the role is being given sufficient attention.

Common pitfall: Appointing a compliance officer in name only. Regulators will test whether the compliance officer actually has authority by examining whether their recommendations are implemented, whether they have budget autonomy, and whether they report directly to the board or senior management.

Pillar 3: Ongoing Training

All relevant employees must receive AML training appropriate to their roles. Training is not just an annual checkbox — it must be substantive, current, and tailored.

What regulators expect:

  • Initial training for new hires within 30 days of start date
  • Annual refresher training for all employees in customer-facing, compliance, and risk roles
  • Role-specific training: front-line staff need to know how to recognize suspicious activity, analysts need to know how to investigate and document, and senior management needs to understand their oversight responsibilities
  • Training on new regulations, typologies, and enforcement actions as they emerge
  • Documentation of all training delivered, including attendees, content covered, and completion dates

Practical tip: Supplement generic AML training with scenario-based exercises using real examples from your own transaction monitoring system. An analyst who has worked through 10 realistic case studies will be far more effective than one who has only completed a multiple-choice quiz.

Pillar 4: Independent Testing (Audit)

Your AML program must be tested independently — either by your internal audit function or by an external firm. The testing must be conducted by individuals who are not involved in the day-to-day operation of the AML program.

What independent testing should cover:

  • Evaluation of the overall adequacy of the AML program relative to the institution's risk profile
  • Testing of transaction monitoring — are alerts being generated appropriately? Are they being investigated and resolved correctly?
  • Review of SAR filing decisions — are SARs being filed when warranted? Are they timely and complete?
  • Testing of CIP and CDD procedures — is the institution collecting and verifying the required information?
  • Assessment of training program effectiveness
  • Review of the risk assessment methodology and conclusions
  • Testing of OFAC screening — are all customers and transactions being screened? Are hits being resolved appropriately?

Frequency: At minimum, independent testing should be conducted every 12-18 months. Higher-risk institutions or those with recent examination findings should test more frequently. For fintechs that are growing rapidly, consider semi-annual testing of high-risk areas (transaction monitoring, sanctions screening) even if a full audit is annual.

Pillar 5: Risk Assessment (Added by AMLA 2020)

The AMLA formally codified what had long been a regulatory expectation: that every AML program must be based on a thorough risk assessment. Your risk assessment identifies the specific money laundering and terrorist financing risks your institution faces and forms the foundation for all other program elements.

This is covered in detail in the next lesson, but key points include:

  • Risk assessments must be updated at least annually or when there are material changes to your business (new products, new geographies, new customer segments)
  • The risk assessment drives everything else — your monitoring rules, your CDD requirements, your staffing levels, and your training content should all be calibrated to the risks identified
  • Regulators will compare your risk assessment against your actual program to identify disconnects (e.g., if you identify high-risk geographies but don't have EDD procedures for customers in those geographies)

Five Pillars Checklist

  • ☐ Written AML policies and procedures covering all BSA obligations, approved by the board
  • ☐ Designated compliance officer with documented authority, resources, and direct board access
  • ☐ Training program with role-specific content, annual delivery, and complete records
  • ☐ Independent testing conducted at least every 12-18 months by qualified, independent reviewers
  • ☐ Documented risk assessment updated annually and used to calibrate program elements