Course/Module 3/Lesson 4
Module 3 · Lesson 4

Training and Culture of Compliance

Anti-Money Laundering (AML) Program

Why Training Is More Than a Checkbox

Training is the third pillar of an AML program, but it is arguably the most underinvested. Many institutions treat training as a once-a-year compliance exercise — a 30-minute e-learning module followed by a quiz. Regulators see through this immediately. What they want to see is evidence that your training program produces employees who can actually detect, investigate, and escalate suspicious activity — and that your institution's culture prioritizes compliance from the top down.

The FFIEC BSA/AML Examination Manual explicitly states that training should be "ongoing" and should cover "the [institution's] policies, procedures, and processes" as well as "new rules and regulations, and any changes in the BSA requirements." Training that fails to meet these expectations is a citable deficiency.

Training Frequency and Requirements

Minimum requirements:

  • New hire training: Within 30 days of start date for all employees in compliance, customer-facing, operations, and risk roles. This should include a baseline overview of your AML program, their specific responsibilities, and how to escalate concerns.
  • Annual refresher training: All relevant employees must complete annual training. "Relevant" extends beyond the compliance team — it includes customer service, operations, product, engineering (if they build compliance tools), and senior management.
  • Ad hoc training: When regulations change, when new products are launched, when enforcement actions in your sector reveal new typologies, or when your own internal audit identifies training gaps.
  • Board training: Board members and senior management should receive AML training at least annually, focused on their oversight responsibilities, emerging risks, and program performance metrics.

Role-Specific Training Content

One-size-fits-all training is ineffective. Tailor content to each audience:

Front-line / customer-facing staff:

  • How to recognize red flags during customer interactions (e.g., reluctance to provide identification, inconsistent information, excessive concern about reporting thresholds, requests to structure transactions)
  • How to escalate concerns to the compliance team without tipping off the customer (SAR confidentiality under 31 U.S.C. § 5318(g)(2) prohibits disclosure)
  • CIP and CDD data collection requirements — what to ask, what to document
  • Common social engineering and fraud tactics that may indicate identity theft or account takeover

Compliance analysts:

  • How to investigate transaction monitoring alerts: what data to pull, what patterns to look for, how to document findings
  • SAR narrative writing: structure, required content (who, what, when, where, why, how), and examples of well-written and poorly-written narratives
  • OFAC match disposition: how to evaluate potential matches, what constitutes a "true match," when and how to file a blocking report
  • Emerging ML/TF typologies from FinCEN advisories, FATF reports, and industry publications
  • Use of investigative tools and data sources (transaction monitoring system, case management, open-source intelligence)

Senior management and board:

  • Regulatory landscape updates and enforcement trends
  • Program performance metrics (SAR filing volumes and trends, alert volumes, examination findings, independent testing results)
  • Personal liability exposure — directors and officers can be held personally liable for willful BSA violations
  • Resource adequacy — does the compliance function have sufficient budget and staff to manage the institution's risk profile?

Effective Training Methods

The most effective AML training programs combine multiple delivery methods:

  • Scenario-based exercises: Present realistic case studies drawn from actual SARs, enforcement actions, or your own alert data (scrubbed of PII). Ask participants to identify the red flags, determine whether the activity is suspicious, and draft a SAR narrative. This is far more effective than multiple-choice quizzes.
  • Tabletop exercises: Walk through hypothetical but realistic scenarios with your compliance team: "A major customer is identified on an OFAC list update — what do you do in the first hour? The first day?" These exercises test your procedures and reveal gaps.
  • Lunch-and-learns: Brief (30-minute) sessions on specific topics — a new FinCEN advisory, a recent enforcement action, a change in OFAC regulations. These keep compliance top-of-mind without requiring formal training sessions.
  • External training and conferences: ACAMS, ABA, and industry-specific conferences provide valuable networking and current content. Budget for at least 1-2 external training events per year for your compliance team.

Building a Culture of Compliance — Tone from the Top

Training alone cannot create a compliant organization. Culture is what people do when no one is watching — and regulators are increasingly evaluating institutional culture as part of their examinations.

What "tone from the top" looks like in practice:

  • CEO and board engagement: The CEO publicly and privately communicates that compliance is a priority, not an obstacle to growth. Board meeting minutes document substantive discussion of AML program performance — not just receiving a written report.
  • Resource commitment: Compliance staffing and technology budgets are adequate for the institution's risk profile. When the compliance officer requests additional resources, the request is taken seriously and decided on merit.
  • No retaliation: Employees who escalate compliance concerns or file internal reports are protected from retaliation. This must be both policy and practice — if a relationship manager is penalized for flagging a lucrative customer as high-risk, the message is clear regardless of what the policy says.
  • Accountability: When compliance failures occur, there are consequences. Conversely, compliance excellence is recognized and rewarded — consider including compliance metrics in performance reviews for customer-facing staff.
  • Integration with business decisions: Compliance is involved early in product development, market expansion, and partnership decisions — not brought in after the fact to "bless" decisions that have already been made.

Documenting Your Training Program

Regulators will ask for documentation. Maintain:

  • Training calendar showing planned and completed sessions
  • Attendance records for each session (electronic sign-ins are acceptable)
  • Training materials and content for each session
  • Assessment results (quiz scores, exercise participation)
  • Evidence of follow-up for employees who failed to complete training or scored below acceptable thresholds
  • Board training records showing topic coverage and attendees

Training and Culture Checklist

  • ☐ New hire AML training delivered within 30 days of start date
  • ☐ Annual refresher training for all relevant staff, including senior management and board
  • ☐ Role-specific training content tailored to front-line, analyst, and management audiences
  • ☐ Scenario-based exercises conducted at least quarterly for the compliance team
  • ☐ Training records maintained with attendance, content, and assessment results
  • ☐ Board meeting minutes document substantive AML program discussion at least quarterly
  • ☐ Compliance metrics included in performance reviews for relevant staff
  • ☐ Whistleblower/escalation policy in place with documented non-retaliation protections
  • ☐ Compliance function involved in product development and market expansion decisions from inception
Previous
Policies and Procedures — What Regulators Actually Want to See
Next
Transaction Monitoring Rules and Red Flags