This post is part of our occasional series on AML program fundamentals which focuses on refreshing foundational knowledge for experienced members of the AML community and providing an introduction to key topics for those new to the subject.
For many years AML compliance programs were built on the four internationally known pillars: development of internal policies, procedures and controls, designation of a AML (BSA) officer responsible for the program, relevant training of employees and independent testing. In May 2018, a fifth pillar –due diligence – was added after the finalization of the “CDD Rule.”
Beginning in 1987, regulators examined the AML compliance programs of financial institutions (FI) by reviewing the programs for effective implementation of the four pillars. The pillars are the required foundation of an effective compliance program. Such a program starts with the first pillar: implementation of effective internal controls through the establishment of internal policies and procedures. These controls need to appropriate for the risk profile of the institution and be in written form. The policies and procedures should define the roles and responsibilities of each part of the FI, including the board of directors, senior management and all parts of the institution.
The second pillar requires the designation of a compliance (AML) officer responsible for managing the program. The designated person must have the requisite knowledge and experience to manage a program for the institution for which they are appointed. Depending on the size and complexity of the FI, the AML officer may hold other duties as well, but the amount of time that is committed to managing and maintaining the program will be closely scrutinized during examinations. Regulators have cited institutions for weaknesses in their program where the designated AML/BSA officer lacks the experience to manage the program or has too many duties outside of the program to effectively manage it.
The third pillar sets an expectation that appropriate periodic training for employees will be given; the focus of the training should be the programs and its controls, and the roles and responsibilities of employees within the program. Since employees around the institution will have different roles and responsibilities, an effective training program will not be “one size fits all”and should be tailored. Certain elements of the training will be common to the entire organization, but operations areas will have different responsibilities from customer facing areas and their respective training activities should reflect those differences. Training should include senior management and the board of directors. Training should also be refreshed on a regular basis and any significant changes to the compliance program should include “off cycle” training to inform impacted employees about the program changes. It is important to keep accurate records of all training provided and who received the training; this is a key element in substantiating compliance with this pillar.
The fourth pillar requires for independent testing of the program. The independent testing can be performed by thirds parties or by FI staff with no responsibility for establishing or managing the program. The testers should have sufficient knowledge and experience with AML compliance to understand and analyze the program. The purpose of the review is to confirm that the program is operating as designed and that the internal controls are effective. This includes review of the policies and procedures for compliance with existing regulations, testing of internal controls, review of training program elements and training records. An independent review should be performed at least annually.
The fifth pillar now requires FIs to include: risk-based procedures for conducting ongoing customer due diligence which include understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information [including information on the beneficial owners of legal entity customers].[1] While the first four pillars are set out in the text of the Bank Secrecy Act, the fifth pillar was created by regulation.[2] A focus of the new pillar is the requirement to identify beneficial owners of customers[3]. This requirement goes beyond prior regulatory expectations for customer due diligence. As with all changes to AML compliance programs, these program revisions impact the other pillars of an FI’s program.
A sound AML compliance program has all five pillars functioning effectively.
[1] 31 CFR § 1020.210
[2] See 81 Fed. Reg. 29399 (May 11, 2016)
[3] For more details about the beneficial ownership requirements, see The Beneficial Ownership Rule.
