The First Pillar of AML Compliance: Best Practices
Updated: Aug 12, 2022

AML — or Anti-Money Laundering — compliance programs come in all shapes and sizes. Statutorily they’re built on five pillars: developing internal policies, procedures, and controls; designating an AML (BSA) officer to oversee the program; employee training; independent testing; and customer due diligence.
Thirty-five years ago, the four pillars of AML (Anti-Money Laundering) compliance programs were established to help examiners perform their duties. The fifth pillar, or due diligence, was added in May 2018 after the “CDD Rule,” a FinCEN amendment to Bank Secrecy Act regulations, was finalized.
Because these foundational principles are so important, RiskScout will shine a spotlight on each of them in this and upcoming blog posts, starting with the first pillar.
Policies, Procedures, Controls
It makes sense that developing internal policies, procedures, and controls to conduct customer due diligence and ongoing monitoring would be considered the first pillar of an AML compliance program. Only after establishing a philosophical and practical underpinning can banks and credit unions know what they’re aiming for in compliance efforts.
Establishing internal policies and procedures to mitigate and manage money laundering and terror financing sounds straightforward, but this is not necessarily the case. First, an institution has to consider policies, procedures, and controls relative to the institution’s overall risk profile. The risk profile can be informed by a variety of factors such as geography, customer type, or strategic objectives.
The FFIEC provides a little color on the risk assessment process: “Understanding its risk profile enables the bank to better apply appropriate risk management processes to the BSA/AML compliance program to mitigate and manage risk and comply with BSA regulatory requirements. The BSA/AML risk assessment process also enables the bank to better identify and mitigate any gaps in controls.[1]”
The internal policies your institution develops should promote an efficient process to monitor for suspicious activity and report the necessary data about flagged activities to FinCEN.
Outside of risk, it’s important to define roles and responsibilities for key members of a financial institution, including members of the senior management team and the board of directors. Clear reporting lines and responsibilities reduce the likelihood that your institution will miss critical information.
Best Practices
Here is some practical advice for making the first pillar as effective as possible:
Put everything in writing. Documenting practices ensures that, in the event of turnover, future staff are able to complete their roles effectively. In addition, policies, procedures, and controls should appear in written form so that all bank employees can access them to better understand how department goals interrelate.
Keep abreast of regulatory changes. Banks and credit unions may be answering to more than one regulator on the BSA/AML front, and regulations can — and do — change. Be sure that you have processes or software solutions in place to remain apprised of regulatory change.
Strive for dual controls and a segregation of duties. Having ways to double-check processes can add what’s called a “second management layer” to your procedures, processes, and controls. This reduces the likelihood of process failure and creates a process that demonstrates impartiality.
Make sure resources are being managed. Ensure both technical and human resources support your practices. Empower employees to approach senior management and present a business case for additional resources when the need arises.
Consider program continuity. The Covid-19 pandemic taught us that scenarios we consider unlikely in our business continuity planning are very much possible. Planning for varying operational capabilities and reducing single points of failure ensures your institution can operate in a safe and sound manner regardless of challenges.
Evaluate your program before the examiner arrives. Examination procedures are publicly available on the FFIEC site. By reviewing these procedures, you can know ahead of time what the examiner will be looking for.
Be ready to explain how technology is aiding your controls. Automated, cloud-based solutions can help reduce time for operational processes. But it’s important to be able to articulate how these processes work to third parties, and for staff to understand what responsibilities they have for ensuring technology operates as intended.