aml-compliance-program
Drafts board-ready Anti-Money Laundering compliance programs for U.S. financial institutions under BSA/FinCEN requirements. Covers CIP, CDD, EDD, SAR/CTR reporting, OFAC screening, risk assessment, training, independent testing, and governance structures. Use when creating or updating AML policies, BSA compliance programs, or financial institution regulatory documentation. Trigger keywords: AML, BSA, FinCEN, Bank Secrecy Act, anti-money laundering, SAR, CTR, OFAC, CIP, CDD, KYC, compliance program.
Best use case
aml-compliance-program is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using aml-compliance-program should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/aml-compliance-program/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How aml-compliance-program Compares
| Feature / Agent | aml-compliance-program | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Drafts board-ready Anti-Money Laundering compliance programs for U.S. financial institutions under BSA/FinCEN requirements. Covers CIP, CDD, EDD, SAR/CTR reporting, OFAC screening, risk assessment, training, independent testing, and governance structures. Use when creating or updating AML policies, BSA compliance programs, or financial institution regulatory documentation. Trigger keywords: AML, BSA, FinCEN, Bank Secrecy Act, anti-money laundering, SAR, CTR, OFAC, CIP, CDD, KYC, compliance program.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# AML Compliance Program

Produces a comprehensive, board-ready AML compliance program tailored to a financial institution's risk profile, satisfying BSA, FinCEN, and federal/state requirements.

## Checkpoint A: Pre-Draft Intake (Mandatory)

Before drafting, collect from the user:

1. **Existing policies** — current AML program, risk assessments, exam reports, regulatory correspondence
2. **Institutional profile** — org chart, business lines, products, customer demographics, geographic footprint
3. **Risk data** — prior assessments, audit findings, enforcement actions, consent orders
4. **Applicable regulations** — confirm institution type (bank, MSB, broker-dealer) to determine which CFR parts, FinCEN guidance, and agency bulletins apply

Do not proceed until items 1–2 are addressed. Items 3–4 may be developed during drafting if unavailable.

## Quick Start

Draft a numbered policy document covering all sections below. Calibrate depth to the institution's size, complexity, and risk profile.

---

## Step 1: Program Foundation

| Element | Requirement |
|---|---|
| Board endorsement | Explicit board/senior management approval and oversight |
| Scope | All business lines, customer relationships, geographies, transaction types |
| Risk-based approach | Controls calibrated to risk assessment findings |
| Resource commitment | Adequate personnel, technology, budget |

## Step 2: AML Compliance Officer

| Element | Requirement |
|---|---|
| Qualifications | CAMS or equivalent; demonstrated BSA/AML expertise |
| Reporting line | Direct to senior management; regular board access |
| Independence | Evaluation tied to compliance effectiveness, not production |
| Authority | Unrestricted access to all records, systems, personnel |

**Core duties:** Regulatory contact (FinCEN, regulators, law enforcement) · SAR/CTR/BSA filing oversight · risk assessment coordination · training management · independent testing oversight · program design and updates.

## Step 3: Customer Identification Program (CIP)

Per 31 CFR § 1020.220:

| Data Point | Individual | Legal Entity |
|---|---|---|
| Full legal name | Required | Required |
| Date of birth | Required | N/A |
| Address | Residential/business street | Principal place of business |
| ID number | SSN/TIN or passport + country | EIN or equivalent |

**Verification:** Documentary (government ID / incorporation docs) · Non-documentary (consumer reporting, public databases) · Non-face-to-face (additional measures for remote channels).

**Retention:** 5 years after account closure.

## Step 4: Customer Due Diligence (CDD)

Per 31 CFR § 1010.230:

- Identify beneficial owners: each individual ≥25% equity + one with significant management control
- Collect via certification form; verify per CIP standards
- Update ownership on risk-based schedule and upon known changes
- Document relationship purpose, business activities, anticipated activity, source of funds
- Build expected transaction profiles (type, industry, geography, history)
- Ongoing monitoring: automated systems, periodic reviews, exception reporting

## Step 5: Enhanced Due Diligence (EDD)

**Mandatory EDD triggers:**

| Category | Examples |
|---|---|
| PEPs | Per FinCEN guidance |
| High-risk geographies | FATF high-risk/monitored jurisdictions |
| Complex ownership | Opaque structures obscuring beneficial ownership |
| High-risk businesses | MSBs, virtual currency exchanges, cash-intensive |
| Elevated risk rating | Multiple risk factors per internal methodology |

**Requirements:** Background investigation · senior management approval · enhanced monitoring (lower thresholds, more frequent reviews) · documented risk rating methodology (customer × geography × product × activity).

## Step 6: Suspicious Activity Reporting (SAR)

Per 31 CFR § 1020.320:

- **Threshold:** ≥ $5,000 where institution knows/suspects illegal activity, BSA evasion, no business purpose, or criminal facilitation
- **Deadlines:** 30 days (suspect identified) · 60 days (no suspect identified)
- **Key indicators:** Structuring · activity inconsistent with profile · large currency transactions · wire transfers lacking rationale or involving high-risk jurisdictions · recordkeeping/CIP avoidance · shell company transactions
- **Confidentiality:** Federal law prohibits disclosure to subjects; civil/criminal penalties for violation; records retained 5 years; need-to-know access only
- **Escalation:** Immediate report to Compliance Officer; good-faith reporters protected

## Step 7: Currency Transaction Reporting (CTR)

Per 31 CFR §§ 1010.310, 1020.310:

| Element | Requirement |
|---|---|
| Threshold | Currency transactions > $10,000 per person per business day |
| Aggregation | Multiple transactions by/on behalf of same person in one day |
| Filing deadline | 15 calendar days via BSA E-Filing |
| Currency | Coin and paper money only (excludes cashier's checks, money orders) |

**Exemptions (31 CFR § 1020.315):** Banks, government entities, listed public companies, qualifying businesses. Require documentation, approval, biennial renewal, annual review.

## Step 8: OFAC Compliance

| Trigger | Timing |
|---|---|
| Account opening | Before relationship established |
| Existing customers | Minimum annually; risk-based frequency |
| Transactions (wires, ACH) | Real-time or near real-time |

**Lists:** SDN, Consolidated Sanctions, country-based programs.

**Actions:**

- **Blocking** — mandatory for sanctioned persons' property; interest-bearing account; report to OFAC within 10 business days
- **Rejection** — prohibited transactions not requiring blocking; notify originator; document decision

**Retention:** All screening records ≥ 5 years.

## Step 9: Risk Assessment

| Dimension | Factors |
|---|---|
| Products/services | Velocity, geographic reach, anonymity, abuse susceptibility |
| Customers | Type, occupation, geography, relationship characteristics |
| Entities | Ownership structure, business purpose, formation jurisdiction |
| Geography | Physical presence, customer concentrations, FATF/State Dept. flags |

Assess **inherent** (pre-controls) and **residual** (post-controls) risk. Conduct annually minimum or upon significant changes. Findings drive CDD intensity, monitoring sensitivity, and resource allocation.

## Step 10: Training

| Audience | Timing |
|---|---|
| All employees/officers/directors | Annual minimum |
| New hires | Within 30 days or before customer-facing duties |
| High-risk positions | Role-specific schedule with specialized content |

**Core curriculum:** Institution AML policies · BSA/PATRIOT Act/FinCEN/OFAC · ML/TF typologies · red flags · CIP/CDD procedures · reporting obligations.

**Documentation:** Attendance records, completion certificates, comprehension assessments.

## Step 11: Independent Testing

| Element | Standard |
|---|---|
| Independence | Personnel independent of AML function |
| Frequency | 12–18 months; higher-risk more frequent |
| Reporting | Findings to Compliance Officer, management, board |

**Scope:** Regulatory compliance · policy adequacy · risk assessment methodology · transaction monitoring effectiveness · training adequacy · SAR/CTR timeliness · CIP/CDD compliance · OFAC procedures.

**Remediation:** Management response required; action plans with timelines; follow-up verification.

## Step 12: Governance

**Board duties:** Approve program and updates · review risk assessment · receive quarterly compliance reports · review testing results · allocate resources.

**Quarterly metrics:** SAR/CTR activity, OFAC screening, CDD/EDD activities, training completion, testing findings, regulatory developments.

**Change management:** Document rationale → compliance + legal review → management/board approval → communicate to personnel → maintain version history.

## Step 13: Recordkeeping

| Record Type | Retention |
|---|---|
| SARs + supporting docs | 5 years from filing |
| CTRs + supporting docs | 5 years from filing |
| CIP/CDD/beneficial ownership | 5 years after account closure |
| OFAC screening/blocking | 5 years minimum |
| Risk assessments, testing, training | 5 years minimum |

Organized for prompt retrieval upon regulatory request. Security controls and audit trails for SAR-related records.

---

## Checkpoint B: Post-Draft Review (Mandatory)

After delivering the draft, ask the user:

1. Does the program scope match your institution's business lines and risk profile?
2. Are the CIP/CDD/EDD thresholds appropriate for your customer base?
3. Do the governance and reporting structures align with your board/committee framework?
4. Any enforcement history, consent orders, or MRAs that require specific program provisions?

## Quality Checks

- [ ] All 13 sections addressed with institution-specific detail
- [ ] CFR citations verified — uncertain citations marked [VERIFY]
- [ ] Risk-based approach: controls scaled to institution size and complexity
- [ ] SAR confidentiality protections embedded in relevant sections
- [ ] OFAC strict-liability posture reflected throughout
- [ ] Retention periods consistent across sections
- [ ] Disclaimer included: framework requires qualified legal counsel review and institution-specific tailoring

## Guidelines

- Mark uncertain CFR citations with [VERIFY] — regulations change; confirm at drafting date
- OFAC obligations are strict liability — err on the side of caution in all screening procedures
- SAR confidentiality violations carry serious penalties — embed protections in every relevant procedure and training module
- Program must be reviewed regularly for regulatory changes, emerging risks, and implementation lessons
- Consult legal counsel for interpretation questions

Related Skills
managing-telehealth-compliance
Evaluates telehealth program compliance with state licensing, prescribing, and reimbursement requirements. Use when assessing telehealth compliance, reviewing licensure requirements, or managing virtual care regulations.
managing-state-regulatory-compliance
Monitors state-specific healthcare regulatory requirements including licensing, reporting, and scope of practice. Use when tracking state regulations, managing licensure requirements, or monitoring regulatory changes.
managing-research-compliance
Monitors research compliance with federal regulations (21 CFR, 45 CFR 46) and institutional policies. Use when ensuring research compliance, managing regulatory requirements, or conducting compliance reviews.
managing-medical-records-compliance
Evaluates medical records practices against retention, access, and amendment requirements. Use when auditing medical records, managing record retention, or processing amendment requests.
managing-maternal-child-health-programs
Structures MCH program management with Title V indicators and outcome tracking. Use when managing MCH programs, tracking perinatal outcomes, or monitoring child health indicators.
managing-informed-consent-compliance
Evaluates informed consent practices against state law requirements and institutional policies. Use when auditing consent processes, reviewing consent form adequacy, or managing consent compliance.
managing-infectious-disease-programs
Structures infectious disease control programs with prevention, testing, and treatment access protocols. Use when managing ID programs, implementing STI prevention, or coordinating TB control.
managing-global-health-programs
Structures international health program design with WHO guidelines and cross-cultural considerations. Use when managing global health initiatives, applying WHO frameworks, or designing international health programs.
managing-emtala-compliance
Evaluates emergency department practices against EMTALA requirements with documentation checklists. Use when assessing EMTALA compliance, reviewing MSE requirements, or documenting transfer obligations.
managing-compliance-programs
Structures OIG-model compliance program elements with effectiveness measurement and reporting. Use when building compliance programs, implementing OIG guidance, or measuring program effectiveness.
managing-compliance-audits
Structures coding compliance audit programs with sampling methodology and corrective action plans. Use when conducting compliance audits, designing audit samples, or implementing corrective actions.
managing-clinical-trial-compliance
Evaluates clinical trial regulatory compliance with FDA/IRB requirements and audit readiness. Use when auditing trial compliance, preparing for FDA inspections, or managing regulatory requirements.