casemark/aml-compliance-program

AML Compliance Program

Produces a comprehensive, board-ready AML compliance program tailored to a financial institution's risk profile, satisfying BSA, FinCEN, and federal/state requirements.

Checkpoint A: Pre-Draft Intake (Mandatory)

Before drafting, collect from the user:

1. Existing policies — current AML program, risk assessments, exam reports, regulatory correspondence
2. Institutional profile — org chart, business lines, products, customer demographics, geographic footprint
3. Risk data — prior assessments, audit findings, enforcement actions, consent orders
4. Applicable regulations — confirm institution type (bank, MSB, broker-dealer) to determine which CFR parts, FinCEN guidance, and agency bulletins apply

Do not proceed until items 1–2 are addressed. Items 3–4 may be developed during drafting if unavailable.

Quick Start

Draft a numbered policy document covering all sections below. Calibrate depth to the institution's size, complexity, and risk profile.

---

Step 1: Program Foundation

| Element | Requirement | |---|---| | Board endorsement | Explicit board/senior management approval and oversight | | Scope | All business lines, customer relationships, geographies, transaction types | | Risk-based approach | Controls calibrated to risk assessment findings | | Resource commitment | Adequate personnel, technology, budget |

Step 2: AML Compliance Officer

| Element | Requirement | |---|---| | Qualifications | CAMS or equivalent; demonstrated BSA/AML expertise | | Reporting line | Direct to senior management; regular board access | | Independence | Evaluation tied to compliance effectiveness, not production | | Authority | Unrestricted access to all records, systems, personnel |

Core duties: Regulatory contact (FinCEN, regulators, law enforcement) · SAR/CTR/BSA filing oversight · risk assessment coordination · training management · independent testing oversight · program design and updates.

Step 3: Customer Identification Program (CIP)

Per 31 CFR § 1020.220:

| Data Point | Individual | Legal Entity | |---|---|---| | Full legal name | Required | Required | | Date of birth | Required | N/A | | Address | Residential/business street | Principal place of business | | ID number | SSN/TIN or passport + country | EIN or equivalent |

Verification: Documentary (government ID / incorporation docs) · Non-documentary (consumer reporting, public databases) · Non-face-to-face (additional measures for remote channels).

Retention: 5 years after account closure.

Step 4: Customer Due Diligence (CDD)

Per 31 CFR § 1010.230:

• Identify beneficial owners: each individual ≥25% equity + one with significant management control
• Collect via certification form; verify per CIP standards
• Update ownership on risk-based schedule and upon known changes
• Document relationship purpose, business activities, anticipated activity, source of funds
• Build expected transaction profiles (type, industry, geography, history)
• Ongoing monitoring: automated systems, periodic reviews, exception reporting

Step 5: Enhanced Due Diligence (EDD)

Mandatory EDD triggers:

| Category | Examples | |---|---| | PEPs | Per FinCEN guidance | | High-risk geographies | FATF high-risk/monitored jurisdictions | | Complex ownership | Opaque structures obscuring beneficial ownership | | High-risk businesses | MSBs, virtual currency exchanges, cash-intensive | | Elevated risk rating | Multiple risk factors per internal methodology |

Requirements: Background investigation · senior management approval · enhanced monitoring (lower thresholds, more frequent reviews) · documented risk rating methodology (customer × geography × product × activity).

Step 6: Suspicious Activity Reporting (SAR)

Per 31 CFR § 1020.320:

• Threshold: ≥ $5,000 where institution knows/suspects illegal activity, BSA evasion, no business purpose, or criminal facilitation
• Deadlines: 30 days (suspect identified) · 60 days (no suspect identified)
• Key indicators: Structuring · activity inconsistent with profile · large currency transactions · wire transfers lacking rationale or involving high-risk jurisdictions · recordkeeping/CIP avoidance · shell company transactions
• Confidentiality: Federal law prohibits disclosure to subjects; civil/criminal penalties for violation; records retained 5 years; need-to-know access only
• Escalation: Immediate report to Compliance Officer; good-faith reporters protected

Step 7: Currency Transaction Reporting (CTR)

Per 31 CFR §§ 1010.310, 1020.310:

| Element | Requirement | |---|---| | Threshold | Currency transactions > $10,000 per person per business day | | Aggregation | Multiple transactions by/on behalf of same person in one day | | Filing deadline | 15 calendar days via BSA E-Filing | | Currency | Coin and paper money only (excludes cashier's checks, money orders) |

Exemptions (31 CFR § 1020.315): Banks, government entities, listed public companies, qualifying businesses. Require documentation, approval, biennial renewal, annual review.

Step 8: OFAC Compliance

| Trigger | Timing | |---|---| | Account opening | Before relationship established | | Existing customers | Minimum annually; risk-based frequency | | Transactions (wires, ACH) | Real-time or near real-time |

Lists: SDN, Consolidated Sanctions, country-based programs.

Actions:

• Blocking — mandatory for sanctioned persons' property; interest-bearing account; report to OFAC within 10 business days
• Rejection — prohibited transactions not requiring blocking; notify originator; document decision

Retention: All screening records ≥ 5 years.

Step 9: Risk Assessment

| Dimension | Factors | |---|---| | Products/services | Velocity, geographic reach, anonymity, abuse susceptibility | | Customers | Type, occupation, geography, relationship characteristics | | Entities | Ownership structure, business purpose, formation jurisdiction | | Geography | Physical presence, customer concentrations, FATF/State Dept. flags |

Assess inherent (pre-controls) and residual (post-controls) risk. Conduct annually minimum or upon significant changes. Findings drive CDD intensity, monitoring sensitivity, and resource allocation.

Step 10: Training

| Audience | Timing | |---|---| | All employees/officers/directors | Annual minimum | | New hires | Within 30 days or before customer-facing duties | | High-risk positions | Role-specific schedule with specialized content |

Core curriculum: Institution AML policies · BSA/PATRIOT Act/FinCEN/OFAC · ML/TF typologies · red flags · CIP/CDD procedures · reporting obligations.

Documentation: Attendance records, completion certificates, comprehension assessments.

Step 11: Independent Testing

| Element | Standard | |---|---| | Independence | Personnel independent of AML function | | Frequency | 12–18 months; higher-risk more frequent | | Reporting | Findings to Compliance Officer, management, board |

Scope: Regulatory compliance · policy adequacy · risk assessment methodology · transaction monitoring effectiveness · training adequacy · SAR/CTR timeliness · CIP/CDD compliance · OFAC procedures.

Remediation: Management response required; action plans with timelines; follow-up verification.

Step 12: Governance

Board duties: Approve program and updates · review risk assessment · receive quarterly compliance reports · review testing results · allocate resources.

Quarterly metrics: SAR/CTR activity, OFAC screening, CDD/EDD activities, training completion, testing findings, regulatory developments.

Change management: Document rationale → compliance + legal review → management/board approval → communicate to personnel → maintain version history.

Step 13: Recordkeeping

| Record Type | Retention | |---|---| | SARs + supporting docs | 5 years from filing | | CTRs + supporting docs | 5 years from filing | | CIP/CDD/beneficial ownership | 5 years after account closure | | OFAC screening/blocking | 5 years minimum | | Risk assessments, testing, training | 5 years minimum |

Organized for prompt retrieval upon regulatory request. Security controls and audit trails for SAR-related records.

---

Checkpoint B: Post-Draft Review (Mandatory)

After delivering the draft, ask the user:

1. Does the program scope match your institution's business lines and risk profile?
2. Are the CIP/CDD/EDD thresholds appropriate for your customer base?
3. Do the governance and reporting structures align with your board/committee framework?
4. Any enforcement history, consent orders, or MRAs that require specific program provisions?

Quality Checks

• [ ] All 13 sections addressed with institution-specific detail
• [ ] CFR citations verified — uncertain citations marked [VERIFY]
• [ ] Risk-based approach: controls scaled to institution size and complexity
• [ ] SAR confidentiality protections embedded in relevant sections
• [ ] OFAC strict-liability posture reflected throughout
• [ ] Retention periods consistent across sections
• [ ] Disclaimer included: framework requires qualified legal counsel review and institution-specific tailoring

Guidelines

• Mark uncertain CFR citations with [VERIFY] — regulations change; confirm at drafting date
• OFAC obligations are strict liability — err on the side of caution in all screening procedures
• SAR confidentiality violations carry serious penalties — embed protections in every relevant procedure and training module
• Program must be reviewed regularly for regulatory changes, emerging risks, and implementation lessons
• Consult legal counsel for interpretation questions