Appendix C

AML Policy Manual: Minimum Required Sections


Your AML policy manual is your written commitment to compliance. It documents how you implement the laws, regulations, and FinCEN guidance applicable to your business. Regulators expect to see a comprehensive, detailed, regularly updated AML manual. This appendix lists every section that should appear in a compliant manual.

1. Executive Summary and Policy Statement

A clear statement from your board or senior management committing the organization to AML compliance. This statement should affirm that compliance is a core value, that all staff are responsible for compliance, and that violations will result in discipline or termination. This is not a placeholder—regulators read this carefully.

2. Organizational Structure and Responsibilities

Describe your organization's structure, showing where the compliance function sits. Identify your Chief Compliance Officer or equivalent by title (even if it's the CEO). Clearly state that the CCO reports to the board or CEO, not to a business unit. Show all compliance staff and their specific responsibilities. Include any outsourced compliance functions and the vendor's role.

3. Customer Identification Program (CIP)

Describe how you identify and verify customer identity before accepting transactions. Address:
- What information you collect (name, address, government ID, DOB)
- How you verify information (match to government databases, check ID validity)
- Timeline for verification (before transaction or within 30 days)
- What you do if you cannot verify identity
- How you handle customers who refuse to provide ID
- Specific procedures for different customer types (individuals, businesses, foreign entities)
- How you handle beneficial ownership identification for business customers
- Standards you meet (FCRA for consumer reports, FATF recommendations for cross-border)

4. Customer Due Diligence (CDD) Standards

Describe the baseline due diligence you conduct on all customers. This should include:
- Understanding the customer's source of funds
- Understanding the customer's beneficial purpose for using your service
- Understanding the customer's background and profession
- What you do with the information you gather
- How you document CDD findings

5. Enhanced Due Diligence (EDD) Framework

Describe when EDD is triggered and what it entails. Address:
- Customer risk categories that trigger EDD
- Geographic risk factors that trigger EDD
- Product/transaction factors that trigger EDD
- PEP identification procedures
- Correspondent bank due diligence procedures
- Investigation methods (OFAC checks, adverse media, beneficial ownership verification)
- Documentation requirements for EDD investigations
- Decision-making process (who approves/denies based on EDD)
- Escalation procedures

6. Sanctions Compliance and OFAC Screening

Describe how you implement sanctions compliance. Address:
- OFAC lists you monitor (SDN list at minimum; others as applicable)
- Screening frequency (real-time, batch, etc.)
- How you handle name matches (false positives, confirmed matches)
- Procedures for screening customers, beneficiaries, and beneficial owners
- Procedures for screening transaction counterparties
- How you block transactions if a match occurs
- How you report matches to OFAC
- Timeline for reporting blocked transactions
- How you handle unblocking requests

7. Customer Risk Categorization and Monitoring

Describe how you assign risk levels to customers and how you monitor them. Address:
- Risk categories (high-risk, medium-risk, low-risk) and what triggers each
- Monitoring frequency by risk level
- What you're monitoring for (transaction patterns, beneficial ownership changes, adverse news)
- Automated monitoring tools you use
- Manual monitoring procedures
- Escalation procedures when monitoring identifies concerns

8. Transaction Monitoring and Reporting

Describe how you monitor transactions and file SARs. Address:
- What transactions you monitor (all, over certain thresholds, certain types)
- Automated monitoring systems and alert thresholds
- Manual review procedures
- Red flags that trigger further investigation
- How you investigate suspicious activity
- SAR filing procedures and timelines
- SAR content and required fields
- Who approves SARs before filing
- Record-keeping for SARs
- Confidentiality procedures (SARs are confidential; you cannot tell the customer)

9. Currency Transaction Reporting (CTR)

Describe how you report transactions over $10,000. Address:
- What constitutes a reportable transaction
- Aggregation rules (multiple smaller transactions by the same customer)
- Filing procedures (you typically do this through your bank)
- Timeline for filing
- How you prevent structuring
- Structuring detection procedures
- Customer identification for CTR reporting
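As an added illustration of the aggregation and structuring-detection points above (example code written for this appendix, not taken from the book, from FinCEN, or from any vendor's monitoring system): the script below sums a customer's cash-in and cash-out separately per business day to find CTR candidates, then screens for clusters of just-under-threshold cash transactions. The $10,000 figure is the BSA reporting threshold; the $9,000 near-threshold floor, seven-day look-back window and three-transaction minimum are assumed tuning values that a compliance team would calibrate to its own risk assessment, and the customer IDs and amounts are constructed sample data.

```python
"""Constructed example: daily cash aggregation for CTR candidates and a simple
structuring screen. Thresholds other than $10,000 are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.00        # BSA cash reporting threshold
NEAR_THRESHOLD = 9_000.00        # assumed floor for "just under" amounts
STRUCTURING_WINDOW_DAYS = 7      # assumed rolling look-back window
STRUCTURING_MIN_COUNT = 3        # assumed minimum near-threshold transactions


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer_id: str
    when: datetime
    amount: float        # always positive; direction is kept separately
    direction: str       # "in" (cash received) or "out" (cash paid)


# Constructed sample ledger (not real customers or transactions).
SAMPLE_TXNS = [
    CashTxn("T1", "C-100", datetime(2024, 3, 4, 9, 15), 12_500.00, "in"),   # single large
    CashTxn("T2", "C-200", datetime(2024, 3, 4, 10, 0), 6_000.00, "in"),    # aggregates with T3
    CashTxn("T3", "C-200", datetime(2024, 3, 4, 15, 30), 5_500.00, "in"),
    CashTxn("T4", "C-200", datetime(2024, 3, 4, 16, 0), 4_000.00, "out"),   # separate direction
    CashTxn("T5", "C-300", datetime(2024, 3, 4, 11, 0), 9_500.00, "in"),    # near-threshold run
    CashTxn("T6", "C-300", datetime(2024, 3, 5, 11, 5), 9_800.00, "in"),
    CashTxn("T7", "C-300", datetime(2024, 3, 6, 10, 50), 9_700.00, "in"),
    CashTxn("T8", "C-400", datetime(2024, 3, 6, 12, 0), 9_900.00, "in"),    # one-off, no pattern
]


def aggregate_daily_cash(txns):
    """Sum cash per (customer, business day, direction). Cash-in and cash-out
    are aggregated separately, as CTR aggregation rules require."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer_id, t.when.date().isoformat(), t.direction)] += t.amount
    return dict(totals)


def ctr_candidates(txns, threshold=CTR_THRESHOLD):
    """Return (customer_id, day, direction, total) tuples whose aggregated
    daily cash total exceeds the reporting threshold."""
    return sorted(
        (cust, day, direction, round(total, 2))
        for (cust, day, direction), total in aggregate_daily_cash(txns).items()
        if total > threshold
    )


def structuring_alerts(txns, window_days=STRUCTURING_WINDOW_DAYS,
                       low=NEAR_THRESHOLD, min_count=STRUCTURING_MIN_COUNT):
    """Flag a customer when at least min_count cash transactions in the
    near-threshold band fall inside one rolling window and together exceed
    the CTR threshold. Returns (customer_id, [txn_ids]) per flagged customer."""
    by_customer = defaultdict(list)
    for t in txns:
        if low <= t.amount <= CTR_THRESHOLD:
            by_customer[t.customer_id].append(t)
    alerts = []
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t.when)
        for i, start in enumerate(items):
            window_end = start.when + timedelta(days=window_days)
            cluster = [t for t in items[i:] if t.when < window_end]
            if (len(cluster) >= min_count
                    and sum(t.amount for t in cluster) > CTR_THRESHOLD):
                alerts.append((cust, [t.txn_id for t in cluster]))
                break  # one alert per customer is enough for analyst review
    return alerts


if __name__ == "__main__":
    for cust, day, direction, total in ctr_candidates(SAMPLE_TXNS):
        print(f"CTR candidate: {cust} {day} cash-{direction} ${total:,.2f}")
    for cust, ids in structuring_alerts(SAMPLE_TXNS):
        print(f"Structuring review: {cust} transactions {', '.join(ids)}")
```

In the sample data C-100 is an obvious single-transaction CTR, C-200 becomes reportable only because its two cash-in deposits on the same day are aggregated (the cash-out is kept apart), and C-300 never crosses $10,000 on any day but is surfaced for analyst review by the near-threshold screen. The output is a review queue, not a filing decision; the investigation and documentation steps in sections 8 and 10 still apply before any SAR or CTR is filed.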

10. Suspicious Activity Reporting (SAR) Procedures

This section should be detailed because SAR filing is critical. Address:
- Definition of suspicious activity for your specific business
- Examples of suspicious activity (structuring, unusual geographic flows, unusually large transactions, round-dollar amounts, beneficial purpose inconsistencies, etc.)
- Investigation procedures when suspicious activity is detected
- Documentation of investigations
- Decision logic for filing vs. not filing
- SARs are filed within 30 days of detection
- SARs must be filed even if your bank investigates the same activity
- SARs must be filed even if activity is reported to law enforcement
- SARs must be filed even if the suspicious activity is already known to law enforcement
- Confidentiality of SARs
- Internal reporting of SARs to compliance leadership
- How to avoid tipping off subjects of SARs

11. Politically Exposed Persons (PEPs) Program

Describe how you identify and manage PEPs. Address:
- Definition of PEPs (current and former high-ranking officials, family members, associates)
- PEP list sources and update frequency
- When PEP screening occurs (customer opening, ongoing monitoring)
- What you do when you identify a PEP
- Enhanced due diligence for PEPs
- Source of funds verification for PEPs
- Beneficial purpose identification for PEPs
- Approval procedures for PEP transactions

12. Correspondent Banking Controls

If you work with correspondent banks or payment processors, describe your controls. Address:
- Definition of correspondent relationships in your business
- Due diligence on correspondents before engagement
- Ongoing monitoring of correspondents
- Contractual requirements from correspondents
- Audit procedures for correspondents
- How you're notified of correspondent compliance issues
- Procedures for ending correspondent relationships

13. Agent Management and Oversight

If you use agents, describe how you manage them. Address:
- Agent recruitment and qualification procedures
- Due diligence on agents (beneficial ownership, background, sanctions screening)
- Agent training requirements
- Ongoing agent monitoring and supervision
- Agent compliance audits (frequency, scope)
- Compensation arrangements (how agents are paid)
- Termination procedures for non-compliant agents
- Customer fund handling by agents
- Agent transaction records and reporting

14. Know Your Customer (KYC) File Maintenance

Describe how you maintain customer records. Address:
- What information is maintained in KYC files
- Duration of record retention (generally 5 years or longer)
- Access controls (who can access KYC files)
- Security procedures (data breach prevention)
- Backup and disaster recovery
- GLBA privacy safeguards
- Customer consent for information collection
- Procedures for customer data correction or deletion requests

15. Training and Staffing

Describe your compliance training program. Address:
- Frequency of training (annual minimum, but quarterly is better)
- Training topics (BSA/AML basics, red flags, customer identification, SAR procedures, sanctions compliance)
- Who receives training (all staff, or all customer-facing staff at minimum)
- Training materials and documentation
- Compliance officer role and requirements
- Staffing levels and qualifications
- Third-party training resources used (if any)

16. Independent Audit and Testing

Describe how you verify compliance. Address:
- Internal audit procedures (who audits, how often)
- External audit procedures (annual or biennial)
- Scope of audit (all AML program elements)
- Audit findings and remediation procedures
- Communication of audit results to leadership
- Audit documentation and record-keeping

17. Technology and Systems

Describe the systems you use for compliance. Address:
- Customer information database and security
- Transaction monitoring system
- OFAC screening system
- Document imaging and storage
- Reporting systems (CTR, SAR, FinCEN)
- Backup and disaster recovery
- Data security and encryption
- Access controls and user permissions
- System testing and validation

18. Suspicious Activity Examples Specific to Your Business

Provide detailed, realistic examples of suspicious activity in your specific business model. If you're a remittance operator, describe suspicious remittance patterns. If you're a check casher, describe suspicious check cashing patterns. This shows regulators that you understand your own risks.

19. Third-Party Service Provider Management

If you use outside vendors (compliance consultants, IT vendors, banks), describe how you manage them. Address:
- Due diligence before engaging a vendor
- Contractual requirements (AML compliance, confidentiality)
- Ongoing monitoring of vendor compliance
- Data security requirements
- Audit rights

20. Money Laundering Risk Assessment

Describe your organization's specific money laundering risks. Address:
- Customer base and inherent risks
- Geographic footprint and jurisdictional risks
- Products and services and inherent risks
- Business model and transaction flow risks
- Correspondent and agent relationships and risks
- Mitigation procedures for each identified risk

21. Regulatory Change Management

Describe how you stay current with regulation and adapt your policies. Address:
- Monitoring of regulatory updates (FinCEN guidance, state regulation changes)
- Process for evaluating regulatory changes and determining impact on your business
- Procedure for updating policies when regulations change
- Staff notification of policy changes
- Training on policy changes

22. Escalation and Approval Procedures

Describe the chain of command for compliance decisions. Address:
- When issues are escalated (suspicious activity detection, EDD findings, correspondent failures)
- To whom issues are escalated
- How decisions are documented
- Authority levels for different decisions

23. Customer Complaint Procedures

Describe how you handle customer complaints related to compliance. Address:
- How customers report complaints (phone, email, mail)
- Documentation of complaints
- Investigation procedure
- Response to customers
- Documentation of resolution

24. Confidentiality and Whistleblower Procedures

Describe how you protect employee whistleblowers. Address:
- Non-retaliation policy
- How employees can report concerns
- Investigation procedures
- Protection from retaliation
- Documentation

25. Record Retention and Document Management

Describe how long you keep records and how you store them. Address:
- Record retention periods (generally 5 years)
- What records are retained
- Secure storage procedures
- Access controls
- Destruction procedures
- Legal hold procedures (if litigation or investigation pending)

26. Policy Review and Amendment Procedures

Describe how and when your AML policy manual is reviewed. Address:
- Annual review minimum
- Circumstances that trigger review (regulatory changes, policy violations, audit findings)
- Who reviews and approves changes
- Documentation of changes
- Communication of updated policies to staff

27. Risk-Based Approach

Affirm that your program uses a risk-based approach as required by the BSA. Address:
- How you assess risk for each customer and transaction
- How risk assessment drives compliance resource allocation
- How risk assessment drives monitoring intensity
- Examples of risk-based decision making in your program


Need Help Navigating Money Transmitter Licensing?

Faisal Khan has spent 15+ years solving the exact problems covered in this book. If you are building a payment company, seeking licensing, or need a trusted advisor — reach out.
