PART FOUR: COMPLIANCE INFRASTRUCTURE Chapter 13

Building Your AML/BSA Compliance Program


You can't license a money transmitter in the United States without an anti-money laundering program. The federal Bank Secrecy Act (BSA) mandates it. Every state that licenses money transmitters mandates it. The program must have specific components, and examiners verify compliance with all of them during examination. There's no discretion here, no "good enough" approach. Either you have a compliant AML/BSA program, or you don't.

Building that program from scratch is one of the most expensive undertakings in a money transmitter startup. A robust AML/BSA program at a national company might cost $500,000 to $2 million to build and $1 million to $5 million annually to operate. A smaller regional company might spend $100,000 to $300,000 building the program and $200,000 to $500,000 operating it. This is not a line item you can skip or under-resource.

I've seen companies cut corners on AML/BSA programs, and I've seen the consequences. The regulatory consequences are severe. Enforcement action, license revocation, criminal referrals, substantial fines. I've also seen companies over-invest in AML/BSA without building a program that actually works. They have sophisticated tools and extensive policies, but the program doesn't effectively catch suspicious activity. Both extremes are mistakes. The right approach is a program that's scaled to your risk profile, that actually functions, and that can demonstrate effectiveness to examiners.

The Five Pillars of an AML Program

The Financial Crimes Enforcement Network (FinCEN), the Treasury Department bureau that administers the BSA, and the state regulators have settled on a consistent framework for AML programs. This chapter treats it as five pillars. Strictly, the federal rule for money services businesses (31 CFR 1022.210) enumerates four elements: policies, procedures and internal controls; a designated compliance officer; training; and independent review. The same rule requires the program to be commensurate with the risks of the business, and examiners treat the documented risk assessment that produces that calibration as a fifth, mandatory element.

First: Policies and procedures. You must have written policies and procedures that describe how you comply with AML/BSA requirements. The policies must address customer identification, due diligence, transaction monitoring, sanctions screening, suspicious activity reporting, record retention, and staff training. The policies must reflect your specific business model and risk profile. A company focusing on high-value international transfers needs different transaction monitoring rules than a company processing low-value domestic remittances. Your policies must match your business.

Second: Designation of a BSA/AML compliance officer. This person is responsible for managing the AML/BSA program, overseeing all compliance functions, and reporting to senior management and the board. The BSA officer is the single point of accountability for AML/BSA compliance. The designation must name one individual: the role cannot be spread across several people, treated as a side duty, or left vague (whether that individual can be an outside consultant is discussed later in this chapter). The BSA officer must have authority within the organization to implement policies and make compliance decisions without interference from revenue-generating functions. I've seen companies try to make a junior staff member the "BSA officer" while they're also doing other work. That doesn't work. The role is demanding, requires deep knowledge, and requires respect within the organization.

Third: Independent testing and audit. Your AML/BSA program must be tested and audited by a party independent from the people who run it. The tester might be your external auditor, a third-party compliance consulting firm, or an internal audit function that reports directly to the board (not to the CEO or compliance officer). The testing should occur at least annually and should review all components of the AML/BSA program. The test results must be documented and shared with senior management and the board. Finding issues during testing is expected and acceptable. Finding no issues when your program is substantial raises questions about whether the testing is actually rigorous.

Fourth: Training. All staff who interact with customers, process transactions, or have access to customer data must receive AML/BSA training at least annually. The training must cover your company's policies, relevant legal requirements, what suspicious activity looks like, how to report it, and what the consequences of violations are. New hires must be trained before they access customer data. The training should be documented, and the company must maintain records of who was trained and when.

Fifth: Risk assessment. Your company must conduct a documented risk assessment that identifies the risks specific to your business model, your customer base, your geographic footprint, and your transaction types. The risk assessment informs your policies and procedures. A company that identifies high risk in a particular customer segment must have enhanced due diligence procedures for that segment. A company that operates in high-risk jurisdictions must have transaction monitoring rules tailored to that risk. The risk assessment is not a one-time exercise; it should be updated periodically as the business changes.

These five pillars are not optional. Every AML/BSA program must have all five. During examination, the examiner will verify that all five exist and are functioning.

Designating a BSA/AML Compliance Officer

This is one of the most important structural decisions you'll make. The compliance officer is the linchpin of the entire program. Get this wrong, and the program fails.

The ideal compliance officer is someone with deep financial services experience, specific knowledge of AML/BSA requirements, and enough seniority in the organization to be heard when they raise concerns. The compliance officer needs to be able to push back on a business decision that creates compliance risk. If the CEO wants to onboard customers in a high-risk jurisdiction and the compliance officer says it's too risky, the compliance officer needs to win that argument. This requires authority and respect.

You can hire an experienced compliance officer from another financial services company. You can promote an internal person into the role if they have enough knowledge (and are willing to get trained). You can hire a consultant to serve as your BSA officer. The third option is common among smaller companies: they hire a compliance consulting firm to take on the BSA officer role, essentially outsourcing the function.

There are pros and cons to outsourcing. The advantage is that you're getting someone with extensive experience and you're not hiring a full-time employee. The disadvantage is that the outsourced officer is not day-to-day with your business, is splitting time across multiple clients, and may not have the authority within the organization that the role requires. For smaller companies, an outsourced BSA officer can work. For larger companies or companies with complex operations, an internal officer is essential.

If you hire an internal officer, invest in their training. AML/BSA compliance is a specialized field with its own credentialing programs, the best known being CAMS (Certified Anti-Money Laundering Specialist), offered by ACAMS, the Association of Certified Anti-Money Laundering Specialists. Getting your compliance officer trained and certified is a good investment.

The compliance officer's responsibilities include developing and maintaining the AML/BSA program, overseeing transaction monitoring, managing suspicious activity investigation and reporting, coordinating with external auditors and regulators, training staff, and updating policies as regulations change. This is not a part-time job in any organization of meaningful size.

Written Policies and Procedures

Your AML/BSA policies must be documented in writing and must cover all major compliance functions. The specificity matters. A policy that says "we screen customers for sanctions compliance" is not sufficient. You need a policy that describes exactly how the screening is conducted, what tools are used, what constitutes a hit, how hits are investigated, and what happens if the hit can't be resolved.

The major policies include:

Customer Identification Policy (CIP): This describes how you identify customers. For individual customers, it typically includes obtaining name, date of birth, address, and government-issued identification. For business customers, it includes obtaining business name, business type, principal officers, and owner information. For all customers, it includes verifying identity through documentary or non-documentary methods. The policy must specify what documents are acceptable, how old documents can be, and how you handle customers who can't provide identification. Note that the federal trigger for a money transmitter to record and verify sender identification is the funds transfer recordkeeping rule at $3,000 (31 CFR 1010.410(e)); most companies identify every customer regardless of amount, and state examiners expect that.

Customer Due Diligence Policy (CDD): This describes the due diligence steps you take beyond basic identification. For customers sending money, it includes understanding the purpose of the transfer, the source of funds, and the customer's occupation. For recipients, it includes understanding the intended use of the funds. For high-risk customers, it includes enhanced due diligence procedures. The policy must specify what information is collected, how it's verified, and what happens if the information raises red flags.

Transaction Monitoring Policy: This describes how you monitor transactions for suspicious activity. It covers the rules you use to identify potentially suspicious transactions, how you investigate alerts, how long investigations take, when and how you report suspicious activity, and how you handle false positives. This is the most detailed policy because transaction monitoring is your primary tool for detecting AML risk.
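The policy paragraph above says the rules must be written down; the following is an added illustration (example code, not the book's own) of what it looks like when those rules are expressed as logic that can be run against sample transactions, which is exactly how an examiner tests a monitoring program. The $10,000 figure is the federal currency transaction report threshold; the windows, counts, the "XX" destination code and the sample transactions are assumptions constructed for the example, and in a real program they come from the risk assessment.

```python
"""Rule-based transaction monitor, added here as an illustration.

Example code, not the book's own. The rules, thresholds and windows are
assumptions chosen to show how written rules become testable logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    sender: str
    recipient: str
    dest_country: str
    amount: float
    ts: datetime


CTR_THRESHOLD = 10_000.0                   # 31 CFR 1010.311 currency transaction report threshold
STRUCTURING_WINDOW = timedelta(hours=48)   # assumption: look-back for aggregating small pieces
STRUCTURING_MIN_TXNS = 3                   # assumption: minimum pieces to call it structuring
VELOCITY_WINDOW = timedelta(hours=24)      # assumption
VELOCITY_MAX_RECIPIENTS = 5                # assumption: distinct recipients tolerated per window
HIGH_RISK_COUNTRIES = {"XX"}               # placeholder code; populate from your risk assessment


def _by_sender(txns, keep):
    """Group transactions by sender, in time order, keeping those that pass `keep`."""
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if keep(t):
            groups[t.sender].append(t)
    return groups


def detect_structuring(txns):
    """Sub-threshold transactions by one sender that add up past the CTR threshold."""
    alerts = []
    for sender, items in _by_sender(txns, lambda t: t.amount < CTR_THRESHOLD).items():
        for i, start in enumerate(items):
            window = [t for t in items[i:] if t.ts - start.ts <= STRUCTURING_WINDOW]
            total = sum(t.amount for t in window)
            if len(window) >= STRUCTURING_MIN_TXNS and total >= CTR_THRESHOLD:
                alerts.append(("STRUCTURING", sender, round(total, 2), [t.txn_id for t in window]))
                break  # one alert per sender per run; the investigator gets the whole set
    return alerts


def detect_velocity(txns):
    """One sender fanning out to many distinct recipients in a short window."""
    alerts = []
    for sender, items in _by_sender(txns, lambda t: True).items():
        for i, start in enumerate(items):
            window = [t for t in items[i:] if t.ts - start.ts <= VELOCITY_WINDOW]
            recipients = {t.recipient for t in window}
            if len(recipients) > VELOCITY_MAX_RECIPIENTS:
                alerts.append(("VELOCITY", sender, len(recipients), [t.txn_id for t in window]))
                break
    return alerts


def detect_high_risk_geo(txns):
    """Any transfer to a destination the risk assessment marks as high risk."""
    return [("HIGH_RISK_GEO", t.sender, t.dest_country, [t.txn_id])
            for t in txns if t.dest_country in HIGH_RISK_COUNTRIES]


def run_rules(txns):
    """Run every rule; each alert is (rule, sender, detail, contributing txn ids)."""
    return detect_structuring(txns) + detect_velocity(txns) + detect_high_risk_geo(txns)


def _t(i, sender, recipient, country, amount, when):
    return Txn(f"T{i:03d}", sender, recipient, country, amount, datetime.fromisoformat(when))


# Constructed sample data (not real transactions).
SAMPLE_TXNS = [
    # S1: four payments just under $3,000 each within 36 hours -> classic structuring pattern
    _t(1, "S1", "R-A", "MX", 2900.0, "2024-03-01T09:00"),
    _t(2, "S1", "R-A", "MX", 2950.0, "2024-03-01T17:30"),
    _t(3, "S1", "R-A", "MX", 2800.0, "2024-03-02T10:15"),
    _t(4, "S1", "R-A", "MX", 2975.0, "2024-03-02T20:00"),
    # S2: one $15,000 transfer; large, but not structured, so no alert from these rules
    _t(5, "S2", "R-B", "PH", 15000.0, "2024-03-02T11:00"),
    # S3: six small transfers to six different people in ten hours -> velocity
    *[_t(6 + k, "S3", f"R-{k}", "GT", 200.0, f"2024-03-03T{8 + 2 * k:02d}:00") for k in range(6)],
    # S4: ordinary amount, but the destination is on the high-risk list
    _t(12, "S4", "R-C", "XX", 500.0, "2024-03-03T12:00"),
    # S5: ordinary transfer, should not alert
    _t(13, "S5", "R-D", "MX", 500.0, "2024-03-03T13:00"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_TXNS):
        print(alert)
```

Running it yields one structuring alert for S1, one velocity alert for S3, and one geography alert for S4, with S2 and S5 silent. The tuning problem examiners look for lives entirely in the constants at the top: set STRUCTURING_MIN_TXNS to 1 and the rule fires on every $9,999 transfer, widen VELOCITY_WINDOW to a month and ordinary remittance senders become alerts. Keeping every alert's contributing transaction ids is what lets the investigation be documented.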

Sanctions Screening Policy: This describes how you screen customers and transactions against Office of Foreign Assets Control (OFAC) lists and other sanctions lists. It covers who is screened (customers, beneficiaries, intermediaries), when screening occurs, what tools are used, how hits are investigated, and what happens when a hit can't be cleared.
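"What constitutes a hit" is the part of the sanctions policy that most often goes unspecified. The following added example (not the book's code) shows why exact string comparison is not an acceptable answer: list names are written surname-first with punctuation, transliterated inconsistently, and carry corporate suffixes. It normalizes names and scores them with token overlap and a character-level ratio. The list entries are fictional, constructed for the example, and the 0.85 threshold is an assumption; a real program screens against OFAC's SDN and consolidated lists plus whatever other lists the policy names, and tunes its threshold against measured false-positive and miss rates.

```python
"""Sanctions-screening name match, added here as an illustration.

Example code, not the book's own. List entries are fictional and the
threshold is an assumption to be tuned by the program that uses it.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional entries in the shape of a watch list: primary name plus aliases.
SAMPLE_LIST = [
    {"uid": "LIST-0001", "name": "ABDUL RAHMAN, AHMAD", "aka": ["AHMED ABDULRAHMAN"]},
    {"uid": "LIST-0002", "name": "VOLKOV, DMITRIY", "aka": ["DMITRY VOLKOFF"]},
    {"uid": "LIST-0003", "name": "NORTHERN TRADING CO.", "aka": []},
]


def exact_match(name, entries=SAMPLE_LIST):
    """The naive check: case-insensitive equality against the primary name and aliases."""
    return [e["uid"] for e in entries if name.upper() in [e["name"]] + e["aka"]]


def canonical(name):
    """Strip diacritics and punctuation, upper-case, and sort tokens so word order is ignored."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).upper()
    s = re.sub(r"[^A-Z0-9 ]+", " ", s)          # commas, hyphens and periods become spaces
    return " ".join(sorted(s.split()))


def score(a, b):
    """Similarity in [0, 1]: the better of token overlap and character-level ratio."""
    ca, cb = canonical(a), canonical(b)
    ta, tb = set(ca.split()), set(cb.split())
    jaccard = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
    seq = SequenceMatcher(None, ca, cb).ratio()   # tolerates spelling variants like DMITRY/DMITRIY
    return max(jaccard, seq)


def screen(name, entries=SAMPLE_LIST, threshold=0.85):
    """Return (uid, score) for every entry whose name or any alias scores at or above threshold."""
    hits = []
    for e in entries:
        best = max(score(name, cand) for cand in [e["name"]] + e["aka"])
        if best >= threshold:
            hits.append((e["uid"], round(best, 2)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for q in ["Ahmad Abdul-Rahman", "Dmitry Volkov", "Northern Trading Company", "Maria Gonzalez"]:
        print(f"{q!r:28} exact={exact_match(q)} fuzzy={screen(q)}")
```

Exact matching clears all four queries; the normalized screen returns hits on the first three and nothing on the fourth. The score attached to each hit is what the investigation record should carry, along with the secondary identifiers (date of birth, nationality, address) used to clear or confirm it, because at any threshold that catches transliteration variants you will also generate false positives on common names, and examiners will ask how each one was resolved.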

Suspicious Activity Reporting (SAR) Policy: This describes when and how you file Suspicious Activity Reports with FinCEN. For a money services business the filing threshold is $2,000 (31 CFR 1022.320); the $5,000 figure often quoted is the bank threshold. A SAR must be filed within 30 calendar days of initially detecting the facts that constitute the basis for filing (60 days if no suspect has been identified). The policy must specify what constitutes suspicious activity, how investigations are documented, when a SAR must be filed, and how you keep the SAR confidential: disclosing to the customer that a SAR has been filed, or even that one is being considered, is prohibited by law.

Record Retention Policy: This describes what records you maintain, how long you keep them, and how you organize them for examination. Money transmitters must retain records of transactions, customer identification, correspondence with regulators, and AML/BSA program documentation for at least five years.

Staff Training Policy: This describes the training all staff must receive, the frequency of training, who must be trained, and how training is documented.

These policies must be detailed, they must be actually implemented (not just written), and they must be updated periodically. If your policies are three years old and your business model has changed, they're not current. Examiners will notice.

Independent Testing and Audit Requirements

Your AML/BSA program must be tested by someone independent from the people who run the program. The federal rule requires independent review at a scope and frequency commensurate with the risk of the business; annual testing is the practical norm, and state examiners expect it.

The independent tester might be your external audit firm, a specialized compliance consulting firm, or an internal audit function that reports to the board or an audit committee, not to the CEO or compliance officer. The tester conducts a comprehensive review of the AML/BSA program, typically covering each element described in this chapter: the written policies and whether practice matches them, customer identification and due diligence files, transaction monitoring rules and alert dispositions, sanctions screening, SAR investigations and filings, record retention, training records, the risk assessment, and remediation of prior findings.

The testing results are documented in a written report, shared with senior management and the board, and provided to examiners during examination. The report identifies findings (areas of non-compliance), recommendations for improvement, and outstanding issues from prior years.

A finding during testing is not necessarily a violation, but it indicates that the program has a gap or weakness. The company must then remediate the finding, which means either implementing controls to address the gap or updating procedures to prevent recurrence. The remediation is documented and tracked.

I've seen companies struggle with the testing process because they view testing as a threat rather than as a quality control mechanism. The testing is meant to catch problems before regulators find them. If the testing finds issues and the company fixes them, the regulator later finding those same issues is unlikely because the company has already remediated. The testing protects the company.

The cost of testing ranges from $10,000 for a small, simple operation to $100,000 or more for large, complex operations. This is an annual expense, and it's non-negotiable.

Training Programs

Every employee at a money transmitter who deals with customers, processes transactions, or has access to customer data must receive AML/BSA training, and most companies simply train everyone. This is federal law and state law. Examiners will verify that training has occurred and will spot-check staff to ensure they actually understand the training content.

Training should cover:

- Overview of money laundering and terrorist financing
- AML/BSA regulatory requirements
- Company AML/BSA policies and procedures
- How to identify suspicious activity
- How to report suspicious activity internally
- Consequences of AML/BSA violations
- Practical scenarios specific to your business

Training must occur at least annually. New hires must be trained before they process transactions. Training must be documented, with records showing who was trained, when, and what was covered.

The training can be in-person or online. For geographically distributed teams, online training with a quiz at the end is common. For smaller teams, in-person training with discussion is better. The format matters less than the substance and retention. At the end of training, staff should understand AML/BSA requirements and your company's policies.

Many companies use third-party training providers (firms that provide off-the-shelf AML training content). This is acceptable and cost-effective. Some companies develop custom training specific to their business model. That's better in many ways because it includes scenarios relevant to your customers and transactions.

Training cost is typically $50 to $200 per employee annually, depending on whether you're using off-the-shelf content or custom training.

Risk Assessment Methodology

Your company must conduct a documented risk assessment that identifies the AML/BSA risks specific to your business. The risk assessment informs all other components of the AML/BSA program. If your risk assessment says you operate in high-risk jurisdictions, your transaction monitoring rules will be stricter. If your risk assessment identifies high-risk customer segments, your due diligence will be more stringent.

A comprehensive risk assessment covers:

Customer Risk: What types of customers do you serve? Are they primarily domestic or international? What industries are they in? Are any of them in high-risk industries like casinos, currency exchange, or import-export? Are any of them in high-risk jurisdictions? Do any of them represent PEPs (Politically Exposed Persons) or have beneficial owners that are PEPs?

Transaction Risk: What types of transactions do you facilitate? Are they primarily domestic or international? What are typical transaction amounts? Are there unusual patterns (very large transactions, very frequent transactions, transactions to unusual jurisdictions)?

Geographic Risk: Where do your customers send money? Are any of the destinations high-risk jurisdictions (defined by FATF, FinCEN, or other sources)? Are any destinations subject to sanctions?

Product Risk: What products do you offer? Money transfer? Stored value? Bill payment? Each product has different risks.

Compliance Infrastructure Risk: What's the maturity of your compliance infrastructure? Do you have experienced staff? Do you have appropriate technology? Have you had regulatory violations in the past?

The risk assessment is typically a document prepared annually by the compliance officer, reviewed by senior management and the board, and made available to examiners. Examiners will review the risk assessment and verify that the company's AML/BSA procedures match the identified risks.

A company that assesses itself as low-risk but operates in high-risk jurisdictions will get challenged by examiners. The risk assessment must be realistic and comprehensive.

Building the Program from Scratch vs. Buying Templates

When you're starting a money transmitter, you have a choice: build the AML/BSA program in-house or purchase templates and modify them.

Building in-house means you hire a compliance professional or consultant who develops custom policies and procedures tailored to your business. This is expensive (typically $30,000 to $100,000) but results in policies that match your business model precisely. The policies are easier to implement because they're built around your actual operations.

Buying templates means you license a compliance framework from a vendor and customize it for your business. This is cheaper (typically $5,000 to $15,000) but requires someone with compliance knowledge to customize the templates appropriately. Templates are often written for a generic money transmitter, which means they may include provisions that don't apply to you or miss provisions specific to your business.

I recommend starting with custom development if you're well-funded and can afford it. Custom development ensures the policies match your business and are written from scratch by someone who understands your specific risks. If you're bootstrapped or capital-constrained, templates can work if you customize them carefully. Just recognize that template policies are starting points, not final products.

Once the initial program is built, you'll maintain and update it over time. Budget 20 to 40 hours annually for compliance officer time to maintain and update the program.

Common Failures Regulators Find

Examiners have seen every failure mode. Here are the most common ones.

Policies that don't match practice: The company has written policies that describe procedures that are never actually implemented. Policies are documents sitting on a shelf; actual procedures are different. Examiners find this by comparing policies to actual transaction files and customer files. The disconnect is a major red flag.

Absent or inadequate customer identification: The company fails to collect required identification from customers. New customers are onboarded without any identification verification. This is a federal violation.

Absent or inadequate due diligence: The company collects customer names and addresses but doesn't understand the purpose of transfers or the source of funds. This is especially problematic for high-risk customers.

Ineffective transaction monitoring: The company has transaction monitoring in place, but it's tuned so poorly that it alerts on nearly every transaction (generating false positives that investigators cannot keep up with) or misses obviously suspicious transactions. Examiners will test the monitoring with sample transactions to see whether suspicious ones are flagged, and will review alert disposition records to see whether the alerts that did fire were actually investigated.

Absent or incomplete suspicious activity reporting: The company detects suspicious activity but doesn't file SARs. Or it files SARs but doesn't investigate the activity adequately before filing. SARs must be supported by documented investigation.

Staff training that's incomplete or not retained: The company conducts training but doesn't maintain records. Or staff attend training but don't retain the content—they can't explain what they learned.

Risk assessment that's unrealistic: The company assesses itself as low-risk when the business model is inherently higher-risk. Or the company lists risks in the assessment but doesn't implement controls to address those risks.

Absent or inadequate independent testing: The company doesn't conduct independent testing or conducts testing that's so limited it's not meaningful. Testing must be comprehensive and documented.

No clear ownership or accountability: No one is clearly responsible for the AML/BSA program. Multiple people have pieces of it. No one is the clear point of accountability. This creates gaps and enables problems to hide.

The way to avoid these failures is to have a clear AML/BSA program, to implement it consistently, to document implementation, and to maintain independent oversight through testing.

Practitioner's Bottom Line

An AML/BSA compliance program must include five components: written policies and procedures, a designated compliance officer, independent testing, staff training, and a documented risk assessment. The program must match your business model and risk profile, and all components must be implemented consistently, not just documented. Common failures include policies that don't match practice, inadequate customer due diligence, ineffective transaction monitoring, and staff training that isn't retained. Budget $200,000 to $500,000 annually for program operation at a regional company and significantly more for national operations.


Need Help Navigating Money Transmitter Licensing?

Faisal Khan has spent 15+ years solving the exact problems covered in this book. If you are building a payment company, seeking licensing, or need a trusted advisor — reach out.
