AML Compliance: The Four Pillars

With all the attention to Anti-Money Laundering and Bank Secrecy Act enforcement, I thought it would be a good time to review some basic AML ethics and compliance principles.

Banks and most financial institutions are very familiar with surrounding regulation and risks.  It is difficult to explain how institutions as large as HSBC, BNP Paribas and others can run into serious enforcement problems.  It is a known risk and it requires attention. For a major bank or financial institution to run afoul of basic AML requirements reflects a systematic lack of care and/or attention.

Returning to basic requirements and building or enhancing from there may be a good idea.

In the AML/BSA area, banks and financial institutions have been advised that there are four basic pillars of an AML Program.  These include:

  • Designation of a BSA Compliance Officer
  • Development of Internal Policies, Procedures, and Controls
  • Ongoing and Relevant Training of Personnel
  • Independent Testing and Review

The company’s board of directors must approve an AML Compliance Program, and the Program should be designed to reflect the commensurate risk level faced by the institution.  Each year, the board should review and approve the AML Compliance Program.  In addition, each year a risk assessment should be conducted and/or updated, and an overall assessment of the program should be completed.

The four pillars of an AML compliance program are just that – basic requirements.  HSBC, for example, earned the wrath of its regulators when it decided to make the Chief Compliance Officer’s position a part-time position.  Today, such a move would be considered regulatory and enforcement suicide, but HSBC’s action reflects the absence of any significant concerns for regulators and compliance.

Each bank and financial institution has to designate a full-time Compliance Officer.  For mid-sized and smaller financial institutions, this is a more relevant requirement.

The second requirement, internal policies, procedures and controls, is the bread-and-butter way that banks and financial institutions operate their program.   These policies cover a range of requirements including filing Currency Transaction Reports and Suspicious Activity Reports.  In addition, the bank and financial institution must establish procedures for Customer Identification Programs (aka KYC).  Also, the bank and financial institution must develop systems for transaction monitoring so that unusual transactions are flagged and evaluated to determine whether an SAR has to be filed.

At the core of the AML Compliance Program, the bank and financial institution has to conduct a risk assessment for its product line, its customers and the countries in which it operates.  Different accounts carry different kinds of risks, just as different customers carry different kinds of risks.  Melding these factors together requires a sophisticated evaluation of country risks, historical experience, intelligence information and knowledge of money laundering strategies.

A bank has to be able to flag customers who present potential risks.  These customers are then subject to an enhanced due diligence process.  Once approved, the customer’s transactions may be monitored for unusual activity subject to certain guidelines established by the bank for high-risk customers operating in high-risk areas.

The third pillar of every AML/BSA Compliance Program is ongoing training of employees.  Every employee is already aware of the importance of the bank’s AML Compliance Program.  It is important, however, to reinforce the importance of compliance, and to ensure that employees are aware of company policies and procedures and the latest techniques being used by money launderers to evade detection and investigation.

Finally, the last pillar, which is equally important, is the requirement that the bank and financial institution conduct independent testing of its AML/BSA Program and review of its overall operation.  An internal review body can complete the independent test, so long as it is not responsible for operating the compliance program.
