An Overview of the Five Pillars of a BSA/AML Compliance Program


In order to combat financial crime, banks, MSBs, credit unions, fintechs, payment providers and other types of financial institutions are required to develop and put in place an Anti-Money Laundering (AML) compliance program, and that program must include five essential pillars.


What is included in an AML compliance program can vary by jurisdiction, the type of products and services offered by the financial institution, the profiles and activities of its customers, and the risk appetite of the organization. For a more general introduction, see our article on what an AML compliance program is.


However it is designed, an effective AML compliance program should detect suspicious activities associated with money laundering and terrorist financing and report them to the appropriate authorities.


Financial institutions should consult with legal professionals, AML experts and their Financial Intelligence Unit (FIU) to understand their requirements.


For those in Canada, FINTRAC provides general guidance on what should be included in an AML compliance program. These requirements apply to individuals and entities subject to Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).



What Are the Five Pillars of a BSA/AML Compliance Program?

FINTRAC’s compliance program requirements consist of five pillars. Each is essential to an effective anti-money laundering/anti-terrorist financing (AML/ATF) program:


  1. Appoint a compliance officer;
  2. Develop written compliance policies and procedures which must be kept up-to-date and “include enhanced measures to mitigate high risks”;
  3. Assess the risk of the company’s business activities and relationships;
  4. Develop and maintain a written ongoing compliance training program for employees;
  5. Institute and document an effectiveness review of your compliance program at least every two years.


FINTRAC states that the size and level of detail of the compliance program must reflect the size, complexity, structure, and risk of exposure of your business to money laundering and terrorist activities.



1. Appoint a Compliance Officer

You must appoint a compliance officer who is responsible for implementing all elements of your compliance program. That includes policies and procedures, ongoing training, risk assessment, and an effectiveness review conducted at least every two years.


Appointing a compliance officer alone does not fulfill compliance program requirements or the overall objectives of Canada’s money laundering laws and regulations.


Your AML/ATF program compliance officer needs to:


  • have the authority and access to resources in order to implement an effective compliance program and make any desired changes;
  • understand your business’s functions and structure;
  • know your sector’s ML/TF risks and vulnerabilities as well as ML/TF trends and typologies; and
  • understand your sector’s legal requirements under the PCMLTFA and its Regulations.


It is the reporting entity’s responsibility to meet its compliance program requirements under the PCMLTFA and its regulations.


Depending on the size of your business, you could be the compliance officer if you are a senior manager or an owner or operator of a small business, or someone from a senior level who has access to the board of directors.


If you are an individual, such as in the case of a sole proprietorship, you can appoint yourself as the compliance officer. You could also have another individual help you implement the compliance program.


FINTRAC suggests the appointed compliance officer of a larger business should not be directly involved in handling funds.


Some of the duties can also be delegated to others. However, the compliance officer remains responsible for the program.


The compliance officer should have the ability to report compliance-related issues to the board of directors, senior management or the owners on a regular basis.



2. Develop Written Compliance Policies and Procedures

Reporting entities subject to the PCMLTFA and its regulations must have written compliance policies and procedures. The policies and procedures must be:


  • written in a form/format that is accessible to other members of the compliance or leadership team;
  • kept up-to-date with changes in legislation, non-compliance issues, new services or products, or the two-year effectiveness review; and
  • approved by a senior officer, if you are an entity.


FINTRAC expects that your written policies and procedures outline all of the reporting entity’s obligations under the PCMLTFA, including:


  • when your obligation is triggered;
  • the information that must be reported;
  • procedures to ensure fulfillment of the obligation; and
  • the timelines associated with your obligations.


Policies and procedures should include the following:


  1. Compliance program requirements covering risk assessment activities, risk mitigation measures, written compliance training materials and the two-year effectiveness review. The review must cover policies and procedures, ongoing training and risk assessment.
  2. Know Your Client and other requirements: verifying client identity; requirements for politically exposed persons (PEPs), heads of international organizations, and their family members and close associates; ultimate beneficial ownership; and third-party determination.
  3. Ongoing monitoring and business relationship requirements, as well as special measures you have implemented based on your risk assessment. These must address:
    • enhanced measures to verify the identity or confirm the existence of high-risk clients;
    • enhanced measures to keep client information up-to-date;
    • enhanced measures to keep beneficial ownership information up-to-date;
    • enhanced measures to monitor business relationships for the purposes of detecting transactions that are required to be reported under section 7 of the PCMLTFA (i.e., Suspicious Transaction Reports); and
    • enhanced measures to mitigate the risks identified.
  4. Record-keeping requirements, including retaining copies of suspicious transaction reports, casino disbursement reports and maintaining large cash transaction records.
  5. Transaction reporting requirements, including the filing of suspicious transaction reports, terrorist property reports, large cash transaction reports, electronic funds transfer reports and casino disbursement reports.


Each reporting entity must also document how it will handle ministerial directives and transaction restrictions, which are targeted measures issued by the Minister of Finance to protect Canada and its financial system from money laundering and terrorist financing.


The reporting entity’s policies and procedures play a pivotal role in the compliance program as they set out the standards that employees, agents, and others must meet. They should be clear, easily understood and followed by all those who deal with clients, transactions or other activities.


FINTRAC will examine your policies and procedures and will focus on their completeness. The agency will also expect you to show how these measures are effectively implemented.



3. Risk Assessment

A risk assessment is an analysis of the potential risks and vulnerabilities that could expose your business to ML/TF activities. The assessment allows you to identify inherent risk and helps you develop mitigation measures.


The outcome of your risk assessment should reflect the reality of your business. It is also a best practice to include all the elements in FINTRAC’s Guidance on the risk-based approach to combatting money laundering and terrorist financing. FINTRAC has also published risk-based approach workbooks that include a “how to” methodology to assist different sectors in implementing an effective risk-based approach cycle.


Your risk assessment must consider:


  • clients and business relationships, including activity patterns and geographic locations;
  • your products, services and delivery channels;
  • geographic locations where you operate;
  • technologies and their impact on your clients, business relationships, and products;
  • other relevant factors affecting the business.


Documenting Your Risk Assessment

FINTRAC expects you to demonstrate that you have considered all facets of your business’s exposure to money laundering or terrorist financing activities when documenting your risk assessment. Document all the risks you have considered and the mitigation measures you have developed for those that are high risk.


You also need to show a FINTRAC compliance officer that you have reviewed and updated your risk assessment and mitigation measures as needed.


Enhanced Measures for High Risks

Enhanced measures are the development and application of written policies and procedures to mitigate high risks. If you identify a client as posing a high risk, you must take additional steps to verify the identity of those individuals and confirm the existence of those entities.


You must also conduct enhanced ongoing monitoring of your business relationships to help you detect suspicious transactions that are required to be reported to FINTRAC. Enhanced measures can include:


  • keeping client identification information up-to-date;
  • re-assessing clients’ risk based on their transactions and activities, and determining whether the transactions or activities are consistent with “what you know” about the client;
  • obtaining additional information on a client (through public or other databases);
  • obtaining information on the source of funds or source of wealth of a client;
  • obtaining information on the reasons for attempted or conducted transactions;
  • increasing the frequency of your monitoring of higher-risk transactions, products, services and channels;
  • gathering additional documentation or data, or taking additional steps to verify the documents you have obtained;
  • establishing transaction limits;
  • increasing internal controls for high-risk business relationships;
  • obtaining the approval of senior management for products and services that are new for clients; or
  • any other measures you consider appropriate.



4. Ongoing Compliance Training

Creating an ongoing compliance training program is required if you have employees, agents or other individuals authorized to act on your behalf. Anyone who deals with clients and/or transactions must be trained.


The training program must be in writing and must be kept up to date. Anyone authorized to act on your behalf needs to be trained for their specific function so they understand:


  • your obligations as a reporting entity under the PCMLTFA;
  • how your business or profession could be vulnerable to ML/TF activities;
  • business policies and procedures stemming from your obligations under the PCMLTFA; and
  • roles in detecting and deterring ML/TF activities from day-to-day tasks to high-risk situations.


Who Needs to Be Trained?


Your training program should be tailored to, and delivered to, people who:


  • have contact with clients such as front-line staff;
  • are involved in client transactions;
  • handle cash or funds; and
  • are responsible for implementing or overseeing the compliance program.


FINTRAC expects that your training program will include:


  • ML/TF concepts, background information on ML/TF as it relates to your business, such as definitions of money laundering and ways the laundering process usually works.
  • Compliance policies and procedures for preventing and detecting laundering, including reporting, client identification, know-your-client, and record-keeping obligations.
  • The responsibilities of your employees or anyone else acting on your behalf when dealing with suspicious activities or transactions.


Training materials should include examples of how your particular type of business could be used to launder illicit funds or finance terrorist activities.


Does My Training Have to Be Written?

Your training program has to be documented, but the method used to deliver the training does not have to be in writing. You can deliver training using software, information sessions, face-to-face meetings or conferences.


However, it is a requirement that you document the following elements in writing:


  • who needs to be trained;
  • what type and topics of training are required;
  • how training is provided;
  • how often training is needed; and
  • documentation showing training has taken place.


Training Methods to Use

The method of training you choose will depend on the complexity and size of your business. For example, a business with hundreds of branches and thousands of employees will have different training needs than a business that has one location and few employees.



5. Two-Year Effectiveness Review

An effectiveness review is an evaluation conducted at least every two years to test the effectiveness of your compliance program, policies and procedures, risk assessment and ongoing training program.


It must be designed to allow for the identification and documentation of any gaps and weaknesses within your compliance program. The goal is to ensure the business is able to effectively detect and prevent ML/TF.


  • The review is required to assess whether you are effectively meeting your requirements under the PCMLTFA.
  • In the case of your risk assessment, the review is required to determine whether the risk assessment is effective at identifying and mitigating the risks of ML/TF as they relate to the clients, affiliates, products, services, delivery channels and geographic locations where you do business.


Testing the effectiveness of your compliance program must be documented as part of the review. Your review may be triggered by requirements determined by your regulator at the federal or provincial level.


Examples of what can be included in your review:


  • Interviews with those handling transactions to determine whether they understand policies and procedures
  • A review of your criteria and process for reporting suspicious transactions
  • A sample of your account opening records followed by a review
  • A sample of large cash transactions followed by a review of the reporting of these transactions
  • A sample of electronic funds transfers followed by a review
  • A sample of your clients followed by a review to see if the risk assessment was applied correctly
  • A sample of your clients followed by a review to see if the frequency of your ongoing monitoring is adequate
  • A sample of high-risk clients followed by a review to ensure that enhanced mitigation measures were taken
  • A review of a sample of your records to ensure proper record-keeping procedures are being followed
  • A review of your risk assessment to ensure it reflects your operations
  • A review of your policies and procedures to ensure they meet current legislative requirements

Who Should Conduct the Review?

Your internal or external auditor must conduct the review. You can conduct your own review, but it should be done by someone not directly involved in your compliance program activities. The documentation should also specify who conducted the review.


The effectiveness review must examine whether your policies and procedures, risk assessment and training program are effective. You also need to demonstrate whether your practices comply with legislative and regulatory requirements.



Reporting Review Results

For entities, the following must be reported in writing to a senior officer no later than 30 days after the completion of the review:


  • the findings of the review;
  • any updates that were made to your policies and procedures during the reporting period; and
  • the status of the implementation of the updates made to policies and procedures.


Remember that establishing and implementing a comprehensive and effective compliance program is the basis for meeting all of your reporting, record-keeping, client identification and know-your-client requirements under Canadian laws and regulations.



Software Tools for an Effective Compliance Program

Alessa provides all the capabilities that banks, money services businesses (MSBs), fintechs, and casinos need to meet the ongoing monitoring requirements of an AML compliance program. The solution allows financial institutions (FIs) to perform:


  • Real-time due diligence during onboarding
  • Ongoing and periodic sanctions and watchlist screening of clients
  • Transaction monitoring with advanced analytics, including AI-based techniques, to flag suspicious transactions
  • Transaction screening or transaction filtering
  • Automated regulatory reporting to FIUs, including to FinCEN and FINTRAC
  • Alert and case management to track investigations of suspicious transactions and meet record-keeping requirements


To learn more about what Alessa can do to ensure you have an effective AML compliance program with the required five pillars, ask to speak with one of our risk specialists today.
