What is an AML Compliance Program?


An anti-money laundering (AML) compliance program is an essential component of a financial institution’s compliance regime. The primary goal of every good program is to protect the organization against money laundering and to ensure that the organization is in full compliance with relevant laws and regulations.


For that reason, designing, structuring, and implementing these programs should be included in the top priorities of any financial institution.


An AML program should be risk-based and designed to lessen the money laundering and terrorist financing risks the organization may encounter. The organization-wide program may be supplemented by policies and procedures for various lines of business or legal entities, according to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The agency also states that compliance programs should include corporate governance and overall management of money laundering and terrorist financing risks.


Before designing an anti-money laundering program, it is imperative to understand what is required of an institution, its employees, and its customers by the laws and regulations of the jurisdiction where the institution is located. The laws of each country vary, and there are international considerations when doing business over international boundaries.


The financial institution’s internal policies and risks related to the business must also be taken into consideration. In addition, institutions may need advice on the complexities of anti-money laundering legislation before building an anti-money laundering program. They should not hesitate to reach out to competent advisors.


In this article, we will give you information from FINTRAC in Canada as well as the Financial Crimes Enforcement Network (FinCEN) and the Financial Industry Regulatory Authority (FINRA) from the U.S. to help guide you through the steps needed to establish a fulsome AML compliance program.




FinCEN: Establish AML Compliance Program

Each financial institution in the U.S. is required by law to have an effective anti-money laundering (AML) compliance program. Each program must be commensurate with the risks posed by the location, size, nature, and volume of the financial services.


For companies such as Money Services Businesses (MSBs), FinCEN says the complexity of the program is commensurate with the size of the company. For example, a large money transmitter with a high volume of business in the Los Angeles area is at higher risk than a small check casher with a low volume of business located in Idaho. Therefore, the large California money transmitter would be expected to have a more complex AML compliance program.


Each AML compliance program must be in writing and must:


  • Incorporate policies, procedures, and internal controls reasonably designed to assure compliance with the BSA;
  • Designate an AML compliance officer responsible for day-to-day compliance with the BSA and the compliance program;
  • Provide education and/or training of appropriate personnel; and
  • Provide for independent AML audits to monitor and maintain an adequate program.


FINRA’s View on Compliance Programs

FINRA and FinCEN are similar as they both follow U.S. laws and regulations, but there are some differences due to the types of business lines each of these organizations oversees.


FINRA says each member shall develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act (BSA) and its regulations. Each member’s anti-money laundering program must be approved, in writing, by a member of senior management. The anti-money laundering programs shall, at a minimum:


(a) Establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of transactions;

(b) Establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and the implementing regulations thereunder;

(c) Provide for annual independent testing for compliance to be conducted by member personnel or by a qualified outside party;

(d) Designate and identify to FINRA an individual or individuals responsible for implementing and monitoring the day-to-day operations and internal controls of the program and provide prompt notification to FINRA regarding any change in such designation(s);

(e) Provide ongoing training for appropriate personnel; and

(f) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.


FINTRAC: Compliance Program Requirements

In Canada, guidance on the compliance program requirements is applicable to all individuals and entities that are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations, FINTRAC states.


Establishing and implementing a comprehensive and effective compliance program is the basis for meeting all of your reporting, record-keeping, client identification and know-your-client requirements under the PCMLTFA and associated Regulations.


There are five required elements of a compliance program – virtually identical to those listed above for FinCEN and FINRA. Each of the following items is considered to be a pillar of an effective anti-money laundering/anti-terrorist financing (AML/ATF) program:


  • The appointment of a person who is responsible for the implementation of the compliance program – compliance officer;
  • The development and application of written compliance policies and procedures that are kept up-to-date, and include enhanced measures to mitigate high risks;
  • A risk assessment of your business activities and relationships;
  • The development and maintenance of a written ongoing compliance training program for employees, agents, and others authorized to act on your behalf; and
  • The institution and documentation of an effectiveness review of your compliance program (policies and procedures, risk assessment, and training program) every two years (minimum) for testing its overall effectiveness.


The level of detail and sophistication of your compliance program must reflect the size, complexity, structure, and risk of exposure of your business to money laundering and terrorist activity financing.


During a FINTRAC examination, it is important to demonstrate that the required documentation is in place, applied, and up-to-date. An institution must also show that its compliance program is designed to effectively address the business’s vulnerability to threats and to mitigate those that are high risk.


Next, we will run through some of the key elements required by your AML compliance program. The following guidance comes from FINTRAC but is similar to what is required in the U.S. You should check with your financial intelligence unit (FIU) for specific requirements in your country.



Need for Compliance Officer

Your appointed compliance officer is responsible for effectively implementing all of the elements within your compliance program: policies and procedures, ongoing training, risk assessment, and effectiveness review conducted at least every two years.


Appointing a designated person to be your compliance officer alone does not fulfill your compliance program requirements. Your compliance officer needs to:


  • have the necessary authority and access to resources in order to implement an effective compliance program and make any desired changes;
  • have knowledge of your business’s functions and structure;
  • have knowledge of your sector’s money laundering and terrorist financing (ML/TF) risks and vulnerabilities as well as ML/TF trends and typologies; and
  • understand your sector’s legal requirements under the associated regulations.


Although a compliance officer is appointed, the reporting entity remains responsible for meeting its compliance program requirements.


Depending on the size of your business, you could be the compliance officer, or it could be another individual, such as a senior manager or the owner or operator of your small business, or someone at a senior level who has direct access to senior management and the board of directors of your large business.


If you are an individual, such as in the case of a sole proprietorship, you can be the compliance officer or choose another individual to help you implement the compliance program. The compliance officer should have the ability to report compliance-related issues and meet with the board of directors, senior management, or owner(s) on a regular basis. It is also beneficial to provide your compliance professional(s) with AML software solutions. Compliance involves a variety of tedious tasks that are too time-consuming to be completed manually. For additional information, view our blog on how to choose between AML software vendors.



Compliance Policies and Procedures

Written compliance policies and procedures must be developed and applied by all individuals and entities in your organization. This is an important component of your overall compliance program as it will guide your decisions and actions.


Your compliance policies and procedures must be:


  • written and in a form/format that is accessible to their intended audience;
  • kept up-to-date (several factors could trigger the need to update, such as changes in legislation, non-compliance issues, new services or products, or the two-year effectiveness review); and
  • approved by a senior officer, if you are an entity.


Risk Assessment

A risk assessment is an analysis of potential risks and vulnerabilities that could expose your business to ML/TF activities. This assessment will allow you to identify your inherent risk and will assist you and those authorized to act on your behalf in developing mitigation measures to deal with these risks.


The outcome of your risk assessment should reflect the reality of your business. The complexity of your risk assessment will depend on the size and risk factors of your business. However, you must consider the following:


  • your clients and business relationships, including their activity patterns and geographic locations;
  • the products, services and delivery channels you offer;
  • the geographic location(s) where you conduct your activities;
  • new technologies and their impacts on your clients, business relationships, and products or delivery channels of your activities;
  • other relevant factors affecting your business (e.g. employee turnover, rules and regulations for your industry, etc.); and
  • if you are a financial entity, life insurance company, or securities dealer, risks resulting from the activities of an affiliate that is also subject to the associated regulations under these sectors, or that is a foreign affiliate that carries out activities similar to these sectors.


How you document your risk assessment will depend on what makes sense for your business. You must demonstrate that you have considered all facets of your business’s exposure to ML/TF activities. To do this, you can document the risks you have considered and the mitigation measures you have developed for high-risk customers.


Ongoing Compliance Training Program

The development, implementation, and maintenance of an ongoing compliance training program is required if you have employees, agents, or other individuals authorized to act on your behalf.


Your training program must be in writing, reviewed, and kept up to date. It should be delivered and tailored to people who:


  • have contact with clients such as front-line staff or agents;
  • are involved in client transaction activities;
  • handle cash or funds in any way; and
  • are responsible for implementing or overseeing the compliance program (such as senior management, information technology staff or internal auditors).


At a minimum, your training program will include:


  • ML/TF concepts and background information on ML/TF in relation to your business, including definitions of ML/TF, why criminals choose to launder money, and how the ML/TF process usually works. Helpful resources could include FATF’s Methods and Trends Publications.
  • Your compliance policies and procedures for preventing and detecting ML/TF, including your reporting, client identification, know-your-client, and record-keeping obligations.


Your training materials should include examples of how your particular type of business could be used to launder illicit funds or fund terrorist activity. This should help with the identification of suspicious transactions and may provide you some assurance that your services are not being abused for ML/TF purposes.



How Alessa Can Help

Alessa can help you implement your AML program. Alessa is an integrated AML compliance software solution for due diligence, sanctions screening, transaction monitoring, regulatory reporting and more. The solution integrates with existing core systems and includes:



Contact us today to see how we can help you implement or enhance the AML compliance program at your financial institution.
