Bates Research | 06-05-25
Customizing AML Policies, Procedures, and Training to Fit Your Risk Profile

In our last article on AML risk assessments, we explored how an assessment must be designed to be consistent with the institution’s overall risk profile, and how it can be used to further the development of that same risk profile. In this article, we will explore how to design and customize the institution’s policies/procedures and training programs to be consistent with the institution’s overall AML risk profile and evidence the effectiveness of the Program to an examiner or auditor.
Avoiding the Copy-Paste Trap: Why Customization Matters
There are so many sample policies and procedures available on membership sites that it could be tempting for an AML Officer to download a sample, make a few tweaks, and release the document as a formal department policy or procedure. However, it’s important to resist that temptation. The best-case outcome would be a generic sample policy or procedure that simply addresses risks common to the industry as a whole. Such a policy wouldn’t necessarily cause harm, but it could lead to exam or audit criticism. The worst-case scenario would be a document customized to some other institution’s risk profile, possibly including products, services, and customer types that the AML Officer’s institution doesn’t offer or serve. If that language isn’t removed, the result will be a policy or procedure that addresses risks that aren’t at the institution and fails to address the risks that are. Neither situation is good for an AML Officer.
Similarly, AML Officers should resist the urge to copy the FFIEC Manual and insert it into the AML Policy. While FFIEC Manual language may be good for providing definitions and context, it won’t indicate an institution’s policies. Examiners and auditors won’t view favorably an AML Policy that is a cut-and-paste job from the FFIEC Manual. FFIEC Manual language will certainly describe requirements, but it won’t discuss how an institution achieves compliance with those requirements.
Having established the importance of building an AML risk assessment that accurately reflects your institution’s risk profile, the next critical step is ensuring that your program components are designed with that same specificity. AML policies, procedures, and training must not only align with your assessed risks, but also clearly demonstrate to examiners and auditors how your institution puts intent into action. In the sections that follow, we explore how each component can be effectively tailored to reinforce your risk-based approach and avoid the pitfalls of generic, one-size-fits-all solutions.
AML Policy
Policies represent an institution’s statements of intent that will be implemented via procedures and protocols, and they help govern the institution. An AML Officer writing an AML Policy should start with a few typical section headers and add language that describes the institution’s intents. Most AML Policies include sections that:
- Describe the Board and Executive Management’s intent to comply with the Bank Secrecy Act, the Patriot Act, and the related rules, along with language in which the Board and executive management acknowledge their oversight role and responsibilities for compliance.
- Indicate who, by name or title, is responsible for day-to-day AML compliance.
- Discuss CIP policies.
- Discuss CDD and EDD policies.
- Discuss the institution’s risk assessment policies, and that the risk assessment forms the foundation for the AML program.
- Discuss the identification and investigation of suspicious activity, the filing of CTRs, the filing of SARs, and the documentation of no-file decisions.
- Discuss the independent test.
- Discuss recordkeeping.
- Discuss BSA/AML training.
- Discuss the need for internal controls to maintain compliance.
- Discuss monitoring systems and models and the need to test and maintain monitoring systems, including internal tuning and external validations.
For the past few years, examiners and auditors have also expected to see language in the AML Policy that addresses the AML National Priorities.
AML Procedures
Written procedures have an equally important role in ensuring an AML Program reflects an institution’s risk profile. To illustrate this, we’ll consider two important procedures: CDD/EDD procedures and transaction monitoring procedures.
- CDD/EDD procedures: Financial institutions go about “knowing their customers” in a variety of ways. CDD procedures will, by design, discuss the customer types an institution serves, and will likely identify those not served. CDD procedures will discuss an institution’s customer on-boarding processes and will likely discuss a risk-based approach to gathering the CDD information that enables it to “know its customer.” CDD procedures can also be influenced by the differing geographies of customers or of the branches serving them. EDD procedures go a step further and discuss the additional information gathered for an NBFI, TPPP, MSB, MRB, FinTech, or any other higher-risk customer type, and might even differ based on which type of higher-risk customer is being onboarded. EDD procedures will also address the nature, scope, and frequency of EDD/high-risk reviews of customers.
- Suspicious Activity Monitoring: Financial institutions experience financial crime differently. Thus, no two institutions should have the same procedures for the identification, investigation, and reporting of financial crime, even if they use the same systems. The types of products and services an institution offers, along with the types of customers served, will greatly impact which alerts/agents are enabled and how they are configured. Procedures will also reflect an institution’s risk profile in terms of how often alerts are generated, how alerts are configured, how quickly alerts must be decisioned, how they are escalated to a case, and the priority given to certain cases. Suspicious activity monitoring procedures will also address the minimum information needed to work an alert and a case, and this could differ based on whether the customer is an NBFI, TPPP, MSB, MRB, FinTech, or some other higher-risk customer type, or it may differ based on other attributes of the customer.
Training
AML training for the institution’s employees and Board members should address the unique risks of the institution and should be tailored based on the role of the attendees. This can be accomplished in a variety of ways, but consider this approach:
- A brief, off-the-shelf overview of the Bank Secrecy Act, CIP/KYC, the importance of identifying and reporting suspicious activity, recordkeeping, and penalties. We call this the “what.”
- Add-on courses, customized and tailored to the various functions and groups in the institution, that address the risks posed to the institution by customer types, products/services, and geographies, along with each group’s role in meeting the requirements of BSA/AML. These courses should include customized instructions for how to report potentially suspicious activity or behavior to the AML Officer. We call this the “how.”
Risk assessments, policies, procedures, and training are important elements of an institution’s AML Program. By aligning them with the unique aspects of the financial institution, an AML Officer will be able to demonstrate that the AML Program is reflective of the institution’s risk profile and effective in terms of identifying and reporting suspicious activity.
How Bates Group Helps
Bates Group offers comprehensive advisory services to a wide range of financial institutions, MSBs, and Fintechs. We provide AML/CFT compliance program support, including Independent Reviews and Risk Assessments, Exam Preparation and Remediation, and Custom Compliance Training.