The first elements deal with the Anti-Money Laundering policies and procedures. Almost all regulators require this now, so it is a matter of finding it in your plans.
1.) For our customers, you find this in your QC Plan.
Some customers ONLY purchase the AML/BSA plan as a stand-alone. If this is you, then you have what you need.
2.) An Independent Review of the AML Plan. Some take independent to mean "3rd Party." This is not necessarily the case. If you have an independent audit function in your firm that does not report to the AML Officer, then you can have that function conduct the audit. Otherwise, you do need a 3rd party audit, such as the one we show here:
Your QC Plan contains an audit checklist that your independent reviewer can use to validate the components of your plan and its implementation.
When a regulator asks for a business plan, it's not asking for one in the SBA sense. It asks specific questions about how you plan to do business in the state.
Just put together a document as if you were answering these five questions. We did this here:
IT/Cyber Security and Physical Plant Security
There is a difference between physical security and IT/Cyber Security. One is the locked office; the other is the locked network. We see these as one component, not two. However, you can separate them if necessary.
1.) Physical security includes locked doors and clean desks.
2.) Information/Cybersecurity covers all the ways your customers' data can be compromised and how it should be protected.