There are 4 (sometimes 5) pillars of an AML Plan:
- AML/BSA Written Plan
- AML Compliance Officer
- AML/BSA Training - All employees and additional training for managers
- Periodic Reviews of the plan and implementation
- Monitoring Transactions
The training can be provided as part of the continuing education provider's training, except for the manager, who must take additional training (up to 4 hours) annually. You cannot just have a certificate that says 8 hours of CE. You must provide a syllabus showing substance.
The periodic independent reviews, sometimes interpreted as annual, cannot be completed by someone under the supervision of the AML officer. They must be independent.
The biggest problems we see in AML Plans:
- Wordy, jargon-filled, legal-eze that no one (even us) can understand. Disclosure by obfuscation, like regulatory citations
- No risk assessment
- Incorrect business form - e.g., not mortgage industry-specific
- No process engineering, maps, checklists, etc.
- Not implemented; e.g.; board of directors, IT department, etc when one doesn't exist
- Separate CIP Program when PATRIOT Act already covers CIP.