Building AML Programs: The 5 BSA Pillars

Terri Luttrell, CAMS-Audit, CFCS
July 19, 2024

The 5 pillars of BSA: Does the new AML/CFT program rule add a sixth pillar?

The task of building a robust AML program may seem overwhelming, but there is no better place to start than with the five pillars of the Bank Secrecy Act (BSA).

Understanding the pillars to build a strong AML program

This post updates a 2022 blog to include information on AML pillars from newer rules.

The task of building a robust AML/CFT program may seem overwhelming for Anti-money Laundering/Combating the Financing of Terrorism (AML/CFT) Officers. Knowing where to begin is the key to a successful project plan when developing a new program or revamping an outdated or inefficient program. Historically, there has been no better place to start than with the foundation of an AML/CFT program, the five pillars of the Bank Secrecy Act (BSA).

An interesting question to pose now is whether there are still only five pillars of an AML program.

The 5 Pillars of BSA/AML Compliance

  1. Internal Controls: Develop and maintain robust policies, procedures, and processes designed to mitigate and manage risks associated with money laundering and terrorist financing.
  2. Designation of an AML/CFT Officer: Appoint a qualified individual responsible for overseeing the AML program, ensuring compliance with BSA regulations, and serving as a liaison with regulatory bodies.
  3. Ongoing Employee Training: Implement regular training programs tailored to employees' specific roles, ensuring they understand AML obligations and can recognize suspicious activities.
  4. Independent Testing and Review: Conduct periodic independent audits of the AML program to assess its effectiveness and identify areas for improvement.
  5. Customer Due Diligence (CDD): Establish procedures to identify and verify customers' identities, understand the nature and purpose of customer relationships, and monitor transactions for suspicious activity.

Is there a 6th pillar?

With FinCEN’s new Proposed Rule to Strengthen and Modernize Financial Institutions’ AML/CFT Programs (AML/CFT proposed rule), we might argue that there are now six pillars of BSA. The Financial Crimes Enforcement Network’s AML/CFT program rule codifies a risk assessment process as part of BSA and AML compliance. Perhaps the risk assessment mandate will become the primary BSA pillar once the Federal Financial Institution Examination Council (FFIEC) updates its examination manual.

Pillars for AML compliance from the FFIEC

Fortunately for AML/CFT Officers, regardless of experience level, the FFIEC BSA Examination Manual already provides guidance for you to build or restructure your AML/CFT program. However, copying and pasting the recommendations into your policies and procedures will not be enough to ensure a solid program. You must understand each of the pillars to manage accordingly and educate those on the front line about the role they will play in bringing it to life. You must also instill a strong culture of compliance at your institution to ensure long-term success.

Let's examine the key takeaways for each of the current five pillars of BSA and AML compliance. Then, we’ll examine what might become the sixth AML pillar.

1. Internal controls

Many factors make the internal control pillar critical to your AML/CFT program. Not only is this a required part of BSA compliance, but controls also ensure that things are running smoothly and that you won't be caught off guard during a regulatory examination. Critical internal controls include:

  • Developing policies, procedures, and processes designed to mitigate and manage money laundering and terror financing.
  • Providing timely updates in response to changes in regulations to keep your AML/CFT program aligned with regulatory expectations.
  • Incorporating dual controls and the segregation of duties to ensure an essential second management layer.
  • Managing technological and staffing resources strictly to ensure that all AML responsibilities are met or, at a minimum, to allow you to make your business case to senior management if resources are deficient.
  • Providing for program continuity despite changes in operations, management, or employee structure to ensure that no surprises occur from issues such as a pandemic or other natural disaster.

2. Designation of an AML/CFT Officer (formerly BSA Officer)

The AML/CFT Officer pillar seems intuitive; all successful programs must have a competent leader. A well-sought-out appointment is critical. Remember these important key factors when appointing your AML/CFT Officer:

  • The designated AML/CFT Officer must be approved by the board of directors and recorded in meeting minutes.
  • The AML/CFT Officer must have the appropriate background and level of experience for the position. Promoting the head teller of the institution, no matter how great a staff member they may be, will probably not pass regulatory scrutiny.
  • The AML/CFT Officer must have the necessary authority, independence, and access to resources to administer an adequate AML compliance program. Independence means that the reporting structure should be outside of the compliance area, and the AML/CFT Officer should be the decision maker in all matters relating to BSA. The title of this position is unimportant from a regulatory perspective, but the authority, independence, and access to resources are critical.

3. Periodic BSA training

Despite sounding straightforward, BSA training is often not implemented properly and is a common examiner finding. Ongoing training is at the heart of a solid AML compliance program. Be sure to take these steps to fulfill the BSA training requirements:

  • Avoid one-size-fits-all training. BSA training must be tailored to each employee's roles and responsibilities. The front-line staff is your ultimate line of defense and must have detailed BSA training. However, lenders need to know what is relevant to their job functions, and the board of directors requires high-level training to cover their fiduciary duties.
  • Conduct BSA training at least annually and more often if you experience deficiencies in implementing policies and procedures. An effective AML/CFT program cannot be achieved without all team members having the necessary knowledge.
  • Document training modules and dates for every staff member, including the board of directors. If one stubborn executive misses training, you will receive regulatory criticism. Remember to stress a culture of compliance if you run into this situation.

4. Independent testing

The term independent testing is used interchangeably with an audit function. This pillar is designed to assess a financial institution's compliance with AML requirements and the overall adequacy of the AML compliance program. An independent audit before an exam, either internal or by a third party, gives you the ability to shore up any gaps in your program before a regulatory exam. Takeaways for financial institutions from this pillar include:

  • Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.
  • Those conducting the audit must have sufficient knowledge and experience with AML compliance.
  • Audits should consider the entire AML/CFT program, including AML and OFAC monitoring technical resources. Periodic AML model validations will also be required to ensure that AML software is working as intended and that all critical data sources feeding into each model are identified.

5. Ongoing customer due diligence (CDD)

A cornerstone of a robust AML compliance program is adopting and implementing risk-based CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of ongoing customer due diligence is to understand the nature and purpose of customer relationships, which may include understanding the types of transactions in which a customer is likely to engage. These processes assist financial institutions in determining when transactions are potentially suspicious. Below are important factors to assess when developing your CDD program:

  • Each CDD program should begin with a Customer Identification Program (CIP) as outlined in the USA PATRIOT Act.
  • CDD should be risk-focused. Not all customers in a higher-risk category have equal risk within an institution. Rely on your institution's unique risk assessment to determine how much due diligence is required for each customer type.
  • As part of CDD, financial institutions must identify and verify beneficial owners of legal entities with an ownership interest of 25% or more. Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage, or direct a legal entity customer. For each legal entity, the customer must identify one beneficial owner under the control prong.
  • It's worth noting that the Anti-Money Laundering Act of 2020 has required FinCEN to analyze any changes needed to the CDD legislation once FinCEN establishes the beneficial ownership registry. Although details for this requirement are very late in coming to fruition, you should keep your eyes open for future updates on CDD and beneficial ownership changes.

A possible sixth pillar for AML compliance: Risk assessment requirement

The risk assessment process has been a regulatory expectation for AML/CFT programs for a long time but has never been codified until mentioned in the AML/CFT proposed rule. If the rule is finalized as currently written, a financial institution would be mandated to establish a risk assessment process to serve as the basis of the AML/CFT program. FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution's money laundering and terrorist financing risks but also to manage and mitigate those risks reasonably. Once the final rule is published, the FFIEC will likely incorporate this requirement as the primary pillar of an AML/CFT program.

Essential Guides

The five, or six, pillars of BSA are essential guidelines for all AML/CFT programs, and regulators look for the implementation and results of each during an examination. Of course, it is crucial to have a successful regulatory examination, but why is adherence to the pillars important for financial institutions? Remember the underlying reasons for following these guidelines. 

The critical components of AML/CFT:

  • Detecting and reporting unusual or suspicious activity
  • Avoiding criminal exposure from persons using your institution for illicit purposes
  • Adhering to safe and sound banking practices

Federal regulators have issued several recent enforcement actions involving BSA pillar violations, such as one issued by the FDIC to a California bank in October 2023. Findings include:

  • Inadequate written BSA compliance program
  • Insufficient internal controls
  • AML/CFT Officer not qualified
  • BSA training was not tailored to specific job duties
  • Unacceptable CDD program
  • Insufficient suspicious activity monitoring

Remembering these BSA pillars, including a robust risk assessment process, is essential for a successful examination, which will confirm your institution's safety and soundness. These pillars must be understood and cannot be missed for a successful AML/CFT program.

Key Reports Required Under the Bank Secrecy Act

In addition to building a strong AML program through the five BSA pillars, financial institutions are required to submit specific reports that help regulatory agencies identify and prevent financial crimes. These reports are essential tools in uncovering patterns of money laundering, fraud, and other illicit activities.

Suspicious Activity Reports (SARs)

SARs are filed when a financial institution detects known or suspected violations of law or suspicious activity related to potential money laundering or fraud. Institutions are required to report any transaction or pattern of transactions that appear unusual or lack an apparent lawful purpose. SARs must be filed within 30 calendar days of detecting suspicious activity.

Common reasons for filing a SAR include:

  • Structuring transactions to avoid reporting thresholds
  • Sudden changes in transaction patterns
  • Use of multiple accounts without a clear business reason
  • Inconsistencies in customer information or behavior

Currency Transaction Reports (CTRs)

CTRs must be filed for each transaction (or group of related transactions) that involves more than $10,000 in cash within a single business day. These reports help track large volumes of physical currency entering or leaving the financial system, which can be a red flag for money laundering or criminal enterprise activity.

To remain compliant:

  • CTRs must include details about the individual or entity conducting the transaction
  • Transactions must be reported even if they seem legitimate, as long as they meet the threshold
  • Institutions must not inform customers when a CTR is filed, to avoid "tipping off"

Other BSA Reports

  • Foreign Bank and Financial Accounts Report (FBAR): Required for U.S. persons with a financial interest in or authority over foreign financial accounts exceeding $10,000 in aggregate value.
  • Designation of Exempt Person (DOEP): Filed to exempt certain customers (like established businesses) from CTR filings, reducing compliance burden.
  • Report of International Transportation of Currency or Monetary Instruments (CMIR): Required when transporting more than $10,000 in currency or monetary instruments into or out of the U.S.

These reporting obligations, alongside the BSA’s five foundational pillars, help establish a comprehensive and proactive compliance posture that protects both institutions and the broader financial system from abuse.

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.
