Fixing What Is Not Broken: Should you make changes to a satisfactory AML program?

An anti-money laundering (AML) program that has been deemed acceptable by regulators has reached the pinnacle and there is nowhere to go but down. So, why change anything? Changing controls in a program that has been called satisfactory is risky. Change could lead to uncontrolled risks and uncontrolled risks could lead to an unsatisfactory rating. What, then, is the impetus to make a good AML program better and why do compliance officers reevaluate or continue to monitor existing controls when those controls have been found to be effective?

The primary reason that Bank Secrecy Act (BSA) officers change otherwise static compliance programs is that the world does not stay the same. Thus, maintaining a static AML compliance program is a risk in and of itself. By changing existing controls to move an AML program forward, something better may be gained—a more comprehensive risk-rating methodology, an efficient customer due diligence process, etc. There are other, equally important, reasons to consider changing an AML program.

Changing Priorities

In addition to protecting company and customer assets, a goal for any quality compliance program is to meet regulatory expectations in an efficient manner. When regulatory or cultural priorities shift, an AML program must be flexible enough to shift with them. Take banking marijuana-related businesses (MRBs) as an example. Not long ago, providing financial services to state-sanctioned MRBs was not on any compliance officer’s radar because state-sanctioned marijuana businesses were not viable under existing laws. Today, compliance officers must not only determine the risk tolerance for servicing MRBs, but also document the decision and put appropriate controls in place to support the decision.

Any financial institution that is not reevaluating its existing controls in light of the changing socioeconomic environment is taking on regulatory risk it has not even identified.

Similarly, the Fourth EU Directive[1] (4MLD) has quietly eliminated the requirement that a politically exposed person (PEP) be foreign. According to Nina Kerkez, senior product manager at Accuity, “So far we have considered foreign PEPs, senior political, military and judicial figures as well as their families as higher risk customers when money laundering risks are looked at. With the inclusion of domestic PEPs, 4MLD also insists that enhanced due diligence is performed on these individuals by reviewing their source of wealth and funds.”[2] Furthermore, Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act[3] was also amended to expand the concept of PEPs to include domestic PEPs and heads of international organizations (HIOs), in addition to foreign PEPs. As a result of these changes, which came into effect on June 17, 2017, financial firms will be required to take “reasonable measures” to determine whether a customer is a domestic or foreign PEP or an HIO, or a “close associate” or family member of these types of persons. BSA officers will want to reevaluate current controls involving PEP identification and monitoring to get ahead of impending regulatory change to include domestic PEPs and/or HIOs in their programs.

Another example is the New York State Department of Financial Services (DFS) change. The DFS recently issued Part 504, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications,[4] which became effective on January 1, 2017. The rule’s beginnings lie in NY’s DFS examination work, which identified problems with financial institutions’ transaction monitoring and filtering systems and processes. The rule imposes governance-type measures over transaction monitoring tools, ranging from periodic reviews, testing, supporting documentation for detection scenarios/thresholds and oversight to an annual board resolution tantamount to certifying compliance with the new 504 rule. The monitoring and filtering program must be based on an enterprise-wide BSA/AML risk assessment. While this is a NY state law, other states are closely watching the implementation and may intend to pass similar laws.

One final example is the renewed emphasis on reporting fraud-related money laundering offenses. With the expectation that financial institutions will be monitoring for elder financial exploitation, cybercrimes, grandparent schemes, romance schemes, lottery scams and tax return frauds, suspicious activity monitoring requirements have rapidly increased. Manual reports, automated transaction monitoring systems and investigator training must be enhanced to support the “FRAML” (fraud + AML) BSA environment. Gone are the days when an AML program could get by with monitoring solely for excessive cash or unusual international wire activity indicative of drug offenses or tax evasion.

Change in Staff

The dirty little secret in the financial services industry is that AML programs operate under a budget. If they did not, the financial institution could not survive. “With the increased intensity of regulation, and the threat of fines and sanctions constantly looming over businesses, some institutions have been hindered in terms of their potential growth outside of the compliance department. Financial institutions must now attempt to find a way to optimize their efficiency and cost-effectiveness at the same time.”[5] Staffing models may (and should) change when processes are made efficient; however, the BSA officer must ensure no control gaps are created as a result of staff movement or downsizing.

Change in staff that supports an institution’s AML program introduces risk to a program previously deemed satisfactory. It does not need to be changes in “key positions” that lead to risk. Consider losing the person most experienced in Office of Foreign Assets Control (OFAC) sanctions in a wire transfer department.

The BSA officer must ensure the existing controls are comprehensive enough to sustain the program in light of the loss of the person with expertise.

Change in Leadership

An incoming experienced BSA officer will also, undoubtedly, reevaluate existing controls in a satisfactory program. The skilled BSA officer brings with him/her knowledge gained from prior examinations and information gained from networking and industry training along with a keen understanding of risk-based controls. A new set of eyes on a successful program may highlight potential risks not previously identified. With the current emphasis on personal liability, a BSA officer taking leadership over an existing program must have complete understanding and faith that the existing controls adequately cover identified risks and that residual risk falls within the risk tolerance for the organization. NY DFS Part 504 essentially requires a BSA officer new to an organization to very quickly comprehend the program and systems and have faith in those same programs and systems to put their reputations and personal finances on the line.

Mergers and Acquisitions

A significant change in the size, geographic footprint, product offering and/or customer base due to a merger or acquisition should result in a reevaluation of current controls. “Identify the specific risk categories (i.e., products, services, customers, entities, transactions and geographic locations) unique to the bank”[6] is the recommended first step to a comprehensive risk assessment as outlined in the Federal Financial Institutions Examination Council’s BSA/AML Examination Manual. Knowledge of the specific AML risks posed by a merger or acquisition is a critical step in performing a gap analysis. The BSA officer will map the current controls to any newly identified risk to identify gaps in the program. The BSA officer will then determine if the gap is acceptable or must be mitigated with new or enhanced controls. Failure to reevaluate the control in light of risks from a merger or acquisition leaves the financial institution open for regulatory criticism.

Change in Technology

The pace of technological change has accelerated in the last two decades. AML programs are not immune from advancing technology. In addition, “with the rise of regulatory practices becoming strictly enforced at both the national and international level, financial institutions are faced with the fact that AML software that was once viewed as an unnecessary luxury for the company has shifted to an essential component in everyday operations.”[7] The art of being a BSA officer is the ability to balance the need for technological change in a program, the desire to reap the benefits of improved technology and the cost of implementing and maintaining advanced technology. It becomes easy to justify the need for new or improved technology when an examiner points out deficiencies in an AML program. When an AML program is operating effectively, separating the need for enhanced technology from the desire to have enhanced technology becomes much more difficult.

In theory, improved technology equals better controls. Enhanced screening capability should translate to fewer false positives or fewer missed positives, which should result in more focused reviews. Advanced monitoring capability should equate to an increased alert to SAR ratio. The operative word in the prior scenarios is “should.” Oftentimes changing technology opens an AML program to increased risks from incorrect or incomplete data ingestion. Optimal tuning is critical to achieving desired output. In addition, to minimize the risk of regulatory scrutiny, all decisions and rationale regarding changing technology must be well-documented. “With the vast amounts of information available to decision-makers, ‘gut feel’ business decisions are not sufficient to satisfy internal auditors or examiners. Decisions must be supported with well-documented rationale and evidence and tracked to evaluate whether assumptions hold true initially and over time.”[8]

That being said, there are certainly times when a financial institution with a solid AML program should consider investing in improved technology for the AML program, such as when there is potential for an acquisition or when the technology comes with additional controls (e.g., systemic checks of the required fields in suspicious activity reports or currency transaction reports to reduce errors).

Industry-led Change

Enforcement Actions

Enforcement actions can be change agents. They are public documents available for study by BSA officers. Fines for program failures have increased over the last several years as has the reach of FinCEN’s enforcement activity. Financial institutions, casinos, MSBs and even a precious metals dealer have felt the effect of these actions. The content of enforcement actions can be a rich learning ground for BSA officers who may use them to modify their already satisfactory AML programs.

ACAMS Initiatives

ACAMS and other trade and industry groups can influence change through the initiatives, classes and products that they offer. For example, some BSA officers have adopted the ACAMS risk assessment tool to create their risk assessments. Others have attended ACAMS conferences and learning events where they hear tips and tricks of the trade, which become the impetus for change.

Industry Best Practices

Some contemplate changes to AML programs based on industry best practices. Take FinCEN’s new customer due diligence/beneficial ownership rule for which compliance is required by May 11, 2018. BSA officers are talking to each other and developing best practices surrounding the rule. As a specific example, although not required, some banks have included information on their websites to prepare their prospective customers for the ownership questions they may get starting on May 11.

Changes in Regulation/Regulatory Scrutiny

While obvious, we would be remiss if we did not point out a critical reason for changing an AML program: changes to the statute and/or other regulatory guidance. The aforementioned customer due diligence/beneficial ownership rule is a perfect example of a reason to change an AML program. FinCEN advisories, OFAC sanctions program updates and special measures are also all reasons for BSA officers to consider changing their BSA compliance program.

In addition to specific changes to the BSA, BSA/AML regulations in general receive seemingly constant scrutiny from a plethora of regulatory bodies. Some reviewers question whether BSA/AML is working to prevent money laundering; others believe BSA compliance to be burdensome—particularly so on smaller organizations.

No matter the reason for the review, it is important for BSA officers to be aware of the reviews in case they influence changes to the current regulation.


The reasons to change a satisfactory AML program run the gamut and are important considerations for BSA officers. The risk of maintaining the status quo is that additional or other risks will have presented themselves since the program was evaluated. A static program is a program at risk. To paraphrase a quote from an unknown author: BSA officers must not be afraid of change—good controls may be eliminated, but better controls may be gained.

Amy Wotapka, CAMS, BSA officer, First American Bank, Vernon Hills, IL, USA

Elaine Yancey, CAMS, MBA, managing examiner, Federal Reserve Bank of Richmond, Richmond, VA, USA

The views and opinions expressed here are those of the author and do not represent an official position of the Federal Reserve Bank of Richmond or the Federal Reserve System.

  1. “Directive (EU) 2015/849 of the European Parliament and of the Council,” Official Journal of the European Union, May 20, 2015.
  2. Nina Kerkez, “Fourth Anti-Money Laundering Directive—How does it affect you?,” Accuity, March 21, 2016.
  3. “Politically Exposed Persons and Heads of International Organizations—Life Insurance Companies, Brokers and Agents,” FINTRAC, June 2017.
  4. “Part 504,” Department of Financial Services.
  5. Christopher J. Pelaez, “AML Compliance Costs—How much is enough?,” Global Radar, August 25, 2016.
  6. “Bank Secrecy Act/Anti-Money Laundering Examination Manual,” FFIEC, 2014.
  7. Christopher J. Pelaez, “AML Compliance Costs—How much is enough?,” Global Radar, August 25, 2016.
  8. “AML Model Risk Management and Validation,” EY, 2013.
