One of the critical components of an anti-money laundering program is written policies and procedures, also referred to as a BSA/AML compliance manual. 

While generic policies and procedures may be available online or from various vendors, companies must ensure that their compliance manual has company-specific procedures.  Regulatory examiners will not accept generic policies and procedures and will list the lack of a company-specific compliance manual as a critical finding. 

Policies and procedures must include or address:

• Designation of a compliance officer
• A training program addressing money laundering issues specific to the MSB's products and services
• Transaction monitoring specific to the MSB's products and services
• Suspicious activity specific to the MSB's products and services
• Document filing and retention
• Customer identification specific to the MSB's products and services
• Law enforcement inquiries
• An independent review process

All AML policies and procedures must be based on an assessment of the risk that the company faces regarding its products and services.  The risk assessment should include products, customers and geographic areas served.   

While regulations do not require MSBs to have a written risk assessment, the company should be able to articulate the process that it conducted to identify its risks. Policies and procedures should be drafted to address the identified risk.

MSBs must ensure that all processes and procedures written in the compliance manual are, in fact, followed in day-to-day business activities.  Failure to follow written procedures will result in a significant finding by regulators.  Company policies and procedures should be realistic and the company must have adequate resources to comply with those stated policies.

Management must insure that the compliance department is staffed to address the risks identified in the AML risk assessment.  Additionally, the compliance officer must be given appropriate authority to manage the compliance function of the MSB.  Ideally, the compliance officer should report directly to the board of directors, or the CEO of the MSB.

While regulations do not specifically list qualifications an MSB compliance officer must have, the compliance officer is expected to have sufficient background and training to lead the AML compliance program. Failure to have a qualified compliance officer will result in a significant finding by regulators.  Additionally, executive management must ensure the compliance officer has adequate authority and resources to manage the AML program.

A critical element of an MSB’s AML program is training for all employees who are involved in the regulated financial service.  Training must be documented, including name of employee, date trained, training subject and trainer's name. MSBs are expected to provide periodic refresher training to employees.  Refresher training must be also be documented in the same manner.

 Regulations require licensed MSBs to have oversight and control over their authorized delegates or agents.  It is expected that the licensed MSB provide an agent compliance manual, conduct agent training, monitor transactions and conduct examinations of their agents. 

If licensed MSBs identify discrepancies in an agent's AML controls, it must take appropriate action.  All oversight activity must be fully documented.  Regulators hold licensed MSBs responsible for their agent activity and will issue fines and penalties to the primary MSB if its agents are non-compliant.

 A key component of an AML program is the periodic review of the company’s AML policies and procedures by an independent party.  The review must be conducted by an individual or company who has sufficient background and knowledge of the MSB industry as well as current AML laws and requirements. 

The review must include an assessment of the primary requirements of AML compliance programs as well as a test to confirm that the MSB is following the procedures listed in the MSB's AML compliance manual.  The frequency of the review is based on the company’s product and services risk.

An MSB's senior management and board of advisers or directors must be fully aware of the AML laws and regulations governing the MSB.  They must also review the MSB's AML policies and procedures. The approval of any AML policy must be documented in writing. 

Executive management should be briefed on significant AML issues on a periodic basis or as the issues dictate.  Briefings should include regulatory examination indings, numbers of government forms filed, law enforcement requests for information, training updates and AML trends and patterns that affect the MSB industry.