The 5 pillars of BSA: Does the new AML/CFT program rule add a sixth pillar?

Terri Luttrell, CAMS-Audit, CFCS
July 19, 2024

Tips for a strong AML program that will lead to a successful exam

The task of building a robust AML program may seem overwhelming, but there is no better place to start than with the five pillars of the Bank Secrecy Act (BSA).


The 5 pillars of BSA

Understanding the pillars to build a strong AML program

This post updates a 2022 blog to include information on AML pillars from newer rules.

The task of building a robust AML/CFT program may seem overwhelming for Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) Officers. Knowing where to begin is the key to a successful project plan when developing a new program or revamping an outdated or inefficient program. Historically, there has been no better place to start than with the foundation of an AML/CFT program, the five pillars of the Bank Secrecy Act (BSA).

An interesting question to pose now is whether there are still only five pillars of an AML program.

With FinCEN’s new Proposed Rule to Strengthen and Modernize Financial Institutions’ AML/CFT Programs (AML/CFT proposed rule), we might argue that there are now six pillars of BSA. The Financial Crimes Enforcement Network’s AML/CFT program rule codifies a risk assessment process as part of BSA and AML compliance. Perhaps the risk assessment mandate will become the primary BSA pillar once the Federal Financial Institutions Examination Council (FFIEC) updates its examination manual.

BSA Exam Manual takeaways

Pillars for AML compliance from the FFIEC

Fortunately for AML/CFT Officers, regardless of experience level, the FFIEC BSA Examination Manual already provides guidance for you to build or restructure your AML/CFT program. However, copying and pasting the recommendations into your policies and procedures will not be enough to ensure a solid program. You must understand each of the pillars to manage accordingly and educate those on the front line about the role they will play in bringing it to life. You must also instill a strong culture of compliance at your institution to ensure long-term success.

Let's examine the key takeaways for each of the current five pillars of BSA and AML compliance. Then, we’ll examine what might become the sixth AML pillar.

1. Internal controls

Many factors make the internal control pillar critical to your AML/CFT program. Not only is this a required part of BSA compliance, but controls also ensure that things are running smoothly and that you won't be caught off guard during a regulatory examination. Critical internal controls include:

  • Developing policies, procedures, and processes designed to mitigate and manage money laundering and terror financing.
  • Providing timely updates in response to changes in regulations to keep your AML/CFT program aligned with regulatory expectations.
  • Incorporating dual controls and the segregation of duties to ensure an essential second management layer.
  • Managing technological and staffing resources strictly so that all AML responsibilities are met or, at a minimum, so that you can make your business case to senior management if resources are deficient.
  • Providing for program continuity despite changes in operations, management, or employee structure to ensure that no surprises occur from issues such as a pandemic or other natural disaster.

2. Designation of an AML/CFT Officer (formerly BSA Officer)

The AML/CFT Officer pillar seems intuitive; all successful programs must have a competent leader. A carefully considered appointment is critical. Remember these key factors when appointing your AML/CFT Officer:

  • The designated AML/CFT Officer must be approved by the board of directors and recorded in meeting minutes.
  • The AML/CFT Officer must have the appropriate background and level of experience for the position. Promoting the head teller of the institution, no matter how great a staff member they may be, will probably not pass regulatory scrutiny.
  • The AML/CFT Officer must have the necessary authority, independence, and access to resources to administer an adequate AML compliance program. Independence means that the reporting structure should be outside of the compliance area, and the AML/CFT Officer should be the decision maker in all matters relating to BSA. The title of this position is unimportant from a regulatory perspective, but the authority, independence, and access to resources are critical.

3. Periodic BSA training

Despite sounding straightforward, BSA training is often not implemented properly and is a common examiner finding. Ongoing training is at the heart of a solid AML compliance program. Be sure to take these steps to fulfill the BSA training requirements:

  • Avoid one-size-fits-all training. BSA training must be tailored to each employee's roles and responsibilities. The front-line staff is your ultimate line of defense and must have detailed BSA training. However, lenders need to know what is relevant to their job functions, and the board of directors requires high-level training to cover their fiduciary duties.
  • Conduct BSA training at least annually and more often if you experience deficiencies in implementing policies and procedures. An effective AML/CFT program cannot be achieved without all team members having the necessary knowledge.
  • Document training modules and dates for every staff member, including the board of directors. If one stubborn executive misses training, you will receive regulatory criticism. Remember to stress a culture of compliance if you run into this situation.

4. Independent testing

The term independent testing is used interchangeably with an audit function. This pillar is designed to assess a financial institution's compliance with AML requirements and the overall adequacy of the AML compliance program. An independent audit before an exam, either internal or by a third party, gives you the ability to shore up any gaps in your program before a regulatory exam. Takeaways for financial institutions from this pillar include:

  • Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.
  • Those conducting the audit must have sufficient knowledge and experience with AML compliance.
  • Audits should consider the entire AML/CFT program, including AML and OFAC monitoring technical resources. Periodic AML model validations will also be required to ensure that AML software is working as intended and that all critical data sources feeding into each model are identified.

5. Ongoing customer due diligence (CDD)

A cornerstone of a robust AML compliance program is adopting and implementing risk-based CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of ongoing customer due diligence is to understand the nature and purpose of customer relationships, which may include understanding the types of transactions in which a customer is likely to engage. These processes assist financial institutions in determining when transactions are potentially suspicious. Below are important factors to assess when developing your CDD program:

  • Each CDD program should begin with a Customer Identification Program (CIP) as outlined in the USA PATRIOT Act.
  • CDD should be risk-focused. Not all customers in a higher-risk category have equal risk within an institution. Rely on your institution's unique risk assessment to determine how much due diligence is required for each customer type.
  • As part of CDD, financial institutions must identify and verify beneficial owners of legal entities with an ownership interest of 25% or more. Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage, or direct a legal entity customer. For each legal entity, the customer must identify one beneficial owner under the control prong.
  • It's worth noting that the Anti-Money Laundering Act of 2020 has required FinCEN to analyze any changes needed to the CDD legislation once FinCEN establishes the beneficial ownership registry. Although details for this requirement are very late in coming to fruition, you should keep your eyes open for future updates on CDD and beneficial ownership changes.

Risk assessment requirement

A possible sixth pillar for AML compliance

The risk assessment process has long been a regulatory expectation for AML/CFT programs but had never been codified until it appeared in the AML/CFT proposed rule. If the rule is finalized as currently written, a financial institution would be mandated to establish a risk assessment process to serve as the basis of the AML/CFT program. FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution's money laundering and terrorist financing risks but also to manage and mitigate those risks reasonably. Once the final rule is published, the FFIEC will likely incorporate this requirement as the primary pillar of an AML/CFT program.

Essential guides

Adherence to the pillars is crucial for institutions

The five, or six, pillars of BSA are essential guidelines for all AML/CFT programs, and regulators look for the implementation and results of each during an examination. Of course, it is crucial to have a successful regulatory examination, but why is adherence to the pillars important for financial institutions? Remember the underlying reasons for following these guidelines — the critical components of AML/CFT: 

  • Detecting and reporting unusual or suspicious activity
  • Avoiding criminal exposure from persons using your institution for illicit purposes
  • Adhering to safe and sound banking practices

Federal regulators have issued several recent enforcement actions involving BSA pillar violations, such as one issued by the FDIC to a California bank in October 2023. Findings include:

  • Inadequate written BSA compliance program
  • Insufficient internal controls
  • AML/CFT Officer not qualified
  • BSA training was not tailored to specific job duties
  • Unacceptable CDD program
  • Insufficient suspicious activity monitoring

Remembering these BSA pillars, including a robust risk assessment process, is essential for a successful examination, which will confirm your institution's safety and soundness. These pillars must be understood and cannot be missed for a successful AML/CFT program.

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.
