Building the BSA/AML Program

Article By: Gregg Oberg, Spillane Consulting Associates, Inc.

When regulatory requirements impact strategic or management action, our goal is to help business leaders make well-informed decisions.

Many of us are, at least in passing, familiar with the “Four Pillars” of an effective BSA/AML compliance program. But are we ready for (or even aware of) the FIFTH Pillar, which becomes effective in May of this year? May 11, 2018, to be exact. If you’re less familiar, or want a simple way to describe money laundering in real-world terms, skip to the bottom first.

Briefly, the “Four Pillars” include:

  • Implementation of a system of internal controls

  • Independent testing of compliance

  • Designation of a BSA officer

  • Risk and role specific training

The “Fifth Pillar” adds enhanced Know Your Customer (KYC) requirements: ongoing customer due diligence and identification of the beneficial owners of legal entity customers. It makes explicit (building on the customer identification requirements that date from the USA PATRIOT Act) diligence that should already have been at the heart of your BSA program.

What to Know about Knowing your Customer

Briefly, KYC requires that we first identify our customers at account opening through a Customer Identification Program (CIP). This means written policy and procedure for how customer identity is verified, including risk-based escalation for high-risk interactions and for situations where the bank cannot form a reasonable belief as to the customer’s true identity.

KYC makes clear that the diligence due in a BSA context is payable not only at account opening, but on a continuing basis throughout the banking relationship. Customer Due Diligence (CDD) requires continued monitoring of customers after onboarding. What is their business or personal banking pattern? How much do you expect to flow in and out of the accounts in a given period? Are there multiple cash transactions? Do they typically send money abroad? Knowing your customer requires a baseline of “what is normal” for the account, and diligent identification of red-flag transactions that depart from that baseline (how large a departure must be before it matters is debatable).

In line with CDD and CIP, Enhanced Due Diligence (EDD) is a risk-based escalation of customer monitoring for those customers we deem “high risk” due to the nature of their banking business. Essentially, we pay extra attention to the customers we identified as “questionable” during CIP, and to those subsequently deemed high risk as part of ongoing CDD.
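To make the CDD and EDD ideas above concrete, here is an added illustration (written for this article, not code from SCA or from any monitoring product) of baseline-and-deviation monitoring: each customer’s first ninety days of activity define “what is normal”, later activity is compared against it for the red flags the text lists (unusually large amounts, a burst of cash deposits, money sent to a new country), and customers are escalated to EDD either because they were tagged at CIP or because ongoing CDD raised a flag. The ledger, the thresholds, the ninety-day window and the CIP high-risk list are all assumptions made for the example.

```python
"""Baseline-and-deviation monitoring for ongoing CDD (added illustration).
Thresholds, the 90-day baseline window, the CIP high-risk list and the
sample ledger are assumptions made for this example, not regulatory values."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    when: date
    amount: float        # positive = inflow, negative = outflow
    kind: str            # "ach", "cash" or "wire"
    country: str = "US"  # counterparty country (meaningful for wires)


def tx(customer, month, day, amount, kind, country="US"):
    return Txn(customer, date(2018, month, day), float(amount), kind, country)


# Constructed sample ledger (assumed data, not real customers).
LEDGER = [
    # C-001: payroll deposits and rent, then one very large inflow
    tx("C-001", 1, 5, 3000, "ach"), tx("C-001", 1, 19, 3000, "ach"), tx("C-001", 1, 31, -1200, "ach"),
    tx("C-001", 2, 2, 3000, "ach"), tx("C-001", 2, 16, 3000, "ach"), tx("C-001", 2, 28, -1200, "ach"),
    tx("C-001", 4, 6, 3000, "ach"), tx("C-001", 4, 20, 40000, "ach"),
    # C-002: weekly cash and a monthly wire to MX, then a cash burst and a wire to a new country
    tx("C-002", 1, 8, 2000, "cash"), tx("C-002", 1, 15, 2000, "cash"), tx("C-002", 1, 22, 2000, "cash"),
    tx("C-002", 1, 29, 2000, "cash"), tx("C-002", 2, 5, 2000, "cash"), tx("C-002", 2, 12, 2000, "cash"),
    tx("C-002", 1, 31, -5000, "wire", "MX"), tx("C-002", 2, 28, -5000, "wire", "MX"),
    tx("C-002", 4, 9, 2400, "cash"), tx("C-002", 4, 10, 2400, "cash"), tx("C-002", 4, 11, 2400, "cash"),
    tx("C-002", 4, 12, 2400, "cash"), tx("C-002", 4, 13, -5000, "wire", "PA"),
    # C-003: unremarkable activity, but tagged high risk at account opening
    tx("C-003", 1, 10, 1500, "ach"), tx("C-003", 2, 10, 1500, "ach"), tx("C-003", 3, 10, 1500, "ach"),
    tx("C-003", 4, 11, 1500, "ach"),
    # C-004: unremarkable activity with a recurring wire to CA
    tx("C-004", 1, 3, 2200, "ach"), tx("C-004", 2, 3, 2200, "ach"), tx("C-004", 2, 20, -900, "wire", "CA"),
    tx("C-004", 3, 3, 2200, "ach"), tx("C-004", 4, 5, 2200, "ach"), tx("C-004", 4, 20, -900, "wire", "CA"),
]

Z_THRESHOLD = 3.0            # assumption: amounts more than 3 sigma above baseline are flagged
CASH_WINDOW = timedelta(days=7)
CASH_COUNT_LIMIT = 3         # assumption: more than 3 cash deposits in 7 days is a flag
CIP_HIGH_RISK = {"C-003"}    # assumption: customers already escalated during CIP


def build_baseline(txns, customer, days=90):
    """Summarise the customer's first `days` of activity: typical amount, its spread,
    and the wire destinations seen. Returns None if there is no history at all."""
    hist = sorted((t for t in txns if t.customer == customer), key=lambda t: t.when)
    if not hist:
        return None
    cutoff = hist[0].when + timedelta(days=days)
    amounts = [abs(t.amount) for t in hist if t.when < cutoff]
    avg = mean(amounts)
    return {
        "mean": avg,
        "sd": max(pstdev(amounts), 0.1 * avg),  # floor so a perfectly regular history does not flag everything
        "countries": {t.country for t in hist if t.when < cutoff and t.kind == "wire"},
        "cutoff": cutoff,
    }


def red_flags(txns, customer, baseline):
    """Compare post-baseline activity with the baseline; return (date, reason) pairs."""
    flags, cash_dates = [], []
    recent = sorted((t for t in txns if t.customer == customer and t.when >= baseline["cutoff"]),
                    key=lambda t: t.when)
    for t in recent:
        z = (abs(t.amount) - baseline["mean"]) / baseline["sd"]
        if z > Z_THRESHOLD:
            flags.append((t.when, f"amount {abs(t.amount):,.2f} is {z:.1f} sd above baseline"))
        if t.kind == "wire" and t.country not in baseline["countries"]:
            flags.append((t.when, f"wire to new destination country {t.country}"))
        if t.kind == "cash" and t.amount > 0:
            # sliding window of recent cash deposits: the "multiple cash transactions" red flag
            cash_dates = [d for d in cash_dates if t.when - d <= CASH_WINDOW] + [t.when]
            if len(cash_dates) > CASH_COUNT_LIMIT:
                flags.append((t.when, f"{len(cash_dates)} cash deposits within {CASH_WINDOW.days} days"))
    return flags


def review(txns):
    """Run ongoing CDD for every customer; escalate to EDD anyone tagged at CIP
    or whose post-baseline activity raised a red flag."""
    result = {}
    for customer in sorted({t.customer for t in txns}):
        baseline = build_baseline(txns, customer)
        flags = red_flags(txns, customer, baseline) if baseline else []
        tier = "EDD" if customer in CIP_HIGH_RISK or flags else "CDD"
        result[customer] = {"tier": tier, "flags": flags}
    return result


if __name__ == "__main__":
    for customer, r in review(LEDGER).items():
        print(customer, r["tier"], *(f"{d}: {why}" for d, why in r["flags"]), sep="\n  ")
```

Run as written, the review escalates C-001 (one inflow far outside its payroll pattern), C-002 (four cash deposits in four days and a wire to a country never seen in its baseline) and C-003 (no unusual activity, but tagged at CIP), and leaves C-004 at routine CDD. The point of the floor on the standard deviation is the edge case a real program hits immediately: a customer whose history is perfectly regular has zero spread, and without a floor every later transaction would be “anomalous”. Real monitoring would also segment baselines by transaction type and refresh them over time; the risk assessment, not this code, decides the thresholds.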

You Know What Really Grinds My Gears…

On a technical note, we need a new term to encompass the requirements of BSA/AML. Who’s ever heard of a five-legged stool? Pillars make me think Greek architecture. I’m no architect, but I’m struggling to understand how 5 pillars is more stable than 4. Ted Mosby, if you’re reading this…please explain.

Building the Temple of Compliance 

Number of pillars aside, a four- (or five-) pronged approach largely misses the point. The requirement is to “develop, implement, and maintain an effective BSA program.” (I’m not sure “effective” is literally in that quote, but who intends to develop an ineffective program?) This implies a cycle of actions, not simply erecting the four pillars and hoping they stand as long as the Temple of Zeus. In reality, it is this directive to “develop, implement, and maintain” that holds the columns together; the brick and mortar, if you will.


It seems obvious, but step one in building columns to support a roof is planning. Continuing the architecture metaphor, we don’t place columns at random and assume they’ll carry the load (or liability, in our case). How do we know what design to use for the columns of the Temple of Compliance? The same way we know what support an actual building needs: we plan, and we assess needs, risks, and costs. In the BSA context this is the Risk Assessment, and it should be step one in implementing any policy or procedure, whether you are setting up BSA compliance for the first time or simply performing annual updates to account for changed business and regulatory conditions.

Once we’ve identified what the structure needs, we don’t simply send the workers out to build as they see fit. We document a cohesive building plan and blueprints, which in our case take the form of policies, procedures, and corresponding internal controls.

One final note on development: the complexity of the system of internal controls is relative to the sophistication of the project. Just as the materials for the Colosseum were (presumably) of higher quality than those for an open-air market, not all institutions will need the same complexity of internal controls. Consider the factors evaluated in the risk assessment, such as customer types, geographic locations, product types, and third-party relationships, in setting the appropriate level of internal controls, policies, procedures, and other resources committed to BSA compliance.


Once we’ve designed the temple and chosen the stone, we need to actually build. Most of us will not be building a temple from the ground up; more likely we’re performing renovations (if the temple secures that home improvement loan, is it reported for HMDA?). This phase of the BSA compliance building process includes pillars One, Three, and Four (arguably all four, but I’ll punt).

An early step in the construction phase is to hire the foreman, project manager, or general contractor. In the BSA Compliance Temple, this is the BSA officer. Although the board must ultimately retain authority over and oversight of the BSA compliance program, the BSA officer is the conduit through which relevant information passes from management and operations to the board.

As with an actual construction project, we should hire a qualified individual. Who is “qualified” also sits on a sliding scale, similar to the complexity-of-controls discussion above. Generally speaking, you should be looking for somebody you (and your board) can trust to do the job properly. I wish I could quantify this in years of experience, degrees, or certifications, but the best test I can offer is: “can I sleep well at night knowing this individual is in charge of our BSA compliance?”

But getting the qualified individual is only step one. You also have to empower that individual to exercise control and oversight of BSA functions. Proper resources and autonomy are key to ensuring the BSA officer is more than just a title. Don’t try to cut costs (and corners). You can have the finest marble finish on the temple, but if the guts are papier-mâché, it won’t hold up to the flames the regulators will rain down on it (dramatic, I know).

Finally, now that we know the plan and who is leading the project, we need to push the information developed in policy and procedure (the blueprints, in our analogy) to the appropriate individuals. As on any job, this is done with training and job aids. While training is obviously essential to implementing a BSA compliance program, I’d prefer to discuss that point in the “maintenance” phase below, since more often than not you’ll be training employees who already have some knowledge of the procedures they work within.

I will say one thing about training, as the analogy here really brings it home. Do you inform the carpenter or mason of the entire scope of the project? No; it’s too much information that isn’t pertinent to their jobs. The laborer who lays the bricks does not need to know what window dressings you plan to use. Training at the bank should be approached the same way. There is only so much information an individual can process: you can have breadth or depth. Just as you wouldn’t train the board to physically open an account, you don’t need to teach tellers information they will never use. Tailor your training to the functions and transactions the individual is actually likely to handle.


Once we enter the maintenance period, the temple is built, and we are making sure it withstands the test of time. There are two key elements: making sure the building itself is sound and performing as the architect intended (namely, not falling over), and making sure building staff are well informed on the routine upkeep needed to hold off the ravages of time.

I’m somewhat ignoring new hires here, as I think it’s a complete no-brainer. You CANNOT have employees on your front lines who are completely ignorant of bank policy and procedure; that’s just a business reality. So I assume baseline training is provided as part of onboarding. What is more important, in my mind, is adapting the training to changing conditions and risks.

How do we make sure our piece of architectural history does not crumble to the ground? First, we pay attention to the structure. Are we checking whether the foundation is cracking or shifting? Is the roof leaking? Are we even performing the maintenance inspections and upkeep we designed into the initial plan?

This monitoring closes the loop back to development and risk assessment. In addition to the initial risk assessment performed as part of implementing controls, we must continue to assess risk at least annually, because regulations change, risk profiles change, and business models change. While I would definitely recommend an updated risk assessment whenever a significant new business opportunity is evaluated, it isn’t always possible at smaller institutions to approach these decisions with a full understanding of the BSA implications. At the least, we need to be prepared to reassess our BSA risk after the new business is initiated and implement controls as necessary.

Another reason we may modify the training or procedural elements of the BSA program is in response to the independent testing (pillar Two) we should be performing annually. We don’t want to construct a temple that meets today’s demand and crumbles under the weight of additional patrons (sounds like the Big Dig to me…). We should embrace this testing and use it to uncover issues we didn’t see. It is impossible to evaluate every possible way a criminal could victimize our bank by laundering money; it is much easier to examine a set of procedures created to prevent laundering for cracks and end-arounds.

As we identify these flaws, we reassess our risks, implement new policy and procedure, and create training programs to ensure our employees are capable of preventing criminal activity. Think of it as security guards walking the monument to ensure nobody pulls an Ozzy Osbourne at the Alamo (look it up if you need to; I’ll wait).

The Bottom Line

This is clearly a gross oversimplification of BSA/AML requirements. BSA compliance is a key part of federal regulation of banking activities and serves a vital national security role. As such, it is wholly appropriate that criminal and civil penalties can be applied to individuals within the institution for failures.

At SCA and in my work with clients, I try my best to simplify these complex topics into fun (and, I’d hope, somewhat funny) easily digestible articles. If you’re having trouble understanding the basics of money laundering (or explaining it in training), s’all good, man: Jimmy McGill, Esq. provides an excellent description in about a minute and forty-five seconds, below.

Thanks so much for reading our weekly newsletters. We’re not always going to be perfect, but because we always do our best and try not to overpromise, we hope that we’re always going to be trustworthy. Your calls and e-mails are very helpful; please keep contributing.
**These are our opinions. We’re not authorized, or willing, to express those of others.**

Thank you to Gregg Oberg, Spillane Consulting Associates, Inc., who with the support of other experts at SCA have put together this newsletter.