The AML compliance checklist: best practices, tools, and processes
Compliance with anti-money laundering (AML) regulations developed under Financial Industry Regulatory Authority (FINRA) and Financial Crimes Enforcement Network (FICEN) frameworks is mandatory for any institution that handles financial transactions.
The challenge? While these AML regulations aim to reduce money laundering and the financing of terrorism, they also often increase complexity for organizations that need to achieve and maintain compliance without impeding their operations.
In this AML checklist, we’ll start with a quick refresher of the five AML pillars before diving into four processes that can help improve AML compliance.
The five pillars of AML
Compliant AML programs are built on five pillars. Let’s take a quick look at each component of this process.
1. Designate a compliance officer
First, you’ll need to designate a compliance officer to oversee your institution’s AML compliance and ensure your processes align with regulatory expectations. You’re looking for someone with experience in your specific industry. Ideally, they should have knowledge of your industry and the types of risk your business is exposed to. They should also have experience managing a compliance team.
2. Develop written internal policies
As you design and implement your AML program, the policies guiding it must be thoroughly documented. This gives your employees a central piece of documentation to refer back to when they have AML-related questions, and also helps them understand the how and why behind your institution’s AML practices. This document also provides regulators and auditors with a blueprint of your AML program.
3. Educate employees
If your employees don’t understand how your AML policies work or receive regular training on the compliance requirements specific to their jobs, your documented policies won’t do anything. A comprehensive AML employee training program will increase their understanding of what they need to do such that your company achieves and maintains compliance. Employees should receive training during onboarding and in an ongoing manner — typically once per year, or any time your AML process changes or your business’s risk profile changes.
4. Schedule an independent third-party review
AML regulations require financial institutions to hire third-party auditors to regularly evaluate their AML programs for potential weaknesses. In addition to offering a more unbiased evaluation compared to internal auditors, they also bring valuable experience and insight from previous audits conducted for other institutions.
5. Deploy risk-based procedures for conducting customer due diligence
As of 2018, financial institutions must comply with FinCEN’s customer due diligence (CDD) rule. This rule requires you to implement a risk-based approach to your customer identification program (CIP), transaction monitoring, and suspicious activity reporting.
Looking for a more in-depth analysis of the five pillars? We’ve got you covered.
Processes to improve AML compliance
Now that you have a basic understanding of the five AML pillars, it’s time to familiarize yourself with a few steps you can take to address anti-money laundering expectations as they apply in the real world rather than as part of FINRA or FinCEN regulations.
1. Start with an AML risk assessment
In order to embrace a risk-based approach to AML, you must first complete an AML risk assessment to understand the unique money laundering risks that your business is exposed to. Your risk profile can then be used to inform your AML processes.
Some factors to consider during your assessment include:
Locations of operation
Where your company operates and where your customers are located can impact how much money laundering risk you may face. If you serve customers in areas deemed by the Financial Action Task Force (FATF) to have “strategic deficiencies in their regimes to counter money laundering, terrorist financing, and proliferation financing,” you may want to introduce more friction in your identity verification processes if users in those countries start to exhibit risk signals during onboarding.
Product associated risk
Not all products and services carry the same level of money laundering risk. As such, it’s important to understand the exploitation risk of each of the products and services you offer. Cryptocurrency, for example, has long been linked to money laundering activities due to the non-reversible nature of crypto transactions and high degree of anonymity.
Shifting risk factors
Risk isn’t a static quality. As geopolitical forces shift over time, countries that were once relative safe havens may become more risky. Criminals may develop new means of exploiting services and products that previously exhibited a low risk of being used for money laundering. Work from home policies may increase the chances of transaction data to be intercepted or modified by malicious actors. Understanding how your risk profile changes over time is an important part of staying compliant.
2. Set up an AML verification process
As noted above, financial institutions are required to perform customer due diligence on all customers seeking to open an account. This means that all customers must have their identities verified in a way that is commensurate with the risk they pose.
This screening process should include some combination of the following, depending on the assessed risk level:
Obtaining full name and date of birth.
Checking these details against current financial sanctions and watchlists to ensure individuals are not high-risk.
Verifying age and ID documentation to ensure individuals are who they say they are.
Regularly reevaluating these details to remain in compliance with AML regulations.
Likewise, it is important to screen your employees during the hiring process for money laundering risk as well, to ensure that you are not inadvertently hiring someone who will act as an insider or mole for criminals to exploit in the future.
3. Recognize the signs of money laundering
To better assess money laundering risk, you should also have systems in place to recognize and flag suspicious activities that could indicate money laundering activities. Some of these activities include:
Large-volume transactions from countries known for money laundering.
Multiple new account creation requests over a short period of time that lack verifiable ID.
Sudden upticks in transaction rates over a short period of time.
Strange user behavior such as access from multiple new locations or repeated failed login attempts.
4. Implement AML monitoring
While verification processes represent the starting point for AML compliance, continuous transaction monitoring is also critical to ensure due diligence.
In practice, monitoring customer profiles against current watchlists and sanctions lists helps you identify suspicious behavior as it occurs. If these activities are detected, you can have your team investigate further, report them to the appropriate authorities, and temporarily suspend customer transaction privileges if necessary.
Need help? Try AML software
While it’s possible to build and implement an AML compliance program from scratch, the amount of time and effort required to manually evaluate and report potentially fraudulent activities — especially as transaction volumes expand exponentially — can cause your team to spend more time on compliance processes than line-of-business operations.
AML software tools can help streamline this effort. By automating key tasks such as data collection, identity verification, and watchlist screenings, companies gain the benefit of compliance without the complexity that often accompanies this due diligence.
At Persona, we make AML compliance easy. Automatically screen new users, continually monitor them throughout their lifecycle, act on new insights, maintain an audit trail, and more with our trusted identity infrastructure. Plus, maximize conversions by designing an identity experience that’s native to your platform and dynamically adjusting friction based on users' unique risk levels.
Ready to meet constantly evolving compliance standards and regulation changes? Get started for free or contact us to learn more.
The AML process consists of a number of discrete steps aimed at preventing criminals from using a bank to launder money. These include:
Identity verification: Involves the collection and verification of key pieces of information (name, address, date of birth, and SSN) to ensure a customer is who they say they are.
Customer due diligence: Involves the analysis of customer risk, including the identification and verification of beneficial owners (for business customers).
AML screening: Involves cross-checking a customer against watchlists, sanctions lists, PEP databases, etc. to gain a more thorough understanding of customer risk.
Transaction monitoring: Involves monitoring customer transactions for suspicious activity which may be indicative of money laundering.
While banks often get a lot of attention when it comes to anti-money laundering, many different types of businesses are subject to AML requirements. With this in mind, the below stages of the AML cycle are generally applicable to the myriad companies that must comply with AML regulations:
Verifying a customer’s identity during onboarding
Assessing the customer’s risk level via AML screenings
Moving through the appropriate due diligence flow (standard, simplified, or enhanced), once risk level is assessed
Approving or rejecting the account
Continuously monitoring approved customers’ activities and transactions
Customer due diligence is an important part of the AML process. Broadly, it involves assessing customer risk and carries requirements that a financial organization:
Verify the identity of customers
Identify and verify the identity of a company’s beneficial owners
Develop customer risk profiles based on the nature and purpose of customer relationships
Conduct ongoing transaction/activity monitoring
There are three levels of customer due diligence:
Standard due diligence, for customers considered to carry the “standard” level of risk
Simplified due diligence, for customers considered to carry less risk
Enhanced due diligence, for customers considered to carry more risk
When you uncover money laundering on your platform, it’s important to understand that it may not be an isolated case. Bad actors often work together to launder money, passing funds between multiple accounts in order to muddy the waters about that money’s origins. And even if a money launderer is working alone, they may be using several fraudulent accounts to launder their funds.
If you have identified a fraudulent account on your platform, you can and should analyze the connections that that account shares with others on your platform to determine whether or not any of those other accounts may also be fraudulent. This can be done using a data science technique known as link analysis.