The Basics of an AML Policy, Standards, and Procedures Framework

Vic Maculaitis
Jul 20, 2021


Here’s a short guide for not “writing” your bank into policy traps with audit and exam teams. Let’s start with the title of this story — notice it reads Policy vs. Policies. Most of the organizations that I have been inside of overthink the written (documented) aspects of an effective Anti-Money Laundering (AML) program — the policies for everything and anything approach.

An alternative framework can break down policy vs. standards vs. procedures.

AML Policy

This is a statement — a statement that articulates the Board of Directors’ and Management’s position on intent. Articulated intent should be precisely mapped to two (2) aspects of the bank’s position: (1) complying with AML laws and regulations and (2) mitigating risk associated with illicit activities/money laundering conduct. The policy statement is not how something will be done — it is simply an intention to recognize the obligations and requirements at a governing level (BOD/Management).

A meaningful and highly effective policy statement can equate to a one-pager and should 100% at least pass through the review of counsel. It does not have to be drafted by a lawyer, but needs a legal stamp of approval (aside from the ultimate approval of the full BOD).

Remember, even if you live and die by the FFIEC exam manual (how examiners conduct an exam, not to be confused with law or regulation), it (along with actual law and regulation) is clear on the obligation of “establishing and maintaining procedures reasonably designed to assure and monitor compliance with BSA regulatory requirements (BSA/AML compliance program)” — how it gets done is where it really matters.

AML Standards

Standards are the tailored layer beyond the policy statement. Tailored means taking your policy statement and assigning ownership and accountability across business units and functions within the banking enterprise. Standards, unlike policy statements, get the added language (customization) of where a business unit or function fits into the overall intent of complying and mitigating risk.

Roles and responsibilities are a major customization factor within AML standards. Roles are easily articulable, but responsibilities can often start to encroach on procedural territory — don’t fall into that trap.

Standards, like the policy statement, set the tone and overarching expectation (follow the linear linkage). This framework is easily applied to all of the conventional frameworks like 1–3LOD; IRM; legal entities; divisions; etc. that are found in overly complex global financial institutions or very basic domestic banking organizations. Moreover, the framework fits into the more contemporary FinTech structures that include more expansive engineering and product teams (arguably where standards should begin anyway).

AML Procedures

As alluded to in the last sentence of the AML Policy section — there is not a more important part of AML than execution. Execution, while guided by policy and standards, is what produces outcomes. Outcomes are the single most important aspect of an AML program (hence why the global AML community has finally refocused its efforts on effectiveness). Outcomes are the results of operationalized processes. Processes are executed in accordance with procedures.

Processes can only be measured, monitored, tested, examined, and optimized if they have clear and “reasonably designed” procedures. Clarity is as simple as — who is doing what. Who is doing what — that’s it. Conflating procedures with policy language and/or standards not only confuses the who trying to do the what, but it also gives a third party too much to test and question. The former represents inefficiencies and the latter represents unnecessary risk.

Stringing the Framework Together

The Chief AML Officer is best positioned to draft, articulate, and champion a policy statement of intent to the BOD and Management team. The BOD and Management put the weight and authority behind the adopted policy and entrust the CAMLO to further champion the statement throughout the enterprise.

Business leaders across the banking enterprise are in lockstep with the policy statement and, in furtherance of that intent, develop (with advice from the CAMLO and/or designee(s)) standards customized to their business/function.

Middle to line management then are trained on the standards and operationalize them with procedures that are deployed across the day-to-day activities of the business and functions across the banking enterprise.

Avoiding the nuances of questions and requests like — what’s your policy for (fill in the blank) or we found that 45% of the time you don’t collect (fill in the blank) or document (fill in the blank) and it’s in your policy to do so — can be done with a policy, standards, and procedures framework.
