AML Compliance Program Guide

The key takeaways are that building an effective AML compliance program involves creating the right organizational environment, conducting an AML risk assessment, and implementing organizational measures to address identified risks.

The three steps to building an effective AML compliance program are: 1) Creating the right organizational environment 2) Conducting an AML risk assessment 3) Implementing organizational measures

The three important elements needed to create the right organizational environment are: 1) Corporate culture 2) Strategic priorities 3) Management support

HOW TO BUILD AN AML COMPLIANCE PROGRAM IN 3 SIMPLE STEPS

The 3 Step Approach to Building an Effective AML program

Creating, implementing, and maintaining an effective AML compliance program is key for organizations to prevent money laundering and to assure compliance with applicable AML regulation. Now, there is definitely no single approach that fits all organizations alike, but there are some general elements to consider. These elements are most commonly the foundational building blocks for an effective AML compliance program.

But first things first. You might wonder what an AML compliance program actually is. Basically, an AML compliance program is everything an organization does related to money laundering prevention. This can include things such as processing policies, accounts monitoring and detection, and reporting of money laundering incidents. The aim of an AML compliance program is to expose and correctly react to the inherent and residual money laundering risk.

Usually, an AML compliance program is based upon some important factors that determine the size and scope of the program. This is important because, before creating a compliance program to battle money laundering, an organization has to analyze and draw up its potential risks and legal obligations.

❶ First of all, the organization needs to determine the risks it is exposed to.

❷ Secondly, it needs to consider the applicable AML laws in its jurisdiction and fines for non-compliance.

❸ Lastly, it needs to have a rough idea of what possible suspicious activities that indicate potential money laundering could look like.

These are at least the very basic considerations for building an effective AML program.

3 Step Approach

If this sounds a little bit too overwhelming, don’t worry. In the following, we will go through something
which can be called a step-by-step guide to build and implement an effective AML program. It comprises
three simple steps that will guide you towards the development of an effective AML compliance program.

Step 1: The first step is to create the right organizational environment, where you should consider the corporate culture, have the senior management support AML compliance, and make it a strategic priority.

Step 2: The second step is to conduct an AML risk assessment. This is done to get a holistic overview of the money laundering risks the organization is exposed to and that it can act upon.

Step 3: The third step is to implement organizational measures to counter the risks that you have identified for your organization.



Step 1: Creating the right organizational environment

The first step in building an effective AML Compliance program is to have or create the right organizational
environment. This organizational environment requires three important elements, which are organizational
culture, strategic priorities, and management support. Let’s go through them individually.

● Corporate Culture: Tone at the top

● Corporate Strategy: Business Strategy or Risk Strategy

● Management Support: Show and tell

Corporate Culture

Firstly, we should always be aware of the fact that people are at the center of it all. Nearly all cases of money laundering scandals and misconduct have one thing in common: it is usually individuals or a group of individuals who failed in their function, or at least did not act as resolutely as they should have. In most cases, the likely motivation is the sales culture of the institute on which targets and ultimately monetary compensation are based. No one is denying that an organization must make money in order to remain in the market. What is more difficult is the decision whether or not to deal with existing or potential clients with a high risk profile. The conflict of interests between economical and regulatory aspects is obvious: let’s call this the organization’s risk appetite.

What has this to do with corporate culture you might ask? The short answer is that behavior determines culture, and behavior can be adjusted to be in line with the company’s risk appetite.

To build a sound AML compliance culture and incorporate it into the daily business, the leadership of the organization must clearly and transparently communicate corporate culture and expected behavior. This is also commonly referred to as the tone at the top. The leadership needs to deal with money laundering on a regular basis and significant cases of non-compliance in terms of money laundering violations should be brought to its attention.



Corporate Strategy

The second element is to bring AML to paper as part of the organization’s business or risk strategy, because everything holds up on paper. The strategy needs to clearly articulate the strategic risk appetite of the organization as well as the corporate culture and behavior that is expected towards achieving this risk appetite. It is also important to remember that this document must be available at a place that is accessible for all people that are part of the organization.

Management Support

The third element to create the right organizational environment is management support. This is important, because the managers of the organization need to implement the tone from the top in daily business and to make sure that the tone is adhered to. Messages from the management should be unambiguous and pitched at a level understood by all, not corporate jargon that baffles and bemuses the worker bees. Most of all, management needs to practice what they preach. In terms of visibility, this means attending training with the troops and being seen to be engaged.

Step 2: Conducting an AML risk assessment


The second step in building an effective AML program is to conduct a money laundering risk assessment. This
is important, because an organization needs to have an overview of the specific AML risks it may be exposed to and it
needs to be aware of potential deficiencies. But let’s be more precise.

The AML risk assessment serves three objectives:

Objective 1: The first objective is very obvious; it is identifying the general and specific money laundering risks an organization is facing.

Objective 2: The second objective is determining how these risks are mitigated by the organization’s AML program controls. Having said this, this would obviously require already having some sort of AML controls in place. If your organization does not have any controls in place yet, this would basically mean that the degree of AML risk mitigation is zero and that it is about time to get cracking.

Objective 3: The third objective is establishing the residual risk that remains for the organization. Now what’s the residual risk? You have the AML risk, you have certain measures that mitigate that risk to some degree, and what remains after applying the measures is the residual risk.

Figure: 01 Risk of the organization; 02 Internal control environment; 03 Remaining organizational risk.



3 Steps to perform an AML Risk Assessment

So how do you perform an AML risk assessment? There are numerous ways to do this, which differ
across organizations and across industries. However, there is a conventional logic behind them and we will
look at a general approach that can be used to conduct a money laundering risk assessment. As a general
rule, the money laundering risk assessment should cover the entirety of the organization’s business, but it may
be conducted in parts, or as part of a rolling cycle with a particular focus.

Now the AML risk assessment is performed in 3 phases. Phase 1 is to determine the inherent risk, phase 2 is
assessing the internal measures, and phase 3 is to derive the residual risk.

Step 1: Identifying the inherent risk

Let’s explore how to determine the inherent risk.

The inherent risk represents the exposure to money laundering risk in the absence of any control environment being applied.

In order to identify the inherent risk, assessments across numerous risk categories are commonly undertaken, depending on the organization. Common categories include clients, products and services offered, distribution channels, geographies in which business is done, and something that is usually called other qualitative risk factors.

Let’s spend a word or two on these exemplary risk factors that might be assessed.

Clients

Let’s start with clients: For the purposes of assessing the inherent money laundering risk of a business division, unit or business line, the client base and business relationship should be assessed. A number of client types, industries, activities, professions and businesses, alongside other factors, can increase or decrease money laundering risks. The following categories can be used to stratify the client base and to identify aspects of client risk: client type, ownership, industry, activity, profession and business.

Products and Services

Next up are products and services: The volume of product types offered by the business and associated KPIs should be determined or estimated. The product types should then be assigned a risk category. For example, low money laundering risk, moderate money laundering risk, or high money laundering risk. This data can then be utilized to determine what percentage of each product type is rated according to the risk classification. You might for example see that 25% of your products have a moderate money laundering risk.

Delivery Channels

Then we have channels: Some delivery channels can increase money laundering risk because they increase the risk that the identity and activities of the clients can be disguised. Consequently, it should be assessed whether, and to what extent, the method of account origination or account servicing could increase the inherent money laundering risk.

Geographies

Next up are geographies: Identifying geographic locations that may pose a higher risk is a core component of any inherent risk assessment. Doing business in certain geographic locations can be associated with a higher risk of money laundering. For the geographic risk evaluation, you can use lists from the FATF or other organizations.

Additional Risk Factors

Last but not least, additional risk factors can have an impact on operational risks and contribute to an increasing or decreasing likelihood of breakdowns in key AML controls. Qualitative risk factors directly or indirectly affect inherent risk factors. For example, significant strategy and operational changes, or opening in a new location may affect the inherent risk.



Step 2: Evaluating the internal measures

Let’s move on to phase 2 of the money laundering risk assessment. Once the inherent risks have been identified and assessed, internal controls must be evaluated to determine how effectively they offset the overall risks. Controls are programs, policies or activities put in place by the organization to protect against the materialization of a money laundering risk. These controls are also used to maintain compliance with applicable AML regulation. AML controls are usually assessed across different control categories. Typical categories may include Corporate Governance, Policies and Procedures, Monitoring and Controls, Employee Training, as well as Detection and SAR filing. Each of these areas is assessed for overall design and operating effectiveness.

There may be both positive and negative indicators of control execution and these should be clearly documented in order to assess the operating effectiveness of each control.

Let us make an example: For Training, there will be a number of elements required to be present within an effective training framework. As such, the control assessment will focus on each of these elements, such as whether staff training needs have been assessed, whether specialist training is provided for key roles, or whether training is being completed on time. These elements require the organization to assess whether each element operates satisfactorily, needs improvement or is deficient.

The results for each control category are associated with a score, which reflects the relative strength of that control. Each category can then be assigned a weighting based on the importance that the institution places on that control. What comes out at the bottom will be used in Phase 3.

Step 3: Determining the residual risk

Okay, so once both the inherent risk and the effectiveness of the internal control environment have been considered, the residual risk can be determined. Residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management controls. The residual risk rating is used to indicate whether the money laundering risks within the organization are being adequately managed.

It is general practice to apply a 3-tier rating scale, to evaluate the residual risk on a scale of High, Moderate and Low. Any other rating scale could also be used, for example a 5-point scale of Low, Low to Moderate, Moderate, Moderate to High, and High. But a 3-tier rating scale is really the most common.



Using the AML Risk Assessment Results

Now that you have performed an AML risk assessment and have the results, what do you do with them? They can be used in an organization in many different ways. Here are the top 5:

❶ First of all, they can be used to identify gaps or opportunities for improvement in AML policies, procedures and processes.

❷ Second, they can be used to develop risk mitigation strategies including applicable internal controls and therefore lower the residual risk exposure.

❸ Third, they can be used to make informed decisions about risk appetite and implementation of control efforts, the allocation of resources, and technology spend.

❹ Next, they can be used to ensure senior management are made aware of the key risks, control gaps and remediation efforts.

❺ And last, they can be used to ensure regulators are made aware of the key risks, control gaps and remediation efforts across the organization.



Step 3: Implement organizational measures

Now the third and last step to build an effective AML compliance program is to implement organizational
measures. And hereby, we make use of the results of step 2. We use the results of the money laundering risk
assessment to identify gaps or opportunities for building and improving organizational measures.

In practice, it is very much an iterative process. Whether your organization is just starting out with building an initial AML program, or has had one in place for many years, there are four basic pillars that should be considered. These are internal policies, procedures, and controls; a designated compliance function; an independent audit function; and an ongoing employee training program.

We will explore each of these pillars in a little more detail, so that you have the basic knowledge to design an effective AML compliance program.

Pillar 1: Policies, Procedures, and Controls

Let’s start with internal policies, procedures, and controls. The establishment and development of an
organization’s policies, procedures and controls are really the foundation to a successful AML program.
Together, these three parts define and support the entire AML program, and at the same time, act as a
blueprint that outlines how an organization is fulfilling its regulatory requirements.

All three parts should be designed to mitigate the identified AML risks and should take into account the
applicable AML laws and regulations that the organization must comply with.

Policies

First of all, an overall AML policy should be formalized in a written document and validated by the
organization’s leadership. The policy should contain a chapter dedicated to money laundering risk
management. This chapter should outline three points: The maximum money laundering risk tolerance; the
guidelines to be followed when defining the money laundering risk management procedures; and the internal
counter measures and controls.



Procedures

Secondly, the internal procedures should be in line with the AML policy.
It is recommendable that the procedures cover basically all the
essential money laundering procedures.

The top 5 areas that you will see covered in the organizations’
procedures are

❶ How to conduct the Money laundering risk assessment


❷ Customer and transaction due diligence measures

❸ Analysis of atypical customer behavior and reporting requirements

❹ Embargoes, sanctions, and trade

❺ Internal whistleblowing

Controls

Lastly, organizations should implement an internal control system to monitor compliance with AML
procedures. This internal control system should be proportionate to the nature and extent of the organization’s
activities. This system, which may take multiple forms, should also be adapted to the risk classification
established by the organization. The internal control system should cover all activities that could potentially
expose the organization to money laundering risks and should apply to the entire AML system. It should
contain at least the following three elements:

● Checks relating to the activities of the operational services and departments

● Checks relating to the activities of the compliance or AML function

● Checks relating to third-party business introducers or subcontractors

Pillar 2: Compliance AML Function

This actually brings us right to the second pillar of an effective AML program, which is the compliance or AML
function.

AML programs should appoint a designated principal compliance function including a mainly responsible
compliance officer. This compliance officer must be responsible for overseeing the general implementation of
AML policy within their organization.

AML Compliance Officers should have sufficient experience and authority within their organization to ensure
they can perform their duties effectively. Those duties include communicating with authorities and auditors,
briefing senior management, and making AML policy recommendations based on audits and reports. It goes
without saying that AML compliance officers should be experts in the legislative requirements of their local
environment.



Pillar 3: Independent Audit

Now the third pillar of an effective AML program is somewhat related to this: An independent audit function. An effective AML compliance program should build in a schedule of independent testing and auditing. Independent testing should be mandated to take place every 12-18 months, although organizations working in particularly high-risk areas might consider a more frequent schedule than that. The audit function can be either internal or external, but whatever is chosen to test AML compliance, it must be qualified to conduct a risk-based audit that is appropriate to the organization.

Excursus: The 3 Lines of Defense


Before we move on to the last pillar, this is actually a good time to briefly explore the three lines of
defense. The three lines of defense is a concept used in the wider field of corporate governance, compliance
and risk management. So in order for an organization to design an efficient risk management system, the
processes used to control the company risks should be interconnected in a holistic system. This three lines of
defense model does exactly that; it integrates the main roles and responsibilities of the internal control system
of the company in a consistent system. Because money laundering is a risk, the three lines of defense concept
is also commonly applied here.

The 1st Line of Defense


In the first line of defense the operative management is confronted with risks in daily business operations
which have to be controlled. This line is responsible for the identification and assessment of these risks as
early as possible and the setting up of effective control measures to prevent the risks from occurring.

The 2nd Line of Defense


The second line of defense is a function which primarily monitors the control activities of the first line of
defense. In most organizations, this is the Compliance unit and this is also where the AML function should be.

The 3rd Line of Defense


The third line of defense is the function that is carrying out internal audits. They ensure the reduction of risk
based on the highest level of independence and objectivity within the company.

Pillar 4: Employee Training Program

The fourth pillar to consider for an effective AML compliance program is employee training. While every
employee within an organization should have a working knowledge of AML procedure, specific employees
will bear greater responsibility for the implementation of its AML compliance program. It may be appropriate
for an organization to implement a base level of training for all employees, and add further, targeted training to
those with more AML-specific responsibilities. Therefore, in a manner similar to creating an audit and testing
schedule, an AML compliance program should ensure that those employees receive regular training, and
know how to perform assigned duties.



Checklist: Building an effective AML Compliance Program

Establish a strong tone at the top and commitment to compliance

Appoint a compliance officer to ensure that you have adequate resources

Prepare risk assessments for customers, products and services

Develop policies and procedures that outline roles and responsibilities

Conduct training and communicate frequently about risks

Establish regulatory change management program to track new regulations (coordinate with
industry groups such as DATA and Bitcoin Foundation)

Audit programs at least annually (further testing may be needed)

Create procedures for exceptions and escalating risk incidents

Develop relationships with regulators, prepare for examinations.

Provide ongoing reports to management, boards, and investors.

Example: Designing an AML Risk Assessment Matrix

Likelihood (rows) against Impact (columns):

Likelihood      Negligible   Minor      Moderate   Significant   Severe
Very Likely     Low Med      Medium     Med Hi     High          High
Likely          Low          Low Med    Medium     Med Hi        High
Possible        Low          Low Med    Medium     Med Hi        Med Hi
Unlikely        Low          Low Med    Low Med    Medium        Med Hi
Very Unlikely   Low          Low        Low Med    Medium        Medium
