How to Build an AML Program That Passes Examination
A complete guide to building a BSA/AML compliance program, covering who needs one, what FinCEN requires, the five pillars, and how to get audit-ready without a $500/hour consultant.
Is Your Business Required to Have an AML Program?
Under the Bank Secrecy Act (BSA), any business classified as a "financial institution" by FinCEN is required to have a written AML compliance program. This covers a much broader range of businesses than most people realize.
The BSA defines "financial institution" to include not just banks, but also money services businesses, mortgage lenders, casinos, insurance companies, investment advisers, fintech companies, and dealers in high-value goods, among others.
If your business handles cash transactions, processes payments, extends credit, or facilitates the transfer of funds, there is a strong likelihood you are required to have a BSA/AML compliance program. Failure to maintain an adequate program can result in civil money penalties, criminal prosecution, and loss of operating licenses.
FinCEN Penalty Range
$25,000 – $1,000,000+ per violation for failure to maintain an adequate AML program
Money Services Businesses (MSBs)
Check cashers, money transmitters, currency exchangers, prepaid card issuers
Mortgage Lenders & Brokers
Residential and commercial mortgage originators, brokers, servicers
Fintech Companies
Payment processors, digital wallets, lending platforms, neobanks
Casinos & Gaming
Commercial casinos, card clubs, tribal gaming operations
Cryptocurrency Businesses
Crypto exchanges, virtual asset service providers (VASPs)
Title & Escrow Companies
Title insurance companies, escrow agents, settlement agents
Investment Advisers
RIAs, broker-dealers, investment companies
Insurance Companies
Life insurance companies, annuity providers
Dealers in Precious Metals/Stones
Jewelry dealers, coin dealers, gem dealers (transactions over $50,000)
What Is Required for BSA Compliance?
FinCEN requires regulated businesses to maintain a BSA/AML compliance program built on five core pillars. Here is what each pillar requires and how Soflo helps you meet it.
Written Policies & Procedures
A documented AML policy manual that describes your compliance program, customer risk rating methodology, transaction monitoring procedures, and recordkeeping requirements. This is the foundation of your BSA program.
Designated BSA Compliance Officer
A named individual responsible for managing and overseeing the AML program. This person must have sufficient authority, resources, and knowledge to implement and maintain the program. This is a regulatory requirement; it cannot be outsourced.
Annual Employee Training
All employees who handle transactions or interact with customers must receive annual AML/BSA training. Training must be documented with completion records and certificates. FinCEN requires training to be relevant to each employee's role.
Independent Program Review
An independent review (also called a BSA audit or independent test) must be conducted at least annually to evaluate the effectiveness of your AML program. The reviewer must be independent, meaning they cannot review their own work.
Customer Due Diligence (CDD)
Procedures for identifying and verifying customers, understanding the nature of customer relationships, and conducting ongoing monitoring. Banks must also identify beneficial owners of legal entity customers (the "fifth pillar" added by FinCEN in 2018).
How to Build an AML Program: 7 Steps
Follow these seven steps to build a BSA/AML compliance program that meets FinCEN requirements and passes regulatory examination.
Determine Your Regulatory Requirements
Identify which federal and state regulators oversee your business. FinCEN regulates most financial institutions under the BSA. Your state may have additional requirements. The specific pillars required depend on your business type.
Conduct a BSA Risk Assessment
Assess your business's money laundering risk across products, services, customers, and geographies. This risk assessment drives the design of your entire AML program. Higher-risk businesses need more robust controls.
Write Your AML Policy Manual
Document your AML policies, procedures, and controls in a written policy manual. This should cover customer identification, transaction monitoring, SAR/CTR filing, recordkeeping, and employee responsibilities.
Designate a BSA Compliance Officer
Appoint a named individual as your BSA compliance officer. This person is responsible for day-to-day program management, regulatory filings, and keeping the program current with regulatory changes.
Train All Relevant Employees
Deliver annual AML/BSA training to all employees who handle transactions or interact with customers. Document completion with certificates. Training must be role-specific and cover red flags relevant to your business.
Implement an Independent Review
Arrange for an independent review of your AML program at least annually. The reviewer evaluates whether your program is adequate, effective, and compliant with current FinCEN requirements.
Maintain Records & File Required Reports
Keep records of all training, risk assessments, and policy documents for at least 5 years. File SARs and CTRs as required. Maintain customer identification records per your CIP procedures.
Build Your AML Program Without a $500/Hour Consultant
Soflo is a BSA/AML Compliance-as-a-Service platform that delivers everything you need to build and maintain a complete AML program, at a fixed annual price, with no sales calls and no hourly billing.
Our compliance experts build your AML policy manual and BSA risk assessment from scratch, tailored to your specific business type and regulatory requirements. Your employees complete annual training online and receive auto-generated certificates. You get an audit-ready compliance portal with exportable documentation.
Custom AML policy manual built by compliance experts
BSA risk assessment tailored to your business type
Annual employee training with auto-generated certificates
Independent program review included
Audit-ready compliance portal with exportable reports
Program build time: 2–4 weeks
Annual cost: From $4,500
Client satisfaction: 4.9/5
Industry Specific Training: 15+
AML Program Questions Answered
Who needs a BSA AML program?
Any business classified as a "financial institution" under the Bank Secrecy Act must have a written BSA/AML compliance program. This includes money services businesses (MSBs), mortgage lenders, banks, credit unions, casinos, insurance companies, investment advisers, fintech companies, and dealers in precious metals, stones, or jewels. FinCEN also requires AML programs for certain real estate professionals and cryptocurrency businesses.
What are the five pillars of a BSA AML program?
The five pillars of a BSA/AML compliance program are: (1) Written policies and procedures, (2) A designated BSA compliance officer, (3) Annual employee training, (4) Independent testing/review of the program, and (5) Customer Due Diligence (CDD) procedures. Banks and credit unions must meet all five pillars. MSBs and other non-bank financial institutions must meet the first four pillars at minimum.
What is required for BSA compliance?
BSA compliance requires a written AML policy manual, a designated BSA compliance officer, annual employee training with documented completion records, an independent review of the program at least annually, and Customer Due Diligence (CDD) procedures. Depending on your business type, you may also need to file Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and maintain records of certain transactions.
How long does it take to build an AML program?
Building an AML program from scratch typically takes 4–12 weeks if done manually with a consultant. With Soflo, you can have a complete, audit-ready AML BSA compliance program, including written policies, risk assessment, and employee training, within 2–4 weeks of subscribing. The training component is available immediately after purchase.
How much does it cost to build an AML program?
Traditional AML consultants charge $150 to $500/hour, making a full program build cost $5,000 to $25,000+. Soflo offers a fixed-price alternative: Training + Creation plans start at $4,500/year and include a custom AML policy manual, BSA risk assessment, and annual employee training, with no hourly billing and no surprise invoices.
Can I build my own AML program without a consultant?
Yes, but it requires significant knowledge of FinCEN regulations, your industry-specific requirements, and current examination standards. Most small businesses use a compliance service like Soflo to ensure their program meets regulatory standards without the cost of a traditional consultant. Soflo's compliance experts build your AML policy and risk assessment, while you manage the day-to-day program.
Ready to Build Your AML Program?
Soflo builds your complete BSA/AML compliance program: policy manual, risk assessment, and annual training, at a fixed annual price. No consultants. No hourly billing. Instant access.