Building an AML program from scratch sounds more complicated than it is — but not building one is considerably more complicated than most business owners realize. If your business has BSA obligations and you don't yet have a formal written program, this is your framework for building one that passes examination.
Step 1 is a business risk assessment, and it's non-negotiable as the starting point. Before you write a single policy, you need to understand what you're defending against. A risk assessment identifies the specific ways your business model, product mix, customer base, and geographic location create money laundering exposure — and it provides the documented foundation that justifies every other element of your program. Examiners who find a program without a current risk assessment often assume the worst about what else is missing.
Step 2 is your written AML policy. This document describes your internal controls — the specific procedures your staff follows to prevent, detect, and report suspicious activity. It should cover customer identification, transaction monitoring, suspicious activity reporting, recordkeeping, and employee training. Write it to describe what your team actually does, not what you aspire to do. Regulators have an excellent instinct for policies that have never been read by the employees who are supposed to follow them.
Step 3 is designating your BSA compliance officer and building your training curriculum. The BSA officer must have actual authority, actual knowledge, and actual time allocated to the role — not just a title on an org chart. For most small businesses, this means either investing in a senior staff member's compliance education or engaging an external compliance professional on a consulting basis. Your training program must cover every employee who could encounter BSA-relevant activity, and every training session must be documented with content, date, and attendees.
Step 4 is building your customer due diligence and transaction monitoring procedures. These are the operational core of your program — the everyday activities that make your internal controls real rather than theoretical. Your CDD procedures define what information you collect before doing business with a customer. Your transaction monitoring procedures define how you identify and respond to unusual activity. Both must be specific, practical, and linked to the risks identified in your risk assessment.
Step 5 is independent testing and program maintenance. Schedule your first external program review within 12 months of implementation, and use the findings to improve before regulators arrive. Then build maintenance into your operating rhythm: annual risk assessment updates, regular training cycles, monthly monitoring reviews, and quarterly reporting to senior management. An AML program is not a document — it's a practice, and practices require maintenance.
Elena Vargas
BSA/AML Principal Consultant, Soflo Consulting
Specializes in BSA/AML program development and compliance training for regulated businesses nationwide, from community banks and fintech startups to real estate professionals and money services businesses.
Key Takeaways
1. Start with the risk assessment — every other program element flows from it
2. Written policies must describe actual practices — regulators can identify aspirational documents
3. The BSA officer role requires real authority, real knowledge, and dedicated time
4. CDD and transaction monitoring procedures must be specific and linked to identified risks
5. Schedule independent testing within 12 months of program launch — don't let the examiner be first
