
Most Mortgage Companies Don't Realize They're Already Required to Have AML/BSA Compliance.
Are you one of them? Find out in 30 seconds and get a free personalized action plan sent to your inbox.
Rule in effect since: 2012
Max penalty per violation: $1M+
100% of RMLOs are covered
The Rule: 31 CFR § 1029.210
FinCEN's AML rule for residential mortgage lenders and originators has been in effect since April 16, 2012.
If you fund or originate residential mortgage loans, you are a covered financial institution. No exceptions.
What Your Program Must Include
Written AML policies & procedures
Designated BSA compliance officer
Annual employee training + certificates
Independent annual program review
The Cost of Non-Compliance
FinCEN civil penalties range from $25,000 to $1,000,000+ per violation. State regulators can also suspend or revoke your mortgage license.
Why Mortgage Companies Are Covered and Most Don't Know It
In 2012, FinCEN issued a final rule under the Bank Secrecy Act requiring all residential mortgage lenders and originators (RMLOs) to establish and maintain written AML programs. The rule is codified at 31 CFR § 1029.210.
Unlike banks, which have dedicated compliance departments and regular examiners, mortgage companies often operate without any formal AML infrastructure, unaware that the same federal law applies to them. FinCEN has made clear that size is not an exemption.
Applies to all non-bank RMLOs regardless of size
In effect since April 16, 2012, no grace period
Enforced by FinCEN and state mortgage regulators
Penalties apply even without a money laundering incident
31 CFR § 1029.210: Anti-Money Laundering Programs for Residential Mortgage Lenders and Originators
The 4 Pillars of Mortgage AML Compliance
FinCEN requires every covered mortgage company to maintain a written AML program with four core elements. Missing any one is a regulatory finding.
Written Policies & Procedures
A formal AML policy manual covering your loan products, customer types, SAR/CTR procedures, and recordkeeping requirements. Must be updated annually and tailored to your specific business.
Designated BSA Officer
A named individual responsible for day-to-day AML program management. Must be a company employee and cannot be fully outsourced, though external consultants can support.
Annual Employee Training
All relevant employees must complete role-specific AML training annually. Completion certificates must be retained for 5 years. Online training with certificates is acceptable.
Independent Annual Review
An annual review by a qualified, independent party. The BSA officer cannot review their own program. This is the #1 audit finding for mortgage companies and the easiest to fix.
The 5 Most Common AML Compliance Gaps in Mortgage Companies
No Written AML Policy
The most common finding. Many mortgage companies have never created a formal written AML policy, or are using a generic template that doesn't reflect their actual loan products and customer base.
Overdue Independent Review
FinCEN requires an independent review at least annually. The reviewer cannot be the BSA officer. Many companies skip this entirely or have the BSA officer review their own program.
Missing Training Records
Annual training must be documented with completion certificates retained for 5 years. Verbal training or informal sessions without records don't satisfy the requirement.
No Designated BSA Officer
The BSA officer must be a named employee, not a job title shared across the company. Many small mortgage companies have never formally designated one.
Outdated Risk Assessment
Your written risk assessment must reflect your current loan products, geographic markets, and customer types. A risk assessment from 3+ years ago is a regulatory finding.
No SAR Filing Procedures
Mortgage companies must have documented procedures for identifying and reporting suspicious activity. Many have no SAR process at all, or don't know they're required to file.
Everything Your Mortgage Company Needs to Be Compliant at a Fixed Annual Price
Soflo delivers a complete, FinCEN-compliant AML program for residential mortgage lenders and originators. No hourly billing. No consultants. No surprises.
Written AML Policy Manual
Custom-drafted for your loan products, customer base, and geographic markets.
Written Risk Assessment
Identifies your specific money laundering risks and documents your controls.
Annual Training + Certificates
Online AML training for all employees, with completion certificates retained for 5 years.
Independent Annual Review
Conducted by our team, fully independent, fully documented, fully compliant.
Mortgage AML Compliance: Common Questions
Are mortgage companies required to have AML compliance?
Yes. Mortgage lenders and originators are required to maintain a written AML/BSA compliance program under 31 CFR § 1029.210. This regulation has been in effect since 2012 and applies to all non-bank residential mortgage lenders and originators (RMLOs). The program must include written policies, a designated BSA officer, annual employee training, and an independent review.
Does the AML requirement apply to mortgage brokers?
The current FinCEN rule (31 CFR § 1029) applies to residential mortgage lenders and originators, meaning companies that fund or originate loans. Pure mortgage brokers who do not fund loans are not currently covered under this specific rule, but FinCEN has proposed expanding coverage. If you originate or fund any loans, you are covered.
What does a mortgage company AML program need to include?
A compliant mortgage AML program must include: (1) written policies and procedures tailored to your loan products and customer base, (2) a designated BSA/AML compliance officer, (3) annual employee training with documented completion records, and (4) an independent review of the program at least annually. The reviewer cannot be the BSA officer.
What are the penalties for a mortgage company without AML compliance?
FinCEN can assess civil money penalties of $25,000 to $1,000,000 or more per violation against mortgage companies that fail to maintain an adequate AML program. State regulators may also take action, including license suspension or revocation. FinCEN has assessed penalties against mortgage companies of all sizes.
How much does AML compliance cost for a mortgage company?
Traditional AML compliance consulting for mortgage companies can cost $5,000 to $30,000+ per year in hourly fees. Soflo offers a fixed annual price that includes written policies, risk assessment, annual training with certificates, and independent review, designed specifically for residential mortgage lenders and originators.
Get Your Mortgage Company Compliant Today
Soflo delivers everything FinCEN requires for residential mortgage lenders and originators: written policies, annual training, risk assessment, and independent review, at a fixed annual price.