Lesson 15 of 25
Auditing the AML Pillars and the Fifth Pillar (CDD/BO)
4 min read · CAMS-Audit
Test all five AML program pillars, including the fifth pillar, beneficial ownership under 31 CFR 1010.230. Learn why an empowered BSA officer and a truly independent test are auditable, not just box-ticked.
The pillars, and the fifth one
- Internal controls; BSA/AML officer; training; independent testing
- Fifth pillar — risk-based CDD incl. beneficial ownership
- FinCEN CDD Rule, 31 CFR 1010.230
- Audit must test each pillar and how they connect
The AML program rests on pillars, and the exam expects you to test each one. The four longstanding pillars are internal controls, a designated BSA/AML compliance officer, ongoing training, and independent testing, which is you. FinCEN's Customer Due Diligence Rule, codified at 31 CFR 1010.230 and applicable to covered institutions from May 11, 2018, added the fifth pillar: risk-based customer due diligence, including the requirement to identify and verify the beneficial owners of legal-entity customers.
So an AML program now stands on five pillars, and a thorough audit tests each one and the way they connect, because a weak pillar undermines the whole structure.
Auditing internal controls and the BSA officer
- Controls: policies, procedures, processes that actually work
- Officer: designated, qualified, and genuinely empowered
- Enough authority, resources, and board access?
- A figurehead officer is a control weakness
Start with internal controls and the compliance officer. For controls, you test whether the policies, procedures, and processes are not just written but actually working, which is the design-versus-operating distinction from the earlier lectures applied across the whole program. For the BSA officer, the regulation requires a designated, qualified individual, but audit goes further and asks whether that person is genuinely empowered.
Do they have sufficient authority, resources, and direct access to the board to do the job? Can they escalate a problem the business doesn't want to hear? A BSA officer who exists on the org chart but can't get resources or be heard is a figurehead, and that's a real control weakness, not a paperwork formality.
Auditing training and independent testing
- Training: right people, right content, tracked completion
- Tailored to roles and to actual risks
- Independent testing: is it itself independent and competent?
- Audit can — and should — assess the audit function
Next, training and independent testing. For training, check that the right people get the right content: tellers, relationship managers, and the board need different material, and the training should reflect the institution's actual risks, not a generic slideshow. Verify that completion is tracked and that high-risk roles are covered.
The fourth pillar, independent testing, is interesting because it includes the audit function itself. A mature program subjects its own independent testing to review, through quality assurance, peer review, or external assessment, to confirm it's truly independent, adequately resourced, and competent. So yes, the audit function can and should be assessed; an independent test that isn't actually independent fails the pillar it's supposed to satisfy.
Auditing the fifth pillar: CDD and beneficial ownership
- Identify and verify beneficial owners of legal entities
- 25% ownership prong and the control prong
- Risk-based ongoing monitoring and profile updates
- Test collection, verification, and triggers
The fifth pillar, customer due diligence, deserves its own focus because it's both heavily tested and operationally hard. Under the CDD Rule, covered institutions must identify and verify the beneficial owners of legal-entity customers under two prongs: the ownership prong, each individual who directly or indirectly owns 25 percent or more of the entity's equity (there may be none), and the control prong, one individual with significant responsibility to control, manage, or direct the entity (there must always be one). The rule also requires risk-based ongoing monitoring and updating of customer information so that profiles stay current.
In fieldwork you test all of it: was beneficial ownership actually collected and verified at onboarding, are profiles updated when triggers occur, and does ongoing monitoring really feed back into the customer's risk rating? Missing or stale beneficial-ownership data is a classic finding.
Testing across the pillars, not in silos
- Pillars interconnect — a weak one strains the others
- Trace a risk through all five pillars end to end
- Look for gaps that fall between pillar owners
- Program effectiveness is more than each pillar in isolation
A mature audit doesn't just test each pillar in its own silo; it tests how the pillars work together, because they're interconnected and a weakness in one strains the others. Weak training produces poor first-line CDD, which floods monitoring with bad data, which buries real alerts, which leads to missed SARs. So a powerful technique is to trace a single risk all the way through the program: pick a high-risk customer type and follow it from onboarding and CDD, through risk rating, into monitoring coverage, alert handling, and SAR decisioning, watching for where it breaks down.
The gaps that hurt most often fall between pillar owners, the seam where the first line assumes the system caught something and the second line assumes the first line did. Evaluating program effectiveness means assessing the whole machine, not just confirming each part exists. The exam rewards the auditor who sees the connections rather than ticking pillars off a checklist.
Recap and next
- Five pillars: controls, officer, training, testing, CDD/BO
- Empowerment of the officer is auditable, not just designation
- The fifth pillar — 31 CFR 1010.230 beneficial ownership
- Next — deeper into CDD, EDD, and KYC file reviews
Recapping: the AML program stands on five pillars, internal controls, the BSA compliance officer, training, independent testing, and the fifth pillar of customer due diligence including beneficial ownership under 31 CFR 1010.230. Audit tests each pillar for both design and operation, and looks past mere designation to whether the officer is truly empowered and the independent test truly independent. And test the pillars as a connected system rather than in silos, tracing a single risk end to end to find the gaps that fall between pillar owners.
Next, we go deeper into the fifth pillar with a hands-on look at CDD, enhanced due diligence, and KYC file reviews. Test yourself on the pillars first.
Sources
- 31 CFR 1020.210 — AML program requirements (pillars)
- FinCEN CDD Rule, 31 CFR 1010.230 — beneficial ownership (the fifth pillar)
- FFIEC BSA/AML Examination Manual — internal controls, BSA compliance officer, training, independent testing, CDD
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. Management formally accepts the risk associated with a medium-rated finding rather than remediating it. A junior compliance analyst signs the acceptance form. Is this appropriate?
Q2. A SAR-filing backlog finding has recurred across three consecutive audit cycles. Each time, management hires temporary staff to clear the queue, and audit closes the finding. What does the recurrence signal?
Q3. Which of the following BEST describes the difference between internal audit conducting AML testing and the compliance function running ongoing quality-assurance reviews?
Q4. The FFIEC BSA/AML Examination Manual expects the scope and frequency of independent testing to be 'commensurate with' what?