
Lesson 19 of 39

The Pillars of an AML Program *(OUTLINE + BULLET BODY)*

4 min read · CAMS

Name and explain the pillars of an AML compliance program. Distinguish the four original pillars from the fifth pillar (risk-based CDD/beneficial ownership). Explain what each pillar requires in practice and why an examiner tests them as a set.

Cold open / hook *(0:00–0:30)* — [scripted]

Welcome to Domain 3 — building the compliance program. This is the heaviest-weighted domain on the CAMS® exam, and it's where the questions stop asking "what's the rule?" and start asking "what would you do?" Everything in this domain rests on a single structure: the pillars of an AML program. If a regulator walked into your institution tomorrow, this is the checklist they'd run. Miss a pillar, and the whole program is deficient — no matter how good the others are. So let's build the structure, pillar by pillar, the way an examiner expects to see it.

Body — [bullet teaching outline; expand to ~150 wpm prose when recording]

Why "pillars"

- US law (BSA, as implemented for banks at **31 CFR 1020.210**) requires every covered financial institution to maintain a **written, risk-based AML program** approved by the board and reasonably designed to ensure compliance.
- The program is conventionally described as resting on **pillars** — each a minimum required element. They are tested together: a program is only as strong as its weakest pillar.
- Originally **four pillars**; the **2018 CDD Rule added a fifth** (risk-based CDD, including beneficial ownership). Be ready to recite all five.

Pillar 1 — Designated BSA/AML Compliance Officer

- The institution must **designate a qualified individual** responsible for coordinating and monitoring day-to-day BSA/AML compliance.
- The officer must have **sufficient authority, autonomy, independence, and resources** to do the job — and a reporting line that reaches the **board/senior management**.
- Responsibilities: oversee the program, ensure filings (SARs/CTRs) are made, keep the program current with regulatory change, and escalate issues.
- Exam cue: "one designated, empowered person with board access." Lacking authority or resources is a classic deficiency.

Pillar 2 — Internal Controls (policies, procedures & processes)

- **Written policies, procedures, and internal controls** reasonably designed to ensure ongoing compliance and to **identify and report** suspicious activity.
- Should be **risk-based** — calibrated to the institution's products, customers, and geographies (tied to the risk assessment, next lecture).
- Covers CIP/CDD, transaction monitoring, sanctions screening, SAR/CTR filing, recordkeeping, and red-flag escalation.
- Internal controls also include **dual controls, segregation of duties**, and management information/reporting so leadership can oversee the program.
- Exam cue: "controls reasonably designed to assure compliance and detect/report suspicious activity."

Pillar 3 — Independent Testing (audit)

- **Independent testing** of the program's effectiveness, conducted by **internal audit, an external party, or qualified independent staff** — independent of the functions being tested (i.e., **not** the compliance officer auditing their own work).
- Frequency is **risk-based**, commonly **every 12–18 months**; higher-risk institutions test more often.
- Scope: assess the adequacy of the program, test transaction-monitoring/sanctions systems, sample SAR/CTR filings, review training and CDD — and report findings to the **board/audit committee**, with tracked remediation.
- Exam cue: "independent," "scope and frequency commensurate with risk," "reports to the board."

Pillar 4 — Training

- **Ongoing AML/CFT training** for appropriate personnel — tailored to roles (tellers vs. relationship managers vs. compliance), covering red flags, reporting obligations, and policies.
- Should be **periodic and current** (updated for new regulations, typologies, and the institution's own risks), **documented** (who was trained, when, on what), and extended to the **board/senior management** as appropriate.
- Exam cue: "role-based, recurring, documented." Untrained front-line staff is a recurring exam scenario.

Pillar 5 — Risk-based CDD (the beneficial-ownership pillar)

- Added by the **FinCEN CDD Rule (effective 2018, 31 CFR 1010.230)**; formalizes **Customer Due Diligence** as a program requirement.
- Incorporates the rule's elements: **identify/verify customers (CIP), identify/verify beneficial owners of legal entity customers, understand the nature and purpose of relationships, and conduct ongoing monitoring** with risk-based information updates.
- This pillar links the program to **Know Your Customer** — you can't monitor or report effectively if you don't know who the customer (and their owners) are.
- Exam cue: the **fifth pillar = CDD/beneficial ownership**; don't confuse it with internal controls.

Putting the pillars together (and a memory aid)

- Mnemonic for the five: **"A CIT-C"** — **A**ML Officer, **C**ontrols, **I**ndependent testing, **T**raining, **C**DD. (Or recall them as Officer / Controls / Audit / Training / CDD.)
- The pillars are **mutually reinforcing**: the risk assessment (next lecture) drives the controls; controls generate alerts; CDD informs monitoring; training enables the front line; independent testing verifies it all; the officer owns it.
- A program can be **technically present but deficient** if a pillar lacks substance (e.g., training that never updates, an officer without authority, audit that never tests systems).
- Senior management/board **approval and oversight** sit above the pillars — covered fully in the governance lecture.

Recap & next — [scripted]

Those are the five pillars, the spine of every AML program: a designated and empowered compliance officer; written, risk-based internal controls; independent testing that reports to the board; ongoing, role-based training; and risk-based customer due diligence — the fifth pillar that brought beneficial ownership into the program. Remember, examiners test these as a set, and the weakest pillar defines the program. Next, we go to the foundation beneath the pillars — the document that tells you how big each pillar needs to be: the enterprise-wide risk assessment, where we'll rate customer, product, geography, and channel risk and separate inherent risk from residual risk.

Sources

- BSA AML program requirement — 31 CFR 1020.210 (and parallel sections for other institution types)
- Five-pillar framework (four original pillars + CDD Rule fifth pillar)
- FinCEN CDD Rule — 31 CFR 1010.230
- FFIEC BSA/AML Examination Manual (program-pillar examination concepts)
