FinCEN's Five Pillars of an AML Program, and What Most Small Businesses Get Wrong

Argenis Galez

Founder, Soflo Consulting

April 14, 2026
Tags: FinCEN, AML Program, Small Business

The five pillars are well-known but widely misunderstood at the implementation level. Here is where most small regulated businesses fall short and what to do about it.

The Five Pillars: A Quick Refresher

FinCEN's AML program requirements for most regulated businesses are built around five core elements: (1) internal policies, procedures, and controls; (2) a designated compliance officer; (3) ongoing employee training; (4) independent testing; and (5) customer due diligence (CDD).

These pillars are well-documented in FinCEN guidance and the BSA Examination Manual. Most compliance officers can recite them. The problem is not awareness; it is implementation.

Pillar 1: Policies, Procedures, and Controls

The most common failure here is not the absence of a policy; it is a policy that does not match the business. Generic, template-based AML policies that are not tailored to the institution's specific products, customers, and risk profile are a consistent examination finding.

Policies must be updated when the business changes. A fintech that adds a new payment product needs to update its AML policy before the product launches, not after the examination.

Pillar 3: Training, the Most Commonly Cited Gap

Of the five pillars, training is the one most frequently cited in FinCEN enforcement actions against small and mid-size regulated businesses. The specific findings are consistent: training that is not role-appropriate, training that is not documented, and training that has not been updated to reflect current regulatory expectations.

Annual training is a floor, not a ceiling. Businesses with high staff turnover, new products, or elevated risk profiles should train more frequently. And every training completion needs to be documented in a way that an examiner can verify, which is exactly what NAMLC certification provides.

Pillar 4: Independent Testing

Independent testing means testing by someone who is not responsible for the AML program. For small businesses, this is often the hardest pillar to satisfy: the BSA officer cannot independently test their own program.

Third-party AML program reviews, like those offered by Soflo Consulting, satisfy the independent testing requirement. The key is documentation: the testing must be recorded, findings must be addressed, and the process must be repeatable.

What Small Businesses Get Wrong

The most common mistake small regulated businesses make is treating the five pillars as a checklist rather than a system. Having a policy does not mean the policy is followed. Having a BSA officer does not mean the officer has the authority and resources to do the job. Having annual training does not mean the training is verifiable.

Examiners look for evidence that the program actually functions, not just that it exists on paper. The difference between a passing examination and a finding is usually documentation.

Argenis Galez is the founder of Soflo Consulting and the National AML Learning Center (NAMLC), an independent AML/BSA certificate verification platform. He works with MSBs, fintechs, mortgage companies, and other regulated businesses on AML program development, training, and independent review.