QUESTION
In implementing our AML program, we recognize there are the basic
requirements of the law. However, what is the difference between what is
required by law and what are best practices for an AML compliance program?
ANSWER
Frankly, the law is very general, even vague at times, with respect to
distinguishing it and best practices. The result often leaves those who must
implement an AML compliance program with little practical guidance as to what should
be done.
Over time, industry participants develop ways to comply with the legal
requirements for compliance programs. As methods are adopted within the
industry, they may be referred to as “industry standards.”
When clearly better ways to comply emerge, they may be referred to as “best
practices.” But not all industry standards or best practices will be legally
compliant. Therefore, compliance with an industry standard or even a best
practice may not satisfy the legal requirements.
At minimum, an organization should consider having a basic set of
policies and procedures for assessing its risks for money laundering and terrorist
financing. The institution should also have policies and procedures for conducting
due diligence on its customers, clients, employees and agents, vendors and
third-part service providers. In addition, the policies and procedures should
cover how the organization deters, detects and monitors for suspicious
activity. Other policies and procedures should be included to address training
and how the organization handles legal process, reports suspicious activity and
otherwise cooperates with law enforcement and other entities. [FFIEC Exam Manual,
33]
An organization that is affiliated with other types of entities should
also consider adopting policies and procedures that apply on an enterprise-wide
or institution-wide basis. Such procedures should permit organization within
the enterprise to view their customers’ activity across multiply business lines
and geographies. [FFIEC Exam Manual, 160]
Jonathan Foxx
President & Managing Director
Lenders
Compliance Group
