AML Compliance Program

An AML compliance program is the set of policies, controls, and people a firm uses to detect and prevent money laundering. In the United States it must cover five pillars: internal controls, a compliance officer, training, independent testing, and customer due diligence.

Key takeaways

  • An AML compliance program is a legal requirement for regulated firms, not an optional policy.
  • US programs rest on five pillars, with customer due diligence added in 2018.
  • A written risk assessment sits underneath and shapes the whole program.
  • A named compliance officer owns the program and answers to the board and regulator.
  • Weak programs are costly: TD Bank paid about $3 billion in 2024 after monitoring gaps.
  • The FATF standard, set in 1989, shapes AML rules in more than 200 jurisdictions.

$3B

Paid by TD Bank in 2024 after AML program failures

Source: US Department of Justice

1989

Year the FATF set the standard programs follow

Source: FATF

$800B to $2T

Laundered worldwide each year that programs aim to stop

Source: UNODC

What is an AML compliance program?

An AML compliance program is how a firm turns anti-money laundering rules into daily practice. It brings together the policies, controls, people, and records needed to spot laundering and report it.

The program is written down, approved at a senior level, and tested. A regulator expects to see not just a document, but evidence that the controls run and that someone acts on what they find.

Every regulated business needs one, from a global bank to a small payments startup. Read more: our step-by-step guide to building an AML program covers the practical setup.

Why firms need an AML compliance program

Firms need a program for two reasons: the law requires it, and the cost of failure is severe. Regulators can fine a firm, restrict its license, and hold its officers personally responsible.

The financial cost is real and growing. In 2024, TD Bank agreed to pay about $3 billion to US authorities after leaving large categories of transactions out of monitoring, which let criminal networks move funds (US Department of Justice, 2024).

Beyond fines, a weak program lets the money behind trafficking, fraud, and corruption pass through the firm. That is the harm the rules exist to prevent.

Start your AML policy in minutes

Answer a short set of questions and generate a tailored AML policy draft you can adapt and keep for your records.

Open the AML Policy Generator →

The five pillars of an AML compliance program

US regulators judge a program against five pillars. The first four come from the Bank Secrecy Act, and the fifth, customer due diligence, was added by FinCEN’s 2018 rule.

  1. Internal controls. Written policies and procedures that set how the firm prevents, detects, and reports laundering.
  2. A designated compliance officer. A named, senior person, often the BSA or AML officer, who owns the program.
  3. Ongoing training. Regular, role-specific training so staff can recognize and escalate warning signs.
  4. Independent testing. A periodic audit, run by someone outside the compliance team, that checks the controls actually work.
  5. Customer due diligence. Verifying customers, understanding their activity, and identifying beneficial owners.
Worth knowing. A written risk assessment is not one of the five pillars, but every examiner expects it, because it justifies the rest of the program. Without a risk assessment, a firm cannot show why its controls are set the way they are, and that gap is one of the most common findings.

How to build an AML compliance program

Building a program follows a clear order. Each step depends on the one before it.

  1. Run a risk assessment. Rate your laundering risk across customers, products, geographies, and channels. Our AML risk assessment gives an indicative starting point.
  2. Write the policies. Set out how you handle onboarding, monitoring, reporting, and record-keeping.
  3. Appoint a compliance officer. Give a senior person clear authority and direct access to the board.
  4. Set up customer due diligence. Define how you verify identity, rate risk, and apply enhanced due diligence.
  5. Turn on monitoring and screening. Watch transactions and check names against sanctions and PEP data.
  6. Train staff and test the program. Deliver training, then have an independent party audit the controls.

Use the tool: screen customers against sanctions, PEP, and adverse media data with Combined AML Screening as part of onboarding.

Screen customers as part of onboarding

Run one search across sanctions, PEP, and adverse media data and see each result with its source and date.

Try Combined AML Screening →

Roles and responsibilities

A program only works if responsibility is clear. Three groups carry the weight.

  • The board and senior management. They approve the program, fund it, and set the tone. Regulators hold them accountable for its failures.
  • The compliance officer. They run the program day to day, receive internal reports, decide on filings, and report to the board.
  • All staff. Front-line teams apply the checks, spot warning signs, and escalate concerns.

Larger firms often describe this split as the three lines of defense. The business is the first line and owns the risk it creates. Compliance is the second line and sets the rules and checks. Internal audit is the third line and tests that both are working.

When one of these groups treats the program as someone else’s job, gaps appear. Clear ownership is what regulators look for first.

Key laws and regulators

A US program must satisfy several laws and the agencies that enforce them. The shape is similar in other countries, because most follow the same global standard.

  • The Bank Secrecy Act (1970). The foundation of US AML law, which sets reporting and record-keeping duties.
  • The USA PATRIOT Act (2001). Expanded customer identification and information-sharing rules.
  • FinCEN. The Treasury bureau that administers the rules and receives reports. What FinCEN does.
  • OFAC. Runs US sanctions programs that screening must respect.
  • The FATF. Sets the 40 Recommendations that shape AML rules in more than 200 jurisdictions.

A firm that operates across borders has to meet each local regime while keeping one coherent program. Read more: our guide to AML regulations in the US covers the detail.

Common weaknesses and how to avoid them

Most enforcement cases trace back to a handful of avoidable weaknesses. Knowing them is the fastest way to strengthen a program.

  • A tool nobody watches. Monitoring software with no one reviewing the alerts is a finding, not a control.
  • A stale risk assessment. A program that no longer matches the firm’s real risks drifts out of compliance.
  • Gaps in monitoring coverage. Leaving whole transaction types unwatched is what sank TD Bank.
  • Weak escalation. Warning signs that never reach the compliance officer might as well not exist.

Check how ready your AML program is

Get an indicative read on your money laundering exposure across customers, products, channels, and geographies.

Try the AML Risk Assessment →

Frequently asked questions

What is an AML compliance program?

An AML compliance program is the set of policies, controls, and people a firm uses to detect and prevent money laundering. It includes written procedures, a designated compliance officer, training, independent testing, and customer due diligence. Regulators expect the program to run in practice, not just exist as a document.

What are the five pillars of an AML program?

The five pillars are internal controls, a designated compliance officer, ongoing training, independent testing, and customer due diligence. The first four come from the Bank Secrecy Act. The fifth, customer due diligence including beneficial ownership, was added by a FinCEN rule that took effect in 2018.

Is an AML compliance program legally required?

Yes. In the United States, the Bank Secrecy Act requires regulated firms to maintain an AML compliance program. Similar duties apply in the UK, the EU, and most other countries that follow the FATF standard. Failing to maintain an effective program can bring fines, license restrictions, and personal liability for officers.

Who is responsible for the AML compliance program?

A named compliance officer runs the program day to day, but the board and senior management own it. They approve the program, fund it, and answer to the regulator for its failures. Front-line staff also carry responsibility, because they apply the checks and escalate concerns.

What is the difference between an AML program and an AML policy?

An AML policy is the written document that sets the firm’s rules. An AML compliance program is the wider system that puts those rules into practice, including the risk assessment, monitoring, training, testing, and the people who run it. The policy is one part of the program.

What should an AML compliance program include?

It should include a written risk assessment, internal controls and policies, a designated compliance officer, customer due diligence, transaction monitoring, sanctions and PEP screening, staff training, independent testing, and clear reporting to the board. Each element should be documented and reviewed as the firm’s risk changes.

How do you build an AML compliance program?

Start with a risk assessment, then write policies that match those risks. Appoint a compliance officer, set up customer due diligence, and turn on monitoring and screening. Train staff, then have an independent party test the controls. Review the whole program regularly as the business and its risks change.

What is a risk assessment in an AML program?

A risk assessment rates where a firm’s money laundering risk is highest, across customers, products, geographies, and channels. It is not one of the five pillars, but examiners expect it, because it justifies how the rest of the program is set up. A stale or missing risk assessment is a common finding.

What happens if a firm has a weak AML program?

A firm with a weak program can face large fines, restrictions on its license, remediation orders, and personal liability for its officers. In 2024, TD Bank agreed to about $3 billion in penalties after leaving transaction types out of monitoring. A weak program also lets criminal money pass through the firm.

Who regulates AML compliance programs in the United States?

FinCEN, part of the US Treasury, administers the Bank Secrecy Act and receives reports. Banking regulators such as the OCC and the Federal Reserve examine firms for compliance, and OFAC runs sanctions programs. The FATF sets the international standard that US rules follow.

How often should an AML program be reviewed?

An AML program should be reviewed regularly and whenever the firm’s risk changes, such as a new product, market, or customer type. The independent test is usually annual for many firms, though the right frequency depends on size and risk. The risk assessment should be refreshed on the same basis.

What is the fifth pillar of AML compliance?

The fifth pillar is customer due diligence, added by a FinCEN rule that took effect in 2018. It requires firms to verify customers, understand the nature of their activity, and identify the beneficial owners behind legal-entity customers. It joined the four original pillars from the Bank Secrecy Act.

Read more: our ultimate guides, whitepapers and templates

Related guides and resources to help you act on what you just read.

Last reviewed July 12, 2026 · 11 min read · Written for compliance and risk professionals · By the WhoWiki editorial team

Key takeaway: an AML compliance program is the required set of controls that stops laundering, built on five pillars that US regulators expect to see.

About this guide: WhoWiki provides free compliance resources and business verification tools built on trusted primary sources, including OFAC, the EU Consolidated Sanctions List, GLEIF, and official government registries. Every guide is researched and reviewed by the WhoWiki editorial team. Content is for informational purposes only and does not constitute legal advice. Tool results are indicative and should be supplemented with appropriate regulatory screening where required.

Share:

Picture of avikbal.tech@gmail.com

avikbal.tech@gmail.com

WhoWiki tools sidebar

A detailed guide to TPRM and a downloadable checklist to implement the TPRM Framework in 2026

WhoWiki content blocks
Learn & stay current

A compliance reference that keeps up with the regulators and the latest data sources

Plain-English explainers, country rules, and data you can cite, updated as the landscape moves.

Comparing tools before you commit?

See how WhoWiki lines up against the platforms you already know, and which free tools fit which job.

See how current your screening could be more effective & efficient

Book a walkthrough with our team, or start with the tools today. No account needed to run your first check.