Compliance Documentation

Compliance documentation demonstrates that an organization follows regulatory requirements and internal standards. These documents guide employees, satisfy regulators, and protect the organization from legal and reputational risk.

Types of Compliance Documents

Policies

High-level statements of principles and requirements:

  • What must be done
  • Why it's required
  • Who is responsible
  • General expectations

Procedures

Detailed instructions for implementing policies:

  • Step-by-step processes
  • Specific responsibilities
  • Documentation requirements
  • Escalation paths

Controls Documentation

Evidence that controls are designed and operating effectively:

  • Control descriptions
  • Testing procedures
  • Testing results
  • Remediation plans

Audit Documentation

Records of compliance monitoring and assessments:

  • Audit plans and scope
  • Workpapers
  • Findings and recommendations
  • Management responses

Policy Structure

Standard Policy Format

# Policy: Anti-Money Laundering (AML)
# Document Number: POL-AML-001
# Version: 3.0

## 1. Purpose

This policy establishes [Company's] requirements for
preventing money laundering and terrorist financing in
accordance with the Bank Secrecy Act and related regulations.

## 2. Scope

This policy applies to:
- All employees
- All business units
- All products and services
- All customer relationships

## 3. Policy Statement

[Company] is committed to preventing the use of its
products and services for money laundering or terrorist
financing. We will:

- Implement a risk-based customer due diligence program
- Monitor transactions for suspicious activity
- Report suspicious activity to FinCEN
- Maintain required records
- Train employees on AML requirements

## 4. Key Requirements

### 4.1 Customer Identification Program (CIP)

We must verify the identity of each customer before
opening an account. Required information includes:
- Name
- Date of birth
- Address
- Identification number (SSN or TIN)

### 4.2 Customer Due Diligence (CDD)

We must understand the nature and purpose of each
customer relationship and develop a risk profile.
Enhanced due diligence is required for higher-risk customers.

### 4.3 Transaction Monitoring

We must monitor customer transactions and report
suspicious activity that may indicate money laundering
or terrorist financing.

### 4.4 Suspicious Activity Reporting

Suspicious Activity Reports (SARs) must be filed within
30 days of detecting suspicious activity. The AML Officer
is responsible for SAR filing decisions.

## 5. Roles and Responsibilities

### AML Officer
- Oversee AML compliance program
- File SARs with FinCEN
- Report to Board on AML matters
- Coordinate regulatory examinations

### Business Units
- Implement CIP and CDD requirements
- Escalate suspicious activity
- Maintain required records

### All Employees
- Complete AML training
- Know your customer
- Report suspicious activity

## 6. Training

All employees must complete AML training:
- Within 30 days of hire
- Annually thereafter
- Additional training for high-risk roles

## 7. Record Retention

Maintain AML records for a minimum of five years after
account closure or the transaction date, whichever applies.

## 8. Enforcement

Violations of this policy may result in disciplinary
action up to and including termination of employment.

## 9. Related Documents

- Procedure: Customer Identification (PRO-AML-001)
- Procedure: Suspicious Activity Reporting (PRO-AML-002)
- Procedure: Enhanced Due Diligence (PRO-AML-003)

## 10. Approval and Review

| Role | Name | Date |
|------|------|------|
| Author | [Name] | [Date] |
| Compliance Review | [Name] | [Date] |
| Approved By | [Name] | [Date] |

**Next Review Date**: [One year from approval]

Procedure Structure

Detailed Procedure Format

# Procedure: Suspicious Activity Reporting
# Document Number: PRO-AML-002
# Version: 2.0

## 1. Purpose

This procedure provides detailed instructions for
identifying, escalating, and reporting suspicious activity.

## 2. Scope

This procedure applies to all employees who may
encounter suspicious activity in customer interactions
or transaction monitoring.

## 3. Definitions

| Term | Definition |
|------|------------|
| SAR | Suspicious Activity Report filed with FinCEN |
| STR | Suspicious Transaction Report (internal) |
| AML Officer | [Title] designated as AML compliance officer |

## 4. Procedure

### 4.1 Identifying Suspicious Activity

#### Red Flags

Watch for these indicators:
- Transactions inconsistent with customer's stated activity
- Large cash transactions without clear business purpose
- Frequent structuring to avoid reporting thresholds
- Unusual wire transfer patterns
- Reluctance to provide information
- Third-party transactions without clear relationship

### 4.2 Internal Reporting

**Step 1**: Document Observations

When you observe potential suspicious activity:
1. Document what you observed
2. Include dates, times, and amounts
3. Note customer behavior or statements
4. Do not alert the customer

**Step 2**: Complete Internal STR

1. Access the STR form in [System]
2. Complete all required fields
3. Attach supporting documentation
4. Submit to your supervisor

**Step 3**: Supervisor Review

Within 24 hours, the supervisor must:
1. Review the STR
2. Add additional context
3. Forward to AML Unit or return for more information

### 4.3 AML Unit Review

**Step 1**: Initial Assessment

The AML Analyst reviews the STR within 2 business days:
1. Review submitted information
2. Request additional information if needed
3. Conduct additional research
4. Document findings

**Step 2**: SAR Decision

AML Officer reviews analysis and determines:
- File SAR
- No SAR required (with documented rationale)
- Request additional investigation

### 4.4 SAR Filing

If a SAR is required:

**Step 1**: Prepare SAR

1. Complete FinCEN SAR form
2. Include all required fields
3. Write clear narrative explaining suspicious activity
4. Review for accuracy and completeness

**Step 2**: File SAR

1. Submit through BSA E-Filing system
2. Maintain copy of filed SAR
3. Record filing date and confirmation

**Timeline**: File within 30 calendar days of detection

### 4.5 Post-Filing Actions

After SAR filing:
1. Continue monitoring the account
2. Document any additional suspicious activity
3. File continuing activity SAR if warranted
4. Maintain SAR confidentiality

## 5. Documentation Requirements

Maintain for each SAR decision:
- Internal STR and supporting documents
- Analysis workpapers
- SAR (if filed) or documented rationale for not filing
- Any related correspondence

## 6. Confidentiality

**IMPORTANT**: Never disclose to the customer or any
unauthorized person that:
- An STR has been filed
- A SAR has been filed or is being considered
- The customer's activity is being monitored

Violation of SAR confidentiality is a federal crime.

## 7. Escalation

Escalate immediately to AML Officer if:
- Activity involves potential terrorist financing
- Activity appears to involve bank employees
- Customer threatens employees
- Regulatory urgency requires immediate action

## 8. Quality Assurance

Monthly review of:
- STR volume and processing times
- SAR filing statistics
- Quality of SAR narratives
- Timeliness of filings

## 9. References

- Bank Secrecy Act (31 U.S.C. § 5311 et seq.)
- FinCEN SAR Instructions
- Policy POL-AML-001

## 10. Revision History

| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2022-01-01 | Initial release |
| 2.0 | 2024-01-01 | Updated for new SAR form |

Controls Documentation

Control Description Format

# Control: Customer Identification Verification

## Control ID: CIP-001

## Control Objective
Verify the identity of all customers before opening accounts.

## Control Description

Before account opening, employees verify customer identity by:

1. Collecting required identification information
2. Obtaining copy of government-issued ID
3. Verifying information against ID document
4. Screening against OFAC sanctions list
5. Documenting verification in customer record

## Control Type
- [x] Preventive
- [ ] Detective

## Control Frequency
Each new account opening

## Control Owner
Customer Onboarding Manager

## Evidence of Control Operation
- Completed account opening checklist
- Copy of ID document in customer file
- OFAC screening results
- Supervisor approval in system

## Related Risks
- Failure to identify customers
- Account opened for prohibited person
- Regulatory violations

## Testing Approach
Select a sample of new accounts and verify:
- All required information collected
- ID document on file
- OFAC screening completed
- Supervisor approval obtained

Testing Workpaper

# Control Testing Workpaper

## Control: CIP-001 - Customer Identification Verification

## Testing Period: Q4 2024

## Test Objective
Verify that customer identification is properly verified
before accounts are opened.

## Testing Approach
- Population: All new accounts opened in Q4 2024 (N=450)
- Sample: 45 accounts (10% sample)
- Selection: Random selection using random number generator

## Test Procedures

| # | Procedure | Pass/Fail |
|---|-----------|-----------|
| 1 | Verify all required information collected | |
| 2 | Verify government ID on file | |
| 3 | Verify information matches ID | |
| 4 | Verify OFAC screening completed | |
| 5 | Verify supervisor approval obtained | |

## Test Results

| Sample | #1 | #2 | #3 | #4 | #5 | Overall |
|--------|----|----|----|----|----|----|
| 1 | ✓ | ✓ | ✓ | ✓ | ✓ | Pass |
| 2 | ✓ | ✓ | ✓ | ✓ | ✓ | Pass |
| ... | | | | | | |
| 45 | ✓ | ✓ | ✓ | ✓ | ✓ | Pass |

## Summary

| Result | Count | Percentage |
|--------|-------|------------|
| Pass | 44 | 97.8% |
| Fail | 1 | 2.2% |

## Exceptions

| Sample | Issue | Root Cause | Remediation |
|--------|-------|------------|-------------|
| 23 | OFAC screening not documented | System error | Re-screened; system issue fixed |

## Conclusion

Control is operating effectively with one minor exception
that has been remediated.

**Prepared By**: [Name] Date: [Date]

**Reviewed By**: [Name] Date: [Date]

Audit Documentation

Audit Finding Format

# Audit Finding

## Finding ID: 2024-AML-001

## Finding Title
Incomplete Enhanced Due Diligence for High-Risk Customers

## Risk Rating: Medium

## Background
Policy POL-AML-001 requires enhanced due diligence (EDD)
for customers classified as high-risk. EDD includes
additional documentation of source of funds and expected
account activity.

## Condition
Testing of 30 high-risk customer files identified 8 (27%)
with incomplete EDD documentation:
- 5 files missing source of funds documentation
- 3 files missing expected activity documentation

## Criteria
Policy POL-AML-001, Section 4.2: "Enhanced due diligence
is required for higher-risk customers, including documentation
of source of funds and expected account activity."

## Cause
- Lack of clear guidance on acceptable source of funds documentation
- EDD checklist not consistently used
- Insufficient supervisory review

## Effect
- Increased risk of money laundering
- Potential regulatory criticism
- Gaps in customer risk profiles

## Recommendation
1. Issue guidance on acceptable source of funds documentation
2. Implement mandatory EDD checklist in account opening system
3. Enhance supervisory review of high-risk account openings

## Management Response

**Response**: Management concurs with the finding.

**Action Plan**:
1. EDD guidance to be issued by [Date]
2. System checklist to be implemented by [Date]
3. Supervisory review process to be enhanced by [Date]

**Responsible Party**: AML Officer

**Target Date**: [Date]

Summary

Effective compliance documentation:

  • Clearly communicates requirements and expectations
  • Provides actionable procedures
  • Documents control design and effectiveness
  • Supports audit and examination activities
  • Demonstrates regulatory compliance

Well-maintained compliance documentation protects the organization and satisfies regulatory requirements.