ANTI-MONEY LAUNDERING: The Criminal and Regulatory Framework, and Anti-Money Laundering Compliance Programs (Part 6)

By October 6, 2018 No Comments

This article is a continuation of our most recent corporate governance series. If you missed part 5, you can read it online here: Anti-Money Laundering Part 5


Any business that is a “financial institution” under the Bank Secrecy Act and which is required to implement an Anti-Money Laundering Compliance Program must care, because failure to implement the Program could expose the business to criminal, civil and administrative penalties. For such businesses, it is equally important to monitor changes in or additions to that requirement (for example, a requirement to report “suspicious transactions” or maintain certain types of records may be added to an already-existing Compliance Program requirement). Failure to comply with the applicable Treasury regulations can be punished both civilly and criminally under the Bank Secrecy Act, and may also subject regulated “financial institutions” to severe administrative penalties imposed by their federal regulatory agency for failure to comply, or even for failure to fully and sufficiently comply.

Any other business that is a “financial institution” under the Bank Secrecy Act should closely monitor the Federal Register in order to determine whether the Treasury Department intends to issues regulations removing it from the exemption in 31 C.F.R. 103.170. In such cases, Treasury normally will issue a Notice of Proposed Rule Making in the Federal Register, explaining and stating the proposed regulations and inviting public comment. A Notice of Proposed Rule Making is a clear indication that an exempted “financial institution’s” status is about to change, although a substantial amount of time may elapse before a Proposed Rules made a Final Rule.

Further, for all businesses, the best defense against becoming unwittingly involved in a possible violation of the Money Laundering Control Act is to have an effective Anti-Money Laundering Compliance Program. Such a Program can be used to demonstrate that the business is a “good corporate citizen” that took reasonable steps to avoid involvement (through willful blindness or otherwise) in criminal money laundering activity.

Finally, the senior management of every corporation, regardless of whether it is a Bank Secrecy Act “financial institution,” arguably has a duty to include anti-money laundering policies and procedures as part of the overall compliance program which the Delaware Chancery Court, in the leading Caremark decision, has held that corporate management is duty-bound to have under Delaware law in light of the Sentencing Guidelines.


As noted in Section 3.3(c) above, the minimal requirements for a mandatory Anti-Money Laundering Program are: (i) the Program must be in writing; (ii) the Program must have a formally appointed Anti-Money Laundering Compliance Officer; (ii) periodic training of appropriate employees about the institution’s anti-money laundering policies and procedures; and (iv) the periodic independent audit of the implemented and is being followed.

Anti-Money Laundering Programs must be “risk based.” This means that each institution must Anti-Money Laundering Program to ensure it has been carefully consider its customer base, products and market in order to determine the degree of money laundering risk the institution faces. As a practical matter, this involves the preparation of a written “Risk Assessment” covering each of the factors just noted. Then, based upon that assessment, the institution must develop written policies and procedures. Those policies and procedures must be specifically designed to address the degree of risk to which the business is exposed, and to then detect, deter and report money laundering or terrorist financing activity based upon that risk level.

A key element for the prevention and detection of money laundering and terrorist financing is to develop effective “Know Your Customer” procedures. In every transaction, each business should be diligent in knowing who it is dealing with, and have reasonable grounds to believe that each customer is entirely legitimate. This includes confirming an individual customer’s true identity and, for customers that are businesses, ensuring that every entity with which one does business is, in fact, a legally established entity.

For individual customers, this normally means verifying identity through a government-issued photo identification, and in appropriate cases determining the customer’s source of funds or wealth. For business customers, it normally means securing a copy of articles of incorporation, government-issued licenses, government tax identification numbers, trust documents, partnership registrations or the like. It can also include procedures to verify business information by telephone or through publicly available information. For some businesses, it is neither possible nor practical, from a cost or customer relations point of view, to secure such documentation for every customer. This is where the risk assessment comes into play. Depending upon the degree and type of risk, a business should determine when to require identification, what type of identification to secure, and what follow-up procedures are appropriate. The point to keep in mind is that, depending on the degree of risk and the volume of business being done, each business should attempt to establish, as effectively and efficiently as it can, that the individual or business it is doing business with is who it claims to be, is engaged in legitimate business activities, is using funds derived from legitimate business legitimate or sources of wealth and income.

(i) The Anti-Money Laundering Compliance Officer: The Compliance Officer should be appointed by the Board of Directors or Senior Management. The actual title is not important, although the Compliance Officer must have a level of authority and responsibility in the company sufficient to implement, supervise and enforce the Compliance Program on a daily basis, and sufficient resources (budgetary and personnel) to perform his or her function.
The Compliance Officer must be a qualified person who is knowledgeable about money laundering and the Money Laundering Control Act. For “financial institutions,” it is critical that the Compliance Officer be fully knowledgeable about the Bank Secrecy Act and the implementing regulations that apply to the particular business. The Compliance Officer should also have a full knowledge of the business, its products, services, operations, general customer base and money laundering risk assessment.

Finally, it is imperative that the Compliance Officer be of the highest integrity. Bad actors must be kept out of the position, and out of the overall supervision and operation of the Compliance Program. The Board and Senior Management must take reasonable steps to screen out persons whom the company knows, or should know through the exercise of due diligence, have a history of engaging in illegal activity or other misconduct;

(ii) Employee Training: For all Bank Secrecy Act “financial institutions” that are required to maintain Anti-Money Laundering Programs, periodic employee training is mandatory. Periodic employee training is necessary for any other business with an Anti-Money Laundering Compliance Program, because the failure to conduct periodic training will render the Program ineffective.
All appropriate employees should be trained on money laundering in general and on the company’s anti-money laundering policies and procedures. Who the “appropriate” employees are will vary from business to business and also depend on the company’s risk assessment, but at a minimum should include all employees whose duties could expose them to money laundering. Generally this will include management, sales, finance and accounting personnel. Training should be tailored to the person’s specific responsibilities. In addition, new staff should be given an overview of the Compliance Program during employee orientation. For “financial institutions,” it is critical that employees be trained about the Bank Secrecy Act and the implementing regulations that apply to the particular business.

Training should be periodic (generally, annually) and include not only training on basic policies and procedures, but also current anti-money laundering developments and changes to any company policies and procedures. Important developments and changes should be disseminated on an ongoing basis, as needed.

The company should document its training program and keep accurate records of the dates of the periodic employee training, the content of the training, training and testing materials, and attendance records.

(iii) Independent Audit: An Anti-Money Laundering Compliance program should be periodically tested independently to ensure it has been implemented, followed and enforced. For all Bank Secrecy Act “financial institutions” that are required to maintain Anti-Money Laundering Programs, periodic independent auditing of the Program is mandatory.
While the frequency of the independent audit is not prescribed, even for “financial institutions,” it is generally a sound practice to conduct independent testing annually.

The periodic audit must be “independent” in the sense that it is conducted by persons who are not involved in or responsible for the Program’s operation. Thus, it may be conducted by the internal audit department, outside auditors, consultants or other qualified persons. The persons conducting the independent audit should be knowledgeable about the Program, the policies and procedures included in the Program, the business and its operations, and the company’s money laundering risk assessment. For all Bank Secrecy Act “financial institutions” that are required to maintain Anti-Money Laundering Programs, they should also be knowledgeable about the Bank Secrecy Act and the regulations applicable to the company. They audit should also be familiar with the company’s money laundering risk assessment, because the audit should be “risk based” and evaluate the quality of risk management for all operations and departments involved in applying the Program’s policies and procedures.

The persons conducting the independent audit should report directly to the company board of directors or a designated board committee. Deficiencies and corrective recommendations should then be conveyed to senior management and the Compliance Officer for correction and follow-up. Senior management should ensure, through the Compliance Officer, that identified deficiencies are promptly addressed and corrective recommendations implemented.

Anti-Money Laundering – Part 7

Our thanks to this article’s author, Greg Baldwin of Holland & Knight.

Holland & Knight is a global law firm with more than 1,150 lawyers in 17 U.S. offices. Other offices around the world are located in Beijing and Mexico City, with representative offices in Caracas and Tel Aviv. Holland & Knight is among the world’s 18 largest firms, providing representation in litigation, business, real estate and governmental law. Our interdisciplinary practice groups and industry-based teams ensure clients have access to attorneys throughout the firm, regardless of location.

Greg Baldwin practices in the areas of complex commercial litigation and white collar criminal defense. He specializes in the Foreign Corrupt Practices Act, U.S.A. Patriot Act, the Bank Secrecy Act, the Money Laundering Control Act, and OFAC regulations, as well as anti-money laundering and OFAC compliance program development and implementation. Mr. Baldwin is a Certified Anti-Money Laundering Specialist.

DISCLAIMER: This Corporate Governance article is provided as an informational resource and does not constitute legal advice. The information provided in this article is based on the laws in effect at the time the article was published. Laws related to this article’s topics may change over the course of time. Visitors to this website should not rely upon or act upon this information without seeking professional legal counsel.
9 April 2007 Quarterly Report, Stuart W. Bowen, Jr., Inspector General (April 30, 2007), available at
10 See id.
11 Id.
12 Hurricane Katrina Fraud Task Force, First Year Report to the Attorney General, September 2006, page 4.
13 See DOJ Press Releases available at http://trina/Katrina_Fraud/pr/press_releases/http://trina/Katrina_Fraud/pr/press_releases/; Thousands Suspected of Katrina Fraud, CBS News (April 2, 2007).
14 Thousands Suspected of Katrina Fraud, CBS News (April 2, 2007).
15 Hurricane Katrina Fraud Task Force, First Year Report to the Attorney General, September 2006, pages 5, 14.
16 Id.