
BSA/AML/OFAC Sample Policy

  1. Overview and Purpose
  2. Policy Statement
  3. Key Definitions
  4. Roles and Responsibilities
  5. Policy Requirements
  6. Use of Third Parties
  7. Penalties for Non-Compliance
  8. Reporting
  9. Record Retention and Recordkeeping
  10. Policy History

1. Overview and Purpose

This Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) / Office of Foreign Assets Control (OFAC) Policy governs COMPANY NAME’s program to combat money laundering, terrorist financing, fraud, and other improper conduct. The policy addresses requirements from the BSA, USA PATRIOT Act Title III, OFAC rules, FDIC regulations, and other relevant AML/Counter-Terrorist Financing (CTF) regulations.

2. Policy Statement

The company commits to protecting customer funds, sponsor bank integrity, employee welfare, and organizational reputation. The policy aims to detect, prevent, and remediate money laundering, financial crimes, and terrorist financing while maintaining BSA/AML legal compliance and mitigating financial crime risks.

Questions about conflicts between this policy and other bank policies should be escalated to the Chief Compliance Officer (CCO).

3. Key Definitions

Account: A formal relationship providing financial services, including deposit accounts, transaction accounts, credit accounts, or extensions of credit.

Bank: A regulated financial institution with which the Company has service agreements.

Beneficial Owner: Any entity owning 25% or more of a legal entity’s equity interests, or a single individual with significant control/management responsibility (executive officer, senior manager, or equivalent).

Customer: Any natural or legal person opening or maintaining an account, including individuals, corporations, partnerships, trusts, estates, joint stock companies, associations, syndicates, joint ventures, and Indian Tribes.

Money Laundering: The process of making the proceeds of illegal activity appear legitimate, typically by hiding their true source, disguising their disposition, eliminating audit trails, and evading taxes.

OFAC: The Office of Foreign Assets Control, which administers economic and trade sanctions based on U.S. foreign policy and national security goals, targeting foreign countries, regimes, terrorists, narcotics traffickers, and weapons proliferation threats.

Specially Designated Nationals and Blocked Persons (SDNs): Individuals and entities owned/controlled by or acting on behalf of targeted countries, plus designated terrorists and narcotics traffickers whose assets are blocked.

Terrorist Financing: The process of funding terrorist operations using both legitimate sources (donations, business profits, charities) and criminal sources (drug trafficking, weapons smuggling, fraud, kidnapping, extortion).

Willful Blindness: Deliberate avoidance of knowledge regarding suspicious transactions or money laundering, carrying both civil and criminal penalties under the BSA.

4. Roles and Responsibilities

Policy Approver: The Board of Directors approves this policy and substantive revisions annually, documented in Board minutes. The CCO approves non-substantive revisions.

Policy Sponsor: The CCO reviews underlying policy rationale, substantive revisions, and policy retirement.

Policy Owner: The CCO monitors and reports on policy compliance, with authority to delegate implementation and reporting responsibilities.

All Employees: Responsible for understanding and complying with applicable laws, completing required training, and promptly reporting suspected violations. Third-party service providers and vendors must likewise comply.

5. Policy Requirements

The BSA/AML and OFAC compliance program must be fully implemented with practices coinciding with written policies and procedures, commensurate with company risk profile.

Compliance risk is identified as a principal operational risk, with AML/CTF compliance included in the broader compliance risk category. The assessment identifies inherent money laundering and terrorist financing risk across customers, geographies, products/services, and channels, and evaluates the effectiveness of mitigating controls.

The CCO performs annual enterprise-wide money laundering and terrorist financing risk assessments. OFAC risk assessments occur concurrently as part of the BSA/AML process.

The company’s Board designates the CCO to coordinate and monitor day-to-day compliance responsibilities.

The company conducts risk-based compliance testing and monitoring commensurate with activities and risk profile, providing regular testing of policies, procedures, and processes.

Ongoing monitoring ensures adherence to company policies and processes, enabling timely identification of BSA/AML and OFAC program deficiencies.

Periodic testing evaluates company adherence to established BSA/AML and OFAC policies, procedures, and processes. The scope and level of testing depend on risk assessment results, monitoring outcomes, and management discussions. At minimum, CIP, OFAC screening, and SAR investigation/filing processes are tested annually.

The Board and Executive Management create a compliance culture ensuring staff adherence to BSA/AML and OFAC policies. Internal controls — policies, procedures, and processes limiting/controlling risks — should be commensurate in sophistication with company size, structure, risks, and complexity.

Under USA PATRIOT Act Section 326, the company implements a written CIP confirming customer identity at account opening. Section 326 requires:

  • Verifying identity to the extent reasonable and practicable
  • Maintaining records of verification information (name, address, identifying information)
  • Determining whether applicants appear on known/suspected terrorist lists

The CIP governs customer identification requirements, identity verification methods, customer due diligence, and record retention. Applicants not providing required information or identification will not receive service or account establishment.

Customer Verification Requirements for Individuals

Required customer identification information maintained on file includes:

  • Full name (including prior names/aliases if known)
  • Date of birth
  • Address (or permanent foreign residence if applicable)
  • Identification number
  • Individual’s country of origin/citizenship (if foreign)

Customer Verification Requirements for Existing Customers

For existing customers opening new accounts, the company verifies current file information is accurate and updates as required.

U.S. person account relationships require an SSN/TIN or EIN before establishment. Applicants without an SSN/TIN must provide evidence of a Tax ID application. The company does not open accounts for individuals lacking an SSN/TIN.

Acceptable Methods of Customer Identification

Documentary Methods of Verification: Primary identification must evidence nationality/residence and bear photographs or similar safeguards (e.g., driver’s license, passport). For entities (corporations, partnerships, trusts), documentation showing legal existence is required (certified articles of incorporation, government-issued business license, partnership agreement, trust instrument).

Non-Documentary Methods of Verification: Methods include customer contact, independent identity verification through consumer reporting agencies or public databases, checking references with other financial institutions, and obtaining financial statements. Electronic credentials must comply with FFIEC “Authentication in an Electronic Banking Environment” guidance.

Combination of Documentary and Non-Documentary Methods: Staff may use both methods when unable to verify identity through standard methods, including legitimate cases where customary identification cannot be presented. Staff must document in the customer profile why standard CIP requirements weren’t followed and what alternative verification steps were taken, and the exception requires approval by the CCO or designee.

Prior to account opening, applicants receive notice that identity-verifying information will be requested through account applications, website postings, or oral notification for phone applications. For joint accounts, notice to one owner for delivery to others is permitted. The required sample language states:

“IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT: To help the government fight the funding of terrorism and money laundering, Federal law requires all financial institutions to obtain, verify, and record information identifying each person who opens an account. When you open an account, we request your name, address, date of birth, and other identifying information. We may also request a driver’s license or other identifying documents.”

The CIP rule permits using third parties (agents, service providers) to perform account application services on the company’s behalf, including identity verification and record maintenance. Third parties are legally obligated to adhere to CIP requirements.

The CDD program — a policy cornerstone — applies to all customers. Understanding customer business/professional activities, income sources, wealth/assets, and fund sources is paramount. Understanding how the company’s products and services fit the customer’s objectives supports an accurate customer risk profile.

A customer risk profile consists of information gathered at account opening that forms a baseline for assessing customer activity for suspicious activity reporting. The profile may include account type, service/product type, and risk ratings or customer categories (the latter are not required).

Risk profiles consider:

  • Account purpose (consumer transaction accounts)
  • Actual/anticipated account activity
  • Nature of the customer’s business or occupation, relative to identified high-risk categories
  • Customer location
  • Product and service types used

CDD includes ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

FinCEN established beneficial ownership identification rules via 31 C.F.R. § 1010.230 and 1020.210(b)(5), effective May 11, 2018. Banks, credit unions, securities brokers/dealers, mutual funds, futures commission merchants, and introducing brokers must enhance due diligence when opening legal entity customer accounts (Corporations, Partnerships, Non-Profits, Sole Proprietorships, Trusts, etc.) by obtaining and maintaining beneficial ownership identification information.

Where permitted, the CCO recommends closing an existing customer’s account when the customer is convicted of:

  • Money Laundering or Bank Secrecy Act Violations
  • Terrorism and/or Terrorist Financing
  • Drug Trafficking
  • Human Trafficking and/or Human Smuggling
  • Bank, Mail, Securities, Check, or Wire Fraud
  • Identity Theft
  • Forgery
  • Embezzlement
  • Tax Evasion
  • Bank Robbery
  • Grand Larceny
  • Political Corruption or Bribery (U.S. or foreign law)
  • Organized Crime

The company prohibits relationships outside risk tolerance, including:

  • SDNs or parties on OFAC Consolidated Sanctions Lists
  • Individuals whose identities cannot be verified during customer verification

Financial institutions must monitor suspicious activity and file SARs reporting known/suspected federal law violations or suspicious transactions related to criminal activity, money laundering, and terrorist financing.

Potentially suspicious activity meeting these criteria is referred to the company’s partner Bank:

  • Transactions that appear to involve funds derived from illegal activity, or that are designed to hide or disguise such funds or assets (their ownership, nature, source, location, or control) in order to violate or evade the law or to avoid federal transaction reporting requirements
  • Transactions designed to evade BSA regulations
  • Transactions that lack a business or apparent lawful purpose, or that are inconsistent with expected customer behavior, with no reasonable explanation after examining the available facts, background, and purpose of the transaction

The partner Bank files SARs on transactions meeting certain thresholds. The company refers suspicious activity to its partner Bank when it involves:

  • Insider abuse in any amount
  • Aggregating $5,000+ with identifiable suspects
  • Aggregating $25,000+ regardless of suspect identification

SARs are highly confidential with safeguards preventing disclosure to anyone except the partner Bank and FinCEN.

Financial institutions must implement systems identifying suspicious activity. Based on implemented methods, the company immediately escalates identified suspicious activity to its partner Bank for SAR filing. Monitoring levels are dictated by risk assessment with emphasis on product, customer, and geographic risk.

Automated Methods: The company identifies appropriate “red flags” and develops transaction monitoring surveillance scenarios identifying unusual activity using risk-based approaches reflecting risk profiles, products, services, customer base, geographic factors, and transaction purposes. Automated methodology is consistent with regulatory guidance for model risk management.

Manual Methods: The company uses manual transaction monitoring methods as needed, including transaction report review based on due diligence reviews, adverse information, and employee referrals.

The company commits to full OFAC sanctions program compliance and other applicable economic sanctions programs. Reasonable procedures determine whether applicants/existing customers appear on known/suspected terrorist lists provided by government agencies.

The company ensures no unauthorized business or relationships with persons on sanctions lists maintained by government agencies administering applicable sanctions programs or in jurisdictions targeted by comprehensive sanctions programs. Regular screening of applicants, customers, and beneficial owners occurs against OFAC’s SDN List and other applicable sanctions lists.

If a true “hit” on Sanctions Lists is identified, the CCO (or designee) thoroughly reviews the account, determining appropriate escalation steps to the partner Bank for FinCEN and OFAC reporting.

9. Information Sharing/Information Requests

The company responds to Section 314(a) requests, law enforcement inquiries, grand jury subpoenas, and National Security Letters (NSLs).

Section 314(a) of the USA PATRIOT Act requires financial institutions to comply with FinCEN requests regarding individuals suspected of terrorism or money laundering. Upon receiving a Section 314(a) request, the company searches for accounts maintained by the named subjects during the preceding 12 months and for transactions involving the named subjects conducted within the previous 6 months. Positive matches are reported to FinCEN within 14 days. When subjects of a law enforcement request are identified, their transactional activity is reviewed to identify common relationships or suspicious activity. Any unusual or suspicious activity identified requires a SAR filing referral to the company’s partner Bank(s). SARs based on law enforcement inquiries may not refer to the request itself but rather to the supporting facts and activities.

314(a) Information Requests and subject lists are highly confidential; financial institutions cannot disclose FinCEN information requests to account holders.

Certain law enforcement requests are highly confidential and processed/maintained by the company’s CCO only, with limited-access electronic file maintenance.

The company designates a point of contact for Section 314(a) information sharing and does not participate in 314(b) information sharing.

The company conducts independent testing of its BSA/AML compliance obligations every 12-18 months, commensurate with risk profile, size, complexity, activity scope, control function quality, geographic diversity, and technology use. Independent testing uses outside auditors, consultants, or other qualified independent parties not involved in the tested functions. No outside auditor performing independent testing participates in other BSA/AML or OFAC functions that would present a conflict of interest or a lack of independence. Independent audit findings are reported directly to the Board and company executive management.

The scope includes:

  • Overall BSA/AML compliance program adequacy/effectiveness evaluation, including policies, procedures, and processes
  • Company risk assessment reasonableness review given risk profile — customers, products, services, channels, geographies
  • Risk-based transaction testing verifying BSA recordkeeping/reporting requirement adherence
  • Management efforts to resolve violations/deficiencies in previous audits and regulatory examinations, including outstanding supervisory action progress
  • Staff training adequacy, accuracy, and completeness review
  • Suspicious activity monitoring reports and KYC systems (manual, automated, or combined) review to extent executed by company
  • Overall suspicious activity identification and reporting process assessment, including when/where to refer observed activity to partner Bank
  • Overall OFAC match identification and escalation process assessment to partner Bank
  • Management information integrity and accuracy assessment used in BSA/AML compliance programs

The CCO determines compliance training needs for all employees commensurate with job levels/responsibilities. All employees receive appropriate training at least annually. BSA, AML, and OFAC training is included in mandatory new-hire training, completed within 30 days of employment start.

The training schedule is annually reviewed and approved by the CCO, who ensures all applicable personnel (Board, employees, contractors) receive required BSA, AML, and OFAC training and documentation. Training/testing materials, training session dates, and attendance records are maintained. Training progress, update initiatives, and training issues are reported periodically to the company’s Board.

6. Use of Third Parties

The company may rely on third parties approved by its partner Bank for certain BSA/AML functions involving customers, including CIP, CDD, and OFAC screening.

The company may engage third-party service providers and vendors to assist with BSA/AML and OFAC compliance functions. All third parties must comply with applicable laws, regulations, and company policies.

7. Penalties for Non-Compliance

Money laundering and terrorist financing penalties are severe, among the highest criminal/civil penalties of any banking laws/regulations. BSA/AML regulation non-compliance may subject the company to federal regulatory agency supervisory action and civil/criminal prosecution. Violations include unauthorized SAR filing disclosures.

Penalties include large monetary fines, property forfeiture, and imprisonment.

As a condition of employment, company employees must adhere to applicable laws and regulations, including BSA/AML mandates. Employees must promptly report concerns about possible breaches of laws, rules, regulations, or applicable sanctions-related policies and procedures, including this policy.

8. Reporting

On an annual basis or more frequently as circumstances dictate, the CCO presents reports to the Board including:

  • Insights into ongoing compliance initiatives
  • Noted deficiencies/corrective actions
  • SAR filings/referrals relating to financial crimes compliance
  • Key risk indicators (KRIs) and key performance indicators (KPIs) enabling informed BSA, AML, and Sanctions decisions

9. Record Retention and Recordkeeping

The BSA and USA PATRIOT Act Section 326 require institutions to create or obtain and preserve customer information and transaction records for potential examination by regulators, law enforcement, and government agencies.

The CIP requires identifying information obtained at account opening (name, date of birth, address, tax identification number) to be retained per regulatory requirements.

Company procedures require that the following data be retained after creation for the period set by the Record Retention Policy:

  • Customer identifying information (name, address, DOB, TIN/SSN)
  • Description of document type reviewed for verification (Driver’s license, Passport, etc.)
  • Identification number on document
  • Place of issuance
  • Issuance date, if any
  • Expiration date, if any
  • Description of non-documentary methods used and results
  • Description of how substantial discrepancies were resolved

For credit extensions exceeding $10,000 (not secured by real property), the following shall be obtained, recorded, and kept on file for a minimum of five (5) years after account closure:

  • Borrower name
  • Borrower address
  • Extended credit amount
  • Loan nature/purpose
  • Loan date

All applicable records (electronic and physical) are retained for compliance with company record retention policy requirements. Generally, all records are retained at least five years.

Funds transfer recordkeeping requirements stipulate that each bank involved in a funds transfer greater than $3,000 must collect and retain certain information. The required information depends on the bank’s role in the funds transfer (originator’s bank, intermediary bank, or beneficiary’s bank), whether the originator and beneficiary are established customers, and whether the payment order is made in person or otherwise.

The company maintains internal ledgers documenting funds transfer information (in/out of company accounts) and retains information indefinitely.

All records of potential SAR referrals to the partner Bank are maintained for at least five (5) years.

All records pertaining to partner Bank referrals regarding “true hits” identified in sanctions list screening (including OFAC) are maintained for at least five (5) years.

All records pertaining to law enforcement requests under USA PATRIOT Act Section 314(a) are maintained for at least five (5) years.

10. Policy History

Date of Action | Responsible Party | Description of Policy Action
PLACEHOLDER | PLACEHOLDER | Version 1.0