How to Write an AML Policy for Your Fintech (With Everything to Include)

Anzar Dewani

4 days ago

Your AML policy is the governing document of your entire compliance program. Here is exactly what it must cover, how to structure it, what regulators and sponsor banks look for, and the mistakes that create the most examination risk.

Your AML policy is the governing document of your compliance program. It is the single written record that shows FinCEN, your sponsor bank, investors, and any examiner that your business has thought seriously and specifically about anti-money laundering risk — and has put a real, operational system in place to manage it.

A strong AML policy does not need to be hundreds of pages long. It needs to be accurate, specific to your actual business, approved by senior management, and consistently reflected in how your operations actually run every day. A generic template downloaded from the internet — filled with language that does not match your products, your customers, or your real-world processes — is not compliant, and experienced FinCEN examiners and sponsor bank compliance teams can identify one immediately.

This article walks through exactly what an AML policy must cover, how to structure it correctly, what regulators and sponsor banks focus on when they review it, and the specific mistakes that create the greatest examination risk.

What Is an AML Policy and Why Is It Required?

An AML policy is a formal written document that describes your company's complete approach to preventing, detecting, and reporting money laundering and other financial crimes. It is the primary governing document of your BSA/AML program — the written foundation that all your day-to-day compliance operations are built on.

The policy does not run your compliance program by itself. It documents how the program is designed to run — the roles, the procedures, the controls, the standards, and the expectations your entire organization is held to. Actual compliance comes from consistently executing what the policy describes.

Under the Bank Secrecy Act, FinCEN requires that a covered financial institution's AML program be:

— Written and formally documented

— Approved by senior management on the record

— Tailored to the institution's specific business model, products, customers, and risk profile, not copied from a generic template

— Implemented and operational: actively functioning inside the business, not stored in a filing cabinet

Failure to have a written, adequate AML policy is itself a BSA violation, independent of any other compliance gaps that may exist.

The Complete AML Policy — Section by Section

Company Overview and Scope of the Policy

Begin with a concise but specific description of your company — what products and services you offer, who your customers are, what markets you serve, and what your core business activities involve. This context frames every subsequent section and tells examiners immediately whether the policy was written for your specific business or is a generic document with your name on the cover page.

The scope section must clearly state that the policy applies to all employees of the company regardless of role or location, all contractors and third-party service providers performing covered functions on behalf of the company, and all products and services offered by the company that are subject to BSA requirements.

Regulatory Framework and Legal Basis

Identify specifically — not generically — the laws and regulations your company is subject to. For most fintechs, this section should identify the Bank Secrecy Act, FinCEN's implementing regulations for your specific institution type, the applicable MSB registration requirements, state-level money transmitter licensing requirements where applicable, OFAC sanctions regulations, and any other federal or state regulations specifically applicable to your products and business model.

This section tells examiners that your company has conducted a genuine analysis of its regulatory obligations rather than assuming what applies.

Roles and Responsibilities

This section must name your BSA Officer — the specific individual accountable for overseeing the AML program — and define their responsibilities in concrete terms. It must also describe the compliance responsibilities of senior management and the board of directors or equivalent governing body, the compliance team or staff supporting the BSA Officer, operational and technology teams involved in compliance functions, and customer-facing employees who may encounter suspicious activity or compliance concerns.

Senior management accountability must be explicit, specific, and genuine — not a paragraph asserting general support for compliance. FinCEN examiners look for evidence that senior management exercises real oversight of the AML program and receives regular reporting on program performance.

The BSA Officer designation must reflect the actual person currently in that role. If your BSA Officer changes, the policy must be updated immediately.

AML Risk Assessment

Describe how your company conducts its AML risk assessment — the methodology used, the specific categories of risk assessed (customers, products, geographies, and delivery channels at minimum), the frequency of review, who is responsible for conducting the assessment, and how the results of the risk assessment drive the design and calibration of your AML controls.

Reference your current risk assessment by date and summarize its key conclusions. The policy should make explicit that your controls are designed to address the specific risks identified in the most recent assessment — not generic industry risks.

Customer Identification Program (CIP)

Describe with specificity your procedures for verifying the identity of customers at onboarding:

— The specific information collected from individual customers and the legal basis for each element

— The specific information collected from business customers including beneficial ownership

— The documentary and non-documentary verification methods used and the circumstances in which each applies

— The identity verification technology or service providers used and how they are integrated into your onboarding flow

— The process and timeline for completing verification relative to account opening and first transaction

— What happens when verification cannot be completed — account restrictions, relationship exit procedures

— Recordkeeping requirements for CIP documentation including retention periods

Customer Due Diligence (CDD) Program and Risk Rating

Describe your complete CDD program:

— How customer risk ratings are assigned at onboarding — the specific criteria that place a customer in low, medium, or high risk tiers

— The different monitoring and review treatment applied to each risk tier

— The process for ongoing monitoring of customer activity against established expected behavior profiles

— How and when customer risk ratings are updated in response to monitoring alerts or other risk-relevant information

— The schedule for periodic CDD reviews by risk tier

— Procedures for updating customer information when circumstances change

Enhanced Due Diligence (EDD) Procedures

Define precisely which customer characteristics or relationship circumstances trigger EDD. Common EDD triggers to address specifically:

— Politically Exposed Person status — how PEPs are identified, what EDD involves, and what approval is required

— High-risk geographic associations — which jurisdictions trigger EDD and what it requires

— High-risk industry sectors — which industries require EDD and the additional documentation collected

— Complex or opaque beneficial ownership structures — how complexity is defined and what additional steps are required

— Customers flagged by adverse media screening or third-party risk databases

For each EDD category, describe what the enhanced due diligence involves — what additional documentation is collected, what senior management approval is required, how more frequent monitoring is implemented, and how more frequent periodic reviews are scheduled.

Beneficial Ownership Procedures

Describe your specific procedures for identifying and verifying the beneficial owners of legal entity customers:

— The ownership threshold at which individuals must be identified (25% under FinCEN's CDD Rule)

— The control prong requirement — identifying one individual with significant management control

— The specific information collected and verified for each beneficial owner

— The verification methods used for beneficial owner identity documentation

— How you handle complex ownership structures where tracing to ultimate beneficial owners requires multiple levels of review

— What happens when a business customer refuses to provide required beneficial ownership information

Transaction Monitoring Program

Describe your transaction monitoring program with sufficient specificity that an examiner can understand how it actually operates:

— The technology platform or systems used for transaction monitoring

— How monitoring rules are configured and the process for initial calibration to your risk profile

— The types of rules implemented — threshold rules, velocity rules, pattern rules, geographic rules, behavioral rules

— How alerts are generated, prioritized, and assigned for review

— The defined SLA for alert review — the maximum time from alert generation to disposition decision

— The documentation required for each alert review and disposition

— The escalation process for alerts that require further investigation

— How the alert review process connects to the SAR filing workflow

— The process for reviewing and tuning monitoring rules over time

Suspicious Activity Reporting (SAR) Procedures

Describe your SAR program with complete specificity:

— The legal obligation and the suspicion standard that triggers a filing requirement

— The specific dollar thresholds applicable to your institution type

— The step-by-step investigation process required before a filing decision is made

— Who makes the final filing decision and what approval authority they hold

— The SAR narrative preparation process and quality standards

— The 30-day filing deadline and the process for tracking compliance with it

— How SARs are filed through FinCEN's BSA E-Filing System

— Recordkeeping requirements for SAR documentation and supporting investigation files

— The SAR confidentiality obligation — explicitly prohibiting disclosure to subjects, customers, or outside parties

— Procedures for continuing activity SARs for ongoing suspicious activity requiring repeated filings

Currency Transaction Report (CTR) Procedures

Describe your CTR program:

— The $10,000 cash transaction threshold triggering CTR filing

— The 15-business-day filing deadline

— The aggregation requirement — how to identify and aggregate multiple related cash transactions

— Who is responsible for identifying CTR-triggering transactions and completing the filing

— Procedures for lawful CTR exemptions where applicable to your business model

If your business model does not involve cash transactions, note this explicitly and explain the basis for that determination.
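The aggregation rule above, written out as an added example (not code from the article or from ComplyOne): cash-in and cash-out totals are summed separately for each customer and business day, and a CTR is flagged when either total exceeds the $10,000 threshold named in the text. The customer IDs, dates, and amounts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Under 31 CFR 1010.313 multiple cash transactions by or on behalf of the same
# person in one business day are aggregated; a CTR is required when either the
# cash-in total or the cash-out total exceeds $10,000 (exactly $10,000 does not).
CTR_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class CashTransaction:
    customer_id: str    # the person the cash is by or on behalf of
    business_day: date
    direction: str      # "in" (deposit) or "out" (withdrawal)
    amount: Decimal


def aggregate_cash(txns):
    """Sum cash in and cash out separately for each (customer, business day)."""
    totals = defaultdict(lambda: {"in": Decimal(0), "out": Decimal(0)})
    for t in txns:
        if t.direction not in ("in", "out"):
            raise ValueError(f"unknown direction {t.direction!r}")
        totals[(t.customer_id, t.business_day)][t.direction] += t.amount
    return totals


def ctr_required(txns):
    """Return (customer, day, direction, total) for every aggregate that needs a CTR."""
    hits = []
    for (customer, day), sides in sorted(aggregate_cash(txns).items()):
        for direction in ("in", "out"):
            if sides[direction] > CTR_THRESHOLD:
                hits.append((customer, day, direction, sides[direction]))
    return hits


# Constructed sample ledger, not real customer data. C-100 makes three $4,000
# deposits, each under the threshold but $12,000 in aggregate; C-200 moves $9,500
# in and $9,500 out, not combined across directions; C-300 deposits exactly $10,000.
D = date(2024, 3, 4)
SAMPLE_LEDGER = [
    CashTransaction("C-100", D, "in", Decimal("4000")),
    CashTransaction("C-100", D, "in", Decimal("4000")),
    CashTransaction("C-100", D, "in", Decimal("4000")),
    CashTransaction("C-200", D, "in", Decimal("9500")),
    CashTransaction("C-200", D, "out", Decimal("9500")),
    CashTransaction("C-300", D, "in", Decimal("10000")),
]

if __name__ == "__main__":
    for customer, day, direction, total in ctr_required(SAMPLE_LEDGER):
        print(f"CTR required: {customer} {day} cash {direction} ${total:,}")
```

Only C-100 is flagged: the per-direction totals for C-200 and the exact-threshold deposit for C-300 stay at or below $10,000.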

OFAC Sanctions Screening Program

Describe your complete sanctions screening program:

— The technology or platform used for sanctions screening

— Which lists are screened against — SDN List, consolidated lists, other applicable lists

— When screening occurs — at onboarding, at transaction processing, upon list updates

— The fuzzy matching capability and how it is configured

— The hit review process — how potential matches are evaluated, by whom, within what timeframe

— How true match determinations are made and what actions are required — blocking, account freezing

— How false positive clearances are documented

— OFAC reporting procedures — reporting blocked transactions and rejected transactions within 10 business days

— Recordkeeping requirements for all screening events and outcomes

Recordkeeping Program

Describe your recordkeeping program:

— What records must be maintained under BSA requirements

— Retention periods — generally five years from the date of the record or the closing of the account

— How records are stored — the systems, format, and security requirements

— How records are retrieved in response to examination or law enforcement requests

— Who is responsible for recordkeeping compliance

Employee Training Program

Describe your AML training program:

— Which employees are required to receive AML training and why

— The content covered in training — BSA requirements, red flags, internal reporting procedures, SAR confidentiality

— Training frequency — annual at minimum for all required employees, plus new hire training before employees begin performing covered functions

— How training completion is documented and retained

— How training content is reviewed and updated when regulations or internal policies change

— Any role-specific training requirements for higher-risk functions

Independent Testing Program

Describe your independent testing program:

— The frequency of independent testing — at minimum annually, more frequently for higher-risk operations

— Who conducts independent testing and how independence is established

— The scope of the independent review — what elements of the AML program are tested

— How findings are documented and reported to senior management

— How findings are tracked to remediation and verified as resolved

Policy Review and Maintenance

State explicitly that:

— The policy will be reviewed at minimum annually

— Updates require senior management approval

— The policy will be updated when the company launches new products, enters new markets, significantly changes its customer base, or when material regulatory changes affect applicable requirements

— All prior versions of the policy will be retained

Common Mistakes That Create the Greatest Examination Risk

Using a generic template. This is the most common and most consequential mistake. A policy that describes products you do not offer, customers you do not serve, or processes you do not follow is evidence that your compliance program exists primarily on paper. It signals to examiners that leadership has not genuinely engaged with compliance program design.

Vague operational descriptions. "We will conduct appropriate due diligence on our customers" tells an examiner nothing about your actual program. Policies must describe specifically how each function operates — who does it, how they do it, within what timeframe, using what technology, and producing what documentation.

Missing senior management approval. The BSA explicitly requires senior management approval of the AML program. This approval must be documented: a signature page signed by the CEO, a board resolution, or an equivalent documented approval process. Undocumented approval is insufficient.

Failing to update the policy as the business changes. A policy written at launch that has not been updated through two years of business growth, product launches, and geographic expansion does not reflect your current program and will not satisfy examiners. The policy must evolve with the business.

Policy-practice inconsistency. This is the most serious category of operational finding. If your policy states that alert reviews are completed within 5 business days but examination of your alert logs shows routine review timelines of 30+ days, that inconsistency is a significant finding. Policies must describe how the business actually operates, not aspirationally how it should operate.

No clear ownership of policy sections. Every operational element of the policy should have a clear owner — a role or individual accountable for executing it. Policies that describe processes without assigning ownership create accountability gaps that become compliance failures.

Frequently Asked Questions

How long should an AML policy be?

There is no required length. The policy must be comprehensive enough to cover all required elements with sufficient specificity to guide operational execution. For a simple, single-product fintech with a narrow customer base, a well-written 20-30 page policy may be sufficient. A complex multi-product platform serving diverse customer types may require a more extensive document. Length is secondary to specificity, accuracy, and operational relevance.

Does the AML policy need to be approved by the board of directors?

For most fintechs, formal board approval of the AML policy is not explicitly required by the BSA, though it is best practice and is required for bank-chartered institutions. What is required is approval by "senior management" — which typically means the CEO, president, or equivalent executive leadership. Documentation of that approval must exist.

How often does the AML policy need to be updated?

The BSA requires annual review at minimum, and an update whenever material changes to the business, regulatory environment, or risk profile occur. In practice, most growing fintechs should expect to update their AML policy at least annually and whenever they launch a new product, enter a new state or market, or make significant changes to their customer base or transaction volumes.

What is the difference between an AML policy and an AML program?

Your AML policy is the governing document that describes your AML program. Your AML program is the complete operational reality — the technology, the people, the processes, the controls, and the daily activities that implement what the policy describes. A policy without an operational program behind it is a compliance fiction. An operational program without a written policy is a BSA violation.

How ComplyOne Helps

Writing an AML policy that is compliant, specific to your business, examination-ready, and operationally accurate requires both deep regulatory expertise and a thorough understanding of how fintechs actually operate. ComplyOne helps fintechs draft, review, and maintain AML policies that satisfy FinCEN requirements and sponsor bank expectations — whether you need advisory support, a technology-powered compliance program, or both.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Compliance requirements vary based on your business model, jurisdiction, and regulatory relationships. Consult a qualified compliance professional for guidance specific to your situation.
