Introduction
This checklist is intended to assist managers, in-house counsel, and private practitioners at financial institutions who are responsible for ensuring their organization’s compliance with staff awareness and training requirements to prevent money laundering (ML) and terrorist financing (TF). These requirements are found in the Currency and Foreign Transactions Reporting Act of 1970 (commonly referred to as the Bank Secrecy Act (BSA)) and related anti-money laundering (AML) laws and regulations. The checklist provides an overview of the key considerations for staff awareness and training regarding BSA and AML requirements.
This checklist includes the following steps:
- Provide appropriate and up-to-date training
- Identify staff who require training
- Provide initial and ongoing training
- Maintain adequate documentation of training
The checklist is presented as a list of steps and suggestions that you can check off as they are addressed. At the end of the document, there are explanatory notes corresponding with each item in the checklist.
This checklist can be used in conjunction with the following How-to guides: How to assess your organization for money laundering and terrorist financing risk, and How to monitor Bank Secrecy Act (BSA) compliance and Checklists: Initial response to a report of suspicious activity and Screening employees for roles in AML compliance.
The checklist provides generally applicable guidance. Each organization should check whether the BSA and related AML laws and regulations contain additional, sector-specific requirements for staff awareness and training.
Step 1 – Provide appropriate and up-to-date training
| No. | Requirement |
| 1.1 | Cover basic training requirements |
| 1.2 | Address current issues, areas of risk and enforcement priorities in training |
Step 2 – Identify staff who require training
| No. | Requirement |
| 2.1 | Meet minimum staff training needs |
| 2.2 | Give training appropriate to the needs of different roles |
| 2.3 | Provide special training, if required |
Step 3 –Provide initial and ongoing training
| No. | Requirement |
| 3.1 | Conduct training at initial hire stage |
| 3.2 | Ensure ongoing training requirements are being met |
Step 4 – Maintain adequate documentation of training
| No. | Requirement |
| 4.1 | Document training |
| 4.2 | Ensure the training records contain the required information |
Explanatory notes
Overview
Under the BSA, financial institutions must establish an ‘ongoing employee training program’ to guard against ML and TF. See, 31 USC section 5318(h)(1). See also, 12 CFR sections 208.63(c)(4), 326.8(c)(4), 748.2(c)(4), and 21.21(d)(4).
Training is one of the five pillars of BSA compliance listed below which every organization, at a minimum, must have in place:
- internal compliance policies and controls for detecting and preventing ML, TF, and other illicit financial activity;
- independent compliance testing to be conducted by the financial institution or an outside party;
- personnel responsible for coordinating and monitoring day-to-day compliance;
- an employee training program; and
- a Customer Identification Program (CIP) that includes risk-based procedures that ensure the financial institution can maintain a reasonable expectation that it knows the identity of its customers.
See, 31 CFR sections 1010.210, 1023.210, 1024.210, 1026.210; 12 CFR sections 208.63(c), 326.8(c), 748.2(c), and 21.21(d).
Staff that know the risks of ML, TF, and other illicit financial activity, and are trained to identify unusual or suspicious activities or transactions, are vital to an organization’s BSA and AML compliance program. Even the best-designed compliance program can fail if the organization’s staff are inadequately trained. Organizations should train staff, management, and governors (eg, the board of directors) to ensure that they are aware of and keep up to date with BSA and AML compliance requirements. A comprehensive training program should include both basic and ongoing education.
Step 1 – Provide appropriate and up-to-date training
1.1 Cover basic training requirements
You should devise training that is relevant to the organization’s particular risk profile, but you should ensure that the following key elements are covered:
- regulatory requirements and how they apply to the organization’s products, services, customers, and locations;
- the organization’s internal policies, procedures, and processes for complying with the BSA’s requirements;
- the IT systems used in BSA and AML compliance at the organization;
- the various forms of ML, TF, and other illicit financial activity risks faced by the organization;
- how to identify and report suspicious activity, including examples; and
- the consequences for the individual staff member and the organization of non-compliance with internal policies and regulatory requirements.
Failure to comply with training requirements may result in significant financial penalties.
Example
In early 2024, the Federal Reserve issued an enforcement order that required the Industrial and Commercial Bank of China, Ltd. to pay $ 2,431,956 based in part on the bank’s failure to have any formal policies, procedures, training, or other internal controls designed to instruct employees regarding how to properly handle confidential supervisory information (CSI) or how to prevent the unauthorized dissemination and use of CSI. The order also required the Bank to develop a plan that included enhanced policies, procedures, internal controls, and training thereon, governing the identification, receipt, management, and proper use of CSI.
1.2 Address current issues, areas of risk and enforcement priorities in training
It is important to keep up to date on regulatory priorities when determining training needs. Training should reflect the current issues, risks, and priorities identified by regulators.
For instance, the Anti-Money Laundering Act of 2020 (AMLA) calls for the Secretary of the Treasury to create a list of public priorities, to be updated every four years. The AMLA requires financial institutions to review and incorporate these priorities into their BSA and AML programs. In June 2021, the Financial Crimes Enforcement Network (FinCEN) issued its first list of Priorities (together Priorities, each a Priority) identifying the most significant ML and FT threats facing the United States:
- corruption;
- cybercrime;
- domestic and international terrorist financing;
- fraud;
- transnational criminal organizations;
- drug-trafficking organizations;
- human trafficking and human smuggling; and
- proliferation financing.
As noted in a FinCEN press release, each institution should ‘review and incorporate, as appropriate, each Priority based on the institution’s broader risk-based AML program.’ In addition, FinCEN has provided statements of guidance for financial institutions to use when determining which of the Priorities apply to their particular institution.
On July 3, 2024 FinCEN announced a proposed rule (Anti-Money Laundering and Countering the Financing of Terrorism Programs) intended to strengthen and modernize financial institutions’ AML and countering the financing of terrorism (CFT) programs and amend existing regulations. Section IV.D.4 of the proposed rule relates to training, and provides that training requirements ‘would be based on a financial institution's risk assessment process, and the content of the training and frequency with which it would occur would depend on the financial institution's risk profile and the roles and responsibilities of the persons receiving the training.’ A training program ‘should be sufficiently targeted to the roles and responsibilities of employees.’
Step 2 – Identify staff who require training
2.1 Meet minimum staff training needs
At a minimum, the training program should specifically include employees whose duties require BSA and AML knowledge. These employees should be identified by looking at each employee’s role and risk factors. These will vary between organizations. Tailor training protocols to each relevant employee’s responsibilities, including targeted training unique to certain business lines or units.
2.2 Give training appropriate to the needs of different roles
Additionally, certain roles have unique training needs. For example, BSA compliance staff are responsible for day-to-day compliance monitoring and compliance program management. Compliance staff will typically require more extensive training than other staff, senior management, or the board of directors. Therefore, it is crucial to ensure that the BSA and AML compliance program implemented for compliance staff is comprehensive and provides staff with adequate training to perform their duties.
BSA compliance staff should also receive periodic training to ensure they are aware of, and knowledgeable about, changes in both of the following areas:
- the BSA and AML laws and regulations governing the organization’s activities; and
- the organization’s risk profile, based on its products, services, customers, and locations served.
Senior management should receive training in the fundamentals of BSA compliance, and guidance on their supervising responsibilities in the context of BSA compliance. In addition, the board of directors should also receive periodic training on changes and new developments in the BSA in order to perform the following functions:
- provide approval for the institution’s written BSA and AML compliance program;
- oversee the institution’s compliance program;
- establish an appropriate level of authority and independence for the compliance program, officers, and authorized staff; and
- anticipate and provide the resources necessary for compliance personnel to perform their duties.
2.3 Provide special training, if required
Special training may be necessary for certain types of organizations and business lines. For instance, the Customer Due Diligence (CDD) rules apply to the following:
- banks and other types of depository institutions;
- brokers or dealers in securities;
- money transmitters;
- currency exchangers;
- check cashers;
- issuers and sellers of traveler’s checks and money orders; and
- certain casinos and card clubs.
See, 31 CFR parts 1010, 1020, 1023, 1024, and 1026.
Under these rules, the institutions concerned must provide staff with CDD training, including, for example:
- how to verify the identity of customers, including the beneficial owner if the customer is a legal entity;
- how to conduct ongoing monitoring to identify suspicious transactions; and
- how to report suspicious transactions.
For further detail refer to Checklist: Currency transaction reporting requirements.
Step 3 – Provide initial and ongoing training
3.1 Conduct training at initial hire stage
New employees whose job duties require BSA and AML knowledge should receive initial training during orientation. At a minimum, initial training should include the basic requirements outlined above in Step 1.
3.2 Ensure ongoing training requirements are being met
The BSA legal framework is designed to ensure that compliance is ongoing. Special training for all staff will be necessary when regulatory changes occur, or when changes in the organization’s risk profile affect staff work responsibilities.
Additionally, a tailored training cycle might require more frequent training for high-risk and critical management roles, and one-time or annual training for other staff. For these high-risk and critical roles, periodic testing may also be appropriate to ensure the personnel in these roles maintain proper knowledge and skills.
Step 4 – Maintain adequate documentation of training
4.1. Document training
The financial institution must document all training and testing (if testing is used). Financial regulators reviewing the financial institution’s compliance with BSA requirements will review records to ensure that staff awareness and training are adequate. In addition to periodic training, as described above, the institution may also consider post-training assessments to ensure the effectiveness of the training and keep these records to document compliance.
See further Checklist: Being prepared for a visit by a financial regulator.
4.2. Ensure the training records contain the required information
The financial institution must be able to produce its training and testing records if asked to do so by an agency examiner or auditor. The training records should show the following:
- the dates of training sessions;
- the staff who attended;
- the training materials used;
- the training assessment or testing results; and
- any corrective action taken for staff who failed to complete the training in a timely manner.
Agency examiners and auditors will analyze whether all staff and personnel whose responsibilities require BSA comprehension have been trained on the BSA and its rules, regulations, and related requirements.
Additional resources
IMF, Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT)
U.S. Department of the Treasury, National Strategy for Combating Terrorist and Other Illicit Financing
Related Lexology Pro content
How-to guides:
How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective
Checklists:
Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Reliance on information posted:
While we use reasonable endeavors to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.