Anti-Money Laundering Program

To meet the anti-money laundering program requirement, a broker-dealer must maintain a written AML program approved by senior management that covers the four required pillars: risk-based policies and controls, an appointed AML Compliance Officer, ongoing training, and independent testing. Your job is to turn this into owned workflows for onboarding, monitoring, escalation, and SAR/CTR readiness, backed by audit-ready evidence. (31 CFR § 1023.210)

Key takeaways:

  • Your written AML program must be “reasonably designed” for your actual products, customers, and channels, not a generic template. (31 CFR § 1023.210)
  • Examiners look for operational proof: approvals, training logs, testing reports, and case documentation tied to escalation and filing decisions. (31 CFR § 1023.210)
  • The fastest path to readiness is mapping each pillar to an owner, a workflow, and a set of artifacts you can produce on demand. (31 CFR § 1023.210)

“Have an AML program” is not a policy-writing exercise. For a CCO or GRC lead at a broker-dealer, the AML program requirement becomes real when you can show (1) governance and accountability, (2) risk-based controls embedded in client onboarding and activity review, (3) staff who know what to do, and (4) independent testing that actually challenges the program.

The regulatory expectation is explicit: each broker-dealer must develop and implement a written AML program approved by senior management. (31 CFR § 1023.210) “Implement” is the word that drives exam outcomes. It means your procedures are followed, your alerts and escalations have documented dispositions, and your program produces consistent decisions about suspicious activity reporting obligations under the Bank Secrecy Act.

This page translates the requirement into an operator’s checklist: who it applies to, what to build, how to run it day-to-day, what evidence to retain, and where exams typically get stuck. If you need to operationalize quickly, treat this as a build plan for a defensible AML operating model that you can evidence under time pressure.

Regulatory text

Regulatory requirement (excerpt): “Each broker-dealer must develop and implement a written anti-money laundering program approved by senior management.” (31 CFR § 1023.210)

What the operator must do with this text

This line drives three non-negotiables:

  1. Written program: A documented AML program exists as a controlled document (versioned, reviewed, and accessible). (31 CFR § 1023.210)
  2. Implemented program: Procedures are not aspirational. They are embedded into onboarding, transaction/activity review, escalation, and reporting readiness, with records showing execution. (31 CFR § 1023.210)
  3. Senior management approval: You can produce evidence that senior management approved the program (initially and after material changes). (31 CFR § 1023.210)

The program must include the classic “four pillars” (policies/controls, AML officer, training, independent testing) and be reasonably designed to detect and report suspicious activity and support BSA reporting obligations (including SARs and CTRs). (31 CFR § 1023.210)

Plain-English interpretation (what the requirement means in practice)

You need an AML program that matches how your broker-dealer actually operates: who you onboard, what products you sell, how you accept and move funds, what third parties you rely on, and what activity could indicate money laundering or other illicit finance.

A working interpretation that holds up in exams:

  • Controls must be risk-based and repeatable. If onboarding identifies higher-risk customers, your program must show what happens next (enhanced review, added monitoring, tighter escalation). (31 CFR § 1023.210)
  • Someone must own the program. The AML Compliance Officer role must be clear, empowered, and able to evidence oversight. (31 CFR § 1023.210)
  • Employees must be trained for their jobs. Training must fit role responsibilities, not just a generic annual module. (31 CFR § 1023.210)
  • Independent testing must challenge reality. Testing should validate design and execution, including sampling of cases and evidence. (31 CFR § 1023.210)

Who it applies to (entity and operational context)

Applies to: Broker-dealers subject to the AML program rule. (31 CFR § 1023.210)

Operational scope (where you feel it):

  • Client onboarding / account opening: collecting information, identifying risk indicators, documenting decisions, and triggering enhanced handling for elevated risk. (31 CFR § 1023.210)
  • Ongoing review of activity: monitoring for suspicious patterns and documenting alert/case dispositions. (31 CFR § 1023.210)
  • Escalation and reporting readiness: defined steps for internal escalation to the AML Compliance Officer (or delegate) and documenting SAR/CTR decisioning. (31 CFR § 1023.210)
  • Third parties: clearing firms, introducing arrangements, technology providers, and outsourced ops. Your AML program must still work end-to-end, with responsibilities clearly allocated and evidenced. (31 CFR § 1023.210)

What you actually need to do (step-by-step)

Use this as an implementation runbook. Each step produces an artifact that supports exam readiness.

1) Define your AML program scope and risk assumptions

  • Inventory your products/services, customer types, geographies, delivery channels, and key third parties that touch onboarding and movement of funds/securities.
  • Write down your AML risk factors and how they change your controls (for example: what triggers enhanced review).
  • Convert assumptions into decision rules that front-line teams can follow without improvising.
    Output: AML risk assessment summary and control mapping to onboarding and surveillance. (31 CFR § 1023.210)

2) Draft (or fix) the written AML program document

Minimum content to include:

  • Governance (senior management approval, review cadence, change control). (31 CFR § 1023.210)
  • The four pillars: internal controls; designated AML officer; training; independent testing. (31 CFR § 1023.210)
  • How suspicious activity is identified, escalated, investigated, and documented, including SAR/CTR readiness processes. (31 CFR § 1023.210)
    Output: Controlled AML Program document with versioning and approval section. (31 CFR § 1023.210)

3) Assign accountable owners (RACI) and empower the AML Compliance Officer

  • Name the AML Compliance Officer in writing; define authority, delegation, and escalation paths. (31 CFR § 1023.210)
  • Create a RACI for onboarding reviews, monitoring alerts, investigations, and filing decisions.
  • Document what the AMLCO reviews (metrics, significant cases, exceptions, training completion, testing outcomes).
    Output: AMLCO appointment memo; AML governance chart; escalation matrix. (31 CFR § 1023.210)

4) Implement internal policies, procedures, and controls in daily workflows

Build the “control spine” across core workflows:

Onboarding controls

  • Standardize what information is collected and how exceptions are handled.
  • Define risk-rating logic and required follow-ups for elevated risk.
  • Add a documented approval gate for high-risk onboarding.
    Evidence: completed onboarding checklists; risk-rating output; approval records. (31 CFR § 1023.210)

Monitoring and investigations

  • Define what generates an alert (manual, automated, or both) and how alerts become cases.
  • Require documented dispositions with rationale and supporting documentation.
  • Track aging and escalation for stalled cases.
    Evidence: alert/case logs; investigation notes; disposition rationale; escalation records. (31 CFR § 1023.210)

SAR/CTR readiness

  • Document how staff raise concerns, how the AMLCO decides, and what gets retained to support decisions.
  • Align recordkeeping to your internal procedures so you can show consistency over time.
    Evidence: SAR/CTR decision memos or case narratives; internal referrals; supporting documentation. (31 CFR § 1023.210)

5) Stand up ongoing employee training (role-based)

  • Define training by role (registered reps, onboarding ops, supervisors, AML investigators, leadership). (31 CFR § 1023.210)
  • Include: red flags relevant to your business model, escalation steps, documentation standards, and consequences for bypassing controls.
  • Track completion and follow up on non-completions.
    Output: training curriculum, attendance/completion logs, quiz attestations where used. (31 CFR § 1023.210)

6) Plan and execute independent testing

  • Set a testing plan that samples real onboarding files, alerts/cases, and escalations; verify documentation quality and timeliness. (31 CFR § 1023.210)
  • Ensure tester independence (internal audit, qualified external party, or an independent function). (31 CFR § 1023.210)
  • Track findings to closure with corrective actions and retesting where appropriate.
    Output: independent testing report, management responses, remediation tracker, closure evidence. (31 CFR § 1023.210)

7) Build an evidence system so you can answer exam requests fast

Most AML exam stress comes from scattered artifacts. Use a single system of record (GRC tool, controlled repository, or a structured ticketing system) that ties:

  • policy version + approval,
  • training completion,
  • testing results,
  • case records and decisions,
  • remediation closure.

Daydream can help by turning the requirement into a control-and-evidence checklist, assigning owners, and keeping artifacts linked to the control they prove, so exams become retrieval instead of reconstruction. (31 CFR § 1023.210)

Required evidence and artifacts to retain

Keep artifacts in a way that you can produce them by date range and by control.

Governance

  • AML program document (version history, change log) (31 CFR § 1023.210)
  • Senior management approval evidence (minutes, signed approval page, or equivalent) (31 CFR § 1023.210)
  • AMLCO designation letter and role description (31 CFR § 1023.210)

Controls in operation

  • Onboarding files with risk rating, approvals, and exception handling records (31 CFR § 1023.210)
  • Alert and case management records, including dispositions and escalation trails (31 CFR § 1023.210)
  • SAR/CTR decisioning documentation aligned to your procedures (31 CFR § 1023.210)

Training and testing

  • Training materials by role and completion tracking (31 CFR § 1023.210)
  • Independent testing plan, workpapers (if available), final report, and remediation evidence (31 CFR § 1023.210)

Common exam/audit questions and hangups

Expect examiners and auditors to probe for “proof of implementation”:

  • Show me senior management approval. Produce the approval record tied to the current program version. (31 CFR § 1023.210)
  • How did you tailor controls to your risk? Walk through risk factors and how they change onboarding and review steps. (31 CFR § 1023.210)
  • Who is the AMLCO and what do they do day-to-day? Show oversight routines, escalations, and decisions. (31 CFR § 1023.210)
  • How do you know the program works? Present independent testing results, findings, and corrective actions closed. (31 CFR § 1023.210)
  • Are people trained for their role? Show role-based training completion and content. (31 CFR § 1023.210)

Typical hangup: firms can describe the process verbally but cannot produce consistent case documentation, approvals, and testing follow-through.

Frequent implementation mistakes (and how to avoid them)

Each entry lists the mistake, why it fails, and the fix.

  • Copying a generic AML template
    Why it fails: “Reasonably designed” becomes indefensible if procedures don’t match actual operations. (31 CFR § 1023.210)
    Fix: Tie procedures to products, onboarding steps, and escalation paths you actually use. (31 CFR § 1023.210)
  • Naming an AMLCO without authority
    Why it fails: The AMLCO becomes symbolic; decisions drift to business owners. (31 CFR § 1023.210)
    Fix: Document decision rights, escalation routes, and review routines. (31 CFR § 1023.210)
  • Training that is generic and untracked
    Why it fails: You cannot prove coverage or effectiveness by role. (31 CFR § 1023.210)
    Fix: Role-based curriculum + completion tracking + follow-up. (31 CFR § 1023.210)
  • Independent testing that checks the box
    Why it fails: Testing misses real failure modes like poor case notes or inconsistent escalation. (31 CFR § 1023.210)
    Fix: Sample real files and cases; track findings through remediation closure. (31 CFR § 1023.210)
  • Weak evidence discipline
    Why it fails: Exams become a scavenger hunt; gaps look like non-implementation. (31 CFR § 1023.210)
    Fix: Centralize evidence and link it to controls in a system like Daydream. (31 CFR § 1023.210)

Enforcement context and risk implications

No public enforcement case sources were provided in the source catalog for this page, so this section stays focused on exam risk.

Operationally, AML program failures create three predictable exposures:

  • Regulatory findings for inadequate design or implementation if your written program is not approved, not followed, or not supported by evidence. (31 CFR § 1023.210)
  • Reporting breakdowns if escalation and decisioning are inconsistent or undocumented for suspicious activity and required filings. (31 CFR § 1023.210)
  • Third-party dependency risk if you rely on clearing or outsourced functions but cannot demonstrate end-to-end control and oversight. (31 CFR § 1023.210)

Practical execution plan (30/60/90-day)

Because the goal is to operationalize quickly, this plan is organized by phases with clear deliverables.

First 30 days (stabilize and evidence)

  • Confirm the legal entity scope (broker-dealer) and inventory AML-touching workflows: onboarding, monitoring, escalation, reporting readiness. (31 CFR § 1023.210)
  • Appoint or reconfirm the AML Compliance Officer in writing; publish escalation paths. (31 CFR § 1023.210)
  • Collect and centralize current artifacts: program document, approvals, training records, testing reports, case logs. (31 CFR § 1023.210)
  • Identify the top evidence gaps (commonly: missing approval record, thin case narratives, incomplete training logs). (31 CFR § 1023.210)

Days 31–60 (implement control spine)

  • Rewrite procedures so they mirror real workflows, including risk-rating, approvals, exceptions, and escalations. (31 CFR § 1023.210)
  • Put documentation standards in writing: what must be captured in onboarding files and in case dispositions. (31 CFR § 1023.210)
  • Launch role-based training and start completion tracking. (31 CFR § 1023.210)
  • Build a remediation tracker for any known gaps and assign owners and due dates.

Days 61–90 (prove effectiveness)

  • Execute independent testing with real sample selection across onboarding and investigations; document findings and management responses. (31 CFR § 1023.210)
  • Close high-risk findings with evidence and retest targeted fixes. (31 CFR § 1023.210)
  • Move evidence capture into “business as usual” using a structured repository or Daydream control/evidence mapping so you can answer exam requests reliably. (31 CFR § 1023.210)

Frequently Asked Questions

Does the AML program have to be approved by senior management, or is CCO approval enough?

The rule excerpt specifies approval by senior management for the written AML program. Keep a clear approval record tied to the effective version of the program. (31 CFR § 1023.210)

What are the “four pillars” I must cover in the written program?

The program must include internal policies/procedures/controls, a designated AML Compliance Officer, ongoing employee training, and independent testing. Treat each pillar as a set of owned workflows plus evidence. (31 CFR § 1023.210)

What does “reasonably designed” mean for implementation?

It means your controls align to your actual risks and operating model, and you can show consistent execution through records. Examiners will compare what you say you do to what your files and case logs show. (31 CFR § 1023.210)

Can independent testing be done by internal staff?

Independent testing must be performed by a person or function that is independent of the AML function being tested. Document independence, scope, sampling approach, findings, and remediation follow-through. (31 CFR § 1023.210)

What evidence should I expect to produce first in an exam?

Common first asks are the current AML program with senior management approval, AMLCO designation, training completion records, and the most recent independent testing report with remediation status. (31 CFR § 1023.210)

How do I manage AML responsibilities when third parties perform key functions (e.g., clearing or outsourced operations)?

Document responsibilities and handoffs, then verify performance through oversight and evidence collection. Your AML program should show end-to-end control, not a gap where a third party sits. (31 CFR § 1023.210)
