Five Pillars of a BSA/AML Compliance Program

Every US financial institution—banks, credit unions, money services businesses, and many fintechs—must maintain a written BSA/AML compliance program that satisfies the Bank Secrecy Act (31 U.S.C. 5311 et seq.) and its implementing regulations at 31 CFR Chapter X. The Financial Crimes Enforcement Network (FinCEN) enforces these rules, and prudential regulators such as the OCC, FDIC, Federal Reserve, and NCUA examine institutions against the FFIEC BSA/AML Examination Manual. This article explains the framework in general terms; it is not legal advice.
What the AML Program Requirements Cover
The core AML program requirements derive from 31 U.S.C. 5318(h) and the USA PATRIOT Act of 2001. The framework originally had four components and expanded to a fifth in 2018 when FinCEN's Customer Due Diligence (CDD) Rule took effect. Together these are commonly called the five pillars of AML compliance. A program must be written, board-approved where applicable, and reasonably designed for the institution's risk profile. There is no one-size-fits-all template: a de novo neobank and a regional lender face different exposure and should calibrate controls accordingly.
The Five Pillars AML Framework
- Pillar 1 — Internal controls and written policies. Documented procedures for customer identification, transaction monitoring, recordkeeping, and OFAC sanctions screening. Controls should map to a formal risk assessment covering products, customers, geographies, and delivery channels.
- Pillar 2 — Designated BSA/AML compliance officer. A named individual with sufficient authority, independence, and resources to run the program and report to senior management or the board.
- Pillar 3 — Ongoing training. Role-based training for staff who touch onboarding, monitoring, and reporting, refreshed as regulations and typologies change.
- Pillar 4 — Independent testing. Periodic audits by qualified internal or external parties who did not build the controls they review. Scope and frequency scale with risk.
- Pillar 5 — Customer due diligence. The CDD Rule (31 CFR 1010.230) requires identifying and verifying beneficial owners of legal entity customers, understanding the nature and purpose of relationships, and conducting ongoing monitoring to update customer profiles and flag anomalies.
Building a KYC Program in the USA
A KYC program that US operators can defend starts with a Customer Identification Program (CIP) under 31 CFR 1020.220, then layers CDD and enhanced due diligence for higher-risk relationships. Practical execution matters: collecting name, date of birth, address, and a government identification number is only the first step; verification, sanctions and PEP screening, and risk scoring follow. Chat-based onboarding on channels customers already use—Telegram and WhatsApp—can shorten time-to-verify while keeping data collection scoped to what the rule actually requires. Applying data minimization here reduces breach exposure and simplifies audit scope, and configurable retention periods help align storage with your jurisdiction's records rules.
Suspicious Activity Report and SAR Filing Obligations
Detection is only useful if it triggers reporting. Under 31 CFR 1020.320 (and parallel sections for other institution types), a covered institution must file a suspicious activity report when it identifies a transaction of $5,000 or more that it knows, suspects, or has reason to suspect involves illicit funds, is designed to evade the BSA, or has no apparent lawful purpose. The general deadline for SAR filing is 30 calendar days from initial detection, extendable to 60 days if no suspect is identified. SARs are filed through the FinCEN BSA E-Filing System, and confidentiality rules prohibit disclosing that a SAR was filed. Separately, Currency Transaction Reports (CTRs) apply to cash transactions exceeding $10,000 in a business day.
Meeting FinCEN Requirements Over Time
Satisfying FinCEN requirements is not a one-time project. The Anti-Money Laundering Act of 2020 signaled a shift toward risk-based, outcomes-focused examination and introduced beneficial ownership reporting under the Corporate Transparency Act, administered through FinCEN. Institutions should refresh their risk assessment as products and customer bases change, retain records for the periods specified by regulation (generally five years), and keep independent testing findings and remediation documented. A program that maps controls to each of the five pillars, evidences ongoing monitoring, and demonstrates timely SAR filing gives examiners the audit trail they expect—and gives your team a defensible foundation as the rules evolve.
General information, not legal advice. Talk to your compliance counsel for guidance on your specific obligations.