A BSA/AML program rests on five pillars: a system of internal controls, a designated BSA officer, training, independent testing, and customer due diligence with beneficial-ownership identification. Four of them have defined the program for decades. The fifth, CDD, was formalized by FinCEN's 2018 rule. An examiner grades each pillar on whether it genuinely exists and operates in practice. A policy saying it should is not enough.
Ask three compliance officers to define a good program and you will get three answers. Ask an examiner and you get one framework: the pillars. They are the shared vocabulary for what a BSA/AML program must contain, and an exam, a sponsor-bank review, and a gap analysis all organize themselves around them. Know them cold and the rest of the program has something to sit on.
This guide walks each pillar in plain language: what it requires, what good looks like, and how an examiner grades it.
What the pillars are, and why five
For most of the BSA's history the program rested on four pillars. FinCEN's Customer Due Diligence rule, effective in 2018, added a fifth by formalizing risk-based CDD and the requirement to identify the beneficial owners of legal-entity customers. Today most practitioners describe the program as five pillars.
| Pillar | In one line |
|---|---|
| 1. Internal controls | Written policies, procedures, and processes that run the program. |
| 2. Designated BSA officer | A named, accountable person who owns the program day to day. |
| 3. Training | Role-specific education for the people who operate the controls. |
| 4. Independent testing | Periodic review by someone independent of the program. |
| 5. Customer due diligence | Risk-based CDD plus beneficial-ownership identification; added by the 2018 rule. |
Pillar 1: Internal controls
Internal controls are the written policies, procedures, and processes that make the program run: how you assess risk, how you onboard customers, how you monitor activity, how you escalate, and how you file. Good controls are specific to your institution and your products, with named owners and real thresholds. An examiner reads them to judge one thing: whether the program was designed for your actual risk or lifted from a template.
Pillar 2: Designated BSA officer
The program needs a named individual accountable for its day-to-day operation, with the authority and resources to do the job. This is a person, not a shared inbox. The board and senior management remain ultimately responsible, but the BSA officer is the one an examiner expects to know the program cold and answer for it.
Pillar 3: Training
Training has to reach the people who actually operate the controls, in language that fits their role. Onboarding staff, support, operations, and leadership each need training scoped to what they do. Examiners look for evidence: who was trained, on what, and when. Generic annual training that nobody can recall is a finding waiting to happen.
Pillar 4: Independent testing
The program must be reviewed periodically by a party independent of the people who run it, scoped to the institution's risk. For many institutions this is the FFIEC Pillar-3 independent test: control walkthroughs, sample testing, a findings register, and an opinion. The word that carries weight is independent. Open findings from the last test are the first thing an examiner reads. (See the exam-prep guide.)
Pillar 5: Customer due diligence and beneficial ownership
The fifth pillar requires risk-based customer due diligence: identifying and verifying customers, understanding the nature and purpose of the relationship, and conducting ongoing monitoring to maintain and update customer information. For legal-entity customers it adds beneficial-ownership identification, the requirement to know the natural persons behind a company. CDD is where a program turns "who is this customer" into a risk rating that drives everything downstream.
How examiners grade the pillars
Across all five, an examiner asks the same question: does this exist and operate, or does it only exist on paper? A pillar passes when the institution can show it works, with evidence, against the institution's real risk. A handful of failure patterns show up again and again:
- Paper-only controls that describe a program nobody follows.
- A BSA officer without the authority or resources to act.
- Training with no record of who completed it.
- Independent testing that is not actually independent, or whose findings were never closed.
- CDD that collects information but never risk-rates or refreshes it.
The pillars are simple to list and hard to run well. Treat them as the standing structure of the program and keep each one genuine and evidenced. Then an exam is a review of work you already did, not a scramble to assemble it the week before.
What is coming: the proposed program rule
FinCEN has proposed a rule, RIN 1506-AB72, that would change how these components are judged. It would add an explicit effective, risk-based, and reasonably designed standard and make a documented risk assessment a named program component tied to FinCEN's national priorities. It is a proposal, not yet law, with the comment period closed as of June 2026. The proposed AML/CFT program rule guide walks what it would change and what to do now.