The 5 Pillars of an AML Compliance Program: Complete 2026 Guide
- The five pillars of AML — compliance officer designation, risk assessments, AML policies, ongoing monitoring, and Customer Due Diligence — form the BSA-mandated foundation for every financial institution's compliance program.
- FinCEN's April 2026 proposed rule reshapes AML program expectations, raising the enforcement threshold to "significant or systemic" implementation failures and codifying risk assessment as a formal legal obligation.
- Individual liability is now a real risk — BSA/AML Compliance Officers have faced personal fines (MoneyGram's former CCO was pursued for $1M), and 2024–2026 enforcement increasingly holds senior executives accountable.
- Platforms like Signzy strengthen every AML pillar — from automated customer due diligence and biometric identity verification to real-time sanctions screening, transaction monitoring, and audit-ready reporting — helping compliance teams build programs that withstand regulator scrutiny.
In 2024, TD Bank paid a $3.09 billion settlement — one of the largest AML enforcement actions in US banking history — after regulators found systematic failures across multiple components of its AML compliance program. It was not a single breakdown. It was the cumulative collapse of policies, internal controls, transaction monitoring, and customer due diligence — the core pillars of a well-designed AML program.
This is why the five pillars of AML compliance, codified under the Bank Secrecy Act (BSA) and enforced by FinCEN, are not just regulatory boxes to tick. They are the load-bearing architecture of every effective financial crime program. When one pillar weakens, the entire framework becomes vulnerable — and regulators have demonstrated they will impose billion-dollar consequences when that happens.
In 2026, the landscape around these pillars is shifting faster than ever. FinCEN issued a landmark proposed rule on April 7, 2026 that fundamentally reforms how AML programs are evaluated — moving from "check-the-box" compliance toward effectiveness-based assessment. The EU's AMLR takes full effect on July 10, 2027. And industry discussion has intensified around whether risk assessment should become a formally recognized sixth pillar.
This guide explains each of the five pillars in depth, covers the latest 2026 regulatory updates, and outlines how compliance teams can strengthen every component of their AML framework.
What are the 5 pillars of AML and why do they matter?
The five pillars framework originated under the Bank Secrecy Act of 1970 and has evolved with each major regulatory update. The original framework established four pillars focused on internal controls, independent testing, a designated compliance officer, and ongoing training. In May 2018, FinCEN's Customer Due Diligence (CDD) Rule formally added the fifth pillar, addressing a critical gap in beneficial ownership transparency and risk-based customer verification.
Together, these pillars define the minimum architecture of a BSA-compliant AML program. They are not independent checkboxes — they are interconnected controls that reinforce one another. A strong risk assessment (Pillar 2) informs the policies you write (Pillar 3), which your compliance officer (Pillar 1) enforces through monitoring (Pillar 4) and customer due diligence (Pillar 5).
The 5 Pillars at a Glance
| Pillar | Purpose | Core Activity | Regulatory Basis |
|---|---|---|---|
| 1. Compliance Officer | Establish accountable leadership for the AML program | Designate a qualified BSA/AML Officer with authority and independence | BSA Section 5318(h); 31 CFR 1020.210 |
| 2. Risk Assessments | Identify, measure, and document financial crime exposure | Continuous risk assessment across customers, products, geographies, and channels | BSA; FFIEC guidance; FinCEN 2026 proposed rule (codifies as formal obligation) |
| 3. AML Policies | Translate legal requirements into operational rules | Written policies, procedures, internal controls, and role-based training | BSA; 31 CFR 1020.210 |
| 4. Monitoring & Testing | Detect suspicious activity and validate program effectiveness | Transaction monitoring, independent testing, corrective action workflows | BSA; FFIEC BSA/AML Examination Manual |
| 5. Customer Due Diligence | Know who customers are and their beneficial owners | Identity verification, beneficial ownership identification, ongoing monitoring | FinCEN CDD Rule (May 2018) |
Is there a sixth pillar emerging?
Yes — and it is one of the most discussed developments in 2026. FinCEN's April 7, 2026 proposed rule would formally codify risk assessment as a mandatory, standalone legal obligation rather than an expected practice embedded within internal controls. While it is already practically treated as foundational by regulators, elevating it to formal pillar status would require institutions to align their risk profiles with FinCEN's National AML/CFT Priorities and update them whenever the institution's risk profile materially changes.
Comments on the proposed rule are due by June 9, 2026. If finalized, the framework may evolve from five pillars to six — making this a critical moment for compliance teams to audit their risk assessment practices.
#1. Appoint a compliance officer
The first pillar is also the most personally consequential — designating a qualified individual, typically titled the BSA/AML Compliance Officer or Money Laundering Reporting Officer (MLRO), who holds day-to-day responsibility for the AML program.
This is not a ceremonial role. Regulators expect the officer to have real authority, adequate resources, and direct access to senior management and the board. Under FinCEN's April 2026 proposed rule, the compliance officer must be US-based — closing a practical loophole where multinational institutions occasionally placed AML oversight offshore.
What should a BSA/AML Compliance Officer do?
An effective compliance officer's responsibilities extend well beyond document review. Core functions include:
- Designing and maintaining the AML program in line with regulatory requirements
- Overseeing the risk assessment process and ensuring findings drive control decisions
- Approving and filing Suspicious Activity Reports (SARs) with FinCEN
- Serving as the primary point of contact with FinCEN, federal banking regulators, and law enforcement
- Reporting regularly to the board or senior management on program performance
- Coordinating employee training and ensuring ongoing professional development
- Triggering updates to policies and controls in response to regulatory changes
For a deeper look at which institutions are legally required to have an AML program and compliance officer, Signzy's guide on who is required to have an AML program covers the regulatory triggers.
Common failures and personal liability risks
Compliance officer failures are among the most frequently cited root causes in 2024–2026 AML enforcement actions. Typical deficiencies include:
- Insufficient authority — officers unable to unilaterally file SARs or halt high-risk business
- Inadequate resources — staffing disproportionate to risk profile, or budget cuts during risk-growth periods
- Reporting through business lines — compliance reporting to revenue-generating function heads rather than the board
- Compensation conflicts — a 2024 enforcement action noted a compensation system that disincentivized compliance cost investment
- Inexperience — designating officers without sufficient AML or industry expertise
The risk is not only institutional. In one of the most widely cited personal liability cases, FinCEN pursued MoneyGram's former Chief Compliance Officer for $1 million in personal fines (eventually settled for $250,000) for failing to terminate high-risk agent outlets and implement fraud policies. In 2025, a compliance officer was separately charged with willful BSA violations tied to fraud concealment. The message from regulators is clear: compliance officers can — and do — face personal accountability.
#2. Complete risk assessments
Risk assessments are the operational brain of an AML program. They determine where the institution is most vulnerable, what controls need the most attention, and how resources should be allocated. Without a current, data-driven risk assessment, every other pillar operates on assumption rather than evidence.
Robust internal controls, well-defined protocols, and clearly documented procedures are what make an AML compliance program resilient. Measures such as verifying customer identity and reporting unusual transactions to the relevant authority must be in place, and a risk-based approach must be followed: the strength of each mitigation measure depends on the level of risk it addresses.
Risk assessments therefore cannot be static. Controls should be reviewed and updated regularly so that changes in business operations, the regulatory landscape, and the institution's exposure are taken into account.
What does a robust risk assessment include?
FFIEC guidance and industry practice converge on a standard set of risk dimensions that every AML risk assessment should evaluate:
- Customer risk — customer types, PEP exposure, geographic distribution, industry concentrations, and onboarding channels
- Product and service risk — products with higher inherent laundering risk (e.g., wire transfers, prepaid cards, correspondent banking, private banking, crypto services)
- Geographic risk — exposure to FATF grey-list or black-list jurisdictions (Iran, North Korea, Myanmar plus 20+ grey-listed countries as of February 2026)
- Channel risk — remote onboarding, third-party introducers, agent networks, digital-only relationships
- Transaction risk — volume, velocity, size anomalies, cross-border activity, cash intensity
Signzy's guide on the levels of due diligence covers how risk assessment findings translate into tiered CDD and EDD workflows.
FinCEN's 2026 proposal — is risk assessment becoming a separate pillar?
Under FinCEN's April 7, 2026 proposed rule, risk assessment becomes a formal, codified legal obligation — not merely an expected practice embedded within internal controls. The proposed framework would require institutions to:
- Document a structured risk assessment aligned with FinCEN's National AML/CFT Priorities
- Update the risk assessment whenever the institution's risk profile materially changes
- Use the risk assessment to drive program design rather than treating it as an after-the-fact justification
- Retain risk assessment documentation sufficient for regulator review
This shift reflects a broader regulatory move from compliance as a documented process to compliance as a measurable outcome. Institutions that currently treat risk assessment as an annual exercise will need to adapt to continuous, evidence-driven assessment models.
#3. Prepare anti-money laundering policies
AML policies are where regulatory requirements become operational reality. They define how employees should behave, what thresholds trigger escalation, and how the institution will respond to specific risk events. A program with strong pillars 1, 2, 4, and 5 will still fail if the policies are poorly written, inconsistently applied, or out of date.
A dedicated compliance team is essential, because policies are only as effective as the people who implement them. Training should cover the tools and technologies used for fraud detection and the procedures for reporting suspected fraud; identifying suspicious activity, reporting responsibilities, and the consequences of non-compliance should all form part of the training program. Employees who are trained to stay vigilant identify and report suspected activity promptly.
What should AML policies cover?
A comprehensive AML policy framework typically includes:
- Governance and oversight — roles and responsibilities, escalation paths, board reporting cadence
- Customer onboarding policy — KYC/CDD requirements by customer type and risk tier
- Transaction monitoring policy — scenarios, thresholds, alert handling, disposition workflows
- Sanctions and PEP screening policy — list sources, match thresholds, escalation procedures
- SAR filing policy — triggers, timelines (typically 30 days), confidentiality requirements, quality standards
- Record-keeping policy — retention periods, data integrity, audit trail requirements
- Training policy — frequency, role-based content, competency verification
- Policy maintenance — review cadence, change management, regulatory monitoring
For practitioners, Signzy's KYC-AML check best practices offers implementation guidance that complements policy design.
Role-based vs generic training programs
One of the most common policy-related compliance gaps is treating training as a one-size-fits-all annual exercise. Regulators expect training programs to be:
- Role-specific — a frontline onboarding agent needs different training than a transaction monitoring analyst or a senior compliance officer
- Ongoing — regular reinforcement, not a single yearly session
- Updated — reflecting regulatory changes, new typologies, and lessons from internal investigations
- Measured — competency assessments to verify learning, not just attendance
Generic training that doesn't reflect the specific financial crime risks an employee will actually encounter is one of the easiest deficiencies for regulators to identify — and one of the most consistently cited in enforcement actions.
#4. Monitor and maintain your AML program
An AML program is a living system. Regulations change, threats evolve, business models expand, and what was adequate last year may be dangerously outdated today. Pillar 4 is about ensuring your program continues to work — not just when it was designed, but every day it operates.
Routine testing and regular audits validate that the program performs as designed. External review confirms the adequacy of internal controls, the effectiveness of AML policies and procedures, and compliance with applicable laws and regulations. Any gaps or flaws identified during review require prompt corrective action.
What does independent testing require?
The "independent" in independent testing is not cosmetic. Regulators expect the testing function to be truly separate from the management responsible for running the program — either through an internal audit function that reports to the board, or through qualified external auditors.
An independent AML audit typically evaluates:
- Program adequacy — does the program address all BSA/AML requirements applicable to the institution?
- Policy implementation — are written policies consistently applied in practice?
- Transaction monitoring effectiveness — are alerts generating real insights, or producing noise?
- SAR quality and timeliness — are SARs filed within required windows, with sufficient detail?
- Training effectiveness — are employees genuinely competent, not just "trained"?
- Corrective action tracking — were prior findings addressed? Are open items resolved?
Signzy's Governance, Risk and Compliance (GRC) Suite provides the audit-ready dashboards and workflows that make independent testing more efficient and less disruptive to operations.
How often should you test your AML program?
The answer depends on risk profile, institution size, and regulatory expectations. General industry practice:
- Annual testing minimum for most regulated institutions
- Semi-annual or more frequent testing for high-risk business lines (correspondent banking, crypto, international remittance)
- Event-triggered testing following major events (new product launches, M&A activity, significant regulatory changes, enforcement actions at peer institutions)
- Continuous monitoring of key metrics — even between formal audits, dashboards should flag anomalies in SAR volumes, alert rates, and backlog trends
It's also worth noting that modern transaction monitoring systems generate alert volumes of which 90%+ are false positives, overwhelming compliance teams. One of the most valuable monitoring investments in 2026 is false-positive reduction — through machine learning, contextual risk scoring, and dynamic thresholds.
#5. Implement Customer Due Diligence
The Customer Due Diligence (CDD) Rule was introduced in May 2018 by the Financial Crimes Enforcement Network (FinCEN) and is today one of the five fundamental pillars of an AML compliance program.
What does the CDD rule require? Organisations must verify their customers' identities and closely observe their affairs and dealings so that questionable transactions can be spotted and reported. CDD consists of four core elements:
- Confirming the identity of customers and determining their degree of risk
- Identifying the ultimate beneficiaries of legal entities
- Understanding the nature and purpose of each customer relationship in order to build a customer risk profile
- Monitoring transactions to flag any unusual behaviours or trends
The CDD rule is risk-based: organisations must evaluate both clients and transaction requests according to their level of risk, and due diligence procedures must be tailored to the risk associated with each customer and transaction. Enhanced due diligence (EDD) measures must be applied wherever necessary, for example to transactions made by clients who pose a greater risk.
Beneficial ownership requirements
The CDD Rule specifically requires covered financial institutions to identify and verify, for legal entity customers:
- Each individual who owns 25% or more of the equity interests of the legal entity
- At least one individual with significant responsibility to control, manage, or direct the legal entity (such as a CEO, CFO, COO, or managing member)
This requirement exists because shell companies have historically been one of the most effective tools for disguising illicit financial flows. By requiring institutions to identify the natural person behind the corporate veil, the CDD rule closed a major AML gap.
FinCEN's April 2026 proposed rule provides relief from certain burdensome account-by-account verification models — responding to industry feedback that some previous requirements created operational burden without improving AML effectiveness.
CDD vs EDD: Risk-based tiering
Not every customer requires the same level of scrutiny. Under a risk-based approach, customers fall into tiers:
- Standard CDD — applied to most low-to-medium risk customers. Includes identity verification, beneficial ownership identification (for legal entities), and ongoing transaction monitoring.
- Enhanced Due Diligence (EDD) — applied to higher-risk customers. Includes source-of-funds verification, source-of-wealth checks for high-net-worth individuals, senior management approval before onboarding, and more frequent profile reviews.
High-risk triggers include: Politically Exposed Persons (PEPs), customers from high-risk jurisdictions (including FATF grey-listed countries), complex corporate ownership structures, and correspondent banking relationships.
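The beneficial ownership section above and the CDD/EDD tiering just described can be combined into a single worked check. The following example is added here and is not Signzy's code or any part of the page's own tooling. It models a customer's ownership graph, aggregates each natural person's direct and indirect equity (indirect interests are multiplied through intermediate entities, a common modelling approach the page does not itself describe), applies the 25% ownership prong and the control prong from the CDD Rule, and then applies the page's high-risk triggers to decide between standard CDD and EDD. The jurisdiction set encodes only the three FATF black-list countries the page names (the grey list is omitted), the rule that more than one intermediate entity layer counts as a "complex ownership structure" is an assumed policy value, and all parties and percentages are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ownership-prong threshold from the CDD Rule, as stated on the page.
OWNERSHIP_THRESHOLD = 0.25
# ISO codes for the FATF black-list jurisdictions the page names (Feb 2026); grey list omitted here.
HIGH_RISK_JURISDICTIONS = {"IR", "KP", "MM"}
# Assumed policy value (not from the page): more than one intermediate entity layer is "complex".
MAX_SIMPLE_LAYERS = 1


@dataclass
class Party:
    """A customer, intermediate entity, or natural person in a constructed ownership graph."""
    name: str
    is_entity: bool
    jurisdiction: str = ""
    owners: Dict[str, float] = field(default_factory=dict)  # owner name -> fraction of equity held
    controller: Optional[str] = None  # control prong: CEO, CFO, COO, managing member, etc.
    is_pep: bool = False


def effective_ownership(parties: Dict[str, Party], entity: str,
                        _path: Tuple[str, ...] = ()) -> Dict[str, float]:
    """Aggregate each natural person's direct and indirect equity fraction in `entity`.
    Indirect interests are multiplied through each intermediate entity; cycles are skipped."""
    totals: Dict[str, float] = {}
    for owner, fraction in parties[entity].owners.items():
        if owner == entity or owner in _path:
            continue  # circular ownership guard
        if parties[owner].is_entity:
            for person, sub in effective_ownership(parties, owner, _path + (entity,)).items():
                totals[person] = totals.get(person, 0.0) + fraction * sub
        else:
            totals[owner] = totals.get(owner, 0.0) + fraction
    return {p: round(v, 6) for p, v in totals.items()}


def beneficial_owners(parties: Dict[str, Party], entity: str
                      ) -> Tuple[List[Tuple[str, float]], Optional[str]]:
    """Return (ownership-prong individuals at/above the threshold, control-prong individual)."""
    eff = effective_ownership(parties, entity)
    ownership = sorted(((p, f) for p, f in eff.items() if f >= OWNERSHIP_THRESHOLD),
                       key=lambda x: -x[1])
    return ownership, parties[entity].controller


def intermediate_layers(parties: Dict[str, Party], entity: str,
                        _path: Tuple[str, ...] = ()) -> int:
    """Depth of entity-on-entity ownership beneath `entity` (0 = owned only by natural persons)."""
    depths = [1 + intermediate_layers(parties, o, _path + (entity,))
              for o in parties[entity].owners
              if parties[o].is_entity and o != entity and o not in _path]
    return max(depths, default=0)


def cdd_tier(parties: Dict[str, Party], customer: str,
             correspondent_banking: bool = False) -> Tuple[str, List[str]]:
    """Apply the page's high-risk triggers; any hit moves the customer from standard CDD to EDD."""
    party = parties[customer]
    owners, controller = beneficial_owners(parties, customer)
    reasons: List[str] = []
    if party.jurisdiction in HIGH_RISK_JURISDICTIONS:
        reasons.append(f"high-risk jurisdiction {party.jurisdiction}")
    candidates = [customer] + [p for p, _ in owners] + ([controller] if controller else [])
    peps = sorted({p for p in candidates if parties[p].is_pep})
    if peps:
        reasons.append("PEP among customer/beneficial owners/controller: " + ", ".join(peps))
    layers = intermediate_layers(parties, customer)
    if layers > MAX_SIMPLE_LAYERS:
        reasons.append(f"complex ownership structure ({layers} intermediate entity layers)")
    if correspondent_banking:
        reasons.append("correspondent banking relationship")
    return ("EDD" if reasons else "CDD"), reasons


# Constructed sample graph: Acme is owned 60% by Midco (itself partly owned by Topco) and 40% by Alice.
SAMPLE: Dict[str, Party] = {p.name: p for p in [
    Party("Acme Holdings LLC", True, "US", {"Midco Ltd": 0.60, "Alice": 0.40}, controller="Erin"),
    Party("Midco Ltd", True, "GB", {"Topco SA": 0.50, "Bob": 0.30, "Carol": 0.20}),
    Party("Topco SA", True, "CH", {"Dan": 1.0}),
    Party("Beta LLC", True, "US", {"Frank": 0.70, "Grace": 0.30}, controller="Grace"),
    Party("Alice", False), Party("Bob", False), Party("Carol", False), Party("Dan", False),
    Party("Erin", False), Party("Frank", False), Party("Grace", False),
]}

if __name__ == "__main__":
    for customer in ("Acme Holdings LLC", "Beta LLC"):
        print(customer, beneficial_owners(SAMPLE, customer), cdd_tier(SAMPLE, customer))
```

Dan never appears on Acme's cap table, yet he is a beneficial owner (60% of 50% = 30%), which is exactly the kind of layered structure the page flags as a high-risk trigger; Bob, at 18% effective, falls below the ownership prong and is captured only if he holds the control role.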
For a deeper understanding of how KYC and AML interrelate in practice, Signzy's AML vs KYC guide explains the framework relationship, and the end-to-end KYC process guide covers implementation detail.
What common compliance gaps break AML programs?
Enforcement actions from 2024–2026 reveal consistent patterns. The institutions facing the largest penalties did not fail on exotic edge cases — they failed on fundamentals. Understanding these common gaps helps compliance teams prioritize their improvement efforts.
Common Compliance Gaps by Pillar
| Pillar | Common Gap | Real-World Impact | Solution Approach |
|---|---|---|---|
| 1. Compliance Officer | Insufficient authority or resources; officer reporting to revenue lines | TD Bank 2024: officer effectiveness cited as contributing factor | Direct board reporting; independent budget; personal liability insurance; US-based per 2026 proposal |
| 2. Risk Assessments | Static annual exercise; no link to control decisions; missed new risk categories | Regulators criticize "check-the-box" exercises that don't drive action | Continuous assessment; data-driven methodology; alignment with FinCEN National Priorities |
| 3. AML Policies | Policies on paper but inconsistent in practice; one-size-fits-all training | 2024 enforcement actions cited policy-practice divergence | Role-based training with competency verification; regular policy review cycle |
| 4. Monitoring & Testing | 90%+ false positive rates; internal audit lacking independence; corrective actions not closed | Backlog of unreviewed alerts; missed true suspicious activity | ML-based alert tuning; truly independent audit function; corrective action tracking |
| 5. Customer Due Diligence | Incomplete beneficial ownership; uniform CDD without risk-based tiering | TD Bank 2024: CDD failures contributing factor to $3.09B penalty | Automated CDD with risk-based tiering; beneficial ownership verification APIs; ongoing monitoring |
A pattern emerges across enforcement: the largest penalties arise when multiple pillars fail simultaneously. A weak compliance officer allows poor policies; poor policies produce inadequate monitoring; inadequate monitoring misses CDD failures that then compound into SAR filing failures. The pillars are interconnected — and so are their failures.
How is AML compliance evolving in 2026?
Three major developments are reshaping AML expectations this year — and compliance teams need to understand each one.
FinCEN's April 2026 Proposed Rule: From "Check-the-Box" to Effectiveness
The most significant regulatory development of 2026 is FinCEN's proposed rule issued on April 7, 2026. The rule fundamentally changes how AML programs are evaluated:
- Effectiveness-based evaluation — moving away from mechanical adherence to process and documentation, toward assessing how well the program captures and proactively reports what law enforcement needs
- Two-pronged framework — separate evaluation of program "establishment" versus "implementation," with reduced scrutiny for non-material or de minimis implementation deficiencies
- Enforcement threshold — banks would only face enforcement or significant supervisory action for implementation failures that are "significant or systemic"
- Codified risk assessment — risk assessment becomes a mandatory legal obligation aligned with FinCEN's National AML/CFT Priorities
- Standardized four-pillar framework — internal policies/procedures/controls (incorporating risk assessment and CDD), independent testing, US-based compliance officer, and ongoing training
Comments are due by June 9, 2026. Finalized rules are expected to take effect through late 2026 into 2027.
The EU's AMLR 2027 Deadline
On the European side, the EU AML Regulation (AMLR) applies from July 10, 2027, creating a single EU rulebook that supersedes national interpretations. Key implications for multinational institutions:
- Harmonized CDD rules across all 27 member states
- Centralized beneficial ownership registers with expanded access
- Risk-variable CDD with technical standards issued by AMLA throughout 2026
- EU Digital Identity Wallet integration for onboarding
Institutions with European operations need to be actively preparing, not waiting. For institutions operating in India, Signzy's guide on FIU-IND 2026 AML/CFT compliance for VDA Service Providers covers the parallel Indian regulatory evolution.
AI and Perpetual Monitoring
The third major shift is technological. AI-driven compliance systems are projected to save regulated firms $183 billion annually through false-positive reduction, dynamic risk scoring, and event-driven KYC refresh. Regulators are not only permitting AI adoption — increasingly, they expect it, particularly for institutions operating at scale.
How Signzy strengthens each AML program pillar
Building and maintaining an effective AML program across all five pillars is operationally complex — especially as 2026 regulations push toward effectiveness-based evaluation and perpetual monitoring. Signzy provides API-first infrastructure that strengthens each pillar of the framework.
Pillar 1: Compliance Officer Support
While the compliance officer role requires human judgment, Signzy's audit-ready reporting, dashboard views, and configurable alerting give officers the operational visibility and authority tools they need — with clear escalation paths, case management, and regulator-facing documentation.
Pillar 2: Risk Assessment Enablement
Signzy's risk scoring engine integrates hundreds of signals — customer profile, jurisdiction, transaction patterns, adverse media, device data — into continuously updated risk ratings. This supports the shift from static annual risk assessments to the continuous risk assessment model that FinCEN's 2026 proposed rule codifies.
Pillar 3: Policy Implementation via No-Code Workflows
Signzy's no-code platform lets compliance teams translate written policies directly into configured verification journeys, escalation paths, and approval workflows — without engineering resources. When policies change, workflows update in days, not quarters.
Pillar 4: Monitoring and Testing
AI/ML-powered transaction monitoring, real-time sanctions screening against OFAC/EU/UN/HMT lists, Mule Shield fraud detection analyzing 200+ risk signals, and audit-ready dashboards for independent testing. The AML screening capability covers continuous screening, adverse media monitoring, and PEP lists.
Pillar 5: Customer Due Diligence
One Touch KYC bundles document OCR, biometric face matching, active and passive liveness detection (anti-deepfake), AML screening, and consent capture into a single API call — verifying customers in 5–12 seconds. Beneficial ownership verification and corporate KYB round out the CDD workflow for legal entity customers.
Across all pillars, Signzy's KYC/AML screening platform enables compliance teams to build programs that meet both US BSA requirements and emerging global standards like EU AMLR and India's FIU-IND guidelines — through one unified infrastructure rather than stitched-together vendor tools.
Saurin Parikh
Saurin is a Sales & Growth Leader at Signzy with deep expertise in digital onboarding, KYC/KYB, crypto compliance, and RegTech. With over a decade of professional experience across sales, strategy, and operations, he’s known for driving global expansions, building strategic partnerships, and leading cross-functional teams to scale secure, AI-powered fintech infrastructure.