AML Program Charter Template

What is the AML Program Charter?

An AML Program Charter is the foundational governance document for a financial institution's anti-money laundering compliance program. It's not a policy manual. It's not a procedures guide. It's the document that states, on the record: here is what our AML program is, who owns it, what it covers, and how the board has authorized it to operate.

FinCEN's Bank Secrecy Act regulations (31 CFR § 1020.210 for banks, with parallel requirements for broker-dealers, money services businesses, and other covered persons) require a written, board-approved AML program. When OCC, Fed, or FDIC examiners arrive, the charter is often the first document they request. The FFIEC BSA/AML Examination Manual treats the written program as a program baseline; its absence is itself a finding.

FATF Recommendation 1 requires institutions to demonstrate that their AML controls are calibrated to their specific risk profile. The charter is where that demonstration starts. It states risk appetite, defines scope, and documents the accountability structure that keeps the program running consistently as the institution changes over time.

Two things go wrong without a charter. First, an examiner finding no formal program document is a BSA compliance failure, or at minimum a significant finding with remediation consequences. Second, without documented ownership and scope, programs drift. An MLRO leaves, a business unit launches a new product, and nobody updates the risk assessment or the transaction monitoring thresholds because nobody wrote down whose job that is.

This template aligns with FFIEC examination expectations, FATF Recommendation 1 requirements, and the governance anchor that customer due diligence and monitoring programs need to operate with clear ownership and defined scope.

Who needs the AML Program Charter?

The primary users are the BSA Officer or MLRO (whoever holds statutory accountability for AML compliance at the institution), their compliance analysts, and the Chief Compliance Officer who signs off on the final document. The board's risk or audit committee is the approval body. They don't fill it in, but they must ratify it, and that ratification needs to appear in board minutes.

Every licensed financial institution needs one: banks, credit unions, broker-dealers, money services businesses, fintech companies with banking licenses, payment processors, and virtual asset service providers operating under local AML frameworks. The document structure is consistent across institution types; the substance changes based on risk profile, product mix, and customer base.

The trigger moments are predictable. Exam preparation: the charter should be current and board-approved before day one of fieldwork, not updated in response to a draft report. Licensing: new institutions must demonstrate a written AML program as part of the approval process. Material business change: a new product line, a new customer segment, a merger, or expansion into a new geography each require a charter review and update. Periodic review: most institutions commit in the charter itself to an annual review cycle, and the BSA Officer owns that calendar.

The CCO managing false positive reduction across a mature monitoring program will use this charter to anchor what the monitoring program is supposed to accomplish and what the acceptable error rate is. The MLRO clearing a SAR filing backlog will use it to justify headcount and tooling in front of senior management.

What's inside the AML Program Charter

The template is a single Word document with eight core sections. Here's what each contains.

1. Program Identification

• Institution name, legal entity, and jurisdiction
• Effective date and version number
• Document owner (by role, not individual name, so the charter survives personnel changes)
• Approving authority (Board Risk Committee or equivalent)

2. Regulatory Framework

• Applicable statutes: Bank Secrecy Act for US institutions; POCA 2002 and the Money Laundering Regulations 2017 for UK firms; the relevant AMLD transposition for EU entities
• Applicable guidance: FFIEC BSA/AML Examination Manual, FATF Recommendation 10 on customer due diligence, FATF Recommendation 11 on record-keeping
• Regulatory bodies with examination authority over this program

3. Risk Appetite Statement

• A specific, brief statement of the institution's tolerance for AML risk (not a generic "we take AML seriously" placeholder)
• Scope of covered products, services, channels, and geographies
• High-risk categories the institution has identified and either accepted with controls or explicitly excluded from scope

4. Program Governance

• Reporting line for the BSA Officer or MLRO: to whom, with what frequency, in what format
• Board and senior management oversight commitments
• Escalation path for material issues, including the threshold that triggers board notification

5. Roles and Responsibilities

• First-line business units: what they own in the customer lifecycle
• Second-line compliance: what the AML function owns directly
• Third-line audit: independence requirement and testing frequency
• Specific responsibilities for sanctions screening, PEP screening, customer due diligence, and SAR filing

6. Program Components

• Customer identification and CDD procedures (by reference to the standalone CDD policy)
• Enhanced due diligence triggers and escalation path
• Ongoing transaction monitoring approach and the systems supporting it
• Record-keeping standards and retention periods
• Staff training requirements and frequency
• Independent testing and internal audit cycle

7. Resource Commitments

• Headcount, technology, and budget commitments formally approved by management

8. Approval and Version History

• Board or senior management sign-off block with date
• Version history table: date, version number, summary of changes, approver name and role

How to use the AML Program Charter

Step 1: Establish your regulatory baseline. Before filling in a single field, confirm which statutes and guidance documents govern your program. A US bank under OCC supervision works from the FFIEC BSA/AML Examination Manual. A UK firm works from the Money Laundering Regulations 2017 and FCA guidance. An EU institution references the applicable AMLD transposition. The regulatory framework section names these explicitly; you need to know them before you can complete it accurately.

Step 2: Pull your most recent institution-wide risk assessment. The charter's risk appetite statement and scope section should directly reflect that assessment's findings. If you don't have a current risk assessment, that document comes first. A charter with a risk appetite statement that doesn't match the actual risk profile is worse than no charter, because it tells examiners you don't understand your own program.

Step 3: Complete the institution profile and governance sections. These are the easiest fields and the ones examiners check first. Get the legal entity name right. Document the BSA Officer's actual reporting line. If the charter says the MLRO reports to the General Counsel but she reports to the CFO, that's a finding.

Step 4: Draft the roles and responsibilities section with first-line input. Business unit heads need to acknowledge their ownership of AML controls in their processes, from onboarding through enhanced due diligence for high-risk customers to ongoing monitoring. Don't write this section alone in compliance. If the first line hasn't acknowledged their responsibilities in writing, you'll have a control gap that surfaces in the next exam.

Step 5: Map each program component to a referenced policy or procedure. The charter doesn't contain the full procedure; it points to where the procedure lives. This cross-reference table turns the charter into a navigation document for the broader program.

Step 6: Route for approval in the correct order. Compliance team review first, then legal, then senior management, then board (or board committee). Each approver signs and dates. This audit trail matters when an examiner asks who knew about the program and when.

Step 7: File, distribute, and schedule the next review. Store the signed document in a location examiners can access on request. Distribute to the head of each first-line function. For teams focused on staying continuously exam-ready, this charter is the first document in the examination binder. Set the calendar reminder for the annual review, or immediately if a material change event occurs first.

Common mistakes to avoid

1. Generic language that could describe any institution. A charter that says "we will monitor transactions for suspicious activity" tells an examiner nothing. What thresholds? What systems? What escalation path? What's the SAR decision authority? The charter should be specific enough that a new BSA officer could read it and understand how the program actually works.

2. Missing board approval. This is the most common BSA finding. "Senior management reviewed it" doesn't meet the standard. The board must formally approve the AML program, and that approval must appear in board minutes or a board resolution. The sign-off block in the template exists for exactly this reason.

3. Role assignments that name titles but not functions. "The Compliance Team is responsible for SAR filing" creates ambiguity. Who specifically? What's the escalation path if that person is unavailable? Name the function, the decision authority, and the backup.

4. Letting the charter go stale after a material change. Launching a new product, entering a new geography, or completing an acquisition each materially change the risk profile the charter is supposed to describe. The charter should include a trigger list: these events require a review and update within 30 or 60 days.

5. Confusing charter with policy. The charter is the governance document. It says what the program is and who owns it. Individual policies (CDD policy, SAR policy, model risk management policy) describe how each component works. Putting procedure-level detail in the charter makes it unmaintainable and inconsistent with examination expectations.

6. No version history. Examiners sometimes ask for the charter version in effect during a specific review period. If you can't produce it, that's a problem. Maintain a version history table and archive each superseded version with its approval date.

How FluxForce automates this

The work this charter describes: running CDD, monitoring transactions, screening for sanctions and PEPs, drafting SAR narratives, maintaining audit-ready evidence, is what FluxForce's AI agents handle in real time. Automated screening fires continuously against the thresholds your program defines. Every decision carries a full evidence trail for examiners. The charter sets the governance framework; FluxForce runs the controls inside it. Request a demo to see how regulated institutions are deploying this in practice.