BSA/AML Policies and Procedures – What Can We Learn From Mary Barra and the Founding Fathers?

According to a Quartz At Work article from July 2022, in 2015 General Motors’ Chair and CEO Mary Barra replaced GM’s 10-page dress code manual with a two-word statement:

Dress appropriately.

The article included an interesting observation by the CEO: “What I realized is that you really need to make sure your managers are empowered—because if they cannot handle ‘dress appropriately,’ what other decisions can they handle? And I realized that often, if you have a lot of overly prescriptive policies and procedures, people will live down to them.”

Overly prescriptive policies and procedures. Does that sound familiar?

Goldman Sachs went a bit further with its dress code, but not by much. Goldman looked at the issue from the perspective of its “broad and diverse client base around the world”. Goldman’s intent was to have its clients “feel comfortable with and confident in our team”, and then it directed the team to “please dress in a manner that is consistent with your clients’ expectations”. But then the Goldman lawyers and HR consultants must have stepped in, with reminders that “of course, casual dress is not appropriate every day for every interaction” and “all of us know what is and is not appropriate for the workplace” before ending with the scooshy, dress-code version of “have a nice day!”: “we hope this approach will provide flexibility for our people and create a welcoming environment for all.”

BSA/AML Policies and Procedures – What Can We Learn From Mary Barra?

The FFIEC’s BSA/AML Exam Manual (2014, revised 2020, 2021) is the blueprint, or roadmap, for building and maintaining a BSA/AML program. And the core of that program, or one of the required pillars of a program, is a system of internal controls. As the FFIEC explains, “Internal controls are the bank’s policies, procedures, and processes designed to mitigate and manage money laundering, terrorist financing, and other illicit financial activity risks and to achieve compliance with BSA regulatory requirements.”

We should pause here and level-set on what we mean by policies, and how policies differ from procedures.

Policies are the overarching tenets or principles of a company. Policies are broad, and should change infrequently. Policies state who does what, and why. Policies establish a framework and provide guard-rails. And, in the context of BSA/AML, policies are written by, and the responsibility of, the BSA Officer: this person is, after all, responsible for the integrity of the overall BSA/AML (or AML/CFT) compliance program.

With policies in hand, group- or business-level compliance and operations staff can then write and implement procedures. Very simply, procedures allow policies to be operationalized: they provide the how and when for the policies’ who, what, and why. Procedures offer a detailed, often step-by-step description of the actions needed to achieve the policy goals. And as a reminder, the BSA Officer or their delegate must approve all line-of-business procedures.

Too Detailed, Too Prescriptive

Over three decades of being a BSA Officer, I’ve written and approved hundreds of policies. Digging back through some notes, I found the following:

  • Customer Identification Program (CIP) Policy – 20 pages
  • Customer Due Diligence (CDD) Policy – 55 pages
  • Currency Transaction Reports (CTR) Policy – 18 pages
  • 314(a) Information Sharing Policy – 11 pages
  • 314(b) Information Sharing Policy – 6 pages
  • Unusual Activity Referral (UAR) and Suspicious Activity Reporting (SAR) Policy – 13 pages
  • Model Risk Management (MRM) Policy – 33 pages

And there were nineteen more BSA/AML, or AML/CFT, policies. We didn’t start with 26 policies that totaled more than 400 pages: the half-dozen or so five- or six-page policies metastasized over the years into the tremendously detailed, horribly wordy, way-too-prescriptive policies that thrilled their authors and flummoxed everyone who tried to implement them.

And the resulting procedures picked up on that way-over-done theme, and ended up being even more detailed and prescriptive.

The result, other than employing legions of compliance officers, quality assurance folks, and lawyers, was processes that were impossible to adhere to on a day-to-day basis, and, even worse, invariably ignored in times of stress.

So take a critical look at your current policies and procedures. But … how to judge them?

The Declaration of Independence/Constitution Standard

The US Declaration of Independence can be thought of as the overarching policy for the United States. It describes what needed to happen, by whom, and why. It was drafted to tell the American colonists (who) that they needed to unite against King George and Britain to fight for their rights (what) and why their actions were justified. It was written in five distinct parts. The introduction gives the reasons why it was necessary to seek independence. The preamble states the principles that the drafters believed were inalienable rights. Next is a recital of the grievances that the colonists had against the King, and the mostly failed efforts to have those grievances addressed. And the conclusion provides for the dissolution of the relationship between the colonies and Britain.

And the drafters did all of that in 1,337 words.

That was their policy statement. Eleven years later, in 1787, after defeating the British in the American Revolution, the founders got together to draft a second document on how they would govern their new country. The US Constitution – essentially the procedures on how they would implement their policy of independence – is organized into 21 sections in 7 articles. It is 4,508 words.

Two years after the Constitution was written, Congress decided to amend it by adding the Bill of Rights. The preamble and the first ten amendments of the Bill of Rights total 541 pages. The eleventh through twenty-seventh amendments (the 27th Amendment was ratified in 1992) total another 2,647 words. So for the purposes of our policy and procedure standard, we’ll say that the United States of America policy (the Declaration of Independence) is 1,350 words, and the United States of America procedures (the Constitution, Bill of Rights, and all Amendments) is 7,150 words.

Here’s the standard: any policy you have cannot exceed the length of the Declaration of Independence, or 1,350 words; and any procedure you have cannot exceed the length of the Constitution (as amended), or 7,150 words.

You should be able to describe who does what, why, and how to onboard customers in your bank in fewer words than the founders of the United States did for all Americans.

Testing the Standard

But don’t trust me. Instead, trust the people you work with, the people that are writing the business line procedures, and the tellers and bankers and wire room operators who are implementing the procedures. A common policy drafting mistake is to assume that the theory of the policy will translate into sound practice in the front line units. As the great philosopher Yogi Berra said, “in theory there is no difference between theory and practice: in practice there is.”

So give your existing policies and procedures to those people in your organization that are supposed to be following them, and have them tell you (and show you) whether the practice of implementation meets the theory of compliance.

Then, after you’ve found out that much of your 25-page Customer Due Diligence policy, and resulting 100-page procedures, is being ignored, redraft everything using the Declaration/Constitution Standard. You’ll likely find that fewer words are better.

Warning – Watch Out For the Dreaded Policedures

One of the main reasons why your policies are lengthy, convoluted, and hard to operationalize is that they drift into the “how” something is to be done, which is best left to business-level procedures. These hybrid policies, or policedures, need to be avoided at all costs.

Ditch the FAQs, R&Rs, and SLAs

On a related note, if your program is replete with policy FAQs, “Roles & Responsibilities” documents, and intra-company service level agreements, take another look at your corporate policies and line-of-business procedures: FAQs, R&Rs, and SLAs are often manifestations of the failure to write policies and procedures that can actually be understood and followed.

Conclusion – Mary Barra’s “Dress Appropriately”

Much can be learned from Mary Barra, and even Goldman Sachs, when it comes to writing clear, concise BSA/AML policies (what you must do) and procedures (how you must do it). Two words may be cutting it a little tight, and being as eloquent and precise as the American Founding Fathers may be asking too much. But at least take away the spirit of this essay, and take another look at those 20+ page policies, those 50+ page procedures, even the possible 30+ page policedures. It’s likely that your current policies aren’t translating into sound practice in the front line units.