Policies, Standards, and Procedures

Key Takeaways

  • Policies state principles (what and why), standards set measurable requirements, and procedures give step-by-step how-to instructions.
  • Documents must be board- or senior-management-approved, version-controlled, and reviewed on a defined cycle.
  • Governance committees (e.g., a financial-crime committee) provide oversight and a documented escalation path.
  • Record-keeping rules — generally five years under FATF — and SAR/STR confidentiality must be reflected in procedures.
Last updated: June 2026

Policies, Standards, and Procedures

An AFC program lives or dies on its documentation. Examiners and the third line (internal audit) test programs against written policies, standards, and procedures (PSPs) — and a program is only as good as its ability to show that what it does matches what it says. CAMS routinely tests the hierarchy among these documents and the controls that keep them current.

The document hierarchy

The three layers descend from principle to action, and candidates often blur them.

| Document  | Answers                                  | Approved by                        | Example                                                                                                            |
|-----------|------------------------------------------|------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| Policy    | What and why (principles, commitments)   | Board / senior management          | "We comply with all applicable AML laws and file SARs as required."                                                |
| Standard  | What measurable requirement              | Senior management / committee      | "PEPs require EDD and annual review."                                                                              |
| Procedure | How, step by step                        | Process owner / line management    | "To screen a new customer: 1) run sanctions list, 2) record result, 3) escalate any hit within 24 hours."          |

A policy that contains keystroke-level instructions, or a procedure that sets strategy, is mis-leveled. A CAMS distractor may swap these — for example, expecting the board to approve every procedural step (it approves the policy; owners maintain procedures).

Approval, version control, and review cycle

Every PSP must be:

  • Approved at the right level (policies by the board or a board committee).
  • Version-controlled with dates, owners, and a change history.
  • Reviewed on a defined cycle (commonly annually) and updated for regulatory change or new typologies.

An out-of-date procedure that still references a repealed rule is an audit finding. "Policy exists but staff cannot locate or follow it" is also a failure — accessibility and training are part of the control.

Governance committees and escalation

PSPs must define who decides and how issues escalate. A financial-crime / AML committee typically provides oversight, reviews metrics and key risk indicators, approves standards, and receives escalations the MLRO cannot resolve at the line level. The escalation path should be explicit so that a difficult onboarding or a contested alert reaches the right authority and is documented.

Record-keeping and reporting embedded in procedures

Procedures operationalize legal duties. Under FATF standards (and most national regimes, including the US BSA and EU directives), institutions must retain CDD and transaction records for at least five years. Suspicious-activity reporting procedures must reflect filing deadlines (US SARs within 30 days, extendable to 60 with no identified suspect) and tipping-off confidentiality. A scenario describing a bank that discards onboarding records after two years is testing the five-year retention rule.

Scenario workflow

For a documentation scenario, ask:

  • Is the document correctly leveled (policy vs. standard vs. procedure)?
  • Was it approved at the right authority and is it current?
  • Does the escalation path / committee handle the issue, or is someone acting outside governance?
  • Do the procedures honor record-keeping (five-year) and reporting/confidentiality rules?

The best answer aligns the document to its proper level, keeps approval and version control intact, routes hard calls through the governance committee, and preserves required records. Watch the trap where an institution "has a policy" but no procedure to execute it — a stated commitment without an operational step is not an effective control.

Worked example

During an exam, a regulator asks how the bank screens new customers against sanctions lists. Staff produce a one-line policy statement ("we comply with all sanctions obligations") but no procedure describing which lists, how often screening runs, who reviews hits, and the escalation timeline. The policy exists; the operational control does not. The exam-preferred remediation is to build a documented, version-controlled procedure with named owners and clear escalation SLAs, train staff on it, and have the AML committee approve the supporting standard. "Has a policy but no procedure" is a recurring finding pattern.

Mapping documents to obligations

Procedures are where abstract legal duties become daily steps. Each major obligation should trace to a written procedure.

| Obligation                     | Procedure must specify                                                          |
|--------------------------------|---------------------------------------------------------------------------------|
| Customer identification (CIP)  | Which IDs, verification method, beneficial-owner collection at 25%              |
| Sanctions screening            | Lists used, frequency, hit-review and escalation steps                          |
| Suspicious-activity reporting  | Internal report route, MLRO decision, 30-day filing, tipping-off ban            |
| Record retention               | Five-year minimum for CDD and transaction records                               |
| Training                       | Role-based content, frequency, attendance tracking                              |

Governance ties it together: the financial-crime committee approves standards, reviews key risk indicators, and is the documented destination for escalations the line cannot resolve. A robust program can demonstrate the full chain — board-approved policy, management-approved standards, owner-maintained procedures, evidence of training, and an audit trail showing the documents are current and followed.

When a scenario shows a procedure citing a repealed rule, records destroyed early, or escalation handled informally by an individual outside the committee, the defect is documentary control, and the correct answer restores proper leveling, approval, version control, and retention rather than treating the lapse as harmless.

Why documentation drives examinations

Regulators and the third line cannot watch every transaction, so they test the system: do the written PSPs describe an adequate program, and does evidence show staff follow them? This is why "show me the procedure" and "show me the version history" are standard examination requests. Two failure modes recur on the exam. First, the gap between policy and practice — a strong policy that the front line never operationalizes. Second, the stale document — a procedure that survived a regulatory change unrevised. Both are control deficiencies even if no laundering occurred, because the program cannot demonstrate it would catch wrongdoing.

A practical discipline ties it together: every PSP carries an owner, an approval date and authority, a next-review date, and a change log. New typologies (for example, a virtual-asset laundering method) or new sanctions programs should trigger an out-of-cycle update. Training reinforces the procedures so staff actually execute them, and the AML committee receives metrics confirming the cycle runs.

The section's unifying rule: keep documents correctly leveled, current, approved, accessible, and supported by retained records — a stated commitment without an executable, evidenced procedure behind it is not an effective control, no matter how well it reads.

Test Your Knowledge

Within the AFC documentation hierarchy, what is the role of a procedure as opposed to a policy?

Test Your Knowledge

A bank's procedures call for destroying customer onboarding and transaction records two years after account closure. What is the issue?
