How to Build an AML Compliance Program for Your Title Company or Closing Practice
A defensible anti-money laundering compliance program is not just a regulatory checkbox — it is your primary protection against penalty, prosecution, and reputational harm. This guide walks through the six core elements required for a complete BSA/AML program, tailored specifically for real estate closing professionals.
Why a Written Program Is Non-Negotiable
The FinCEN Residential Real Estate Rule — before its vacatur — explicitly required "reporting persons" to establish and implement a written AML program. But the obligation to have one extends beyond any single regulation. It reflects a fundamental principle in BSA enforcement: a documented, systematic approach to compliance is the difference between a penalty action that ends in a warning and one that results in a multi-million-dollar assessment.
FinCEN and federal prosecutors look for evidence of intent. A firm with a written AML program — even an imperfect one — demonstrates good-faith effort. A firm with no program, no documented policies, and no training records presents a very different picture to an examiner, regardless of whether any specific transaction was suspicious.
Why You Should Maintain Your Program Despite the Rule Vacatur
ALTA's official guidance following the March 19, 2026 vacatur is to continue collecting beneficial ownership information and maintaining compliance workflows. The 5th Circuit appeal may reinstate the rule at any time. FinCEN retains its Geographic Targeting Order (GTO) authority. Broader BSA and federal money laundering obligations remain in effect. Dismantling your program now to save costs creates a rebuilding problem if — and likely when — reporting requirements return.
A complete BSA/AML compliance program for a real estate closing practice has six core elements:
Written Policies and Procedures
Your written AML policy is the governing document of your compliance program. It establishes what your firm will do, who is responsible for doing it, and how compliance activities will be documented. Without a written policy, nothing else in your program has a foundation.
At minimum, your written policies should address: the scope of transactions covered by your AML program, the specific due diligence steps required for each transaction type, the procedure for identifying and escalating red flags, the firm's SAR filing process, record retention requirements, and the identity and responsibilities of the designated compliance officer.
What Makes a Policy Defensible
Your procedures document goes deeper: it translates policy into step-by-step instructions that your paralegals and agents actually follow at each closing. A good procedures document is specific enough to serve as a training guide and detailed enough that a newly hired employee could use it to process a reportable transaction correctly.
Common gaps in title company AML policies: failure to address trust beneficiary identification (not just trustees), absence of a procedure for transactions where the buyer refuses to provide beneficial ownership information, and lack of a policy governing how the firm handles disagreements between the reporting person and the buyer about what information must be provided.
Designated Compliance Officer
Every compliance program needs a named individual who owns it. The designated compliance officer is the person responsible for implementing the program, staying current on regulatory developments, training staff, reviewing flagged transactions, and making SAR filing decisions.
For a boutique closing practice, this is typically the principal attorney or managing title agent. For a multi-office firm, the compliance officer may be a dedicated senior employee with staff support. The title does not matter — the authority and accountability do.
Compliance Officer Responsibilities
- Implement and update the written program
- Conduct or oversee employee training
- Review flagged transactions and red flags
- Make SAR/CTR filing determinations
- Maintain required records
- Coordinate with legal counsel on edge cases
- Manage any regulatory examination or inquiry
Required Authority
- Access to all transaction records
- Authority to request additional documentation from any party
- Authority to delay or decline a closing pending review
- Direct reporting line to firm principal or board
- Budget authority for training and compliance tools
- Independence from revenue pressures on individual files
A critical and often overlooked requirement: the compliance officer must have genuine independence from the business pressure to close transactions. An officer who is also the rainmaker for the firm — and whose compensation depends on transaction volume — has an inherent conflict when deciding whether to flag or decline a deal. Your program documentation should reflect how this tension is managed.
Employee Training Program
An AML program that lives only in the compliance officer's head is not a program. Every employee who touches a reportable transaction — including paralegals, escrow officers, title examiners, and administrative staff — must receive training appropriate to their role.
Training requirements under the BSA do not prescribe a specific format, duration, or frequency, but the training itself must be documented. "We told everyone verbally" will not hold up in a regulatory examination. You need records showing who was trained, when, on what content, and with what demonstrated understanding.
Minimum Training Program Components
Customer Due Diligence Procedures
Customer due diligence (CDD) is the operational heart of your AML program. For real estate closing professionals, CDD means: identifying the parties to the transaction, verifying that identification, understanding the source of funds, and determining the beneficial ownership of any entity buyer.
Your CDD procedures should distinguish between standard due diligence — applied to all qualifying transactions — and enhanced due diligence (EDD), triggered by the presence of one or more red flags.
Standard Due Diligence: Every Qualifying Transaction
Enhanced Due Diligence: Red Flag Transactions
When a transaction presents one or more red flags — unusual funding sources, entity opacity, geographic disconnection, urgency to close, or others identified in your risk assessment — your EDD procedures kick in. EDD means doing more: requesting additional documentation, seeking independent verification, consulting your compliance officer, and documenting every additional step.
EDD is not a binary decision. It is a spectrum of additional scrutiny that is proportional to the level of risk identified. A single minor flag might warrant one additional verification step and a brief note to the file. Multiple concurrent flags in a high-value transaction might require consultation with legal counsel before proceeding.
Independent Testing and Audit
A compliance program that is never tested is just paperwork. Independent testing — also called independent audit — is the process of evaluating whether your program is actually working as designed: are procedures being followed, are CDD worksheets complete, are training records maintained, and are red flags being escalated appropriately?
The "independence" requirement means the tester cannot be the same person who implements the program. For small practices, this typically means engaging an outside compliance consultant or attorney with BSA expertise. For larger title companies, an internal audit function that is separate from the compliance team can satisfy this requirement.
What Independent Testing Should Cover
For a boutique closing practice with a modest transaction volume, annual independent testing is the typical standard. High-volume practices — or any practice that has identified compliance gaps in a prior review — should consider semi-annual or quarterly testing cycles. Document the scope, findings, and any corrective actions taken.
Record Retention
BSA record retention requirements mandate that AML-related records be maintained for at least five years from the date of the transaction or filing. This includes beneficial ownership documentation, CDD worksheets, SAR filings and the documentation supporting those filings, training records, independent testing reports, and the written AML program itself.
Records must be maintained in a format that is accessible for regulatory examination — meaning they need to be reasonably organized and retrievable on request, not buried in an unindexed archive. They must also be stored securely to prevent unauthorized access or accidental deletion.
Record Retention Checklist
Note that the five-year retention period applies to the records themselves — not just the transaction file. A client file that is destroyed after three years must still have its AML-related documents preserved separately. Build your retention workflow to ensure AML records are systematically separated and preserved regardless of your general file retention practices.
Where Technology Fits Into Your Compliance Program
A compliance program built entirely on manual processes — paper worksheets, email chains for escalation, spreadsheet tracking of training completion — will work until it doesn't. Manual systems fail when volume increases, when staff turns over, and when a regulatory examiner requests documentation that was never systematically organized.
Compliance technology serves three functions in a well-designed program: it automates the data collection and reporting process (reducing error and time), it generates an audit trail automatically (documenting compliance without additional effort), and it scales with your transaction volume without proportional increases in staff time.
How VeroFin Supports Your Compliance Program
Automated CDD data collection: Dual AI agents extract beneficial ownership data from entity documents — operating agreements, trust instruments, and formation documents — in minutes, eliminating manual data entry and reducing extraction errors.
111-field compliance validation: VeroFin's validation layer checks each report field against FinCEN requirements before filing, catching omissions and formatting errors that commonly result in rejected submissions.
Complete audit trail: Every transaction processed through VeroFin generates a timestamped, exportable compliance record — documenting what data was collected, what validation checks ran, and when each action was taken. This is your compliance evidence in any examination.
Private encrypted vault: All data is stored in your firm's private Supabase instance with row-level security, so your clients' beneficial ownership information never commingles with another firm's data.
BSA E-Filing XML generation: VeroFin generates the XML file required for BSA E-Filing submission — eliminating the manual XML formatting step that is the primary source of rejection errors in manual workflows.
Technology does not replace the human elements of your compliance program — the compliance officer's judgment, the training that lets staff recognize a red flag, the independent testing that validates the program's operation. It handles the documentation-intensive, error-prone, and time-consuming execution elements so your people can focus on the judgment calls.
Frequently Asked Questions
Are title companies required to have a written AML program?
Under the now-vacated FinCEN RRE Rule, yes. Even with the rule vacated, ALTA recommends maintaining compliance infrastructure given the active appeal. Title companies regulated as financial institutions under state law may also have independent written program requirements. Consult BSA counsel for your specific jurisdiction.
What are the six elements of a BSA/AML compliance program?
The six core elements are: (1) Written policies and procedures, (2) Designated compliance officer with clear authority, (3) Employee training program with documented completion, (4) Customer due diligence procedures, (5) Independent testing and audit, and (6) Record retention for at least five years.
How long must AML records be retained?
BSA record retention requirements call for a minimum of five years for AML-related records, including CDD worksheets, SAR filings, training records, and the written program itself. Records must be maintained in an accessible, auditable format.
Can I use software like VeroFin to satisfy my record retention requirements?
Yes. VeroFin generates an exportable audit trail for each transaction, including beneficial ownership data, validation results, and timestamps. This documentation satisfies the record retention requirements for the transaction-level compliance record. You will still need to separately maintain your written program, training records, and independent testing reports.
Should I keep my AML program active even though the FinCEN rule was vacated?
Yes. ALTA recommends continuing to collect beneficial ownership information and maintain compliance workflows. The 5th Circuit appeal may reinstate the rule, FinCEN can issue new GTOs at any time, and broader BSA obligations remain. The cost of maintaining your program is minimal compared to rebuilding from scratch if requirements return.