I was at a multibank holding company of about 1 billion that had a manual system with no AML software. I thought the organization was crazy, but they didn't see the need to pay for it. When I took over the BSA Officer position, I trippled the size of my policy and created workflow charts for every high and moderate risk area. I had the process as air tight as possible but knew the day would come when the examiners would want an automated system. Frankly, I would have felt better with an automated system but I would have needed another employee to manage the program, which I couldn't get either.
However, the examiners liked my processes and they did prove to be air tight. We were in a fairly low risk area with a very stable customer base, so it never became an issue, though it will at some point.
The answer to your question has to be risk-based and there really can't be a standard for this, though I think it is good to have for any sized organization if the organization can afford it.
Frankly, once you start having any kind of BSA issues, the examiners start to say that you need to get an automated AML system.
_________________________
Adam Witmer, CRCM
All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com