John makes a very good point. I have seen more and more BSA "Policies" which try to incorporate way too much, and you wind up with a 75 to 100 page tome with far too much detailed procedure - and the whole thing is approved by the Board. What this means is, everytime you need to "niggle" a procedure, you're supposed to go back to the Board for approval. Frankly - that's nuts!
I would prefer to see more of a separation of policy and procedure - as an example:
The policy can state that the Bank will monitor high risk customers to determine if the legitimacy of transactions, determie the frequency of review, and determine if the customer should remain on the high risk list.
The procedures then state HOW this will be done - i.e. what reports will be reviewed, any thresholds that are to be set, what factors can be considered, etc.
To me - Policy states WHAT the bank will do (Bank will comply with the requirements of BSA) - and Procedures spell out HOW the bank will do it.
Regulations are a poor substitute for ethics.