BSA/AML Compliance Checklist for Community Banks (2026)

A practical BSA/AML compliance checklist for community banks covering CDD, SAR filing, CTR requirements, and exam preparation. Built for compliance teams under $10B.

By Canarie Team


Community banks face the same BSA/AML examination scrutiny as institutions ten times their size—but with a fraction of the compliance resources. This checklist covers what examiners actually evaluate during BSA/AML examinations, organized by the five pillars of an effective AML program as defined in the FFIEC BSA/AML Examination Manual.

Key Takeaways:

  • BSA/AML programs require documented evidence across five pillars, not just policies
  • CDD and beneficial ownership requirements under 31 CFR § 1010.230 are examination hot spots
  • SAR filing decisions must be documented within 30 days of detection—examiners check timestamps
  • Independent testing must cover all program elements, not just transaction monitoring

The Five Pillars: What Your BSA/AML Program Must Include

The Bank Secrecy Act (31 U.S.C. § 5311 et seq.) requires financial institutions to maintain programs with five core components. Examiners evaluate each independently—weakness in one pillar can result in a Matter Requiring Attention (MRA) regardless of strength elsewhere.

Pillar 1: Internal Controls

Your internal controls must be documented, not assumed. Examiners look for:

  • Written policies and procedures that address your specific products, services, customers, and geographic locations
  • Clear assignment of BSA Officer responsibilities under 12 CFR § 21.21
  • Dual control over SAR filing decisions
  • Documented approval workflows for high-risk customers and transactions
  • Evidence that controls are actually executed (attestations, completion records, audit trails)

A common examination finding: policies exist but no evidence demonstrates they're followed. If your policy says "high-risk customers are reviewed quarterly," examiners will ask for the last four quarterly reviews.

Pillar 2: Independent Testing

Independent testing under 12 CFR § 21.21 must cover the entire BSA/AML program—not just transaction monitoring effectiveness. Testing scope should include:

  • Customer Identification Program (CIP) compliance
  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
  • SAR and CTR filing accuracy and timeliness
  • OFAC screening procedures
  • Training program effectiveness
  • Board and management oversight

Testing frequency depends on your risk profile, but annual testing is the minimum expectation. For community banks with limited internal audit resources, outsourced testing is acceptable—but management must review findings and track remediation.

Pillar 3: BSA Officer Designation

The BSA Officer must have sufficient authority, resources, and access to information. Examiners evaluate:

  • Board-approved designation with clear reporting lines
  • Direct access to the board or board committee
  • Authority to file SARs without business line interference
  • Adequate staffing relative to transaction volume and risk
  • Documented time allocation (examiners flag BSA Officers who also run lending departments)

For community banks, the BSA Officer often wears multiple hats. Document how BSA responsibilities are prioritized and what backup coverage exists.

Pillar 4: Training

Training requirements vary by role. Examiners check that:

  • All employees receive general BSA/AML awareness training at onboarding
  • Customer-facing staff receive enhanced training on red flags and escalation procedures
  • BSA staff receive specialized training on regulatory updates and examination findings
  • Board members receive training appropriate to their oversight responsibilities
  • Training completion is documented with dates and attendee names

Training must be updated when regulations change. The 2024 FinCEN beneficial ownership registry changes, for example, should have triggered training updates within 90 days.

Pillar 5: Customer Due Diligence (CDD)

CDD requirements under 31 CFR § 1010.230 represent the most common examination deficiency for community banks. Your program must address:

  • Customer Identification Program (CIP): Verification of identity for all customers using documentary or non-documentary methods (31 CFR § 1020.220)
  • Beneficial Ownership: Collection and verification of 25%+ owners and one controlling person for legal entity customers
  • Customer Risk Rating: Risk-based categorization at onboarding with documented rationale
  • Ongoing Monitoring: Procedures to update customer information and risk ratings based on activity
  • Enhanced Due Diligence (EDD): Additional procedures for high-risk customers, PEPs, and correspondent accounts

The beneficial ownership requirement trips up many community banks. You must collect beneficial ownership information at account opening—retroactive collection is a compliance failure.


SAR Filing Requirements: The 30-Day Rule

Suspicious Activity Reports (SARs) under 31 CFR § 1020.320 must be filed within 30 calendar days of initial detection of suspicious activity. Examiners verify compliance by checking:

  • The date suspicious activity was first identified (often from transaction monitoring alerts)
  • The date the SAR was filed with FinCEN
  • Documentation of the investigation and filing decision

If your transaction monitoring system generates an alert on January 1 and you file the SAR on February 15, you've violated the 30-day requirement—even if you only started investigating on January 20. Detection means when the activity was flagged, not when someone reviewed the flag.

SAR Documentation Requirements:

  • Narrative must include the five W's: who, what, when, where, why
  • Supporting documentation must be retained for five years from filing date
  • Filing decisions (including decisions NOT to file) must be documented
  • Dollar amounts must be accurate—examiners cross-reference to source records

Common examination finding: SAR narratives that are too brief. "Customer made suspicious cash deposits" won't pass examination scrutiny. Explain why the deposits were suspicious, what investigation was conducted, and what conclusions were drawn.


CTR Filing: The $10,000 Threshold

Currency Transaction Reports (CTRs) under 31 CFR § 1010.311 are required for cash transactions exceeding $10,000 in a single business day. While CTR filing is more mechanical than SAR filing, examiners still identify deficiencies:

  • Aggregation failures: Multiple transactions by the same customer in the same business day must be aggregated. If a customer deposits $6,000 at one branch and $5,000 at another, a CTR is required.
  • Structuring detection: Your monitoring must identify potential structuring—customers who consistently transact just below $10,000.
  • Exemption documentation: Phase II exemptions for eligible customers require documented risk assessments and annual reviews.
  • Accuracy: CTRs with incorrect customer information or transaction amounts trigger examination criticism.

Filing deadline: CTRs must be filed within 15 calendar days of the transaction. Late filings are tracked.


OFAC Compliance: Screening Requirements

OFAC screening isn't technically part of BSA, but examiners evaluate it alongside your BSA/AML program. Requirements include:

  • Screening all customers and beneficial owners against the SDN list at onboarding
  • Screening transactions against OFAC lists (especially international wires)
  • Documented procedures for handling potential matches
  • Evidence of list update implementation within 24 hours of OFAC updates
  • Blocked property reporting within 10 business days

For community banks, the key examination focus is demonstrating that screening actually occurs and that potential matches are investigated rather than auto-cleared.


Board Oversight Documentation

Examiners review board meeting minutes for evidence of BSA/AML oversight. At minimum, the board should:

  • Approve the BSA/AML policy annually
  • Receive quarterly reports on SAR filing activity, examination findings, and program status
  • Review and approve the independent testing scope and findings
  • Document discussion of BSA/AML matters in meeting minutes

A single agenda item reading "BSA Report—No Issues" doesn't demonstrate oversight. Minutes should reflect that reports were presented, questions were asked, and the board understood material risks.


BSA/AML Exam Preparation Checklist

Use this checklist to prepare for your next BSA/AML examination:

Documentation Ready:

  • Current BSA/AML policy approved by board (with approval date)
  • BSA Officer designation letter with board approval
  • CIP procedures with verification methods documented
  • CDD procedures including beneficial ownership collection
  • Risk rating methodology with sample risk assessments
  • SAR investigation and filing procedures
  • CTR procedures including aggregation rules
  • OFAC screening procedures and match handling
  • Training materials and completion records
  • Independent testing reports (last two years)

Evidence of Execution:

  • Sample CIP verifications across account types
  • Beneficial ownership certifications for recent legal entity accounts
  • High-risk customer EDD documentation
  • SAR filing log with investigation timelines
  • CTR filing accuracy testing results
  • OFAC screening logs showing list update dates
  • Training completion reports by employee
  • Audit finding remediation tracking

Board and Management:

  • Board minutes showing BSA/AML discussion (last four quarters)
  • Management reports provided to board
  • Evidence of BSA Officer authority and reporting line

How Modern Compliance Teams Handle BSA/AML

The challenge for community banks isn't knowing what's required—it's proving compliance happened. When examiners ask for evidence of your quarterly high-risk customer reviews, you need to produce timestamps, approvals, and documentation, not recreate the work from memory.

Canarie transforms BSA/AML requirements into automated workflows with built-in evidence capture. CDD reviews generate on schedule with assigned owners. SAR investigation timelines are tracked automatically. Training completion is recorded with attestations. When examination time comes, evidence packages export in minutes instead of weeks.



Frequently Asked Questions

What triggers a BSA/AML examination?

BSA/AML examinations typically occur as part of your regular safety and soundness examination cycle—annually for most community banks. However, FinCEN enforcement actions, SAR filing anomalies, or peer comparison outliers can trigger targeted BSA examinations outside the normal cycle.

How often must we update our BSA/AML risk assessment?

The FFIEC BSA/AML Examination Manual expects risk assessments to be updated when products, services, customer base, or geographic footprint change materially. At minimum, annual review is expected. Document the review date even if no changes are made.

Do we need independent testing every year?

Yes. The frequency may vary based on risk profile, but annual independent testing is the baseline expectation. For banks with higher BSA/AML risk or prior examination findings, more frequent testing may be required.

What's the difference between CDD and EDD?

Customer Due Diligence (CDD) applies to all customers—verifying identity, understanding the nature of the relationship, and assigning a risk rating. Enhanced Due Diligence (EDD) applies to higher-risk customers and requires additional procedures: more frequent reviews, deeper investigation of source of funds, and closer transaction monitoring.

How long must we retain SAR documentation?

Five years from the date of SAR filing. The SAR itself, supporting documentation, and records of the investigation decision must all be retained. This applies to decisions not to file as well—document why you determined a SAR wasn't warranted.

