BSA/AML examinations are among the highest-stakes regulatory reviews a community bank faces. A weak BSA program can result in consent orders, civil money penalties, criminal referrals, and, in extreme cases, charter revocation. The FFIEC BSA/AML Examination Manual structures the examination around five pillars, and your preparation should mirror that structure. This checklist gives you a systematic approach to staging documents, self-auditing your program, and closing gaps before examiners arrive.
Key Takeaways:
- BSA/AML examinations evaluate five pillars: internal controls, independent testing, designated BSA officer, training, and CDD/EDD
- Self-auditing your SAR decision documentation and CDD files before the exam catches the most common deficiencies
- The most damaging findings aren't missed SARs; they're systemic failures in the program's design or execution
- Examiners use the FFIEC BSA/AML Examination Manual's core examination procedures and expanded procedures based on your risk profile
The Five Pillars: Your Exam Preparation Framework
The Bank Secrecy Act (31 U.S.C. § 5311 et seq.) and its implementing regulations (31 CFR Chapter X) require every financial institution to maintain a BSA/AML compliance program. The FFIEC examination manual structures the evaluation around five pillars established by regulation at 31 CFR § 1010.210.
Pillar 1: System of Internal Controls
Internal controls are the policies, procedures, and processes that ensure BSA compliance. This pillar is the broadest and typically receives the most examiner attention.
Pre-exam checklist:
- BSA/AML policies and procedures are current, board-approved, and cover all applicable requirements (CTR filing, SAR filing, CDD/EDD, OFAC screening, 314(a) processing, recordkeeping)
- Risk-based CDD procedures exist for customer onboarding, ongoing monitoring, and event-driven reviews
- Beneficial ownership procedures comply with 31 CFR § 1010.230 (the CDD Rule), including identification and verification of 25%+ equity owners and one individual with significant responsibility
- Transaction monitoring system/process is documented, including parameters, thresholds, alert disposition procedures, and escalation protocols
- CTR filing procedures ensure timely filing (within 15 calendar days of the reportable transaction per 31 CFR § 1010.311) with accurate information
- SAR filing procedures address the identification, investigation, and decision process for suspicious activity, including the 30-day initial filing deadline and 60-day extension for ongoing investigations per 31 CFR § 1020.320
- OFAC screening procedures cover all required screening points (account opening, wire transfers, loan origination) with documented hit-resolution procedures
- 314(a) search procedures ensure timely response (within 14 days of receiving the request)
- Recordkeeping procedures comply with 31 CFR § 1010.430 (five-year retention for BSA records) and 31 CFR § 1020.410 (recordkeeping for funds transfers of $3,000 or more)
- Currency transaction log procedures for cash transactions between $3,000 and $10,000 (if maintained)
Common deficiency: Policies that restate the regulation without translating it into institution-specific procedures. Your SAR policy should describe your investigation workflow, escalation criteria, and decision-making process, not just restate the regulatory requirements.
Pillar 2: Independent Testing (Audit)
The BSA program must be independently tested at least every 12-18 months. For community banks, this is typically performed by an external audit firm.
Pre-exam checklist:
- Independent BSA/AML audit was completed within the past 12-18 months
- Audit scope included transaction testing (SARs, CTRs, CDD, OFAC, 314(a)), not just a policy review
- Audit scope was risk-based, with higher-risk areas receiving more testing
- Audit identified findings (a zero-finding audit suggests insufficient depth)
- Management responses to audit findings are documented
- Remediation of audit findings is complete, with evidence of corrective actions
- Audit report was presented to the board or audit committee, with documentation in board minutes
- The auditor is independent from the BSA function (the BSA officer should not direct or control the audit)
Common deficiency: BSA audits that review policies but don't test transactions. Examiners expect the audit to include sample testing of SAR decisions (both filed and not-filed), CTR accuracy, CDD file completeness, and OFAC screening effectiveness.
Pillar 3: Designated BSA Officer
The institution must designate an individual responsible for day-to-day BSA/AML compliance.
Pre-exam checklist:
- BSA officer is formally designated (board resolution or written appointment)
- BSA officer has sufficient authority within the organization (can escalate issues to senior management and the board)
- BSA officer's qualifications are documented (training, certifications, experience)
- BSA officer reports directly to the board or a board committee on BSA matters (not filtered exclusively through management)
- BSA officer has adequate staff support for the institution's risk profile and transaction volume
- BSA officer's other responsibilities (if wearing multiple hats) don't create capacity constraints that affect BSA program execution
Common deficiency: At community banks, the BSA officer often holds multiple roles: compliance officer, BSA officer, CRA officer. Examiners don't prohibit this, but they assess whether the combined workload allows adequate attention to BSA responsibilities. If transaction volume has grown but BSA staffing hasn't, expect a finding.
Pillar 4: Training
All appropriate personnel must receive BSA/AML training, with content tailored to their roles.
Pre-exam checklist:
- Annual BSA/AML training was delivered to all applicable employees
- Training content is role-specific: tellers receive cash-handling and CTR training; loan officers receive CDD and SAR awareness training; the BSA team receives detailed investigation and filing training
- Training content covers current typologies, red flags, and recent FinCEN advisories
- New employee BSA training is delivered within a defined timeframe (30-60 days of hire is typical)
- Board members receive BSA/AML training appropriate to their oversight role
- Training records include date, content covered, instructor, and individual completion confirmation
- Training is updated when BSA policies or procedures change
Common deficiency: Generic, vendor-provided training that doesn't address the institution's specific products, customer types, or risk profile. A bank that serves a large number of MSBs or conducts significant international wire activity needs training that addresses those specific risks, not just a general SAR overview.
Pillar 5: Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
The CDD Rule (31 CFR § 1010.230, effective May 2018) added CDD as the fifth pillar of BSA compliance programs.
Pre-exam checklist:
- CDD procedures address all four core elements: customer identification, beneficial ownership identification, understanding the nature and purpose of customer relationships, and ongoing monitoring
- Beneficial ownership information is collected for all covered legal entity customers, with the required certification
- Risk rating methodology is documented, with clear criteria for low, medium, and high-risk classifications
- Higher-risk customers have enhanced due diligence files with additional information gathering and more frequent monitoring
- Customer risk ratings are reviewed periodically and updated when triggering events occur (unusual activity, change in business, negative news)
- Ongoing monitoring detects changes in customer activity patterns that may warrant risk re-evaluation or SAR filing
- Documentation of CDD and EDD is accessible and organized by customer
Common deficiency: CDD files that were complete at account opening but never updated. The CDD Rule requires ongoing monitoring; a customer's risk rating should reflect current information, not just the initial assessment. Examiners pull customer files and compare account activity to the documented business purpose; mismatches suggest monitoring gaps.
SAR and CTR Filing Self-Audit
Before the exam, conduct a targeted review of your SAR and CTR filing processes:
SAR self-audit:
- Pull a sample of SARs filed during the review period and verify: timeliness of filing, completeness of narratives, accuracy of subject information, and consistency between the investigation file and the filed SAR
- Pull a sample of cases reviewed but not filed and verify: the investigation was adequate, the decision not to file was documented and reasonable, and the decision was approved by an authorized individual
- Review alert disposition statistics: what percentage of alerts result in case investigation versus closure? A very high closure rate may indicate threshold or parameter problems
- Verify that continuing SARs are being filed for ongoing suspicious activity (at least every 90 days per FinCEN guidance)
CTR self-audit:
- Reconcile CTR filings to the bank's large cash transaction log for a sample period
- Verify accuracy of CTR data fields against source documents
- Review CTR exemptions to ensure they comply with 31 CFR § 1020.315 (exempt person procedures), including the annual renewal requirement and Phase I/Phase II eligibility verification
- Check for structuring patterns that may not have been identified by monitoring systems
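The CTR reconciliation and timeliness checks above can be scripted over the bank's cash log and CTR filing log. The following Python is an added example, not code from the article or from any vendor; it assumes the familiar rule that currency transactions by or on behalf of one customer are aggregated per business day and become reportable when they exceed $10,000, plus the 15-calendar-day filing deadline cited earlier, and all log data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real customers): large-cash transaction log entries
# as (customer_id, business_date, currency_amount).
CASH_LOG = [
    ("C001", date(2024, 3, 4), 6000.00),
    ("C001", date(2024, 3, 4), 5500.00),   # aggregates to 11,500: CTR required
    ("C002", date(2024, 3, 5), 12000.00),  # single transaction over threshold
    ("C003", date(2024, 3, 6), 9800.00),   # under threshold, not reportable
    ("C004", date(2024, 3, 7), 4000.00),
    ("C004", date(2024, 3, 7), 3000.00),   # 7,000 aggregate, not reportable
    ("C005", date(2024, 3, 8), 10500.00),  # reportable, but no CTR in CTR_LOG
]
# Constructed CTR filing log as (customer_id, business_date, filing_date).
CTR_LOG = [
    ("C001", date(2024, 3, 4), date(2024, 3, 15)),  # 11 days: timely
    ("C002", date(2024, 3, 5), date(2024, 3, 28)),  # 23 days: late
]

CTR_THRESHOLD = 10_000.00       # reportable when daily aggregate exceeds this
FILING_DEADLINE_DAYS = 15       # calendar days after the transaction date


def aggregate_daily_cash(cash_log):
    """Sum currency transactions per (customer, business day)."""
    totals = defaultdict(float)
    for customer, day, amount in cash_log:
        totals[(customer, day)] += amount
    return totals


def reconcile_ctrs(cash_log, ctr_log):
    """Return (missing, late).

    missing: (customer, day, total) for reportable days with no CTR on file.
    late:    (customer, day, days_to_file) for CTRs filed past the deadline.
    """
    totals = aggregate_daily_cash(cash_log)
    filed = {(c, d): f for c, d, f in ctr_log}
    missing, late = [], []
    for (customer, day), total in sorted(totals.items()):
        if total <= CTR_THRESHOLD:
            continue                      # not reportable; nothing to reconcile
        if (customer, day) not in filed:
            missing.append((customer, day, total))
        else:
            days_to_file = (filed[(customer, day)] - day).days
            if days_to_file > FILING_DEADLINE_DAYS:
                late.append((customer, day, days_to_file))
    return missing, late
```

Run it over a full sample period and review every item in `missing` and `late` against source documents before the exam; a non-empty `missing` list is exactly the reconciliation gap examiners look for.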
Document Staging for BSA/AML Exam
Organize the following documents before the pre-exam letter arrives:
Program documents: Current BSA/AML policy, CDD/EDD procedures, OFAC policy, 314(a) procedures, SAR filing procedures, CTR filing procedures, transaction monitoring procedures (including system parameters and thresholds)
Risk assessment: The current institution-wide BSA/AML risk assessment, including product/service, customer, and geographic risk categories
Audit: Most recent independent BSA/AML audit report, management's response, and remediation tracking
Training: Training plan, training materials, and completion records for all applicable personnel
Filing records: SAR filing log, CTR filing log, OFAC screening log, 314(a) search results
CDD files: Sample customer files organized by risk rating (examiners will request specific files during the on-site exam)
Board reporting: All BSA-related board reports from the review period, with corresponding board minutes showing review and discussion
For a broader view of BSA/AML compliance requirements, see our BSA/AML compliance checklist.
How Canarie Helps You Prepare for BSA/AML Exams
BSA exam prep becomes a scramble when SAR documentation lives in one system, training records in another, CDD files in a third, and board reporting in email. Canarie maps each BSA obligation to its required evidence and captures that evidence as BSA work is performed: investigations documented, training completed, monitoring conducted, and board briefings delivered.
When examiners ask for your SAR decision files, CDD documentation, or training records, they're organized, timestamped, and ready.
See how Canarie keeps your BSA program exam-ready year-round →
Frequently Asked Questions
How far back do BSA/AML examiners look during an exam?
Examiners typically review the period since the last BSA/AML examination, which is usually 12-18 months. However, for specific issues, like ongoing SAR subjects, historical transaction patterns, or prior findings, examiners may look back further. The FFIEC BSA/AML Examination Manual instructs examiners to review sufficient data to evaluate the program's effectiveness, which may extend beyond the standard review period if concerns arise.
What's the difference between a BSA finding and a BSA violation?
A finding is an examiner observation of a program weakness, for example, "CDD files for higher-risk customers lack documentation of enhanced due diligence." A violation is a specific regulatory breach, for example, "the institution failed to file a SAR within 30 days of initial detection as required by 31 CFR § 1020.320(b)(3)." Violations are more serious and may trigger enforcement action, civil money penalties, or criminal referral to FinCEN depending on severity and willfulness. Both findings and violations appear in the Report of Examination.
Should the BSA officer attend the entire on-site examination?
The BSA officer should be available throughout the BSA portion of the examination and should attend the entrance and exit conferences. During the on-site period, the BSA officer will receive requests for additional information, clarification on procedures, and specific customer files. Having the BSA officer available (not necessarily in the exam room, but accessible) reduces delays and demonstrates program ownership.
What triggers a standalone BSA/AML examination outside the normal exam cycle?
Several factors can trigger an off-cycle BSA examination: FinCEN referrals, law enforcement inquiries about specific customers or transactions, a significant increase in SAR filing volume, BSA-related findings from the prior exam that remain unresolved, or suspicious activity identified through the FDIC's off-site monitoring. Material changes in the bank's risk profile, such as onboarding a large number of MSB or marijuana-related business customers, may also prompt targeted BSA review.