The Bank Secrecy Act has been the foundation of US anti-money laundering compliance since 1970, but the practical examination standard for BSA/AML programs has changed substantially in recent years. FinCEN's 2020 AML/CFT Program Effectiveness Final Rule, the Anti-Money Laundering Act of 2020, and a series of interagency statements through 2022-2024 have shifted examiner expectations in ways that many BSA compliance programs — particularly at community banks and credit unions — haven't fully absorbed.
This post is about what that shift means in practice: what examiners are looking for during BSA/AML program reviews in 2024, where the most common program gaps live, and how to structure your preparation to address the areas of highest examination risk before the examiner arrives.
The AML Act of 2020 and What It Actually Changed for Program Requirements
The Anti-Money Laundering Act of 2020 (AMLA) made the most significant changes to the BSA framework in decades. For compliance teams doing exam prep, the most practically important changes are: the explicit requirement that BSA/AML programs be "risk-based and reasonably designed" to address the specific risks of the institution, the formal recognition of innovation and technology as tools for AML compliance, and the expanded whistleblower protections and penalties framework.
The "risk-based and reasonably designed" language is not new as a concept — the FFIEC BSA/AML Examination Manual has described risk-based programs for years — but its explicit codification in statute changes the examination conversation. Examiners are no longer evaluating whether your BSA program meets a checklist; they're evaluating whether your program is calibrated to the actual risk profile of your institution and customer base.
For a community bank with a primarily retail deposit base and limited correspondent banking or cross-border activity, a BSA program that looks identical to a program designed for a money services business-heavy portfolio is not a good sign — it suggests the program was designed around regulatory structure rather than institutional risk. The 2024 examination environment rewards programs that can articulate why their controls are calibrated the way they are, not just what the controls are.
The Five BSA Program Elements and Where Current Examination Focus Falls
The five core elements of a BSA/AML compliance program — policies and procedures, internal controls, independent testing, designated compliance officer, and training — are well known. What's less well documented is which elements receive the most examiner attention in the current environment and why.
Policies and procedures currency: This is the element with the highest frequency of examination findings. The specific pattern: BSA procedures that were written against a prior version of the FFIEC Manual or a prior FinCEN guidance framework and haven't been updated after subsequent changes. Examples include procedures that describe CDD requirements in terms that predate the 2018 FinCEN CDD Final Rule, or SAR filing procedures that don't address the 2021 FinCEN SAR filing updates. Examiners look at the last-revised date on your BSA procedures — and when they find a document dated 2017 with no subsequent revision history, the audit timeline question becomes uncomfortable.
Independent testing scope and methodology: The independent BSA audit function is examined not just for whether it exists, but for whether its scope and testing methodology are aligned with the institution's current risk profile. An independent audit that tests the same transaction monitoring scenarios year over year, without adjusting for changes in the customer base or product offerings, raises examiner questions about whether the testing is genuinely independent and risk-driven or a procedural compliance exercise.
Transaction monitoring calibration: Examiner attention to transaction monitoring system calibration has increased substantially. The question is no longer just whether you have a transaction monitoring system, but whether your alert thresholds and scenario rules are appropriate for your customer risk profile, how recently the system was tuned, and what the alert-to-SAR conversion rate looks like. Very low conversion rates (many alerts, few SARs) suggest the system is generating excessive noise; very high conversion rates may suggest insufficient alert coverage. Either pattern generates examiner questions about the effectiveness of the monitoring function.
Where Community Banks Most Commonly Fall Short
Based on the pattern of FinCEN enforcement actions and FFIEC examination manual updates through 2024, the most common program gaps at community banks and credit unions fall into three categories.
Customer risk tiering documentation: The BSA/AML risk assessment must document how the institution has classified its customer base by risk tier, what criteria distinguish high-risk from standard customers, and what enhanced due diligence is applied to high-risk accounts. The gap that examiners find most often: risk assessment documents that categorize customers in broad tiers without documented criteria for tier assignment, and enhanced due diligence procedures that describe what EDD looks like but don't describe when and how EDD is triggered for existing customers when risk factors change.
Beneficial ownership documentation for legal entity customers: The FinCEN CDD Rule's beneficial ownership requirements for legal entity customers have been in effect since May 2018, but examination findings on this topic have remained consistent through 2024. The common gap: account opening procedures that collect beneficial ownership information but don't describe how the information is verified, what documentation is required when verification can't be completed, and how the institution handles existing legal entity accounts opened before the CDD Rule's effective date.
SAR filing decision documentation: When suspicious activity is identified and a SAR is not filed, the decision not to file should be documented. This is a well-known requirement, but the documentation quality varies widely. Examiners look for a documented rationale — not just "reviewed, no SAR required" — that explains why the activity didn't meet the SAR filing threshold or why the suspicious indicators were resolved. Institutions with weak no-file documentation are at higher examination risk even when their SAR filing rate is appropriate.
Structuring Your Exam Prep: A Practical Timeline
BSA/AML examination preparation that starts when the exam notification arrives is inherently reactive. The more durable approach structures program review as an ongoing process rather than an event-triggered exercise. Here's how we'd structure a rolling prep schedule for a community bank on a 12-18 month exam cycle.
Immediately after each FinCEN guidance publication or interagency statement: Conduct a targeted policy impact screen — which elements of the BSA program does this guidance address, and is your current procedure language consistent with the updated guidance? Document that you conducted the screen and what you found. This documentation is useful in two ways: it demonstrates a proactive program review process, and it generates the revision history that examiners look for when they review your procedures.
Quarterly: Review transaction monitoring alert metrics — alert volume, disposition breakdown, SAR conversion rate, average days from alert to disposition. Tune monitoring scenarios if the metrics suggest coverage gaps or noise issues. Document the tuning decision, the rationale, and the expected outcome. Monitoring systems that haven't been reviewed or adjusted in 18+ months are a consistent examination concern.
Annually: Update the BSA/AML risk assessment against current customer base and product profile. The risk assessment is a living document — an institution that grew its money services business portfolio in year three but still has a risk assessment written when that portfolio was minimal is carrying a material documentation gap.
What to Have Ready When the Examiner Arrives
The documentation package that examiners typically request at the start of a BSA examination is well known: current BSA policies and procedures, risk assessment, independent audit reports, training records, transaction monitoring system documentation, and SAR filing logs. Having these documents ready is necessary but not sufficient.
What distinguishes a strong examination response from an adequate one is the narrative thread connecting the documents: can you explain how the risk assessment informed the transaction monitoring configuration, how the independent audit's findings drove specific procedure updates, and how training was adjusted to address gaps identified in the audit? Examiners are looking for a program that demonstrates consistent, documented thinking — not a collection of documents that happen to exist.
We're not suggesting that the relationship between your risk assessment, monitoring system, and procedures needs to be formally documented in a meta-document. But if the compliance team can't describe that relationship coherently in an examiner interview, the documentation itself will be scrutinized more closely. The program documentation and the program logic should tell the same story.
The FinCEN Priorities and What They Mean for Your Program
FinCEN's 2021 publication of national AML/CFT priorities — the first such publication under the AMLA — formally established eight priority areas: corruption, cybercrime, foreign and domestic terrorist financing, fraud, transnational criminal organization activity, drug trafficking, human trafficking, and proliferation financing. Institutions are now expected to incorporate these priorities into their risk assessments and, where relevant, their BSA program design.
The practical implication for most community banks: the priorities don't require all eight areas to be active program elements. They require a documented analysis of which priorities are relevant to your institution's risk profile and why. A community bank with a locally focused retail deposit business has minimal transnational criminal organization or proliferation financing exposure — but it needs to document that analysis, not just assert it. Examiner findings in this area are not about whether a bank has an active proliferation financing risk; they're about whether the institution has thought through the priorities matrix and documented its reasoning.