Compliance Audit Checklist: Preparing for FinCEN
Complete BSA/AML compliance audit checklist for US financial institutions. Steps, required documents, and best practices for passing FinCEN, OCC

Regulatory examinations by the OCC, FDIC, Federal Reserve, or state banking departments are not random disruptions; they are structured assessments of whether your institution has built and maintained a compliant Bank Secrecy Act (BSA) and anti-money laundering (AML) program. Failing one carries significant consequences: civil money penalties reaching up to $1 million per violation, consent orders, reputational damage, and in egregious cases, criminal referrals.
For compliance officers at US banks, credit unions, and money services businesses (MSBs), preparation is the single most decisive factor in examination outcomes. This guide provides a comprehensive compliance audit checklist grounded in the FFIEC BSA/AML Examination Manual, the Bank Secrecy Act (31 U.S.C. § 5311 et seq.), and current FinCEN regulations (31 C.F.R. Part 1010).
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance professional for guidance specific to your institution.
What Is a Compliance Audit Under BSA/AML?
A BSA/AML compliance audit is a formal, independent review that assesses whether a financial institution's compliance program meets the requirements set by federal law and FinCEN regulations. Examiners evaluate whether the institution's policies, procedures, internal controls, and personnel training are adequate to detect, prevent, and report suspicious financial activity.
The legal foundation rests on the Bank Secrecy Act and its implementing rules, reinforced by the USA PATRIOT Act (31 U.S.C. § 5318), which expanded customer identification requirements and correspondent banking controls. The FinCEN CDD Final Rule (31 C.F.R. § 1010.230), effective May 2018, added a fifth pillar to the BSA compliance framework: beneficial ownership identification and verification for legal entity customers.
Federal regulators (OCC for national banks, FDIC for state non-member banks, the Federal Reserve for state member banks and bank holding companies, and NCUA for credit unions) conduct these examinations using the FFIEC BSA/AML Examination Manual as their primary guide. State-chartered MSBs are additionally subject to state banking department oversight and FinCEN registration requirements.
The Three Phases of a US Bank Examination
US bank examinations follow a structured three-phase process. Understanding each phase allows your compliance team to prepare targeted responses rather than scrambling reactively.
Phase 1: Pre-examination planning. Examiners issue a document request list (DRL) weeks before the examination begins. This list typically requests your written BSA/AML policy, risk assessment, training records, independent audit reports, board minutes approving the program, and transaction monitoring system documentation. Institutions that respond completely and promptly signal operational maturity.
Phase 2: On-site examination. Examiners conduct transaction testing, review Currency Transaction Report (CTR) filings and Suspicious Activity Report (SAR) narratives, interview compliance staff and senior management, and assess your Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) files. They will test whether your controls match your written policies.
Phase 3: Exit meeting and findings. Examiners share preliminary findings. Institutions have an opportunity to provide additional documentation or clarification before the formal examination report is issued. Significant deficiencies may result in Matters Requiring Attention (MRAs), memoranda of understanding, or civil money penalties.
The Compliance Audit Checklist: Core Components
The five pillars of BSA compliance, each required by regulation, provide the organizing framework for any examination-ready program. The table below maps each pillar to its primary regulatory citation and the documentation examiners will expect to review.
| Compliance Area | Regulatory Authority | Key Documentation Required |
|---|---|---|
| Internal controls | 31 C.F.R. § 1020.210; FFIEC Manual | Written BSA/AML policy; board-approved program; procedures manual |
| Independent audit function | 31 U.S.C. § 5318(h) | Annual BSA audit report; auditor qualifications; remediation tracking |
| Designated BSA Officer | 31 C.F.R. § 1020.210(a)(1) | Appointment letter; job description; reporting line documentation |
| Ongoing employee training | 31 C.F.R. § 1020.210 | Training logs; curriculum materials; new-hire and annual completion records |
| Customer Due Diligence (CDD) | 31 C.F.R. § 1010.230 (CDD Final Rule) | CIP procedures; beneficial ownership forms; EDD policies for high-risk customers |
| CTR filing | 31 C.F.R. § 1010.311 | CTR filings for cash transactions over $10,000; exemption documentation |
| SAR filing | 31 U.S.C. § 5318(g); 31 C.F.R. § 1020.320 | SAR filings; 90-day review process; non-disclosure controls |
| OFAC screening | Executive Order 13224; 31 C.F.R. Part 501 | OFAC screening procedures; match disposition records; blocked funds documentation |
| Risk assessment | FFIEC BSA/AML Manual | Enterprise-wide risk assessment; product/service/geography/customer risk scoring |
For institutions using automated document verification platforms, examiners will also review system validation records, vendor due diligence files, and any model risk management documentation associated with your transaction monitoring or CDD tools. CheckFile.ai's solutions support verification workflows that generate the structured audit trails examiners expect at each stage of the CDD and EDD process.
How to Prepare for a BSA/AML Examination
Preparation begins not when the DRL arrives, but continuously throughout the examination cycle. The most exam-ready institutions treat internal audit findings as dress rehearsals and remediate deficiencies before examiners discover them.
Step 1: Conduct a pre-examination gap analysis. Map your current program against the FFIEC BSA/AML Examination Manual's core review components. Identify where policies have not been updated to reflect regulatory changes (such as the Anti-Money Laundering Act of 2020), where transaction monitoring thresholds have not been tuned, or where CDD files have documentation gaps.
Step 2: Update and stress-test your risk assessment. Your enterprise-wide BSA/AML risk assessment must reflect your current product mix, customer segments, geographic footprint, and delivery channels. Examiners scrutinize whether your risk assessment drives your controls: if you rate MSB customers as high-risk but apply standard CDD, that inconsistency is a finding.
Step 3: Audit your CTR and SAR filings. Pull a sample of cash transactions over $10,000 and verify CTR filings were submitted within 15 calendar days (31 C.F.R. § 1010.311). Review SAR narratives for completeness; examiners read the narratives and assess whether they provide actionable information. Ensure 90-day continuing activity reviews are documented for ongoing suspicious activity.
Step 4: Verify beneficial ownership files. Since the CDD Final Rule, covered financial institutions must collect and verify the identity of beneficial owners who own 25% or more of a legal entity customer, plus one controlling-person certifier. Pull a random sample of legal entity accounts opened after May 11, 2018, and confirm the required certification forms are on file and that ownership information has been verified.
Step 5: Review OFAC screening logs. Your OFAC compliance program must screen customers and transactions against the Specially Designated Nationals (SDN) list and applicable sanctions programs. Confirm your screening system is receiving current list updates, that potential matches are being reviewed and dispositioned within your documented timeframe, and that any blocked transactions are reported to OFAC within ten days.
Step 6: Prepare your BSA Officer for examiner interviews. Examiners routinely interview the designated BSA Compliance Officer to assess their authority, resources, and awareness of the program's current risk profile. Your BSA Officer should be prepared to discuss recent exam findings, ongoing monitoring results, SAR filing volumes, and budget and staffing adequacy.
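As an added example (not CheckFile.ai's code or any regulator's tool), the following Python runs the sample-based tests from Steps 3 and 4 plus an ID-expiry check over constructed records, using the thresholds stated above; the record field names and all sample values are assumptions.

```python
# Added example, not CheckFile.ai code: sample-based tests for Steps 3 and 4 above, using
# the thresholds stated in the text (CTR within 15 calendar days for cash over $10,000;
# owners at 25%+ plus a controlling person for legal entity accounts opened on/after May 11, 2018).
from datetime import date

CTR_THRESHOLD, CTR_DEADLINE_DAYS = 10_000, 15
BO_THRESHOLD_PCT, CDD_RULE_DATE = 25, date(2018, 5, 11)

def ctr_findings(transactions):
    """Ids of reportable cash transactions whose CTR is missing or filed late."""
    out = []
    for tx in transactions:
        if tx["cash_amount"] <= CTR_THRESHOLD:
            continue  # not reportable on its own
        filed = tx["ctr_filed"]
        if filed is None or (filed - tx["date"]).days > CTR_DEADLINE_DAYS:
            out.append(tx["id"])
    return out

def beneficial_ownership_findings(accounts):
    """(account id, issue) pairs for legal entity accounts covered by the CDD Rule."""
    out = []
    for a in accounts:
        if not a["legal_entity"] or a["opened"] < CDD_RULE_DATE:
            continue  # individuals and pre-rule accounts are out of scope here
        cert = a["bo_certification"]
        if cert is None:
            out.append((a["id"], "no beneficial ownership certification"))
            continue
        for o in cert["owners"]:
            if o["pct"] >= BO_THRESHOLD_PCT and not o["verified"]:
                out.append((a["id"], f"owner {o['name']} not verified"))
        if not cert["controlling_person"]:
            out.append((a["id"], "no controlling person certified"))
    return out

def expired_id_findings(accounts, review_date):
    """Ids of accounts whose government ID on file expired before the review date."""
    return [a["id"] for a in accounts if a["id_expires"] < review_date]

# Constructed sample: T2 is filed 21 days late and T4 never; A2 has no certification and
# an expired ID; A4 has an unverified 30% owner and no controlling person; A3 predates the rule.
TRANSACTIONS = [
    {"id": "T1", "date": date(2025, 3, 3), "cash_amount": 12_500, "ctr_filed": date(2025, 3, 10)},
    {"id": "T2", "date": date(2025, 3, 4), "cash_amount": 15_000, "ctr_filed": date(2025, 3, 25)},
    {"id": "T3", "date": date(2025, 3, 5), "cash_amount": 9_800, "ctr_filed": None},
    {"id": "T4", "date": date(2025, 3, 6), "cash_amount": 11_000, "ctr_filed": None},
]
ACCOUNTS = [
    {"id": "A1", "legal_entity": True, "opened": date(2019, 6, 1), "id_expires": date(2027, 1, 1),
     "bo_certification": {"owners": [{"name": "Lee", "pct": 60, "verified": True}], "controlling_person": "Lee"}},
    {"id": "A2", "legal_entity": True, "opened": date(2018, 5, 20), "id_expires": date(2024, 12, 31), "bo_certification": None},
    {"id": "A3", "legal_entity": True, "opened": date(2017, 1, 10), "id_expires": date(2026, 6, 30), "bo_certification": None},
    {"id": "A4", "legal_entity": True, "opened": date(2022, 2, 2), "id_expires": date(2026, 6, 30),
     "bo_certification": {"owners": [{"name": "Ng", "pct": 30, "verified": False}], "controlling_person": None}},
]
```

Each function returns the exceptions an examiner would write up, so the same checks can be re-run on every internal audit cycle rather than once before the DRL arrives.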
A practical starting point for any gap analysis is our compliance risk assessment guide, which details the methodology for scoring and documenting institutional risk before an examiner arrives.
Document Verification: The Most Common Examination Failure Point
Document verification deficiencies consistently generate examination findings. CheckFile.ai's internal analysis of 2,400 verification files shows that 34% of compliance failures occur at the document verification stage: expired documents (18%), uncertified copies (9%), and missing documentation (7%).
These are not exotic failures. They stem from manual processes, decentralized file storage, and the absence of automated checks to flag expiring identification or incomplete CDD packages before they become examination findings.
Examiners will pull CDD files for a sample of high-risk customers and test them against your written procedures. Common gaps include:
- Expired government-issued identification: your procedures may require unexpired ID, but your team accepted a document that expired before or during the review period.
- Missing beneficial ownership certification: particularly common for accounts opened near the CDD Final Rule implementation date.
- Incomplete EDD documentation: for PEPs, high-volume cash businesses, or MSB customers, Enhanced Due Diligence must be documented in the file, not just noted in system logs.
- No ongoing monitoring evidence: CDD is not a one-time event. Examiners look for evidence that you review and refresh customer risk ratings and documentation on a periodic basis.
Platforms like CheckFile.ai automate expiration tracking, flag missing fields in CDD packages, and generate audit logs that directly map to the documentation requirements in the FFIEC BSA/AML Examination Manual. For a broader view of how document verification integrates into your compliance program, see our document verification guide.
Our transparent pricing page outlines the verification volumes and plan options suited to institutions preparing for examination-level documentation standards.
Regulatory Developments 2025–2026: What Examiners Are Focusing On
The regulatory landscape for BSA/AML compliance has shifted materially since the Anti-Money Laundering Act of 2020 (AMLA 2020) was enacted as part of the National Defense Authorization Act. Examiners are increasingly assessing institutions' alignment with these developments, and the table below summarizes the key changes affecting examination preparation.
| Development | Effective/Status | Examination Impact |
|---|---|---|
| AML Act of 2020 (AMLA 2020) | Enacted January 2021; phased implementation | Requires risk-based, innovation-friendly AML programs; FinCEN priorities must be incorporated |
| FinCEN AML/CFT Priorities | Issued June 2021; FFIEC guidance issued 2022 | Institutions must document how national AML/CFT priorities (corruption, cybercrime, drug trafficking, etc.) are reflected in their risk assessments |
| Corporate Transparency Act (CTA) / BOI Reporting | FinCEN BOI database operational 2024 | Financial institutions may ultimately access BOI database; exam focus on CDD rule alignment |
| OFAC Russia/Belarus sanctions expansion | Ongoing 2022–2026 | Screening programs must reflect current SDN and sectoral sanctions; examiners testing screening coverage |
| FinCEN SAR Modernization | Rulemaking ongoing | New SAR XML format and FinCEN filing system; institutions must ensure system compatibility |
| FFIEC BSA/AML Manual updates | Updated 2021–2024 | Examiners applying current manual; prior-cycle programs may contain outdated control language |
The AMLA 2020 introduced a statutory requirement that financial institutions incorporate FinCEN's national AML/CFT priorities into their risk-based programs. The FinCEN priorities document, issued June 30, 2021, identifies eight priority threat areas: corruption, cybercrime, foreign and domestic terrorist financing, fraud, transnational organized crime, drug trafficking, human trafficking, and weapons proliferation financing. Your risk assessment should explicitly reference whether these priorities are relevant to your institution's customer base and product mix.
For OFAC compliance, the OFAC SDN and Consolidated Sanctions List and the OFAC compliance framework guidance published in May 2019 remain the authoritative references for structuring a sanctions compliance program. Examiners assess whether your screening coverage extends beyond the SDN list to include relevant sectoral sanctions, 50% ownership rule analysis, and secondary sanctions risk.
FAQ
What triggers a BSA/AML examination for a US bank?
Federal regulators conduct BSA/AML examinations on a regular supervisory cycle, typically every 12 to 18 months for most institutions, or more frequently following a prior adverse finding. Examinations can also be triggered by elevated SAR volumes, CTR filing anomalies detected by FinCEN, consumer complaints, or interagency referrals. The OCC's examination schedule is risk-based, meaning institutions with weaker BSA programs or higher-risk customer profiles will face more frequent and intensive review.
What are the most common BSA examination deficiencies?
Examiners most frequently cite deficiencies in customer due diligence documentation, inadequate SAR narrative quality, transaction monitoring systems that have not been tuned or validated, outdated risk assessments that do not reflect current business lines, and insufficient ongoing employee training. Beneficial ownership documentation gaps remain prevalent, particularly for accounts opened near the CDD Final Rule implementation date. Our anti-money laundering compliance guide covers the control framework in detail.
How much can civil money penalties reach for BSA violations?
Civil money penalties for BSA violations can reach up to $1 million per day per violation under 31 U.S.C. § 5321. For willful or pattern violations, penalties are calculated on a per-transaction basis and can aggregate to tens or hundreds of millions of dollars. High-profile enforcement actions, including those by FinCEN, OCC, and DOJ, have resulted in penalties exceeding $1 billion for systemic BSA failures at large institutions. Criminal penalties under 31 U.S.C. § 5322 can include imprisonment for individuals.
What documents should I have ready before an examination begins?
When the document request list arrives, you should have the following readily accessible: your current written BSA/AML policy and procedures; your enterprise-wide risk assessment (dated within the past 12 months); the most recent independent BSA audit report and remediation tracking; training logs for all BSA-relevant staff; your BSA Officer's appointment and reporting documentation; CDD and EDD procedures including your beneficial ownership process; OFAC screening procedures and match-review logs; and a sample of CTR and SAR filings from the examination period. Organizing these into a structured compliance binder or document repository before the DRL arrives reduces response time and demonstrates program maturity.
Does the CDD Final Rule apply to all financial institutions?
The CDD Final Rule (31 C.F.R. § 1010.230) applies to covered financial institutions as defined in 31 C.F.R. § 1010.605(e)(1), which includes federally insured banks, federally insured credit unions, mutual savings banks, savings associations, and broker-dealers. It requires these institutions to identify and verify the beneficial owners of legal entity customers at account opening. Money services businesses, certain casinos, and other covered entities have separate FinCEN regulatory requirements but are not subject to the CDD Final Rule's beneficial ownership mandate in the same manner. For the full regulatory text, see the FinCEN CDD Final Rule.
Ready to Examination-Proof Your Document Verification Program?
Regulatory examinations reward institutions that have built compliance programs as permanent infrastructure rather than pre-exam projects. The documentation gaps that generate findings (expired IDs, missing beneficial ownership forms, incomplete EDD files) are preventable with the right processes and tools in place.
CheckFile.ai automates the verification and expiration-tracking workflows that directly address the most common BSA examination failure points. Our platform generates structured audit logs, flags documentation gaps before they reach an examiner, and scales to the verification volumes required by institutions at any tier.
Explore our solutions or review our pricing plans to find the right fit for your institution's examination preparation program.