I’ve spent more than two decades working inside financial institutions and alongside them—as a banker, a BSA officer, an auditor, and an advisor. I’ve supported institutions preparing for exams, responding to findings, and, in some cases, working under regulatory enforcement.
What I’ve learned is this: Most BSA/AML exam challenges don’t stem from neglect. They stem from assumptions.
Passing the Last Exam Doesn’t Equal Readiness
One of the most common assumptions I encounter is, “We passed our last exam, so our program must be sound.”
Examiners don’t see it that way.
BSA/AML exams evaluate whether your program reflects your current risk profile, not whether it met expectations years ago. Changes in payment channels, fraud patterns, staffing, and technology all matter—and examiners expect your controls to evolve accordingly.
A program that hasn’t materially changed can be just as concerning as one that’s clearly deficient.
Compliance on Paper Is Not the Same as Compliance in Practice
Many institutions rely on independent testing that technically checks the box—but stops short of assessing program effectiveness.
I’ve seen reviews that confirm policies exist but don’t examine:
- Whether alert parameters make sense
- Whether case management is effective
- Whether staffing and technology align with transaction volume and risk
When testing focuses only on whether a requirement is met—not whether it works—institutions are often surprised when examiners dig deeper. They are even more surprised when examiners find concerns.
Board Oversight Requires More Than Metrics
Boards and executive teams are ultimately accountable for BSA/AML oversight. Yet many receive reporting that focuses on activity rather than insight.
Examiners increasingly expect Boards to understand:
- Where the program is strained
- Whether risks are being escalated appropriately
- Whether manual processes are creating operational or compliance exposure
- How management is addressing known gaps
If the Board cannot clearly explain how leadership knows the program is effective, that gap often becomes an exam issue.
Independent Testing Should Help You See Around Corners
Independent BSA/AML testing is one of the most valuable tools an institution has—if it’s used strategically.
When properly scoped, testing should:
- Identify vulnerabilities before regulators do
- Evaluate staffing, technology, and governance—not just documentation
- Provide clarity on root causes, not surface‑level observations
Too often, institutions treat testing as a cost to minimize rather than a safeguard to leverage. When handled properly, testing is an early warning indicator that prevents smoke from becoming fire.
Exams Don’t Create Problems — They Reveal Them
In my career, I’ve frequently been brought in after regulators identified significant issues. In those cases, the challenges rarely appeared overnight. They developed gradually—through staffing constraints, outdated processes, or a lack of visibility at the leadership level.
The goal isn’t simply to pass the exam. The goal is to understand your risk well enough that the exam holds no surprises.
A Final Thought
If your institution has an upcoming exam—or if it’s been some time since your BSA/AML program was evaluated through a truly risk‑based lens—it may be time to step back and reassess.
A proactive conversation can surface issues early, strengthen governance, and position your institution with confidence before regulators arrive.
If you’d like to talk through your BSA/AML program, exam readiness, or governance structure, I invite you to schedule a strategy call with me.