What triggers a regulatory exam?
Quick answer
Regulatory exams are triggered by three things: scheduled examination cycles, risk-based selection criteria, and event-driven signals from regulators or law enforcement. Community banks typically face routine exams every 12 to 18 months. Banks with CAMELS ratings of 3, 4, or 5 face more frequent examination under the FFIEC framework.
The full answer
Regulatory exams come from three directions: scheduled cycles, risk-based criteria, and specific triggering events. All three operate simultaneously, and any of them can pull the next exam forward.
Scheduled examination cycles
Most community banks face safety and soundness exams at least every 12 months. Those with CAMELS ratings of 1 or 2 may qualify for an 18-month cycle under Dodd-Frank amendments to FDICIA. BSA/AML compliance exams follow the same schedule, governed by the FFIEC BSA/AML Examination Manual.
For large national banks, the OCC maintains continuous on-site presence. The question there isn't when the exam starts; it's when a finding escalates in scope or severity.
Risk-based triggers
CAMELS deterioration. The CAMELS rating system (Capital adequacy, Asset quality, Management, Earnings, Liquidity, Sensitivity to market risk) is the primary scheduling input for all federal bank regulators. A rating of 3 places a bank in the "fair" tier with heightened supervisory attention. Ratings of 4 or 5 trigger near-continuous oversight and frequently precede formal enforcement actions.
Prior exam findings. MRAs don't age out quietly. If the bank's remediation response is inadequate or behind schedule, examiners return before the next routine cycle. A pattern of repeat MRAs on the same issue is one of the most reliable signals that a formal enforcement action is being considered.
Program-scope gaps. Banks that launch new products, enter new markets, or complete acquisitions without updating their AML programs are creating exam risk. Under FATF's risk-based approach, institutions are expected to identify new risks before regulators do. Failing to do so is itself a finding.
Event-driven triggers
SAR and CTR filing anomalies. Regulators see filing data in near real-time through FinCEN's BSA database. A sudden spike, a drop relative to transaction volume, or a pattern of late filings all flag the program for review. The penalties for a missed CTR start at $25,000 per violation, and regulators often identify the pattern before the bank's own compliance team does.
Law enforcement referrals. When the DOJ, FBI, or IRS Criminal Investigation is working a case that touches the bank's customer base, they share intelligence with prudential regulators. There's no mandated timeline, but targeted reviews commonly follow within months of a referral.
FATF grey list exposure. Banks with significant transaction volumes involving customers or counterparties in grey-listed jurisdictions are high-priority targets for BSA reviews. Grey-listing signals that deficiencies have been identified in a country's AML framework, which raises examiner expectations for the bank's own compensating controls.
Industry sweeps. A large enforcement action in a specific product or business line often triggers exams across comparable institutions. Following the $1.92 billion HSBC deferred prosecution agreement in 2012, several banks with similar correspondent banking profiles received targeted BSA exams. The OCC's Comptroller's Handbook on Large Bank Supervision describes how examiners scope these risk-based reviews.
Certification failures. New York's Department of Financial Services added a structural trigger through Part 504 (3 NYCRR Part 504): regulated institutions must certify annually that their transaction monitoring and watch-list filtering programs meet specific standards. A material gap in that certification can accelerate an exam independently of the routine schedule.
Negative press. No formal rule requires regulators to respond to media coverage. But significant allegations of misconduct in the Financial Times, Wall Street Journal, or Reuters reliably precede informal supervisory outreach, usually within weeks.
Why this matters
The scheduled cycle is the minimum. Every item in the risk-based and event-driven categories above is a mechanism that can pull the next exam forward by months or years. Most compliance failures aren't about ignoring the routine cycle; they're about missing the signals that accelerate it.
Three things compliance teams can control directly:
Monitor your own filing data. The SAR rates, CTR timeliness, and CDD completeness that examiners will scrutinize are visible to you now. If transaction monitoring is generating an unusually high proportion of alerts that clear without escalation, that's worth investigating internally before examiners raise the question. AI-driven monitoring systems can surface these patterns substantially earlier than manual review processes.
Document prior-findings remediation. Every MRA from the last exam needs a written remediation plan, regular status updates, and a documented close-out with evidence. Examiners who see a well-maintained remediation tracker are far less likely to escalate exam scope. Verbal assurances that something has been "fixed" don't survive an exam.
Get ahead of business changes. If you've launched a new product line or entered a new geography, run an internal AML risk assessment and update the program before the exam arrives. Under the FATF Recommendations, adopted as law or regulatory guidance across more than 200 jurisdictions, the onus is on the institution to identify and mitigate new risks proactively. See Recommendation 1 and Recommendation 11 for the specific record-keeping and risk-assessment obligations.