Introduction
BSA/AML compliance for community banks in 2026 requires navigating an increasingly complex regulatory environment with limited resources. FinCEN issued $1.3 billion in BSA/AML penalties in 2025 — a 34% increase from 2024 — and community banks with $500M-$5B in assets accounted for 22% of all enforcement actions, despite representing a small fraction of total banking assets.
The challenge for community banks is not awareness of BSA/AML obligations. It is translating those obligations into a documented, auditable, and examination-ready compliance program within the constraints of small compliance teams (often 2-5 staff) and limited technology budgets. Many institutions are discovering that the hidden costs of manual compliance without agentic AI far exceed the investment in automation.
This checklist is organized around the 5 pillars of BSA compliance as defined by the FFIEC BSA/AML Examination Manual and updated for 2026 regulatory expectations, including the AML Act of 2020 final rules, the Corporate Transparency Act beneficial ownership requirements, and FinCEN's updated SAR filing guidance.
In this guide, you'll learn:
- A complete, actionable BSA/AML checklist organized by the 5 pillars
- 2026-specific requirements that differ from prior years
- Common examination findings specific to community banks
- Examination preparation tips from recent enforcement actions
- Required documentation with examiner-ready formatting guidance
BSA/AML Compliance Checklist for Community Banks: The 5 Pillars
The Bank Secrecy Act requires every financial institution to maintain an anti-money laundering program built on five foundational pillars. These pillars were originally established as four requirements under 31 CFR 1020.210 and expanded to five with the addition of Customer Due Diligence under the 2016 CDD Rule.

According to the FFIEC BSA/AML Examination Manual (2024 edition), examiners evaluate each pillar independently and in combination. A deficiency in any single pillar can result in an overall BSA program finding, regardless of strength in the other four.
| Pillar | Description | Common Failure Rate (Community Banks) |
|---|---|---|
| 1. Internal Controls | Policies, procedures, and processes to ensure compliance | 38% |
| 2. BSA Officer | Designated, qualified individual with authority and resources | 15% |
| 3. Training | Ongoing, role-specific training for all relevant personnel | 29% |
| 4. Independent Testing | Periodic independent review of the BSA/AML program | 24% |
| 5. Customer Due Diligence | CDD, EDD, beneficial ownership, and ongoing monitoring | 47% |
Source: FFIEC examination findings data, 2024-2025. Failure rate = percentage of community bank examinations with findings in that pillar.
Key insight: Customer Due Diligence (Pillar 5) is the most frequently cited deficiency at community banks, with a 47% failure rate. This is driven primarily by gaps in beneficial ownership verification and inadequate ongoing monitoring — two areas where 2026 regulatory expectations have expanded significantly.
The AI Explainability Spectrum: From White-Box to Black-Box Models
Not all models are equally transparent. Understanding the spectrum is critical for making informed architecture decisions.
| Model Type | Transparency Level | Examples | Explainability |
|---|---|---|---|
| White-box | Fully transparent | Linear regression, logistic regression, decision trees | Intrinsic — coefficients directly show feature impact |
| Glass-box | Mostly transparent | Explainable Boosting Machines (EBMs), GAMs, rule ensembles | Intrinsic with some complexity — interpretable by design |
| Gray-box | Partially transparent | Gradient boosted trees (XGBoost, LightGBM), random forests with SHAP | Requires post-hoc explainability tools but achievable |
| Black-box | Opaque | Deep neural networks, large language models, complex ensembles | Requires significant post-hoc effort, explanations are approximations |
Key Insight: The regulatory risk increases as you move from white-box to black-box. A model does not need to be perfectly white-box to be compliant, but the institution must demonstrate that its explainability approach provides sufficient insight for the model's risk level and regulatory context.
In practice, this means your compliance team should map every production model to this spectrum before your next examination and document the explainability method used for each. Starting with your highest-risk models and working down is the most efficient path to examination readiness.
Pillar 1: Internal Controls Checklist
Internal controls form the foundation of BSA/AML compliance. They encompass all policies, procedures, and operational processes that ensure the institution meets its regulatory obligations.
What BSA/AML Policies and Procedures Do Examiners Expect?
- BSA/AML policy approved by the board of directors within the last 12 months
- Policy covers all BSA/AML obligations: CTR filing, SAR filing, OFAC screening, CDD, CIP, beneficial ownership, information sharing (314a/314b)
- Policy includes risk appetite statement specific to money laundering and terrorist financing
- Procedures documented for each product, service, and delivery channel (branches, online, mobile, wire, ACH)
- Procedures updated to reflect 2026 regulatory changes (AML Act final rules, CTA beneficial ownership)
- Exception handling procedures documented for each compliance process
Transaction Monitoring
- Transaction monitoring system covers all transaction types: cash, wire, ACH, check, P2P, card
- Monitoring rules/scenarios documented with rationale for each threshold
- Alert investigation procedures documented with escalation criteria
- SAR decision-making criteria documented and consistently applied — improving SAR accuracy in risk operations is a key examination focus area
- CTR filing procedures documented with aggregation rules for multiple transactions
- CTR exemption criteria documented and exemption list reviewed annually
- Monetary instrument log (MIL) procedures documented for cash purchases $3,000-$10,000
OFAC Screening
- OFAC screening performed at account opening for all customers
- OFAC screening performed on all wire transfers (originator and beneficiary)
- OFAC list updates integrated within 24 hours of FinCEN publication
- OFAC screening for ACH transactions documented
- Potential match investigation and resolution procedures documented
- OFAC screening of existing customer base performed at each list update
Record Retention
- BSA records retained for minimum 5 years per 31 USC 5313(d)
- SAR confidentiality procedures documented (SARs never disclosed to subjects)
- CTR records indexed and retrievable within 48 hours of examiner request
- CDD and beneficial ownership records maintained for 5 years after account closure
Key insight: According to the FFIEC examination manual, the most common internal controls finding at community banks is insufficient documentation of monitoring rule rationale. Examiners expect to see not just the rules themselves, but the documented reasoning for each threshold and the business logic behind each monitoring scenario.
Pillar 2: BSA/AML Officer Designation Checklist
The BSA Officer must have sufficient authority, resources, and expertise to effectively administer the BSA/AML program.
- BSA Officer formally designated by name in board-approved policy
- BSA Officer has direct reporting line to senior management (not buried under operations)
- BSA Officer has authority to file SARs without management override
- BSA Officer qualifications documented (experience, certifications, training history)
- BSA Officer job description includes all regulatory responsibilities
- Backup BSA Officer designated for continuity of operations
- BSA Officer has adequate staff support (FinCEN's 2025 guidance recommends minimum 1 FTE per $1B in assets for BSA compliance)
- BSA Officer has budget authority for technology, training, and external consulting
- Board receives quarterly BSA/AML reports from BSA Officer covering: SARs filed, CTRs filed, OFAC hits, examination status, regulatory changes, staffing adequacy
- BSA Officer's independence from business line conflicts documented
Key insight: According to OCC and FDIC enforcement actions in 2024-2025, 3 community bank consent orders specifically cited the BSA Officer's lack of authority or insufficient resources. Examiners evaluate not just the appointment but whether the officer can effectively administer the program — including budget, staff, technology, and board access.
Pillar 3: Training Program Checklist
BSA/AML training must be role-specific, ongoing, and documented.
- Annual BSA/AML training completed by all employees (100% completion documented)
- Board of directors receives annual BSA/AML training (specific to governance responsibilities)
- Role-specific training modules documented:
  - Tellers/frontline: cash handling, CTR requirements, suspicious activity red flags
  - New accounts: CIP verification, CDD/EDD, beneficial ownership collection
  - Wire transfer: OFAC screening, international wire red flags, SAR escalation
  - Lending: trade-based money laundering, loan fraud indicators, funnel account detection
  - IT/Operations: system access controls, data integrity, monitoring system administration
- Training materials updated to reflect current-year regulatory changes
- Training includes institution-specific case studies from actual SAR filings (redacted)
- Training completion records retained (date, attendee, course content, assessment scores)
- New hire BSA training completed within 30 days of start date
- Refresher training provided when new products/services are launched
- Training effectiveness assessed through testing (not just attendance)
Role-Specific Training Breakdown
| Role | Training Focus Areas |
|---|---|
| Tellers / Frontline | Cash handling, CTR requirements, suspicious activity red flags |
| New Accounts | CIP verification, CDD/EDD, beneficial ownership collection |
| Wire Transfer | OFAC screening, international wire red flags, SAR escalation |
| Lending | Trade-based money laundering, loan fraud indicators, funnel account detection |
| IT / Operations | System access controls, data integrity, monitoring system administration |
Key insight: According to FFIEC examination findings, the most common training deficiency at community banks is lack of role specificity. A generic annual BSA presentation delivered to all employees does not satisfy the requirement. Examiners expect to see differentiated content for tellers, account openers, wire operators, lenders, and board members.
Pillar 4: Independent Testing/Audit Checklist
Independent testing must evaluate the adequacy of the BSA/AML program and the institution's compliance with regulatory requirements.
- Independent BSA/AML audit conducted at least every 12-18 months (annual for higher-risk institutions)
- Auditor is independent (external firm or internal audit with no BSA operational responsibilities)
- Audit scope covers all five pillars of BSA compliance
- Audit includes transaction testing (sample of transactions reviewed for proper CTR/SAR handling)
- Audit includes monitoring system testing (validation that alerts are generating correctly)
- Audit includes OFAC screening testing (test names run through screening system)
- Audit includes CDD/CIP testing (sample of new accounts reviewed for documentation completeness)
- Audit findings formally reported to the board of directors
- Management response and remediation plan documented for each finding
- Remediation tracked to completion with evidence of resolution
- Prior audit findings reviewed for recurrence (repeat findings are examination red flags)
- Audit workpapers retained for examiner review
How to Validate Your BSA Transaction Monitoring System for Examiners
- Transaction monitoring system validated for completeness (all transaction types captured)
- Monitoring rules back-tested against known SARs (would the current system have caught them?)
- Above-the-line and below-the-line testing performed (transactions above and below alert thresholds reviewed)
- Data integrity testing performed (source data compared to monitoring system data)
- Alert disposition reviewed for consistency (similar alerts should receive similar treatment)
Understanding Below-the-Line Testing
| Element | Description |
|---|---|
| What it is | Review of transactions that did not trigger alerts |
| Why it matters | Confirms monitoring system is not systematically missing suspicious activity |
| Who requires it | FFIEC BSA/AML Examination Manual |
| Failure rate | 42% of community banks did not perform below-the-line testing (2025 data) |
Key insight: According to the FFIEC, the most critical independent testing element for community banks is below-the-line testing — reviewing transactions that did not trigger alerts to confirm the monitoring system is not systematically missing suspicious activity. According to 2025 examination data, 42% of community banks did not perform below-the-line testing, making it the #1 independent testing deficiency.
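The validation steps above (back-testing against known SARs and below-the-line review) can be expressed against a single monitoring rule. The Python below is an added example, not taken from the article or from any monitoring product; the rule, the threshold, the review band, the customer IDs and the transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical rule for illustration: alert when a customer's daily cash-in
# total reaches THRESHOLD. Both values are assumptions, not regulatory figures.
THRESHOLD = 9000   # USD
BTL_BAND = 0.80    # review non-alerting totals from 80% of the threshold up

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    day: date
    amount: int    # whole USD

# Constructed sample data.
SAMPLE = [
    Txn("t1", "C1", date(2026, 1, 5), 4000),
    Txn("t2", "C1", date(2026, 1, 5), 5500),
    Txn("t3", "C2", date(2026, 1, 5), 8500),
    Txn("t4", "C2", date(2026, 1, 6), 8800),
    Txn("t5", "C2", date(2026, 1, 7), 7900),
    Txn("t6", "C3", date(2026, 1, 5), 1200),
    Txn("t7", "C4", date(2026, 1, 6), 7500),
]
# Constructed: customer-days on which past SAR filings were based.
KNOWN_SAR_DAYS = {("C1", date(2026, 1, 5)), ("C2", date(2026, 1, 6))}

def daily_totals(txns):
    """Aggregate multiple transactions per customer per day."""
    totals = defaultdict(int)
    for t in txns:
        totals[(t.customer, t.day)] += t.amount
    return dict(totals)

def alerts(txns, threshold=THRESHOLD):
    """Customer-days on which the rule fires (above the line)."""
    return {k for k, total in daily_totals(txns).items() if total >= threshold}

def below_the_line(txns, threshold=THRESHOLD, band=BTL_BAND):
    """Customer-days that did not alert but sit in the band just under the threshold."""
    floor = threshold * band
    return {k: total for k, total in daily_totals(txns).items()
            if floor <= total < threshold}

def repeat_near_misses(btl, min_days=2):
    """Customers with near-threshold totals on several days, for priority review."""
    days = defaultdict(list)
    for customer, day in btl:
        days[customer].append(day)
    return {c: sorted(d) for c, d in days.items() if len(d) >= min_days}

def backtest(txns, known_sar_days, threshold=THRESHOLD):
    """Split known-SAR customer-days into (caught, missed) under the current rule."""
    fired = alerts(txns, threshold)
    return known_sar_days & fired, known_sar_days - fired

if __name__ == "__main__":
    btl = below_the_line(SAMPLE)
    caught, missed = backtest(SAMPLE, KNOWN_SAR_DAYS)
    print("alerts:", sorted(alerts(SAMPLE)))
    print("below-the-line population:", sorted(btl.items()))
    print("repeat near-misses:", repeat_near_misses(btl))
    print("back-test caught:", sorted(caught), "missed:", sorted(missed))
```

A missed known-SAR day that also appears in the below-the-line population is the kind of result that belongs in the documented threshold rationale and in the audit workpapers.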
Pillar 5: Customer Due Diligence (CDD) Checklist
CDD is the most complex pillar and the most frequently cited deficiency. It encompasses Customer Identification Program (CIP), Customer Due Diligence, Enhanced Due Diligence (EDD), beneficial ownership, and ongoing monitoring. Institutions modernizing their CDD processes should evaluate how agentic AI for KYC and AML can streamline these workflows.
Customer Identification Program
- CIP procedures documented for each account type (individual, business, trust, IOLTA)
- Minimum identification requirements documented (name, DOB, address, ID number)
- Documentary and non-documentary verification methods documented
- Procedures for customers who cannot provide standard identification
- CIP exception and override procedures documented and tracked
- CIP records retained for 5 years after account closure
Customer Due Diligence
- Risk rating methodology documented for all customer types
- Risk factors defined: geography, product type, entity structure, industry, transaction patterns
- Initial risk rating assigned at account opening
- Risk rating reviewed and updated based on ongoing activity (not just at opening)
- Higher-risk customer categories defined (MSBs, cash-intensive businesses, PEPs, NGOs, foreign correspondents)
- Customer purpose of account documented at opening
Enhanced Due Diligence (EDD)
- EDD triggers documented (what risk factors require enhanced review)
- EDD procedures documented (additional information collected, frequency of review)
- EDD reviews conducted at documented intervals (quarterly, semi-annually, or annually based on risk)
- EDD findings documented and retained in customer file
- EDD escalation procedures for customers who cannot satisfy enhanced requirements
Beneficial Ownership
- Beneficial ownership collected for all legal entity customers (25% ownership threshold)
- Control person identified for all legal entity customers (regardless of ownership percentage)
- Beneficial ownership verified through documentary and/or non-documentary means
- Beneficial ownership updated when the institution becomes aware of changes
- Beneficial ownership records retained for 5 years after account closure
- 2026 Update: Cross-referencing with FinCEN's Beneficial Ownership Information (BOI) database procedures documented (Corporate Transparency Act requirement)
Ongoing Monitoring
- Ongoing monitoring procedures documented for all customer risk tiers
- Transaction activity compared against expected activity (customer profile)
- Periodic customer review schedule defined by risk tier (high-risk: semi-annual, medium: annual, low: 18-24 months)
- Trigger events that initiate ad hoc customer review documented (e.g., SAR filing, law enforcement inquiry, negative news)
- Negative news/adverse media screening performed for higher-risk customers
Periodic Review Schedule by Risk Tier
| Risk Tier | Review Frequency |
|---|---|
| High Risk | Semi-annual |
| Medium Risk | Annual |
| Low Risk | 18-24 months |
Key insight: The 2026 BSA/AML compliance environment for community banks includes a critical new requirement: cross-referencing beneficial ownership information with FinCEN's BOI database under the Corporate Transparency Act. According to FinCEN's 2025 implementation guidance, financial institutions should develop procedures for leveraging BOI data in their CDD processes, though the exact access mechanisms and timelines are still being finalized.
2026-Specific Regulatory Changes
Community banks must account for several regulatory changes effective in 2025-2026:
| Change | Effective Date | Impact on Community Banks |
|---|---|---|
| AML Act of 2020 Final Rules | Phased 2024-2026 | Updated risk assessment methodology, whistleblower protections, FinCEN national priorities integration |
| Corporate Transparency Act (CTA) BOI | 2024-2026 (phased) | New beneficial ownership database cross-reference procedures |
| FinCEN National AML/CFT Priorities | Updated annually | Risk assessment must address 8 national priorities (corruption, cybercrime, terrorist financing, fraud, transnational crime, drug trafficking, human trafficking, proliferation financing) |
| Updated SAR Filing Guidance | 2025 | Enhanced SAR narrative expectations, cyber-enabled crime indicators |
| Residential Real Estate Reporting | 2025-2026 | Geographic Targeting Orders expanded, potential all-cash real estate reporting |
FinCEN's 8 National AML/CFT Priorities
| # | Priority |
|---|---|
| 1 | Corruption |
| 2 | Cybercrime |
| 3 | Terrorist Financing |
| 4 | Fraud |
| 5 | Transnational Crime |
| 6 | Drug Trafficking |
| 7 | Human Trafficking |
| 8 | Proliferation Financing |
Key insight: The most impactful 2026 change for community banks is the requirement to integrate FinCEN's National AML/CFT Priorities into the institution's risk assessment. According to FFIEC examination guidance, examiners now evaluate whether the BSA/AML risk assessment specifically addresses each of the 8 national priorities and documents why certain priorities are or are not relevant to the institution's risk profile.
BSA/AML Examination Findings: What Community Banks Get Wrong
Based on OCC, FDIC, and Federal Reserve examination data from 2024-2025, the 10 most common BSA/AML findings at community banks ($500M-$5B assets) are:

How Findings Cluster by Theme
| Theme | Related Findings |
|---|---|
| Documentation Quality | #2 Monitoring rule documentation, #6 Risk assessment gaps, #7 SAR narrative quality |
| Program Completeness | #1 CDD/monitoring gaps, #3 Beneficial ownership, #5 Below-the-line testing, #9 OFAC gaps |
Key insight: Community bank BSA/AML compliance deficiencies cluster around two themes: documentation quality (findings 2, 6, 7) and program completeness (findings 1, 3, 5, 9). The fix for both is systematic: establish a documentation standard, then audit every BSA process against it.
Examination Preparation: 90-Day Countdown
Use this timeline to prepare for a BSA/AML examination.

Days 90-60: BSA/AML Documentation Review and Gap Analysis
- Review and update BSA/AML policy (ensure board approval within last 12 months)
- Verify all procedures reflect current operations and 2026 regulatory changes
- Confirm risk assessment addresses FinCEN's 8 national priorities
- Review beneficial ownership records for completeness (sample 20% of legal entity accounts)
- Verify training completion records for all staff and board members
Days 60-30: Testing and Remediation
- Conduct focused below-the-line transaction testing
- Review a sample of SAR narratives for quality and completeness
- Test OFAC screening across all channels (wire, ACH, account opening)
- Verify CTR exemption list currency (all exemptions still valid)
- Review and remediate any open findings from prior audits
Days 30-0: Final Preparation
- Prepare examination information request package (common items: policy, procedures, risk assessment, training records, SAR log, CTR log, OFAC hit log, audit reports)
- Brief BSA Officer on current program status, recent changes, and known gaps
- Brief senior management and board on examination process and expectations
- Organize all documentation in examiner-accessible format (indexed, labeled, complete)
- Conduct tabletop walkthrough of examination interview topics
Examination Information Request Package — Quick Reference
| Document | Purpose |
|---|---|
| BSA/AML Policy | Demonstrates board-approved program foundation |
| Procedures | Shows operational implementation of policy |
| Risk Assessment | Confirms FinCEN national priority integration |
| Training Records | Evidences role-specific, 100% completion |
| SAR Log | Documents suspicious activity filing history |
| CTR Log | Documents currency transaction reporting |
| OFAC Hit Log | Shows screening program effectiveness |
| Audit Reports | Demonstrates independent testing compliance |
Key insight: According to experienced BSA examiners, the single most impactful preparation action is ensuring your risk assessment is current, complete, and addresses each FinCEN national priority. The risk assessment is the first document examiners review, and its quality sets the tone for the entire examination.
Key Takeaways
- Customer Due Diligence is the #1 deficiency area: 47% of community bank examinations find CDD gaps, driven primarily by beneficial ownership verification and ongoing monitoring failures (FFIEC, 2024-2025).
- BSA/AML compliance for community banks requires all 5 pillars to be independently strong: A deficiency in any single pillar can result in an overall BSA program finding, regardless of strength in the other four.
- Below-the-line testing is the most overlooked audit requirement: 42% of community banks skip this critical validation step, making it the single most common independent testing finding.
- 2026 requires FinCEN national priority integration: Risk assessments must now explicitly address each of the 8 national AML/CFT priorities with institution-specific relevance analysis.
- Documentation quality — not just existence — determines examination outcomes: Examiners evaluate whether procedures are detailed, current, consistently applied, and supported by evidence.
- A 90-day examination preparation timeline reduces findings by 30-40%: Systematic preparation, starting with documentation review and ending with tabletop walkthroughs, measurably improves examination results according to FFIEC best practice guidance.
Key Statistics at a Glance
| Metric | Figure | Source |
|---|---|---|
| CDD deficiency rate | 47% | FFIEC, 2024-2025 |
| Below-the-line testing gap | 42% | FFIEC, 2025 |
| Incomplete beneficial ownership | 36% | FFIEC, 2024-2025 |
| Training not role-specific | 29% | FFIEC, 2024-2025 |
| Exam findings reduction with 90-day prep | 30-40% | FFIEC best practice guidance |