AML / Fraud Exam-Readiness Self-Assessment

The AML / Fraud Exam-Readiness Self-Assessment is a structured Excel spreadsheet for compliance officers, MLROs, BSA officers, and fraud leads at banks and fintechs. It helps teams score their program maturity across AML and fraud control domains, identify gaps before a regulatory examination, and produce a documented readiness gap analysis they can present to examiners or senior management.

What is the AML / Fraud Exam-Readiness Self-Assessment?

Examiners don't arrive with secret criteria. The OCC, FDIC, Federal Reserve, and FCA all publish their examination frameworks. The FFIEC BSA/AML Examination Manual describes exactly what examiners review: program governance, risk assessment currency, customer due diligence quality, transaction monitoring system effectiveness, SAR filing timeliness and quality, sanctions compliance, and record-keeping. The AML / Fraud Exam-Readiness Self-Assessment maps your program's current state against every one of those categories before an examiner sets foot on your premises.

The spreadsheet gives compliance teams a structured scoring tool: rate each control domain Red, Amber, or Green; identify gaps; assign remediation owners; and track progress to closure. It covers both AML and fraud controls because examiners increasingly treat them as a connected program. Deficiencies in fraud controls appear in Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs) alongside classic BSA/AML findings.

Three FATF recommendations anchor the assessment's structure. FATF Recommendation 1 requires a documented, current risk-based approach. FATF Recommendation 10 sets the floor for customer due diligence obligations. FATF Recommendation 11 governs record-keeping. The self-assessment tests your program against all three, and against your own internal policies.

The output is a gap analysis with Red/Amber/Green ratings and evidence references. You walk into the exam with documented proof of where your program is strong, which findings are open, and what you're doing about them. That's a materially different position than walking in and hoping you remembered everything.


Who needs the AML / Fraud Exam-Readiness Self-Assessment?

The primary users are the people who own exam relationships and program accountability:

  • MLROs and BSA/AML officers who will face examiner interviews and need to know their program's actual condition before the cycle begins
  • CCOs at mid-market and regional banks who oversee both AML and fraud programs and need a single consolidated view
  • Fraud leads and financial crime analysts mapping their controls against examiner expectations for the first time
  • Internal audit teams conducting a pre-examination readiness review or a targeted compliance audit
  • Model risk managers assessing whether transaction monitoring and fraud detection models are adequately validated and documented

The trigger moments are predictable. An examination is scheduled within 90 days. An internal audit has flagged control gaps. A regulator has issued a consent order or MRA to a peer institution for the same weakness your team has quietly acknowledged internally. A new product line is launching and AML/fraud controls need sign-off. Post-merger integration is underway and you need to assess the acquired entity's program against your own standards.

If you're working toward staying continuously exam-ready rather than sprinting before each examination cycle, this template is also useful as a quarterly program health check. A gap discovered in month one of a quarter is fixable. A gap discovered five days before examiners arrive is not.


What's inside the AML / Fraud Exam-Readiness Self-Assessment?

The spreadsheet has eleven structured tabs:

Tab 1: Program Overview

  • Institution name, examination authority (OCC, FCA, FDIC, FinCEN), and date of last examination
  • BSA/AML Officer or MLRO name, title, and board reporting line
  • AML policy version, board approval date, and next scheduled review date

Tab 2: Risk Assessment Currency

  • Enterprise-wide risk assessment (EWRA) last update date and scheduled next review
  • Products, services, customer segments, and geographies covered
  • Inherent risk and residual risk ratings by category (customer, product, geography, channel)

Tab 3: CDD / EDD Controls

  • CDD policy version and date; beneficial ownership collection rate (field: percentage of accounts with documented ownership)
  • EDD trigger criteria (documented: yes/no; criteria listed)
  • High-risk customer count and percentage of total book
  • Cross-reference field linking to your EDD Checklist for High-Risk Customers

Tab 4: Transaction Monitoring

  • TM system vendor and version; number of active rules/scenarios and last rule-set review date
  • Monthly average alert volume; false positive rate (percentage); SAR conversion rate (alerts that result in a SAR filing)
  • Alert backlog count and oldest-alert age (in days)

Tab 5: Sanctions and PEP Screening

  • Lists screened (OFAC SDN, UN consolidated, EU, HMT) with version dates
  • Sanctions screening and PEP screening vendor and last list-update confirmation
  • Average match-to-decision time (in hours); override rate with documented justification (percentage)

Tab 6: SAR / STR Filing Quality

  • Average days from detection to filing decision; average days from filing decision to submission
  • FinCEN's implementing regulation at 31 CFR 1020.320 requires SAR filing within 30 days of the filing decision (60 with extension). Tab 6 tracks your actual average against that clock.
  • SAR backlog count with age buckets (0-15 days, 16-30 days, 30+ days)
  • Narrative completeness checklist: subject, location, method, amount, date range, law enforcement contact note
  • Cross-reference to your SAR Narrative Template

Tab 7: Adverse Media and Ongoing Monitoring

  • Adverse media screening sources, frequency, and escalation process owner
  • Periodic review cycle for high-risk and PEP customers (documented: yes/no; review interval)

Tab 8: Training Records

  • Annual AML training completion rates by role; board-level AML training date
  • Specialized training completion: sanctions, fraud typologies, new-product risk

Tab 9: Model Risk Management

  • TM and fraud detection model inventory; last independent validation date per model
  • Open model findings, severity, and remediation status

Tab 10: Audit and Regulatory Findings

  • Open MRAs, MRIAs, and internal audit findings; remediation owner (named individual, not team)
  • Target remediation date and current status (On Track / At Risk / Overdue)

Tab 11: RAG Scoring Summary

  • Red/Amber/Green rating per domain; evidence reference (document name and location)
  • Examiner-ready notes; overall program readiness score

How to use the AML / Fraud Exam-Readiness Self-Assessment

Step 1: Assemble the working group. This isn't a solo exercise. Bring together the BSA/AML officer or MLRO, the fraud lead, the TM analyst, the training coordinator, and the model risk owner. Each person owns the data for their tab. Set a two-week completion window with a kickoff meeting where everyone understands the scoring rubric before they start.

Step 2: Gather the evidence first. Before scoring anything, collect the source documents: your current AML policy, the EWRA, the last TM rule review memo, training completion reports, open audit findings, and the most recent examination report. Score only what you can evidence. If documentation doesn't exist for a control, the rating is Red or Amber. Not Green.

Step 3: Complete each tab using the RAG rubric. Green is "documented, tested, and current." Amber is "in place but untested, overdue for review, or with minor gaps." Red is "missing, expired, or carrying unresolved critical findings." The SAR filing tab is particularly important: regulators treat filing timeliness as a direct proxy for program health. If your average detection-to-filing time consistently runs beyond 30 days, that tab is Red regardless of other program strengths.

Step 4: Address the alert volume problem before examiners do. If Tab 4 shows a false positive rate above 90 percent, that's a finding waiting to be written. It's worth reviewing your TM rule calibration before the exam. Teams working to reduce that number have found useful framing on the false positive reduction page.

Step 5: Review the RAG Summary tab as a team. Every Red or Amber needs a named owner, a specific action, and a target date. "Compliance team" is not an owner. Run this tab in a meeting with the people accountable for each finding.

Step 6: Apply it to exam preparation and ongoing monitoring. The completed assessment is a document you can present to the board risk committee, share with internal audit, and reference during examiner interviews. Run it on a quarterly cycle and it becomes a continuous compliance record, not just an exam sprint tool. The regulatory compliance automation page covers how teams are reducing the manual data collection effort behind each quarterly run.


Common mistakes to avoid

1. Scoring by memory, not evidence. Teams rate themselves Green based on what they believe is true rather than what's documented. If you can't point to a dated document proving a control is working, the rating is Amber at best. Examiners ask for the evidence. "We do that" is not an answer.

2. Treating the SAR tab as a filing-volume log. The SAR section is about process and quality, not just count. Examiners look at narrative completeness, consistent application of the 30-day clock, and whether filings contain enough detail to be useful to law enforcement. Review recent SARs against the narrative checklist in Tab 6. Missing method, location, or date-range fields is a SAR quality problem, and it gets noted.

3. Skipping the model risk tab. Many compliance teams treat model validation as a technology concern. It isn't. If a TM model hasn't been independently validated in two or more years, that's an open examiner finding. The tab forces the question into the open before the exam does.

4. Using last year's assessment without refreshing the data. Alert volumes change. False positive rates change. Personnel change. Remediation timelines slip. An assessment using 18-month-old metrics creates false confidence. Each completion cycle requires fresh data pulled from live systems, not copied from the prior version.

5. Ignoring emerging typology gaps. If your EWRA doesn't address trade-based money laundering, virtual asset exposure, or business email compromise, examiners will ask why. The typology detection gap is one of the more common findings at institutions whose EWRA is more than 18 months old.

6. No named owner on open findings. Tab 10 entries without a named individual as owner don't get fixed before the exam. Shared ownership is no ownership.


How FluxForce automates this

The self-assessment is a point-in-time snapshot. Keeping those scores Green between exam cycles is where manual processes break down.

FluxForce's AI agents run continuous transaction monitoring, automated sanctions and PEP screening, and real-time adverse media alerts, closing the gap between detection and action. The platform generates audit-ready evidence for every decision, so your SAR metrics and screening logs stay current without manual extraction before each quarterly assessment cycle.

To see how this works across a live compliance program, book a demo.