In 1970, Congress passed the Bank Secrecy Act (BSA), which established recordkeeping and reporting requirements to help detect and deter money laundering and other financial crimes. In 1986, the Money Laundering Control Act made money laundering a federal crime under 18 U.S.C. 1956 and 1957, and those provisions apply to individuals and financial institutions that knowingly engage in covered transactions. In 1990, the U.S. Department of the Treasury established the Financial Crimes Enforcement Network (FinCEN). In 1992, the Annunzio‑Wylie Anti‑Money Laundering Act amended the BSA to require reporting of suspicious transactions and to provide a statutory framework for suspicious activity reporting. FinCEN and the federal banking agencies implemented standardized Suspicious Activity Report (SAR) requirements and forms in 1996. In 2001, the PATRIOT Act significantly strengthened the BSA by expanding anti-money laundering and counter-terrorist financing requirements, making terrorist financing an explicit focus of BSA/AML programs and suspicious activity reporting.

While these changes strengthened AML and BSA compliance expectations, in practice, community financial institutions (CFIs) often faced relatively uniform examination approaches and data collections, regardless of their size and actual risk profile. Previously, low-risk CFIs were still subject to relatively uniform exam expectations and annual Money Laundering Risk (MLR) System data calls. Recognizing this disconnect, regulators have taken steps to better align examination expectations with actual institutional risk.
In November, the OCC issued supplemental Community Bank BSA/AML Examination Procedures for examiners to use in conjunction with the “FFIEC BSA/AML Examination Manual” to provide examiners with standardized guidelines on how to tailor their BSA/AML examination scoping and testing to the community bank based on the institution’s risk profile, past supervisory findings, and independent testing. The primary aim is to make BSA/AML examinations more risk-focused and efficient by allowing examiners to adjust the depth and type of testing — reducing unnecessary procedures at lower risk banks and expanding procedures where higher risks or concerns exist — rather than applying the same level of scrutiny to all community banks.

CFI Requirement Changes

For BSA/AML examinations beginning on or after February 1, 2026, examiners will apply the new Community Bank BSA/AML Examination Procedures and adjust the scope to the CFI’s risk profile. Under these procedures, examiners can determine “whether or to what degree transaction testing should be performed or whether testing should be limited to analytical or other reviews.”

In addition to this change, the OCC will no longer conduct its annual MLR System data collection from community banks and will instead rely on other supervisory data and tools to assess each CFI’s money‑laundering and terrorist‑financing risk.

CFIs that maintain strong risk assessments, internal controls, and independent testing consistent with the OCC’s Community Bank Procedures and the FFIEC BSA/AML Manual help support examiners’ use of a streamlined, risk‑focused examination plan.

Independent Testing Qualifications

OCC examiners will take a close look at the quality of your CFI’s independent testing. The following are ways you can demonstrate that your independent testing will meet regulatory requirements:
- The entity is qualified and truly independent. The testing should be performed by a qualified entity that is not involved with the function being tested or other BSA-related functions at your institution. That entity should report directly to your board or a designated board committee, comprised primarily or completely of outside directors.
- The testing program addresses BSA/AML compliance adequacy. Your independent testing program should address the overall adequacy of your BSA/AML compliance program relative to your CFI’s risk profile. This includes your policies, procedures, and processes for internal controls — especially the processes for suspicious activity monitoring and reporting.
- The testing occurs regularly. You should demonstrate that the testing is conducted on a periodic basis that is commensurate with your institution’s risk profile.

Evidence Needed for Low-Risk Determination

Examiners will determine your CFI’s risk profile based on the risk assessment factors outlined in the FFIEC BSA/AML Manual. As such, you should demonstrate that your products, services, customers, and geographic locations are at low risk for money laundering or terrorist financing. Any single indicator does not necessarily determine the existence of lower or higher risk, but the evaluation is based on a consideration of all pertinent information that your CFI can provide.

For CFIs that may qualify as lower risk, the following are examples of information examiners may consider when determining a low-risk profile:
- The average number and dollar amount of domestic and international funds transfers.
- The nature of private banking customers or foreign correspondent accounts, as well as the existence of payable through accounts.
- The domestic and international geographic locations where your institution conducts or transacts business.
- The design and effectiveness of internal controls in place to mitigate any risks if they should occur.
- How the BSA/AML risk assessment is updated when new products, services, and customer types are introduced or if your institution expands through mergers and acquisitions.

Added Procedures for Higher Risk

If examiners determine that your risk is higher, they will add procedures to their exam. Examiners may assess the implementation of policies, procedures, and processes or evaluate controls, information technology sources, systems, and processes used for BSA compliance.

The information an examiner may want to test includes one or more of the following:
- Suspicious activity. Examiners may sample suspicious activity alerts, discuss the investigation process with staff at a high level, and review the decision-making process regarding SAR filings.
- SAR and CTR reports. Examiners will determine whether reports, such as SARs and CTRs, are complete and accurate, as well as conduct a comparison of filed CTRs against reportable transactions that can be identified on your large cash transaction report.
- Customer data. Examiners will confirm that your CFI has a verified customer identification program and collect customer due diligence data on a sample of new accounts.
- Legal entity customers. Examiners will determine if your CFI has collected beneficial ownership information by collecting a sample of legal entity customers and comparing internal reports with customer files.
- Exemption lists. Examiners will determine if eligible Phase II CTR-exempt customers (or non-listed businesses) have been exempted appropriately by reviewing annual reportable cash transactions.
- Independent testing. Examiners will determine if your independent testing findings have been reported to the board, or a designated board committee, by reviewing the board or committee minutes.
- Staff training. Examiners will compare staff training records with the standards outlined in your training policy.

Examination Preparation

This more streamlined BSA/AML examination process is designed to ensure that community bank BSA/AML examinations are risk-focused and commensurate with each bank’s money laundering, terrorist financing, and other illicit financial activity risks. In order to pass your OCC examination under these risk-focused community bank BSA/AML examination procedures, ensure that your CFI does the following:
- Perform an updated risk assessment to determine whether your institution actually has a low risk profile. If it does, update your policies and procedures to reflect the OCC’s new guidelines.
- Audit your independent testing program to ensure it adheres to the OCC’s new guidelines.
- Assess your transaction monitoring system’s ability to detect suspicious activity.
- Retain robust records of your risk policies, staff compliance training, and other customer data procedures.
For institutions with a low-risk profile, preparing ahead of time can help ensure examiners have the information they need to apply the OCC’s streamlined, risk-focused BSA/AML examination procedures.
