FinCEN AML Program Requirements Explained
A plain-English guide to what FinCEN requires for BSA/AML compliance — including the BSA independent review requirements, annual AML training requirements, and how to meet each one without a $500/hour consultant.
What Does FinCEN Require for AML Compliance?
The Financial Crimes Enforcement Network (FinCEN) is the U.S. Treasury bureau responsible for administering the Bank Secrecy Act (BSA). Under the BSA, regulated financial institutions must maintain a written AML compliance program that meets FinCEN's minimum requirements.
FinCEN's AML program requirements are codified in Title 31 of the Code of Federal Regulations (31 CFR Chapter X) and vary slightly by business type. However, all regulated businesses must meet four core requirements, often called the "four pillars" of BSA compliance. "Covered financial institutions" under the Customer Due Diligence rule (banks and credit unions, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities) must also meet a fifth requirement: Customer Due Diligence (CDD).
Failure to maintain an adequate AML program can result in civil money penalties, cease and desist orders, and criminal prosecution. FinCEN has assessed penalties against businesses of all sizes — including small MSBs, mortgage companies, and fintech startups.
The four required pillars:
1. Written Policies
2. BSA Officer
3. Annual Training
4. Independent Review
FinCEN Requirements by Pillar
Written Policies & Procedures
- Written AML policy manual approved by senior management (for banks and credit unions, by the board of directors)
- Policies must cover all products, services, and customer types
- Must include SAR filing procedures and thresholds
- Must include CTR filing procedures (if applicable)
- Must be reviewed and updated at least annually
- Must reflect current FinCEN guidance and regulatory changes
Designated BSA Compliance Officer
- Must be a named individual (not a title or department)
- Must have sufficient authority to implement the program
- Must have adequate resources and access to information
- Must have knowledge of BSA/AML requirements
- Must be responsible for day-to-day program management
- Must ensure regulatory filings are made timely and accurately
Annual Employee Training
- All relevant employees must complete training at least annually (the rule itself requires training of "appropriate personnel" without fixing an interval; 12 months is the examiner baseline)
- Training must be role-specific and relevant to the business
- Must cover red flags for money laundering and terrorist financing
- Must cover SAR and CTR filing obligations
- Completion must be documented (attendance records, completion certificates, or test results) so it can be produced on examination
- Records must be retained for at least 5 years
- New employees should be trained before handling transactions
Independent Program Review
- Expected at least annually (every 12 months); the regulation requires scope and frequency "commensurate with the risk" of the services provided, and examiners treat 12 months as the baseline
- Reviewer must be independent, cannot review their own work
- Must produce a written report with findings and recommendations
- Must evaluate all elements of the AML program
- Prior findings must be tracked and remediated
- Review scope should be risk-based
- Higher-risk businesses may require more frequent reviews
Customer Due Diligence (CDD)
- Customer Identification Program (CIP) must be documented
- Must verify customer identity using reliable documents
- Must understand the nature and purpose of customer relationships
- Must conduct ongoing monitoring for suspicious activity
- Must identify and verify beneficial owners of legal entity customers (each individual with 25% or more equity ownership, plus one individual with significant managerial control)
- Enhanced Due Diligence (EDD) required for high-risk customers
FinCEN Annual AML Training Requirements
FinCEN requires AML/BSA training for all employees who handle transactions or interact with customers, and examiners expect that training to recur at least annually. Training must be role-specific, documented, and updated to reflect current regulatory requirements. Here is what the requirement entails:
Frequency
At least annually (every 12 months) in practice; the regulation sets no fixed interval, but examiners expect it
Who must be trained
All employees handling transactions or interacting with customers
Content requirement
Role-specific, covering red flags relevant to your business type
Documentation
Completion certificates retained for minimum 5 years
New employees
Should be trained before handling transactions
Regulatory basis
31 CFR § 1022.210(d)(3) for money services businesses, with parallel program rules for other institution types (for example, 31 CFR § 1020.210 for banks)
BSA Independent Review Requirements
The BSA independent review (also called an independent test or BSA audit) is one of the most frequently cited deficiencies in regulatory examinations. Here is what FinCEN requires and where businesses most often fall short:
Frequency
At least annually in practice (the regulation requires frequency "commensurate with the risk"), and more often for high-risk businesses
Independence
Reviewer cannot have designed or implemented the program
Output
Written report with findings, recommendations, and management response
Scope
Must cover every pillar of the AML program, including CDD where it applies to the business
Remediation
Prior findings must be tracked and addressed
Regulatory basis
31 CFR § 1022.210(d)(4) for money services businesses, the parallel program rules for other institution types, and the applicable examination procedures (for example, the FFIEC BSA/AML Examination Manual for banks)
FinCEN Requirements: Common Questions
What are FinCEN's AML program requirements?
FinCEN requires regulated financial institutions to maintain a written AML program with four core elements: (1) written policies, procedures, and internal controls, (2) a designated BSA compliance officer, (3) ongoing employee training, and (4) independent testing of the program. Covered financial institutions (banks and credit unions, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities) must also implement Customer Due Diligence (CDD) procedures as a fifth element.
What are the BSA independent review requirements?
FinCEN requires that the independent review of a BSA/AML program be conducted by a qualified, independent party, meaning someone who did not design or implement the program being reviewed. The regulation ties the scope and frequency of the review to the risk of the business; in practice examiners expect it at least annually, and it must produce a written report with findings and recommendations. The BSA compliance officer cannot conduct their own independent review.
What are the annual AML training requirements under FinCEN?
FinCEN requires AML/BSA training for all employees who handle transactions, open accounts, or interact with customers. Training must be: (1) recurring, which examiners read as at least once every 12 months, (2) relevant to the employee's specific role and the business's risk profile, (3) documented with completion records that can be produced during examination, and (4) updated to reflect current FinCEN guidance and regulatory changes.
Who qualifies as an independent reviewer for BSA purposes?
An independent reviewer must be someone who did not design, implement, or operate the AML program being reviewed. This can be an internal audit function (if truly independent from the compliance function), an external compliance consultant, or a third-party firm. The BSA compliance officer cannot review their own program. Many small businesses use external compliance firms like Soflo to satisfy the independence requirement.
How often must the BSA independent review be conducted?
The regulation requires the review's scope and frequency to be commensurate with the risk of the business; examiners treat once every 12 months as the minimum, so an annual review is the practical requirement. Higher-risk businesses may be expected to conduct reviews more frequently. The review must produce a written report, and prior findings must be tracked and remediated.
What happens if my business doesn't meet FinCEN's AML program requirements?
Failure to maintain an adequate AML program can result in civil money penalties (statutory penalties for program violations start at $25,000 per violation, are adjusted for inflation, and aggregate assessments have run into the millions of dollars), cease and desist orders, loss of operating licenses, and in serious cases, criminal prosecution. FinCEN has assessed penalties against businesses of all sizes, including small MSBs and mortgage companies, for inadequate AML programs.
Meet Every FinCEN Requirement Without the Consultant Fees
Soflo delivers everything FinCEN requires: written policies, annual training with certificates, BSA risk assessment, and independent program review, at a fixed annual price. No hourly billing. No sales calls.