Do I legally need BSA/AML training?

It depends on your business type. Financial institutions regulated under the Bank Secrecy Act are legally required to maintain a written AML program that includes annual employee training. Other businesses have strong regulatory guidance recommending training. Our onboarding flow identifies exactly what you need based on your industry.

How quickly can we get compliant?

Most businesses complete initial setup and employee enrollment within 1 to 2 business days. Training is typically completed by employees in 45 to 90 minutes. For full compliance programs requiring policy review, plan for 5 to 10 business days for full implementation.

What happens if we get audited or examined?

We have a 98% examiner pass rate. All plans include exportable examination-ready documentation including completion reports, certificates, and training logs. Training + Review clients receive updated examiner-ready documentation. Training + Creation clients receive a fully built BSA/AML program.

Is this an annual subscription or a one-time payment?

Plans are billed annually, which aligns with BSA/AML regulatory requirements that mandate annual training. There are no per-module or per-seat surprise fees. Renewal is handled automatically with 60-day advance notice.

Can I upgrade my plan later?

Absolutely. You can upgrade at any time and we will prorate the difference. Your employee records, training history, and certificates all carry over between plans.

·AML Basics

AML Compliance Checklist for Small Businesses (2026)

Sofia Delgado

Compliance Program Specialist

March 1, 2026

6 min read

Small businesses that fall under the Bank Secrecy Act often assume that AML compliance is for big banks with dedicated compliance departments. That assumption is one of the most expensive mistakes in financial compliance. Regulators apply the exact same five-element framework to a 10-person MSB that they apply to a regional bank.

The five-element BSA framework is the same for a 10-person money services business as it is for a regional bank. Size is not a mitigating factor in enforcement, and "we're a small operation" has never been a successful defense against a civil penalty. Here's the practical checklist that every small business with BSA obligations needs to work through.

Element 1 — Written Policies and Internal Controls: Your program must be written, approved by senior management, and describe your actual practices. A 15-page policy that accurately reflects what your team does every day is more defensible than a 100-page document that sits on a shelf. Write it as if explaining your procedures to a new employee on their first day — specific, step-by-step, and honest about your actual workflow.

Element 2 — Customer Identification: At minimum, collect and verify the name, address, date of birth, and identification number of every customer who opens an account or conducts a reportable transaction. Document everything. "The customer seemed legitimate" is not a CIP record. You need copies of identification documents, verification steps, and a clear log of when they were collected.

Element 3 — Transaction Monitoring: You don't need expensive software at the small business level, but you do need consistent procedures. Your team needs to know what suspicious activity looks like in your specific business context, how to escalate internally, and what filing obligations follow a confirmed suspicion. A written transaction monitoring procedure that is actually followed beats an automated system that generates alerts nobody reviews.

Elements 4 and 5 — Annual Training and Independent Testing: Every employee who could encounter BSA-relevant activity needs annual training, and that training needs to be documented. Independent testing must happen regularly — for most small businesses, this means an annual third-party review of your program. These are the two elements most commonly skipped by small businesses, and the two most commonly cited in examination findings.

Key Takeaways

1Small businesses face the exact same five-element BSA standard as large financial institutions
2Written policies must describe actual practices — not aspirational ones
3Customer identification records require documentation, not just employee recollection
4Transaction monitoring can be manual at smaller scale but must be consistent and documented
5Independent testing and annual training are the two most commonly missing elements

Need Expert Guidance?

Put these insights into action. Schedule a free consultation with a Soflo Consulting compliance specialist.

Stay Ahead of Compliance

Get FinCEN updates, BSA/AML guidance, and federal compliance news delivered to your inbox no fluff.

What Happens If Your Company Fails an AML Audit?

Most business owners think of an AML audit failure as a bureaucratic inconvenience — a findings letter, some corrective actions, a follow-up visit. The reality is considerably more serious, and the consequences can unfold over years. Here's exactly what regulators do when they find a program with serious deficiencies.

AML AuditEnforcement Actions

Elena Vargas

March 25, 2026

9 min read

AML Basics

What Is an AML Program and Who Needs It in 2026?

If you've ever Googled "do I need an AML program," you're already ahead of most. The majority of businesses that face regulatory action for AML deficiencies didn't know they had a problem — because they didn't know they had an obligation. The definition of who's covered is broader than most business owners expect.

AML ProgramBSA Compliance

Marcus Reid

March 12, 2026

7 min read

AML Basics

How to Build an AML Program From Scratch (Step-by-Step Guide)

Building an AML program from scratch sounds more complicated than it is — but not building one is considerably more complicated than most business owners realize. If your business has BSA obligations and you don't yet have a formal written program, this is your framework for building one that passes examination.

Build AML ProgramBSA Compliance

Elena Vargas

November 18, 2025

9 min read