Risk assessments not updated for AMLA national priorities are the most common gap - and an automatic finding

After reviewing AML programs across dozens of businesses in 2022 - spanning MSBs, mortgage lenders, fintech companies, title companies, and other regulated industries - the same gaps appear with remarkable consistency. These aren't obscure technical deficiencies. They're foundational failures that a well-designed program review would catch and that a well-managed program would prevent. Here's what we found most often.

Training programs that don't address national priorities are incomplete under current regulatory standards

Gap #1: Risk assessments that haven't been updated since the AMLA's national priorities were published in June 2021. The AMLA requires covered financial institutions to incorporate the national priorities into their risk assessments and AML programs. More than a year after the priorities were published, a significant majority of the programs we reviewed had not been updated to reflect them. This is an automatic examination finding - and it's entirely preventable.

Beneficial ownership records collected but never verified are not CDD compliance

Gap #2: Training programs that don't address the national priorities. The same programs that hadn't updated their risk assessments also hadn't updated their training content. Staff at these businesses had received annual training that covered the traditional BSA framework but said nothing about corruption, cybercrime, human trafficking, or the other national priority areas. Training that doesn't address the current regulatory priorities is incomplete.

Self-review by the BSA officer is not independent testing - it doesn't satisfy the BSA requirement

Gap #3: Beneficial ownership records that are incomplete or unverified. The CDD rule has been in effect since 2018, but a significant number of the programs we reviewed still had beneficial ownership records that were either missing for some legal entity customers or that had been collected but never verified. Collecting a beneficial ownership form and filing it without verification is not CDD compliance - it's a paper exercise.

Vague SAR narratives are useless to law enforcement and signal a checkbox compliance culture

Gap #4: Independent testing that is either absent or not truly independent. Many of the programs we reviewed had never been independently tested. Others had been "tested" by the BSA officer reviewing their own program - which is not independent testing. The BSA requires that testing be performed by someone who is not responsible for the program being tested. Self-review doesn't satisfy this requirement.

Gap #5: SAR narratives that lack specificity. The SAR filings we reviewed in 2022 showed a consistent pattern: narratives that described suspicious activity in vague, generic terms rather than specific, factual ones. "Customer conducted unusual transactions inconsistent with their stated business purpose" is not a SAR narrative - it's a placeholder. Law enforcement needs specific facts: who, what, when, how much, and why it was suspicious.