A FinCEN gap analysis is one of the most searched compliance terms - and one of the least understood. If you've heard the phrase from a regulator, a banking partner, or a consultant and aren't sure what it actually means or whether you need one, this is the complete explanation.
A FinCEN gap analysis compares your current AML program to regulatory requirements element by element
A FinCEN gap analysis is a structured comparison between your current AML program and the requirements set by the Financial Crimes Enforcement Network (FinCEN) under the Bank Secrecy Act. The "gap" is the distance between where your program is today and where it needs to be to satisfy regulatory examination. A gap analysis identifies those gaps specifically - not in general terms, but element by element, procedure by procedure - so you know exactly what needs to be fixed and in what order.
The output is a prioritized remediation roadmap - specific deficiencies with assigned owners and timelines
The term "FinCEN gap analysis" is sometimes used interchangeably with "AML program review" or "BSA compliance assessment," but there's a meaningful distinction. A gap analysis is specifically diagnostic: its output is a prioritized list of deficiencies, not a general assessment of program quality. A well-executed gap analysis tells you that your customer identification procedures are missing a verification step for non-U.S. persons, that your transaction monitoring thresholds haven't been calibrated since 2021, and that your independent testing hasn't occurred in 18 months. It's specific enough to drive a remediation plan.
Gap analyses are calibrated to your industry - MSB standards differ from mortgage lender standards
FinCEN's regulatory framework for AML programs is built around five mandatory elements: a system of internal controls, independent testing of those controls, a designated BSA compliance officer, annual training for appropriate personnel, and customer due diligence procedures. A gap analysis evaluates each of these elements against the applicable regulatory standard for your industry. The standard for a money services business is different from the standard for a non-bank mortgage lender, which is different from the standard for a casino - so the gap analysis must be calibrated to your specific regulatory environment.
A gap analysis is not the same as independent testing and does not satisfy the BSA requirement
Businesses typically need a gap analysis in one of four situations. First, when they're building an AML program for the first time and need to understand what's required before they start writing policies. Second, when they've received an examination finding or MRA and need to understand the full scope of their deficiencies before responding. Third, when their banking partner has requested evidence of a compliance review as a condition of maintaining the relationship. And fourth, when their business has changed materially - new products, new customer segments, geographic expansion - and they need to confirm their existing program still covers the new risk landscape.
Common triggers: first-time program build, exam finding, banking partner request, or material business change
The output of a gap analysis is a remediation roadmap: a prioritized list of specific actions, assigned to responsible parties, with realistic timelines. The prioritization matters. Not all gaps carry equal regulatory risk - a missing independent testing function is a more serious finding than an outdated policy header. A good gap analysis tells you which gaps to close first, which can be addressed in parallel, and which represent the most significant examination exposure if left open.
One important clarification: a gap analysis is not the same as independent testing, and it doesn't satisfy the BSA's independent testing requirement. Independent testing is an ongoing program element - it evaluates whether your controls are working as designed. A gap analysis is a point-in-time assessment of whether your program structure meets regulatory requirements. Both are necessary; neither substitutes for the other.
At Soflo Consulting, our gap analysis process covers all five BSA program elements, your industry-specific regulatory requirements, your current documentation, and your operational practices. We deliver a written findings report with a prioritized remediation plan - not a generic checklist, but a document specific to your business, your industry, and your current program state. If you're uncertain whether your program meets current FinCEN standards, a gap analysis is the fastest way to find out on your terms rather than a regulator's.
How to Perform an AML Risk Assessment in 2026
The risk assessment is the foundation a gap analysis builds on - here's how to build one that holds up under scrutiny.
What Happens If Your Company Fails an AML Audit?
Understanding the consequences of examination findings makes the case for proactive gap analysis clear.
Tags
BSA/AML Principal Consultant · Soflo Consulting
Elena Vargas is a BSA/AML Principal Consultant at Soflo Consulting with over a decade of experience building and auditing compliance programs for regulated businesses across the United States. She specializes in enforcement action remediation, risk assessment development, and examination preparation for money services businesses, mortgage lenders, and fintech companies.
5 sections
Key Takeaways
- 1A FinCEN gap analysis compares your current AML program to regulatory requirements element by element
- 2The output is a prioritized remediation roadmap - specific deficiencies with assigned owners and timelines
- 3Gap analyses are calibrated to your industry - MSB standards differ from mortgage lender standards
- 4A gap analysis is not the same as independent testing and does not satisfy the BSA requirement
- 5Common triggers: first-time program build, exam finding, banking partner request, or material business change
Need Expert Guidance?
Put these insights into action. Schedule a free consultation with a Soflo Consulting compliance specialist.
Stay Ahead of Compliance
Get FinCEN updates, BSA/AML guidance, and federal compliance news delivered to your inbox - no fluff.
