A genuine AML program review is not a document scan. It is a structured evaluation of whether your program actually works - not just whether it exists on paper. If you have had a review and are not sure it covered the right ground, this is the standard it should have been held to.
Most businesses that have had an AML program review do not actually know whether it was a good one. They received a document. It had their company name on it. It said their program was reviewed. And they filed it away, assuming the obligation was satisfied. The problem is that the quality of an AML program review varies enormously - from a genuine, structured evaluation that identifies real gaps and drives real remediation, to a cursory document scan that produces a clean-looking report without ever testing whether the program actually works. If you cannot describe what your review covered, there is a real chance it did not cover enough.
A real AML program review has a defined scope that maps directly to the five mandatory elements of a BSA-compliant program. Those five elements are: a system of internal controls, independent testing of those controls, a designated BSA compliance officer, annual training for appropriate personnel, and customer due diligence procedures. A review that does not evaluate all five elements against the applicable regulatory standard for your industry is not a complete review. It is a partial assessment, and partial assessments leave gaps that examiners will find.
The review of your internal controls is the most substantive component, and it is where the most important findings typically emerge. A genuine review of internal controls does not just confirm that a written policy exists. It evaluates whether the policy accurately describes what your business actually does, whether the procedures are specific enough to be followed consistently, whether the controls are calibrated to the risks identified in your risk assessment, and whether there are documented procedures for every BSA obligation your business carries. A reviewer who reads your policy document and confirms it covers the right topics has not reviewed your internal controls. A reviewer who compares your policy to your actual operational practices and identifies the gaps between them has.
The review of your risk assessment is the second critical component. Your risk assessment is the foundation of your entire program - every other element is supposed to be built on top of it. A genuine review evaluates whether your risk assessment is current (updated within the past 12 months or after any material business change), whether it covers all three required dimensions (products and services, customer base, and geographic footprint), whether the risk ratings assigned are defensible given your actual business profile, and whether the controls described in your policy are actually proportionate to the risks identified in the assessment. A risk assessment that was written once and never updated is not a functioning foundation. A reviewer who does not evaluate the currency and completeness of your risk assessment has missed the most important document in your program.
The review of your independent testing function is the third component. Independent testing is itself a mandatory program element, which creates an interesting dynamic: the program review evaluates whether you have been conducting independent testing, and the independent testing evaluates whether your program is working. A genuine review confirms that independent testing has occurred within the required timeframe (typically annually for most covered institutions), that the testing was conducted by someone with genuine independence from the program being tested, that the testing scope covered all five program elements, and that findings from prior testing have been addressed. A reviewer who confirms that independent testing occurred without evaluating its scope and quality has not assessed this element meaningfully.
The review of your BSA compliance officer function is the fourth component, and it is frequently underweighted by lower-quality reviewers. The BSA compliance officer is not just a title on an org chart. The regulatory standard requires that this person have actual authority to implement and enforce the AML program, actual knowledge of BSA requirements applicable to your business, and actual time allocated to compliance activities. A genuine review evaluates all three dimensions: whether the officer has the organizational authority to escalate concerns to senior management and have them addressed, whether their BSA knowledge is current and industry-specific, and whether their time allocation is realistic given the scope of the program they are responsible for managing. A BSA officer who is also the operations manager, the HR director, and the office administrator does not have the time allocation the role requires, and a reviewer who does not flag this has missed a significant finding.
The review of your training program is the fifth component. A genuine review evaluates whether training has occurred within the past 12 months for all employees who could encounter BSA-relevant activity, whether the training content is appropriate for the specific responsibilities of each employee category, whether training records are documented with sufficient specificity to satisfy an examiner (course content, date, attendee name and role), and whether the training curriculum reflects current regulatory requirements rather than outdated content. A reviewer who confirms that training happened without evaluating its content, its role-specificity, and its documentation quality has not assessed this element adequately.
The review of your customer due diligence procedures is the sixth component. A genuine review evaluates whether your CDD procedures collect and verify the information required for your customer population, whether beneficial ownership identification is being performed correctly for entity customers, whether your customer risk-rating methodology is documented and consistently applied, and whether ongoing monitoring is actually occurring rather than just described in policy. For businesses with higher-risk customer segments - foreign nationals, politically exposed persons, cash-intensive businesses, or customers with complex ownership structures - the review should specifically evaluate whether enhanced due diligence procedures are in place and being followed.
Beyond the five program elements, a complete review should also evaluate your SAR and CTR filing discipline. This means reviewing a sample of your transaction monitoring records to confirm that alerts are being generated, reviewed, and resolved consistently. It means confirming that SAR filing decisions are documented, that SARs are filed within the required 30-day window, and that SAR narratives contain the specificity law enforcement needs to act on them. It means confirming that CTR filings are accurate, timely, and complete for all cash transactions above the $10,000 threshold. Filing discipline is one of the most common examination findings, and a review that does not evaluate it has left a significant gap.
The output of a genuine program review is a written findings report - not a certificate of completion, not a summary memo, and not a verbal debrief. The findings report should identify each gap discovered during the review, rate each gap by severity (critical, significant, or minor), assign responsibility for remediation, and propose a realistic timeline for each corrective action. This document is your remediation roadmap. It is also the document you would present to a banking partner or a regulator to demonstrate that you have identified your gaps and are actively addressing them. A review that does not produce this document has not given you what you need.
So what do you do if you have had a review and are not sure it covered the right ground? The first step is to evaluate what you actually received against the standard described above. Pull out the report from your last review and ask: does it address all five program elements? Does it evaluate your risk assessment for currency and completeness? Does it include a written findings report with specific gaps, severity ratings, and remediation timelines? If the answer to any of these questions is no, your review was incomplete.
The second step is to determine the severity of the gap. If your last review was recent but incomplete, the most efficient path is to commission a targeted assessment that covers the elements your prior review missed. This is less expensive than a full program review and can be completed more quickly. If your last review was more than 18 months ago, or if it was conducted by someone without genuine independence from your program, you need a full review regardless of what the prior report said.
The third step is to prioritize remediation based on examination risk. Not all gaps are equally dangerous. A missing independent testing function is a more serious finding than an outdated policy header. A BSA officer without adequate authority is a more serious finding than a training record with incomplete documentation. A risk assessment that has not been updated in three years is a more serious finding than a CDD procedure that is missing one verification step. Prioritize the gaps that would generate the most serious examination findings first, and address them before your next examination cycle.
The fourth step is to document everything you do. Remediation that is not documented did not happen, from a regulatory perspective. Every corrective action you take - every policy update, every training session, every risk assessment revision, every independent testing engagement - should be documented with dates, responsible parties, and evidence of completion. This documentation is your defense if a regulator asks what you did after discovering a gap. It is also the evidence that demonstrates your program is actively managed rather than static.
The bottom line is this: an AML program review is only as valuable as the standard it is held to. A review that confirms your program exists is not the same as a review that confirms your program works. If you are not certain that your last review covered all five program elements, evaluated your risk assessment for currency and completeness, assessed your filing discipline, and produced a written findings report with specific remediation guidance, you do not have the assurance you think you have. The time to find that out is now - not when an examiner is sitting across the table from you.
BSA/AML Principal Consultant · Soflo Consulting
Elena Vargas is a BSA/AML Principal Consultant at Soflo Consulting with over a decade of experience building and auditing compliance programs for regulated businesses across the United States. She specializes in enforcement action remediation, risk assessment development, and examination preparation for money services businesses, mortgage lenders, and fintech companies.
Key Takeaways
1. A real program review evaluates all five mandatory BSA elements - internal controls, independent testing, BSA officer, training, and CDD - against the applicable regulatory standard for your industry.
2. Reviewing internal controls means comparing your written policy to your actual operational practices, not just confirming the policy exists.
3. The risk assessment review is critical: it must be current, cover all three dimensions, and show that controls are proportionate to identified risks.
4. The BSA officer review must evaluate authority, knowledge, and time allocation - not just confirm the role is filled.
5. A complete review also evaluates SAR and CTR filing discipline through a sample review of transaction monitoring records.
6. The output must be a written findings report with specific gaps, severity ratings, and remediation timelines - not a certificate or a verbal debrief.
7. If your last review did not cover all of this, determine what was missed, prioritize by examination risk, remediate, and document every corrective action.