Article | August 28, 2025

Examiners are not impressed: Why your BSA/AML model needs work

LaTara McCollum, Niki Henry

Following our recent Financial Services Group roundtable webinar, this article explores how financial institutions can update their Bank Secrecy Act (BSA) and anti-money laundering (AML) models in light of regulatory changes and emerging risks.

Keeping up with changing regulations can be a challenge with limited resources and staffing. Community banks and credit unions are being asked to do more with less. Examiners expect robust compliance programs, but many institutions are operating with the same staffing levels they had a decade ago. Gaps in oversight and stale risk assessments are frustrating for both sides of the audit table.

Examiners are no longer satisfied with generic, check-the-box style risk assessments. They want data that is quantified, contextualized, and institution-specific. That means clearly stating what your institution does (and doesn’t do), assigning risk accordingly, and explaining how you’re mitigating it. If your institution doesn’t process international wires, say so. If you do, show how you’re managing the risk.

In June 2025, FinCEN issued its first orders under Section 2313a added under the Fentanyl Sanctions Act, naming three Mexico-based financial institutions for laundering money tied to fentanyl trafficking. These orders ban financial institutions from transmitting funds with CIBanco, Intercam, and Vector, including crypto-related transfers, and will remain in effect indefinitely.

The action follows the Trump administration’s designation of cartels as terrorist organizations. U.S. institutions are expected to update compliance systems, block prohibited transactions, and prepare for substantial penalties in case of violations. This development adds urgency to the need for institutions to identify and manage exposure to cartel-linked financial activity.

So, how can community banks, credit unions, and financial institutions strengthen their BSA/AML compliance programs to meet examiner expectations?

SAR Narratives: Write for Law Enforcement, Not Your Auditor

Suspicious Activity Reports (SARs) are a cornerstone of AML compliance, and the narrative section is where your institution tells the story. Examiners, who are compliance professionals, not bankers, rely on these narratives to understand the nature and context of the suspicious activity. Poorly written reports can delay investigations, invite regulatory criticism, and undermine your institution’s credibility. Well-crafted narratives, on the other hand, can trigger major investigations, reveal financial crime trends, and support national security efforts.

To write an effective SAR narrative, use a Bottom Line Up Front (BLUF) approach, where the first two sentences explain why the SAR is being filed. Include who, what, when, where, why, and how, using chronological order and FinCEN keywords. Complete every field, even the ones without asterisks, because details matter. Remember, examiners want to understand the nature and context of the activity being reported. The more complete and clear your narrative, the more effective your SAR will be.

Alert Overload, Audit Surprises & Oversight Gaps

Poorly tuned detection models generate excessive alerts, leading to alert fatigue and missed risks. Striking the right balance is key. Too few alerts and you miss threats, while too many overwhelm staff and dilute focus. To improve efficiency and gain leadership buy-in, institutions should regularly tune their models, communicate changes transparently, and prioritize actionable alerts.

Unacknowledged alerts can also resurface during audits, catching leadership off guard. To prevent this, quality control and oversight must be proactive, not reactive. As customer bases grow, especially with high-risk profiles, staffing levels and procedures must scale accordingly. Institutions should clearly document why certain customers are classified as high-risk and adapt workflows in tandem with risk exposure.


Strengthening Your Customer Identification Program (CIP)

CIP, a subset of Know Your Customer (KYC) procedures, is a federally mandated process requiring financial institutions to verify the identity of individuals and entities opening new accounts. Designed to prevent money laundering, terrorist financing, fraud, and other financial crimes, CIP involves collecting and verifying customer information, maintaining detailed records, and screening applicants against government watchlists.

FinCEN, in coordination with other federal agencies, has issued an exemption to the CIP Rule allowing institutions to collect only the last four digits of a Taxpayer Identification Number (TIN) and verify the full number through a trusted third-party source. This exemption is optional and does not override IRS requirements. For accounts subject to IRS reporting, such as those involving interest payments, backup withholding, or requiring Form W-9 or W-8BEN, institutions must still collect the full TIN directly from the customer.

CIP procedures should clearly differentiate between account types and include written protocols to comply with both FinCEN and IRS standards. If your institution partners with an ID verification provider, it’s important to train staff thoroughly and implement ongoing audits of the onboarding process. Continuous education and awareness are key to managing risk and maintaining compliance.

Considering Partnering with a Fintech?

Regulatory scrutiny around fintech partnerships is intensifying, and financial institutions must be prepared to meet heightened expectations. Before onboarding a fintech partner, banks should verify fintech licenses, monitor data privacy, and treat fintechs as part of their compliance program. This means including them in your risk assessments, conducting vendor due diligence, and reviewing how financial transactions will be managed.

Compliance best practices for banking partners include:

  • Implementing a robust Customer Due Diligence (CDD) program
  • Maintaining active compliance oversight and conducting regular audits
  • Validating models and assessing geographic risks
  • Reviewing prohibited business listings and high-risk product offerings
  • Evaluating whether the fintech’s customer base poses elevated risks for money laundering or terrorist financing
  • Assessing the fintech’s engagement with other banking partners in relation to your institution’s risk tolerance

Not all fintechs are alike. Some offer deposit services, while others focus on small-dollar loans or infrastructure. Risk assessments should reflect these differences. Controls on the fintech’s side, such as cash flow management and licensing, can provide additional assurance. Before going live, understand how accounts will be used and make sure the flow of funds is clearly documented.


Fintech Onboarding Checklist

When partnering with fintechs, institutions should:

  • Create contracts with clear data use parameters, audit rights, and legal protections
  • Evaluate the fintech’s business experience, financial condition, and operational resilience
  • Confirm compliance with laws, information security standards, and risk controls

Monitoring for Crypto: What Financial Institutions Need to Know

As cryptocurrency adoption grows, financial institutions must adapt their compliance frameworks to monitor crypto-related activity effectively. The foundation of this effort begins with CDD, a regulatory requirement under the BSA.

Start by Defining “Normal”

Before you can detect suspicious crypto activity, you must first understand what “normal” looks like for your institution. This includes identifying whether customers are engaged in crypto mining, using exchanges, generating revenue from digital assets, or funding these activities through specific channels.

Your procedures should address relevant scenarios and follow your institution’s established compliance standards.

Operate Within Your Compliance Framework

To maintain regulatory alignment, financial institutions must function strictly within their approved compliance protocols. This means adhering to written policies and procedures, using only authorized tools and models, and maintaining thorough documentation and audit trails.

Institutions should avoid ad hoc or unvetted practices and instead implement robust quality control checks, interdepartmental communication, and ongoing training to support a culture of compliance and accountability.

Due Diligence for Cryptominer Relationships

Cryptominers can be high-risk, but they shouldn’t be automatically rejected. Institutions should:

  • Define acceptable customer types
  • Verify state licensing
  • Understand intended usage (e.g., operational vs. custodial)
  • Document the source of funds
  • Assess whether they offer customer-facing services like wallets or custodial accounts, which may shift compliance responsibility to the bank

Institutions should regularly revisit cryptominer relationships to stay on top of changing regulatory expectations and operational risk profiles.

We Can Help

Whether you’re preparing for an audit, onboarding a fintech partner, or tuning your AML models, Elliott Davis offers tailored consulting and audit services to help you meet regulatory expectations. Let’s make sure your story is one examiners want to read.

Watch the full webinar replay below or contact our team today to start the conversation.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
