Key Takeaways
- BSA/AML training is statutorily required under 31 USC 5318(h)(1)(C) and 31 CFR 1020.210, and the FFIEC examination manual sets the periodic refresh expectation most banks operationalize as annual.
- For banks, GLBA security training obligations are set forth in the Interagency Guidelines at 12 CFR Part 30, which require staff training to implement the information security program.
- OFAC’s 2019 Framework states sanctions training “should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually).” Guidance, not statute, but a clear examiner expectation.
- The Senior Safe Act (12 USC §3423) conditions civil immunity on documented training, with new hires trained within 1 year.
- FinCEN reshaped beneficial ownership obligations twice recently: the March 2025 interim final rule narrowed Corporate Transparency Act reporting to foreign companies, and the February 2026 exception relief order (FIN-2026-R001) ended re-verification at every new account opening.
A new banking compliance officer often inherits the annual training calendar 3 weeks before rollout. The previous officer left in a hurry. The current calendar lists 8 courses. The learning management system (LMS) lists 12. The most recent examination report references 15. The compliance manual says “all employees complete annual training as required by applicable law.” Somewhere in there is the actual scope examiners expect, and somewhere else are the gaps that surface during the next exam cycle.
This article walks through what an annual calendar of banking compliance training courses should cover, organized by regulator and risk area, with the specific statutory and regulatory citations. The intent is practical: a compliance officer or training manager should be able to read this end-to-end and have a defensible scope for the next 12 months, with every requirement anchored to a primary source listed in the References.
The Regulators Who Set the Annual Training Scope
A US bank operates under multiple federal regulators, each with its own examination authority and training expectations.
- FinCEN (Financial Crimes Enforcement Network) administers the Bank Secrecy Act and its implementing regulations under 31 CFR Chapter X. BSA/AML training, suspicious activity reporting, and customer due diligence sit here.
- The OCC (Office of the Comptroller of the Currency) supervises national banks and federal savings associations, with its own implementing rules, including 12 CFR Part 21.
- The FDIC (Federal Deposit Insurance Corporation) supervises insured state nonmember banks in accordance with the FFIEC manuals and FDIC-specific issuances.
- The Federal Reserve supervises state member banks and bank holding companies, applying the FFIEC manuals along with its own guidance.
- The CFPB (Consumer Financial Protection Bureau) has primary examination authority over institutions with more than $10 billion in assets and rulemaking authority over consumer financial regulations that apply to all banks, covering UDAAP, Fair Lending, Regulation Z, Regulation E, and the mortgage rules.
- The FFIEC (Federal Financial Institutions Examination Council) is the interagency body whose examination manuals are followed by the OCC, FDIC, Federal Reserve, NCUA, and CFPB. It is not a regulator itself, but the source of much of the examination guidance the calendar has to satisfy.
2 additional federal bodies have specific training touchpoints: OFAC (Office of Foreign Assets Control) at Treasury sets sanctions compliance expectations through guidance, and the SEC and FINRA publish Senior Safe Act guidance for the institutions they supervise (the Act itself covers banks, credit unions, broker-dealers, investment advisers, and transfer agents). The NCUA supervises federally insured credit unions and parallels much of the federal banking guidance.
State regulators add another layer. Banks with operations in New York fall under the New York State Department of Financial Services (NYDFS) and its 23 NYCRR Part 500 cybersecurity rule, which has its own training requirements. State workplace harassment laws also vary, and banks operating across multiple states have to track each one.
The calendar has to satisfy whichever regulators have examination authority. The next 3 sections cover the topics their rules and guidance require.
The Non-Negotiable Core: BSA/AML, OFAC, Fair Lending, GLBA
4 topics show up on every banking compliance training calendar because the underlying authority is unambiguous or the examiner’s expectations are well established.
BSA/AML Training
Statutorily required. 31 USC 5318(h)(1)(C) requires each financial institution to establish anti-money laundering programs that include, at a minimum, an ongoing training program for appropriate personnel. The implementing regulation at 31 CFR 1020.210 carries the training element in the program requirements for banks, and the OCC’s BSA compliance program rule at 12 CFR 21.21(d)(4) requires training for appropriate personnel. The FFIEC BSA/AML Examination Manual states that periodic training should incorporate current developments and changes to BSA regulatory requirements, supervisory guidance, internal policies, and the bank’s products and customer base. The statute says ongoing; examiner expectation is at least annual in practice.
Audience: all staff with customer or transaction exposure. Topics: BSA fundamentals, money laundering red flags, customer due diligence, suspicious activity report (SAR) and currency transaction report (CTR) procedures, the same scope most banks now source through a standing AML compliance training program rather than building each course from scratch.
OFAC Sanctions Training
Not codified as a regulatory mandate, but OFAC’s A Framework for OFAC Compliance Commitments (May 2, 2019) identifies training as 1 of the 5 essential components of an effective sanctions compliance program, stating that training “should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually).”
Audience: anyone touching transactions, payments, or customer onboarding. Topics: sanctions screening, blocked persons lists, country-based sanctions programs, and reporting blocked or rejected transactions.
Fair Lending Training
Shaped by examiner expectation rather than a single mandate. The CFPB’s ECOA (Equal Credit Opportunity Act) Examination Procedures Baseline Review asks examiners to determine how an institution ensures employees are trained on fair lending risks, which employees receive training, how training is tailored by position, how often it is required, and whether the board and senior management receive it.
Audience: lending staff, management, and the board. Topics: protected class discrimination, disparate impact, redlining risk, fair pricing, and application processing.
GLBA Information Security Training
For banks, Gramm-Leach-Bliley Act (GLBA) security obligations are set forth in the Interagency Guidelines Establishing Information Security Standards (12 CFR Part 30, Appendix B for national banks, with parallel appendices at the FDIC and Federal Reserve), which require banks to train staff to implement the information security program. The FTC Safeguards Rule at 16 CFR 314.4(e) contains the explicit security awareness training requirement (amended December 2021 and fully enforceable since June 9, 2023), but it applies to non-bank financial institutions. Many banks use it as a reference standard, and the FFIEC Information Technology Examination Handbook carries the parallel examiner expectation for banks.
Audience: all personnel with access to customer information. Topics: data protection practices, incident response, phishing recognition, and access control.
The full banking calendar, 1 curated catalog. KC Library’s role-based AML/BSA/KYC training, refreshed with new content every month.
The Transaction-Layer Mandates: Reg Z, Reg E, Reg CC, UDAAP, SAR/CTR
The second layer of the calendar covers the regulations that govern day-to-day banking transactions. The regulations at this layer do not always contain explicit training mandates in the regulatory text, but examiner reviews evaluate whether staff have been trained on the substantive requirements.
Regulation Z (Truth in Lending)
12 CFR Part 1026 sets disclosure requirements, APR calculations, rescission notices, and the rules for closed-end and open-end credit. Lending and operations staff have to know what to disclose and when. Examiner reviews assess compliance, which presumes training even when the regulation does not explicitly require it.
Regulation E (Electronic Fund Transfers)
12 CFR Part 1005 covers error resolution procedures, liability rules for unauthorized transfers, and remittance transfer requirements. Frontline staff have to handle Regulation E inquiries correctly within the timelines the regulation specifies.
Regulation CC (Funds Availability)
Regulation CC governs check holds, expedited availability requirements, and exception holds. Tellers and operations staff are the primary audience.
UDAAP
Unfair, deceptive, or abusive acts or practices (UDAAP) sits under the CFPB’s broad authority. The CFPB UDAAP Examination Procedures include a review of the compliance management system and training materials. A March 2022 amendment that addressed discrimination as an unfair practice was vacated by a federal court in September 2023, and the CFPB agreed to dismiss the related appeal in May 2025. The core UDAAP examination scope (unfairness, deception, abuse) remains active. The examiner expects frontline and compliance staff to understand the principles.
SAR and CTR Filing
Grounded in 31 CFR 1020.320 and 31 CFR 1010.311. A bank must file a SAR when a transaction involves or aggregates at least $5,000 in funds or other assets and the bank knows, suspects, or has reason to suspect the activity meets one of the suspicious activity criteria, with no dollar minimum for suspected insider abuse. The SAR filing deadline is 30 calendar days after initial detection, extendable to 60 days if no suspect is identified at the time of detection, under 31 CFR 1020.320(b)(3). CTRs are required for currency transactions exceeding $10,000 under 31 CFR 1010.311.
Audience: tellers, branch staff, BSA officers, and supervisors who approve filings, all covered under the bank’s standing BSA compliance training program.
The Risk-Area Topics Most Banks Miss Until the Examination
These are the topics that show up in examination findings when they have not been refreshed, and they often distinguish a defensible training program from a checklist program.
Senior Safe Act Training
The Senior Safe Act, Public Law 115-174 §303, codified at 12 USC §3423, grants civil immunity to covered financial institutions and their eligible employees for reporting suspected senior financial exploitation, provided training conditions are met. The training must instruct individuals on how to identify and report suspected exploitation, internally and to government officials or law enforcement, including common signs of exploitation, and must discuss protecting customer privacy. It must be appropriate to the job responsibilities. Current covered employees must complete training as soon as reasonably practicable; new employees within 1 year. The institution must maintain records and make them available to the relevant covered agency on request. The SEC, FINRA, and NASAA issued a joint Senior Safe Act Fact Sheet in 2019.
Audience: anyone who may interact with senior customers or review their transactions.
FCRA Training
Fair Credit Reporting Act (FCRA) training covers adverse action notices, furnishers’ accuracy obligations, identity theft red flag programs under the Red Flags Rule, and risk-based pricing notices. Lending staff, collections, and customer service are the primary audience.
HMDA Training
Home Mortgage Disclosure Act (HMDA) training applies to depository institutions that meet the asset and loan origination thresholds. Staff who collect, process, or report HMDA data have to understand the data points, the Loan/Application Register requirements, and the public submission process. CFPB enforcement actions in recent years have focused on HMDA data accuracy, making this an area of examiner attention.
SAFE Act and Mortgage Loan Originator Training
Annual continuing education is required for licensed mortgage loan originators (MLOs), with content set through the Nationwide Multistate Licensing System (NMLS). Banks employing MLOs maintain the training records.
Cybersecurity Awareness Beyond GLBA
Phishing simulations, social engineering recognition, password and multi-factor authentication practices, and incident reporting procedures. NYDFS 23 NYCRR §500.14(a)(3), as amended November 2023, requires at least annual cybersecurity awareness training for all personnel at covered entities, including social engineering content.
State-Specific Harassment Prevention Training
California, New York, Illinois, Connecticut, Delaware, Maine, and Washington each have training mandates with their own frequency and content requirements. Banks operating across state lines track each one.
Beneficial Ownership and CDD Training
The scope has changed significantly since 2024. The next section covers it.
How to Keep the Calendar Current as Regulators Issue New Guidance
A training calendar is not a one-time build. The job is to keep it current as regulators issue new guidance and enforcement actions reveal where examiners’ attention is shifting. 3 recent changes should already be reflected in 2026 calendars, and 1 pending rulemaking deserves a standing watch.
NYDFS Part 500 Amendments (November 2023)
The amendments added specific cybersecurity training requirements at 23 NYCRR §500.14(a)(3), including at least annual training and social engineering content. Covered banks operating in New York should ensure these are reflected in the 2026 cybersecurity training program.
The Corporate Transparency Act Narrowing (March 21, 2025)
FinCEN’s interim final rule removed beneficial ownership information (BOI) reporting requirements under the Corporate Transparency Act for US companies and US persons, revising the definition of “reporting company” to include only entities formed under the law of a foreign country and registered to do business in a US State or Tribal jurisdiction. Banks no longer need to train staff on US-entity BOI reporting under the CTA, but training on the intersection of customer due diligence and foreign-entity reporting remains relevant.
The CDD Exceptive Relief Order (February 13, 2026)
FinCEN’s exceptive relief order FIN-2026-R001 relieves covered financial institutions from the requirement at 31 CFR 1010.230(b) to identify and verify the beneficial owners of a legal entity customer at each new account opening. Banks may now limit beneficial ownership identification and verification to: when a legal entity customer first opens an account; any time the bank has knowledge of facts that reasonably call previously obtained information into question; and as needed under the bank’s risk-based ongoing customer due diligence procedures. Banks must still maintain written procedures to identify and verify beneficial owners as part of the AML program. Training should cover when re-verification is and is not required under the order.
The Watch Item: FinCEN’s AML/CFT Program Proposal (April 2026)
FinCEN’s proposed rule of April 10, 2026, would restructure the AML/CFT program requirements, with training remaining a pillar of the program. The comment period closed in June 2026 and the rulemaking remains pending. When the final rule is issued, the BSA/AML section of the calendar will need a fresh review.
The Quarterly Review Discipline
Beyond these, a productive quarterly review of bank compliance workforce capability covers:
- New FinCEN advisories and statements (terrorist financing typologies, fraud trends, jurisdictional updates)
- CFPB consent orders and enforcement actions that surface UDAAP examples
- OCC, FDIC, and Federal Reserve enforcement actions
- State regulator guidance, especially NYDFS for institutions touching New York
- Updates to the FFIEC BSA/AML Examination Manual
For institutions that buy training content from a curated library, the question is whether the library’s content keeps pace with these sources. KC Library publishes new content every month, so the catalog stays current as guidance changes. Banks evaluating the library should compare the catalog against their specific regulatory footprint during a working session with the KnowledgeCity team. The maintenance burden is real, and the cost of out-of-date training shows up in the next examination cycle.
Build a calendar that holds up at examination. Every course, completion, and recertification on 1 exam-ready record.
Frequently Asked Questions
- Which banking compliance training is statutorily required versus examiner-expected?
BSA/AML training is statutorily required under 31 USC 5318(h)(1)(C) and the implementing regulation at 31 CFR 1020.210. For banks, GLBA information security training obligations run through the Interagency Guidelines at 12 CFR Part 30 (the FTC Safeguards Rule’s explicit training requirement at 16 CFR 314.4(e) applies to non-bank financial institutions). The Senior Safe Act under 12 USC §3423 conditions civil immunity on documented training. OFAC sanctions training is strongly encouraged by the 2019 OFAC Framework but is guidance rather than a codified mandate. Fair Lending, UDAAP, Regulation Z, and Regulation E training are examiner expectations supported by CFPB examination procedures rather than explicit training mandates in the regulatory text.
- How often does FinCEN expect BSA/AML training to be refreshed?
The statute and implementing regulations require an ongoing training program for appropriate personnel. The FFIEC BSA/AML Examination Manual states that periodic training should incorporate current developments and changes to BSA regulatory requirements, supervisory guidance, internal policies, the bank’s products, and its customers. Most banks operationalize this as annual training with interim updates when significant guidance changes are issued.
- What has changed recently that updates the banking compliance training scope?
3 changes plus 1 pending. NYDFS amendments to 23 NYCRR Part 500 (effective November 2023) added annual cybersecurity training with social engineering content under §500.14(a)(3). FinCEN’s March 21, 2025, interim final rule narrowed Corporate Transparency Act BOI reporting to foreign reporting companies. FinCEN’s February 13, 2026 exceptive relief order (FIN-2026-R001) ended the requirement to re-verify beneficial owners at every new account opening for existing legal entity customers. And FinCEN’s April 2026 proposed rule restructuring AML/CFT program requirements remains in rulemaking; the final rule will require a fresh review of the BSA/AML training scope.
- Does KC Library cover the topics on this calendar?
KC Library carries role-based AML/BSA/KYC training with annual recertifications auto-assigned and exam-ready completion records, alongside compliance categories covering regulatory compliance, fraud prevention, retail banking, cybersecurity, and state-specific harassment prevention, with new content published every month. Banks evaluating the library should compare the catalog scope against their specific regulator footprint, including topics like Senior Safe Act, HMDA, and SAFE Act continuing education, during a working session with the KnowledgeCity team.
References
- 31 USC 5318(h), Bank Secrecy Act anti-money laundering program requirements.
- 31 CFR 1020.210, Anti-money laundering program requirements for banks.
- 12 CFR 21.21, OCC procedures for monitoring Bank Secrecy Act compliance.
- Federal Financial Institutions Examination Council. BSA/AML Examination Manual.
- US Treasury, Office of Foreign Assets Control. A Framework for OFAC Compliance Commitments, May 2, 2019.
- 12 CFR Part 30, Appendix B. Interagency Guidelines Establishing Information Security Standards.
- 16 CFR Part 314, FTC Safeguards Rule (Gramm-Leach-Bliley Act), applicable to non-bank financial institutions.
- Public Law 115-174 §303 / 12 USC §3423, Senior Safe Act.
- 31 CFR 1020.320, Reports by banks of suspicious transactions.
- 31 CFR 1010.311, Filing obligations for reports of currency transactions.
- CFPB. ECOA Examination Procedures Baseline Review.
- CFPB. Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) Examination Procedures.
- FinCEN. Exceptive Relief Order FIN-2026-R001, February 13, 2026.
- FinCEN. Interim final rule removing beneficial ownership reporting requirements for US companies and US persons, March 21, 2025.
- FinCEN. Anti-Money Laundering and Countering the Financing of Terrorism Programs, proposed rule, April 10, 2026.
- NYDFS. 23 NYCRR Part 500, including §500.14(a)(3), as amended November 2023.
- SEC, NASAA, FINRA. Senior Safe Act Fact Sheet, 2019.


