Why Bank Compliance Programs Pass Documentation Audits but Fail Capability Audits

The banking industry spent years building compliance programs around a framework that treated documentation as the primary output, investing in the systems and processes that produced completion records for annual BSA/AML training, designated compliance officer files, results of independent testing, and documented internal controls. That documentation package satisfied the regulatory standard it was designed to meet, and for most of the past two decades, producing that package was the practical definition of compliance program success for a large share of institutions. Congress changed that standard with the Anti-Money Laundering Act of 2020, and many programs built around producing that documentation file have not fully adapted to what the new standard now requires. 

The effectiveness standard introduced by the AML Act shifts the examiner’s inquiry from confirming that required activities occurred to assessing whether the program is reasonably designed to produce BSA/AML compliance outcomes. That shift requires a different category of supporting evidence, produces different examiner inquiries, and exposes vulnerabilities that documentation-focused programs were never designed to address. 

The compliance programs that pass documentation audits and still draw findings under an effectiveness review are programs built to answer one question that are now being evaluated against a different one. CLOs and compliance directors whose training architectures center on completion records are managing a gap between what their programs produce and what the current regulatory standard requires, often without a clear picture of where that gap begins. 

Documentation Compliance and Capability Compliance Measure Different Program Properties 

What the Documentation Standard Asks Examiners to Confirm 

The documentation standard that governed BSA/AML examination for much of the past two decades organized examiner inquiries around four questions. Examiners confirmed that internal controls were in place covering the required policies, procedures, and operational safeguards; that a designated compliance officer held appropriate authority within the organization; that relevant personnel had received training on their BSA/AML obligations, with records showing who was trained on what subject matter and when; and that a qualified auditor had reviewed program compliance within the required timeframe. Together, these four questions produced a file-based examination in which a bank with complete, well-organized records generally satisfied the examiner’s inquiry. 

That standard had a structural quality that compliance programs adapted to over time. Completion records, attendance logs, and certificate archives are administratively tractable, meaning they can be produced, organized, and presented to an examiner with relative precision. The measurability of documentation compliance encouraged programs to invest in the systems that produced documentation, and across many examination cycles, those systems became the operational baseline for compliance infrastructure at a large share of institutions. 

What the Effectiveness Standard Asks Examiners to Assess 

The effectiveness standard introduced by the AML Act of 2020 shifts the examiner’s inquiry from confirming that required activities occurred to assessing whether the program is reasonably designed to produce BSA/AML compliance outcomes. Answering that question requires different evidence than a documentation file contains. An examiner reviewing a program under an effectiveness lens assesses whether training was designed in relation to the institution’s identified risk profile, whether employees in different roles receive training calibrated to their specific AML/CFT obligations, and whether the institution has any basis for concluding that its trained employees can apply what they were taught in the transactions they encounter on the job. 

Documentation compliance produces records of program activity; the evidence it generates answers the question of whether required activities occurred. Capability compliance requires evidence that training translated into the behaviors it was designed to produce, and because those two categories of evidence come from architecturally different program designs, a compliance architecture built around documentation production will not automatically generate capability evidence alongside it. 

The Statutory and Regulatory Framework Behind the Effectiveness Standard 

The AML Act of 2020 and 31 U.S.C. §5318(h) 

The Anti-Money Laundering Act of 2020 amended the Bank Secrecy Act’s program requirement at 31 U.S.C. §5318(h) to require financial institutions to establish and maintain compliance programs that are “effective” and “risk-based.” Before this amendment, the statute described what program elements were required but did not include the word “effective” as a compliance standard. Adding that word moved the statutory floor from structural compliance (does the program have the required components?) to outcome compliance (does the program work?). 

The five-pillar program framework that most banks operate under today reflects subsequent regulatory development on top of the AML Act’s statutory foundation. The original four pillars (internal controls, BSA compliance officer, training, and independent testing) predated the AML Act and described program structure. FinCEN’s 2016 Customer Due Diligence Rule, codified at 31 CFR §1010.230, added a fifth pillar requiring financial institutions to identify and verify the beneficial owners of legal entity customers. The five-pillar framework describes what a compliant program contains; the AML Act effectiveness standard describes what a compliant program must accomplish. 

FinCEN’s April 2026 NPRM and 31 CFR §1010.210 

FinCEN proposed implementing the AML Act’s effectiveness standard in regulation through an NPRM published in the Federal Register on April 10, 2026 (document 2026-07033). The proposed rule would require financial institutions to establish and maintain effective AML/CFT programs under a revised 31 CFR §1010.210, replacing the current regulation’s structural description with a two-pronged framework that distinguishes between program design and program implementation. FinCEN’s accompanying materials describe the problem the rule is designed to address in direct terms, citing institutions that treat compliance as check-the-box activity and build programs that satisfy documentation requirements without being designed around the institution’s actual risk exposures. 

The proposed rule adds an explicit requirement that training programs be risk-based and aligned with the institution’s AML/CFT risk profile. A generic course catalog applied uniformly across all employees does not satisfy that standard, because the standard requires the training design to be explainable in terms of the institution’s identified risks and the roles that face those risks most directly. For CLOs whose training programs are currently designed around broad annual completion, that specificity represents a substantive compliance gap that adding more completion records cannot resolve. 

“The proposed rule is designed to shift away from merely checking whether training occurred and toward whether the training is appropriate to the institution’s risk profile.” 

— FinCEN, Program NPRM Key Changes Fact Sheet, April 2026 

What Examiners Test When They Look Beyond Completion Records 

OCC Bulletin 2025-37 and Risk-Proportionate Examination 

The OCC published Bulletin 2025-37 in November 2025 establishing new minimum BSA/AML examination procedures for community banks, effective for examinations beginning February 1, 2026. Its organizing principle is risk proportionality, meaning examiners can carry forward prior-cycle conclusions for the Training and BSA Compliance Officer pillars when the bank’s risk profile has not materially changed and prior examination findings were satisfactory. For banks with stable risk profiles and clean prior records, this carry-forward provision reduces the depth of training scrutiny in a given examination cycle, allowing examiner attention to concentrate on higher-risk program elements. 

A bank whose risk profile has changed (through new products, new markets, new customer segments, or a material shift in AML/CFT risk concentrations) cannot rely on prior-cycle conclusions being carried forward. In those circumstances, the examiner assesses the training program directly, evaluating whether training design reflects the current risk profile, whether role-specific assignments have been updated to reflect new exposure areas, and whether the institution can produce evidence connecting its training to the risks it now carries. Institutions managing a period of product expansion, new market entry, or customer segment growth can expect the full effectiveness review, including its additional evidence requirements, to apply in the current or immediately following examination cycle. 

The Evidence That Satisfies an Effectiveness Review 

A well-maintained training file establishes that employees were assigned to courses and that those assignments were completed; that is the evidence a documentation review draws on. An effectiveness review starts from that foundation and goes further, asking how the training content was selected in relation to the institution’s BSA/AML risk assessment, what criteria governed which employees received which training, and whether any mechanism exists for the institution to determine whether trained employees can apply what they were taught when handling the transactions and alerts their roles generate. 

The FFIEC BSA/AML Examination Manual sets the training standard in terms of employee responsibility and institutional risk profile, requiring banks to provide training to employees as appropriate based on their responsibilities, to ensure they can carry out their BSA/AML duties effectively and in a manner commensurate with the institution’s risk profile. That framing ties the adequacy of a training program to its outcomes in employees’ actual roles, grounded in the specific risk profile the institution carries. An institution whose program addresses general BSA/AML subject matter, with no documented mapping between training content and the institution’s risk concentrations and role-specific obligations, satisfies the procedural standard and leaves exposed the competency question the manual’s effectiveness-grounded language is specifically designed to test. 

The Operational Areas in Which Capability Gaps Concentrate 

Bank compliance programs that produce documentation records without building capability evidence carry risk in specific operational areas, and those areas are predictable from the structure of BSA/AML compliance obligations. The highest concentration of risk appears where compliance depends on employee judgment that must be exercised in real time against situations the training addressed only at the general level. 

Transaction Monitoring, Alert Escalation, and Analyst Judgment 

Transaction monitoring programs generate alerts automatically, but whether those alerts produce the right compliance outcomes depends entirely on analyst judgment. A completion record establishes only that an analyst attended annual BSA/AML training on transaction monitoring thresholds; it produces no evidence of what that training built in terms of analytical capability. The examiner conducting an effectiveness review is asking whether that analyst can explain the risk logic behind the institution’s monitoring scenarios, identify the typologies those scenarios are designed to detect, and make an independent escalation decision on a complex alert, all competencies that attendance records cannot confirm. 

Banks whose transaction monitoring programs have drawn examiner findings in recent cycles commonly arrive at those examinations with complete training files, independent testing reports covering all required periods, and current BSA compliance officer designations. The examiner’s finding concerns whether the monitoring program is designed to detect the typologies the institution’s risk assessment identified as priorities, and whether the analysts who operate it can demonstrate the escalation judgment their role demands. A documentation file records whether training occurred and cannot show whether the training produced those qualities, which is why adding more completion records to the file would not address what the examiner found. 

Customer Due Diligence, Beneficial Ownership, and Ongoing Risk Monitoring 

FinCEN’s CDD Rule, effective May 2018 and codified at 31 CFR §1010.230, established beneficial ownership identification as a fifth required pillar of BSA/AML compliance, requiring institutions to identify and verify the beneficial owners of legal entity customers at account opening and to maintain updated beneficial ownership information as customer risk profiles evolve. Banks that built training programs to meet this requirement initially concentrated on the mechanics of the beneficial ownership form and on which employees were responsible for completing it. That emphasis on mechanics produced a specific capability gap, surfacing in relationship managers whose training equipped them for straightforward structures without building the analytical skill to accurately identify beneficial owners in the complex legal entity arrangements that present the most risk. 

Ongoing monitoring of customer risk profiles creates a parallel gap. A training program that covers the concept of customer risk reassessment produces completion records for a requirement whose compliance value depends entirely on whether relationship managers can identify the signals that warrant a risk review and escalate them through the right channels. Documentation records confirm that employees attended training on ongoing monitoring obligations. An effectiveness examination goes further, evaluating whether the institution can show monitoring evidence proportionate to its customers’ risk profiles and calibrated to the typologies it has identified as relevant. 

• Alert escalation rates that consistently match system-suggested dispositions without evidence of independent analyst judgment 
• CDD exception rates that exceed peer benchmarks without a documented risk rationale tied to the institution’s customer segment profile 
• Beneficial ownership collection rates that fall below threshold for complex legal entity customers 
• Independent testing findings that cite training design deficiencies rather than attendance documentation gaps 
• Role-specific assessment results that reveal knowledge gaps in the transaction typologies the institution’s BSA/AML risk assessment identifies as high-priority 

 

How a Workforce Development Platform Changes the Evidence a Compliance Program Produces 

Role-Specific Training Assignments Tied to the Institutional Risk Profile 

A compliance training program built to satisfy the effectiveness standard needs to connect training assignments to the institution’s risk profile in a way that an examiner can trace. That means different training paths for tellers, relationship managers, commercial bankers, and operations staff, based on the specific AML/CFT risk exposures each role carries. Updates to the institution’s risk assessment should trigger corresponding updates to training assignments as well, so that a new product line creating a new typology exposure or a new customer segment shifting CDD risk concentrations is reflected in role-specific training before the exposure becomes active. 

KnowledgeCity’s Learning Library includes BSA/AML, CDD, fair lending, and regulatory compliance courses structured for assignment by role and risk category. The platform allows compliance officers to align course assignments directly with the institution’s risk assessment findings, producing a training record that maps to examiner questions about training appropriateness. Completion records generated by the platform include assignment context that supports an effectiveness review alongside the documentation review it also satisfies. 

Assessment Results as Examiner-Usable Evidence 

A platform that generates scenario-based assessment scores, tracks performance across reassessments, and records remediation for employees who score below threshold is producing the category of evidence the effectiveness standard’s analytical requirements are designed to test. The examiner reviewing a program under an effectiveness lens asks whether the institution has evidence that training produced the compliance behaviors it was designed to produce, and assessment records organized by role and tied to the risk categories the institution’s BSA/AML risk assessment identified are what makes that question answerable. 

The completion and assessment records the platform generates are formatted for compliance reporting and organized by role, risk category, and assessment cycle in the format an effectiveness examination draws on. For CLOs building training infrastructure ahead of FinCEN’s April 2026 NPRM implementation cycle, that record architecture is what positions a program to satisfy the effectiveness standard the proposed rule formalizes. 

What Changes When Capability Evidence Becomes Part of the Compliance Architecture 

Documentation requirements remain the foundation of any BSA/AML examination. Banks still need complete, well-organized records showing that all five program pillars are in place, that training covered the required subject matter, and that independent testing was conducted, and the operational discipline required to maintain those records is the prerequisite for passing any examination, whether it focuses on documentation completeness or program effectiveness. A compliance director who reads the FinCEN NPRM’s language about check-the-box compliance as directed at someone else’s program and takes no inventory of their own program’s evidence is making an assumption the regulatory trajectory does not support. 

The compliance director who acts differently after this analysis begins with the documentation review, confirming that training records are complete, independent testing was conducted, and the BSA compliance officer designation is current. From that foundation, the director asks whether the training content maps to the institution’s current risk profile, whether any assessment mechanism exists to show that trained employees can apply what they were taught, and whether the program generates records organized to support an effectiveness review alongside the documentation review it already passes. 

The AML Act effectiveness mandate, the FinCEN April 2026 NPRM, and the OCC’s shift toward risk-proportionate examination are together moving the definition of compliance program success toward one that requires capability evidence alongside documentation records. Banks that build assessment capacity into their training infrastructure before that standard is fully implemented will enter the next examination cycle with both the documentation file and the capability evidence an effectiveness review requires. KnowledgeCity’s training platform gives bank compliance functions the catalog, role-specific assignment tools, and assessment record formats to build that infrastructure within the current examination cycle. 

Frequently Asked Questions 

1. What does “effectiveness” mean under the AML Act of 2020 for bank BSA/AML programs? 

The Anti-Money Laundering Act of 2020 amended 31 U.S.C. §5318(h) to require financial institutions to maintain BSA/AML compliance programs that are “effective” and “risk-based.” The statutory standard shifts the compliance program requirement from structural adequacy to outcome adequacy. Under FinCEN’s April 2026 NPRM implementing this standard, financial institutions must establish and maintain effective AML/CFT programs under a revised 31 CFR §1010.210, with training designed in relation to the institution’s specific AML/CFT risk profile rather than applied uniformly from a generic catalog. 

2. Does OCC Bulletin 2025-37 reduce examination scrutiny of compliance training programs at community banks? 

OCC Bulletin 2025-37, effective February 1, 2026, allows examiners to carry forward prior-cycle conclusions for the Training and BSA Compliance Officer pillars when a bank’s risk profile has not materially changed and prior examination findings were satisfactory. In those cases, the examiner may apply less intensive review of training documentation in a given cycle. When a bank’s risk profile has changed or prior findings were unsatisfactory, the OCC examines training program effectiveness directly, including how training content maps to the updated risk profile and whether role-specific assignments reflect current risk concentrations. 

3. What specific evidence does a BSA/AML examiner expect beyond training completion records under an effectiveness review? 

Under an effectiveness review, examiners assess whether training design can be explained in terms of the institution’s BSA/AML risk profile, whether role-specific training assignments cover the specific typologies each role is likely to encounter, and whether the institution has any mechanism for evaluating whether trained employees can apply their training in realistic scenarios. The FFIEC BSA/AML Examination Manual sets the training standard in terms of employee responsibility and institutional risk profile, requiring banks to provide training as appropriate based on employees’ responsibilities, to ensure they can carry out their BSA/AML duties effectively and in a manner commensurate with the institution’s risk profile. Assessment records, reassessment results, and documentation of training design rationale are categories of evidence that support an effectiveness finding beyond completion records alone. 

4. How does the fifth pillar of BSA/AML compliance (customer due diligence) connect to the capability standard? 

FinCEN’s Customer Due Diligence Rule, effective May 2018 and codified at 31 CFR §1010.230, added beneficial ownership identification as a fifth required element of BSA/AML compliance programs. Under an effectiveness review, examiners assess whether CDD training produced the capability to accurately identify beneficial owners in complex legal entity structures. Completing the training module is the documentation finding; the effectiveness finding concerns whether the training built the analytical skill the requirement demands. A training program that covered the beneficial ownership form-completion process without building the analytical skill to apply it to complex structures produces completion records for a capability requirement that records alone cannot confirm. Assessment data tied to realistic CDD scenarios is the evidence that supports an effectiveness finding on this pillar. 

References 

• FinCEN. “Anti-Money Laundering and Countering the Financing of Terrorism Programs.” Federal Register Vol. 91, No. 69, April 10, 2026. Document 2026-07033. 

• FinCEN. “Program NPRM Key Changes Fact Sheet.” April 2026. 

• Office of the Comptroller of the Currency. “OCC Bulletin 2025-37: Bank Secrecy Act/Anti-Money Laundering — Revised Minimum Examination Procedures for Community Banks.” November 24, 2025. 

• FFIEC. BSA/AML Examination Manual. Federal Financial Institutions Examination Council. 

• FinCEN. “Customer Due Diligence Requirements for Financial Institutions.” Final Rule, 31 CFR §1010.230. Federal Register Vol. 81, No. 91, May 11, 2016. 

• Anti-Money Laundering Act of 2020, Pub. L. 116-283, Div. F (National Defense Authorization Act for Fiscal Year 2021). Amending 31 U.S.C. §5318(h).