10 Keys to Conducting an Effective AML/BSA Audit in 2025

Oberheiden P.C.

Financial institutions need to remain vigilant about managing anti-money laundering and Bank Secrecy Act (AML/BSA) compliance in 2025. As the financial ecosystem becomes increasingly complex, and as transactions increasingly involve parties around the globe, it is imperative that financial institutions do what it takes to ensure ongoing compliance with the Bank Secrecy Act and other federal anti-money laundering laws and regulations.

A key aspect of effective AML/BSA compliance management is periodic auditing and comprehensive risk assessment. Federal regulations mandate that banks and other financial institutions conduct audits (or “independent testing”) as a “minimum” requirement for AML/BSA compliance. While the regulations do not establish specific requirements for AML/BSA auditing, the Federal Financial Institutions Examination Council (FFIEC) states that financial institutions’ AML/BSA auditing programs should:

  • “[A]ssess the bank’s compliance with BSA regulatory requirements, relative to its risk profile, and assess the overall adequacy of the BSA/AML compliance program;”
  • “[B]e commensurate with the [money laundering/terrorist financing (ML/TF)] and other illicit financial activity risk profile of the bank and the bank’s overall risk management strategy;” and,
  • “[B]e risk-based and evaluate the quality of risk management related to ML/TF and other illicit financial activity risks for significant banking operations across the organization.”

The FFIEC has the authority to assess the efficacy of financial institutions’ AML/BSA compliance programs, and it can pursue regulatory or civil enforcement action as warranted. As a result, it is critical that financial institutions not only prioritize AML/BSA compliance and internal audit functions, but that they do so with a specific focus on addressing the FFIEC’s top priorities and concerns.

“Effectively managing AML/BSA compliance remains critical for banks and other financial institutions in 2025—and conducting regular internal audits is a key part of this process. Not only does conducting regular internal audits satisfy financial institutions’ regulatory obligations, but it also allows them to identify AML/BSA-related risks before they lead to bigger problems.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

With this in mind, how can financial institutions conduct effective AML/BSA audits in 2025? Here are 10 tips based on the federal anti-money laundering regulations, the FFIEC’s Examination Manual, and other pertinent sources:

1. Conducting the AML/BSA Audit in a Timely Manner

While the FFIEC notes that, “[t]here is no regulatory requirement establishing BSA/AML independent testing frequency,” it suggests that financial institutions “conduct independent testing over periodic intervals (for example, every 12-18 months) and/or when there are significant changes in the bank’s risk profile, systems, compliance staff, or processes.” An annual AML/BSA auditing schedule will make sense in most cases.

With that said, it is imperative that financial institutions heed the FFIEC’s advice about conducting one-off audits in response to significant changes as well. If a significant change presents new AML/BSA-related risks and/or requires updates to a financial institution’s compliance program, this is a concern that needs to be addressed promptly.

2. Ensuring that the Auditors are “Independent” of the Financial Institution’s Board and Senior Management

The FFIEC also stresses the importance of independence during the AML/BSA auditing process. In the FFIEC’s Examination Manual, its examiners are advised to, “[t]hrough a review of board minutes or other board of directors’ materials, determine whether persons conducting the independent testing reported directly to the board of directors or to a designated board committee comprised primarily, or completely, of outside directors.”

While it is possible to satisfy the “independence” requirement with financial institution personnel, the FFIEC states that these individuals must be, “qualified bank staff who are not involved in the function being tested.” From a compliance management perspective, it is critical that a financial institution’s AML/BSA auditors are up-to-date on the latest legal developments in financial systems, and they must be able to thoroughly document the audit (and any issues uncovered during the audit process) as well. For these reasons, engaging an outside firm to conduct a financial institution’s AML/BSA audits will be advisable in most cases.

3. Assessing the Financial Institution’s AML/BSA Compliance Policies and Procedures

While the primary purpose of an AML/BSA audit is to assess compliance, the process begins (or should begin) with a review of the financial institution’s AML/BSA compliance policies and procedures. If an institution’s compliance policies and procedures and transaction monitoring systems are outdated, incomplete, or insufficient in any other respect, then addressing these deficiencies should be a top priority going forward.

Generally, a financial institution’s AML/BSA compliance policies and procedures should serve as a roadmap for the audit process. Auditors should be able to assess compliance with these policies and procedures—and, if the financial institution’s policies and procedures are being followed, this should signify that the institution is managing its AML/BSA-related risks effectively. However, if a financial institution’s AML/BSA compliance policies and procedures are deficient, then following them will be deficient from a federal compliance and risk management perspective as well.

4. Assessing AML/BSA Compliance

Assuming that the financial institution’s AML/BSA compliance policies and procedures are adequate, then the next step is to assess AML/BSA compliance. While this can be a significant undertaking for large financial institutions with complex business operations and potentially high-risk clientele, taking a systematic approach can streamline the process significantly. Just like compliance itself, assessing compliance should involve executing a documented set of processes and protocols focused on the task at hand.

To be clear, this task is to assess compliance, not confirm it. The purpose of conducting an AML/BSA audit is to obtain an unbiased understanding of the current state of the financial institution’s AML/BSA compliance efforts. If the outcome of the audit process is confirmation of full compliance, this is the best-case scenario. However, if there are issues to address, these issues need to be identified, acknowledged, and dealt with appropriately.

5. Paying Particular Attention to FFIEC Compliance Priorities

While comprehensiveness is (or should be) a key attribute of any AML/BSA audit, it will be worth paying particular attention to the FFIEC’s compliance priorities. As outlined in the Examination Manual and other resources, some examples of these priorities include:

  • Suspicious Activity Reporting Systems (SARs)
  • Currency Transaction Reports (CTRs)
  • Customer Information Programs (CIPs) and Customer Due Diligence (CDD)

Knowing that these are likely to be focus areas in the event of an FFIEC examination, it makes sense to ensure that these issues are thoroughly addressed (and that compliance is thoroughly documented) during the audit process. Of course, these are high-risk areas even outside of FFIEC enforcement, so ensuring compliance in these areas is also important from a broader risk management perspective.

6. Assessing the Efficacy of the Financial Institution’s AML/BSA Training Programs (and Its Training Documentation)

All financial institutions should have AML/BSA training programs that are custom-tailored to their specific operations and risks. When conducting an AML/BSA audit, assessing the efficacy of these training programs is critical as well. Likewise, financial institutions need to ensure that they have documentation on hand that demonstrates the successful completion of all relevant training programs by all relevant personnel.

7. Assessing Remedial Measures From Prior AML/BSA Audits

Financial institutions will frequently need to take remedial measures in response to AML/BSA audits. These measures may be necessary due to changes in a financial institution’s operations or risks, changes in the law, or internal control compliance failures. In any case, once an issue has been identified, effective remediation is essential for reestablishing compliance and mitigating the potential risks involved.

As a result, when a financial institution is conducting an AML/BSA audit after taking remedial measures in response to a previous audit, assessing the efficacy of these remedial measures should be a priority as well. If any previously identified compliance failures are continuing, this is a situation that needs to be addressed right away.

8. Thoroughly Documenting the AML/BSA Audit Process

When it comes to managing regulatory risk, thoroughly documenting the AML/BSA audit process is just as important as conducting the audit itself. When facing scrutiny from the FFIEC, financial institutions must be able to affirmatively demonstrate the lengths to which they have gone to meet their federal compliance obligations. If a financial institution’s audit documentation is lacking, this can create more questions than answers, and it can create more risk as a result.

9. Confirming that the AML/BSA Audit Was Adequate

When examining financial institutions’ AML/BSA auditing efforts, the FFIEC’s ultimate focus is on “[d]etermin[ing] whether the independent testing performed was adequate, relative to the bank’s risk profile.” With this in mind, after completing an audit, financial institutions should retrospectively assess the audit’s adequacy as well. If there appear to be any gaps in the audit process or any other potential issues of concern, then there is more work to do before the audit should be considered complete.

10. Taking Appropriate Next Steps

Finally, after a comprehensive AML/BSA audit has been completed, the financial institution’s leadership team should review the audit report and make decisions about appropriate next steps. This includes (but is not limited to) making decisions about any remedial measures that are necessary. In many cases, it will include making decisions about what updates to the institution’s AML/BSA compliance policies, procedures, and protocols are necessary as well. Ultimately, whatever next steps are necessary, taking them as quickly and efficiently as possible will be critical for managing the financial institution’s AML/BSA-related risk on an ongoing basis.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
