BSA/AML Program Health Check
Walk through this self-assessment to spot gaps in your BSA/AML program before an examiner does. Questions are organized by the five pillars of 31 CFR § 1020.210(a)(2); the fifth pillar, customer due diligence, is cross-referenced to the CDD Rule at 31 CFR § 1010.230. Your scorecard, prioritized gap list, and remediation steps update live as you answer.
Educational tool, not a determination
This tool produces educational triage outputs based on the inputs you provide. It is not a substitute for screening systems, license determinations, professional judgment, or current regulatory guidance. No inputs are stored on Sanctionfy servers.
Not a substitute for independent testing
31 CFR § 1020.210(a)(2)(ii) requires periodic independent testing of your BSA/AML program by qualified personnel outside the BSA function. This tool helps you spot gaps before that testing happens — it is not the test itself, and presenting it as such to an examiner would be a red flag in its own right. Use this scorecard internally; use qualified independent testers for the regulatory requirement.
Scorecard (updates as you answer): Overall; Internal controls; Independent testing; BSA Compliance Officer; Ongoing training; Customer due diligence (CDD). 34 questions in total.
Internal controls
Written policies, procedures, and controls reasonably designed to keep the bank in ongoing compliance with the BSA. The foundation pillar: everything else assumes this exists.
8 questions · 31 CFR § 1020.210(a)(2)(i)
Does your bank have a written BSA/AML compliance program?
Has the Board of Directors formally approved the BSA/AML program?
Is the program risk-based and tailored to your bank’s specific risk profile?
Are BSA/AML policies reviewed and updated at least annually?
Do policies clearly assign roles, responsibilities, and escalation paths?
Is there a documented process for SAR filing decisions and supporting-evidence retention?
Is there a documented process for CTR filings (currency transactions of more than $10,000 in a business day, including aggregated transactions by or on behalf of the same person)?
Are policies tailored to high-risk products and high-risk customers (correspondent banking, private banking, trade finance, MSBs)?
Independent testing
Periodic testing of the BSA/AML program by qualified personnel who are independent of the BSA function. The pillar this tool explicitly does NOT substitute for.
6 questions · 31 CFR § 1020.210(a)(2)(ii)
Has independent BSA/AML testing been completed in the past 12–18 months?
Was the testing performed by qualified personnel independent of the BSA function?
Was the scope of testing risk-based and aligned with your risk profile?
Were testing findings reported in writing to the Board or a designated Board committee?
Has management addressed and tracked remediation of prior findings?
Does the testing scope include sanctions screening (OFAC), CIP, CDD, and SAR/CTR processes?
BSA Compliance Officer
A named individual with day-to-day responsibility for the BSA/AML program, with sufficient authority, autonomy, and resources to do the job.
6 questions · 31 CFR § 1020.210(a)(2)(iii)
Has the Board formally designated a BSA Compliance Officer?
Does the BSA Officer have day-to-day responsibility for the BSA/AML program?
Does the BSA Officer have sufficient authority, autonomy, and resources to administer the program?
Does the BSA Officer have direct access to the Board or a Board-designated committee?
Does the BSA Officer’s expertise match the bank’s complexity and risk profile?
Is succession planning in place for the BSA Officer role?
Ongoing training
BSA/AML training for appropriate personnel, refreshed regularly and tailored to job function. Untrained staff cannot execute even a well-written program.
6 questions · 31 CFR § 1020.210(a)(2)(iv)
Is BSA/AML training delivered to appropriate personnel at least annually?
Is training tailored to job function (front-line vs. operations vs. management)?
Is training documented (attendance, content, dates)?
Does training cover sanctions and export-control list screening, including the OFAC 50 Percent Rule (entities owned 50% or more in aggregate, directly or indirectly, by blocked persons) and the BIS Entity List?
Is the Board / senior management included in BSA/AML training?
Is training updated to reflect regulatory changes (recent FinCEN guidance, OFAC actions)?
Customer due diligence (CDD)
Know-your-customer at onboarding and on an ongoing basis, including beneficial ownership under the CDD Rule (issued in 2016, with mandatory compliance from May 11, 2018). The fifth pillar, added by amendment.
8 questions · 31 CFR § 1020.210(a)(2)(v); § 1010.230
Do you have a written CDD program covering CIP, beneficial ownership, and ongoing monitoring?
Do you collect beneficial ownership information for legal entity customers at account opening?
Do you verify beneficial owner identity using risk-based methods?
Do you understand the nature and purpose of customer relationships sufficiently to develop a risk profile?
Do you conduct ongoing monitoring to identify suspicious transactions and to keep customer information current?
Do you risk-rate customers and apply enhanced due diligence (EDD) to higher-risk relationships?
Do you screen all customers and beneficial owners against the SDN list and other sanctions lists at onboarding and on an ongoing basis?
Do you have a documented exit process for customers whose risk exceeds your appetite?
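Two of the questions above, the training question on the OFAC 50 Percent Rule and the CDD question on screening customers and beneficial owners, both turn on the same computation: deciding whether a legal entity is blocked because of who owns it. The Python below is an added example, not code from the Sanctionfy page or its tool. It assumes the rule as OFAC states it: an entity owned 50% or more in aggregate, directly or indirectly, by one or more blocked persons is itself blocked, and a stake held by an entity that is blocked under the rule counts as blocked ownership of the next entity down, while a stake held through an entity that stays below the threshold does not propagate. The ownership graph, the "blocked" names, and the customer names are constructed placeholders, not real SDN entries.

```python
"""OFAC 50 Percent Rule aggregation over an ownership graph (added example).

Assumption: the rule is applied as a fixpoint. An entity whose blocked
ownership reaches the threshold becomes blocked, and its own stakes then
count as blocked ownership of the entities it holds. Stakes held through an
entity that never reaches the threshold do not propagate.
"""
from collections import defaultdict

# Constructed ownership graph: owner -> {entity: percent held}. Not real data.
OWNERSHIP = {
    "Person X": {"Entity A": 50.0, "Entity B": 10.0},
    "Person Y": {"Entity C": 25.0},
    "Person Z": {"Entity C": 25.0},
    "Entity A": {"Entity B": 40.0},   # counts only once A itself is blocked
    "Entity B": {"Entity D": 30.0},
    "Entity C": {"Entity D": 20.0},
    "Person W": {"Entity E": 40.0},   # below threshold: E stays unblocked
    "Entity E": {"Entity F": 100.0},  # E is not blocked, so F is not either
}

# Constructed stand-in for the persons found on a sanctions list.
DIRECTLY_BLOCKED = {"Person X", "Person Y", "Person Z"}


def blocked_ownership(ownership, directly_blocked, threshold=50.0):
    """Return {entity: (aggregate blocked percent, sorted contributing owners)}
    for every entity that becomes blocked under the 50 Percent Rule.

    Runs to a fixpoint so that an entity blocked in one pass can push an
    entity it owns over the threshold in a later pass.
    """
    # Invert the graph: entity -> {owner: percent}, summing repeated stakes.
    holders = defaultdict(dict)
    for owner, stakes in ownership.items():
        for entity, pct in stakes.items():
            holders[entity][owner] = holders[entity].get(owner, 0.0) + pct

    blocked = set(directly_blocked)
    derived = {}
    changed = True
    while changed:
        changed = False
        for entity, stakes in holders.items():
            if entity in blocked:
                continue
            contributors = {o: p for o, p in stakes.items() if o in blocked}
            total = sum(contributors.values())
            if total >= threshold:
                blocked.add(entity)
                derived[entity] = (total, sorted(contributors))
                changed = True
    return derived


def screen(names, directly_blocked, derived):
    """Exact-name screen of customers and beneficial owners.

    Returns {name: reason} for each hit, distinguishing a listed person from
    an entity blocked only because of its ownership.
    """
    hits = {}
    for name in names:
        if name in directly_blocked:
            hits[name] = "listed"
        elif name in derived:
            pct, owners = derived[name]
            hits[name] = f"50% rule: {pct:g}% held by {', '.join(owners)}"
    return hits


if __name__ == "__main__":
    derived = blocked_ownership(OWNERSHIP, DIRECTLY_BLOCKED)
    for entity, (pct, owners) in sorted(derived.items()):
        print(f"{entity}: blocked, {pct:g}% via {owners}")
    # Constructed onboarding check: a legal-entity customer and its owners.
    print(screen(["Entity D", "Entity F", "Person X", "Acme LLC"],
                 DIRECTLY_BLOCKED, derived))
```

In the constructed graph, Entity B is blocked only because Entity A is blocked first (10% direct from Person X plus A's 40%), and Entity D is blocked only through two entities that are themselves blocked by aggregation, which is the case a single-pass check misses. The `screen` function matches exact names; a production screening system also has to handle aliases, transliteration, and fuzzy matching, and the question about ongoing screening means re-running this whenever either the list or the ownership data changes.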
Self-assessment scorecard. Not legal advice. Does not predict examiner findings. Citation URLs verified against ecfr.gov / bsaaml.ffiec.gov on 2026-05-12.