AML exam readiness checklist for fintechs — documentation and program evidence

AML Exam Readiness for Fintechs: A Pre-Examination Checklist

An AML examination for a fintech is not a surprise. Examiners — whether they are from FinCEN, a federal banking regulator like the OCC or FDIC, a state financial services department, or the BSA examination team of a sponsor bank — follow a consistent examination methodology. They request specific categories of documents in advance, they conduct transaction testing against a defined sample, they interview key personnel, and they evaluate program adequacy against published regulatory guidance. The framework is known. What distinguishes institutions that receive clean examinations from those that receive findings is almost always documentation quality and program consistency — not the existence or absence of program components on paper.

This checklist covers the documentation categories that examiners typically request in advance of an examination, what they look for in each category, and the specific evidence gaps most frequently cited in fintech examination findings.

Pre-Examination Document Request: What to Have Ready

Most AML examinations begin with a document request letter issued 30 to 60 days before the examination start date. The categories in that request are predictable. Having the following organized and retrievable within 48 hours of a request is the baseline standard:

BSA/AML Program Documentation

  • The current written BSA/AML policy and procedures, with effective dates and version history showing the most recent review and approval date
  • The institution's BSA Risk Assessment — covering customer risk, product/service risk, geographic risk, and channel risk — with the date of the most recent update and the methodology used
  • The BSA Officer designation documentation — the board or senior management resolution designating the BSA Officer, with the officer's name, title, and date of designation
  • Training records for the prior two years — attendance records, training materials, and completion certifications for all personnel with BSA/AML responsibilities
  • Independent testing (BSA audit) reports for the prior two examination cycles, with management responses to any findings and evidence of finding remediation

Customer Due Diligence and KYC Records

  • The written CIP (Customer Identification Program) procedures, including the verification methods used for individual and legal entity customers
  • A sample of customer files — examiners typically request 25 to 50 files representing a cross-section of risk tiers, including a specific request for high-risk accounts and accounts that received EDD
  • Beneficial ownership certification forms for a sample of legal entity accounts, with evidence of when they were collected and any subsequent updates
  • Documentation of the customer risk rating methodology and evidence that it has been applied consistently to the sample population

Transaction Monitoring and SAR Records

  • The transaction monitoring system configuration documentation — including the scenarios or rules deployed, their thresholds, and any tuning changes made in the prior 12 months with the documented rationale for each change
  • Alert disposition records — a sample of alerts generated in the prior 12 months, with documentation of the analyst's disposition decision and rationale
  • SAR filings from the prior 12 months, with supporting investigation files demonstrating the basis for each SAR decision
  • SAR decisions not to file — documentation of cases where investigation concluded that SAR filing was not required, and the reasoning recorded
  • CTR filings from the prior 12 months, and any documented structuring investigations

OFAC and Sanctions Program Documentation

OFAC screening is evaluated alongside the BSA/AML program in most examinations. Required documentation includes:

  • The written OFAC sanctions policy, including which lists are screened, the screening frequency for ongoing customer screening, and the match review workflow
  • Match review records for the prior 12 months — documentation of potential OFAC matches, the analyst's clearance analysis, and the disposition
  • Any blocked transaction reports filed with OFAC under 31 CFR 501.603, and the supporting documentation for each blocking event
  • Evidence that sanctions list updates triggered re-screening of the existing customer population

314(a) and 314(b) Program Participation

FinCEN's 314(a) program under 31 CFR 1010.520 requires financial institutions to designate a point of contact, search their records upon receipt of a 314(a) request, and report matches to FinCEN within two weeks. Examiners will ask whether the institution has received 314(a) requests, whether it searched and responded within the required timeframe, and whether the designated 314(a) contact is current.

314(b) participation — the voluntary program under 31 CFR 1010.540 that allows financial institutions to share information with each other about suspected money laundering — is not required, but its absence will prompt a question about why the institution has not registered. If there is a legitimate business reason for non-participation (resource constraints at early stage, limited cross-institution transaction volume), that rationale should be documented in the BSA program or risk assessment.

Personnel Interviews: What Examiners Ask

Examiners will interview the BSA Officer and typically one or two front-line compliance analysts. Common questions in a BSA Officer interview include:

  • How are new products evaluated for BSA/AML risk before launch?
  • How does senior management receive BSA/AML program updates, and how frequently?
  • What were the most significant findings from the most recent independent BSA audit, and what remediation has been completed?
  • How is the transaction monitoring system tuned, and who has authority to change alert thresholds?
  • How are SAR filing decisions made — is there a committee process, or does the BSA Officer make decisions unilaterally?

We are not saying that BSA Officers need to have perfect answers to every question — examiners understand that compliance programs have limitations and that not every possible risk scenario has a programmed response. What examiners are evaluating is whether the BSA Officer has genuine operational knowledge of how the program works, whether they have visibility into program metrics and recent performance, and whether they can speak credibly about how decisions are made. A BSA Officer who answers "I'd have to check the system" for every operational question is a problem. One who can speak from operational knowledge and point to documentation to support their answers is demonstrating a functioning program.

The Thirty-Day Window: What to Actually Do Before an Examination

When an examination is announced, the 30-day preparation window matters. The most effective use of that time, based on where examination findings most commonly originate:

  1. Conduct a file pull test. Pull a random sample of 25 customer files and evaluate whether each file has the documentation an examiner would expect: completed CIP, risk rating with documented rationale, EDD documentation for high-risk accounts, and up-to-date beneficial ownership for legal entity accounts. Identify and remediate gaps before the examination, with a documented record of the remediation.
  2. Review the last 90 days of SAR and no-SAR decisions. Ensure that each disposition decision has a documented rationale in the case file. Decisions recorded only as "reviewed — no SAR" without explanation are the most common documentation gap examiners cite.
  3. Confirm that training records are complete. New hires who joined in the prior 12 months must have completed BSA training. Confirm completion records exist for every relevant employee.
  4. Review the BSA risk assessment currency. If the risk assessment has not been updated since a significant product or customer segment change, update it before the examination. An outdated risk assessment that no longer reflects the institution's actual product mix will be noted.

Sponsor Bank BSA Examinations: A Different Dynamic

Fintechs operating under a bank sponsorship model are often examined not by federal banking regulators directly, but by the BSA examination function of the sponsor bank — which is itself responsible for ensuring that its fintech program partners maintain adequate BSA/AML programs. That examination may be less formal than a federal examination, but it carries real consequences: a sponsor bank that identifies a significant program gap in a fintech partner's BSA program may require remediation on a compressed timeline, impose transaction volume restrictions, or in extreme cases terminate the sponsorship agreement.

The documentation standard for a sponsor bank BSA examination is the same as for a federal examination. Neobanks operating under bank sponsor relationships should treat the sponsor BSA officer as having the same examination authority as a federal examiner — because in practical terms, they do. AML screening infrastructure that generates auditable, exportable records for each alert, disposition, and SAR decision is what makes that documentation standard achievable at scale. KYC verification systems that maintain complete, timestamped customer files make the file pull test a 48-hour exercise rather than a five-person remediation project.