BSA/AML Independent Testing: Building a Program That Passes the FFIEC Exam

May 10, 2026 Rebecca Leung
You got an MRA. Your examiner’s report cites BSA/AML independent testing as “inadequate.” Now you’re rebuilding a program from scratch with a corrective action deadline and a follow-up exam scheduled.

This guide is for the person trying to avoid that scenario — and for the person already in it.

TL;DR

  • Independent testing is the second of five BSA/AML program pillars — and one of the most cited in enforcement actions and consent orders.
  • The FFIEC requires testing by a qualified, independent party; there is no prescribed frequency, but scope, transaction testing depth, and documentation are all assessed by examiners.
  • Common deficiencies: lack of tester independence, insufficient scope (especially SAR quality and transaction monitoring), and process review without actual transaction sampling.
  • As of February 2026, OCC examiners may rely heavily on your independent testing report — a strong program reduces your exam burden; a weak one means the examiner does the testing and writes the findings.

BSA/AML independent testing is one of five pillars the FFIEC requires of every bank’s AML compliance program. It’s also one of the most frequently cited deficiencies in examination findings. In 2024, FinCEN and federal banking regulators announced more than three dozen enforcement actions citing failures across multiple program pillars, with independent testing failures appearing in a significant share. In March 2026, FinCEN imposed an $80 million civil money penalty against a global broker-dealer — the largest BSA enforcement action ever against a broker-dealer — citing an inadequate AML program that persisted from 2018 through 2024 without adequate testing to surface or escalate the failures.

Getting independent testing right is not optional.

The Five Pillars and Where Independent Testing Fits

The Bank Secrecy Act and its implementing regulations (31 CFR 1020.210 for banks, mirrored in the federal banking agencies' rules) require every bank to maintain an effective AML compliance program. The FFIEC BSA/AML Examination Manual organizes those requirements into five pillars:

  1. A system of internal controls to assure ongoing compliance
  2. Independent testing for compliance ← this guide’s focus
  3. Designation of a qualified BSA Officer responsible for day-to-day compliance
  4. Training for appropriate personnel
  5. Risk-based procedures for ongoing Customer Due Diligence (CDD)

Enforcement actions typically cite failures across multiple pillars simultaneously. A 2024 consent order that cites inadequate internal controls and inadequate independent testing is not describing two separate failures; it is describing a program that wasn't designed to catch its own gaps. Independent testing is the feedback loop that validates whether the other four pillars (internal controls, the BSA Officer function, training, and CDD) are actually functioning.

Who Can Conduct Independent Testing?

The FFIEC is explicit: testing must be conducted by personnel with no involvement in the function being tested and no conflict of interest. Acceptable testers include:

  • Internal audit — provided the audit function is genuinely independent from BSA/AML operations and the auditors have BSA/AML-specific expertise
  • Outside auditors — third-party firms engaged specifically for BSA/AML testing
  • Consultants — subject matter experts not otherwise involved in the bank’s BSA/AML program
  • Other qualified independent parties — any person or group with the expertise and independence from the function under review

The most common independence failure: BSA staff testing their own processes. If the BSA Officer, compliance manager, or any member of the BSA team conducts the testing and produces the report, that’s self-review — not independent testing. Examiners cite this pattern consistently, and it’s difficult to remediate after the fact because the testing results are inherently compromised.

A secondary independence problem: banks that use the same consulting firm for ongoing BSA/AML advisory work and for independent testing. A consultant who helped design or improve the program cannot objectively assess it. Independence applies to relationships and prior involvement, not just org charts. If your external auditor has been advising on your SAR process and then tests it, that's a conflict: either document why you've concluded independence is preserved for the specific areas tested, or restructure the engagement.

Frequency: Risk-Based, Not Prescribed

There is no regulatory requirement specifying how often independent testing must occur. The FFIEC manual states that frequency must be “commensurate with the ML/TF and other illicit financial activity risk profile of the bank and the bank’s overall risk management strategy.”

In practice, most banks test annually. Higher-risk institutions — those with international wire transfer volume, high-volume cash business, crypto-adjacent services, money services businesses as customers, or high-risk geographic exposure — should test more frequently or conduct targeted testing between full cycles on the highest-risk areas.

Lower-risk community banks may test every 12–18 months, but that determination must be documented and traceable to the risk assessment. If your risk assessment identifies significant ML/TF exposure across multiple products or customer segments, your testing frequency must account for that — or you need to document why it doesn’t.

Keep the frequency rationale in your BSA/AML testing policy, and revisit it when risk conditions change: new products, acquisitions, regulatory focus shifts, or customer base changes that alter your ML/TF profile.

What Must Be in Scope

The FFIEC requires independent testing to contain “sufficient information for the reviewer to reach a conclusion about the overall adequacy of the BSA/AML compliance program.” A complete scope covers the following areas:

BSA/AML Risk Assessment

Does the risk assessment accurately reflect the institution’s risk profile across products, services, customers, and geographies? Has it been updated when risk conditions changed? Is it actually being used to set monitoring parameters and CDD thresholds — or does it sit in a drawer?

Customer Due Diligence and Enhanced Due Diligence

Are CDD procedures risk-based and consistently applied at account opening and on an ongoing basis? Is enhanced due diligence (EDD) triggered appropriately for high-risk customer categories? Is beneficial ownership information collected accurately and kept current?

Transaction Monitoring System

Are monitoring thresholds appropriate for the institution’s specific risk profile? Are alerts reviewed timely and dispositioned with documentation that explains the reasoning? Is the alert disposition process consistent, or do similar fact patterns result in wildly different conclusions depending on who reviews them?

Suspicious Activity Reporting

Are SAR filing decisions documented with clear rationale? Do SAR narratives answer the five Ws: who was involved, what happened, when, where, and why it's suspicious? Are SARs filed within required timeframes: 30 calendar days after initial detection, extendable to 60 calendar days only when no suspect has been identified? For continuing activity, is the 90-day review performed and the continuing-activity SAR filed within 120 calendar days of the prior related filing?

Currency Transaction Reporting

Are CTRs filed accurately and within 15 calendar days of the transaction? Are CTR exemptions properly documented and reviewed at least annually? Do aggregation procedures combine same-business-day cash transactions by or on behalf of the same person across branches, tellers, and accounts, and do monitoring rules look across days for structuring patterns that sit just under the reporting threshold?
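The CTR checks described above (same-day aggregation across branches, the reporting threshold, the 15-day filing deadline) as an added example, not code from the original article: a Python transaction test that runs over a constructed cash-transaction sample and a constructed CTR filing log, and returns one exception per customer-day where a CTR was required but missing or late. The threshold, aggregation rule and deadline are taken from 31 CFR 1010.311, 1010.313 and 1010.306(a)(1); the data model, field names and sample records are assumptions for illustration.

```python
"""Added example (not from the original article): a transaction test for CTR
completeness, same-business-day aggregation and filing timeliness.

Rules encoded: cash-in or cash-out totaling more than $10,000 by or on behalf
of one person in one business day requires a CTR (31 CFR 1010.311, aggregated
per 1010.313), filed within 15 calendar days (1010.306(a)(1)). The data model,
field names and sample records below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # reportable when the daily aggregate exceeds this
CTR_FILING_DAYS = 15              # calendar days after the transaction date


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer_id: str   # the person the cash is by or on behalf of
    branch: str
    txn_date: date
    direction: str     # "in" or "out"; the two directions aggregate separately
    amount: Decimal


@dataclass(frozen=True)
class CtrFiling:
    customer_id: str
    txn_date: date     # business day the filing covers
    filed_on: date


def aggregate_by_customer_day(txns):
    """Cash-in and cash-out totals per (customer, business day) across all
    branches: $6,000 at branch A plus $5,000 at branch B on the same day is
    one $11,000 reportable aggregate, not two sub-threshold deposits."""
    totals = defaultdict(lambda: {"in": Decimal(0), "out": Decimal(0)})
    for t in txns:
        totals[(t.customer_id, t.txn_date)][t.direction] += t.amount
    return totals


def find_ctr_exceptions(txns, filings, threshold=CTR_THRESHOLD,
                        filing_days=CTR_FILING_DAYS):
    """One exception per (customer, day) where a CTR was required but is
    missing or was filed late. Each exception lists the underlying
    transaction ids so the workpaper can cite them."""
    filed = {(f.customer_id, f.txn_date): f for f in filings}
    ids_by_key = defaultdict(list)
    for t in txns:
        ids_by_key[(t.customer_id, t.txn_date)].append(t.txn_id)

    exceptions = []
    for key, tot in aggregate_by_customer_day(txns).items():
        if tot["in"] <= threshold and tot["out"] <= threshold:
            # No CTR required. A run of sub-threshold days is a structuring /
            # SAR question for the monitoring test, not a CTR exception.
            continue
        customer_id, txn_date = key
        filing = filed.get(key)
        if filing is None:
            exceptions.append({"customer_id": customer_id, "txn_date": txn_date,
                               "issue": "missing", "days_late": None,
                               "txn_ids": sorted(ids_by_key[key])})
            continue
        days_to_file = (filing.filed_on - txn_date).days
        if days_to_file > filing_days:
            exceptions.append({"customer_id": customer_id, "txn_date": txn_date,
                               "issue": "late", "days_late": days_to_file - filing_days,
                               "txn_ids": sorted(ids_by_key[key])})
    return exceptions


# Constructed sample population and CTR log (not real data).
SAMPLE_TXNS = [
    CashTxn("T001", "C100", "BR-A", date(2026, 3, 2), "in", Decimal("6000")),
    CashTxn("T002", "C100", "BR-B", date(2026, 3, 2), "in", Decimal("5000")),    # aggregates to 11,000; no CTR on file
    CashTxn("T003", "C200", "BR-A", date(2026, 3, 3), "in", Decimal("12500")),   # CTR filed 22 days later
    CashTxn("T004", "C300", "BR-A", date(2026, 3, 4), "in", Decimal("9800")),    # under threshold
    CashTxn("T005", "C400", "BR-C", date(2026, 3, 5), "out", Decimal("15000")),  # CTR filed on time
    CashTxn("T006", "C500", "BR-A", date(2026, 3, 6), "in", Decimal("7000")),
    CashTxn("T007", "C500", "BR-A", date(2026, 3, 6), "out", Decimal("4000")),   # in and out do not combine
]
SAMPLE_FILINGS = [
    CtrFiling("C200", date(2026, 3, 3), date(2026, 3, 25)),
    CtrFiling("C400", date(2026, 3, 5), date(2026, 3, 10)),
]

if __name__ == "__main__":
    for e in find_ctr_exceptions(SAMPLE_TXNS, SAMPLE_FILINGS):
        print(e)
```

On the constructed data the test returns two exceptions: C100 (two sub-threshold deposits at different branches that aggregate to $11,000 with no CTR) and C200 (CTR filed 7 days past the deadline). Note what it does not flag: C300's single $9,800 deposit and C500's $7,000 in / $4,000 out. Those are correct non-exceptions for a CTR test, which is exactly why the monitoring and SAR tests need their own transaction samples rather than reusing this one.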

OFAC and Sanctions Screening

Is the sanctions list current? Are hits reviewed by qualified personnel who understand the matching methodology? Are false positive dispositions documented? Are true hits properly blocked, escalated, and reported?

BSA Officer Designation and Authority

Does the BSA Officer have sufficient authority, resources, and direct access to the board? Can they escalate concerns without organizational interference? Are they adequately staffed for the institution’s size and risk profile?

Training Program

Is training delivered to all appropriate staff at onboarding and on a recurring schedule (annually is the common practice, and the policy should state the interval)? Is content role-appropriate: teller training versus compliance analyst training versus executive and board training? Is completion documented with names, dates, and content covered?

Prior Testing Findings

Are findings from prior independent testing cycles tracked to closure? Is the board receiving timely reports on open findings and remediation status? Examiners will pull your prior testing report and compare it to current conditions.

Transaction Testing: Where Most Programs Fall Short

Process review without transaction sampling is an incomplete independent test. Examiners look for evidence that you tested actual outputs — not just assessed whether procedures exist.

Transaction testing should be embedded in every major testing area:

What transaction testing looks like, by area:

  • Cash transactions: sample of high-cash-volume transactions; verify CTR filing completeness, timeliness, and aggregation logic
  • Wire transfers: sample of domestic and international wires; verify screening, documentation, and monitoring alert generation
  • SARs filed: review narrative quality, completeness, and timeliness for a sample of the prior period’s filings
  • SAR decisions (not filed): sample of alerts that were closed without filing; assess whether the disposition rationale is defensible
  • CTR exemptions: sample of exempted entities; verify exemption documentation is current and the entity still qualifies
  • New account openings: sample of accounts opened in the period; verify CDD collection completeness for each risk tier

Sample sizes should scale with risk and volume. High-volume, high-risk areas warrant larger samples. Community banks with limited transaction volume can test smaller samples, but the methodology for determining sample size must be documented in the workpapers: whether the size is statistical or risk-based, the confidence level and tolerable deviation rate if statistical, the population the sample was drawn from and its size, and how the individual items were selected so that a reviewer could regenerate the same sample.
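The sizing and selection methodology above as an added example, not code from the original article: a Python routine that sizes each risk stratum of a constructed wire-transfer population (larger of a statistical attribute-sampling size and a risk-based floor, capped at the stratum size) and selects items deterministically from a seed recorded in the workpaper. The statistical formula is the standard zero-expected-deviation attribute-sampling size, n = ln(1 - confidence) / ln(1 - tolerable rate); the per-tier tolerable rates, floors, identifiers and seed are assumed policy values for illustration, not figures from any regulator.

```python
"""Added example (not from the original article): sizing and selecting a
transaction-testing sample so the workpaper can show how it was built.

Statistical size uses the zero-expected-deviation attribute-sampling formula
n = ln(1 - confidence) / ln(1 - tolerable_rate). The per-tier tolerable rates
and floors below are assumed policy values, not regulatory figures.
"""
import hashlib
import math

# Assumed policy: higher-risk strata tolerate a lower deviation rate and have a
# higher minimum sample regardless of what the statistics say.
TIER_POLICY = {
    "high":   {"tolerable_rate": 0.05, "floor": 60},
    "medium": {"tolerable_rate": 0.10, "floor": 30},
    "low":    {"tolerable_rate": 0.15, "floor": 15},
}


def attribute_sample_size(confidence, tolerable_rate):
    """Smallest n such that, if zero deviations are found in n items, the true
    deviation rate exceeds tolerable_rate with probability at most
    1 - confidence. 95% / 5% gives 59; 95% / 10% gives 29."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - tolerable_rate))


def planned_size(population_size, tier, confidence=0.95):
    """Larger of the statistical size and the risk-based floor, capped at the
    population size (a small stratum is simply tested in full)."""
    policy = TIER_POLICY[tier]
    n = max(attribute_sample_size(confidence, policy["tolerable_rate"]), policy["floor"])
    return min(n, population_size)


def select_items(item_ids, n, seed):
    """Deterministic selection: rank items by SHA-256(seed:item_id) and take
    the lowest n. Recording the seed in the workpaper lets a reviewer
    regenerate exactly this sample from the same population, which a
    spreadsheet RAND() column cannot do."""
    def rank(item_id):
        return hashlib.sha256(f"{seed}:{item_id}".encode()).hexdigest()
    return sorted(sorted(item_ids, key=rank)[:n])


def plan_sample(population, seed, confidence=0.95):
    """population: iterable of (item_id, tier). Returns, per tier, the
    population size, the planned sample size and the selected ids; this
    dict is what goes into the sample-methodology section of the workpaper."""
    by_tier = {}
    for item_id, tier in population:
        by_tier.setdefault(tier, []).append(item_id)
    plan = {}
    for tier, ids in by_tier.items():
        n = planned_size(len(ids), tier, confidence)
        plan[tier] = {"population": len(ids), "sample_size": n,
                      "ids": select_items(ids, n, f"{seed}:{tier}")}
    return plan


# Constructed population (not real data): 40 high-risk, 200 medium-risk and
# 500 low-risk wire transfers identified by hypothetical ids.
SAMPLE_POPULATION = (
    [(f"W-H{i:03d}", "high") for i in range(40)]
    + [(f"W-M{i:03d}", "medium") for i in range(200)]
    + [(f"W-L{i:03d}", "low") for i in range(500)]
)

if __name__ == "__main__":
    for tier, p in plan_sample(SAMPLE_POPULATION, seed="IT-2026-wires").items():
        print(tier, p["population"], p["sample_size"], p["ids"][:5])
```

On the constructed population the high-risk stratum (40 items) is tested in full because both the statistical size (59) and the floor (60) exceed it; the medium stratum takes 30 (the floor beats the statistical 29); the low stratum takes 19 (the statistical size beats the floor of 15). Each of those three numbers has a one-line justification that can be written into the workpaper, which is the point of separating the two rules rather than picking a round number.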

The Documentation Standard

All independent testing must be documented to a standard that survives examiner review. Thin workpapers that summarize conclusions without showing how they were reached invite expanded examiner testing. Complete workpapers include:

  • Scope definition: What was tested, what was excluded, and the risk-based rationale for any exclusion
  • Procedures performed: Step-by-step description of how each area was tested
  • Sample methodology: How samples were selected, from which population, and what sample size was used
  • Transaction testing results: What was found for each sampled item, with specific transaction identifiers
  • Findings: Each exception, deficiency, violation, and policy deviation — with severity rating and supporting evidence
  • Management response: For each finding, the institution’s planned remediation and responsible owner
  • Conclusion: An overall adequacy opinion on the BSA/AML compliance program

The report and workpapers must be presented to the board or a designated board committee. Findings must be tracked to documented closure — not just noted and filed.

Why this matters in 2026: Under OCC Community Bank BSA/AML Examination Procedures effective February 1, 2026, examiners may place significant reliance on your independent testing report. If the testing is thorough, well-scoped, and well-documented, examiners may limit or skip their own transaction testing in areas you’ve already covered. Weak documentation has the opposite effect — it signals that independent testing cannot be relied upon, and examiners expand their own scope accordingly.

The Three Deficiencies That Appear Most Often

1. Lack of tester independence. BSA staff reviewing their own work, or a consulting firm testing a program it helped design. Restructure so the tester has genuine independence from the function. Document why they qualify — expertise, relationship to BSA function, and confirmation they haven’t been involved in advisory work on the areas under review.

2. Insufficient scope. High-risk areas excluded without documented justification. SAR narrative quality not assessed. Transaction monitoring thresholds not challenged. OFAC screening not tested. Map your scope against the FFIEC manual categories, document any exclusions with risk-based rationale, and have someone outside the testing team challenge the scope before testing begins.

3. Insufficient transaction testing. Process-only review. Testing assessed whether procedures exist without verifying they’re applied to actual transactions. Add explicit transaction testing to every major area, document the methodology, and ensure workpapers show specific transaction-level findings, not just aggregate conclusions.

A fourth pattern: findings that persist across exam cycles. If your prior independent testing identified a deficiency and the subsequent examination finds the same issue unresolved, that’s an escalated finding — and it tells examiners that your testing program doesn’t have the governance structure to actually drive remediation.

So What Does This Mean in Practice?

If you’re building or rebuilding an independent testing program, start with the structure before touching scope or procedures.

First: Document your independence framework. Who tests what? What is their relationship to the BSA function? What is their BSA/AML expertise? This needs to be in writing before the first testing procedure is run.

Second: Write a testing policy that maps your scope to the FFIEC manual categories. Document your frequency rationale tied to your risk assessment. Document how you determine sample sizes. If your policy can’t answer these questions, your testing can’t either.

Third: Build transaction testing into every area. Define the population, sample methodology, and what you’re looking for before you pull the sample. Document results at the transaction level, not just the conclusion.

Fourth: Make findings traceable to closure. Every finding gets an owner, a remediation plan, and a due date. The board sees the status. The next testing cycle verifies the closure.

The OCC’s shift toward relying on independent testing means a well-built program is worth real exam relief. A weak one means your examiner does the work for you — and writes the report you’ll spend the next 18 months remediating.


For the risk assessment methodology that feeds your independent testing scope, see AML Risk Assessment Template: A Practitioner’s Methodology for Banks and Fintechs. For SAR narrative quality — one of the most common independent testing findings — see SAR Template: Narrative Writing, Filing Triggers, and Common Mistakes. For the KYC and CDD procedures your testing will evaluate, see KYC Policy Template: A Fintech Practitioner’s Guide to Customer Due Diligence.


Sources: FFIEC BSA/AML Examination Manual — Independent Testing | OCC Bulletin 2025-37: Community Bank BSA/AML Examination Procedures | FFIEC BSA/AML Main Manual | K&L Gates: Lessons from 2024 BSA/AML Enforcement Actions | Holland & Knight: FinCEN Record Penalty on Broker-Dealer (March 2026)

Frequently Asked Questions

What is BSA/AML independent testing?
Independent testing is the second of five BSA/AML program pillars required by the FFIEC. It requires a qualified, independent party — internal audit, outside auditors, or consultants not involved in the BSA function — to assess the bank's compliance with BSA regulatory requirements and the overall adequacy of the AML program.
How often is BSA/AML independent testing required?
There is no prescribed frequency. The FFIEC exam manual requires testing frequency to be commensurate with the institution's ML/TF risk profile. Most banks test annually; higher-risk institutions test more often or add targeted interim testing of their highest-risk areas, and lower-risk community banks may test every 12–18 months. The rationale for the chosen frequency must be documented in policy and tied to the risk assessment.
What must BSA/AML independent testing cover?
At minimum: the BSA/AML risk assessment, customer due diligence procedures, SAR filing process and narrative quality, CTR filing accuracy and timeliness, OFAC screening effectiveness, BSA Officer designation and authority, staff training, and transaction monitoring system adequacy.
Who can conduct BSA/AML independent testing?
Internal audit, outside auditors, consultants, or other qualified independent parties. The tester cannot be involved in the BSA function being tested or have a conflict of interest. BSA staff cannot test their own processes.
What are the most common exam findings related to independent testing?
Three recurring deficiencies: (1) lack of tester independence — BSA staff testing their own processes; (2) insufficient scope — failing to cover high-risk areas like SAR quality, CTR exemptions, or specific customer segments; (3) insufficient transaction testing — process review without testing actual outputs.
What happens to independent testing workpapers during an exam?
Examiners will request your testing report and supporting workpapers. Under OCC Community Bank Examination Procedures effective February 1, 2026, robust independent testing may allow examiners to reduce or skip their own transaction testing. Thin documentation guarantees expanded examiner scrutiny.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
