Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Regulatory Compliance

BSA/AML KRIs: Transaction Monitoring False Positives, SAR Filing Rates, and the 10 Metrics Examiners Actually Check

Most BSA programs track activity. Few track program health. Here are the 10 BSA/AML KRIs that reveal whether your transaction monitoring, SAR filing, CDD, and independent testing pillars are working — including how to calibrate false positive rates, SAR conversion rates, and CDD completion metrics that hold up in examinations.

By Rebecca Leung · June 3, 2026 ·
Table of Contents

Your BSA program has five pillars. It probably has policies, a compliance officer, training records, and a transaction monitoring system. What it may not have is any systematic way to tell whether those pillars are standing or starting to lean — and that’s what examiners are checking when they pull your BSA/AML program documentation.

TD Bank’s October 2024 guilty plea to money laundering conspiracy — and its $3.09 billion in penalties, the largest BSA fine in history — came down to a monitoring program that hadn’t been substantively updated in eight years and left 92% of the bank’s total transaction volume unmonitored. Not a broken system. An unmeasured one. Nobody was tracking whether the program’s coverage, currency, or calibration was adequate. The metrics that would have surfaced that failure are the same ones most BSA programs still don’t track.

KRIs for BSA programs aren’t about monitoring transaction activity. That’s what your TM system does. BSA/AML KRIs are about monitoring program health: whether alerts are being cleared in time, whether your SAR filing rate indicates a well-tuned system, whether CDD is being updated when customers change, and whether your independent testing is actually independent.

The ten metrics covered here correspond directly to the deficiencies that appear in BSA/AML enforcement actions year after year. They’re also the metrics that, tracked consistently, tell you where your program is weakening before an examiner does.

TL;DR

  • BSA/AML KRIs measure program health, not transaction activity — alert aging, SAR conversion rate, CDD update completion, and independent testing recency are the signal metrics.
  • The FFIEC’s five-pillar framework tells you what to build. KRIs tell you whether what you built is working.
  • FinCEN’s October 2025 SAR FAQ clarifications reduce administrative burden for no-SAR documentation and continuing activity reviews, but don’t reduce the obligation to monitor and calibrate your TM system.
  • Fintech and BaaS program operators need KRIs at the program level — not just consolidated bank-level metrics — because that’s where examiner scrutiny is highest.
  • The gap most often found in BSA exams: activity metrics that look fine while program health is deteriorating (alert backlogs building, SAR filing delays, CDD records aging out).

The Five Pillars and the Metrics That Tell You They’re Working

The FFIEC BSA/AML Examination Manual establishes the five-pillar framework for an effective compliance program: a system of internal controls, independent testing, a designated compliance officer, training, and ongoing customer due diligence. Every BSA exam is structurally an assessment of whether your five-pillar program is functioning as designed.

The problem is that pillar existence and pillar function are different things. You can have a transaction monitoring system (pillar one check mark) that hasn’t had its rules reviewed in two years and is generating a 97% false positive rate. You can have an independent testing program (pillar two check mark) run by someone who reports to the BSA officer — which the FFIEC manual explicitly does not consider independent. You can have a CDD program (pillar five check mark) where beneficial ownership information was collected at onboarding and hasn’t been touched since.

KRIs are the mechanism that converts “pillar exists” to “pillar is functioning.” Each pillar has corresponding health metrics. The ten KRIs below cover each pillar.

Transaction Monitoring KRIs (4)

Transaction monitoring generates the most examiner scrutiny — and the most common program failures. The issues examiners find aren’t usually about having a TM system; they’re about whether the system’s rules are calibrated, alerts are being cleared in time, and the resulting SAR filing rate shows the program is detecting genuine suspicious activity.

KRIWhat It MeasuresThreshold LogicOwner
False positive rateAlerts cleared with no SAR ÷ total alerts generated (monthly)Should decline over time with rule tuning; persistent rate near 100% warrants formal reviewBSA/Compliance
Alert-to-SAR conversion rateSARs filed ÷ total alerts generated (monthly)Inverse of false positive rate; should rise with tuning; declining rate without rule changes is a warning signalBSA/Compliance
Alert aging (time-to-clear)Average days from alert generation to final dispositionAmber: average approaching 30 days; Red: alerts older than 45 days accumulating in queueBSA/Operations
TM rule validation recencyMonths since last formal rule review, back-testing, or threshold adjustmentAmber: >12 months since last review; Red: >18 months, or material customer base change without corresponding reviewBSA/Technology

The false positive rate and SAR conversion rate tell you whether your rules are calibrated to your actual risk population. Industry benchmarks for rules-based TM systems put false positive rates at 90–95% — meaning 90 to 95 out of every 100 alerts generated require no SAR filing. That’s a baseline description of where most programs start, not a compliance target. Active rule tuning should drive the rate down over time. Many institutions see low single-digit SAR conversion rates as a baseline — but the trend matters more than the absolute number. A system showing a declining SAR conversion rate without corresponding rule change documentation is a flag that the program is generating noise without producing useful output.

Alert aging is where program strain becomes visible first. When analyst capacity can’t keep pace with alert queue volume, the first measurable signal is average days-to-clear increasing. By the time SARs start missing the 30-day filing window, the backlog has been accumulating for weeks.

The TM rule validation recency KRI addresses the less-visible failure: a program that hasn’t been updated as the institution’s transaction population changed. TD Bank’s monitoring system excluded all domestic ACH transactions, most check activity, and numerous other transaction types — leaving 92% of transaction volume unmonitored. That wasn’t a sudden failure; it was a program that hadn’t been validated or updated since 2014. A KRI tracking months since last formal rule review would have surfaced that gap long before it became a $3.09 billion enforcement outcome. Transaction type coverage — what percentage of the institution’s risk-relevant transaction types are actually captured by monitoring rules — is worth tracking explicitly, even if it sits outside the core 10 KRIs below.

SAR Filing KRIs (1 — Plus the FinCEN October 2025 Context)

KRIWhat It MeasuresThreshold LogicOwner
SAR filing timeliness% of SARs filed within the 30-day mandatory window from date of detectionAmber: <97% on-time; Red: <95%, or any SAR filed more than 45 days from detectionBSA Officer

A single KRI here by design — because timeliness is the one SAR metric with a hard regulatory deadline and no flexibility. The 30-day window from detection is the standard. Missing it for any SAR is a reportable deficiency.

FinCEN’s October 2025 SAR FAQ guidance clarified two points that affect how programs structure the work around SAR filing. First, there is no requirement to document decisions not to file a SAR — institutions that have been maintaining detailed no-SAR documentation files for every reviewed alert are not required to do so. Second, institutions are not required to conduct a separate review following a SAR filing to determine whether suspicious activity has continued; risk-based internal policies for ongoing monitoring are sufficient.

These clarifications reduce administrative overhead without reducing the core obligation. The filing timeliness KRI remains the non-negotiable metric. What the FAQs changed is the documentation burden around the decisions that don’t result in a filing.

CDD and Customer Risk Rating KRIs (3)

The 2016 FinCEN Customer Due Diligence Rule — covering beneficial ownership collection for legal entity customers — remains among the most frequently cited deficiency areas in BSA examination findings. The failure mode isn’t usually the initial onboarding collection; it’s the failure to update ownership records when corporate structures change after account opening.

KRIWhat It MeasuresThreshold LogicOwner
CDD profile update completion rate% of customer profiles flagged for periodic review that were updated within the review windowAmber: <90% of due reviews completed on schedule; Red: <85%, or any high-risk customer overdueBSA/CDD
High-risk customer EDD timeliness% of customers in the high-risk tier reviewed on the policy-mandated enhanced due diligence scheduleAmber: any high-risk customer with overdue EDD review; Red: >5% of high-risk portfolio past due dateBSA/CDD
CDD-alert linkage rate% of reviewed alerts where the customer’s CDD profile was referenced in the alert disposition recordShould exceed 90% of dispositioned alerts; low rates indicate CDD data isn’t being used in alert investigationsBSA/Operations

The CDD-alert linkage KRI addresses a specific finding pattern from recent exam cycles: CDD information is collected at onboarding and exists in the system, but analysts aren’t referencing or updating it during alert review. The examiner reviewing the alert disposition finds no evidence the analyst looked at the customer’s risk profile. That’s a pillar five failure — the CDD program is running in parallel to transaction monitoring rather than informing it. The 2016 CDD Rule was specifically designed to close that gap, and the KRI is what tells you it’s actually closed.

Independent Testing KRIs (2)

BSA/AML independent testing is the second pillar — and the most technically demanding to execute correctly. The independence requirement means the testing cannot be performed by someone within the compliance or BSA function being tested. Internal audit can satisfy the requirement, but only if it is structurally independent from BSA operations and has adequate BSA subject matter expertise.

KRIWhat It MeasuresThreshold LogicOwner
Testing program recencyMonths since last completed BSA/AML independent test (comprehensive cycle)Amber: >14 months for standard-risk institutions; Red: >18 months, or material program change without targeted testInternal Audit / Risk
Open finding remediation rate% of independent testing findings closed within committed remediation timeframesAmber: <80% of prior-cycle findings closed on time; Red: any high-severity finding past its committed remediation dateBSA Officer / Internal Audit

There is no regulatory minimum for independent testing frequency. The FFIEC manual specifies testing should be commensurate with the institution’s ML/TF risk profile — in practice, every 12 to 18 months for most institutions, with more frequent reviews when errors are found, significant changes occur, or the risk profile elevates.

The OCC’s enforcement action against Community Federal Savings Bank — cited for BSA/AML deficiencies in its fintech partnership operations — specifically described the independent testing as “weak,” noting that the internal auditor failed to identify weaknesses or test high-risk areas of the BSA/AML program. That’s a pillar two failure with a direct KRI signal: testing coverage that doesn’t include the institution’s highest-risk areas isn’t meeting the standard, regardless of how recently it was completed.

The Fintech and BaaS Program Amplifier

Standard BSA KRIs measure program health at the institutional level. For banks operating fintech or Banking-as-a-Service programs — where a third party is originating customer relationships and conducting transactions under the bank’s charter — consolidated metrics aren’t enough.

Examiners reviewing BaaS sponsor banks expect program-level visibility: transaction monitoring performance for the fintech program’s transaction population, SAR filing rates for the fintech’s customer activity, and CDD completion rates for customers onboarded through the fintech’s platform. Consolidated bank-level metrics can mask program-level deterioration when the fintech program represents a small share of total institutional volume.

The OCC’s action against Community Federal Savings Bank identified BSA/AML deficiencies directly tied to the bank’s fintech partnerships, including weak independent testing of the programs operating under its charter. The finding wasn’t that the bank lacked KRIs; it was that the monitoring didn’t give the bank adequate visibility into the programs it was responsible for.

Program-level BSA KRIs for BaaS sponsors should include, at minimum: TM false positive rate per fintech program, SAR filing timeliness per program, CDD completion rate per program, and independent testing coverage of fintech-partner transactions as a percentage of total program volume.

Connecting BSA KRIs to Board and Audit Committee Reporting

BSA/AML KRIs operate at multiple levels. The BSA officer and compliance committee need detailed operational metrics — alert queue depth, daily volumes, SAR timeliness by program. The board and audit committee need signal, not operational dashboards.

Board-level BSA/AML KRI reporting should cover:

  • Current program status across the five pillars (green/amber/red summary for each)
  • SAR filing timeliness — is the program meeting the 30-day window?
  • Independent testing recency and open finding status — when was the last test, and are prior-cycle findings being closed?
  • Any material examiner feedback or MRA status, particularly for institutions with recent BSA exam activity

What the board doesn’t need: raw alert volumes, individual SAR case details, or intraday monitoring data. The board’s question is: is the program functioning, and are there indicators it’s not? The KRI summary answers that at the right level of abstraction.

See KRI Governance: Ownership, Escalation, and Remediation for the governance framework connecting operational BSA KRI monitoring to the board reporting layer.

Common KRI Failures in BSA Programs

Tracking activity, not program health. Alert volume is an activity metric. It tells you how busy your system is, not how well it’s working. False positive rate tells you how well it’s calibrated. Many BSA programs report the former and never compute the latter.

No KRI for independent testing recency. The testing program is the second pillar. The most common failure mode is that testing happened once at program inception or after a prior exam, and then slipped in subsequent years. A KRI that fires when the last independent test is more than 14 months old is the mechanism that prevents this.

CDD KRIs that only cover onboarding. If your CDD KRI tracks initial collection completion but not update completion for existing customers, you’re measuring the easy part. The deficiencies examiners find are in the update process — beneficial ownership changes, business activity changes, customer risk re-rating — not initial collection.

Threshold values set at program inception and never revisited. The false positive rate threshold that was appropriate when your TM system was first configured isn’t necessarily right after a product launch, a BaaS partnership, or a shift in customer mix. KRI thresholds calibrated for last year’s transaction population are wrong for this year’s.

No connection between CDD programs and alert investigations. Collecting and updating CDD information is half the requirement. Using it during alert review is the other half. The 2016 FinCEN CDD Rule was specifically designed to make CDD information actionable — not just collected. The CDD-alert linkage KRI is the signal that tells you whether analysts are actually using it.

Program design treated as a permanent substitute for program performance. FinCEN’s April 2026 proposed rule to reform AML/CFT program requirements introduces a two-prong framework that explicitly separates program design (policies, procedures, structure) from program performance (whether the program is actively maintained and effective). The comment period closes June 9, 2026. The implication for KRI design is clear: a well-documented program structure with no measurement of whether that structure is working will no longer satisfy regulatory expectations under the proposed framework. KRIs are what convert program design into documented program performance.

So What Does This Mean for Your Program?

If you can immediately answer “what’s our current SAR conversion rate, and how has it trended over the last four quarters?” — your TM program is probably in reasonable shape. If the answer requires pulling a report, you have data that hasn’t been converted into a monitoring signal.

Start with the two metrics most directly tied to exam findings: alert aging (how long are alerts sitting before disposition?) and SAR filing timeliness (what percentage of SARs are filed within 30 days?). Set amber and red thresholds, assign owners, and establish a reporting cadence. That’s the minimum viable BSA/AML KRI program.

For institutions with fintech or BaaS programs: run those metrics at the program level, not just consolidated. That’s where examiner scrutiny is concentrated, and that’s where program health deterioration will show up first.

See BSA/AML Independent Testing: FFIEC Requirements and Program Design for how to structure the testing program these KRIs are designed to monitor, and AML Risk Assessment: A Practitioner’s Methodology for Banks and Fintechs for how your underlying risk assessment should calibrate KRI threshold design.


If your compliance program needs pre-built BSA/AML KRIs — covering transaction monitoring performance, SAR filing rates, CDD completion, and independent testing metrics — with green/amber/red thresholds, data source fields, owners, and escalation triggers ready to deploy, the KRI Library (132 Key Risk Indicators) includes 10 BSA/AML-specific KRIs built for financial services institutions. Get the KRI Library →

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What KRIs do BSA/AML examiners check most often?
Examiners focus on KRIs that map to the FFIEC's five-pillar framework: transaction monitoring alert volumes and clearance rates, SAR filing timeliness and conversion rates, CDD completion and update rates, independent testing frequency and finding rates, and BSA officer qualification and resource metrics. The metrics most frequently cited in examination findings are transaction monitoring alert aging (how long alerts sit before resolution), SAR filing timeliness (whether SARs are filed within the 30-day window), and independent testing gaps — particularly at fintech-bank partnerships where the independence requirement is hardest to satisfy.
What is a good SAR conversion rate or alert-to-SAR ratio?
There's no universal regulatory benchmark for SAR conversion rate, but the rate directly measures your program's signal-to-noise ratio — low conversion rates indicate transaction monitoring rules are poorly calibrated. Many institutions see low single-digit SAR conversion rates as a baseline, but what matters is the trend: conversion rates should rise over time as rules are tuned, and a consistently declining rate without corresponding rule changes is a program health signal worth investigating. Examiners don't mandate a specific number, but will ask about your tuning methodology if your rate is very low and not improving.
How often does BSA/AML independent testing need to be conducted?
There's no regulatory requirement for a specific frequency. The FFIEC manual specifies testing should be 'commensurate with the ML/TF and other illicit financial activity risk profile of the bank.' In practice, most institutions target every 12 to 18 months for routine testing cycles. Higher-risk institutions — those with high-volume cash businesses, cross-border transactions, or fintech partnerships — should test more frequently and conduct targeted reviews after material changes to the BSA/AML program, system configurations, or risk profile.
What are the most common BSA/AML KRI design failures?
The most common failures are: tracking activity (transaction volumes, alert counts) rather than program health (alert aging, closure rates, SAR timeliness); having no KRI for independent testing recency or finding rate; failing to track CDD update rates for existing customers; and using threshold values set at program inception that haven't been recalibrated as the institution's risk profile changed. The other common failure is not connecting KRI results to board-level reporting — the BSA officer and compliance committee see the data, but the board risk committee doesn't see signal-level summaries.
What did FinCEN's October 2025 SAR FAQ guidance change for AML monitoring programs?
The October 2025 FinCEN SAR FAQs clarified three things that directly affect how monitoring programs are designed: first, there is no requirement to document decisions not to file a SAR; second, institutions are not required to conduct a separate review following a SAR filing to check for continuing activity — risk-based internal policies for ongoing monitoring are sufficient; and third, institutions are not required to file SARs solely because a transaction is at or near the $10,000 CTR threshold. These clarifications reduce administrative burden without reducing the substantive obligation to detect and report actual suspicious activity.
Do fintechs and BaaS programs need BSA/AML KRIs?
Fintechs operating under bank sponsorship are subject to the bank's BSA/AML program — and the sponsor bank is accountable to regulators for the fintech's AML compliance. This means fintech-specific KRIs are often required to give the sponsor bank visibility into the program health of the programs running under its charter. The OCC's enforcement action against Community Federal Savings Bank specifically cited BSA/AML deficiencies in the bank's fintech partnership monitoring, including weak independent testing. KRIs that track transaction monitoring performance, SAR filing rates, and CDD completion at the fintech-program level — not just the consolidated bank level — are what sponsor banks need.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.