Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Compliance Strategy

Compliance Training Program Requirements: What OCC, FDIC, CFPB, and FINRA Examiners Actually Test

Most financial institutions have a training program. Fewer have one that survives examiner scrutiny. Here's what each regulator actually looks for — and the documentation gaps that turn a training calendar into an exam finding.

Table of Contents

TL;DR

  • Training is a formal pillar of BSA compliance, a CMS evaluation criterion for the CFPB, and a supervision requirement under FINRA — not a soft HR function
  • Examiners don’t just ask whether training happened; they ask for the materials, the completion records, and the mechanism that connects training to identified compliance risks
  • Missing documentation is almost always the problem — not missing training — because institutions run programs but don’t document them at the level regulators expect
  • A Training Needs Analysis that drives your annual calendar, role-specific content for high-risk functions, and a board training log are the three elements most programs lack

The examiner asked for training records on day two of the examination. The compliance officer showed the LMS dashboard — 94% completion rate, every employee who needed BSA training had checked the box. The examiner asked for the actual course content. There was no clean way to export it. Then the examiner asked whether the materials had been updated after the new AML/CFT program modernization rules took effect in 2024. They hadn’t. Then she asked about the board’s BSA training for the prior year and whether that was documented separately from general board orientation.

By the end of day two, training had generated more examiner questions than three other compliance program components combined.

The completion percentage didn’t matter. What mattered was whether the training was current, role-appropriate, and documented at the level required to demonstrate a functioning compliance management system — not just a checkbox exercise.

Most financial institutions have training programs. The ones that fail examination scrutiny are almost always the ones where the program exists but the documentation doesn’t match what examiners expect to see.


Why Compliance Training Is a Regulatory Requirement — Not an HR Function

Across the major regulatory frameworks, compliance training isn’t a best practice. It’s a formal program component with documented requirements, and failing to meet those requirements generates findings.

BSA compliance: Training is one of the five pillars of an adequate BSA program under FinCEN regulations and the FFIEC BSA/AML Examination Manual. An institution without a documented training program — one that covers current BSA/AML requirements and is tailored to employee roles — will receive a deficient BSA program rating regardless of how strong the other four pillars are.

Consumer compliance at banks: The OCC Comptroller’s Handbook on Compliance Management Systems treats training as one of four core CMS components (along with oversight, policies/procedures, and response to consumer complaints). Examination findings for CMS deficiencies are frequently tied to training gaps — either because training doesn’t reflect regulatory changes, or because training records can’t be produced.

CFPB CMS examinations: The CFPB evaluates compliance training as part of every CMS assessment. Its supervisory framework explicitly links the adequacy of training to the effectiveness of the CMS — a program that tests controls but doesn’t use test results to update training misses a required feedback loop.

FINRA broker-dealer supervision: FINRA Rule 1240 establishes mandatory continuing education requirements for registered representatives. Rule 3110 (Supervision) requires firms to maintain written supervisory procedures — which includes adequate training protocols for registered personnel. FINRA’s Firm Element requirements go further, requiring annual training development based on a documented Training Needs Analysis.


What Each Regulator Actually Looks For

BSA/AML Training: FinCEN and the FFIEC Manual

The FFIEC BSA/AML Examination Manual dedicates a full section to training under the BSA Compliance Program pillar. The examiner review covers:

Who must be trained: Not just BSA officers and frontline staff. The manual expects training for all personnel whose duties require BSA/AML knowledge — which, at most banks and credit unions, includes tellers, loan officers, account managers, operations staff, technology personnel with access to customer data, internal audit, and senior management. The BSA officer requires more depth; board members and senior management require awareness-level coverage.

Content requirements: Training must cover current BSA/AML obligations — including the Bank Secrecy Act, the USA PATRIOT Act requirements, FinCEN regulations, and the specific requirements applicable to the institution’s products and services. When FinCEN issues new rules or guidance, training must be updated to reflect them. The 2024 AML/CFT Program Rule changes introduced new risk assessment and program requirements that institutions were expected to incorporate into training within a reasonable time after the rule’s effective date.

Documentation the FFIEC manual expects:

  • Dates of training sessions
  • Identity of attendees (or completion records from an LMS)
  • Description of the training topics covered
  • Name of the trainer or course provider
  • Evidence of board training (typically in board meeting minutes or a separate board training log)

What generates findings: Training records that show only completion percentages with no underlying content documentation. Training that doesn’t cover the institution’s specific high-risk products or customer types. No documentation of how training was updated after FinCEN rule changes. No board training records.

CFPB: Consumer Compliance Training in the CMS Framework

The CFPB evaluates compliance training as part of its Compliance Management System assessment framework. The specific components its examiners evaluate:

Written training plan: Examiners expect a documented training plan — not just a schedule, but a plan that identifies which employees need which training, the basis for that determination (ideally a risk assessment), and how often training is delivered. A one-size-fits-all annual training calendar without differentiation by role or risk exposure is a weakness.

Training needs analysis: The CFPB’s CMS framework expects institutions to identify compliance training needs based on their product mix, consumer base, complaint trends, and findings from compliance monitoring and testing. Training should be responsive to identified risks — not a static package delivered on the same schedule regardless of what’s changed.

Post-finding training: When a compliance test or consumer complaint reveals a knowledge gap, training should be updated to address it. Examiners look for the feedback loop: monitoring → finding → training update → re-test. Programs that don’t close this loop generate CMS findings even when the underlying compliance work is solid.

Content currency: Examiners review whether training reflects current regulatory requirements. Material rule changes — Regulation E amendments, Reg Z updates, fair lending guidance — should trigger training updates, not wait for the next annual cycle.

OCC: Compliance Management System Examinations

The OCC’s Comptroller’s Handbook on Compliance Management Systems provides the framework for how national bank examiners evaluate training. Key examiner focus areas:

Integration with the CMS: Training is evaluated as a function of the overall CMS — whether it’s connected to how compliance risks are identified, whether it’s updated when testing finds gaps, and whether it extends to the board and management level.

Role-specific content: The OCC expects training to be tailored to the duties and responsibilities of different employee groups. A loan officer and a teller don’t need identical training depth on HMDA requirements. A product manager launching a new credit product needs deeper Reg Z training than someone in back-office processing. The OCC evaluates whether training calibration matches the risk profile of each role.

Board training documentation: Board members must receive sufficient training to understand the institution’s compliance obligations and oversee the CMS meaningfully. This is separate from general director orientation. OCC examiners routinely ask for documentation of board training on compliance topics — typically found in board meeting minutes, board education materials, or a separate compliance education log.

FINRA: Regulatory Element and Firm Element Continuing Education

FINRA’s continuing education program under Rule 1240 consists of two distinct components with different administration, content, and documentation requirements.

Regulatory Element: FINRA administers this component directly through its FinPro platform. Registered persons must complete Regulatory Element training annually — a requirement that changed from every three years to annually effective January 1, 2023 (per Regulatory Notice 21-41). Firms don’t develop the Regulatory Element content — FINRA does. But firms must track completion and ensure registered persons remain current. A registered representative whose Regulatory Element is overdue is classified as “CE Inactive” and is prohibited from performing most securities activities until the requirement is met.

Firm Element: Firms must develop and deliver Firm Element training annually to all registered persons. The Firm Element must be based on a Training Needs Analysis — a documented assessment of the firm’s business activities, regulatory developments, and any identified compliance weaknesses. The Training Needs Analysis drives what’s included in the Firm Element for that year.

Firm Element documentation requirements:

  • A written Training Needs Analysis (conducted annually before developing the Firm Element)
  • A written training plan for the year based on the TNA findings
  • Completion records showing which registered persons completed which training
  • Records of the training materials themselves

What FINRA examiners check: Whether the Training Needs Analysis was actually conducted and documented (not just asserted). Whether the Firm Element content was responsive to the TNA findings. Whether Firm Element records are maintained for the required period. FINRA Rule 3110 supervisors are responsible for ensuring compliance — a Firm Element program that runs on autopilot without a documented TNA is a supervision deficiency.


What “Training Documentation” Actually Means to an Examiner

This is where most programs break down. Institutions run training. People attend. Boxes get checked. But when an examiner asks for documentation, the request is more specific than most compliance teams anticipate.

The documentation that examiners actually review:

What Examiners Ask ForWhat They’re Actually Evaluating
Training plan or calendarWhether training is risk-based and role-differentiated, not one-size-fits-all
Training content/materialsWhether the content is current and substantively covers required topics
Completion records with employee namesWhether coverage reached required personnel, including high-risk roles
Board training documentationWhether directors have sufficient awareness to exercise meaningful oversight
Training Needs Analysis (FINRA/CFPB)Whether training is responsive to identified risks, not static
Post-finding training recordsWhether the CMS feedback loop closes from finding to training
Update records when rules changedWhether training was refreshed after material regulatory developments

The single most common examination gap isn’t missing training — it’s missing materials. An LMS shows 90% completion; the examiner asks what the employees were trained on; there’s no way to produce the actual course content in a defensible format. This gap is avoidable: export or archive course content at the time it’s delivered, or store it in a document repository with version control and a delivery date.

The second most common gap is board documentation. Many institutions include a brief compliance update in quarterly board materials but don’t document it as training. Labeling it, retaining the materials, and noting it in minutes or a separate log converts an informal update into documented board training.


Common Training Program Deficiencies That Generate Exam Findings

Based on the pattern of findings across OCC, FDIC, CFPB, and FINRA examinations, these are the deficiencies that consistently surface:

Content that doesn’t reflect current rules. FinCEN’s 2024 AML/CFT Program Modernization Rule, the CFPB’s 2025 open banking rule, Reg E amendments affecting P2P payments — institutions that don’t update training when material rules change fall behind. Examiners check whether training reflects the regulatory environment that exists today, not a year or two ago.

Training that doesn’t reach high-risk roles. BSA training is required for all personnel with BSA/AML duties — but many programs train frontline staff and skip technology teams, product managers, and senior leadership. Examiners cross-reference the institution’s risk profile with the training roster.

No Training Needs Analysis to justify the curriculum. Especially under FINRA’s Firm Element requirements and the CFPB’s CMS framework, training must be grounded in an identified need. A training plan that delivers the same content year after year without a documented review of what’s changed is a finding waiting to happen.

Gaps in board training records. The most common gap. Board training typically happens informally — a presentation, a discussion item in executive materials — but isn’t documented as training with materials retained.

No feedback loop from testing to training. If compliance monitoring or consumer complaints identify a pattern suggesting employees don’t understand a specific requirement, training must be updated and the gap re-tested. Programs without this feedback loop have a structural weakness that examiners identify through reviewing how the institution responded to prior findings.


Building a Defensible Training Program in 5 Steps

Step 1: Conduct a Training Needs Analysis annually. Document what’s changed in your regulatory environment since the prior year (new rules, amendments, exam findings, complaints). Identify which employee groups are affected and what depth of coverage they need. This document becomes the justification for your training calendar and the evidence that your program is risk-based.

Step 2: Build a training calendar with role-based assignments. Not everyone needs the same training at the same depth. Map training requirements to roles: BSA officer, registered representatives, loan officers, tellers, technology staff, senior management, board. Assign content accordingly. Document the mapping so you can show examiners why your calendar looks the way it does.

Step 3: Archive the actual training materials. When training is delivered — whether live, LMS-based, or webinar — export and retain the materials in a document repository. Include the version date. If the content is updated after a regulatory change, retain the prior version as well to show what was current at what time.

Step 4: Maintain completion records at the individual level. A completion percentage is not a training record. Examiners want to see which specific employees completed which specific training by which date — especially for high-risk roles. LMS exports or signed attendance sheets work; a spreadsheet summary without underlying records does not.

Step 5: Document board training separately and specifically. Create a board compliance training log that lists the date, topic, and materials provided. Keep the materials. Reference the log in board meeting minutes. Even informal briefings become defensible training when documented this way.

The Compliance Monitoring and Testing post covers how compliance testing results should feed back into your training program — the mechanism that creates the feedback loop regulators expect to see. The Regulatory Examination Readiness Checklist includes training documentation as one of the pre-examination review items, with specific questions examiners are likely to ask.


So What? A Training Program Audit Checklist

Before your next examination — or before the examiner asks — answer these questions:

  1. Do you have a written Training Needs Analysis for the current year? If not, you don’t have evidence that your training is risk-based.
  2. Is your training content current? Pull the materials for your BSA/AML and consumer compliance modules and check the last update date against recent regulatory changes.
  3. Can you produce the actual training content — not just completion records? If only your LMS knows what was in the course, you have an archiving problem.
  4. Do your records show individual-level completion for high-risk roles? Especially for BSA officers, registered reps, and loan officers.
  5. Is board training documented somewhere other than a general reference in the minutes? A board training log with materials retained is the standard.
  6. Do you have a process that connects compliance test findings to training updates? Can you trace a prior exam finding through to a training curriculum change?

The Compliance Essentials Bundle includes a compliance calendar template (pre-populated with training deadlines), a compliance monitoring and testing plan with a findings-to-training feedback loop, and documentation templates designed to produce the records examiners expect. The training documentation gap is almost always a systems and process problem — the right records aren’t being created at delivery time. Building that habit before the exam is the work.

Training programs that survive examination scrutiny aren’t necessarily more extensive than the ones that generate findings. They’re the ones that run the same activities with better documentation — and a documented process that connects what was taught to why it was taught, who needed it, and what changed since last year.


External references: FFIEC BSA/AML Examination Manual — Training Program; FINRA Rule 1240 — Continuing Education Requirements; OCC Comptroller’s Handbook — Compliance Management Systems; FinCEN BSA Program Requirements; CFPB Supervision and Examination Manual — Compliance Management Review

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What are the BSA/AML training requirements for financial institutions?
Training is one of the five pillars of a BSA compliance program under FinCEN and the FFIEC BSA/AML Examination Manual. Institutions must provide training to all personnel whose duties require BSA/AML knowledge — not just the BSA officer. Training must be documented, cover current requirements (including recent AML/CFT rule changes), and be tailored to the role. Board members and senior management also require awareness-level training. The FFIEC manual does not specify a mandatory frequency, but annual training is the defensible standard — more frequently when rules change materially.
What does the CFPB look for in compliance training during an examination?
The CFPB evaluates compliance training as part of its Compliance Management System (CMS) assessment. Examiners look for: a written training plan tied to identified compliance risks, documentation of completion for all relevant employees, training content that is current (reflects recent regulatory changes), board and senior management participation, and evidence that the training program is updated when the CMS finds gaps. Training records that are not maintained, or training that covers only general ethics rather than specific consumer protection obligations, consistently generate CMS findings.
What are FINRA's continuing education requirements for registered representatives?
FINRA Rule 1240 requires two separate CE components: the Regulatory Element, which FINRA administers through its FinPro platform and must be completed annually (changed from every three years effective January 1, 2023 per Regulatory Notice 21-41); and the Firm Element, which the firm must develop and deliver annually to registered persons based on a Training Needs Analysis. Both components must be documented in the firm's CE records.
What training documentation do bank examiners actually review?
Examiners typically request: (1) a written training plan or training calendar for the year; (2) the actual training materials or course content (not just a log of who completed something); (3) completion records — attendance sheets, LMS screenshots, or signed attestations; (4) evidence of how training needs are identified (a Training Needs Analysis or risk-based gap assessment); (5) documentation that training was updated after regulatory changes, exam findings, or new product launches; and (6) records showing board and management-level training participation. Missing content materials and incomplete board documentation are the two most common gaps.
Is annual compliance training sufficient, or do regulators expect more frequent training?
Annual training is the documented baseline, but regulators expect more frequent updates when material changes occur. Triggers for out-of-cycle training include: a new regulatory rule taking effect, a new product launch, an exam finding that reveals a knowledge gap, a pattern in consumer complaints pointing to a training deficiency, or a significant internal policy change. Most CMS examination frameworks require a mechanism that connects identified compliance failures back to training — if a control failure traces to knowledge gaps, annual training on a fixed calendar isn't enough.
Does the board need compliance training?
Yes. The OCC Comptroller's Handbook on Compliance Management Systems, the FFIEC BSA/AML Examination Manual, and the CFPB's CMS framework all expect board-level awareness training. Directors are not expected to have the same depth as operational compliance staff, but they must have sufficient awareness to exercise meaningful oversight — including understanding key compliance risks, recent regulatory changes, and the results of the institution's compliance testing. Board training is routinely documented in board meeting minutes or a separate training log.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Compliance Essentials

Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.