Feature Compliance Strategy
Compliance Training Program Requirements: What OCC, FDIC, CFPB, and FINRA Examiners Actually Test
Most financial institutions have a training program. Fewer have one that survives examiner scrutiny. Here's what each regulator actually looks for — and the documentation gaps that turn a training calendar into an exam finding.
Table of Contents
TL;DR
- Training is a formal pillar of BSA compliance, a CMS evaluation criterion for the CFPB, and a supervision requirement under FINRA — not a soft HR function
- Examiners don’t just ask whether training happened; they ask for the materials, the completion records, and the mechanism that connects training to identified compliance risks
- Missing documentation is almost always the problem — not missing training — because institutions run programs but don’t document them at the level regulators expect
- A Training Needs Analysis that drives your annual calendar, role-specific content for high-risk functions, and a board training log are the three elements most programs lack
The examiner asked for training records on day two of the examination. The compliance officer showed the LMS dashboard — 94% completion rate, every employee who needed BSA training had checked the box. The examiner asked for the actual course content. There was no clean way to export it. Then the examiner asked whether the materials had been updated after the new AML/CFT program modernization rules took effect in 2024. They hadn’t. Then she asked about the board’s BSA training for the prior year and whether that was documented separately from general board orientation.
By the end of day two, training had generated more examiner questions than three other compliance program components combined.
The completion percentage didn’t matter. What mattered was whether the training was current, role-appropriate, and documented at the level required to demonstrate a functioning compliance management system — not just a checkbox exercise.
Most financial institutions have training programs. The ones that fail examination scrutiny are almost always the ones where the program exists but the documentation doesn’t match what examiners expect to see.
Why Compliance Training Is a Regulatory Requirement — Not an HR Function
Across the major regulatory frameworks, compliance training isn’t a best practice. It’s a formal program component with documented requirements, and failing to meet those requirements generates findings.
BSA compliance: Training is one of the five pillars of an adequate BSA program under FinCEN regulations and the FFIEC BSA/AML Examination Manual. An institution without a documented training program — one that covers current BSA/AML requirements and is tailored to employee roles — will receive a deficient BSA program rating regardless of how strong the other four pillars are.
Consumer compliance at banks: The OCC Comptroller’s Handbook on Compliance Management Systems treats training as one of four core CMS components (along with oversight, policies/procedures, and response to consumer complaints). Examination findings for CMS deficiencies are frequently tied to training gaps — either because training doesn’t reflect regulatory changes, or because training records can’t be produced.
CFPB CMS examinations: The CFPB evaluates compliance training as part of every CMS assessment. Its supervisory framework explicitly links the adequacy of training to the effectiveness of the CMS — a program that tests controls but doesn’t use test results to update training misses a required feedback loop.
FINRA broker-dealer supervision: FINRA Rule 1240 establishes mandatory continuing education requirements for registered representatives. Rule 3110 (Supervision) requires firms to maintain written supervisory procedures — which includes adequate training protocols for registered personnel. FINRA’s Firm Element requirements go further, requiring annual training development based on a documented Training Needs Analysis.
What Each Regulator Actually Looks For
BSA/AML Training: FinCEN and the FFIEC Manual
The FFIEC BSA/AML Examination Manual dedicates a full section to training under the BSA Compliance Program pillar. The examiner review covers:
Who must be trained: Not just BSA officers and frontline staff. The manual expects training for all personnel whose duties require BSA/AML knowledge — which, at most banks and credit unions, includes tellers, loan officers, account managers, operations staff, technology personnel with access to customer data, internal audit, and senior management. The BSA officer requires more depth; board members and senior management require awareness-level coverage.
Content requirements: Training must cover current BSA/AML obligations — including the Bank Secrecy Act, the USA PATRIOT Act requirements, FinCEN regulations, and the specific requirements applicable to the institution’s products and services. When FinCEN issues new rules or guidance, training must be updated to reflect them. The 2024 AML/CFT Program Rule changes introduced new risk assessment and program requirements that institutions were expected to incorporate into training within a reasonable time after the rule’s effective date.
Documentation the FFIEC manual expects:
- Dates of training sessions
- Identity of attendees (or completion records from an LMS)
- Description of the training topics covered
- Name of the trainer or course provider
- Evidence of board training (typically in board meeting minutes or a separate board training log)
What generates findings: Training records that show only completion percentages with no underlying content documentation. Training that doesn’t cover the institution’s specific high-risk products or customer types. No documentation of how training was updated after FinCEN rule changes. No board training records.
CFPB: Consumer Compliance Training in the CMS Framework
The CFPB evaluates compliance training as part of its Compliance Management System assessment framework. The specific components its examiners evaluate:
Written training plan: Examiners expect a documented training plan — not just a schedule, but a plan that identifies which employees need which training, the basis for that determination (ideally a risk assessment), and how often training is delivered. A one-size-fits-all annual training calendar without differentiation by role or risk exposure is a weakness.
Training needs analysis: The CFPB’s CMS framework expects institutions to identify compliance training needs based on their product mix, consumer base, complaint trends, and findings from compliance monitoring and testing. Training should be responsive to identified risks — not a static package delivered on the same schedule regardless of what’s changed.
Post-finding training: When a compliance test or consumer complaint reveals a knowledge gap, training should be updated to address it. Examiners look for the feedback loop: monitoring → finding → training update → re-test. Programs that don’t close this loop generate CMS findings even when the underlying compliance work is solid.
Content currency: Examiners review whether training reflects current regulatory requirements. Material rule changes — Regulation E amendments, Reg Z updates, fair lending guidance — should trigger training updates, not wait for the next annual cycle.
OCC: Compliance Management System Examinations
The OCC’s Comptroller’s Handbook on Compliance Management Systems provides the framework for how national bank examiners evaluate training. Key examiner focus areas:
Integration with the CMS: Training is evaluated as a function of the overall CMS — whether it’s connected to how compliance risks are identified, whether it’s updated when testing finds gaps, and whether it extends to the board and management level.
Role-specific content: The OCC expects training to be tailored to the duties and responsibilities of different employee groups. A loan officer and a teller don’t need identical training depth on HMDA requirements. A product manager launching a new credit product needs deeper Reg Z training than someone in back-office processing. The OCC evaluates whether training calibration matches the risk profile of each role.
Board training documentation: Board members must receive sufficient training to understand the institution’s compliance obligations and oversee the CMS meaningfully. This is separate from general director orientation. OCC examiners routinely ask for documentation of board training on compliance topics — typically found in board meeting minutes, board education materials, or a separate compliance education log.
FINRA: Regulatory Element and Firm Element Continuing Education
FINRA’s continuing education program under Rule 1240 consists of two distinct components with different administration, content, and documentation requirements.
Regulatory Element: FINRA administers this component directly through its FinPro platform. Registered persons must complete Regulatory Element training annually — a requirement that changed from every three years to annually effective January 1, 2023 (per Regulatory Notice 21-41). Firms don’t develop the Regulatory Element content — FINRA does. But firms must track completion and ensure registered persons remain current. A registered representative whose Regulatory Element is overdue is classified as “CE Inactive” and is prohibited from performing most securities activities until the requirement is met.
Firm Element: Firms must develop and deliver Firm Element training annually to all registered persons. The Firm Element must be based on a Training Needs Analysis — a documented assessment of the firm’s business activities, regulatory developments, and any identified compliance weaknesses. The Training Needs Analysis drives what’s included in the Firm Element for that year.
Firm Element documentation requirements:
- A written Training Needs Analysis (conducted annually before developing the Firm Element)
- A written training plan for the year based on the TNA findings
- Completion records showing which registered persons completed which training
- Records of the training materials themselves
What FINRA examiners check: Whether the Training Needs Analysis was actually conducted and documented (not just asserted). Whether the Firm Element content was responsive to the TNA findings. Whether Firm Element records are maintained for the required period. FINRA Rule 3110 supervisors are responsible for ensuring compliance — a Firm Element program that runs on autopilot without a documented TNA is a supervision deficiency.
What “Training Documentation” Actually Means to an Examiner
This is where most programs break down. Institutions run training. People attend. Boxes get checked. But when an examiner asks for documentation, the request is more specific than most compliance teams anticipate.
The documentation that examiners actually review:
| What Examiners Ask For | What They’re Actually Evaluating |
|---|---|
| Training plan or calendar | Whether training is risk-based and role-differentiated, not one-size-fits-all |
| Training content/materials | Whether the content is current and substantively covers required topics |
| Completion records with employee names | Whether coverage reached required personnel, including high-risk roles |
| Board training documentation | Whether directors have sufficient awareness to exercise meaningful oversight |
| Training Needs Analysis (FINRA/CFPB) | Whether training is responsive to identified risks, not static |
| Post-finding training records | Whether the CMS feedback loop closes from finding to training |
| Update records when rules changed | Whether training was refreshed after material regulatory developments |
The single most common examination gap isn’t missing training — it’s missing materials. An LMS shows 90% completion; the examiner asks what the employees were trained on; there’s no way to produce the actual course content in a defensible format. This gap is avoidable: export or archive course content at the time it’s delivered, or store it in a document repository with version control and a delivery date.
The second most common gap is board documentation. Many institutions include a brief compliance update in quarterly board materials but don’t document it as training. Labeling it, retaining the materials, and noting it in minutes or a separate log converts an informal update into documented board training.
Common Training Program Deficiencies That Generate Exam Findings
Based on the pattern of findings across OCC, FDIC, CFPB, and FINRA examinations, these are the deficiencies that consistently surface:
Content that doesn’t reflect current rules. FinCEN’s 2024 AML/CFT Program Modernization Rule, the CFPB’s 2025 open banking rule, Reg E amendments affecting P2P payments — institutions that don’t update training when material rules change fall behind. Examiners check whether training reflects the regulatory environment that exists today, not a year or two ago.
Training that doesn’t reach high-risk roles. BSA training is required for all personnel with BSA/AML duties — but many programs train frontline staff and skip technology teams, product managers, and senior leadership. Examiners cross-reference the institution’s risk profile with the training roster.
No Training Needs Analysis to justify the curriculum. Especially under FINRA’s Firm Element requirements and the CFPB’s CMS framework, training must be grounded in an identified need. A training plan that delivers the same content year after year without a documented review of what’s changed is a finding waiting to happen.
Gaps in board training records. The most common gap. Board training typically happens informally — a presentation, a discussion item in executive materials — but isn’t documented as training with materials retained.
No feedback loop from testing to training. If compliance monitoring or consumer complaints identify a pattern suggesting employees don’t understand a specific requirement, training must be updated and the gap re-tested. Programs without this feedback loop have a structural weakness that examiners identify through reviewing how the institution responded to prior findings.
Building a Defensible Training Program in 5 Steps
Step 1: Conduct a Training Needs Analysis annually. Document what’s changed in your regulatory environment since the prior year (new rules, amendments, exam findings, complaints). Identify which employee groups are affected and what depth of coverage they need. This document becomes the justification for your training calendar and the evidence that your program is risk-based.
Step 2: Build a training calendar with role-based assignments. Not everyone needs the same training at the same depth. Map training requirements to roles: BSA officer, registered representatives, loan officers, tellers, technology staff, senior management, board. Assign content accordingly. Document the mapping so you can show examiners why your calendar looks the way it does.
Step 3: Archive the actual training materials. When training is delivered — whether live, LMS-based, or webinar — export and retain the materials in a document repository. Include the version date. If the content is updated after a regulatory change, retain the prior version as well to show what was current at what time.
Step 4: Maintain completion records at the individual level. A completion percentage is not a training record. Examiners want to see which specific employees completed which specific training by which date — especially for high-risk roles. LMS exports or signed attendance sheets work; a spreadsheet summary without underlying records does not.
Step 5: Document board training separately and specifically. Create a board compliance training log that lists the date, topic, and materials provided. Keep the materials. Reference the log in board meeting minutes. Even informal briefings become defensible training when documented this way.
The Compliance Monitoring and Testing post covers how compliance testing results should feed back into your training program — the mechanism that creates the feedback loop regulators expect to see. The Regulatory Examination Readiness Checklist includes training documentation as one of the pre-examination review items, with specific questions examiners are likely to ask.
So What? A Training Program Audit Checklist
Before your next examination — or before the examiner asks — answer these questions:
- Do you have a written Training Needs Analysis for the current year? If not, you don’t have evidence that your training is risk-based.
- Is your training content current? Pull the materials for your BSA/AML and consumer compliance modules and check the last update date against recent regulatory changes.
- Can you produce the actual training content — not just completion records? If only your LMS knows what was in the course, you have an archiving problem.
- Do your records show individual-level completion for high-risk roles? Especially for BSA officers, registered reps, and loan officers.
- Is board training documented somewhere other than a general reference in the minutes? A board training log with materials retained is the standard.
- Do you have a process that connects compliance test findings to training updates? Can you trace a prior exam finding through to a training curriculum change?
The Compliance Essentials Bundle includes a compliance calendar template (pre-populated with training deadlines), a compliance monitoring and testing plan with a findings-to-training feedback loop, and documentation templates designed to produce the records examiners expect. The training documentation gap is almost always a systems and process problem — the right records aren’t being created at delivery time. Building that habit before the exam is the work.
Training programs that survive examination scrutiny aren’t necessarily more extensive than the ones that generate findings. They’re the ones that run the same activities with better documentation — and a documented process that connects what was taught to why it was taught, who needed it, and what changed since last year.
External references: FFIEC BSA/AML Examination Manual — Training Program; FINRA Rule 1240 — Continuing Education Requirements; OCC Comptroller’s Handbook — Compliance Management Systems; FinCEN BSA Program Requirements; CFPB Supervision and Examination Manual — Compliance Management Review
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are the BSA/AML training requirements for financial institutions?
What does the CFPB look for in compliance training during an examination?
What are FINRA's continuing education requirements for registered representatives?
What training documentation do bank examiners actually review?
Is annual compliance training sufficient, or do regulators expect more frequent training?
Does the board need compliance training?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Keep reading
Related posts.
Compliance Strategy
FinCEN's June 2026 Update Turns Section 314(b) Into a Real-Time Fraud-Fighting Tool
FinCEN's June 12, 2026 guidance expanded the Section 314(b) safe harbor to explicitly cover fraud—wire fraud, bank fraud, mail fraud, computer fraud—without requiring an institution to connect the activity to money laundering first. Here's what changed, why it matters for BSA programs, and what enrollment and real-time sharing actually look like in practice.
Jul 8, 2026
Compliance Strategy
OCC's 2026 Exam Rightsizing: What Community Banks Should Stop Doing—and What Still Gets You Written Up
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated mandatory examination activities that aren't required by law for community banks. That means fair lending risk assessments and flood insurance transaction testing are no longer mandatory every exam cycle. Here's what actually changed, what didn't, and where compliance teams are misreading this shift.
Jul 7, 2026
Compliance Strategy
Regulatory Examination Readiness: The 60-Day Checklist for Banks, Credit Unions, and Fintechs
The notification letter arrives with 30–60 days' notice. What happens in those weeks determines whether you walk out with a clean report or spend the next year managing MRAs. Here's the pre-examination preparation framework that actually reduces examination duration and findings count.
Jun 29, 2026