Field Guide

AML Compliance Training: A Practitioner's Guide

The short version

Training is one of the pillars of a BSA/AML program: the FFIEC BSA/AML Examination Manual treats it as the fourth pillar, and 31 CFR Chapter X requires ongoing, risk-based training. A defensible program trains the right people for their roles, covers the institution's own policies plus the regulatory requirements and red flags that matter to each role, runs at least annually and on every material change, and leaves an evidence trail an examiner can follow. As the institution grows, the program needs a clear owner, a function that builds and delivers the content, and a governance body that keeps it current.

Most compliance leaders agree training is required. Far fewer can show, on demand, that the right people were trained on the right material at the right time. That gap is where examination findings live. An examiner grades the evidence that training reached the people who run your controls, and intent counts for little once the evidence is on the table.

This guide walks the training pillar in plain language: why it is required, who must be trained, what the content must cover, how often, how to structure the program as you scale, and what makes training defensible when an examiner tests it.

Why training is a BSA/AML pillar

The Bank Secrecy Act (BSA) is the core U.S. anti-money-laundering law. Its implementing rules live in 31 CFR Chapter X, the body of Treasury regulations administered by the Financial Crimes Enforcement Network (FinCEN), the bureau that writes and enforces BSA rules. A covered institution must maintain a BSA/AML compliance program, and one of that program's required components is ongoing training.

The FFIEC BSA/AML Examination Manual, the playbook federal examiners use, organizes program requirements into pillars and treats training as the fourth pillar, alongside internal controls, a designated BSA compliance officer, and independent testing. (Customer due diligence is now widely described as a fifth pillar. The pillars guide walks all of them.)

The requirement is not satisfied by delivering a class once. It is ongoing and risk-based: training has to keep pace with the institution's products and customers as its obligations shift, and it has to be deeper for the roles that carry the most BSA/AML exposure. When an examiner reviews this pillar, they look for evidence that the program identified who needed training, delivered content matched to those roles, and kept a record of it. A pillar that exists only as a policy statement does not satisfy the requirement.

Who must be trained

Training is role-based and risk-based. Everyone whose work touches the BSA/AML program needs training, but the depth is tailored to what each role actually does. The goal is that each person understands the obligations that attach to their own job, rather than everyone sitting through the same generic module.

Audience | What their training emphasizes
Board and senior management | Enough to exercise oversight: the program's obligations, the institution's BSA/AML risks, and the consequences of program failure. A board that never receives BSA/AML training is a recurring finding.
Front-line and customer-facing staff | The red flags they are positioned to see, how to escalate, and the customer-facing procedures they execute (for example identity verification and unusual-activity referral).
Operations and support | The procedures their work implements: recordkeeping, alert handling, data quality, and the points where their tasks feed reporting obligations.
The BSA/AML team | The deepest and most current detail: typologies, monitoring and investigation, reporting obligations, and regulatory change as it happens.

A practical way to set this is a training needs assessment: map each job function to the BSA/AML obligations and red flags it touches, then size each role's training to its exposure. That mapping is also the evidence that your scoping was risk-based rather than arbitrary.

What the training must cover

Content has to be specific to the institution rather than a generic overview of money laundering. At minimum, role-appropriate training should cover:

Content that is current matters as much as content that is complete. A module that still describes a retired procedure, or omits a rule that changed last quarter, trains people on the wrong thing and signals to an examiner that the program is not keeping pace.

How often training must happen

Frequency is driven by role and risk rather than a single date on the calendar. Three triggers anchor a sound cadence:

The material-change trigger is the one programs most often miss. A product can launch, or a rule can change, months before the next annual cycle. Building a path for change-driven training keeps the gap from opening.

How to structure the program as it scales

A small institution can run training informally. As headcount and product lines grow, informal ownership stops scaling: requests arrive ad hoc, content drifts out of date, and no one can give an examiner a clear picture of who was trained on what. The fix is to give the program a structure with clear ownership and a few measurable goals.

Keep the objectives few and measurable

State what the training program is for in three or four objectives you can actually measure. Useful objectives tend to track that staff are trained on the institution's policies and procedures, that they are trained on the regulatory requirements and red flags relevant to their roles, that new products and their risks are covered as they launch, and that the program can scale as the institution grows. Few and measurable beats a long list no one can assess against.

Name a training lead who owns it

Give the program a single accountable owner. A training lead owns the strategy: setting the schedule, running the training needs assessment, coordinating continuing-education and certification requirements, and making sure every required course is built and delivered. Ownership in one named role keeps training from diffusing across the org until no one is accountable for it.

Build and deliver through a learning-and-development function

Separate owning the program from building it. A learning-and-development function provides the technical skills to develop content and to run the delivery system (commonly a learning management system, or LMS, the platform that hosts courses and records completions). The training lead sets priorities; this function turns them into modules people complete and a record the program can rely on.

Stand up a governance body

A governance board keeps the program aligned and current. Its responsibilities are defined and concrete:

Run it as a defined workflow

Treat intake, development, and delivery as one workflow rather than a series of one-off favors. A request for training enters a defined intake, gets prioritized against the program's objectives, is built by the learning-and-development function, is assigned to the right roles, and produces a completion record. A defined process is also what lets the program anticipate needs instead of scrambling to answer a partner or an examiner after the fact.

Align training to the wider program

Training does not sit on its own. It should connect to the institution's broader compliance priorities: a single source of truth for training data and reporting, a shared risk-based method for deciding who needs what, and the policies and frameworks the rest of the program runs on. When training is wired into those, gaps surface earlier and leadership can see the whole picture.

Evidence and recordkeeping

Training you cannot evidence is, for examination purposes, training that did not happen. The pillar is defensible when the institution can produce, on request, a clear record of who was trained, on what, and when. Keep:

The standing question an examiner brings to this pillar is whether the institution can show it works. Records that are current and role-keyed, retained under the institution's schedule, turn the training pillar from a claim into something an examiner can verify.

Common failures

The same failure patterns appear across public enforcement themes. None of them require an exotic mistake; each is a way a program looks fine on paper and falls short in practice:

The training pillar is simple to describe and easy to underbuild. Treat it as a standing function with an owner, a build-and-deliver capability, a governance body that keeps it current, and an evidence trail. Then an examination of this pillar becomes a review of work the program already did, which beats assembling that record under exam pressure.

Common questions

Is AML training legally required?

Yes. Ongoing training is one of the required components of a BSA/AML compliance program under 31 CFR Chapter X, and the FFIEC BSA/AML Examination Manual treats training as one of the program pillars. The program must provide training that is risk-based and reaches the people who operate the controls. A program with no training, or training that does not reach the right roles, is a deficiency an examiner will cite.

How often is AML training required?

Annual training is the common baseline for most roles. Beyond that, new staff should be trained at or near onboarding, before they begin work that touches BSA/AML obligations, and additional training should follow any material change, such as a new product, a new customer segment, or a regulatory change. The cadence should be driven by role and risk rather than a single fixed calendar.

Who needs to receive AML training?

Training should reach everyone whose work touches the BSA/AML program, scoped to their role. That includes the board and senior management, front-line and customer-facing staff, operations, and the BSA/AML team itself. The depth differs by role: the board needs enough to exercise oversight, front-line staff need the red flags relevant to their work, and the BSA/AML team needs the deepest, most current detail.

What records prove AML training to an examiner?

An examiner looks for evidence that training happened and reached the right people: completion records showing who was trained, on what, and when; the content that was delivered; assessment or testing results where used; and attestations or sign-offs. Keep this evidence current and retained, because in an exam what carries weight is whether you can show that training occurred, regardless of how the program was intended to run.

Does the board need AML training?

Yes. The board and senior management are responsible for an adequate program, and they need training sufficient to exercise that oversight. Board-level training does not have to match the depth given to the BSA/AML team, but a board that never receives BSA/AML training is a recurring examination finding.

How should a fintech structure AML training as it grows?

Give the training program a single owner, a training lead accountable for it, supported by a learning-and-development function that builds and delivers the content. Add a governance body that sets priorities, owns the controls and reporting around training, and manages updates driven by regulatory change. Keep the objectives few and measurable so the program stays legible as headcount and product lines grow.

From the team behind this guide

Your training pillar, built and evidenced

Rupture Labs builds and documents your AML training program and the evidence an examiner expects: role-keyed objectives mapped to the obligations each job touches, content tied to your own policies and risks, and a completion record that holds up under review. Compliance Command Center scores the training pillar against enforcement-calibrated benchmarks and keeps it current as rules and products change. Practitioners build it (JD, CAMS), with a human reviewing every deliverable.

