Training is one of the pillars of a BSA/AML program: the FFIEC BSA/AML Examination Manual treats it as the fourth pillar, and 31 CFR Chapter X requires ongoing, risk-based training. A defensible program trains the right people for their roles, covers the institution's own policies plus the regulatory requirements and red flags that matter to each role, runs at least annually and on every material change, and leaves an evidence trail an examiner can follow. As the institution grows, the program needs a clear owner, a function that builds and delivers the content, and a governance body that keeps it current.
Most compliance leaders agree training is required. Far fewer can show, on demand, that the right people were trained on the right material at the right time. That gap is where examination findings live. An examiner grades the evidence that training reached the people who run your controls, and intent counts for little once the evidence is on the table.
This guide walks through the training pillar in plain language: why it is required, who must be trained, what the content must cover, how often, how to structure the program as you scale, and what makes training defensible when an examiner tests it.
Why training is a BSA/AML pillar
The Bank Secrecy Act (BSA) is the core U.S. anti-money-laundering law. Its implementing rules live in 31 CFR Chapter X, the body of Treasury regulations administered by the Financial Crimes Enforcement Network (FinCEN), the bureau that writes and enforces BSA rules. A covered institution must maintain a BSA/AML compliance program, and one of that program's required components is ongoing training.
The FFIEC BSA/AML Examination Manual, the playbook federal examiners use, organizes program requirements into pillars and treats training as the fourth pillar, alongside internal controls, a designated BSA compliance officer, and independent testing. (Customer due diligence is now widely described as a fifth pillar. The pillars guide walks through all of them.)
The requirement is not satisfied by delivering a class once. It is ongoing and risk-based: training has to keep pace with the institution's products and customers as its obligations shift, and it has to be deeper for the roles that carry the most BSA/AML exposure. When an examiner reviews this pillar, they look for evidence that the program identified who needed training, delivered content matched to those roles, and kept a record of it. A pillar that exists only as a policy statement does not satisfy the requirement.
Who must be trained
Training is role-based and risk-based. Everyone whose work touches the BSA/AML program needs training, but the depth is tailored to what each role actually does. The goal is that each person understands the obligations that attach to their own job, rather than everyone sitting through the same generic module.
| Audience | What their training emphasizes |
|---|---|
| Board and senior management | Enough to exercise oversight: the program's obligations, the institution's BSA/AML risks, and the consequences of program failure. A board that never receives BSA/AML training is a recurring finding. |
| Front-line and customer-facing staff | The red flags they are positioned to see, how to escalate, and the customer-facing procedures they execute (for example identity verification and unusual-activity referral). |
| Operations and support | The procedures their work implements: recordkeeping, alert handling, data quality, and the points where their tasks feed reporting obligations. |
| The BSA/AML team | The deepest and most current detail: typologies, monitoring and investigation, reporting obligations, and regulatory change as it happens. |
A practical way to set this is a training needs assessment: map each job function to the BSA/AML obligations and red flags it touches, then size each role's training to its exposure. That mapping is also the evidence that your scoping was risk-based rather than arbitrary.
What the training must cover
Content has to be specific to the institution rather than a generic overview of money laundering. At minimum, role-appropriate training should cover:
- The institution's own policies and procedures. Staff are trained on how this institution actually onboards customers, monitors activity, escalates, and reports, down to the procedures they will follow rather than the law in the abstract.
- Regulatory requirements and red flags. The BSA/AML obligations that apply to the role, and the warning signs that role is positioned to notice, drawn from the institution's risk profile.
- New products and the risks they carry. When the institution launches a product or enters a new segment, the people who handle it are trained on the specific money-laundering and sanctions risks it introduces.
- Role-specific obligations. What this person must do, and what they must not do, given their seat in the program.
- Consequences of non-compliance. What failure means for the institution and the individual, so the training carries weight rather than reading as a formality.
Content that is current matters as much as content that is complete. A module that still describes a retired procedure, or omits a rule that changed last quarter, trains people on the wrong thing and signals to an examiner that the program is not keeping pace.
How often training must happen
Frequency is driven by role and risk rather than a single date on the calendar. Three triggers anchor a sound cadence:
- Annual baseline. An annual refresh for covered staff is the common floor, with higher-risk roles trained more often.
- On onboarding. New staff are trained at or near hire, before they begin work that touches BSA/AML obligations, rather than waiting for the next annual cycle.
- On material change. A new product, a new customer segment, a new delivery channel, or a regulatory change triggers targeted training for the affected roles when the change lands, not at the next annual interval.
The material-change trigger is the one programs most often miss. A product can launch, or a rule can change, months before the next annual cycle. Building a path for change-driven training keeps the gap from opening.
How to structure the program as it scales
A small institution can run training informally. As headcount and product lines grow, informal ownership stops scaling: requests arrive ad hoc, content drifts out of date, and no one can give an examiner a clear picture of who was trained on what. The fix is to give the program a structure with clear ownership and a few measurable goals.
Keep the objectives few and measurable
State what the training program is for in three or four objectives you can actually measure. Useful objectives tend to track that staff are trained on the institution's policies and procedures, that they are trained on the regulatory requirements and red flags relevant to their roles, that new products and their risks are covered as they launch, and that the program can scale as the institution grows. Few and measurable beats a long list no one can assess against.
Name a training lead who owns it
Give the program a single accountable owner. A training lead owns the strategy: setting the schedule, running the training needs assessment, coordinating continuing-education and certification requirements, and making sure every required course is built and delivered. Ownership in one named role keeps training from diffusing across the org until no one is accountable for it.
Build and deliver through a learning-and-development function
Separate owning the program from building it. A learning-and-development function provides the technical skills to develop content and to run the delivery system (commonly a learning management system, or LMS, the platform that hosts courses and records completions). The training lead sets priorities; this function turns them into modules people complete and a record the program can rely on.
Stand up a governance body
A governance board keeps the program aligned and current. Its responsibilities are defined and concrete:
- Priorities. Decide what gets built first and where to allocate effort, informed by risk and by results from the training needs assessment.
- Controls and quality. Set the quality standards for content and own the controls around how training is created, assigned, and verified.
- Reporting. Own the reporting process that gives leadership visibility into completion and gaps.
- Regulatory-change management. Set the priorities for updating training when rules change, so content does not drift behind the obligations it teaches.
Run it as a defined workflow
Treat intake, development, and delivery as one workflow rather than a series of one-off favors. A request for training enters a defined intake, gets prioritized against the program's objectives, is built by the learning-and-development function, is assigned to the right roles, and produces a completion record. A defined process is also what lets the program anticipate needs instead of scrambling to answer a partner or an examiner after the fact.
Align training to the wider program
Training does not sit on its own. It should connect to the institution's broader compliance priorities: a single source of truth for training data and reporting, a shared risk-based method for deciding who needs what, and the policies and frameworks the rest of the program runs on. When training is wired into those, gaps surface earlier and leadership can see the whole picture.
Evidence and recordkeeping
Training you cannot evidence is, for examination purposes, training that did not happen. The pillar is defensible when the institution can produce, on request, a clear record of who was trained, on what, and when. Keep:
- Completion tracking by employee, by course, by date, so coverage is provable across every in-scope role.
- The content delivered, retained in the version each cohort actually received, so you can show what was taught.
- Assessments or testing, where used, as evidence the training was understood and not merely opened.
- Attestations or sign-offs, where the program relies on them, tying completion to a named person.
- Retention of these records under the institution's BSA/AML retention schedule, so the evidence is available when an examiner asks for prior cycles.
The standing question an examiner brings to this pillar is whether the institution can show it works. Records that are current and role-keyed, retained under the institution's schedule, turn the training pillar from a claim into something an examiner can verify.
Common failures
The same failure patterns appear across public enforcement themes. None of them requires an exotic mistake; each is a way a program looks fine on paper and falls short in practice:
- Training as a checkbox. A single annual module delivered to satisfy a requirement, with no connection to what people actually do.
- Stale content. Material that no longer reflects current rules, current products, or current procedures, so staff are trained on the wrong thing.
- No role tailoring. One generic course for everyone, so high-exposure roles get too little and the board often gets nothing.
- No evidence. Training that may have happened but cannot be proven, because completion was never tracked or the content was never retained.
- No path for change. No mechanism to train people when a product launches or a rule changes between annual cycles, leaving a known gap open for months.
The training pillar is simple to describe and easy to underbuild. Treat it as a standing function with an owner, a build-and-deliver capability, a governance body that keeps it current, and an evidence trail. Then an examination of this pillar becomes a review of work the program already did, which beats assembling that record under exam pressure.