AML Program Gap Analysis: A Practitioner's Guide

The short version

A gap analysis compares your BSA/AML program as it actually runs against the standard it should meet: the program pillars, the FFIEC manual, and the rules that apply to you. It rates each shortfall and orders what to fix. Done well, it ends in a prioritized, owned, dated remediation plan. Done poorly, it's a consultant's PDF that's stale the week after it lands. The difference is whether it's tied to something living.

Most compliance officers inherit a program rather than build one. You arrive, you're handed a binder of policies, and the quiet question underneath every exam is the same: does what's written actually match what we do, and does either match what the regulator expects? A gap analysis is how you answer that on your own terms, before an examiner answers it for you.

This is a practitioner's walk through running one: what it is, when you need it, what to measure against, how to do it step by step, how to score what you find, and how to turn findings into a plan that closes instead of a document that gathers dust.

What an AML gap analysis is, and what it isn't

A gap analysis is a structured comparison: current state (how the program operates today, in practice, not on paper) versus required state (what the law, guidance, and your risk profile demand). The output is a list of gaps, each rated by severity, with a path to close it.

It is not a risk assessment, though the two are cousins. A risk assessment asks "what are we exposed to?" A gap analysis asks "given that exposure, where does our program fall short of what's required?" The risk assessment scopes the gap analysis. You measure most closely where you're most exposed.

When you need one

A gap analysis is overdue any time the program has materially changed since it was last assessed. The common triggers: launching a new product or entering a new customer segment, preparing for or responding to an exam, onboarding with a sponsor bank, a merger or acquisition, entering a new registration category, a regulatory change, or simply that it's been a year since the last one.

What to measure against

A gap analysis is only as credible as its benchmark. Measure the program against three layers, in order:

Benchmark: The BSA program pillars
What it anchors: Internal controls · a designated BSA officer · training · independent testing · customer due diligence and beneficial ownership. The foundational structure every program must have.

Benchmark: The FFIEC BSA/AML Examination Manual
What it anchors: How examiners actually evaluate each area. It's the closest thing to the test you'll be graded on.

Benchmark: The regulations that apply to you
What it anchors: The specific obligations for your products, customers, and jurisdictions, including OFAC sanctions-program expectations. Risk-based: depth follows your actual exposure.

Anchoring to these means a finding is never a matter of opinion. It points to a specific expectation the program doesn't yet meet.

How to run it, step by step

  1. Scope it to your risk. Start from the risk assessment. Put the most testing where the institution is most exposed; don't spend equal effort on a low-risk corner and your highest-volume product.
  2. Gather the evidence. Policies, procedures (WSPs), training records, prior independent tests, system configurations, sample SARs and alerts. What the program does, not just what it says.
  3. Compare current vs. required, area by area. Walk each pillar and each applicable obligation. For each, record: what's expected, what exists, and the delta.
  4. Test, don't just read. Pull samples. A policy that says alerts are reviewed in five days is a gap if the queue shows fifteen. Paper compliance and real compliance are different claims.
  5. Document each gap specifically. Name the expectation, the shortfall, the evidence, and the exposure. Write "no role-specific training for the fintech partner's onboarding staff since Q3," never the vague "training is weak."
  6. Score and prioritize. Rate severity and likelihood (below), then sort.
  7. Build the remediation plan. Every gap gets an owner, an action, and a date. This is the deliverable that matters.

Scoring the gaps

Not every gap deserves equal urgency. Score each on two axes and let the score drive sequence:

Severity runs across; likelihood runs down.

                    Low severity                          High severity
High likelihood     Schedule: fix in the normal cycle     Remediate first: material exposure, likely to surface
Low likelihood      Monitor: document and revisit         Plan: high impact if it lands, mitigate deliberately

Where you can, price the exposure in dollars: the cost of the likely enforcement outcome, the remediation, or the delayed launch. A gap rated "high" sits in a slide deck. A gap that reads "$400k of exposure and a blocked product launch" is a decision an executive will actually fund.

From findings to a plan that closes

The single most common failure mode is treating the analysis as the deliverable. The real deliverable is the remediation plan the analysis feeds: each gap mapped to an owner, an action, a due date, and a status that gets tracked to closure. Open findings from the last cycle are the first thing an examiner reads. A plan that visibly closes its own gaps is itself evidence of a healthy program.

Why most gap analyses go stale

Because they're delivered as a static document: accurate the day it ships, out of date the moment a product launches, a regulation changes, or a finding is partially fixed. The analysis holds its value only if it's tied to a living remediation plan with owners and dates, and is re-run when the program changes.

A pre-start checklist

Common questions

What is an AML gap analysis?
A structured comparison of a BSA/AML program as it actually operates against the standard it should meet: the BSA program pillars, the FFIEC examination manual, and the regulations that apply to the institution. It identifies where the program falls short, rates the severity of each gap, and produces a prioritized list of what to fix.
When does a company need an AML gap analysis?
Common triggers: launching a new product or entering a new customer segment, preparing for or responding to an exam, onboarding with a sponsor bank, a merger or acquisition, entering a new registration category, a regulatory change, or simply that it's been a year. A program that has materially changed since its last assessment is overdue.
What do you measure an AML program against?
The BSA program pillars (internal controls, a designated BSA officer, training, independent testing, and CDD / beneficial ownership), the FFIEC BSA/AML Examination Manual, and the specific regulations that apply to the institution's products and jurisdictions, including OFAC sanctions-program expectations. The analysis is risk-based.
How do you prioritize the gaps you find?
Score each gap on severity (regulatory and financial exposure if unaddressed) and likelihood (how probable it is to cause a problem given current activity). High-severity, high-likelihood gaps come first. Pricing exposure in dollars turns an abstract finding into a fundable business decision.
Why do most AML gap analyses go stale?
Because they're delivered as a static document, accurate the day it ships and out of date the moment a product launches, a regulation changes, or a finding is partially fixed. A gap analysis holds value only if it's tied to a living remediation plan with owners and dates, and re-run when the program changes.
From the team behind this guide

A gap analysis that stays current and prices the gap

Compliance Command Center scores your program against enforcement-calibrated benchmarks and prices each control gap in dollars. It keeps the analysis tied to a living remediation plan with owners, actions, and dates, and re-runs as your program changes instead of going stale in a PDF. Practitioner-built (JD, CAMS), examiner-ready by design, with a human in the loop on every deliverable.
