Read enough public BSA/AML enforcement actions and the same failures keep coming back. They cluster around a handful of themes: a program that is not reasonably designed or resourced for the institution's risk, suspicious-activity-report failures, weak transaction monitoring, thin customer due diligence, insufficient independent testing, and unremediated prior findings. More recently, sponsor banks get cited for inadequate oversight of their fintech partners. These themes are predictable, so they are also the ones to fix first.
A published enforcement action is about the closest thing compliance has to a graded exam made public. When a regulator brings one, the order spells out what went wrong in detail. Read a stack of them and what stands out is not exotic schemes. It is the same structural failures, repeated across institutions and years. This is a practitioner's read of those patterns, drawn from public actions, and what they tell you to do before your own program is the one being read.
One note on method. This is a qualitative read of recurring themes in public enforcement, not a statistical study. What you get from it is the shape of the risk rather than a ranked count.
The themes that recur
Across published BSA/AML actions, the citations tend to fall into a familiar set of categories.
| Theme | What it looks like in an order |
|---|---|
| Program adequacy | The program was not reasonably designed, or not resourced, for the institution's actual risk. Often the umbrella finding the others sit under. |
| SAR failures | Not filing when required, filing late, or filing with narratives that do not support the conclusion. |
| Transaction monitoring | Coverage gaps, rules never tuned to the customer base, or alert backlogs that let activity go unreviewed. |
| Customer due diligence | Weak or undocumented CDD, missing beneficial-ownership identification, or risk ratings that were never refreshed. |
| Independent testing | Testing that was inadequate, not independent, or whose findings were never closed. |
| Governance & resourcing | A BSA officer without the authority, staffing, or board support to run the program. |
| Partner oversight | Newer, and rising: a sponsor bank that did not adequately oversee the fintech partners operating under its charter. |
Why it almost always traces back to the pillars
A specific failure, a missed SAR or a monitoring gap, is usually the visible symptom of a weak pillar underneath (the pillars being internal controls, a designated BSA officer, training, independent testing, and customer due diligence). Thin internal controls produce inconsistent decisions. An under-resourced BSA officer cannot keep pace. When training never reaches the front line, you get gaps at onboarding. When independent testing does not close its findings, a known problem ages into an enforcement finding. Read that way, enforcement is rarely a surprise. It is where a weak pillar ends up if nobody shores it up. (For the structure itself, see the program pillars guide.)
The SAR pattern, specifically
SAR findings deserve their own note because they recur so often. They take three shapes: a report that should have been filed and was not, a report filed too late to meet the timeline (30 calendar days from initial detection, extendable to 60 only when no suspect has been identified), and a report filed with a narrative that asserts suspicion without explaining it. That last one draws less attention and still costs you. A narrative that says "the activity was suspicious" with nothing to support it gives an investigator and an examiner little to credit. (See how to write a SAR narrative that holds up.)
The newer one: partner oversight
The category rising fastest is sponsor-bank oversight of fintech partners. In the BaaS model, the bank carries the regulatory responsibility for activity it does not directly perform, and recent actions have cited banks for letting that oversight exist on paper without evidence it operated. The fintech's program and the bank's oversight of it are now both in scope. (See sponsor-bank oversight.)
How to get ahead of it
A predictable risk is one you can work on directly. The themes above map almost one-to-one onto a short list of standing habits:
- Keep the risk assessment current, so "reasonably designed" stays true as the business changes.
- Tune transaction monitoring to your actual customer base, and work the alert queue.
- Make CDD inspectable: risk-rated, documented, and refreshed.
- Write SAR narratives that support their filings, and file on time.
- Close every independent-testing finding; open findings are pre-written enforcement.
- Give the BSA officer the authority and resources to run the program.
- For sponsor banks, keep partner-oversight evidence current and retrievable.
- Retain evidence that controls operate, so a claim that you do something always comes with the proof attached.
None of this is exotic, and that is the whole point. The institutions that end up in an enforcement order rarely failed at something clever. They let a known, ordinary thing stay broken until a regulator found it. Reading enforcement is how you find yours first.