Field Guide

BSA/AML Independent Testing: The Third Pillar

The short version

Independent testing is the third pillar of a BSA/AML program: a periodic, risk-based review of the program by someone independent of the people who run it. It is not the examination, and it is not a financial-statement audit. The reviewer tests whether the program is designed for the institution's risk and operating in practice, documents findings with severity, and reports to the board or a board committee. An examiner reads the most recent independent test, and any open findings, before almost anything else.

Of the program pillars, independent testing is the one an examiner can verify fastest. There is a report or there is not. It covers the right ground or it does not. Its findings were remediated or they are still open. A strong independent test tells an examiner the institution checks its own work; a weak one, or a missing one, invites the examiner to do that checking instead.

This guide covers what independent testing is, what makes it independent, what the review has to cover, how often it runs, who can perform it, and the failures that turn the third pillar into a finding.

What independent testing is

Independent testing is an expressly required component of a BSA/AML compliance program. The program rule for banks (31 CFR 1020.210) requires, among other things, independent testing for compliance, and parallel rules apply to other institution types (for example, 31 CFR 1022.210 for money services businesses and 31 CFR 1023.210 for broker-dealers). Unlike the risk assessment, which the rule expects without naming, independent testing is named in the rule itself. You have to have it.

The purpose is assurance. The institution's board and senior management are responsible for an adequate program, and independent testing is how they get an objective read on whether the program they are responsible for actually works. The reviewer evaluates two things: design, meaning whether the controls are built for the institution's risk, and operating effectiveness, meaning whether those controls run as intended day to day.

What makes it independent

The word carries the weight. Independent testing has to be performed by a party that does not run the functions being tested and does not report, for this work, to the person accountable for the program. The FFIEC manual allows the internal audit department, outside auditors, qualified consultants, or other independent parties to perform it. The common thread is that the tester has no ownership of the controls under review and reports the results to the board or a board committee, not to the BSA officer whose program is being graded.

A BSA officer reviewing the BSA officer's own program is not independent testing. A vendor that built the monitoring system grading that same system is not independent testing. Independence is the first thing an examiner confirms, because without it the rest of the report carries no assurance.

What the review has to cover

Scope is risk-based, which means the test is scaled to the institution and weighted toward its higher-risk areas. It is not a fixed checklist applied identically everywhere. A complete independent test of a typical program reaches the areas below.

Area tested, and what the reviewer is checking:

Risk assessment: whether it is current, specific to the institution, and actually drives the rest of the program.
Internal controls and policies: whether written procedures exist, match practice, and have owners and real thresholds.
CDD and beneficial ownership: whether customers are identified, risk-rated, and refreshed, and whether enhanced due diligence reaches a conclusion.
Transaction monitoring: whether coverage, rules, and thresholds fit the risk, and whether the system is tuned and alerts are worked.
SAR and CTR filing: whether reports are filed completely and on time, with sampling of decisions to file and not to file.
OFAC and sanctions: whether screening is in place, tuned, and resolving hits correctly.
Training: whether the right people were trained on the right material, with records.
Prior findings: whether issues from the last test or exam were actually remediated and closed.

The single most common scope gap is transaction monitoring. A test that confirms the monitoring system exists, without testing whether its rules and thresholds are tuned to the institution's risk, has skipped the area examiners scrutinize hardest.

How often it has to run

There is no fixed statutory interval. The standard is risk-based frequency, and common practice for many institutions is at least every twelve to eighteen months, with more frequent testing where risk is higher or where a prior test or exam surfaced significant issues. A higher-risk program tested only every other year, or a program that changed materially without a fresh test, is exposed at the next exam.

Who can perform it

Independent testing can be performed internally, by an internal audit function or other staff independent of the program, or externally, by a qualified consultant or audit firm. Two qualities decide whether a tester is acceptable: independence from the functions under review, and competence, meaning the knowledge to test a BSA/AML program rather than tick boxes. Smaller institutions often use an external party because they lack an internal function that is genuinely independent of the program.

The deliverable

A credible independent test produces a report with a defined scope, the methodology used, the sample sizes and what was tested, a findings register that rates each issue by severity, management's response with owners and dates, and an opinion on the overall adequacy of the program. The report goes to the board or a board committee. The findings register is the part an examiner reads first, alongside evidence that prior findings were closed.

Independent testing for fintechs and sponsor banks

In a banking-as-a-service model the sponsor bank holds the non-delegable responsibility for BSA/AML compliance, and that responsibility extends to independent testing of the programs its fintech partners run. A fintech operating under a sponsor bank should expect its own program to be independently tested, and the bank's independent testing has to reach the partner activity that runs on the bank's charter. In practice that means a third-pillar review scoped to the fintech's program, which is what the sponsor bank and the next examiner both expect to see. The sponsor-bank oversight guide covers how the responsibility is allocated.

Where independent testing fails an exam

The failures that turn the third pillar into a finding are the ones described above: a test performed by someone who owns the controls or reports to the BSA officer, so it is not independent; a scope that confirms a monitoring system exists without testing whether its rules and thresholds are tuned to the institution's risk; a test that checks for the presence of policies rather than their operation; findings from the prior test or exam that are still open, or were closed without evidence; and a higher-risk program tested too infrequently, or not retested after a material change. Independent testing is the pillar that proves the rest of the program. Keep it genuinely independent, scope it to your actual risk, test operation rather than existence, and close what it finds. For where it sits among the other pillars, see the guide to the BSA/AML program pillars; for how it differs from an audit, see AML audit vs. independent testing.

Primary sources

Common questions

What is independent testing in BSA/AML?
Independent testing is the third pillar of a BSA/AML compliance program: a periodic, risk-based review of the program by a party independent of the people who run it. It tests whether the program is designed for the institution's risk and operating in practice, documents findings, and reports to the board or a board committee.
Is BSA/AML independent testing legally required?
Yes. Unlike the risk assessment, independent testing is expressly named in the program rule. For banks, 31 CFR 1020.210 requires independent testing for compliance, and parallel rules apply to other institution types. A program without it fails a required component.
How often is BSA/AML independent testing required?
There is no fixed statutory interval. The standard is risk-based frequency. Common practice for many institutions is at least every twelve to eighteen months, with more frequent testing where risk is higher or where a prior test or exam found significant issues.
Who can perform independent testing?
It can be performed internally by an internal audit function or other staff independent of the program, or externally by a qualified consultant or audit firm. The tester must be independent of the functions under review and competent to test a BSA/AML program. Smaller institutions often use an external party.
Is independent testing the same as an audit or an exam?
Not exactly. The examination is conducted by a regulator. A financial-statement audit has a different purpose and does not satisfy the pillar. An internal or external audit can be the independent test if it is independent, risk-scoped, and genuinely tests the program. What matters is that the work meets the independent-testing standard, whatever it is called.
From the team behind this guide

Independent testing your examiner will accept

Compliance Command Center runs FFIEC Pillar-3 independent testing for BaaS fintechs and the banks that sponsor them: risk-scoped, with real sample testing across monitoring, CDD, SAR decisioning, and sanctions, a findings register rated by severity, and an opinion the board can rely on. Practitioners build it (JD, CAMS), with a human reviewing every deliverable, so it holds up as genuinely independent when an examiner reads it.
