An exam asks one question in many forms: do you have a reasonably designed BSA/AML program, and does it actually run? Examiners measure your program against the pillars, read your risk assessment, then pull samples to test whether your controls operate. Real readiness is built continuously. A program that keeps its risk assessment current and retains evidence as a byproduct of daily work answers a document request in days. A program that waits for the entry letter spends the next three weeks assembling proof, and the examiner can tell.
The entry letter lands in your inbox on a Tuesday. Somewhere between the relief of knowing the dates and the dread of the document list, every compliance officer has the same thought: we are about to find out what we actually have. An exam is the moment your program stops being a set of intentions and becomes a set of facts someone else gets to grade.
This is a practitioner's guide to walking into that room ready. It covers what the exam tests, how it unfolds, what examiners ask for, how they read your program, where fintechs get caught, and a runbook for the weeks before the on-site.
## What the exam actually tests
Examiners are evaluating two things at once. First, is the program reasonably designed for the institution's risk? Second, does it operate the way the documents say it does? A binder of polished policies that nobody follows fails the second test, and the second test is where most findings live.
The evaluation runs through the BSA program pillars: internal controls, a designated BSA officer, training, independent testing, and customer due diligence including beneficial ownership. The risk assessment sits underneath all of it, because a program can only be judged reasonable against the risk it claims to face.
## How an exam unfolds
Exams vary by regulator and institution, but most move through four phases. Knowing the shape lets you prepare for each one instead of reacting to it.
| Phase | What happens |
|---|---|
| 1. Scoping | The regulator issues an entry letter and a document request, often several weeks before the on-site. The scope is shaped by your risk profile, prior findings, and any intervening events. |
| 2. Review and testing | Examiners read the policies and then test them, on-site or remotely. They sample alerts, SARs, CDD files, and monitoring output to see whether the program does on the ground what it claims on paper. |
| 3. Findings | Examiners raise issues, ask follow-up questions, and discuss what they have seen. This is the window to clarify a misunderstanding before it hardens into a written finding. |
| 4. Response | You receive written findings and submit a remediation commitment: each issue mapped to an owner, an action, and a date. Open items follow you into the next cycle. |
## What examiners ask for
The document request is long, but it is predictable. Having these current and retrievable before the letter arrives is most of the battle.
- The BSA/AML policy and procedures, with version history.
- The risk assessment, current and matched to your actual products and volume.
- The most recent independent test and the status of every finding it raised.
- Training records: who was trained, on what, and when.
- The designated BSA officer's appointment and reporting line.
- SAR and CTR filings for the review period, with supporting workpapers.
- Alert and case samples, including decisions to close without filing.
- CDD and beneficial-ownership files for a sample of customers.
- Transaction-monitoring configuration: the rules, thresholds, and tuning history.
- Board and committee minutes showing senior oversight of the program.
For a fintech operating under a sponsor bank, add the partner-oversight evidence: the oversight framework, the partner risk rating, and proof that monitoring and testing of the relationship actually happened. The sponsor bank's examiner will be looking at the same boundary from the other side.
## How examiners read your program
An examiner is forming a judgment about whether your program reasons about risk or simply processes paper. A few things shape that judgment quickly:
- Does the risk assessment drive anything? A risk assessment that names high-risk products but is not reflected in monitoring rules or CDD depth reads as decorative.
- Can you show your work? Evidence that monitoring happened beats a policy stating that it should. Examiners weigh what you can demonstrate over what you assert.
- Do your SAR narratives support the filing? Conclusory narratives signal a program that files to clear a queue rather than to report what it saw. (See the SAR narrative guide.)
- Did you close last time's findings? Open items from the prior independent test or exam are the fastest way to lose credibility.
## Where fintechs get caught
The findings repeat across institutions. From public enforcement and exam patterns, the usual suspects:
- A stale risk assessment that describes last year's business after a product launch or a jump in volume.
- Untuned transaction monitoring: rules inherited at launch and never calibrated to the actual customer base, producing alert floods or silence.
- Thin CDD: onboarding that collects information but does not risk-rate or refresh it.
- SAR narratives that do not hold up, with no stated reason for suspicion.
- No evidence of monitoring: a control that exists in policy with nothing to prove it ran.
- Open prior findings that were acknowledged and never remediated.
## A runbook for being ready before the letter
The work that makes an exam calm happens long before the entry letter. Treat the following as a standing program, with a final pass once the dates are set.
### Standing, all year
- Keep the risk assessment current. Refresh it when a product, customer segment, or volume materially changes, not annually by reflex.
- Close independent-testing findings. Track each to closure with an owner and a date. An open finding is a loaded question.
- Retain evidence as you go. Design controls so each one leaves a timestamped artifact. If an examiner could ask "show me," there should already be a "here it is."
- Tune monitoring on a schedule and document the rationale, so the configuration tells a story instead of raising one.
### Once the entry letter arrives
- Map the request to owners the day it lands. Assign every item and set internal dates ahead of the real one.
- Read your own samples first. Pull the alerts, SARs, and CDD files you expect them to pull, and read them with an examiner's eye.
- Reconcile the narrative. Make sure the policy, the risk assessment, and what the samples actually show tell one consistent story.
- Prepare the people. The BSA officer and anyone who will be interviewed should know the program cold and answer plainly, without guessing.
## A pre-exam checklist
- The risk assessment matches the business as it operates today.
- Every prior finding is closed or has a documented, on-track remediation.
- You can produce evidence that monitoring ran, not just the policy that says it should.
- SAR narratives in the period support their filings and state the reason for suspicion.
- CDD files are risk-rated and current for the sample you expect to be pulled.
- Monitoring rules and thresholds have a documented tuning rationale.
- For sponsor-bank fintechs, partner-oversight evidence is current and retrievable.
- The document request is mapped to owners with internal dates ahead of the deadline.
- The people who will be interviewed know the program and answer without guessing.
An exam rewards the institution that treated every ordinary day as if the evidence would be read later. That is the whole posture: build the program so that being ready is the default state, and the entry letter changes your calendar rather than your stomach.