Checklist: Being prepared for a visit by a financial regulator (USA)

Updated as of: 17 July 2025

Introduction

This checklist will assist in-house counsel, compliance teams, and private practitioners responsible for ensuring a financial institution’s compliance with money laundering (ML) and terrorist financing (TF) laws and regulations under The Currency and Foreign Transactions Reporting Act of 1970 (commonly referred to as the Bank Secrecy Act (BSA)), as amended by the USA PATRIOT Act of 2001, and related anti-money laundering (AML) laws and regulations.

Specifically, this checklist suggests key steps to take in the following areas:

  1. Preparing for a visit by a financial regulator
  2. Establishing a response team
  3. Reviewing and preserving potentially relevant material

The checklist is presented as a list of steps that you can tick off as they are addressed. At the end of the document, there are explanatory notes corresponding to the steps in the checklist.

This checklist can be used in conjunction with the following How-to guides (How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern; How to monitor Bank Secrecy Act (BSA) compliance) and Checklists (Screening employees for roles in AML compliance; Staff awareness and training to prevent money laundering and terrorist financing).

This checklist provides generally applicable guidance. The BSA and related AML laws and rules are among the most complex regulatory regimes in the United States. Each organization should check the BSA and related AML laws and regulations for additional, sector-specific requirements.

Step 1 – Preparing for a visit by a financial regulator

No.  Requirement
1.1  Identify the purpose of the visit
1.2  Identify who is visiting
1.3  Identify why they are visiting
1.4  Instruct employees on the appropriate response to notice of a regulatory visit and determine a response person or team

Step 2 – Establishing a response team

No.  Requirement
2.1  Create clear points of contact and lines of communication
2.2  Define responsibilities of the response team and establish who will be the primary person and priority of backup individuals

Step 3 – Reviewing and preserving potentially relevant material

No.  Requirement
3.1  Create a document review team
3.2  Brief the team on the process of collecting and preserving potentially relevant documents
3.3  Create a central repository of potentially relevant documents

General notes

Legal framework and key considerations

The BSA and its related AML laws and regulations form a complex network to detect and deter ML, TF, and other illicit financial activity through financial institutions. The BSA is codified in sections of 12 USC, 18 USC, and 31 USC. Regulations implementing the BSA primarily appear in 31 CFR Ch X.

The Financial Crimes Enforcement Network (FinCEN) in the Department of Treasury is responsible for ensuring BSA and AML compliance. Other federal agencies supervise, carry out examinations, and conduct civil and criminal investigations of financial institutions for BSA and AML compliance. These include the following:

BSA and AML supervision also includes self-regulatory organizations (SROs) for the securities and futures industries, such as the Financial Industry Regulatory Authority (FINRA), and the National Futures Association (NFA).

Additionally, financial institutions may be subject to state AML compliance requirements and investigations by state supervisory and law enforcement agencies. Hundreds of additional agencies, including federal, state, and local law enforcement, can participate in BSA and AML enforcement.

Financial regulators can visit a financial institution for a wide variety of reasons. In general, financial institutions must be able to demonstrate to regulators that they have appropriately implemented the five pillars of BSA compliance which are as follows:

  • internal compliance policies and controls for detecting and preventing ML, TF, and other illicit financial activity;
  • independent testing for compliance to be conducted by the financial institution or an outside party;
  • nominated personnel responsible for coordinating and monitoring day-to-day compliance;
  • employee training programs; and
  • a Customer Identification Program (CIP) that includes risk-based procedures that ensure the financial institution can maintain a reasonable expectation that it knows the identity of its customers.

See, for example, 31 CFR sections 1010.210, 1020.210, 1023.210, 1024.210, 1026.210; 12 CFR sections 208.63(c), 326.8(c), 748.2(c), 21.21(d).

Examinations for compliance with the five BSA pillars follow procedures in the BSA/AML Examination Manual published by the Federal Financial Institutions Examination Council (FFIEC), which is composed of federal and state financial regulators.

Explanatory notes

Overview

As financial regulators can visit an organization for many reasons, it is essential to study the individual details of each case to prepare for a regulator’s visit.

For instance, some organizations are subject to a scheduled examination cycle of visits by financial regulators to check the organization’s BSA compliance program. Other organizations are subject to risk-based examinations, where regulator visits are triggered by specific events, such as BSA reports filed by the financial institution.

Depending on the type of financial institution and regulator, routine examination cycles generally range from 12 to 18 months. This applies, for instance, to certain depository institutions overseen by the Federal Reserve, OCC, and FDIC.

Some organizations subject to risk-based visits are non-bank financial institutions, including money services businesses and casinos, overseen by the IRS, and broker-dealers overseen by SEC, FINRA, and NFA.

Unexpected events might trigger a visit, for example, a law enforcement inquiry, a subpoena, a regulatory breach revealed by an audit, or a problem reported by a whistle-blower or the press. There is no formal process of notice that is required for the visit, so a financial institution should be prepared for the possibility of a visit with little to no notice; however, unannounced visits are not common in the United States.

The frequency and depth of regulatory visits also depend on factors unique to the individual financial institution, such as its risk profile and asset size. An institution’s risk profile is based on various factors, such as the respective institution’s products, services, customers, and geographies served, and the varying degrees of risk associated with each.

In considering the financial institution’s risk profile, financial regulators identify risk categories for the institution based on its size, complexity, and the structure of its organization. However, there are no defined categories of risk for any particular financial institution, and a wide range of risks may exist within each identifiable risk category. Thus, each institution’s risk profile may fluctuate.

Recent events in the financial sector, such as the highly publicized bank failures in 2023, have led to Congressional action that will increase oversight of banks. This intensified focus on financial institutions, and the need to stop problems before they spiral out of control, is likely to lead to more frequent, and more thorough, visits and inspections by regulators.

Since President Donald Trump took office for his second term in January 2025, he has, however, issued a series of executive orders designed to reduce federal regulations. See the Reg Tracker provided by The Brookings Institution that summarizes each of these executive orders. Further evidence of the change in political climate can be found in a Memorandum issued by Deputy Attorney General Todd Blanche on 7 April 2025 regarding digital assets, entitled ‘Ending Regulation by Prosecution’.

Despite the variety of scenarios that might trigger a regulator to visit a financial institution in connection with AML, several common features of an appropriate response will help an organization respond in an orderly and cooperative fashion while also protecting privileged information.

Step 1 – Preparing for a visit by a financial regulator

Organizations should develop policies and procedures to prepare for visits from financial regulators. An effective response policy has several elements, including employee education within the entire organization regarding the types of contacts the organization might have with financial regulators, establishing clear internal points of contact and lines of communication within the response team, and collecting and preserving documents and information. Make all employees aware of the chain of command and points of contact (discussed below at Step 2) so that in case of an unannounced visit, the appropriate contact person will be notified to meet with the regulator.

1.1 Identify the purpose of the visit

Upon receiving notice of an upcoming visit by a financial regulator, an organization should initially gather information that establishes the following:

  • which regulator is attending; and
  • the purpose of the visit.

Usually, the regulator’s notification includes this information. Your organization’s in-house legal department or outside counsel may contact the regulator to obtain further information about the subject and scope of the investigation. In the event a regulator appears unannounced, communication with the regulator should be handled by the designated point person on the response team.

As indicated in the Overview section, above, significant changes have been made to the regulatory schemes of federal agencies under the Trump administration. Be fully informed of any Executive Orders that may have been promulgated, as well as changes in policy position by the regulator requesting the visit.

1.2 Identify who is visiting

There are many different financial regulators and quasi-regulators who may investigate a financial institution for some aspect of the BSA and AML framework. Organizations can fall under the authority of multiple regulators. Financial regulators have different investigatory powers and different goals of investigation. It is important to be aware of the relevant regulators and to identify potential scenarios for being contacted by each of them. This will allow the organization to recognize the proper communication channels to use and the appropriate documentation obligations it has under each of the scenarios. These financial regulators and quasi-regulators can include FinCEN, OCC, Federal Reserve, FDIC, SEC, CFTC, FINRA, Consumer Financial Protection Bureau (CFPB), and state banking regulators. For example, the California Department of Financial Protection and Innovation oversees the operations of state-licensed financial institutions, including banks, credit unions, debt collectors, nonbank mortgage lenders, student loan servicers, money transmitters, and others, in the State of California.

1.3 Identify why they are visiting

Understanding the purpose and goal of the visit is essential to ensuring the organization’s response team is adequately equipped and knows what information to either divulge or protect. This stage also includes identifying the following:

  • the business units or departments targeted by the regulator; and
  • whether the organization faces possible penalties.

1.4 Instruct employees on the appropriate response to notice of a regulatory visit and determine a response person or team

Give employees clear directions to adhere to a chain of notification upward to management and the legal department or outside counsel upon notice of a regulatory visit.

Brief employees on what to expect during a visit by regulators and how to prepare for it. Preparation will depend on each visit but will likely include locating and preserving potentially relevant material and making sure all employees are aware of the response team and chain of command. See Step 2 below.

Step 2 – Establishing a response team

2.1 Create clear points of contact and lines of communication

It is beneficial for the organization to have a ready reference document with key instructions and a list of contacts. Circulate this document internally among employees as part of usual business protocols so that personnel are clear at all times on how to respond to a regulator’s visit (whether unannounced or otherwise).

On receipt of a notice from the regulator, it may be good practice to distribute an alert to staff at all levels to highlight the upcoming visit. Identify and notify any key individuals and units at different levels of management, including in-house or outside counsel. It is likely that they will be questioned by the regulator. Staff within the organization may also have questions. It is important to identify the types of individuals that might be key. This will depend on the financial institution and the scope and purpose of the visit.

2.2 Define responsibilities of the response team and establish who will be the primary person and priority of backup individuals

Appoint a response team to serve as a central source for directing actions and communications. Usually, this will include members of senior management, the legal department, and IT, at a minimum. There should also be a chain of command for backup employees in the event that one of the key individuals is absent during the visit.

Organizations lacking a legal department should establish an alternative point of contact to coordinate the organization’s response, such as outside counsel. Other response team members might include technical support partners, such as e-discovery and legal processing outsourcing providers, as well as the backup team members. There should be a primary contact who serves as the main point person in the event of an announced or unannounced visit and who has the authority to make last-minute decisions based on the situation.

Assigning responsibility for all communications to a single point of contact will ensure consistency in both internal and external messaging, and help to provide a coordinated response. Put in place a detailed plan regarding when and how the team will engage with management, the board, and shareholders.

Step 3 – Reviewing and preserving potentially relevant material

Counsel and senior management should determine whether an internal document preservation notice needs to be issued (to ensure that potentially relevant documents are retained and not destroyed), whether ahead of an announced visit or upon an unannounced visit. This will depend on the nature of the visit and should be discussed with in-house counsel. Notify all affected departments and staff in the covered subject areas. It may also be necessary for the IT department to suspend any scheduled document destruction, depending on the advice of legal counsel.

As seen in 2023, the SEC and CFTC vigorously monitor record-keeping, issuing substantial fines when they find organizations are not in compliance with regulations. In August of that year, various Wall Street companies agreed with the SEC and CFTC to pay fines totaling more than $555 million due to failures to maintain and preserve communications. This shows how organizations could be severely fined in the course of an investigation if they do not properly preserve documents.

3.1 Create a document review team

As a best practice, create an internal document review team to collect all documents potentially relevant to the purpose of the regulator’s visit.

The team should include, at a minimum:

  • staff or outside legal processing providers trained to conduct document reviews and who will manage and direct the process;
  • counsel and senior management to deal with requests for clarification and review of potentially privileged information; and
  • members of the IT department to manage image processing and data privacy.

3.2 Brief the team on the process of collecting and preserving potentially relevant documents

Inform the team about which documents are within scope and how to collect and preserve all documents that are potentially relevant.

This process includes data mapping of all potential sources of relevant material, including information that may be held locally, such as individual devices. The process also includes creating records for all decisions about which documents are relevant or privileged.

3.3 Create a central repository of potentially relevant documents

Create a central repository and record of potentially relevant documents for further review by legal, compliance, and management personnel. On the advice of legal counsel, it may be necessary to put in place a suspension of any protocols that call for the destruction of any document.

Repeated offenses will often lead to a stricter regulatory response, with less room for compromise. Once the investigation concludes, establish a system for continuous compliance monitoring to avoid future issues.

This may involve internal training sessions and conducting additional compliance testing of systems and controls. Additionally, foster a culture that encourages prompt reporting of potential issues or concerns to compliance and a designated internal team or individual.

Additional resources

Related Lexology Pro content

How-to guides:

How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective

Checklists:

Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing
