FFIEC BSA/AML Examination Manual

United States | 2005 | AML/CFT

What is the FFIEC BSA/AML Examination Manual?

The FFIEC BSA/AML Examination Manual is the official guidance document used by federal and state examiners to assess how U.S. financial institutions comply with the Bank Secrecy Act (BSA), USA PATRIOT Act, and related anti-money-laundering and counter-financing-of-terrorism (AML/CFT) regulations. First issued in 2005 and most recently updated in 2024, the manual standardizes examination procedures across all five FFIEC member agencies — the OCC, Federal Reserve, FDIC, NCUA, and CFPB — ensuring consistent supervisory expectations regardless of an institution's primary regulator.

The manual is not itself a regulation. It is the examination playbook that translates BSA, USA PATRIOT Act, and FinCEN rules into testable procedures, risk-based criteria, and core program requirements. For BSA officers, compliance teams, and internal auditors, it functions as the single most authoritative reference on what examiners will look for during a review.

Who must comply with the FFIEC manual

The manual applies to all regulated U.S. financial institutions supervised by FFIEC member agencies, including national and state-chartered banks, federal and state-chartered credit unions, savings associations and thrift institutions, trust companies and Edge Act corporations, and U.S. branches and agencies of foreign banks.

It is also widely used by BSA/AML officers, compliance teams, internal auditors, and consultants preparing institutions for regulatory examinations.

The four pillars of BSA/AML compliance

The manual codifies the four pillars every covered institution must build into its BSA/AML compliance program: internal controls, independent testing, a designated BSA compliance officer, and ongoing training. A 2020 update added risk assessment as a foundational expectation underpinning all four pillars. For a deeper walkthrough, see our explainer on the 5 pillars of an AML program.

BSA/AML risk assessment under the FFIEC manual

The FFIEC manual requires every covered institution to conduct a risk-based BSA/AML assessment that identifies, measures, and documents money-laundering and terrorist-financing risks across products, services, customers, and geographies. Examiners expect a two-step methodology: first, an inherent-risk identification stage covering customer types, transaction volumes, channels, and high-risk jurisdictions; second, an internal-controls evaluation stage that maps existing mitigants to those risks. The residual risk score then drives the depth of monitoring, training, and independent testing — making the risk assessment the foundation of the entire compliance program.

A well-documented risk assessment is one of the first artifacts an examiner requests. Institutions should refresh it annually or whenever there is a material change in business model, customer base, products, or geographic footprint.

How FFIEC examiners use the manual

During an examination, FFIEC examiners follow a structured workflow defined in the manual: scoping, risk-focused testing, and conclusions. The scoping phase reviews prior exam findings, the institution's risk assessment, and changes in business model. The testing phase samples customer files, SAR filings, transaction-monitoring alerts, and training records to verify that documented policies match real practice. Findings are graded against the manual's core examination procedures and reported via Matters Requiring Attention (MRA) or formal enforcement actions for serious gaps in the four pillars of BSA/AML compliance.

Many institutions evaluate the best AML software for regulatory compliance to automate the documentation, alert dispositioning, and audit trails examiners review during testing.

CIP, CDD and beneficial ownership requirements

The manual operationalizes the BSA's Customer Identification Program (CIP) and Customer Due Diligence (CDD) rules. CIP requires verifying the identity of every new customer using documentary or non-documentary methods at account opening. CDD goes deeper — institutions must understand the nature and purpose of customer relationships, develop a customer risk profile, and conduct ongoing monitoring. Since 2018, beneficial ownership rules require identifying any individual owning 25% or more of a legal-entity customer, plus one control person. Examiners review CIP/CDD documentation closely as a leading indicator of overall program health.

For a practical walkthrough of identifying beneficial owners, see our guide to finding the UBO of a company.

Transaction monitoring expectations

The FFIEC manual sets out detailed expectations for automated and manual transaction monitoring systems. Institutions must define monitoring rules aligned to their risk assessment, validate model logic regularly, and document why thresholds are appropriate for their customer base. Examiners also assess alert clearance workflows, escalation paths, and the timeliness of Suspicious Activity Report (SAR) decisions. The manual specifically calls out that monitoring coverage gaps, untuned scenarios, and weak alert dispositioning are common findings — making this one of the most heavily scrutinized areas during an FFIEC BSA/AML examination.

For a primer on how these systems work in practice, see our guide to transaction monitoring in AML. Institutions typically combine a transaction monitoring platform with AML screening against sanctions, PEP, and adverse media lists to satisfy FFIEC expectations on suspicious activity detection.

SAR and CTR filing requirements

Two core reporting obligations are enforced through the manual: Currency Transaction Reports (CTRs), filed with FinCEN for any cash transaction exceeding $10,000 by or on behalf of one person in a single business day; and Suspicious Activity Reports (SARs), filed within 30 days, extendable to 60, when a transaction involves at least $5,000 and the institution suspects money laundering, structuring, fraud, or other illicit activity.

The manual also covers recordkeeping, information sharing under Section 314(a) and 314(b) of the USA PATRIOT Act, and the special-measures provisions used to address jurisdictions of primary money-laundering concern.

FFIEC BSA/AML Examination Manual: update history

The manual is updated periodically — not on a fixed schedule — to reflect new regulations, examiner findings, and emerging typologies. Major revisions include the 2014 update for electronic banking and prepaid access guidance, the 2020 update for risk assessment, customer due diligence, and beneficial ownership procedures, the 2021 update for charity and non-profit organizations and independent testing, the 2023 update for suspicious activity reporting and international transportation of currency, and the 2024 update for third-party risk and digital asset considerations.

Institutions should track FFIEC announcements to ensure their procedures align with the latest version of each manual section.

FFIEC manual and the USA PATRIOT Act

The FFIEC manual incorporates examination procedures for the BSA enhancements introduced by the USA PATRIOT Act — particularly the CIP rule, Section 312 EDD for foreign correspondent and private-banking accounts, the Section 313 shell-bank prohibition, and the Section 314 information-sharing mechanisms. Examiners assess each of these areas against the manual's defined procedures during inspection. Sanctions, PEP, and adverse-media AML watchlist screening sits at the centre of the controls examined under both the BSA framework and the PATRIOT Act overlays.

How the FFIEC manual compares to other AML frameworks

The FFIEC manual is the examination playbook, while FinCEN issues the underlying regulations for CTRs, SARs, and the beneficial ownership rule. State-level frameworks like NYDFS Part 504 add transaction-monitoring certification requirements on top of the BSA. International standards from the FATF 40 Recommendations and the Basel Committee AML Guidelines influence U.S. expectations but are not directly enforceable. For a U.S. bank or credit union, the FFIEC manual is the practical day-to-day reference; FinCEN regulations and state rules layer additional obligations on specific activities or jurisdictions.

Key Obligations

1. Internal controls — maintain documented policies, procedures, and processes that manage BSA/AML risk and support ongoing compliance.

2. Independent testing — conduct periodic, risk-based audits of the BSA/AML program through qualified internal or external reviewers.

3. Designated BSA compliance officer — appoint a responsible officer with sufficient authority, expertise, and resources to run the program.

4. Training — provide ongoing, role-specific BSA/AML training for relevant employees, board members, and senior management.

5. Risk assessment — document inherent risks across customers, products, services, channels, and geographies, then map controls to residual risk.

6. CIP, CDD, and beneficial ownership — verify customer identity, understand customer relationships, identify beneficial owners, and conduct ongoing monitoring.

7. Transaction monitoring and SAR decisions — maintain risk-aligned monitoring rules, escalation workflows, alert dispositioning, and timely SAR decisioning.

8. CTR, SAR, recordkeeping, and information sharing — meet FinCEN filing, BSA recordkeeping, and USA PATRIOT Act Section 314(a)/314(b) obligations.

Manual Details

Issued by: Federal Financial Institutions Examination Council (FFIEC)
First published: 2005
Last updated: 2024
Jurisdiction: United States
Applies to: U.S. banks, credit unions, savings associations, trust companies
Category: AML/CFT

FAQ