How to Prepare for a BSA/AML Exam: An Examiner-Grade Checklist
A step-by-step checklist for preparing for a BSA/AML examination - what examiners look for, how to assemble your evidence, and how to respond to MRAs and findings without the annual fire drill.
For many compliance teams, exam season is the most stressful stretch of the year: scrambling to locate policies, chasing evidence across email and shared drives, and refreshing risk assessments that quietly went stale. It does not have to be that way. A BSA/AML examination is, at its core, a test of whether your program is real and operating - and you can prepare for it the same way you would prepare for any audit: by keeping the evidence ready and organized before anyone asks.
This is a practical, examiner-grade checklist for getting ready.
What examiners are actually evaluating
Examiners are not trying to trick you. They are assessing whether your program meets the BSA's core requirements and whether it is genuinely operating. They look at:
- Governance and oversight - do you have established programs, controls, and procedures, with clear board oversight and subject matter expertise guiding the program? Is governance documented, and do you regularly involve leadership in BSA/AML matters?
- Your risk assessments - are they current, documented, and tied to your actual products, customers, and geographies?
- Your written program - does it have the required pillars and is it tailored to you?
- Internal controls in practice - does what you do match what your policy says?
- Independent testing - was it performed, by someone independent, and were findings addressed?
- Training - is it role-appropriate, current, and documented?
- Suspicious activity monitoring and reporting - are alerts handled and SARs filed appropriately, with the reasoning preserved?
The recurring theme: governance, documentation, and evidence. A control you cannot evidence is, for exam purposes, a control that does not exist.
The pre-exam checklist
1. Refresh and date your risk assessment
Your risk assessments are the documents examiners reach for first. Make sure they are current, that they use the inherent → controls → residual model, and that every control rating is backed by evidence. If your last assessment is more than a year old or predates a major product change, redo it. A formal, exportable risk assessment is the cornerstone of a clean exam.
2. Confirm your written program is tailored
Read your BSA/AML policy as an examiner would. Does it describe your business - your products, your customer types, your geographies - or is it a generic template? Remove language that does not apply and add what does. Build with PliOS Policy Interview to have policies tailored to your institution.
3. Assemble your evidence repository
For each control you claim, gather the proof: onboarding records, monitoring alert dispositions, sanctions screening logs, SAR/CTR filings and the decisions behind them, training completion records, and independent testing reports. Organize it so any item can be produced in minutes, not hours.
4. Reconcile policy to practice
The fastest way to draw a finding is a gap between what your policy promises and what your team actually does. Walk a few real cases end to end - an onboarding, an alert, a SAR decision - and confirm they followed the documented procedure. Fix the mismatch in whichever direction is correct.
5. Close or document open items
Every institution has gaps - that's normal. What matters is how you approach remediation. Review prior findings, audit items, and any known gaps. If you can close them, gather the evidence; if not, create a clear, dated remediation plan. Examiners appreciate transparency: "Here is the gap, and here is our plan to address it" is always better than appearing unaware of issues.
6. Prepare your people
Make sure the staff who will interact with examiners know the program, can speak to their part of it, and know where the evidence lives. Confidence comes from preparation.
Handling findings: MRAs and MRIAs
Even a strong program can and will receive findings. What separates institutions is how they respond.
- Log every finding immediately with an owner, a due date, and a clear description.
- Assemble the evidence the finding implicates - what the examiner saw and what the corrected state looks like.
- Draft a formal response that acknowledges the finding, describes the corrective action, and commits to a timeline. This is where many teams lose days; AI drafting that reads the finding and assembles a first draft (for your review) can compress that to minutes.
- Track remediation to completion and keep the evidence attached, so the next exam can see the full arc.
Treating findings as a tracked workflow - rather than a once-a-year panic - is the single biggest driver of smoother subsequent exams.
Turn exam prep into a year-round habit
The institutions that sail through exams are not the ones with the biggest teams; they are the ones whose programs are always exam-ready. That means:
- Risk assessments reviewed on a schedule, not when an exam is announced.
- Evidence captured as work happens, not reconstructed afterward.
- Findings tracked continuously, with response letters drafted as soon as findings land.
- Board reporting that keeps leadership informed quarter to quarter.
When that discipline is in place, the formal exam notice becomes a confirmation exercise rather than a crisis. For the broader toolset that supports it, see our guide to compliance software.
The bottom line
Preparing for an exam or audit is mostly about making your program's reality visible: current risk assessments, tailored policies, organized evidence, and tracked findings. Do that continuously and the exam stops being a fire drill.
PliOS keeps your risk assessments, evidence, findings, and board reports ready year-round - and drafts examiner response letters when findings land. Run a free gap assessment to see how ready you are today.
Frequently asked questions
How far in advance should you prepare for an exam?
The honest answer is that you should never stop preparing. Institutions that treat exam readiness as a year-round discipline - keeping risk assessments current, evidence organized, and findings tracked - spend the formal notice period confirming readiness rather than building it. If you are starting cold, give yourself at least 60–90 days.
What is the difference between an MRA and an MRIA?
A Matter Requiring Attention (MRA) is a supervisory concern the institution is expected to address. A Matter Requiring Immediate Attention (MRIA) is more serious and demands prompt corrective action. Both should be tracked with assigned owners, deadlines, evidence, and a documented response.
What do examiners ask for first?
Typically your risk assessments, your written program and policies, your independent testing results, training records, and a sample of filings and the decisions behind them. If those are current and organized, the exam starts on solid footing.
PliOS provides compliance management tools and educational content. This article does not constitute legal advice. Always consult qualified legal counsel for jurisdiction-specific guidance.