Regulatory Examinations and Enforcement
Key Takeaways
- US AML examiners use the FFIEC BSA/AML Examination Manual; findings range from MRAs to formal enforcement actions and civil money penalties.
- Enforcement can be administrative (consent orders, DPAs) or criminal; the 2012 HSBC case ($1.9B) and 2020 reforms shaped modern expectations.
- The Anti-Money Laundering Act of 2020 (AMLA) created a beneficial ownership registry, whistleblower rewards, and expanded BSA penalties.
- Examiners assess the adequacy of the program, not just isolated violations - a strong RBA and remediation track record matter.
How Examinations Work
Regulatory examinations test whether an institution's AML program is reasonably designed and effectively implemented. In the United States, federal banking agencies (the OCC, Federal Reserve, FDIC, and NCUA) and FinCEN as BSA administrator examine against the FFIEC BSA/AML Examination Manual, the single most authoritative US procedural source. Examiners scope the review using the institution's own risk assessment, then test transaction monitoring, CDD/EDD files, SAR/CTR filing timeliness, sanctions screening, training, and independent testing.
Examiners grade the adequacy of the program, not merely whether one report was late. A weak monitoring system that misses obviously suspicious activity is a systemic finding; a single clerical error is not. The exam rewards distinguishing isolated lapses from program-level failures.
Findings escalate through a graduated ladder:
| Severity | Mechanism | Typical trigger |
|---|---|---|
| Lowest | Matter Requiring Attention (MRA) / supervisory letter | Control weakness, no clear violation |
| Moderate | Memorandum of Understanding (MOU) | Repeated or unresolved deficiencies |
| Serious | Consent order / cease-and-desist | Program failures, pillar breakdowns |
| Severe | Civil money penalty (CMP) | Willful or systemic BSA violations |
| Most severe | Criminal referral / DOJ prosecution | Willful blindness, structuring conspiracy |
A look-back (transaction review of past activity) and an independent monitor are common consent-order conditions.
Enforcement, Penalties, and Modern Reforms
Enforcement may be civil/administrative or criminal, and the two often run in parallel. A Deferred Prosecution Agreement (DPA) lets an institution avoid conviction by admitting facts, paying penalties, and implementing remediation under monitoring. The landmark HSBC case (2012, roughly $1.9 billion) - involving Mexican drug-cartel money and sanctions failures - reset expectations: regulators now expect demonstrable, board-level ownership and a credible RBA, not paper policies.
The Anti-Money Laundering Act of 2020 (AMLA), enacted as part of the National Defense Authorization Act, is the most significant US AML reform in a generation and appears in current CAMS content. Know these AMLA pillars:
- The Corporate Transparency Act (CTA) within AMLA created a beneficial ownership registry at FinCEN, requiring many companies to report their true owners.
- A whistleblower program offers rewards (a percentage of sanctions over $1 million) and anti-retaliation protection.
- AMLA also expanded BSA penalties, granted subpoena power over foreign banks that hold US correspondent accounts, and mandated a risk-based, effectiveness-focused supervisory model.
Worked scenario: An examiner finds the monitoring system was never tuned to the bank's stated high-risk segments, and several months of alerts went unreviewed. CAMS-correct analysis: this is a program-level failure (likely an internal-controls and independent-testing pillar breach), warranting more than an MRA - a consent order with a look-back is plausible, and remediation must be board-supervised. Contrast that with a single mis-keyed CTR, which is a correctable error, not an enforcement trigger.
Exam pacing tip: CAMS gives you 3.5 hours for 120 items - roughly 1 minute 45 seconds each. Flag enforcement-ladder questions and answer them with the principle of proportionality between deficiency severity and supervisory response.
Global Supervision and the FATF Evaluation Engine
Enforcement is not only a domestic story. The Financial Action Task Force (FATF) drives global expectations through its mutual evaluation process, in which a country is peer-reviewed against the 40 Recommendations for both technical compliance (are the laws on the books) and effectiveness (do they actually work, measured by 11 Immediate Outcomes). The current fourth-round methodology emphasizes effectiveness, and a fifth round is rolling out with shorter, follow-up-focused cycles. CAMS candidates should know that a poor evaluation can land a country on a FATF list.
FATF maintains two lists examiners and institutions act on:
| FATF designation | Common name | Institutional consequence |
|---|---|---|
| Jurisdictions under increased monitoring | "Grey list" | Enhanced scrutiny of exposures; not a call for de-risking |
| High-risk jurisdictions subject to a call for action | "Black list" | EDD mandated; for the highest risk, counter-measures |
A recurring exam point: grey-listing requires enhanced monitoring, not blanket de-risking of the affected country. Black-list status (currently a very small set, such as DPRK and Iran) triggers mandatory EDD and, at the extreme, counter-measures.
Other standard-setters reinforce the regime. The Basel Committee issues prudential guidance on sound ML risk management; the Wolfsberg Group (a private association of global banks) publishes widely used standards for correspondent banking and customer due diligence. None of these issue binding law, but examiners treat their guidance as evidence of expected practice.
Worked scenario: A bank has heavy exposure to a newly grey-listed country and its committee proposes exiting all customers there. The CAMS-correct response is enhanced monitoring and EDD on those relationships, with documented risk decisions - not automatic exit, which would be de-risking. Match the supervisory expectation to the FATF designation, and remember that effectiveness, not paperwork, is what modern evaluations and examiners ultimately grade.
Finally, know that individual accountability has sharpened. Modern enforcement increasingly names responsible individuals, not just institutions: compliance officers and senior managers can face personal civil money penalties or industry bars for willful program failures. AMLA reinforced this by funding the whistleblower program and expanding FinCEN's investigative reach, so internal staff have both protection and incentive to escalate.
The exam-correct takeaway is that a credible escalation culture - where front-line concerns reach the AML officer and the board - is itself a defense against enforcement, while a culture that punishes or buries escalation is an aggravating factor regulators weigh.
Which US reform created a beneficial ownership reporting registry at FinCEN and a whistleblower reward program?
An examiner finds a single mis-keyed CTR but an otherwise robust, well-tuned program. What is the most appropriate supervisory response?