When a regulatory examination team from FinCEN, the OCC, FDIC, or state regulators walks into a compliance department, they're not there to check boxes. They're looking for something much more specific: evidence that your institution actually understands risk and is managing it deliberately.
Most banks approach examinations the way students approach standardized tests—they memorize what they think will be asked, fill in the expected answers, and hope for the best. The problem is that examiners have seen this play before. They know the difference between compliance that works and compliance that looks good in a PowerPoint presentation. And they're getting better at spotting the difference every year.
The Box-Checking Illusion
Banks still operate under the assumption that compliance is about doing what the rules require. Document the investigation. Check. File the SAR within 30 days. Check. Have policies written down. Check. But this misses what examiners actually evaluate.
Regulators focus on four things:
- Consistency: Did you apply the same decision-making logic across similar cases? If you filed a SAR for account A's wire pattern but buried account B's identical activity in your alert queues, examiners will find it.
- Risk-based decisioning: Can you articulate why you made the decision you did? Not "we followed the policy," but "we identified these specific risk factors, evaluated them against our institution's risk appetite, and determined this action was appropriate."
- Narrative quality: The SAR narrative is your evidence file—not a checklist. Examiners read these constantly, and they can instantly tell whether someone thought through the details or copy-pasted from a template.
- Investigation documentation: Did you actually investigate, or did you assume? What data sources did you consult? What did you rule out? What escalation criteria triggered your filing decision?
The institutions that sail through examinations aren't necessarily the ones with the most sophisticated systems. They're the ones where investigators—real people, doing real work—have documented their thinking in a way that a regulator can understand and verify.
The Narrative Quality Gap
Weak SAR narratives come up repeatedly in examination findings. It's worth understanding why.
Weak: "Customer conducted multiple wire transfers to high-risk jurisdictions. Activity is inconsistent with stated business purpose. Potential money laundering."
That's generic. It could describe fifty different accounts. No evidence of real investigation.
Strong: "Customer opened account on 1/15/2025 with stated business purpose of consulting services. On 1/28, initiated wire transfer of $47,500 to Dubai-based company registered 3 days prior. Customer's occupation listed as 'retired teacher.' We reviewed two years of banking history—no prior international transfers. Called customer regarding business relationship; customer unable to articulate specifics about the consulting contract or the receiving company. We searched the receiving company name in public records; no business registration found. Given the inconsistency between stated occupation, lack of historical precedent, and inability to verify the receiving company, we escalated to SAR filing."
Examiners read the second one and see actual investigation. Dates, amounts, specific steps taken. Contradictions an investigator actually found and resolved.
Real investigation includes specifics that templates can't generate: dates, amounts, contradictions the investigator uncovered, and the steps taken to resolve them. Templates are generic by definition, so they can't replicate this specificity.
Common Examination Findings
When compliance teams ask what appears in examination findings, the pattern is consistent:
- Look-back deficiencies: Examiners pull a sample of historical alerts and find alerts that should have led to a SAR filing but didn't, or where the SAR wasn't filed within the appropriate timeframe. This suggests your alert criteria or your investigation process has gaps.
- Inadequate SAR narratives: Narratives lack specificity, use boilerplate language, or fail to document the investigation process. The examiner can't understand your reasoning or verify that adequate investigation occurred.
- Inconsistent dispositioning: Similar alerts are handled differently across the book. Some trigger escalations; others are closed. The differences can't be explained by actual risk variations; they appear arbitrary or based on incomplete information.
- Missing investigation documentation: The SAR exists, but the case file doesn't show the steps taken to reach the filing decision. Did you check customer identification? Review transaction patterns? Consult external data sources? No evidence in the file means no evidence of compliance.
- Timeliness problems: SARs filed well after the 30-day window, or investigations that drag on indefinitely without clear escalation decisions.
All of these findings point to the same problem: the gap between what compliance teams did and what they can prove they did. Examiners assume mistakes will happen. What they care about is whether you can demonstrate that you thought it through.
The Evolving Expectations from FinCEN
FinCEN has raised the bar on SAR quality and timeliness. The days of minimal narratives and routine 30-day windows are ending. Recent guidance and examination priorities make this clear:
- SAR narratives must be detailed enough for law enforcement to use them. If your narrative wouldn't help a financial crimes investigator determine next steps, it's insufficient.
- Timeliness matters more than ever. While the 30-day threshold remains, FinCEN emphasizes that suspicious activity should be reported as soon as detected if the suspicious nature is clear. The expectation is trending toward faster reporting.
- Risk-based decision-making must be documented. You can't just file SARs—you need to show you considered whether filing was required based on your risk assessment and the specific facts of the case.
- Updates to open SARs are expected when new information emerges. Examiners now look for evidence that institutions revisit potentially suspicious activity if additional information comes to light.
This is a shift from "did you follow the rules?" to "did you think critically about risk?" It has real operational implications for compliance teams.
What a Clean Examination Looks Like
When an examination goes smoothly, the compliance function has these characteristics:
- Clear investigation protocols: The team has written procedures that specify what data sources to review, what questions to ask, what constitutes adequate investigation, and when escalation is required.
- Individual case files: Each alert generates a documented investigation record, not just a decision. The file shows what was checked, what was found, what assumptions were made, and how the final decision was reached.
- Consistent application: Similar risk factors are handled similarly across the alert portfolio. Deviations are rare and documented when they occur.
- Quality narratives: SAR narratives read like investigation reports, not form letters. They include specifics, contradictions, and the thinking behind the filing decision.
- Demonstrated ownership: Examiners can see that actual people took responsibility for decisions, not that processes ran on autopilot.
- Timely escalation and filing: SARs are filed within appropriate timeframes. There's no backlog of alerts awaiting investigation.
Examiners who see these attributes see an institution that treats compliance as a core business function, not a checkbox exercise. That distinction matters.
The Practical Takeaway
Make your thinking visible. Document your investigation process. Write narratives that explain specific findings and reasoning. Apply criteria consistently. Be able to explain each decision, not just say you followed the rules.
Institutions that pass examinations cleanly aren't guessing what examiners want. They do actual compliance work—real investigation, solid documentation, consistent decisions—and can prove it when asked.
That's what examiners are actually looking for. Everything else is just performance.