What US BSA/AML training really requires in 2026 — FinCEN and FFIEC expectations, and what your LMS needs to evidence at audit.
Got an LMS decision on your plate?
45-minute call. Plain-English audit. Fixed-price quote if there's a fit, or a "no" if there isn't. No deck. No pitch.
New state laws require plan-specific workplace violence prevention training. Here is how multi-site employers track and prove it.
What OSHA 1910.1030 requires for bloodborne pathogens training, who needs it, and how to track at-hire and annual training across every site.
An honest look at where VR safety training earns its cost for high-hazard industrial work, and how completions still have to land in your LMS for audit.
The single most common question we get from US BSA/AML officers about LMS provision is some version of: "can your platform produce the AML training record I need to give an examiner from FinCEN, our federal banking regulator, or a state examiner when they come knocking?"
The honest answer is: yes, but only if the LMS is configured properly. A surprising number of platforms that nominally "have" AML training functionality produce evidence packs that are awkward at audit, missing key fields, or hard to reconcile against the firm's actual training program.
This is the practical layer underneath the broader financial-services compliance pillar — specifically what US BSA/AML training requires, and what your LMS needs to demonstrate.
The training requirements come from a layered set of regulations and examiner expectations.
The Bank Secrecy Act and FinCEN's implementing regulations sit at the top. The four (now five) pillars of an AML program include a requirement for ongoing employee training. Covered institutions must ensure relevant employees:
"Regular basis" is interpreted by most firms as annual minimum, with new-starter training within the first weeks of joining and additional ad-hoc training following material regulatory or risk changes.
The FFIEC BSA/AML Examination Manual is the operationalized version of the regulations. While not statute itself, it's the standard against which federal examiners assess banks and many other institutions. It expands on what AML training should cover and how it should be evidenced.
The FFIEC manual specifically calls out:
The AML training requirement sits within the broader AML program a covered institution must maintain. Examiners expect firms to demonstrate AML training as part of the BSA program assessment and as part of supervisory exams.
Sanctions training is a parallel mandatory track for any firm with international exposure. OFAC guidance is explicit that firms should be training staff on sanctions awareness, screening obligations, and reporting routes.
Each of these adds nuance to a baseline AML training program.
The data points an MLRO needs to produce on demand:
For each member of staff (or relevant contractor):
When the rules are amended (for example, beneficial-ownership reporting changes under the Corporate Transparency Act), the training content updates. Your LMS needs to record:
This matters because at audit, "they completed AML training" isn't enough — the supervisor wants to know they were trained on the current AML rules, or close enough to current to be defensible.
FFIEC guidance emphasizes a risk-based approach. The LMS should support segmentation by AML risk profile of the role:
A blanket "all staff completed the AML module" report doesn't reflect the risk-based approach examiners expect.
AML training without assessment is increasingly hard to defend. The LMS should record:
The supervisory tone is: completion without assessment doesn't constitute "understanding," and understanding is what the regulation requires.
The BSA Officer and the board / senior management AML responsibilities have specific training expectations. Your LMS should distinguish:
And the audit trail should be able to surface each cohort separately on demand.
The hardest operational layer.
Without proper HRIS integration, these transitions are usually managed by spreadsheet, with predictable drift.
Patterns from AML audit prep work for US firms:
New starter joins. AML training enrolled. But the enrollment runs on a weekly batch. Starter is in role for 8-10 days before they hit the training. In most cases harmless; under examiner scrutiny, "delays in mandatory training" gets flagged.
Recent beneficial-ownership reporting changes under the Corporate Transparency Act included material updates. Many firms hadn't refreshed their AML content by mid-2026 — meaning trained staff were trained on outdated content.
Sanctions has been a recent supervisory focus. Many firms still treat sanctions as part of the AML bundle rather than as a parallel discipline. Result: sanctions-specific training is shallow, and the audit trail doesn't separate it cleanly.
Front-line onboarding staff are doing PEP screening daily. The training that supports this is often a generic "what is a PEP" module rather than role-specific PEP screening workflow training. Audit risk: skills gap between training content and actual operational duties.
Board members and senior managers responsible for AML often have shallow AML training records — the all-staff module from 2-3 years ago, with no senior-level deep-dive. At supervisory review this attracts attention.
For a mid-sized US covered institution with ~1,200 relevant persons, a defensible AML training program in 2026 looks like:
This is straightforward on a properly configured Moodle Workplace deployment (around $45,000 plus roughly $1,500/mo hosting and support) — a platform you own outright, with no per-seat fees. On most off-the-shelf SaaS LMS billed at $8-$12/user/month (illustrative), parts of it require premium-tier add-ons or custom configuration that wasn't budgeted in the original implementation.
US BSA/AML training requirements have always been demanding; in 2026 they're noticeably more so, both in the underlying regulation and in supervisory style. Tick-box annual completion is no longer a defensible posture — FinCEN, federal banking regulators, and OFAC all expect role-tailored, recently-refreshed, assessment-supported, audit-trailed training that's queryable by risk segment and individual.
For firms with more than 300 relevant persons, getting this right is more LMS configuration than LMS replacement. The platform usually has the capability; whether the deployment exposes it is a separate question — and a platform you own outright, rather than rent, makes closing those gaps far cheaper over time.