We are looking forward to teaching at the Georgia Bankers Association’s 2026 compliance school! Stewart Thigpen, CPA; Brad Washburn, CRCM, CAMS; and James Moore, CRCM will be teaching at the upcoming school on a variety of topics. The GBA compliance school is a 2-year program and open to out of state bankers. We would love to see you there. Let us know if you have any questions about the school! See below for more information:

​Author: Jeremy T. Clifton, CRCM, CAMS

On October 9, 2025, FinCEN in conjunction with the Joint Agencies, released four new SAR related FAQs. The overall theme of the press release and FAQs is to provide clarification so BSA/AML/CFT and Fraud related employees can better use time and resources to provide law enforcement with highly valuable information via SARs and to de-emphasize SARs that may be less valuable. This all sounds great as many BSA/AML/CFT and Fraud departments are understaffed, overstretched, and running from one fire to another. However, these FAQs seem to provide more confusion than relief as no laws, regulations, or the FFIEC BSA/AML Examination Manual have been changed to correspond to these FAQs. I can foresee that these FAQs will be used to argue against resources, staffing, and wise SAR filing. Please encourage management to read this blog and the FAQs in their entirety as the headlines are deceiving. The opening paragraph of the FAQ even states, “The answers to these FAQs do not alter existing BSA legal or regulatory requirements or establish new supervisory expectations.”  Let’s look at each of the FAQs. We have restated the FAQs below with our commentary provided for each.  
 
Question 1: SAR Filings for Potential Structuring-related Activity
Is a financial institution required to file a SAR for a transaction or a series of transactions with a value at or near the currency transaction reporting (CTR) threshold (i.e., over $10,000) absent information that the transaction or series of transactions is designed to evade BSA reporting requirements?
No. The mere presence of a transaction or series of transactions by or on behalf of the same person at or near the $10,000 CTR threshold is not information sufficient to require the filing of a SAR. Financial institutions are only required to file a SAR if the institution knows, suspects, or has reason to suspect that the transaction or series of transactions are designed to evade CTR reporting requirements. Absent this knowledge, suspicion, or reason to suspect, financial institutions are not required to file a SAR.

A financial institution is required to file a SAR for a transaction conducted or attempted by, at, or through the institution if it involves or aggregates at least $5,000 in funds or other assets and the institution knows, suspects, or has reason to suspect that, among other criteria, the transaction is designed to evade any BSA reporting requirement. This includes transactions designed to evade the requirement that a financial institution file a CTR for one or more transactions in currency by, through, or to the institution, by or on behalf of any person, and that result in either cash in or cash out totaling more than $10,000 during any one business day.

Attempting to evade CTR reporting requirements—known as structuring—may be indicative of underlying illegal activity and is unlawful under the BSA. Under FinCEN’s regulations, structuring is defined as a person, acting alone, or in conjunction with, or on behalf of, other persons, conducting or attempting to conduct one or more transactions in currency, in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading CTR reporting requirements.  “In any manner” includes, but is not limited to, the breaking down of a single sum of currency exceeding $10,000 into smaller sums, including sums at or below $10,000, or the conduct of a transaction, or series of currency transactions, at or below $10,000.

A financial institution’s AML/CFT program should be designed to detect and report structuring to guard against use of the institution for money laundering and ensure the institution is compliant with the suspicious activity reporting requirements of the BSA. The extent and specific parameters under which a financial institution must monitor accounts and transactions for suspicious activity should be commensurate with the level of money laundering and terrorist financing risk of the specific institution, considering the type of products and services it offers, the locations it serves, and the nature of its customers.
 
Powell & Co. Comments on FAQ 1 SAR Filings for Potential Structuring:
Please do not read FAQ 1 to say your FI should stop filing SARs on structuring, that could result in legal and regulatory issues. What the FAQ seems to be possibly indicating is that super defensive structuring SARs are not what most FIs should be getting bogged down in. The problem with that is the SAR filing thresholds are pretty low; therefore, FIs would be unwise not to investigate possible structuring and there is little incentive to not file.  “Financial institutions are only required to file a SAR if the institution knows, suspects, or has reason to suspect that the transaction or series of transactions are designed to evade CTR reporting requirements. Absent this knowledge, suspicion, or reason to suspect, financial institutions are not required to file a SAR.” It’s easy to “know” if someone is structuring, they often mention it to an employee plainly that they intend to structure transactions to avoid requirements, so a SAR is required assuming thresholds are met. On the other hand, having “reason to suspect” can be quite tricky. We typically recommend a process that includes educating customers that are possibly structuring by providing FinCEN’s Educational Pamphlet on CTR Requirements, having direct discussions about transaction activity at the transaction source (tellers, CSRs, etc.) and having conversions, if needed, by account officers or BSA/AML /CFT staff.  Remember, none of these conversions should affirm or deny the existence of a SAR. Once your staff better understands transaction patterns and the business itself the FI should be better able to determine if a SAR is required. The bad news is that this takes more work to make an informed decision, not less.  
 
Question 2: Continuing Activity Reviews
Is a financial institution required to conduct a review of a customer or account following the filing of a SAR to determine whether suspicious activity has continued?
No. Recognizing the burden that continued SAR filings on the same customer or account place on institutions, FinCEN suggested in October 2000 that institutions file a SAR for repeated and ongoing suspicious activity at least every 90 days. Over time, this suggestion has become interpreted as a requirement or expectation that financial institutions conduct a separate review of a customer or account following the filing of a SAR to determine whether suspicious activity has continued.

A financial institution is not required to conduct a separate review—manual or otherwise—of a customer or account following the filing of a SAR to determine whether suspicious activity has continued. Financial institutions instead may rely on risk-based internal policies, procedures, and controls to monitor and report suspicious activity as appropriate, provided those internal policies, procedures, and controls are reasonably designed to identify and report such activity.
 
Powell & Co. Comments on FAQ 2 Continuing Activity Reviews:
The FAQ notes that FIs would still be expected to reasonably design policies, procedures, and controls to identify ongoing suspicious activity. If the activity continues, your FI still is required to file a SAR assuming applicable thresholds are exceeded (e.g., $0, $5,000.00, $25,000.00, & $5,000.00). If your FI has a smooth process in place with 90-day reviews, I would not fix a process that is not broken.
 
Question 3: Continuing Activity Reviews – Timeline
What is the timeline for a financial institution that elects to file SARs in accordance with FinCEN’s continuing suspicious activity guidance?
As noted in the prior FAQ, FinCEN previously suggested that financial institutions report continuing suspicious activity via a SAR filing at least every 90 days. Subsequent FinCEN guidance advised financial institutions to file SARs for continuing activity after a 90-day period with the filing deadline being 120 calendar days after the date of the previously related SAR filing. However, financial institutions are not required to do so and may instead file SARs as appropriate in line with applicable timelines.

For financial institutions that elect to file SARs in accordance with FinCEN’s continuing suspicious activity guidance, below is a timeline in which a financial institution files a SAR with an identified subject and determines that suspicious activity has continued:
• Day 0: detection of facts that may constitute a basis for filing a SAR
• Day 30: filing of initial SAR
• Day 120: end of 90-day period
• Day 150: filing of a SAR for continued suspicious activity

When filing a SAR for continuing activity, the date or date range of suspicious activity (Item 30 on the SAR form) should include the entire 90-day period starting on the date immediately following the filing of the initial SAR or the date following the end of the previous 90-day period.
 
Powell & Co. Comments on FAQ 3 Continuing Activity Reviews-Timeline:
Remember that, absent the 90-day SAR guidance which was in itself regulatory relief, financial institutions are required to file SARs generally 30 days after determining the activity is suspicious. So, without the 90-day guidance you would generally be subject to filing every 30 days. In some cases, it may be appropriate to file before the end of 120 days, but we don’t see anything new here with the timeline as noted by FinCEN. One thing that is unclear is the brief description of “Day 0”. We are working under the assumption that the exam manual guidance on “initial detection” is still in effect. “The phrase "initial detection" should not be interpreted as meaning the moment a transaction is highlighted for review. The 30-day (or 60-day) period does not begin until an appropriate review is conducted and a determination is made that the transaction under review is "suspicious" within the meaning of the SAR regulation.” 
 
Question 4: No SAR Documentation
Is a financial institution required to document the decision not to file a SAR?
No. There is no requirement or expectation under the BSA or its implementing regulations for a financial institution to document its decision not to file a SAR. FinCEN has previously encouraged, but not required, financial institutions to document the decision not to file a SAR. Should a financial institution choose to document its decision not to file a SAR, the level of appropriate documentation may vary based on the specifics of the activity being reviewed and need not exceed that which is necessary for the institution’s internal policies, procedures, and controls, which should be risk-based and reasonably designed to identify and report suspicious activity. In most cases, a short, concise statement documenting a financial institution’s SAR decision will likely suffice, although a financial institution may consider more documentation to explain the factors that the institution considered in reaching a SAR filing determination in more complex investigation scenarios.
 
Powell & Co. Comments on FAQ 4 No SAR Documentation:
Hopefully, this will help with the picky examiner or independent auditor/reviewer that expects a formally documented decision not to file for any and every transaction on the books.  However, most examiners or reviewers aren’t looking for those “got you” moments.  What this doesn’t mean is that FIs can do a shoddy job with case documentation or alert disposition. A well-run suspicious activity program, whether manual or more automated should spin off decisions not to file through cases, internal referrals, emails from employes, etc. and every instance of suspicious activity will not result in a SAR being filed.

Author: James M. Moore, CRCM

Disparate impact occurs when a lending policy or practice that appears neutral on its face has a disproportionately negative effect on a protected class (such as race, national origin, sex, age, etc.) even if there is no intent to discriminate. In practice, the rule results in significantly fewer approvals, worse pricing, or higher denial rates for a protected group. For disparate impact, regulators or courts don’t have to prove the lender meant to discriminate. The effect itself can be enough.

Examination teams from the OCC, FDIC, and NCUA have included procedures for testing for disparate impact in their examination manuals for years.  This is changing.  In April 2025, President Trump signed Executive Order 14281, titled “Restoring Equality of Opportunity and Meritocracy.” The order states that disparate-impact liability is “unlawful” and directs federal agencies, including the DOJ, to deprioritize enforcement of any statutes or regulations that rely on disparate impact theory. It also revoked prior regulatory approvals that supported such liability under Title VI of the Civil Rights Act.

The Trump Administration has stated they believe disparate impact theory is illegal.  The Supreme Court has not. The Executive Branch of the government has the ability and the right to direct their time and resources as they should. This appears to be simply an enforcement rollback as no laws have been changed. The legal foundation for disparate-impact liability established by Supreme Court precedent (e.g., Griggs v. Duke Power Co., 1971) and reinforced in Texas Dept. of Housing v. Inclusive Communities (2015) remains intact. A new administration can reverse course at any time.

Use caution if you make changes to your fair lending programs. It may not be prudent for a Financial Institution to remove disparate impact theory and associated risks from their fair lending programs at this time. This may only be a temporary reprieve during the current exam cycle.

Author: Jeremy Clifton, CRCM, CAMS

On August 7, 2025, President Trump issued an executive order entitled Guaranteeing Fair Banking For All Americans. The EO outlines the administration’s road map for governing and reigning in what is defined as, “politicized or unlawful debanking”. The EO defines politicized or unlawful debanking as “an act by a bank, savings association, credit union, or other financial services provider to directly or indirectly adversely restrict access to, or adversely modify the conditions of, accounts, loans, or other banking products or financial services of any customer or potential customer on the basis of the customer’s or potential customer’s political or religious beliefs, or on the basis of the customer’s or potential customer’s lawful business activities that the financial service provider disagrees with or disfavors for political reasons.”

We know this as debanking or derisking which is generally utilized when a client has a risk profile that does not align with a financial institution’s risk tolerance.  Many times, the FI does not have staffing, resources, or expertise to properly mitigate the risks certain clients. 
​
The debanking could happen for appropriate reasons, such as:

• The customer may be in an industry that the Board of the financial institution has chosen not to bank (e.g., crypto exchange or ATM, marijuana, MSB, PEP).
• The customer has been subject to multiple SAR filings.
• The customer has participated in fraud, money laundering, or other illegal activity.
• The customer has not provided applicable or standard CDD or CIP information necessary to mitigate ongoing risk and/or open the account.

 
Most community FIs that we service are not debanking outdoor or gun shops, or “persons participating in activities and causes commonly associated with conservatism and the political right”, or targeting P2P transactions with terms like “MAGA”; however, we still see some risks that can be somewhat mitigated. The EO orders each Federal banking regulator to identify FIs that have engaged in unlawful debanking and to take appropriate remedial action, so we would expect this to be a possible test point for FIs in the near future.
 
Action Steps for FIs:

• Update BSA/AML policy to include debanking and include a statement prohibiting “politicized or unlawful debanking”.
• Understand what rights your account agreement provides for account closure.
• For industries that the FI has determined to be prohibited ensure a documented rationale as to why those industries (e.g., crypto exchange or ATM, marijuana, MSB, PEP) are prohibited.
• Ensure that the FIs SAR program includes possible account closure as a result of continued suspicious activity.
• Ensure that the FIs CDD & EDD program includes expected initial due diligence and ongoing due diligence expectations for higher risk industries.
• Ensure that the FIs CDD & EDD program includes guidance, for instances when expected due diligence is not provided including closing the account within a reasonable timeframe.
• Ensure that the FIs CIP program includes guidance, for instances when required documentation is not provided including closing the account within a reasonable timeframe.
• Ensure that any action taken from a periodic loan review (freezing lines of credit, utilizing demand clauses, etc.) is in line with the loan agreement and bank policy.

Authors: Jeremy Clifton, CRCM, CAMS and Nick Milcarek, CAMS

On June 25, 2025, the Treasury issued special measures under section 2313a placing restrictions on three institutions in Mexico for facilitating the illegal drug trade on behalf of cartel organizations and being of primary money laundering concern. These institutions have been identified as CIBanco S.A., Institutión de Banca Multiple (CIBanco), Intercam Banco S.A., Institución de Banca Multiple (Intercam), and Vector Casa de Bolsa, S.A. de C.V. (Vector). While these orders are not OFAC sanctions, covered institutions will be required to restrict transmittals to and from these Mexican banks. The requirements only apply to these institutions’ Mexican operations and subsidiaries. This order will become effective September 4, 2025.

To comply with this order, financial institutions should ensure their systems in place are properly screening for these entities in all “transmittal of funds”.  The FAQ notes “transmittal of funds” as the sending and receiving of funds from all payment methods and for all purposes including virtual currency. We see the most risk with foreign wires and IATs. A majority of AML systems and some core processors automatically update lists of restricted and sanctioned names usually the day after an update. However, FIs should verify with core providers, AML systems providers, wire correspondents and other parties that subject transactions will be effectively screened. Make sure to include any details or description fields on wires including intermediaries, FFTC, or FBO fields in the screening process. If service providers do not have a ready-made solution, you may be able to use the keyword function within some core system parameters to search for the restricted institutions.

If your FI finds a covered transaction the FI is not required to block or freeze the transaction or even report it to OFAC unless otherwise covered by another sanctions program. The FI simply cannot process or accept the transaction. However, any positive match would be a trigger for review for possible suspicious activity that could be SAR reportable. Please see FinCEN’s advisory (FIN-2024-A002) outlining various typologies associated with the procurement of fentanyl precursor chemicals and manufacturing equipment at the following link: https://www.fincen.gov/sites/default/files/advisory/2024-06-20/FinCENSupplemental-Advisory-on-Fentanyl-508C.pdf. FIs should consider a risk based approach to reviewing transactions for these covered institutions as soon as possible as bad actors may try to move funds before the effective date of September 4, 2025.

From a BSA/AML/CFT Program standpoint you should update your Special Measures sections of the Program to be inclusive of these new Special Measures and document written procedures within your Program.
​
Press releases and the FAQs can be found below:
Initial Treasury Press Release: https://home.treasury.gov/news/press-releases/sb0179
Effective Date Extension Press Release: https://www.fincen.gov/news/news-releases/treasury-extends-effective-dates-orders-issued-under-new-authority-counter
FAQs on the order: Final-FAQs.pdf

Author: W. Brad Washburn, CRCM, CAMS

On July 16, 2025, the federal bank regulatory agencies — the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board, and the Office of the Comptroller of the Currency (OCC) — jointly issued a proposal to rescind the Community Reinvestment Act (CRA) final rule that was adopted in October 2023. In its place, the agencies propose to reinstate the prior CRA regulations that were originally issued in 1995, with certain technical amendments.

Background and Purpose
The 2023 CRA final rule has not yet taken effect and is currently subject to ongoing litigation. The newly issued proposal aims to provide clarity and consistency for stakeholders, reduce regulatory burdens for institutions, and maintain the foundational goals of the CRA — ensuring that banks continue to meet the credit needs of the communities they serve, including low- and moderate-income neighborhoods.

Public Comment Period
The agencies are seeking public comment on the proposed rule. Interested parties have until August 18, 2025, to submit their feedback.  Review the proposed rule at the following link:
community-reinvestment-act-regulations-notice-proposed-rulemaking.pdf (SECURED)
​
What’s Next?
The agencies have emphasized that they will continue to apply the 1995 CRA regulations in the interim. We will closely monitor developments and provide updates as further information becomes available or if the final rule is issued.
​
Stay tuned to our blog for ongoing coverage of CRA developments and regulatory changes affecting the banking industry.

We are excited to announce the date for our 2nd quarter clients-only webinar which will be Tuesday, June 24th, at 9:30 am. Brad Washburn will be leading a webinar where we will discuss the latest developments in the regulatory compliance environment, including but not limited to insights into the most recent regulatory shifts under the new administration, as well as insight into other upcoming rules and regulatory changes that could impact various aspects of your operations.  We will send out more details about sign-up closer to the webinar date, but we wanted to announce this to ensure you all have time to save it on your calendar. If you have not participated in any of the previous webinars this year nor received communication about them, you are more than likely not on the webinar invitee list. If you are a Powell & Co. client in any fashion and are unsure if you are on the mailing list for the webinars, please reach out to us and we will make sure to get your information. You can email Jeremy Clifton at [email protected]. We look forward to seeing you all there.

Author: Andrew Howard

On March 3, 2025, the FDIC announced the postponement of the compliance date for 12 CFR 328.4 and 328.5 rules that were set to go into effect on May 1st of this year. These requirements related to the display of the FDIC official sign on insured depository institution’s digital channels, as well as the requirement related to the institution’s ATMs and like devices. This postponement goes into effect as certain requirements for the digital pages continue to generate questions about the implementation and may result in customer confusing. With this in mind, the FDIC has decided to delay the implementation of these parts to develop proposed changes to the regulation to address the implementation problem and possible sources of confusion.

This delay does not apply to the other requirements stated under subpart A, which still have a required compliance date of May 1, 2025. Sections of Part 328, with changes still effective May 1, 2025, are noted below:

• 328.3 - Signs within institution premises and offering of non-deposit products within institution premises.
• 328.6 - Official advertising statement requirements
• 328.8 - Policies and procedures

A foot note to the recent Federal Register update states that written policies and procedures need not address section 328.4 and 328.5 changes until the full compliance date for these sections which is noted as March 1, 2026.  So, it appears that March 1, 2026, will be the effective date for these sections (328.4 and 328.5) once updates occur. Do note that your financial institution will need written policy and procedures to generally comply with Part 328 by May 1, 2025. We will keep you posted on any updates as they evolve.

FIL-5-2025
FIL-65-2023
12 CFR 328

We are excited to announce that three of the faculty members at GBA Compliance school are our very own.  Stewart Thigpen, CPA, Brad Washburn, CRCM, CAMS, and James Moore, CRCM are teaching classes this year.  This is a great way to learn the ins and outs of bank compliance requirements!  We hope to see you there!

Click here for registration:
Summary - GBA Compliance School (2025 Session)

Authors: Jeremy Clifton CRCM, CAMS & Nick Milcarek, CAMS

On July 22, 2024, the Office of Foreign Assets Control released guidance on the extension of the statute of limitations specifically involving OFAC record keeping requirements. Beginning March 12, 2025, the interim final rule will extend recordkeeping requirements from 5 to 10 years. This comes after the prior administration signed into law the 21st Century Peace Through Strength Act. Section 3111 of the law specifically states that the statute of limitations on sanctions violations be extended to 10 years under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TEA).

Section 501.601 of the Department of Treasury’s rules now reads:

“Records and recordkeeping requirements.

Except as otherwise provided, every person engaging in any transaction subject to the provisions of this chapter shall keep a full and accurate record of each such transaction engaged in, regardless of whether such transaction is effected pursuant to license or otherwise, and such record shall be available for examination for at least 10 years after the date of such transaction. Except as otherwise provided, every person holding property blocked pursuant to the provisions of this chapter or funds transfers retained pursuant to § 596.504(b) of this chapter shall keep a full and accurate record of such property, and such record shall be available for examination for the period of time that such property is blocked and for at least 10 years after the date such property is unblocked.”

What does this mean for financial institutions? It clearly indicates that any transaction subject to sanctions blocking or rejecting will now need to be retained for a minimum of 10 years. Most community financial institutions have historically had little if any experience or need to block or reject transactions as true sanctions matches are very rare.

What does this mean for non-match OFAC or sanctions documentation? This is not as clear as we would have hoped at this time; keep in mind this is an interim final rule with comments and a final rule to come.  With the statute of limitations being 10 years and with the ambiguity of the section “every person engaging in any transaction subject to the provisions of this chapter shall keep a full and accurate record of each such transaction engaged in, regardless of whether such transaction is effected pursuant to license or otherwise, and such record shall be available for examination for at least 10 years”, we are recommending a wait and see approach at this time. If your institution has non-match OFAC records after April 24, 2019, we recommend that they continue to be maintained for the interim.  We will keep you updated on any changes.

For more information and guidance on the new OFAC requirements, please see the below links.

Guidance from OFAC: extension_statute_of_limitations_guidance_20240722.pdf

Federal Register Mentioning OFAC Changes:
ttps://www.federalregister.gov/documents/2024/09/13/2024-20674/reporting-procedures-and-penalties