FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatoryfinancial servicesbankingcomplianceBSA

BSA/AML Program Documentation in the AI Era: What Examiners Want to See

By Basel IsmailMay 8, 2026

BSA/AML Program Documentation in the AI Era: What Examiners Want to See

If you've integrated machine learning models into your transaction monitoring pipeline, you already know the technology works well. Models can reduce false positives by 40% to 60% compared to legacy rule-based systems, depending on who you ask and how they measure. FinCEN has been broadly supportive of innovation here, going back to the December 2018 joint statement from FinCEN, the OCC, FDIC, NCUA, and the Fed encouraging "innovative approaches" to BSA/AML compliance. But examiner expectations around documentation have evolved considerably since then, and most institutions haven't kept pace.

The core issue: your BSA/AML program still needs to satisfy the four pillars under 31 U.S.C. § 5318(h), and examiners evaluate those pillars the same way regardless of whether your monitoring is powered by if-then rules or gradient-boosted trees. Internal controls, independent testing, a designated BSA officer, and training. What changes when AI enters the picture is the depth and specificity of documentation required to demonstrate each pillar is functioning.

Internal Controls: Model Documentation Is Now a BSA Artifact

The FFIEC BSA/AML Examination Manual was updated in 2021 and again with targeted revisions, and it makes clear that examiners expect to see documentation of how monitoring systems identify potentially suspicious activity. When that system is a machine learning model, "how it works" becomes a significantly harder question to answer, and examiners know it.

At a minimum, your internal controls documentation should now include:

Model development documentation covering the objective function, training data characteristics (including date ranges, customer segments, and volume), feature engineering decisions, and the rationale for algorithm selection.
Threshold and tuning records showing how alert generation thresholds were set, what tradeoffs were considered between false positive rates and detection coverage, and who approved those decisions.
Ongoing monitoring metrics including model performance over time, data drift analysis, and any recalibration events. The OCC's SR 11-7 (Supervisory Guidance on Model Risk Management) applies here even though it predates the AI wave. Examiners will reference it.
Override and suppression logs documenting any cases where model outputs were overridden by analysts, with reasons. This is where examiners look for patterns suggesting the model is being second-guessed systematically without triggering a formal review.

One thing I've seen catch institutions off guard: examiners increasingly ask for documentation of what the model does not monitor. If your ML system was trained on historical SAR data, it may have blind spots around typologies that were historically under-reported. You need to document those known limitations and explain what compensating controls exist.

Independent Testing: Your Auditors Need to Understand the Model

The independent testing requirement under BSA has always been straightforward in concept and uneven in execution. Adding AI to the stack raises the bar. The 2023 FinCEN enforcement action against USAA Federal Savings Bank, which resulted in a $140 million penalty, included findings about inadequate oversight of transaction monitoring systems. While that case involved rule-based systems, the underlying principle applies with even more force to ML models: you cannot demonstrate adequate independent testing if your testers don't understand what they're testing.

Practically, this means your independent testing program should cover:

Model validation performed by qualified personnel independent of the development team. "Qualified" here means someone who can evaluate the statistical methodology, not just confirm that alerts are being generated.
Back-testing against known suspicious activity to verify the model would have detected previously identified cases. This is table stakes but often poorly documented.
Scenario analysis covering emerging typologies that may not be well-represented in training data. FinCEN's advisories on specific threats (ransomware, human trafficking, fentanyl proceeds) are a good starting point for building test scenarios.
Assessment of the full pipeline, not just the model in isolation. Data ingestion, preprocessing, feature computation, alert generation, case management handoff. A model that performs well in a notebook but receives corrupted input data in production is a compliance failure, not a technology failure.

The BSA Officer's Role: Accountability Without Expertise Gaps

Your designated BSA officer is personally accountable for the program's effectiveness. When AI is part of the monitoring infrastructure, this creates a real tension. Most BSA officers are deeply experienced in financial crime compliance but were not trained in machine learning. Examiners are aware of this, and they're looking for evidence that the institution has bridged the gap.

Document how the BSA officer is kept informed about model performance, changes, and limitations. Regular reporting from the model risk management team to the BSA officer should be formalized, not ad hoc. Meeting minutes, dashboards, and escalation protocols all matter here. The 2020 Anti-Money Laundering Act (AMLA), specifically Section 6209, reinforced the expectation that BSA officers have sufficient authority and resources. If your BSA officer can't explain at a high level why the model generates the alerts it does, examiners will view that as a resource gap.

Training: It Has to Cover the AI Components

BSA training programs need to be updated to reflect the actual systems staff are using. If investigators are working alerts generated by an ML model, they need to understand what the alert scores mean, what features drove a particular alert, and what the model's known limitations are. Generic training on "what is machine learning" is not sufficient. The training should be specific to your implementation.

Examiners have started asking frontline investigators how they interpret model-generated alerts during exam interviews. If your analysts can't articulate why a particular transaction was flagged beyond "the system scored it high," that's a documentation and training deficiency that will show up in the exam report.

Explainability Is a Regulatory Requirement, Not a Nice-to-Have

This is worth calling out separately. FinCEN requires that SARs include a narrative explaining why the activity is suspicious. If your model flags activity but you cannot explain in human terms why, you have a SAR quality problem. The narrative can't say "the model identified this as anomalous." It needs to articulate the specific behavioral patterns that triggered the alert.

This is where many institutions discover that their model's explainability layer is inadequate. SHAP values and feature importance scores are useful for data scientists but need to be translated into language that works in a SAR narrative and that an examiner or FinCEN analyst can follow. Your documentation should describe this translation process and who is responsible for it.

Recordkeeping and Audit Trails

Under 31 CFR 1010.306 and related recordkeeping requirements, you need to retain records sufficient to reconstruct the basis for filing or not filing a SAR. When an ML model is involved, this means retaining not just the alert and disposition, but the model version that generated the alert, the input data at the time of scoring, and the feature values. If you retrain your model quarterly and can't reproduce what the prior version would have flagged, you have a recordkeeping problem.

Version control for models, training data, and configuration parameters should be treated with the same rigor as document retention for customer records. Five-year retention minimums apply, and examiners will want to see that you can reconstruct historical alert generation logic.

How FirmAdapt Addresses This

FirmAdapt's architecture was built around the assumption that every AI-assisted decision in a regulated workflow needs to be explainable, auditable, and reconstructable. For BSA/AML programs specifically, this means full version control of model configurations, automated logging of input data and feature values at the time of each scoring event, and explainability outputs designed to support SAR narrative drafting rather than just data science review.

The platform also maintains structured documentation artifacts aligned with FFIEC examination expectations, including model development records, threshold justification logs, and performance monitoring reports that can be produced for examiners without requiring a data science team to manually compile them. If your institution is integrating AI into transaction monitoring, FirmAdapt provides the compliance infrastructure layer that examiners expect to see but that most ML platforms don't include out of the box.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free