3 seats free. No card. Upgrade per seat as you grow.
Free forever for teams up to 3 seats.
Your newest hires learned from YouTube, not textbooks. Here's why your training is failing them.
Free download. No credit card required.
A field guide for BSA Officers and AML Program Managers · 2026
A typology updates. The annual training cycle does not. By the time the exam team arrives for the look-back, the front line has been operating against the old typology for nine months. This paper covers why annual AML training fails the look-back test, what training-effectiveness evidence the FFIEC manual actually calls for, and how to evaluate the approach on public material — without uploading any internal AML program docs to an unvetted vendor.
In short: The exam team is not asking whether the front line was trained on the typology. They are asking whether the front line was operating against it on the days the suspicious activity occurred.
Every BSA officer at a community or regional bank has been through a look-back conversation. The questions take a recognizable shape:
“FinCEN issued the advisory in March. The CTRs and SARs we are reviewing today were filed in October. What evidence do you have that the typology was retained by front-line staff during the intervening period?”
The honest answer at most institutions is: training was assigned in March. Completion was tracked. Whether the typology was retained by the teller making a CTR judgment in October is not measurable from the records currently produced.
This is not a minor finding. The training-effectiveness language in the FFIEC BSA/AML Examination Manual exists specifically because the manual’s authors recognized this gap.
In short: Training that is “tailored to specific responsibilities” and a program that can be evaluated. The phrase the manual uses repeatedly is “effective training.”
The FFIEC BSA/AML Examination Manual (2024 ed.) is explicit on training requirements:
The last point is where most programs are thin. Annual completion records demonstrate that training occurred. They do not demonstrate effectiveness, which the manual implies is the actual goal.
The exam team’s interpretation of “effectiveness” is institution-specific, but the common pattern is: can the institution produce evidence that front-line staff recalled the relevant typology on the day it mattered? Completion percentages do not answer that.
In short: FinCEN advisories arrive on FinCEN’s schedule. Annual recertification arrives on the bank’s. The gap between them is where the look-back lives.
The typology update cycle is asynchronous. A FinCEN advisory on a new structuring pattern might land in March. The bank’s annual AML refresher is in November. For seven months, the front line is being trained on the prior year’s typology set.
The look-back, when it happens, is usually focused on transactions that occurred during this gap window. The exam team selects suspicious-activity examples from October. They ask: was the front line operating against the relevant typology in October? The institution’s training records show training delivered in November and the prior November. Neither matches the question.
A daily practice layer collapses the gap. When the typology updates in March, the drill set updates in March. The front line is practicing against the current typology by the following morning, not by the following recertification cycle.
In short: Same retention finding as in clinical, industrial, and compliance contexts.
The Cepeda 2006 meta-analysis found ~2× retention improvement from spaced practice over massed practice. Roediger & Karpicke 2006 documented the testing effect: retrieval attempts produce better recall than re-reading. These findings generalize to typology recognition, SAR decision logic, KYC red flag identification, and OFAC sanctions screening.
The cadence that fits the operational pattern at a bank is brief and frequent: 60-second drills, daily, on the phone the teller or analyst already carries (or on the workstation in branch settings). Each drill answer is timestamped. The per-role mastery view shows percent correct over time, by typology, by role.
In short: Different drill content per role. The teller’s drill set is not the BSA analyst’s drill set.
The FFIEC manual’s “tailored to specific responsibilities” requirement maps to per-role drill content:
Each role’s drill set is a subset of the bank’s full AML training program. Each role’s mastery view answers the role-specific look-back question.
In short: BSA officers do not upload AML program docs to unvetted vendors. You do not have to.
This is the most important paragraph in this paper. Internal AML program documents, suspicious-activity narratives, customer cohort information, and look-back exam findings are confidential under 12 U.S.C. § 3401 and SAR-confidentiality rules. Putting them in front of an unvetted vendor — even one with a strong security posture — is a regulatory and reputational risk we do not ask you to take.
The five-minute test runs on public material. FFIEC BSA/AML Examination Manual sections (publicly available at bsaaml.ffiec.gov), recent FinCEN advisories (fincen.gov), OFAC SDN list updates (treasury.gov), CFR sections — all public, all suitable as the test document. The drill set generated from a public document is identical in mechanism to one generated from your internal AML training material.
If the five-minute test reads as useful, the recommended sequence is: complete our vendor security questionnaire (5-business-day turnaround), execute a DPA if applicable, then upload internal materials. Not before.
“Our compliance officer requires SOC 2.” HeyLoopy is built on SOC 2 Type II-certified AWS infrastructure following SOC 2-aligned controls. We are not ourselves SOC 2 certified at this time. Customer data lives in AWS us-east-1; AES-256 at rest, TLS for all customer-facing traffic. Full posture on the trust page. For prudential-regulator buyers, we also reference our PCI scope (Stripe handles all payment data; HeyLoopy is out of PCI scope by design).
“What about FFIEC IT Examination Handbook posture?” A FFIEC IT-handbook mapping document is in active development; we share it under NDA on request once a vendor security questionnaire is in flight. For the interim, the VSQ (SIG Lite, CAIQ, or your institution’s custom form) is the standard path and turns around within 5 business days. SOC 2 Type I is on our near-term roadmap; we will publish a target date when it firms up.
“What about SAR-narrative content?” Drill content authored from internal SAR examples, look-back exam findings, or typology-investigation memos lives in your tenant only. We do not train any AI model on customer content, ours or any third party’s. Tenant data is segregated per institution; cross-tenant access is not possible by design. Full posture on the privacy policy AI section.
“Annual training already exists. Why add another layer?” You do not replace annual training. The annual cycle continues to deliver the comprehensive curriculum and produce completion records the manual references. The practice layer runs alongside, surfacing the typology-update propagation and the retention evidence the annual cycle cannot produce on its own.
Sign up free at heyloopy.com (three seats, no credit card). Drop a FFIEC manual section or recent FinCEN advisory. Answer the first drill yourself. If the experience reads as useful, the next conversations are about which typologies and roles to drill first, the procurement path (VSQ, DPA), and how the per-role mastery view fits into your annual training-effectiveness assessment.
Email support@heyloopy.com for a direct conversation.
3 seats free · no card · first drill in five minutes