Representative capture · 10 Jul 2026
Regulatory change analysis
Cadre pack · Marginalia
Turns a supplied rule change into candidate obligations, control mappings, gaps, and proposed actions for review.
One frozen, sanitized execution on representative data. It shows an observed path and retained decision—not repeatability, production fitness, legal instruction, or regulatory compliance.
Recorded decision
Decision record
Assessment Recorded — 31 CFR § 1020.320
The assessment has been committed. Here is the executive summary for your compliance file.
Obligation Inventory (10 obligations)
| ID | Obligation | Citation | Coverage |
|---|---|---|---|
| OBL-01 | Detect suspicious transactions ≥ $5,000 meeting enumerated triggers | (a)(1)–(2) | Covered |
| OBL-02 | File SAR with FinCEN on prescribed form | (a)(1), (b)(1)–(2) | Covered |
| OBL-03 | File within 30 calendar days of initial detection | (b)(3) | Partial |
| OBL-04 | Extend to 60-day maximum if no suspect identified; never exceed 60 days | (b)(3) | Partial |
| OBL-05 | Immediate telephone notification to law enforcement for urgent violations | (b)(3) | Gap |
| OBL-06 | Collect and label supporting documentation for every SAR | (b)(1), (d) | Partial |
| OBL-07 | Retain SAR copies + supporting docs for 5 years from filing date | (d) | Gap |
| OBL-08 | Produce SAR records to FinCEN/law enforcement/regulators upon request | (d) | Gap |
| OBL-09 | SAR confidentiality — prohibition on disclosure by all bank personnel | (e)(1)(i) | Gap |
| OBL-10 | Decline subpoenas for SARs; cite statute; notify FinCEN | (e)(1)(i) | Gap |
Control Mapping Summary
| Control | OBLs Addressed | Max Coverage |
|---|---|---|
| CTRL-SAR-01 Suspicious Activity Monitoring & Reporting | OBL-01, 02, 03, 04, 06 | Partial on 03, 04, 06 |
| CTRL-AML-01 AML Program & BSA Officer | OBL-01 | Covered (supporting) |
| CTRL-CIP-03 / CTRL-CTR-01 / CTRL-CIP-01 / CTRL-CIP-02 | — | Out of scope — not credited |
Gaps & Remediation Actions (7 actions)
| # | Action | Owner | Priority |
|---|---|---|---|
| ACTION-1 | Enhance CTRL-SAR-01 to explicitly codify 30-day deadline (OBL-03) | BSA Officer | alert HIGH |
| ACTION-2 | Enhance CTRL-SAR-01 to document 60-day cap + suspect-extension protocol (OBL-04) | BSA Officer | alert HIGH |
| ACTION-3 | Enhance CTRL-SAR-01 to require explicit collection & labeling of supporting docs (OBL-06) | BSA Officer | alert HIGH |
| ACTION-4 | New control — SAR Record Retention (5 yrs from filing; distinct from CIP retention) (OBL-07) | Records Mgmt | alert HIGH |
| ACTION-5 | New control — SAR Records Access & Production to authorities on request (OBL-08) | BSA Officer / Compliance | alert HIGH |
| ACTION-6 | New control — SAR Confidentiality & Tipping-Off Prohibition + staff training (OBL-09) | BSA Officer / Legal | alert HIGH |
| ACTION-7 | New control — Urgent telephonic law enforcement notification procedure (OBL-05) | Financial Crime | caution MEDIUM |
| ACTION-8 | New control — SAR subpoena-decline playbook + FinCEN notification log (OBL-10) | Legal / BSA Officer | caution MEDIUM |
Key Auditor Notes
- Scope is confirmed — § 1020.320 is in Part 1020, which governs banks specifically. All 10 obligations apply to the bank.
- CTRL-CIP-03 was expressly not credited for OBL-07. CIP record retention (5 years after account closure) and SAR record retention (5 years from filing date) are different obligations with different clocks, triggers, and record types.
- CTRL-SAR-01's "regulatory timelines" language is the primary risk surface following this clarification — it must be updated to enumerate the 30/60-day rules explicitly before the bank can assert demonstrable procedural compliance.
- The five pure gaps (OBL-05, 07, 08, 09, 10) represent structural control absences, not documentation gaps in existing controls. New controls need to be designed, approved, and operationalized.
Inspect the observed pathOpen the sanitized reasoning, actions, and ordered event record behind this decision.
Observed path
This is the retained public trace from one frozen representative execution. It is not a live run, a repeatability claim, or a complete production audit record.
I'll kick off both fetches in parallel — the regulation section and the control inventory are independent.
I have the regulatory text and the full control inventory. Now I'll work through the text systematically — extracting every atomic obligation, scoping each one, and mapping to controls — before recording the assessment.
Parsing § 1020.320 → 10 discrete obligations:
| # | Obligation | Citation |
|---|---|---|
| OBL-01 | Detect suspicious transactions ≥$5,000 meeting the three enumerated triggers | (a)(1)-(2) |
| OBL-02 | File a SAR with FinCEN using the prescribed form | (a)(1), (b)(1), (b)(2) |
| OBL-03 | File within 30 calendar days of initial detection | (b)(3) |
| OBL-04 | When no suspect identified at detection, may extend up to 60 days total; never exceed 60 days | (b)(3) |
| OBL-05 | Immediately notify law enforcement by telephone for urgent violations (e.g., ongoing ML), in addition to SAR | (b)(3) |
| OBL-06 | Collect and maintain supporting documentation for every SAR | (b)(1), (d) |
| OBL-07 | Retain SAR copy + supporting documentation for 5 years from filing date | (d) |
| OBL-08 | Make SAR records available to FinCEN/law enforcement/regulators upon request | (d) |
| OBL-09 | Keep SARs and their existence strictly confidential; prohibit disclosure by all bank personnel | (e)(1)(i) |
| OBL-10 | Decline any subpoena/request to produce SAR, cite statute, and notify FinCEN of request and response | (e)(1)(i) |
Control scope check: CTRL-CIP-03 covers CIP identity record retention (5 years after account closure) — its scope does NOT reach SAR record retention, which has a different trigger (filing date) and purpose. These will not be cross-credited.