Skip to content
Regulatory change analysis pack

Representative capture · 10 Jul 2026

Regulatory change analysis

Cadre pack · Marginalia

Turns a supplied rule change into candidate obligations, control mappings, gaps, and proposed actions for review.

One frozen, sanitized execution on representative data. It shows an observed path and retained decision—not repeatability, production fitness, legal instruction, or regulatory compliance.

Recorded decision

Decision record

Coverage
10 obligations · 8 gaps

Assessment Recorded — 31 CFR § 1020.320

The assessment has been committed. Here is the executive summary for your compliance file.


Obligation Inventory (10 obligations)

IDObligationCitationCoverage
OBL-01Detect suspicious transactions ≥ $5,000 meeting enumerated triggers(a)(1)–(2) Covered
OBL-02File SAR with FinCEN on prescribed form(a)(1), (b)(1)–(2) Covered
OBL-03File within 30 calendar days of initial detection(b)(3) Partial
OBL-04Extend to 60-day maximum if no suspect identified; never exceed 60 days(b)(3) Partial
OBL-05Immediate telephone notification to law enforcement for urgent violations(b)(3) Gap
OBL-06Collect and label supporting documentation for every SAR(b)(1), (d) Partial
OBL-07Retain SAR copies + supporting docs for 5 years from filing date(d) Gap
OBL-08Produce SAR records to FinCEN/law enforcement/regulators upon request(d) Gap
OBL-09SAR confidentiality — prohibition on disclosure by all bank personnel(e)(1)(i) Gap
OBL-10Decline subpoenas for SARs; cite statute; notify FinCEN(e)(1)(i) Gap

Control Mapping Summary

ControlOBLs AddressedMax Coverage
CTRL-SAR-01 Suspicious Activity Monitoring & ReportingOBL-01, 02, 03, 04, 06Partial on 03, 04, 06
CTRL-AML-01 AML Program & BSA OfficerOBL-01Covered (supporting)
CTRL-CIP-03 / CTRL-CTR-01 / CTRL-CIP-01 / CTRL-CIP-02Out of scope — not credited

Gaps & Remediation Actions (7 actions)

#ActionOwnerPriority
ACTION-1Enhance CTRL-SAR-01 to explicitly codify 30-day deadline (OBL-03)BSA Officeralert HIGH
ACTION-2Enhance CTRL-SAR-01 to document 60-day cap + suspect-extension protocol (OBL-04)BSA Officeralert HIGH
ACTION-3Enhance CTRL-SAR-01 to require explicit collection & labeling of supporting docs (OBL-06)BSA Officeralert HIGH
ACTION-4New control — SAR Record Retention (5 yrs from filing; distinct from CIP retention) (OBL-07)Records Mgmtalert HIGH
ACTION-5New control — SAR Records Access & Production to authorities on request (OBL-08)BSA Officer / Compliancealert HIGH
ACTION-6New control — SAR Confidentiality & Tipping-Off Prohibition + staff training (OBL-09)BSA Officer / Legalalert HIGH
ACTION-7New control — Urgent telephonic law enforcement notification procedure (OBL-05)Financial Crimecaution MEDIUM
ACTION-8New control — SAR subpoena-decline playbook + FinCEN notification log (OBL-10)Legal / BSA Officercaution MEDIUM

Key Auditor Notes

  1. Scope is confirmed — § 1020.320 is in Part 1020, which governs banks specifically. All 10 obligations apply to the bank.
  2. CTRL-CIP-03 was expressly not credited for OBL-07. CIP record retention (5 years after account closure) and SAR record retention (5 years from filing date) are different obligations with different clocks, triggers, and record types.
  3. CTRL-SAR-01's "regulatory timelines" language is the primary risk surface following this clarification — it must be updated to enumerate the 30/60-day rules explicitly before the bank can assert demonstrable procedural compliance.
  4. The five pure gaps (OBL-05, 07, 08, 09, 10) represent structural control absences, not documentation gaps in existing controls. New controls need to be designed, approved, and operationalized.
Decision record retained · contract-validated
Inspect the observed pathOpen the sanitized reasoning, actions, and ordered event record behind this decision.

Observed path

This is the retained public trace from one frozen representative execution. It is not a live run, a repeatability claim, or a complete production audit record.

Marginalia
Briefed on the case

I'll kick off both fetches in parallel — the regulation section and the control inventory are independent.

I have the regulatory text and the full control inventory. Now I'll work through the text systematically — extracting every atomic obligation, scoping each one, and mapping to controls — before recording the assessment.

Parsing § 1020.320 → 10 discrete obligations:

#ObligationCitation
OBL-01Detect suspicious transactions ≥$5,000 meeting the three enumerated triggers(a)(1)-(2)
OBL-02File a SAR with FinCEN using the prescribed form(a)(1), (b)(1), (b)(2)
OBL-03File within 30 calendar days of initial detection(b)(3)
OBL-04When no suspect identified at detection, may extend up to 60 days total; never exceed 60 days(b)(3)
OBL-05Immediately notify law enforcement by telephone for urgent violations (e.g., ongoing ML), in addition to SAR(b)(3)
OBL-06Collect and maintain supporting documentation for every SAR(b)(1), (d)
OBL-07Retain SAR copy + supporting documentation for 5 years from filing date(d)
OBL-08Make SAR records available to FinCEN/law enforcement/regulators upon request(d)
OBL-09Keep SARs and their existence strictly confidential; prohibit disclosure by all bank personnel(e)(1)(i)
OBL-10Decline any subpoena/request to produce SAR, cite statute, and notify FinCEN of request and response(e)(1)(i)

Control scope check: CTRL-CIP-03 covers CIP identity record retention (5 years after account closure) — its scope does NOT reach SAR record retention, which has a different trigger (filing date) and purpose. These will not be cross-credited.