Mid-size banks and credit unions inside the Bank Secrecy Act and anti-money laundering (BSA/AML) regulatory orbit are entering 2026 with their eyes open, and for good reason. A year of enforcement activity and evolving expectations has sent a clear message: supervisors want compliance programs that are stronger, faster, and more genuinely risk-focused. Institutions that cannot keep pace should expect heightened scrutiny, and in some cases penalties. Based on the recent trends, here are three program areas mid-size institutions should prioritize this quarter to stay ahead of what examiners are looking for.
1. Re-commit to effective BSA/AML leadership and resourcing
A consistent theme across recent enforcement cases is inadequate compliance leadership and staffing. The OCC, for instance, took action against a bank for failing to maintain a qualified BSA/AML officer and properly trained staff, a gap that led to missed suspicious activity reports and weak monitoring. The takeaway is simple. Make sure the compliance function has the right leader, enough people, and real board engagement. Mid-size institutions sometimes assume their smaller scale excuses them from investing in senior compliance talent. It does not. Examiners are putting governance first, and they want evidence that the board and senior management actively oversee BSA/AML and sanctions compliance, with accountability that is clearly assigned.
In practice, that means confirming the BSA officer has sufficient authority and resources to run a serious program. Run a candid resource-adequacy review. Are there enough experienced analysts to handle rising alert volumes from your monitoring systems? Is there a succession plan if a key compliance manager leaves? Is the training program current, including emerging risks such as digital assets and new fraud typologies, and do staff have access to ongoing development? With turnover a challenge across the industry, examiners understand that under-resourcing and under-training are reliable predictors of program gaps, and they will cite them.
2. Modernize transaction monitoring and data controls to keep up with new risks
The next priority the trends point to is modernization, especially in suspicious activity monitoring and data management. Financial crime is evolving quickly, with criminals exploiting instant payments, cryptocurrencies, and synthetic identities. In the past year a Federal Reserve order required a banking-as-a-service bank to strengthen its monitoring procedures for fintech partners. Separate industry analysis has made the point that in a world of faster payment rails and anonymous digital wallets, what used to look unusual can quickly become routine. Mid-size institutions cannot lean on outdated systems or static rules that miss modern patterns.
Data integrity is a related and growing focus. Examiners are paying closer attention to the quality and agility of a bank's data. In one case, they criticized a bank whose customer risk profiles stayed static even as customer behavior changed, which let high-risk activity slip past undetected. To avoid that kind of finding, mid-size banks should invest in data-quality controls and dynamic risk scoring. Make sure customer due diligence and transaction monitoring run on accurate, current data about customers and how their activity is changing. Look hard at whether your rules and models need tuning to catch patterns such as rapid small-dollar transfers that split deposits below reporting thresholds, transactions moving through real-time payment networks, or the signatures of money mule accounts. That may mean adding new data sources or upgrading technology. Given the regulatory push toward an effective, risk-based program, mid-size institutions need to show that their monitoring is a living system that actually catches suspicious behavior, not a compliance checklist.
3. Double down on sanctions and third-party risk oversight
Sanctions compliance and third-party risk management have both moved to the front of supervisory attention, mid-size institutions included. Sanctions regimes such as OFAC are updating more often as global conflicts and geopolitical shifts accelerate. Regulators expect banks of every size to update screening lists in near real time and to maintain solid interdiction controls, because any lag risks processing a prohibited transaction. If your screening system is not updated the moment a new name is added to a sanctions list, that gap needs to close now. One mid-size bank learned this the hard way after a foreign payment slipped through because its list update lagged by a few days, prompting examiners to question both the control design and the response process. The signal is unambiguous. Compliance teams need the technology and the process to keep up with the speed of sanctions changes, including immediate list updates and thorough screening of customers, counterparties, and beneficial owners alike.
Alongside sanctions, third-party relationships carry outsized risk in the current environment, and regulators know it. Mid-size banks increasingly depend on vendors, fintech partnerships such as banking-as-a-service arrangements, and other service providers to deliver products and run operations. The OCC and the Fed have issued enforcement actions against banks over fintech partnerships that lacked adequate risk management. Even if your institution does not see itself as a sponsor bank, examiners will probe how you govern vendor risk. Do you know every place customer data or processes are outsourced? How do you monitor those partners? A well-run regional bank might outsource online account opening to a third-party platform, and if that vendor quietly changes an identity verification step, it can open a door to fraud. That scenario is not hypothetical. Regulators increasingly expect continuous vendor oversight rather than an annual check-the-box review. For mid-size institutions in 2026, putting more energy into third-party risk management, particularly across fintech and IT, is a sensible way to get ahead of examiner criticism.
From static compliance to dynamic risk management
Taken together, the coming BSA/AML exam cycle signals a shift from static compliance toward dynamic risk management. Mid-size institutions can respond by strengthening compliance leadership and resourcing, with no lighter version of that commitment on account of size; by modernizing monitoring and data practices so the program can demonstrably catch today's more sophisticated activity; and by reinforcing sanctions and third-party controls, since threats arrive from outside as readily as from within. Focusing on these areas now does more than prepare you for the 2026 exam. It builds a more resilient posture that pays off in safety, trust, and regulatory confidence.