VFINDIT

Staffing Blueprint for BSA/AML & KYC Teams


For community and small banks, regulatory expectations don’t shrink with asset size. This blueprint shows CXOs and hiring leaders how to right-size BSA/AML & KYC staffing, quantify capacity, and stand up a resilient operating model without ballooning costs.


TL;DR

  • Start with quantified risk and volume, not titles. Capacity drives headcount.
  • Build a lean core: BSA Officer, Alerts (L1), Investigations (L2), KYC Onboarding & Periodic Review, Sanctions, QA, and Reporting/MIS.
  • Use simple math to size the team (volume × handling time ÷ productive minutes).
  • Stand up governance, SLAs, QA, and reporting on day one; automate gradually.
  • Scale with a hub-and-spoke model and targeted partners for peaks and niche skills.

Why Small Banks Feel “Big Bank” Pressure

Regulators expect effective programs for Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Customer Identification Program (CIP), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), sanctions screening, suspicious activity monitoring, and timely SAR/CTR reporting—regardless of headcount. Digital growth, real-time payments, and higher fraud sophistication create more alerts and investigations, while small banks must still deliver fast onboarding for customers and small businesses. The result: capacity strain without a clear staffing plan.


The Operating Model That Works

1) Core Functions

  • Program Leadership: BSA Officer (and Deputy) accountable for policy, governance, training, risk assessments, and exam response.
  • Monitoring & Investigations: L1 alert triage, L2 investigations, SAR drafting and quality checks.
  • KYC/CDD: New-to-bank onboarding, periodic reviews, EDD for higher-risk customers.
  • Sanctions: Name screening, alert clearing, list management coordination.
  • Quality Assurance (QA): Independent reviews of L1/L2/KYC outputs, procedure adherence.
  • Reporting & Data (MIS): Dashboarding, metrics, model performance monitoring, issues management.

2) Governance & RACI

  • Board/Exec Oversight: Policy approval, risk appetite, program effectiveness.
  • BSA Officer: Owns program, SLAs, roadmap, and exam management.
  • Ops Leads: Day-to-day output, training, and quality controls.
  • Internal Audit/Compliance Testing: Independent testing cadence, remediation tracking.

Roles & Must-Have Skills (Lean Profiles)

  • BSA Officer: Program ownership, exam readiness, stakeholder management. Skills: policy, risk assessments, issue remediation, board reporting.
  • Deputy/Manager: Run books, queue management, coaching, metrics. Skills: workforce planning, SOP design, escalation protocols.
  • L1 Alert Analyst: Clear transaction monitoring alerts, document decisions. Skills: triage discipline, writing concise rationales.
  • L2 Investigator: Deep-dive cases, SAR narratives, law-enforcement liaison. Skills: investigative writing, typology knowledge.
  • KYC Analyst (Onboarding/Periodic): CIP/CDD collection, risk scoring, EDD triggers. Skills: document review, beneficial ownership analysis.
  • EDD Specialist: Complex customers (MSBs, cash-intensive, cross-border). Skills: source-of-funds, adverse media synthesis.
  • Sanctions Analyst: Screening hits adjudication, escalation. Skills: fuzzy matching judgment, list tuning feedback.
  • QA Analyst: Independent sampling, error taxonomy, coaching feedback. Skills: attention to detail, procedure mastery.
  • Reporting/MIS Analyst: Metrics, backlog, SLA tracking, model ops liaison. Skills: SQL/Excel, root-cause analysis.

Capacity Planning: A Simple, Defensible Formula

Right-size with math, not guesswork.

FTE Needed = (Monthly Volume × Avg Handling Time in Minutes) ÷ Productive Minutes/FTE

  • Productive Minutes/FTE (baseline): 7.5 hrs/day × 20 days × 60 min/hr × 80% utilization ≈ 7,200 minutes.

Typical Handling-Time Benchmarks (use to start; tune with your data)

| Work Type | Baseline AHT (Minutes) | Notes |
|---|---|---|
| L1 Alert Triage | 15 | Varies 12–20 based on data quality & alert type |
| L2 Investigation | 240 | Varies 180–300 by complexity/typology |
| KYC Standard (Onboarding/Periodic) | 30 | Retail/SBO without complexity |
| KYC EDD | 120 | Higher-risk customers, deeper validation |
| Sanctions Hit Review | 5 | Post-tuning hits; true-hit escalation separate |

Worked Example (mid-sized community bank)

  • Assumptions: 2,000 monitoring alerts/month; 5% escalate to L2; 1,200 new accounts/month (10% require EDD); 50,000 customers with 25% annual periodic reviews; 1,500 sanctions potential hits/month.

| Area | Monthly Volume | AHT (min) | FTE (calc) |
|---|---|---|---|
| L1 Alerts | 2,000 | 15 | 4.17 |
| L2 Investigations | 100 | 240 | 3.33 |
| KYC Standard (Onboarding) | 1,080 | 30 | 4.50 |
| KYC EDD (Onboarding) | 120 | 120 | 2.00 |
| Periodic Review (Standard) | ~1,000 | 30 | 4.12 |
| Periodic Review (EDD) | ~50 | 120 | 0.87 |
| Sanctions Hits | 1,500 | 5 | 1.04 |
| Production Subtotal | | | ≈ 20.0 |

Add QA (10–15% of production ≈ 2–3 FTE), BSA Officer & Deputy (2), and Reporting/MIS (1). Total starting team ≈ 25–26 FTE for this scenario. Scale down or up using your actual volumes and times.


Team Shapes by Asset Size & Risk

| Bank Profile | Low–Moderate Risk | Moderate–High Risk |
|---|---|---|
| < $1B Assets | 1 BSAO, 1 Lead, 2–3 L1, 1–2 L2, 2 KYC, 0–1 Sanctions, 1 QA/Reporting (shared) | 1 BSAO, 1 Deputy, 3–4 L1, 2–3 L2, 3–4 KYC (incl. EDD), 1 Sanctions, 1 QA, 1 Reporting |
| $1–5B Assets | 1 BSAO, 1 Deputy, 4–6 L1, 2–3 L2, 5–6 KYC, 1 Sanctions, 1–2 QA, 1 Reporting | 1 BSAO, 1 Deputy, 6–8 L1, 3–4 L2, 7–9 KYC (incl. EDD), 1–2 Sanctions, 2 QA, 1–2 Reporting |
| $5–10B Assets | Dedicated leads per tower, small QA team, 1–2 MIS | Formal hubs/spokes, model oversight liaison, expanded QA/testing |

Use as starting points; validate against actual alerting, onboarding, and review demand.


SLAs & KPIs That Keep You Exam-Ready

  • Alert Timeliness: ≥80% cleared < 24 hours; no alert > 2 business days without touch.
  • Case Aging: Investigations completed within defined typology targets (e.g., 3–7 business days).
  • SAR Timeliness & Quality: Filed within regulatory timeframes; narrative quality error rate < 5% on QA sample.
  • KYC TAT: Retail/SBO onboarding completed same-day (standard); EDD within 2–3 days.
  • Periodic Review Currency: >95% in-cycle.
  • QA Pass Rate: >95% for standard work; trend corrective actions to closure.
  • Backlog Health: < 5 days of work on hand per tower; visible daily.
  • Training: 100% mandatory completion; error reduction post-training.

90-Day Stand-Up Plan

Days 0–30: Foundations

  • Approve program charter, policy, procedures, and tower-level SOPs.
  • Baseline risk assessment: products, geographies, customer types, channels.
  • Instrument core metrics & dashboards (alerts, aging, SLA, QA, SAR timeliness).
  • Hire BSAO/Deputy and 40–50% of production roles; define training & QA checklists.

Days 31–60: Stabilize & Tune

  • Finish hiring for L1/L2/KYC; stand up QA and Reporting.
  • Refine queues, work assignment rules, and escalation thresholds.
  • Tune case templates and narrative templates; start playbooks by typology.

Days 61–90: Optimize

  • Calibrate handling times; adjust staffing using the FTE formula.
  • Introduce light automation (auto-closure rules, duplicate suppression, templates).
  • Run a mock exam: end-to-end sample trace, findings log, and remediation plan.

Interview & Evaluation Rubrics

| Role | What to Test | Evidence of Proficiency |
|---|---|---|
| L1 Alert Analyst | Decision discipline, documentation, escalation judgment | Clear yes/no with rationale on sample alerts; consistent use of SOP |
| L2 Investigator | Narrative quality, typology knowledge, data gathering | Concise SAR narrative draft; links activity to suspicion logically |
| KYC/EDD Analyst | Beneficial ownership analysis, risk scoring | Accurate BO identification; clear EDD triggers and outcomes |
| Sanctions Analyst | Fuzzy match adjudication, escalation criteria | Consistent hit/no-hit logic on test set; minimal false clears |
| QA Analyst | Error taxonomy, coaching feedback | Root-cause clarity; actionable feedback phrased professionally |

QA Program: Sample Checklist

  • Sampling: 10% standard work; 100% for new hires first 2 weeks.
  • Scoring: policy adherence, data sufficiency, narrative strength, SLA hit/miss.
  • Feedback loop: daily huddles; weekly error themes; monthly refresher training.
  • Independent retesting of corrected items for closure validation.

Technology: Buy Only What You Will Use

  • Minimum viable stack: Case management, transaction monitoring rules, name screening, document capture, basic dashboarding.
  • Data hygiene: Standardize customer/master data early; it reduces false positives and handling time.
  • Automation later: Template narratives, auto-close low-risk alerts, basic entity resolution; scale advanced analytics as volumes justify.

Partners & Flexible Capacity

Use a hub-and-spoke approach: keep leadership, QA, sanctions decisions, and high-risk investigations in-house; flex partners for volume spikes (L1, standard KYC, periodic reviews) and scarce skills (EDD surges, model validation liaison). Contract-to-hire is useful to de-risk fit and ramp quickly.


Budgeting the Team (Guideline Mix)

  • Production Towers (L1/L2/KYC/Sanctions): 60–70%
  • Leadership & Governance: 8–12%
  • QA & Training: 8–12%
  • Reporting/MIS & Analytics: 5–8%
  • Contingency/Peaks/Partners: 5–10%

Trigger Points to Add Headcount

  • Backlog > 5 days of work on hand for two consecutive weeks.
  • SLA misses > 10% for two consecutive months.
  • QA critical error rate > 5% or rising trend quarter-over-quarter.
  • Model or channel changes that increase alerts by > 20%.

One-Page Kickoff Checklist

  • Document policy, procedures, role charters, and SLAs.
  • Instrument dashboards (alerts, aging, SAR timeliness, KYC TAT, QA pass rate).
  • Hire the spine (BSAO/Deputy, 2 L1, 1 L2, 2 KYC, 1 QA/Reporting); expand to calculated FTEs.
  • Launch training & certification plan with shadowing and weekly calibration.
  • Run a Day-30 and Day-60 calibration on handling times and volumes; adjust staffing.
  • Schedule quarterly mock exams and model/controls reviews.

Closing Thought

Small banks can meet “big bank” expectations by staffing to actual demand, enforcing crisp SLAs, and building a coaching-first culture. Start lean, measure relentlessly, and scale capacity exactly where the work proves you need it.
