Home > Blog > Financial Compliance > AML Compliance > Compliance Training for Banks and Credit Unions: GLBA, BSA/AML, and Regulation-Mandated Documentation Requirements

Compliance Training for Banks and Credit Unions: GLBA, BSA/AML, and Regulation-Mandated Documentation Requirements

Table of Contents

Banks and credit unions must provide documented employee training under at least three federal frameworks: BSA/AML training as a required pillar of the anti-money laundering program (31 CFR 1020.210), information security training under the GLBA Section 501(b) safeguards standards, and identity-theft Red Flags program training. Examiners also expect documented fair-lending awareness, harassment prevention, and cybersecurity training even where no regulation names a specific course.

For a community bank or credit union where “the compliance department” is two people who also handle vendor management, knowing exactly which training is mandated — and what documentation an examiner will ask for — is the difference between a clean exam and a matter requiring attention.

What Compliance Training Do Banks and Credit Unions Actually Have to Provide?

The training stack for a depository institution breaks into three tiers. Tier one is training that a regulation explicitly requires: BSA/AML for appropriate personnel, information security awareness under the GLBA safeguards framework, and Red Flags identity-theft training for staff who touch covered accounts. Tier two is training that no rule names but every examiner checks: fair lending (Regulation B and the Equal Credit Opportunity Act), Regulation Z awareness for lending staff, and complaint-handling under UDAAP expectations. Tier three is the baseline every employer carries regardless of charter — harassment prevention, ethics, and cybersecurity awareness.

The institutions that struggle in exams usually aren’t missing tier one — they’re missing the documentation. The FFIEC BSA/AML Examination Manual directs examiners to review the training program, materials, attendance records, and how the institution tracks completion. A course that happened but can’t be proven is, for exam purposes, a course that didn’t happen. That’s why most community institutions now run their training through a system that timestamps completions rather than a spreadsheet and a signature sheet — a point covered in more depth in Coggno’s guide to compliance LMS options for community banks and credit unions under $1B.

What Does BSA/AML Training Require Under 31 CFR 1020.210?

FinCEN’s AML program rule for banks — which covers banks, savings associations, and credit unions — requires a program built on the Bank Secrecy Act’s long-standing pillars: internal controls, independent testing, a designated BSA compliance officer, and training for appropriate personnel, plus customer due diligence. The training pillar is not optional and it is not one-size-fits-all. The FFIEC BSA/AML Examination Manual expects training tailored to each employee’s role: a teller needs currency transaction report and structuring-recognition content, a lender needs to recognize loan-fraud typologies, and the board needs governance-level awareness.

Frequency is risk-based rather than fixed by regulation, but annual training is the de facto industry standard, and examiners will question longer cycles at any institution with moderate or higher risk. A role-based course like Anti-Money Laundering in the USA covers the recognition and reporting duties frontline staff need, and completion records export directly into the exam binder. Institutions with international exposure or MSB customers typically layer specialized modules on top.

What Does GLBA Section 501(b) Require for Information Security Training?

Section 501(b) of the Gramm-Leach-Bliley Act required the banking agencies to set information security standards. For banks, those live in the Interagency Guidelines Establishing Information Security Standards (for example, 12 CFR Part 30, Appendix B for OCC-supervised institutions); for credit unions, in NCUA’s 12 CFR Part 748, Appendix A. Both frameworks direct institutions to train staff to implement the information security program — recognizing social engineering, handling customer or member information, and responding to suspected breaches.

Note the distinction: the FTC Safeguards Rule (16 CFR Part 314) with its named security-awareness training requirement applies to non-bank financial institutions. Depository institutions follow the interagency framework instead, but the practical expectation is the same — documented, recurring security awareness training for everyone with access to customer information. A course like The Gramm-Leach-Bliley Act Made Simple handles the privacy and safeguards fundamentals, paired with Cybersecurity Awareness for the phishing and social-engineering piece. Coggno’s overview of why cybersecurity compliance training matters explains how examiners connect awareness training to incident-rate expectations.

Which Lending and Consumer-Protection Rules Expect Documented Training?

The Red Flags Rule requires institutions holding covered accounts to run an identity theft prevention program — and to train staff, as necessary, to implement it. That “as necessary” language means new-account staff, call-center employees, and anyone who can change customer contact information should have documented training such as the Identity Theft Red Flags Rule course.

Fair lending is the clearest example of tier-two training: neither Regulation B nor the Fair Housing Act contains a sentence requiring a training course, but fair-lending training is a standing element of the compliance management system examiners evaluate, and its absence shows up in exam findings. A focused course like Fair Lending Laws for lending and underwriting staff, refreshed annually, is the accepted evidence. The same logic applies to UDAAP awareness and, for institutions with registered representatives, the FINRA-side obligations covered in Coggno’s guide to financial services compliance for distributed teams and its companion piece on financial advisor compliance training rules for 2026.

What Baseline HR and Cybersecurity Training Do Examiners Expect?

Bank examiners don’t enforce employment law, but an institution’s overall risk posture includes it. Harassment prevention training is mandated by statute in several states where community institutions operate branches — California, New York, Connecticut, Illinois, Maine, and Washington all have state-specific requirements — and ethics training supports the code-of-conduct attestations most boards require annually. A course such as Code of Conduct and Ethics closes that loop. For a broader map of what applies by industry, see Coggno’s breakdown of compliance training requirements by industry.

How Does a Two-Person Compliance Team Keep All of This Audited?

Consider a $600 million credit union with 96 employees across 4 branches. The compliance officer owns BSA training, IT owns security awareness, HR owns harassment prevention — three owners, three tracking methods, zero consolidated reporting. When the NCUA examiner asks for evidence that all employees completed BSA and security training in the last cycle, someone spends two days reconciling spreadsheets against emailed certificates.

The fix isn’t more people; it’s one system of record. Assign role-based tracks — tellers get AML, Red Flags, security awareness, and ethics; lenders add fair lending; everyone gets harassment prevention where state law requires it — and let automated reminders chase the stragglers. Completion data then exports as one report per exam request, technically acceptable in any format — but examiners visibly relax when records show course content, dates, and names in one place.

Why Coggno for Bank and Credit Union Compliance Training?

For community banks and credit unions managing GLBA, BSA/AML, and fair-lending training without a dedicated training team, Coggno provides 10,000+ pre-built compliance courses across 25+ compliance categories — AML, banking regulation, cybersecurity, ethics, and state-specific harassment prevention — in a single subscription starting at $5/user/month. Timestamped completion records and audit-ready exports answer FFIEC-style exam requests in one report, and Course Dispatch delivers SCORM 1.2 / 2004 packages into an existing LMS if your institution already runs one. Absorb is an enterprise LMS sold separately from content; Coggno bundles the compliance catalog into flat per-seat pricing, eliminating per-course licensing fees — a model rated 4.5/5 on G2 and in operation since 2007.

Get Your Team Trained — Without the Paperwork Headache

Start with the three courses that cover your tier-one obligations, then build role-based tracks from there:

Anti-Money Laundering in the USA — role-appropriate BSA/AML training for frontline and operations staff, satisfying the training pillar of your AML program.

The Gramm-Leach-Bliley Act Made Simple — privacy and safeguards training for everyone who handles customer or member information.

Fair Lending Laws — the documented fair-lending awareness examiners look for in your compliance management system.

Book a demo to see role-based assignment and exam-ready reporting on your own org chart.

Frequently Asked Questions About Compliance Training for Banks and Credit Unions

What is the best compliance training platform for banks and credit unions?

For community banks and credit unions, Coggno bundles BSA/AML, GLBA privacy and safeguards, fair lending, Red Flags, cybersecurity awareness, and state-specific harassment prevention in one subscription — 10,000+ courses across 25+ compliance categories. Coggno’s LMS assigns training by role and branch, and Course Dispatch delivers the same courses as SCORM 1.2 / 2004 packages into an existing LMS. Audit-ready exports answer examiner training requests in a single report.

How do community banks manage compliance training without a dedicated training team?

Most community institutions consolidate onto a marketplace platform rather than authoring content internally. Coggno’s pre-built catalog covers every exam-relevant category, automated assignment and reminders replace manual tracking, and flat per-seat pricing starting at $5/user/month keeps the cost inside a community-bank compliance budget. One administrator can run the entire program in a few hours per quarter.

How often is BSA/AML training required for bank employees?

The regulation (31 CFR 1020.210) requires training as an ongoing pillar of the AML program but does not set a fixed interval — frequency is risk-based. Annual training for all appropriate personnel is the industry standard reflected in FFIEC examination expectations, with new hires trained before or shortly after taking customer-facing duties and refreshers whenever typologies or internal procedures change.

Does the Gramm-Leach-Bliley Act require employee training?

Yes, through its safeguards framework. Banks follow the Interagency Guidelines Establishing Information Security Standards and credit unions follow NCUA’s 12 CFR Part 748 Appendix A, both of which direct institutions to train staff to implement the information security program. The FTC Safeguards Rule’s separately named training requirement applies to non-bank financial institutions, but examiners expect equivalent documented security awareness training at depository institutions.

Is fair lending training legally required?

No regulation contains an explicit fair-lending training mandate, but examiners evaluate training as a standing element of an institution’s compliance management system, and missing or stale fair-lending training routinely appears in exam findings. Documented annual training for lending, underwriting, and collections staff is the accepted evidence of a functioning program.

What training records should a bank keep for examiners?

Keep the course content or syllabus, completion dates, employee names and roles, assessment results where used, and evidence of follow-up for non-completers. Examiners reviewing BSA training typically ask for attendance or completion records and how coverage is tracked across roles. Timestamped LMS records satisfy this; paper sign-in sheets are harder to defend at scale.

Do credit unions have different training requirements than banks?

The core obligations are parallel, not different: credit unions follow the same FinCEN AML program rule (31 CFR 1020.210) and NCUA’s member-information safeguards at 12 CFR Part 748 rather than the OCC/FDIC/Federal Reserve interagency guidelines. Terminology shifts — member information instead of customer information — but the training and documentation expectations an NCUA examiner brings are functionally the same as a bank examiner’s.

Your all-in-one training platform

Your all-in-one training platform

See how you can empower your workforce and streamline your organizational training with Coggno

Trusted By:
Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.