Replay of a real run — captured 10 Jul 2026
Marginalia
Regulatory Change Parser
Every step below is a real trace event from the signed run ledger.
sc-marginalia
Transcript
I'll kick off both fetches in parallel — the regulation section and the control inventory are independent.
I have the regulatory text and the full control inventory. Now I'll work through the text systematically — extracting every atomic obligation, scoping each one, and mapping to controls — before recording the assessment.
Parsing § 1020.320 → 10 discrete obligations:
| # | Obligation | Citation |
|---|---|---|
| OBL-01 | Detect suspicious transactions ≥$5,000 meeting the three enumerated triggers | (a)(1)-(2) |
| OBL-02 | File a SAR with FinCEN using the prescribed form | (a)(1), (b)(1), (b)(2) |
| OBL-03 | File within 30 calendar days of initial detection | (b)(3) |
| OBL-04 | When no suspect identified at detection, may extend up to 60 days total; never exceed 60 days | (b)(3) |
| OBL-05 | Immediately notify law enforcement by telephone for urgent violations (e.g., ongoing ML), in addition to SAR | (b)(3) |
| OBL-06 | Collect and maintain supporting documentation for every SAR | (b)(1), (d) |
| OBL-07 | Retain SAR copy + supporting documentation for 5 years from filing date | (d) |
| OBL-08 | Make SAR records available to FinCEN/law enforcement/regulators upon request | (d) |
| OBL-09 | Keep SARs and their existence strictly confidential; prohibit disclosure by all bank personnel | (e)(1)(i) |
| OBL-10 | Decline any subpoena/request to produce SAR, cite statute, and notify FinCEN of request and response | (e)(1)(i) |
Control scope check: CTRL-CIP-03 covers CIP identity record retention (5 years after account closure) — its scope does NOT reach SAR record retention, which has a different trigger (filing date) and purpose. These will not be cross-credited.
The decision brief
Assessment Recorded — 31 CFR § 1020.320
The assessment has been committed. Here is the executive summary for your compliance file.
Obligation Inventory (10 obligations)
| ID | Obligation | Citation | Coverage |
|---|---|---|---|
| OBL-01 | Detect suspicious transactions ≥ $5,000 meeting enumerated triggers | (a)(1)–(2) | Covered |
| OBL-02 | File SAR with FinCEN on prescribed form | (a)(1), (b)(1)–(2) | Covered |
| OBL-03 | File within 30 calendar days of initial detection | (b)(3) | Partial |
| OBL-04 | Extend to 60-day maximum if no suspect identified; never exceed 60 days | (b)(3) | Partial |
| OBL-05 | Immediate telephone notification to law enforcement for urgent violations | (b)(3) | Gap |
| OBL-06 | Collect and label supporting documentation for every SAR | (b)(1), (d) | Partial |
| OBL-07 | Retain SAR copies + supporting docs for 5 years from filing date | (d) | Gap |
| OBL-08 | Produce SAR records to FinCEN/law enforcement/regulators upon request | (d) | Gap |
| OBL-09 | SAR confidentiality — prohibition on disclosure by all bank personnel | (e)(1)(i) | Gap |
| OBL-10 | Decline subpoenas for SARs; cite statute; notify FinCEN | (e)(1)(i) | Gap |
Control Mapping Summary
| Control | OBLs Addressed | Max Coverage |
|---|---|---|
| CTRL-SAR-01 Suspicious Activity Monitoring & Reporting | OBL-01, 02, 03, 04, 06 | Partial on 03, 04, 06 |
| CTRL-AML-01 AML Program & BSA Officer | OBL-01 | Covered (supporting) |
| CTRL-CIP-03 / CTRL-CTR-01 / CTRL-CIP-01 / CTRL-CIP-02 | — | Out of scope — not credited |
Gaps & Remediation Actions (7 actions)
| # | Action | Owner | Priority |
|---|---|---|---|
| ACTION-1 | Enhance CTRL-SAR-01 to explicitly codify 30-day deadline (OBL-03) | BSA Officer | alert HIGH |
| ACTION-2 | Enhance CTRL-SAR-01 to document 60-day cap + suspect-extension protocol (OBL-04) | BSA Officer | alert HIGH |
| ACTION-3 | Enhance CTRL-SAR-01 to require explicit collection & labeling of supporting docs (OBL-06) | BSA Officer | alert HIGH |
| ACTION-4 | New control — SAR Record Retention (5 yrs from filing; distinct from CIP retention) (OBL-07) | Records Mgmt | alert HIGH |
| ACTION-5 | New control — SAR Records Access & Production to authorities on request (OBL-08) | BSA Officer / Compliance | alert HIGH |
| ACTION-6 | New control — SAR Confidentiality & Tipping-Off Prohibition + staff training (OBL-09) | BSA Officer / Legal | alert HIGH |
| ACTION-7 | New control — Urgent telephonic law enforcement notification procedure (OBL-05) | Financial Crime | caution MEDIUM |
| ACTION-8 | New control — SAR subpoena-decline playbook + FinCEN notification log (OBL-10) | Legal / BSA Officer | caution MEDIUM |
Key Auditor Notes
- Scope is confirmed — § 1020.320 is in Part 1020, which governs banks specifically. All 10 obligations apply to the bank.
- CTRL-CIP-03 was expressly not credited for OBL-07. CIP record retention (5 years after account closure) and SAR record retention (5 years from filing date) are different obligations with different clocks, triggers, and record types.
- CTRL-SAR-01's "regulatory timelines" language is the primary risk surface following this clarification — it must be updated to enumerate the 30/60-day rules explicitly before the bank can assert demonstrable procedural compliance.
- The five pure gaps (OBL-05, 07, 08, 09, 10) represent structural control absences, not documentation gaps in existing controls. New controls need to be designed, approved, and operationalized.