Compliance Documentation Gap Report

Prepared for PCI-DSS v3.2.1 Policy Template | April 02, 2026 | Generated by FinCompliance

Compliance Documentation Score: 0/100
Errors (must fix): 25
Warnings (should fix): 10
Suggestions: 8

Detailed Findings

[ERROR] DocumentMetadata: Missing required metadata: 'Effective Date'. All compliance documents must include an effective date.
[ERROR] DocumentMetadata: Missing required metadata: 'Last Reviewed'. Examiners check that policies are reviewed regularly.
[ERROR] DocumentMetadata: Missing required metadata: 'Next Review Date'. Demonstrates commitment to ongoing review.
[ERROR] DocumentMetadata: Missing required metadata: 'Approved By'. Documents must show who authorized the policy.
[ERROR] DocumentStructure: Document missing top-level heading (# Title).
[WARNING] DocumentStructure: Document has no section headings. Compliance documents need clear section organization.
[ERROR] BSA_FivePillars: BSA/AML policy is missing required pillar: 'Internal Controls'. (FFIEC BSA/AML Manual, Core Overview)
[ERROR] BSA_FivePillars: BSA/AML policy is missing required pillar: 'Independent Testing'. (FFIEC BSA/AML Manual, Core Overview)
[ERROR] BSA_FivePillars: BSA/AML policy is missing required pillar: 'Designated BSA Compliance Officer'. (FFIEC BSA/AML Manual, Core Overview)
[ERROR] BSA_FivePillars: BSA/AML policy is missing required pillar: 'Customer Due Diligence'. (FFIEC BSA/AML Manual, Core Overview)
[WARNING] BSA_SARRequirements: SAR section may be missing: 'SAR filing threshold'. (31 CFR 1020.320)
[WARNING] BSA_SARRequirements: SAR section may be missing: 'FinCEN filing'. (31 CFR 1020.320)
[WARNING] BSA_CTRRequirements: CTR section may be missing: '$10,000 threshold'. (31 CFR 1010.310)
[WARNING] BSA_CTRRequirements: CTR section may be missing: 'Aggregation rules'. (31 CFR 1010.310)
[WARNING] BSA_CTRRequirements: CTR section may be missing: 'Structuring monitoring'. (31 CFR 1010.310)
[WARNING] BSA_CIPRequirements: CIP section may be missing: 'Government list screening'. (31 CFR 1020.220)
[WARNING] BSA_CIPRequirements: CIP section may be missing: 'Customer notice'. (31 CFR 1020.220)
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] PCI_PasswordRequirements: PCI password concern: 'Passwords must be at least 7'. A 7-character minimum is the retired PCI DSS v3.2.1 Requirement 8.2.3; PCI DSS v4.0.1 Requirement 8.3.6 requires a minimum of 12 characters (8 only where a system cannot support 12), and Requirement 8.4.2 requires MFA for all access into the CDE.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be reviewed'. Assign clear responsibility with active voice (who does what).
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[WARNING] UnquantifiedFrequency: Unquantified frequency: 'regular basis'. Specify exact cadence (daily/weekly/monthly/quarterly/annually).
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be reviewed'. Assign clear responsibility with active voice (who does what).
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[WARNING] ProhibitedTerms: Use 'at least [quarterly/monthly/annually]' instead of 'periodically' for regulatory precision.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be conducted'. Assign clear responsibility with active voice (who does what).
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be reviewed'. Assign clear responsibility with active voice (who does what).
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[ERROR] StaleRegulatoryReferences: Outdated regulatory reference: 'PCI DSS v3.2'. This standard has been superseded. Update to current version.
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be conducted'. Assign clear responsibility with active voice (who does what).
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be conducted'. Assign clear responsibility with active voice (who does what).
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be conducted'. Assign clear responsibility with active voice (who does what).
[SUGGESTION] PassiveVoicePolicy: Passive voice detected: 'must be reviewed'. Assign clear responsibility with active voice (who does what).
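The rule families in the findings above (document metadata, top-level heading, stale regulatory references, PCI password length, unquantified frequency, passive voice) are all things a small text linter can reproduce. The block below is an added illustration, not the FinCompliance/comply project's own code: the rule names are borrowed from the findings, but the regular expressions, severity weights and scoring formula are assumptions, and the policy excerpt it runs on is constructed for the example.

```python
"""Minimal policy linter reproducing a few rule families from the gap report.

Added illustration, not FinCompliance/comply code. Patterns, severity weights
and the scoring formula are assumptions modelled on the findings above.
"""
import re
from dataclasses import dataclass

SEVERITY_WEIGHT = {"ERROR": 4, "WARNING": 2, "SUGGESTION": 1}  # assumed weights

REQUIRED_METADATA = ("Effective Date", "Last Reviewed", "Next Review Date", "Approved By")
# PCI DSS v3.2.1 was retired on 31 March 2024; v4.0.1 is the current version.
STALE_REFERENCES = {
    r"PCI[\s-]?DSS\s+v?3\.2(\.1)?": "PCI DSS v3.2.1 is retired; cite PCI DSS v4.0.1.",
}
VAGUE_FREQUENCY = re.compile(r"\b(regular basis|periodically|from time to time|as needed)\b", re.I)
PASSIVE_MUST = re.compile(r"\bmust be (\w+ed)\b", re.I)   # 'must be reviewed' with no actor
PASSWORD_LEN = re.compile(r"passwords? must be at least (\d+)", re.I)
PCI_MIN_PASSWORD_LEN = 12  # PCI DSS v4.0.1 Req 8.3.6 (8 only where 12 is unsupported)


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    line: int      # 0 for document-level findings
    message: str


def lint_policy(text: str) -> list[Finding]:
    findings: list[Finding] = []
    # Document-level checks: metadata header and a markdown top-level heading.
    for key in REQUIRED_METADATA:
        if not re.search(rf"^{re.escape(key)}\s*:", text, re.M | re.I):
            findings.append(Finding("ERROR", "DocumentMetadata", 0,
                                    f"Missing required metadata: '{key}'."))
    if not re.search(r"^# \S", text, re.M):
        findings.append(Finding("ERROR", "DocumentStructure", 0,
                                "Document missing top-level heading (# Title)."))
    # Line-level checks, reported with the 1-based line they fired on.
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, advice in STALE_REFERENCES.items():
            if re.search(pattern, line, re.I):
                findings.append(Finding("ERROR", "StaleRegulatoryReferences", n,
                                        f"Outdated regulatory reference. {advice}"))
        m = PASSWORD_LEN.search(line)
        if m and int(m.group(1)) < PCI_MIN_PASSWORD_LEN:
            findings.append(Finding("ERROR", "PCI_PasswordRequirements", n,
                                    f"Minimum length {m.group(1)} is below PCI DSS v4.0.1 "
                                    f"Req 8.3.6 ({PCI_MIN_PASSWORD_LEN} characters)."))
        m = VAGUE_FREQUENCY.search(line)
        if m:
            findings.append(Finding("WARNING", "UnquantifiedFrequency", n,
                                    f"Unquantified frequency: '{m.group(0)}'. Specify an exact cadence."))
        m = PASSIVE_MUST.search(line)
        if m:
            findings.append(Finding("SUGGESTION", "PassiveVoicePolicy", n,
                                    f"Passive voice: '{m.group(0)}'. Name the responsible role."))
    return findings


def summarize(findings: list[Finding]) -> dict:
    counts = {"ERROR": 0, "WARNING": 0, "SUGGESTION": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def score(findings: list[Finding]) -> int:
    """Assumed scoring: start at 100 and subtract a weight per finding, floor at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHT[f.severity] for f in findings))


# Constructed policy excerpt with known defects (not a real document).
SAMPLE_POLICY = """Effective Date: 2026-01-01
Approved By: Board of Directors
Information Security Policy
1. Passwords must be at least 7 characters, per PCI DSS v3.2.1 Requirement 8.2.3.
2. Access logs must be reviewed on a regular basis.
3. The CISO reviews firewall rules at least quarterly, per PCI DSS v4.0.1 Requirement 1.2.7.
"""

if __name__ == "__main__":
    fs = lint_policy(SAMPLE_POLICY)
    for f in sorted(fs, key=lambda f: (f.line, f.severity)):
        print(f"[{f.severity}] {f.rule} (line {f.line}): {f.message}")
    print(summarize(fs), "score:", score(fs))
```

On the constructed excerpt, lines 4 and 5 trip four of the six rules, while line 6 passes every check because it names an actor, gives a cadence, and cites the current standard. A production linter needs more care than these patterns show: the passive-voice regex fires on any "must be ...ed" and the frequency list is far from complete, so treat the rule set as the shape of the checks rather than a finished ruleset.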

What These Findings Mean

Each error represents a gap that examiners (NCUA or OCC for the institution, or a PCI QSA for policies covering the cardholder data environment) are likely to cite as a finding during your next examination. Errors include missing required policy elements, prohibited language suggesting incomplete compliance, and structural issues that prevent examiner review.

Warnings are issues that weaken your documentation but may not result in a formal finding. These include vague language, unspecified timeframes, and unassigned responsibilities that make policies harder to enforce and audit. Suggestions are wording changes, such as rewriting 'must be reviewed' as 'the Compliance Officer reviews', that make a control testable by naming who performs it.

Recommended Next Steps

  1. Address all errors before your next examination cycle. The 15 stale 'PCI DSS v3.2' references and the 7-character password minimum come from the same superseded standard, so update the template to PCI DSS v4.0.1 in a single pass.
  2. Review warnings with your compliance officer or committee
  3. Consider a full documentation suite review across all compliance policies

Want a full compliance documentation audit?

FinCompliance checks your entire policy suite against BSA/AML, SOX, PCI-DSS, GLBA, and NCUA requirements. Get a complete gap analysis with specific remediation steps.

Contact: bipinrimal314@gmail.com | github.com/BipinRimal314/comply