Two strikes and you’re out, say four federal agencies to repeat violators of Bank Secrecy Act/anti-money laundering (BSA/AML) compliance requirements.

The four agencies—the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC)—issued guidance Thursday outlining when they would issue cease-and-desist orders against supervised financial institutions deemed to be in noncompliance with BSA/AML rules.

Each supervised financial institution must “establish and maintain procedures reasonably designed to assure and monitor the institution’s compliance with the requirements” of the BSA, and its compliance with the law is subject to review by federal regulators. If an institution fails to maintain a BSA/AML compliance program, or fails to address deficiencies, regulators can issue a cease-and-desist order.

According to the law, each compliance program must have a system of internal controls to assure ongoing compliance; allow for independent testing of its BSA/AML compliance; an individual or individuals who are responsible for coordinating and monitoring BSA/AML compliance; and provide training for appropriate personnel.

Here’s where the two strikes policy comes in, the regulators said.

Should regulators issue a written report on an issue or issues of noncompliance to the financial institution’s board of directors—which would be the first strike—the institution should show substantial progress toward addressing the issue or issues by the next examination. If the issue or issues are not addressed to the satisfaction of regulators—the second strike—the agencies will issue a cease-and-desist order against that institution.

The agencies listed several types of noncompliance that would warrant a cease-and-desist order, including failing to maintain an adequate BSA/AML compliance program; or failure to correct a previously reported problem with the BSA/AML program, like failing to designate a qualified BSA compliance officer.

Issues that would not merit a cease-and-desist order would be if the compliance program’s policies were simply out-of-date, or if the compliance officer appointed needed more training. There would also be some leeway granted if a problem is taking more time than anticipated to correct, as long as regulators determine the institution has made substantial progress toward addressing the deficiency.

“Isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action,” the agencies said in an accompanying press release.