Why AML Compliance Matters More in 2026
The regulatory landscape has tightened significantly. The Anti-Money Laundering Act of 2020 (AMLA) — the most sweeping reform to the Bank Secrecy Act since the Patriot Act — is now fully in effect, with FinCEN actively implementing its new rules. The Act expanded the definition of "financial institution," increased civil money penalties, created new whistleblower incentives, and mandated information sharing between institutions and regulators.
Simultaneously, FATF's updated Recommendations and the EU's 6th Anti-Money Laundering Directive (6AMLD) have raised the bar internationally. For institutions operating cross-border, compliance now requires alignment with multiple overlapping frameworks simultaneously.
Three trends define enforcement in 2026:
2026 Enforcement Trends
1. Transaction monitoring failures are the #1 citation. FinCEN continues to cite inadequate transaction monitoring systems in the majority of formal enforcement actions — not just for missing alerts, but for failure to investigate and close flagged alerts promptly.
2. Beneficial ownership gaps draw individual liability. Following the Corporate Transparency Act, regulators are now specifically examining whether institutions verify the beneficial ownership data customers self-certify. Discrepancies between BO certifications and third-party data are a red flag.
3. SAR quality, not just quantity, is under review. Examiners are no longer satisfied by high SAR filing volume. They want SARs that are timely, complete, and actionable — with clear narratives describing the suspicious activity, not boilerplate language.
The Complete AML Compliance Checklist
An effective AML program must cover all five pillars required by FinCEN's BSA framework. Below is the complete operational checklist compliance teams should run through at least annually — and as new business activities arise.
01. Written AML Policies, Procedures & Controls
Document your AML program in writing. Policies must cover customer acceptance, risk rating methodology, transaction monitoring thresholds, SAR decision criteria, and escalation paths. Procedures must be specific enough for a new employee to follow without interpretation. Review and update annually or after material business changes.
02. Customer Due Diligence (CDD) Program
Verify the identity of every customer at onboarding: name, address, date of birth, and government-issued ID for individuals; legal name, principal place of business, EIN/TIN, and ownership structure for legal entities. Assign a risk rating to each customer based on their profile, industry, and transaction behavior. Document the basis for the risk rating. See our Enhanced Due Diligence guide for high-risk customer protocols.
03. Beneficial Ownership Identification
For legal entity customers, collect beneficial ownership certifications identifying every individual who owns 25% or more of the entity, plus one controlling person. Verify this information against third-party data sources — don't rely solely on customer self-certification. Cross-check against the FinCEN Beneficial Ownership Secure System (BOSS) where accessible. Review our FinCEN Beneficial Ownership Rule 2026 guide for current requirements.
04. Enhanced Due Diligence (EDD) for High-Risk Customers
Apply heightened scrutiny to customers who are Politically Exposed Persons (PEPs), located in high-risk jurisdictions (FATF blacklist/greylist countries, OFAC-sanctioned jurisdictions), operate in high-risk industries (cannabis, virtual assets, money services), or have complex ownership structures. EDD requires source of wealth documentation, more frequent relationship reviews, and senior management sign-off.
05. Sanctions Screening
Screen all customers, beneficial owners, and counterparties against OFAC's SDN List, the EU Consolidated Sanctions List, UN Security Council Sanctions, and relevant domestic lists at onboarding and on an ongoing basis. Sanctions lists update daily — batch screening weekly is insufficient for high-volume institutions. Implement real-time screening for wire transfers and payments. False positive management must be documented: the decision rationale for every cleared match must be recorded and retained.
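The screening and false-positive-management step above is easiest to see in code. The following is an added example, not Veridact's code or the page's own: it normalizes names (case, diacritics, punctuation, word order), scores each subject against a constructed, fictional watchlist with a similarity threshold, and refuses to clear a potential match unless the analyst supplies a written rationale, returning the record that would be retained. The list entries, the `0.85` threshold and the `EXAMPLE-LIST` identifiers are all assumptions; a real deployment consumes the published OFAC/EU/UN list feeds and calibrates the threshold against known true and false positives.

```python
import re
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed tuning value (assumption), not a regulatory figure: calibrate it
# against a labelled set of past true and false positives.
MATCH_THRESHOLD = 0.85

# Constructed, fictional entries standing in for a sanctions list feed.
WATCHLIST = [
    {"list": "EXAMPLE-LIST", "entry_id": "EX-0001", "name": "IVAN PETROV"},
    {"list": "EXAMPLE-LIST", "entry_id": "EX-0002", "name": "MARIA SAMPLE"},
]


def normalize_name(name):
    """Case-fold, strip diacritics and punctuation, and sort the tokens so that
    'Petrov, Ivan' and 'Iván Petrov' compare equal to 'IVAN PETROV'."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = re.sub(r"[^a-z0-9 ]+", " ", s.casefold())
    return " ".join(sorted(s.split()))


def screen(subject_name, watchlist=WATCHLIST, threshold=MATCH_THRESHOLD):
    """Return potential matches at or above the threshold, best score first.
    Every hit is a *potential* match that an analyst must disposition."""
    subj = normalize_name(subject_name)
    hits = []
    for entry in watchlist:
        score = SequenceMatcher(None, subj, normalize_name(entry["name"])).ratio()
        if score >= threshold:
            hits.append({
                "subject": subject_name,
                "list": entry["list"],
                "entry_id": entry["entry_id"],
                "listed_name": entry["name"],
                "score": round(score, 3),
            })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def record_decision(hit, analyst, decision, rationale):
    """Disposition a potential match. Clearing it declares a false positive and
    is only accepted with a documented rationale; the returned record, with its
    timestamp, is what gets retained for examiner review."""
    if decision not in ("cleared", "escalated"):
        raise ValueError("decision must be 'cleared' or 'escalated'")
    if decision == "cleared" and not rationale.strip():
        raise ValueError("a cleared match requires a documented rationale")
    return {
        **hit,
        "analyst": analyst,
        "decision": decision,
        "rationale": rationale.strip(),
        "decided_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for name in ("Petrov, Iván", "Ivan Petrow", "Ana Lopez"):
        print(name, "->", screen(name))
    hit = screen("Ivan Petrow")[0]
    print(record_decision(hit, "analyst-1", "cleared",
                          "Date of birth and nationality differ from listed entry"))
```

Because `record_decision` returns the retained record rather than merely logging it, the same structure can be written to the case-management system and later produced for an examiner; a screening result with no disposition record is a gap in exactly the evidence trail the checklist item asks for.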
06. PEP Detection and Monitoring
Identify Politically Exposed Persons — current and former senior government officials, their close family members, and known associates — at onboarding and on an ongoing basis. PEPs are not prohibited customers, but they require EDD and senior management approval. Maintain a clear definition of who qualifies as a PEP at your institution, including domestic vs. foreign PEPs and relative vs. associate classifications under your risk appetite.
07. Transaction Monitoring
Deploy a transaction monitoring system calibrated to your customer base and risk profile. Rules should detect structuring (transactions designed to evade the $10,000 CTR threshold), velocity anomalies, unusual counterparty patterns, and geography-based risk. All generated alerts must be investigated and documented within defined timeframes — typically 30 to 45 days. Tune your rules at least annually using backtesting data to reduce false positive rates without increasing false negatives.
08. Suspicious Activity Reports (SARs)
File a SAR with FinCEN within 30 calendar days of detecting suspicious activity (60 days if no suspect is identified). The SAR narrative must describe: who was involved, what happened, when and where it occurred, why the activity is suspicious, and how much money was involved. Document decisions not to file with the same rigor — the examiners will look at your declined filings. Maintain a 90-day continuing activity SAR review process.
09. Currency Transaction Reports (CTRs)
File a CTR for every cash transaction (or series of related transactions) exceeding $10,000 in a single business day. CTRs are required regardless of suspicion — this is a volume threshold, not a suspicion threshold. Maintain a CTR exempt customer list with proper documentation. Review exemptions at least annually. Note: structuring transactions to avoid the $10,000 threshold is itself a federal crime requiring a SAR, not a compliance strategy.
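The transaction-monitoring and CTR items above describe two related rules: aggregating cash per customer per business day against the $10,000 threshold, and detecting structuring, where several individually sub-threshold cash transactions add up past that threshold. The following is an added example, not the page's or any vendor's code. The `CTR_THRESHOLD` value comes from the checklist; the structuring parameters (`STRUCT_WINDOW`, `STRUCT_MIN_TXNS`, `STRUCT_NEAR_FRACTION`), the `CashTxn` record type and the sample transactions are constructed assumptions, and in practice those parameters would be set by backtesting as the checklist recommends.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The BSA cash reporting threshold from the checklist.
CTR_THRESHOLD = 10_000.00

# Constructed tuning parameters (assumptions), to be calibrated by backtesting.
STRUCT_WINDOW = timedelta(days=7)   # look-back window for related cash activity
STRUCT_MIN_TXNS = 3                 # minimum number of near-threshold transactions
STRUCT_NEAR_FRACTION = 0.70         # amounts in [0.70 * T, T) count as "just under"


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer_id: str
    ts: datetime
    amount: float   # cash in or out, always positive in this example


def ctr_candidates(txns):
    """Aggregate cash per customer per business day and return
    {(customer_id, 'YYYY-MM-DD'): total} for every day strictly above the
    threshold. This is a volume test: suspicion plays no part."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer_id, t.ts.date().isoformat())] += t.amount
    return {k: round(v, 2) for k, v in sorted(totals.items()) if v > CTR_THRESHOLD}


def structuring_alerts(txns):
    """Flag customers whose near-threshold cash transactions, none of which is
    individually reportable, sum above the threshold inside the window.
    One alert per customer; the analyst then reviews the full history."""
    near = defaultdict(list)
    for t in txns:
        if STRUCT_NEAR_FRACTION * CTR_THRESHOLD <= t.amount < CTR_THRESHOLD:
            near[t.customer_id].append(t)

    alerts = []
    for cust, items in sorted(near.items()):
        items.sort(key=lambda t: t.ts)
        for i, first in enumerate(items):
            window = [t for t in items[i:] if t.ts - first.ts <= STRUCT_WINDOW]
            total = round(sum(t.amount for t in window), 2)
            if len(window) >= STRUCT_MIN_TXNS and total > CTR_THRESHOLD:
                alerts.append({
                    "customer_id": cust,
                    "window_start": window[0].ts.date().isoformat(),
                    "window_end": window[-1].ts.date().isoformat(),
                    "txn_ids": [t.txn_id for t in window],
                    "total": total,
                    "rationale": (f"{len(window)} cash transactions each below "
                                  f"{CTR_THRESHOLD:,.0f} totalling {total:,.2f} "
                                  f"within {STRUCT_WINDOW.days} days"),
                })
                break
    return alerts


# Constructed sample transactions (not real data).
SAMPLE = [
    CashTxn("T1", "C-001", datetime(2026, 3, 2, 10, 5), 9_500.00),
    CashTxn("T2", "C-001", datetime(2026, 3, 3, 11, 40), 9_800.00),
    CashTxn("T3", "C-001", datetime(2026, 3, 4, 9, 15), 9_700.00),
    CashTxn("T4", "C-002", datetime(2026, 3, 3, 9, 0), 6_000.00),
    CashTxn("T5", "C-002", datetime(2026, 3, 3, 15, 30), 5_500.00),
    CashTxn("T6", "C-003", datetime(2026, 3, 5, 12, 0), 12_000.00),
    CashTxn("T7", "C-004", datetime(2026, 3, 2, 8, 0), 4_000.00),
    CashTxn("T8", "C-004", datetime(2026, 3, 3, 8, 0), 4_000.00),
    CashTxn("T9", "C-004", datetime(2026, 3, 4, 8, 0), 4_000.00),
]

if __name__ == "__main__":
    print("CTR candidates:", ctr_candidates(SAMPLE))
    for a in structuring_alerts(SAMPLE):
        print("Structuring alert:", a)
```

On the constructed data, C-002 (two same-day deposits totalling $11,500) and C-003 (one $12,000 deposit) are CTR candidates without being structuring alerts, C-001 is a structuring alert without ever crossing the daily threshold, and C-004's routine $4,000 deposits trigger neither. The near-threshold band is what keeps C-004 out of the alert queue; lowering `STRUCT_NEAR_FRACTION` widens the net at the cost of false positives, which is exactly the trade-off the annual backtesting is meant to measure.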
10. AML Risk Assessment
Conduct a formal, written enterprise-wide AML risk assessment at least annually. The assessment must evaluate your institution's money laundering risk exposure across products, services, customers, geographies, and delivery channels. Risk ratings must be justified with supporting data. The risk assessment drives your control priorities — higher-risk areas require stronger controls, higher alert thresholds, and more frequent review.
11. BSA/AML Compliance Officer
Designate a qualified BSA/AML Compliance Officer who reports to senior management and has direct board access. The BSA Officer must have sufficient authority, resources, and time to fulfill their responsibilities — it cannot be a collateral duty with competing priorities. Document the designation formally, including the scope of their authority and responsibilities.
12. Employee Training Program
Provide AML training to all employees with customer contact or transaction-processing responsibilities — not just compliance staff. Training must cover: how to recognize suspicious activity, how to escalate concerns internally, the legal prohibition on tipping off customers about SAR filings, and the specific risks in your institution's business lines. Training records must document who completed which training and when. Annual training is the minimum; quarterly refreshers are best practice for frontline staff.
13. Independent AML Audit
Commission an independent audit of your AML program annually. "Independent" means conducted by staff or a firm that is not responsible for implementing the program being tested. The audit scope must cover all five BSA program pillars, transaction monitoring rule effectiveness, SAR quality and timeliness, and training completion rates. Findings must be reported to the board, tracked through remediation, and documented with evidence of closure.
14. Record Retention
Retain BSA-related records for a minimum of five years from the date of the record. This includes: CTRs and SARs, customer identification records, beneficial ownership certifications, correspondent account records, wire transfer records ($3,000 or more), and documentation of any SAR decision (file or no-file). Ensure records are retrievable within a reasonable timeframe — examiners will request specific records on short notice.
15. Adverse Media and Negative News Screening
Screen customers and beneficial owners against adverse media sources — news databases, regulatory actions, legal proceedings, and reputational risk signals. Adverse media screening catches risks that sanctions lists and PEP databases miss: a customer who was acquitted of fraud charges won't appear on any official list, but may present material reputational risk. This should run at onboarding and on a periodic basis for existing customers.
Common AML Compliance Failures and Enforcement Penalties
Enforcement actions follow predictable patterns. The same failures appear across institutions of all sizes. Here are the largest recent cases and the specific deficiencies that triggered them:
| Institution | Year | Penalty | Primary Deficiency |
|---|---|---|---|
| TD Bank | 2024 | $3.09B | Systemic failures in transaction monitoring; allowed drug trafficking proceeds to flow for years despite known red flags |
| Deutsche Bank | 2023 | $186M | Deficiencies in BSA/AML controls and failure to remediate previously identified issues in correspondent banking |
| Binance | 2023 | $4.3B | Willful failure to implement AML program; allowed transactions with sanctioned jurisdictions; no SAR filing program |
| Wells Fargo | 2022 | $1.7B | Multiple compliance program deficiencies including inadequate monitoring across consumer and business accounts |
| USAA Federal Savings | 2022 | $140M | Willful failure to implement and maintain effective AML program; failure to file timely SARs on known suspicious activity |
Individual Liability Is Increasing
The AMLA 2020 introduced enhanced whistleblower protections and increased individual accountability provisions. FinCEN and DOJ have both signaled a shift toward pursuing individual BSA Officers and executives in addition to institutional penalties when compliance failures are found to be the result of willful neglect or deliberate underinvestment in compliance infrastructure.
How Technology Streamlines AML Compliance
Manual AML compliance processes don't scale. When your institution processes thousands of transactions daily and onboards hundreds of new customers monthly, spreadsheet-based screening and manual adverse media searches create both coverage gaps and unsustainable operational burden.
Modern AML compliance platforms automate the high-frequency, high-stakes tasks while building the documentation trail regulators require:
Automated Screening
Real-time screening against OFAC SDN, EU/UN sanctions, PEP databases, and adverse media — at onboarding and continuously.
Beneficial Ownership Verification
Cross-reference customer-provided BO certifications against corporate registries and third-party data sources automatically.
Risk Scoring
Automated risk tier assignment based on customer profile, jurisdiction, industry, and behavioral signals — not manual judgment calls.
Audit-Ready Documentation
Every screening result, match, decision, and override logged with timestamps and analyst notes — ready for examiner review.
EDD Workflows
Structured EDD processes triggered automatically for high-risk customers: PEPs, high-risk jurisdictions, complex ownership.
API Integration
Connect directly to your core banking system or onboarding platform — screen customers where they enter, not as a separate step.
Veridact automates the screening and documentation layers of AML compliance — sanctions screening, PEP detection, adverse media analysis, beneficial ownership verification, and risk scoring — generating the structured, timestamped evidence your compliance team and examiners need. Start a free trial to run your first screening in minutes.
Frequently Asked Questions
What are the five pillars of an AML compliance program?
FinCEN's BSA framework requires five pillars: (1) internal policies, procedures, and controls; (2) a designated BSA/AML Compliance Officer; (3) ongoing employee training; (4) independent testing and auditing; and (5) customer due diligence. The Customer Due Diligence Rule added beneficial ownership identification as a core requirement within the fifth pillar.
How often must AML risk assessments be performed?
Regulators expect AML risk assessments to be performed at least annually and whenever significant business changes occur — new markets, new products, changes in customer base, or material changes to delivery channels. Many larger institutions run rolling quarterly risk reviews and update the formal written assessment annually.
What triggers a Suspicious Activity Report (SAR)?
A SAR must be filed when an institution knows, suspects, or has reason to suspect that a transaction of $5,000 or more (banks) or $2,000 or more (money services businesses) involves funds from illegal activity, is designed to evade BSA reporting requirements, or has no apparent lawful purpose. SARs must be filed within 30 days of detection. Law enforcement uses SARs as investigative leads — quality narratives are essential.
What is the record retention requirement for AML compliance?
BSA regulations require a minimum five-year retention period for CTRs, SARs, customer identification records, beneficial ownership certifications, and wire transfer records. The five-year clock runs from the date of the record, not the customer relationship end date. Records must be retrievable on short notice — an examiner may request specific records within days.
What is the difference between CDD and EDD in AML compliance?
Customer Due Diligence (CDD) is the baseline identity verification and risk assessment required for all customers. Enhanced Due Diligence (EDD) is an elevated level of scrutiny applied to high-risk customers — PEPs, high-risk jurisdictions, complex ownership structures, and high-risk industries. EDD requires deeper investigation into source of wealth and funds, more frequent reviews, and senior management approval.
What are the penalties for AML compliance failures?
Civil penalties for willful BSA/AML violations can reach $1 million per violation per day. Criminal penalties include fines up to $500,000 and up to 10 years imprisonment. FinCEN can also issue cease-and-desist orders, prohibit institution officers, and mandate independent compliance monitors. The costs of a formal enforcement action typically far exceed the cost of a properly resourced compliance program.