Anti-money laundering compliance is not optional — it is a legal obligation for financial institutions, MSBs, fintech companies, and an expanding list of regulated entities. Getting it wrong means consent orders, multimillion-dollar fines, and criminal prosecution for responsible individuals.

This checklist covers every pillar of a defensible AML program, aligned with FinCEN's Bank Secrecy Act (BSA) requirements, FATF's 40 Recommendations (updated February 2026), and the EU's 6th Anti-Money Laundering Directive (6AMLD). Use it to build, audit, or remediate your program.

Why a checklist matters: Regulators evaluate AML programs on structure, not just outcomes. A well-documented program that catches fewer cases will score better than an ad-hoc approach that catches more. This checklist helps you prove your program is reasonably designed.

Pillar 1: AML Program Structure

Every AML program must have five core components under BSA/AML regulations. Missing any one of these is a standalone violation.

PILLAR 1 Program Foundation

  • Designated BSA/AML Officer: A qualified individual with the authority and resources to manage the program. Must have a direct reporting line to the board or senior management — not buried under operations
  • Written AML policies and procedures: Documented, board-approved policies covering CDD, transaction monitoring, SAR filing, sanctions screening, and record retention. Reviewed and updated at least annually
  • Risk assessment: Enterprise-wide ML/TF risk assessment covering products, services, customers, and geographies. Must be updated when risk profile changes (new products, new markets, regulatory guidance)
  • Internal controls: Dual controls for SAR filing, independent review of alerts, escalation procedures, and quality assurance on CDD. Segregation of duties between first and second line
  • Independent testing: Annual independent audit of AML program by qualified internal audit or external firm. Findings tracked to remediation with deadlines

Pillar 2: Customer Due Diligence (CDD)

CDD is where most AML failures originate. Regulators expect a risk-based approach — not a checkbox exercise.

PILLAR 2 CDD & KYC Requirements

  • Customer identification program (CIP): Collect and verify name, date of birth, address, and identification number for all customers. Documentary and non-documentary verification methods are acceptable
  • Beneficial ownership identification: Identify all individuals owning 25%+ equity and one individual with significant management control. FinCEN's updated rule (effective 2026) lowers the threshold to 10% for certain entity types
  • Risk rating at onboarding: Assign an initial risk score based on customer type, geography, product usage, and source of funds. A high-risk rating triggers EDD before account opening
  • Enhanced due diligence (EDD): For PEPs, high-risk jurisdictions, complex ownership structures, and customers with adverse media. Includes source of wealth verification and senior management approval
  • Ongoing CDD: Periodic review schedule based on risk tier — annual for high-risk, biennial for medium, triennial for low. Event-driven reviews for material changes
  • PEP and sanctions screening: Screen all customers against PEP lists, sanctions lists (OFAC SDN, UN, EU, UK), and adverse media at onboarding and on an ongoing basis

Common finding: Examiners frequently cite inadequate beneficial ownership verification. "We asked the customer and they said no one owns 25%+" is not sufficient. You must independently verify ownership through corporate registries, formation documents, or reliable third-party databases.
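The verification point above is easiest to see on a layered structure: a person who holds only 30% directly can still be a 25%+ beneficial owner once holdings routed through intermediate entities are added in, and a person invisible at the top layer can surface as one. The following is an added example, not Veridact's code or a FinCEN-prescribed method; it assumes the common look-through approach of multiplying percentages along each ownership chain, and the entity and person names are constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Equity threshold from the CDD bullet above (25%+).
OWNERSHIP_THRESHOLD = Decimal("25")

# Constructed ownership graph, not real entities: entity -> [(owner, pct)].
# Any owner that is not itself a key is treated as a natural person.
SAMPLE_STRUCTURE = {
    "Customer Co Ltd": [("Holding A BV", Decimal("60")),
                        ("Person X", Decimal("30")),
                        ("Person Y", Decimal("10"))],
    "Holding A BV": [("Person Z", Decimal("50")), ("Trust B", Decimal("50"))],
    "Trust B": [("Person X", Decimal("100"))],
}

# Constructed circular structure, used to show the failure mode.
CYCLIC_STRUCTURE = {
    "Shell A": [("Shell B", Decimal("100"))],
    "Shell B": [("Shell A", Decimal("100"))],
}


def effective_ownership(structure, entity, _path=()):
    """Return {person: effective pct} for `entity`, multiplying percentages along
    every chain of intermediate entities (assumption: multiplicative look-through).
    Raises ValueError on circular ownership instead of recursing forever."""
    if entity in _path:
        raise ValueError("circular ownership: " + " -> ".join(_path + (entity,)))
    totals = defaultdict(Decimal)
    for owner, pct in structure.get(entity, []):
        if owner in structure:  # intermediate entity: look through it
            for person, sub_pct in effective_ownership(structure, owner, _path + (entity,)).items():
                totals[person] += pct * sub_pct / Decimal("100")
        else:  # natural person: direct holding
            totals[owner] += pct
    return dict(totals)


def beneficial_owners(structure, entity, threshold=OWNERSHIP_THRESHOLD):
    """Persons at or above the threshold, plus the unattributed remainder that
    the CDD file still has to explain."""
    effective = effective_ownership(structure, entity)
    owners = {p: pct for p, pct in effective.items() if pct >= threshold}
    unattributed = Decimal("100") - sum(effective.values(), Decimal("0"))
    return owners, unattributed


def has_circular_ownership(structure, entity):
    """True when the chain loops back on itself, a structure that cannot be verified."""
    try:
        effective_ownership(structure, entity)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    owners, gap = beneficial_owners(SAMPLE_STRUCTURE, "Customer Co Ltd")
    for person, pct in sorted(owners.items()):
        print(f"{person}: {pct}% effective ownership")
    print(f"unattributed: {gap}%")
```

On the constructed structure, Person X shows 30% at the top layer but holds 60% effectively (30% direct plus 30% through Holding A BV and Trust B), and Person Z, absent from the customer's own declaration, holds 30%. Both cross the 25% line; the unattributed remainder is the figure an examiner will ask about when it is not zero.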

Pillar 3: Transaction Monitoring

Your transaction monitoring system is the detection engine of your AML program. It must be tuned to your risk profile, not run on vendor defaults.

PILLAR 3 Transaction Monitoring

  • Rule-based monitoring: Scenarios covering structuring, rapid movement of funds, round-dollar transactions, geographic risk, peer-group outliers, and dormant account reactivation
  • Threshold calibration: Thresholds set based on your customer base and risk assessment — not vendor defaults. Documented rationale for every threshold. Above-the-line and below-the-line testing to validate detection rates
  • Alert management: Defined SLAs for alert review (typically 24-48 hours for high-priority). Documented disposition with narrative explaining why an alert was closed or escalated
  • Model validation: Independent validation of monitoring rules and models at least annually. Back-testing against known SARs and typologies. Documentation of model limitations
  • CTR filing: Automated Currency Transaction Reports for cash transactions over $10,000. Aggregation logic for multiple transactions by the same customer in the same business day
  • SAR filing: Suspicious Activity Reports filed within 30 days of detection (60 days if no suspect is identified). Narrative must be clear, complete, and concise — regulators read these
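Two of the scenarios above, same-day CTR aggregation and structuring (deposits kept just under the reporting line), come down to a small amount of detection logic over the cash ledger. The block below is an added example, not Veridact's code or any vendor's rule set; the $10,000 figure comes from this page, while the structuring band, window and minimum count are illustrative assumptions that a real program would calibrate and document, exactly as the threshold-calibration bullet requires. The ledger is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# BSA figure from the page: CTR for cash transactions over $10,000.
CTR_THRESHOLD = Decimal("10000")

# Structuring parameters are illustrative assumptions, not page values and not
# vendor defaults; every threshold must be calibrated to the institution's own
# customer base with a documented rationale.
STRUCT_FLOOR = Decimal("7000")   # "just under the threshold" band starts here
STRUCT_WINDOW = timedelta(days=7)
STRUCT_MIN_COUNT = 3


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    biz_date: date       # business day on which the cash was posted
    amount: Decimal


# Constructed sample ledger, not real data.
SAMPLE_TXNS = [
    CashTxn("C001", date(2026, 3, 2), Decimal("6000")),
    CashTxn("C001", date(2026, 3, 2), Decimal("4500")),   # same day: 10,500 -> CTR
    CashTxn("C002", date(2026, 3, 2), Decimal("9800")),
    CashTxn("C002", date(2026, 3, 4), Decimal("9500")),
    CashTxn("C002", date(2026, 3, 6), Decimal("9700")),   # three sub-threshold deposits in 5 days
    CashTxn("C003", date(2026, 3, 3), Decimal("12000")),  # single deposit -> CTR
    CashTxn("C004", date(2026, 3, 3), Decimal("9900")),   # isolated, no alert
]


def ctr_aggregates(txns):
    """Aggregate cash by customer and business day; return (customer, day, total)
    for every pair whose total exceeds the CTR threshold."""
    totals = defaultdict(Decimal)
    for t in txns:
        totals[(t.customer_id, t.biz_date)] += t.amount
    return sorted((cust, day, total) for (cust, day), total in totals.items()
                  if total > CTR_THRESHOLD)


def structuring_alerts(txns):
    """Flag a customer whose sub-threshold deposits inside a rolling window add up
    to more than the CTR threshold. Returns (customer, first_day, last_day, count, total)."""
    by_cust = defaultdict(list)
    for t in txns:
        if STRUCT_FLOOR <= t.amount <= CTR_THRESHOLD:
            by_cust[t.customer_id].append(t)
    alerts = []
    for cust, items in by_cust.items():
        items.sort(key=lambda t: t.biz_date)
        for i, start in enumerate(items):
            window = [t for t in items[i:] if t.biz_date - start.biz_date < STRUCT_WINDOW]
            total = sum((t.amount for t in window), Decimal("0"))
            if len(window) >= STRUCT_MIN_COUNT and total > CTR_THRESHOLD:
                alerts.append((cust, start.biz_date, window[-1].biz_date, len(window), total))
                break  # one alert per customer; the analyst narrative covers the rest
    return alerts


if __name__ == "__main__":
    for cust, day, total in ctr_aggregates(SAMPLE_TXNS):
        print(f"CTR  {cust} {day} total ${total}")
    for cust, first, last, n, total in structuring_alerts(SAMPLE_TXNS):
        print(f"ALERT structuring {cust}: {n} deposits {first}..{last} totalling ${total}")
```

Note what each rule catches and misses: C001 never makes a single deposit over $10,000 but still triggers a CTR once the day's cash is aggregated, while C002 never triggers a CTR at all and is visible only to the rolling-window rule. The alert tuple carries the window and total so the disposition narrative can state why the alert was raised.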

Pillar 4: Sanctions Compliance

Sanctions violations carry strict liability — intent is irrelevant. Your screening program must be real-time, comprehensive, and well-documented.

PILLAR 4 Sanctions Screening

  • List coverage: OFAC SDN and non-SDN lists, Sectoral Sanctions, UN Security Council, EU consolidated list, UK HMT, and country-specific lists relevant to your business
  • Real-time screening: All transactions, wire transfers, and new customer onboarding screened against current sanctions lists. Batch screening is not sufficient for transaction-level compliance
  • Fuzzy matching: Name-matching algorithms that handle transliteration, nicknames, spelling variations, and partial matches. Documented match-score thresholds with rationale
  • False positive management: Documented process for reviewing, dispositioning, and whitelisting false positives. Whitelists reviewed periodically and after list updates
  • OFAC reporting: Blocked property reports filed within 10 business days. Rejected transactions documented with full details. Annual OFAC report if applicable
  • Interdiction: Ability to freeze/block transactions and accounts in real time upon a confirmed match. Documented escalation to the OFAC compliance officer
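The fuzzy-matching bullet above asks for name matching that survives transliteration, punctuation, reordering and partial names, with a documented threshold. The following is an added example, not Veridact's screening engine or any list provider's algorithm; it assumes three comparisons (normalized-string similarity, a crude phonetic key, and token subset) and a 0.85 threshold, all of which are illustrative, and the list entries are constructed rather than real sanctions data. Each hit records which comparison fired, so the match score arrives with its own rationale.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Illustrative threshold (assumption); the page requires the real one to be
# documented with rationale rather than taken from a default.
MATCH_THRESHOLD = 0.85

# Constructed list entries, not real sanctions data.
SAMPLE_LIST = [
    ("LIST-0001", "Ivan Petrovich Sokolov"),
    ("LIST-0002", "Mohammed Al-Rashid"),
    ("LIST-0003", "Acme Trading Limited"),
]


def normalize(name):
    """Casefold, strip diacritics and punctuation, and sort tokens so that
    'Sokolov, Ivan' and 'Ivan Sokolov' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9]+", " ", ascii_only.casefold())
    return sorted(cleaned.split())


def skeleton(token):
    """Crude phonetic key (assumption, not a standard algorithm): keep the first
    letter, drop later vowels, collapse repeats, so 'mohammed' and 'muhammad'
    both become 'mhmd'."""
    out = token[0]
    for ch in re.sub(r"[aeiouy]", "", token[1:]):
        if ch != out[-1]:
            out += ch
    return out


def ratio(a, b):
    return SequenceMatcher(None, a, b).ratio()


def score_pair(query, listed):
    """Best of three comparisons and the label of the one that produced it."""
    q_tokens, l_tokens = normalize(query), normalize(listed)
    r_exact = ratio(" ".join(q_tokens), " ".join(l_tokens))
    r_phon = ratio(" ".join(skeleton(t) for t in q_tokens),
                   " ".join(skeleton(t) for t in l_tokens))
    # Token subset: share of significant query tokens present in the list name.
    # Requires at least two significant tokens so a lone surname does not match.
    q_sig = {t for t in q_tokens if len(t) >= 3}
    l_sig = {t for t in l_tokens if len(t) >= 3}
    r_token = len(q_sig & l_sig) / len(q_sig) if len(q_sig) >= 2 else 0.0
    candidates = [(r_exact, "normalized"), (r_phon, "phonetic"), (r_token, "token-subset")]
    best = max(candidates, key=lambda c: c[0])   # first maximum wins ties
    return round(best[0], 3), best[1]


def screen(query, sanctions_list=SAMPLE_LIST, threshold=MATCH_THRESHOLD):
    """Return hits at or above the threshold, strongest first, each with its rationale."""
    hits = []
    for list_id, listed in sanctions_list:
        score, reason = score_pair(query, listed)
        if score >= threshold:
            hits.append({"list_id": list_id, "listed_name": listed,
                         "score": score, "reason": reason})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for q in ["Sokolov, Ivan Petrovich", "Muhammad Al Rashid", "Iván Sokolov", "Apex Logistics"]:
        print(q, "->", screen(q))
```

The three queries in the usage block exercise the three variation types named in the bullet: reordering plus punctuation, transliteration, and a partial name with a diacritic; the fourth returns nothing. Whitelisting a false positive would mean recording the (query, list_id) pair and the reason, which is why the hit carries both.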

Pillar 5: Training & Culture

PILLAR 5 Training & Awareness

  • Role-based training: Annual AML training for all employees, with specialized training for frontline staff, compliance team, and senior management. Training content updated for new typologies and regulatory changes
  • Board reporting: Quarterly AML reports to the board covering program metrics, SAR filing trends, audit findings, and regulatory developments. Board must demonstrate informed oversight
  • Whistleblower protections: Documented process for employees to report suspicious activity internally without fear of retaliation. Required under both BSA and 6AMLD
  • Record retention: All CDD records, transaction monitoring alerts, SAR filings, and training records retained for a minimum of 5 years (10 years in some jurisdictions). Records must be retrievable within a reasonable timeframe

Regulatory Penalty Benchmarks

Understanding the penalty landscape helps prioritize remediation efforts. These are recent enforcement benchmarks:

Violation Type                   Typical Penalty Range                 Severity
Inadequate AML program           $1M - $100M+ (consent order)          HIGH
SAR filing failures              $500K - $50M                          HIGH
Sanctions violations (OFAC)      $50K - $1B+ (strict liability)        HIGH
CDD/beneficial ownership gaps    $250K - $25M                          MEDIUM
Training deficiencies            MRA/MRIA (no direct fine typical)     LOW
Record-keeping failures          $100K - $5M                           MEDIUM

Automating Your AML Program

Manual AML compliance does not scale. As transaction volumes grow, manual alert review becomes a bottleneck — and regulators have increasingly noted that understaffed compliance teams are themselves a program deficiency.

Veridact automates the core AML workflow: real-time sanctions screening across 29 global databases, PEP identification, adverse media monitoring, beneficial ownership verification, and structured audit trails. What takes a compliance analyst hours takes Veridact seconds — with consistent documentation that satisfies examiners.
