
Introduction
AML enforcement isn't slowing down. According to Fenergo's 2024 global AML report, financial institutions faced $4.6 billion in AML enforcement actions in a single year — and fintechs and payments companies are increasingly in the crosshairs. State regulators issued an $80 million penalty against Block, Inc./Cash App in January 2025 for BSA/AML violations, signaling that no company is too fast-growing or too tech-forward to escape scrutiny.
The pressure is real. But most compliance teams don't fail because they ignore AML — they fail because their programs are poorly structured, under-documented, or built for where the business was, not where it's going.
This checklist walks compliance officers and fintech leaders through nine practical steps to build an AML program that can withstand regulatory examination — not just pass a surface-level review. Each step covers a distinct pillar of program design:
- Governance & accountability — who owns AML at the board and executive level
- Risk assessment — how to size your program to actual exposure
- Transaction monitoring — building alert logic that catches risk without drowning your team
- Independent testing — validating the program before examiners do it for you
These aren't abstract best practices. They're the structural components regulators look for — and the gaps most commonly cited in enforcement actions.
Key Takeaways
- Every covered institution must designate a qualified BSA/AML Compliance Officer with board-level accountability
- A documented, enterprise-wide risk assessment is the strategic foundation of the entire program
- CDD and sanctions screening are ongoing obligations that extend well beyond initial onboarding
- Transaction monitoring effectiveness depends on calibration quality, not just system deployment
- Independent program testing is required, and proactive gaps identified internally carry far fewer consequences than those found during an exam
What Is an AML Compliance Checklist?
An AML compliance checklist is a structured set of policies, procedures, and controls that financial institutions use to detect, prevent, and report money laundering and terrorist financing. It serves two functions simultaneously: meeting legal obligations and managing operational risk.
The legal foundation in the US is the Bank Secrecy Act (BSA), with implementing regulations codified in 31 CFR Chapter X and administered by FinCEN under Treasury authority. Internationally, the FATF Recommendations set the global framework for AML/CFT program design — and US examiners increasingly reference FATF standards when evaluating program quality.
Why the Bar Is Rising
FinCEN's June 2024 proposed rule on AML/CFT program effectiveness signals a clear regulatory direction: programs must be formalized, risk-based, and demonstrably effective — not static documents that haven't been revisited in years. Regulators now expect documented risk assessments, calibrated controls, and measurable outcomes.
That shift applies across the board. Fintechs and payments companies face the same scrutiny as traditional banks, with no regulatory accommodation for being newer or faster-moving. The expectation is the same; the margin for underdeveloped programs is not.
Key drivers raising the compliance bar:
- Increased FinCEN and prudential examiner focus on program effectiveness, not just technical compliance
- FATF standards now routinely referenced by US examiners during program evaluations
- Expanded BSA obligations for non-bank financial institutions, including fintechs and payments companies
- Enforcement actions targeting programs that are present on paper but weak in practice
Steps 1–3: Governance, Risk Assessment, and Written Policies
These three steps anchor every AML program. Without a designated leader, a calibrated risk picture, and documented policies, every downstream control lacks both direction and defensibility.
Step 1: Designate a BSA/AML Compliance Officer
Every covered financial institution must formally designate a compliance officer responsible for coordinating and monitoring AML program compliance. This requirement appears across institution types:
- Banks: 31 CFR 1020.210
- Broker-dealers: 31 CFR 1023.210 and FINRA Rule 3310
- Money Services Businesses: 31 CFR 1022.210
This is a threshold requirement, not a title. The FFIEC expects the compliance officer to hold genuine authority, board access, relevant expertise, and resources proportionate to the institution's risk profile and transaction volume. CAMS certification is the recognized benchmark for this role.
For fintechs and payments companies not yet ready to hire full-time, a fractional BSA Officer can satisfy this requirement while delivering institutional-grade expertise on a flexible basis. Joshua Douglas at Pillars FinCrime Advisory brings 12+ years of financial crime experience to these engagements — providing the same depth of oversight without the overhead of a full-time hire.
Step 2: Conduct an Enterprise-Wide AML Risk Assessment
The risk assessment is the program's compass. Per FFIEC guidance, it must analyze risks across:
- Products and services
- Customer segments
- Distribution channels
- Geographic locations
- Business lines and legal entities
FATF Recommendation 1 requires that controls be proportionate to identified risk — which means a high-volume payments platform or crypto on-ramp must apply materially stronger controls than a low-risk retail institution. A one-size-fits-all program satisfies neither regulators nor the business.
The assessment must be documented, defensible, and updated whenever material changes occur: new products, new geographies, acquisitions, or significant shifts in customer mix all trigger a review. Annual review is sound practice even without such changes.

Step 3: Create and Maintain Written Internal AML Policies and Procedures
Documented policies translate risk findings into operational rules. At minimum, written policies must address:
- Customer onboarding standards
- Transaction monitoring thresholds and escalation procedures
- SAR filing processes and timelines
- Record retention requirements
- How the program is tested and updated
FINRA Rule 3310 explicitly requires a written AML program approved by senior management for broker-dealers. Banks must have board-approved written programs under 31 CFR 1020.210.
For growing fintechs, these policies have a second design requirement that gets overlooked until it's too late: scalability. Policies built for 10,000 customers must hold up at one million. That means building in flexibility, documented exception processes, and clear version control from day one — not retrofitting them during a regulatory exam. Pillars FinCrime Advisory's policy development work addresses this scaling challenge directly, building frameworks designed to grow alongside the business.
Steps 4–5: Know Your Customer — CDD, EDD, and Sanctions Screening
Who you onboard and who you continue serving are among the highest-risk decisions any financial institution makes. These two steps establish the controls for getting those decisions right and maintaining them as the customer relationship evolves.
Step 4: Implement a Risk-Based CDD and EDD Program
FinCEN's CDD Rule requires covered institutions to:
- Verify customer identity
- Identify and verify beneficial owners of legal entity customers (those owning 25% or more of equity interests under 31 CFR 1010.230)
- Understand the nature and purpose of the customer relationship
- Conduct ongoing monitoring to detect suspicious activity and update customer information
In practice, this means operating three tiers of diligence:
| Risk Tier | Customer Type | Approach |
|---|---|---|
| Simplified | Low-risk, clearly defined customers | Reduced verification requirements |
| Standard CDD | Most customers | Full identity verification and risk profiling |
| Enhanced Due Diligence (EDD) | PEPs, high-risk jurisdictions, complex structures | Deeper scrutiny, source of funds, senior approval |

Onboarding is not a one-time event. Strong CDD programs set clear re-verification triggers — such as unusual transaction patterns, behavioral shifts, or ownership changes — and treat customer relationships as continuously evolving.
That same ongoing monitoring discipline extends directly into sanctions screening — because a customer who was clean at onboarding may not remain that way.
Step 5: Screen Customers Against Sanctions Lists and Watchlists
All US persons and entities must comply with OFAC sanctions. Screening failures carry severe consequences: TD Bank's BSA/AML failures contributed to a $3 billion-plus resolution — the largest of its kind against a bank. Enforcement against payments companies and fintechs follows the same logic.
A complete screening program covers:
- OFAC SDN List — mandatory; blocked parties cannot transact
- OFAC non-SDN lists — additional restricted parties programs
- UN Security Council Consolidated List
- PEP databases — per FATF Recommendation 12
- Adverse media — particularly useful for surfacing risk on high-risk customer reviews
List data must be updated in real time. Screening against stale data provides no protection. When an enforcement action lands, examiners and OFAC reviewers will look at exactly when your lists were last refreshed.
Steps 6–7: Detect and Report Financial Crime
Transaction monitoring and SAR filing work as a pair. Monitoring without quality reporting is incomplete; reporting without calibrated monitoring produces noise that frustrates law enforcement and telegraphs program weakness to regulators.
Step 6: Deploy and Calibrate Your Transaction Monitoring System
Transaction monitoring identifies patterns that deviate from a customer's established baseline. Core red flags to monitor include:
- Large cash transactions approaching or exceeding CTR thresholds
- High-frequency transactions just below reporting thresholds (structuring/smurfing)
- Transactions with high-risk jurisdictions or sanctioned entities
- Activity inconsistent with the customer's documented risk profile
Calibration is where most programs break down. A high false positive rate signals an under-optimized system. It burns investigator capacity and obscures genuine risk signals. A well-calibrated system produces alerts that reflect real anomalies, not statistical noise.
Examiners, drawing on the Federal Reserve's model risk management guidance, expect periodic model validation and scenario testing that demonstrates monitoring remains effective as the customer base and product mix evolve. For fintechs with high transaction volumes or novel product risk profiles, skipping this validation creates measurable exam exposure.
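As an added illustration of the red flags and calibration parameters described above (example code, not from the original article or from Pillars FinCrime Advisory), the Python below implements two of the listed rules over a constructed batch of transactions: aggregation of cash deposits just below the CTR threshold within a rolling window, and a profile-deviation check against the expected monthly volume documented at onboarding. The near-threshold band, window length, hit count and volume multiplier are assumed tuning values; calibrating them against real alert outcomes is exactly the exercise the text describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed tuning parameters (constructed placeholders; a real program calibrates these on its own data)
CTR_THRESHOLD = 10_000.00    # US Currency Transaction Report threshold, in USD
NEAR_BAND = 0.90             # cash amounts in [90%, 100%) of the threshold count as "just below"
WINDOW = timedelta(days=7)   # aggregation window for the structuring rule
MIN_HITS = 3                 # near-threshold cash deposits needed before an alert fires
PROFILE_MULTIPLIER = 3.0     # monthly volume above 3x the documented expectation is an alert

def near_threshold(amount):
    return CTR_THRESHOLD * NEAR_BAND <= amount < CTR_THRESHOLD

def detect_structuring(txns):
    """Flag customers whose sub-threshold cash deposits, summed over WINDOW, reach the CTR threshold."""
    per_cust = defaultdict(list)
    for t in txns:
        if t["kind"] == "cash" and near_threshold(t["amount"]):
            per_cust[t["customer"]].append(t)
    alerts = []
    for cust, hits in per_cust.items():
        hits.sort(key=lambda h: h["ts"])
        start = 0
        for end, t in enumerate(hits):
            while t["ts"] - hits[start]["ts"] > WINDOW:   # slide the window forward in time
                start += 1
            window = hits[start:end + 1]
            total = sum(h["amount"] for h in window)
            if len(window) >= MIN_HITS and total >= CTR_THRESHOLD:
                alerts.append({"customer": cust, "rule": "STRUCTURING",
                               "count": len(window), "total": round(total, 2)})
                break   # one alert per customer; the investigator then reviews the full history
    return alerts
def detect_profile_deviation(txns, profiles):
    """Flag customers whose total for the period (assumed one month) exceeds PROFILE_MULTIPLIER x expectation."""
    totals = defaultdict(float)
    for t in txns:
        totals[t["customer"]] += t["amount"]
    return [{"customer": c, "rule": "PROFILE_DEVIATION", "total": round(v, 2), "expected": profiles[c]}
            for c, v in totals.items() if c in profiles and v > PROFILE_MULTIPLIER * profiles[c]]
# Constructed sample data: one month of activity for three fictitious customers
SAMPLE_TXNS = [
    {"customer": "C1", "kind": "cash", "amount": 9500.00, "ts": datetime(2025, 3, 1, 10, 0)},
    {"customer": "C1", "kind": "cash", "amount": 9800.00, "ts": datetime(2025, 3, 3, 11, 30)},
    {"customer": "C1", "kind": "cash", "amount": 9200.00, "ts": datetime(2025, 3, 5, 9, 15)},
    {"customer": "C2", "kind": "wire", "amount": 40000.00, "ts": datetime(2025, 3, 20, 14, 0)},
    {"customer": "C3", "kind": "cash", "amount": 9700.00, "ts": datetime(2025, 3, 1, 8, 0)},
    {"customer": "C3", "kind": "cash", "amount": 9600.00, "ts": datetime(2025, 3, 25, 8, 0)},  # outside WINDOW of the first
]
SAMPLE_PROFILES = {"C1": 30000.00, "C2": 5000.00, "C3": 50000.00}  # expected monthly volume, documented at onboarding
```

Running both detectors over the sample yields one structuring alert for C1 (three sub-threshold deposits totalling $28,500 in five days) and one profile-deviation alert for C2; C3's two deposits fall outside the window and generate nothing, which is the kind of tuning decision calibration has to defend.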
Pillars FinCrime Advisory's Transaction Monitoring Optimization service is built around this calibration challenge. Clients have seen alert quality improve while operational friction drops, two outcomes that matter to both compliance teams and examiners.
Step 7: Establish a Formal SAR Filing Process
When a financial institution detects activity it knows, suspects, or has reason to suspect involves funds from illegal activity or is designed to evade reporting, it must file a Suspicious Activity Report with FinCEN within 30 days of initial detection.
A defensible SAR process includes:
- A clear escalation path from alert to investigation to filing decision
- Documented decision logic for both filed and declined cases
- Quality assurance review before submission, with attention to narrative clarity
- Confidentiality controls to ensure the subject is never tipped off

Regulators and law enforcement evaluate SAR quality, not just volume. Narratives should identify the who, what, when, where, and why of suspicious activity clearly enough for law enforcement to act without requesting additional information.
Steps 8–9: Train Your Team and Test Your Program
Step 8: Conduct Ongoing, Role-Specific AML Training
US regulations and FATF guidance both require AML training for all covered institution staff. But effective training goes beyond annual completion records. Role-specific content matters:
- A relationship manager needs to recognize red flags during client interactions
- A compliance analyst needs to conduct a rigorous investigation
- Senior management needs to understand program governance and escalation obligations
Training must track comprehension, not just attendance. And it must stay current — typologies evolve, regulations change, and enforcement trends shift. Document completion and assessment scores. During an exam, training records are among the first materials requested.
Step 9: Maintain Records and Conduct Independent Program Testing
Record Retention
Under BSA requirements, AML documentation must generally be retained for a minimum of five years. Everything must be audit-ready and retrievable on demand. Required records include:
- CDD records
- SAR filings and supporting documentation
- Training logs and assessment scores
- Risk assessments
- All policy versions
Independent Testing
A qualified internal or external party must periodically review the entire AML program — not just selected controls — and assess whether those controls are operating effectively. Findings must be tracked to remediation, with results reported to senior management and the board.
For growing fintechs and payments companies, engaging an experienced outside advisor accelerates exam readiness and surfaces gaps before regulators find them. Pillars FinCrime Advisory provides audit readiness and program testing support for organizations scaling fast and needing to demonstrate program maturity to both examiners and sponsor banks.
Frequently Asked Questions
What is an AML checklist?
An AML checklist is a structured set of compliance controls, policies, and procedures that financial institutions use to detect, prevent, and report money laundering and terrorist financing. It functions as both a regulatory requirement under frameworks like the BSA and FATF Recommendations, and as an operational risk management tool.
What are the 5 pillars of AML compliance?
FinCEN's AML/CFT framework identifies five pillars:
- Designating a compliance officer
- Creating written internal policies and procedures
- Conducting employee AML training
- Performing independent program reviews
- Implementing risk-based customer due diligence
These pillars apply to banks, fintechs, broker-dealers, and money services businesses.
How often should an AML compliance program be reviewed or updated?
Programs should be reviewed at minimum annually. Updates are also triggered by regulatory changes, new product launches, significant business model shifts, new geographic markets, or material findings from an audit or examination.
What are the consequences of AML non-compliance?
Consequences include substantial regulatory fines, consent orders, mandatory remediation programs, and reputational damage. TD Bank's 2024 BSA/AML failures resulted in a $3 billion-plus settlement. In serious cases, individuals also face criminal liability alongside institutional penalties.
How does AML compliance differ for fintechs versus traditional banks?
The core regulatory obligations are the same. Fintechs typically face higher transaction volumes, faster onboarding cycles, and newer product risks — digital payments, crypto, BNPL — that require more scalable, automated program designs. Regulators increasingly hold fintechs to the same standards as traditional banks.
What is the difference between CDD and EDD?
CDD (Customer Due Diligence) is the standard identity verification and risk profiling process required for all customers. EDD (Enhanced Due Diligence) is a deeper level of scrutiny for higher-risk customers: PEPs, customers in high-risk jurisdictions, or entities with complex ownership structures. It requires additional documentation and senior approval.