← All articles
·9 min read

AML Compliance Checklist for 2026: A Complete Program Framework

A practical AML compliance checklist covering the five pillars, KYC, sanctions and PEP screening, transaction monitoring, SAR and CTR filing, training, and independent testing.

An anti-money-laundering compliance program is not a document — it is a set of controls that work together to detect, prevent, and report financial crime. U.S. regulators evaluate programs against the five pillars codified in FinCEN's 2018 CDD Rule and reinforced by the Anti-Money Laundering Act of 2020. This checklist walks through what a defensible program actually contains in 2026.

Pillar one: a designated BSA / AML compliance officer. The officer must be a specific named individual (not a committee), have direct access to the board or an appropriate committee, have sufficient authority and resources to enforce program requirements, and be independent enough that business-line pressure cannot suppress escalations. For smaller institutions the role can be part-time, but the reporting line must be documented and reviewed annually.

Pillar two: internal controls and written policies. At minimum, the program needs a customer identification program (CIP), customer due diligence (CDD) and enhanced due diligence (EDD) procedures, beneficial ownership collection meeting the 25% and control-prong thresholds, a sanctions screening policy covering OFAC, EU, UK and UN at onboarding and on an ongoing basis, a PEP screening policy, transaction monitoring rules mapped to the institution's risk assessment, SAR and CTR filing procedures with deadlines, a recordkeeping schedule (five years for most BSA records), and an escalation matrix that names roles, not people.

Pillar three: ongoing training. Every employee who interacts with customers, transactions, or the compliance function needs role-based AML training at hire and at least annually thereafter. Tellers, relationship managers, operations staff, and the board itself require different depth. Training records — attendee, date, topic, assessment score — must be retained and produced on examination. Generic 'watch a video' training rarely survives an exam finding.

Pillar four: independent testing. The program must be independently reviewed at a frequency commensurate with risk (typically every 12–18 months). 'Independent' means the reviewer does not report to the BSA Officer and did not participate in designing the controls being tested. Internal audit, a qualified consulting firm, or a shared services group at a parent company can all qualify. The review scope must include CIP, CDD, sanctions screening effectiveness, SAR/CTR filing quality and timeliness, training, and prior-finding remediation.

Pillar five: customer due diligence — the newest pillar and the one examiners focus on most. CDD requires identifying and verifying customer identity, understanding the nature and purpose of the relationship, ongoing monitoring calibrated to the customer's risk profile, and — for legal-entity customers — collecting and verifying beneficial ownership. As of 2024, beneficial ownership information is also reported federally under the Corporate Transparency Act, though the institution's CDD obligation is separate and continues.

Sanctions screening sits inside pillar two but deserves its own checklist. Screen every new customer and counterparty against OFAC SDN, OFAC Consolidated, EU Consolidated, UK OFSI, and UN Security Council lists before onboarding. Re-screen the full customer base every time any of those lists changes — not just on a monthly batch. Screen every wire transfer and material transaction in real time. Use fuzzy matching with tuned thresholds, capture the alerts and dispositions in an audit trail, and retain screening records for five years.

Transaction monitoring is where most programs quietly fail. Rules should be documented, tuned against the institution's own historical alerts (not vendor defaults), reviewed at least annually, and mapped to the risk assessment. Alert-to-SAR conversion rates that are extremely low (under a few percent) usually indicate over-broad rules; conversion rates that are unusually high suggest missing detection. Model risk management under SR 11-7 applies to any statistical or machine-learning monitoring model.

Reporting obligations to remember: CTR within 15 days for cash over $10,000, SAR within 30 days of detection (60 with no identified suspect), 314(a) responses to FinCEN within 14 days, 314(b) voluntary information-sharing where enrolled, OFAC blocked-transaction reports within 10 business days, and annual OFAC reports of blocked property by September 30. Beneficial ownership reports to FinCEN under the CTA follow a separate schedule and are the customer's obligation, not the institution's.

The final pillar in practice — even though it is not one of the statutory five — is documentation. Regulators evaluate programs by pulling files, not by reading policies. Every risk assessment, every training record, every SAR narrative, every sanctions-screening alert disposition, every independent-test finding and its remediation must be retrievable in an examiner-usable format for at least five years. Programs that cannot produce artifacts on demand fail exams even when the underlying controls are sound.

SanctionsScreening covers the sanctions-list leg of pillar two: unified OFAC, EU, UK and UN screening with fuzzy matching, ongoing re-screening on list updates, PDF audit reports per search, batch CSV screening for periodic reviews of your full customer base, and an API for real-time onboarding and transaction checks. See the pricing page for Team and Enterprise tiers, or run a free search from sanctionsscreening.io to test coverage.

Try it free on SanctionsScreening.io

Run a free sanctions search against OFAC, EU, UK and UN lists — no signup required.