AML/KYC Checklist

AML (Anti-Money Laundering) compliance refers to the policies, procedures, and controls financial institutions must maintain to detect and prevent money laundering, terrorist financing, and other financial crimes. KYC (Know Your Customer) is the process of verifying customer identities and understanding the nature of their business — a foundational element of CDD. Together, AML/KYC programs are required under the Bank Secrecy Act (BSA) in the U.S. and similar laws globally.

CDD is the process of identifying and verifying the identity of customers, understanding the nature and purpose of their accounts, and assessing their risk level. Since 2018, FinCEN's CDD Final Rule requires covered financial institutions to collect beneficial ownership information (identifying individuals who own 25% or more of a legal entity customer). This checklist includes CIP, beneficial ownership identification, customer risk rating, PEP screening, sanctions screening, and adverse media checks.

EDD is additional scrutiny applied to high-risk customers, including politically exposed persons (PEPs), high-risk geographies, cash-intensive businesses, and correspondent banking relationships. EDD requirements include verifying the source of funds and source of wealth, obtaining senior management approval before opening high-risk accounts, and conducting more frequent ongoing monitoring of these relationships.

A SAR is a report filed with FinCEN when a financial institution knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity, is designed to evade BSA reporting requirements, or has no lawful purpose. SARs must generally be filed within 30 days of detecting suspicious activity (60 days if no suspect is identified). SAR filings are confidential — institutions may not disclose to the subject that a SAR was filed.

A CTR must be filed with FinCEN for cash transactions exceeding $10,000 in a single business day by or on behalf of the same person. This includes both deposits and withdrawals. Structuring — intentionally breaking up transactions to avoid the $10,000 CTR threshold — is itself a federal crime and a key transaction monitoring red flag.

Financial institutions must retain transaction records for at least 5 years. This includes records of all cash transactions over $10,000, wire transfers of $3,000 or more, all CTR and SAR filings, customer identification records (passports, driver's licenses, EIN documents), beneficial ownership certifications, and records of any AML training activities. Audit trails documenting all AML decisions must also be maintained.

An independent audit is a periodic review of the AML compliance program conducted by parties independent of the compliance function — typically internal audit, external auditors, or qualified third-party consultants. The audit assesses whether the program's policies, procedures, controls, and training are adequate and effective. Regulators expect this to be conducted annually for most institutions, with findings reported to senior management and the board.

Under the BSA and FinCEN regulations, AML programs are required for banks, credit unions, broker-dealers, mutual funds, futures commission merchants, money service businesses (MSBs), casinos, insurance companies, precious metals dealers, and many fintech companies. The specific requirements vary by institution type and size, but all must maintain the five pillars: policies/procedures, a designated compliance officer, ongoing employee training, independent testing, and customer due diligence.