AML Compliance Checklist: Key Requirements for 2026

A comprehensive AML compliance checklist covering the five pillars of BSA/AML programs. Use this checklist to evaluate your anti-money laundering controls and regulatory readiness.

LexFlag Team Apr 8, 2026 6 min read

For Informational Purposes Only. The articles, guides, and analyses published on this blog are provided by the LexFlag team and guest contributors for educational and informational purposes. They do not constitute legal, regulatory, or professional advice.

AI-Generated Content. Some articles may be partially or fully generated or assisted by artificial intelligence. While we strive for accuracy, errors or outdated information may remain.

Independent Verification Required. You must independently verify any information obtained from this blog before making any decisions. LexFlag, its affiliates, and contributors accept no liability for any loss or damage arising from reliance on blog content.

The Five Pillars of an AML Compliance Program

FinCEN and the FFIEC require financial institutions to maintain a BSA/AML compliance program built on five pillars. The Bank Secrecy Act and its implementing regulations set the foundation for these requirements. This checklist covers each pillar with specific, actionable items that compliance officers, internal auditors, and examiners evaluate during regulatory reviews.

Whether you are building a new program or assessing the adequacy of an existing one, use this checklist to identify gaps and prioritize remediation efforts. An effective AML compliance checklist helps organizations fight financial crimes, maintain anti-money laundering compliance, and demonstrate regulatory readiness.

Pillar 1: Internal Controls

Internal controls are the policies, procedures, and processes that form the operational backbone of your AML program.

Policies and Procedures

  • Written BSA/AML policies approved by the board of directors
  • Policies cover all products, services, customer types, and geographic markets
  • Procedures detail specific steps for CIP, CDD, EDD, sanctions screening, transaction monitoring, and SAR filing
  • Policies updated to reflect regulatory changes, new products, and examination findings
  • Version control and change management documentation maintained

Customer Due Diligence

  • Customer Identification Program (CIP) procedures for individuals and entities
  • Beneficial ownership identification and verification procedures (25% threshold)
  • Risk-based customer classification methodology documented and approved
  • Enhanced due diligence procedures for high-risk customers such as PEPs, high-risk jurisdictions, and complex structures
  • Ongoing monitoring parameters defined for each customer risk tier
  • Periodic review schedules established and tracked

Transaction Monitoring

  • Automated transaction monitoring system implemented with documented scenarios and thresholds
  • Monitoring rules aligned with institutional risk assessment findings
  • Alert review and disposition procedures documented
  • Alert quality metrics tracked (SAR conversion rate, false positive rate, aging)
  • Model validation conducted at least annually
  • Threshold tuning documented with supporting analysis

Sanctions Compliance

  • Real-time screening of all customers, counterparties, and transactions against the OFAC SDN list
  • Screening coverage includes EU, UN, HMT, and other applicable sanctions programs
  • Fuzzy matching parameters configured to minimize false negatives
  • Hit resolution procedures documented and consistently followed
  • Interdiction procedures for true matches (blocking, rejecting, reporting)
  • Screening system testing conducted periodically

Suspicious Activity Reporting

  • SAR decision-making process documented with clear criteria
  • SARs filed within 30 calendar days of initial detection (60 days if no suspect identified)
  • SAR narrative quality standards defined and enforced
  • SAR filing tracked and quality reviewed
  • 314(a) request procedures established (for US institutions)
  • 314(b) information sharing program participation (voluntary but recommended)

Currency Transaction Reporting

  • CTRs filed for cash transactions exceeding $10,000 (aggregate daily)
  • Multiple transaction aggregation procedures implemented
  • Exemption procedures documented and reviewed annually
  • CTR accuracy reviewed before filing

Pillar 2: BSA/AML Compliance Officer

  • Designated BSA/AML compliance officer with adequate authority, independence, and resources
  • Officer has direct reporting line to senior management and/or board
  • Officer's qualifications and experience appropriate for the institution's risk profile
  • Officer has access to all necessary information across business lines
  • Adequate compliance staff to handle workload (alert volumes, review schedules, regulatory filings)
  • Succession planning documented for the BSA officer role
  • BSA officer reports regularly to the board on program status, risk assessment updates, and examination findings

Pillar 3: Training Program

  • Comprehensive BSA/AML training program covering all employees
  • Role-specific training for high-risk functions (front-line staff, operations, compliance, management)
  • Training covers: CIP/CDD procedures, transaction monitoring alert recognition, SAR referral process, sanctions compliance, and identifying red flags
  • Training delivered at onboarding and at least annually thereafter
  • Training content updated to reflect new regulations, emerging typologies, and examination findings
  • Training completion tracked and documented
  • Board and senior management receive AML training tailored to governance responsibilities

Pillar 4: Independent Testing (Audit)

  • Independent testing of BSA/AML compliance program conducted at least every 12–18 months
  • Testing scope covers all program components: risk assessment, internal controls, training, reporting
  • Testing performed by qualified individuals independent of the compliance function (internal audit, external firm)
  • Transaction testing includes sample-based review of alerts, SARs, CTRs, and CDD files
  • Testing results reported to the board or audit committee
  • Findings tracked to remediation with defined owners and deadlines
  • Remediation verified by re-testing or management attestation

Pillar 5: Risk Assessment

  • Comprehensive, enterprise-wide BSA/AML risk assessment documented
  • Risk assessment covers customers, products, services, geographies, and delivery channels
  • Inherent risk assessed for each risk category
  • Mitigating controls evaluated for effectiveness
  • Residual risk determined for each category
  • Risk assessment approved by the board of directors
  • Assessment updated at least annually and when material changes occur
  • Risk appetite defined and approved by the board
  • Risk assessment findings drive program design (monitoring rules, CDD requirements, staffing)

Regulatory Examination Readiness

Beyond the five pillars, prepare for regulatory examination with:

  • Prior examination findings and commitments tracked and resolved
  • Self-assessment or gap analysis completed before the exam
  • Key documents organized and accessible: risk assessment, policies, training records, testing reports, SAR filings, monitoring system documentation
  • Responsible personnel identified and briefed on examination procedures
  • Board minutes reflecting BSA/AML oversight discussions

Record Retention

  • All BSA records retained for a minimum of 5 years (many institutions retain 7 years)
  • CIP records retained for 5 years after account closure
  • SAR records retained for 5 years from filing date
  • CTR records retained for 5 years from filing date
  • Training records retained for examination review
  • Retention schedules documented and consistently applied

What's Changed for 2026

Several developments affect AML compliance programs in 2026:

  • Corporate Transparency Act (CTA) beneficial ownership reporting — FinCEN's BOI database is now operational; understand how it affects your CDD processes
  • FinCEN's AML/CFT Priorities — Updated national priorities that your risk assessment should address
  • EU AML Package — The new AMLR and AMLA framework creating a single AML rulebook for the EU
  • AI and technology guidance — Increasing regulatory clarity on the use of AI in transaction monitoring and alert triage
  • Cryptocurrency and digital assets — Expanded regulatory scope covering virtual asset service providers

Using This AML Compliance Checklist

This AML compliance checklist — covering all five BSA/AML pillars — is a starting point, not an exhaustive list. Customize it to your institution's specific risk profile, regulatory environment, and organizational structure. Use it for:

  • Self-assessment — Identify gaps before regulators do
  • Examination preparation — Organize documentation and verify readiness
  • Program enhancement — Prioritize investments where gaps are most significant
  • Board reporting — Communicate program status and compliance posture clearly

The most effective AML programs treat anti-money laundering compliance as a continuous improvement process. Regular self-assessment using an AML compliance checklist like this one — combined with ongoing risk monitoring and regulatory awareness — ensures your program keeps pace with evolving threats and expectations.
