Anti-Money Laundering (AML) Checklist

Capture name, date of birth, residential address (no PO boxes for individuals), and SSN or TIN per 31 CFR 1020.220. For non-US persons, collect passport number and country of issuance plus a US taxpayer ID where applicable.

Run identity verification through LexisNexis Bridger, IDology, or equivalent. Document the method used — drivers license image match, knowledge-based authentication, or credit-header lookup. Discrepancies (address mismatch, deceased indicator) require manual resolution before account funding.

Screen the account holder, joint owner, beneficiaries, trustees, authorized traders, and any 25%+ beneficial owner against the OFAC SDN list, consolidated sanctions, and PEP databases. Re-screen on every party add — not just at onboarding.

Per FinCEN's CDD rule, collect identifying information for each individual owning 25%+ of the legal entity plus one control person. Common gotcha: trusts and tiered LLCs require look-through to the ultimate beneficial owner, not just the first layer.

Capture expected funding source (W-2 income, business proceeds, inheritance, sale of property), expected monthly transaction volume, and purpose of the account. This is the baseline that transaction monitoring measures activity against.

Score using the firm's risk matrix: customer type, geography (FATF high-risk jurisdictions), product (cash-intensive, private banking, correspondent), and delivery channel. PEPs, foreign nationals, and cash-intensive businesses default to high risk.

Pull alerts from Verafin, Actimize, Alessa, or the bank core's monitoring module. Common alert types: structuring (transactions just under $10K CTR threshold), velocity (sudden activity spike vs. baseline), high-risk geography, and rapid in-and-out movement.

For each alert, document the customer's expected baseline, what triggered the alert, the investigator's review of recent activity, and the disposition. Thin documentation (just "cleared - no concerns") is the most common BSA exam citation.

FinCEN Form 112 due within 15 calendar days of the reportable transaction. Aggregate same-day cash transactions by the same person across branches. File via the BSA E-Filing System.

BSA officer, compliance, and a business-line representative review the case file and decide whether the activity meets the SAR threshold (knows, suspects, or has reason to suspect). Document the decision either way — no-file decisions are exam-reviewable too.

High-risk customers reviewed annually, medium every 2 years, low every 3. Re-verify identifiers, beneficial ownership for entities, and that expected activity still matches actual activity.

Any change to wire instructions received via email requires a verbal call-back to a known phone number on file — never the number in the change-request email. Business email compromise is the most common operational fraud vector in financial services.

Tailor content by role: tellers and CSAs see CTR/structuring scenarios, lending sees layered fraud schemes, advisors see PEP and source-of-wealth red flags. Generic one-size training is an exam finding.

BSA pillar requires independent testing — internal audit, an outside firm, or a qualified person not involved in day-to-day BSA operations. Scope covers CIP, CDD/EDD, monitoring, SAR/CTR, OFAC, training, and recordkeeping.