Anti-Money Laundering (AML) Checklist
Customer Identification Program (CIP)
Capture name, date of birth, residential address (no PO boxes for individuals), and SSN or TIN per 31 CFR 1020.220. For non-US persons, collect passport number and country of issuance plus a US taxpayer ID where applicable.
Run identity verification through LexisNexis Bridger, IDology, or equivalent. Document the method used — driver's license image match, knowledge-based authentication, or credit-header lookup. Discrepancies (address mismatch, deceased indicator) require manual resolution before account funding.
Screen the account holder, joint owner, beneficiaries, trustees, authorized traders, and any 25%+ beneficial owner against the OFAC SDN list, consolidated sanctions, and PEP databases. Re-screen on every party add — not just at onboarding.
A confirmed SDN match requires immediate blocking of any assets and 10-business-day reporting to OFAC. Do not notify the customer of the block. Escalate to the BSA officer before any further action.
Customer Due Diligence and Risk Rating
Per FinCEN's CDD rule, collect identifying information for each individual owning 25%+ of the legal entity plus one control person. Common gotcha: trusts and tiered LLCs require look-through to the ultimate beneficial owner, not just the first layer.
Capture expected funding source (W-2 income, business proceeds, inheritance, sale of property), expected monthly transaction volume, and purpose of the account. This is the baseline that transaction monitoring measures activity against.
Score using the firm's risk matrix: customer type, geography (FATF high-risk jurisdictions), product (cash-intensive, private banking, correspondent), and delivery channel. PEPs, foreign nationals, and cash-intensive businesses default to high risk.
EDD includes adverse media search, source-of-wealth documentation (not just source of funds), senior management approval for PEPs, and a heightened ongoing review cadence. Document the specific EDD steps taken in the customer file.
Transaction Monitoring and Investigation
Pull alerts from Verafin, Actimize, Alessa, or the bank core's monitoring module. Common alert types: structuring (transactions just under $10K CTR threshold), velocity (sudden activity spike vs. baseline), high-risk geography, and rapid in-and-out movement.
For each alert, document the customer's expected baseline, what triggered the alert, the investigator's review of recent activity, and the disposition. Thin documentation (just "cleared - no concerns") is the most common BSA exam citation.
The CTR (FinCEN Form 112) is due within 15 calendar days of the reportable transaction. Aggregate same-day cash transactions by the same person across branches. File via the BSA E-Filing System.
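The aggregation and alert rules described above (same-day cash aggregated per person across branches for the CTR, structuring just under the threshold, and velocity against the CDD baseline) as a worked example. This is added illustration code, not the page's own procedure or any vendor's monitoring module; the transactions, the structuring band, the 3-day window and the 3x velocity multiplier are all constructed assumptions for the demonstration, and the alert records carry the baseline and trigger fields that the case-file documentation step expects.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000.0        # currency transactions over $10,000 per person per day trigger a CTR
STRUCTURING_FLOOR = 8_000.0     # assumed lower bound of the "just under $10K" band
STRUCTURING_WINDOW_DAYS = 3     # assumed rolling window for a structuring pattern
VELOCITY_MULTIPLIER = 3.0       # assumed: alert when window volume exceeds 3x the expected monthly baseline


@dataclass(frozen=True)
class Txn:
    customer_id: str
    when: date
    branch: str
    amount: float   # cash-in amount in USD


def aggregate_daily_cash(txns):
    """Sum same-day cash by the same person across all branches (the CTR aggregation rule)."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer_id, t.when)] += t.amount
    return dict(totals)


def ctr_candidates(txns):
    """(customer, day, total) for every aggregated daily total that exceeds the CTR threshold."""
    return sorted((cust, day, total)
                  for (cust, day), total in aggregate_daily_cash(txns).items()
                  if total > CTR_THRESHOLD)


def structuring_alerts(txns):
    """Customers with 2+ in-band deposits inside the window whose sum crosses the threshold.

    Each deposit alone stays under the CTR line, which is the pattern the alert looks for.
    """
    by_cust = defaultdict(list)
    for t in txns:
        if STRUCTURING_FLOOR <= t.amount <= CTR_THRESHOLD:
            by_cust[t.customer_id].append(t)
    alerts = []
    for cust, items in by_cust.items():
        items.sort(key=lambda t: t.when)
        for i, first in enumerate(items):
            window_end = first.when + timedelta(days=STRUCTURING_WINDOW_DAYS - 1)
            cluster = [t for t in items[i:] if t.when <= window_end]
            total = sum(t.amount for t in cluster)
            if len(cluster) >= 2 and total > CTR_THRESHOLD:
                alerts.append((cust, first.when, round(total, 2)))
                break  # one alert per customer; the investigator reviews the full window
    return alerts


def velocity_alerts(txns, expected_monthly):
    """Compare each customer's volume in the monitoring window against the CDD baseline.

    Assumes txns cover one monitoring window (about a month). A customer with no recorded
    baseline has an expected volume of 0, so any activity alerts: missing CDD is itself a finding.
    """
    volume = defaultdict(float)
    for t in txns:
        volume[t.customer_id] += t.amount
    return sorted((cust, round(vol, 2), expected_monthly.get(cust, 0.0))
                  for cust, vol in volume.items()
                  if vol > VELOCITY_MULTIPLIER * expected_monthly.get(cust, 0.0))


def alert_records(txns, expected_monthly):
    """Case-file records: baseline plus what triggered the alert, ready for the disposition field."""
    records = []
    for cust, day, total in ctr_candidates(txns):
        records.append({"customer": cust, "type": "CTR", "baseline": expected_monthly.get(cust),
                        "trigger": f"aggregated cash {total:,.2f} on {day}", "disposition": ""})
    for cust, start, total in structuring_alerts(txns):
        records.append({"customer": cust, "type": "STRUCTURING", "baseline": expected_monthly.get(cust),
                        "trigger": f"{total:,.2f} in under-threshold deposits from {start}", "disposition": ""})
    for cust, vol, baseline in velocity_alerts(txns, expected_monthly):
        records.append({"customer": cust, "type": "VELOCITY", "baseline": baseline,
                        "trigger": f"window volume {vol:,.2f} vs baseline {baseline:,.2f}", "disposition": ""})
    return records


# Constructed sample data (not real customers or transactions).
SAMPLE_TXNS = [
    # C001: two branches, same day, each under $10K, aggregated $11,000 -> CTR due
    Txn("C001", date(2024, 3, 4), "BR-01", 6_000.00),
    Txn("C001", date(2024, 3, 4), "BR-07", 5_000.00),
    # C002: three deposits just under $10K on consecutive days -> structuring alert, no single-day CTR
    Txn("C002", date(2024, 3, 5), "BR-02", 9_500.00),
    Txn("C002", date(2024, 3, 6), "BR-02", 9_700.00),
    Txn("C002", date(2024, 3, 7), "BR-03", 9_400.00),
    # C003: one deposit far above the CDD baseline -> velocity alert and CTR
    Txn("C003", date(2024, 3, 8), "BR-01", 40_000.00),
    # C004: ordinary activity within baseline -> no alerts
    Txn("C004", date(2024, 3, 8), "BR-05", 1_200.00),
    Txn("C004", date(2024, 3, 15), "BR-05", 900.00),
]
# Expected monthly volume captured at onboarding (constructed CDD baselines).
EXPECTED_MONTHLY = {"C001": 12_000.0, "C002": 30_000.0, "C003": 5_000.0, "C004": 4_000.0}

if __name__ == "__main__":
    for rec in alert_records(SAMPLE_TXNS, EXPECTED_MONTHLY):
        print(rec)
```

The three detectors are deliberately independent: C001 trips the CTR aggregation without any structuring pattern, C002 trips structuring while every single day stays under the CTR line, and C003 trips both velocity and CTR. Production systems tune the band, window and multiplier per risk rating; the point of the example is that the baseline captured at onboarding is what the velocity rule measures against, and that each alert record leaves a blank disposition for the investigator to fill rather than an implied "cleared".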
BSA officer, compliance, and a business-line representative review the case file and decide whether the activity meets the SAR threshold (knows, suspects, or has reason to suspect). Document the decision either way — no-file decisions are exam-reviewable too.
The SAR (FinCEN Form 111) narrative is the heart of the filing — describe the who, what, when, where, why, and how in plain language. Weak narratives draw MRAs at the next exam. Maintain strict SAR confidentiality; do not tip off the subject.
Recordkeeping and Ongoing Review
Review high-risk customers annually, medium-risk customers every 2 years, and low-risk customers every 3 years. Re-verify identifiers, beneficial ownership for entities, and that expected activity still matches actual activity.
Any change to wire instructions received via email requires a verbal call-back to a known phone number on file — never the number in the change-request email. Business email compromise is the most common operational fraud vector in financial services.
Retain CIP records, CTRs, SARs and supporting documentation, monitoring alerts, and investigation files for at least five years from account closure or filing date. SAR-related records have specific confidentiality controls.
Training and Independent Audit
Tailor content by role: tellers and CSAs see CTR/structuring scenarios, lending sees layered fraud schemes, advisors see PEP and source-of-wealth red flags. Generic one-size training is an exam finding.
The independent-testing pillar of the BSA program requires testing by internal audit, an outside firm, or a qualified person not involved in day-to-day BSA operations. Scope covers CIP, CDD/EDD, monitoring, SAR/CTR, OFAC, training, and recordkeeping.
Each audit finding gets a named owner, target date, and verification step. Findings that repeat cycle over cycle are the most damaging exam pattern — treat closure as a hard SLA, not a goal.
