Anti-Money Laundering Compliance Checklist

Firm Risk Assessment

    Score each practice area against the ABA's risk indicators — real estate closings, trust and estate work, company formation, and large cash retainers carry elevated risk. Solo immigration and family practices are typically lower risk. Cite the matter-type breakdown from the prior year's matter open log.

    Pull the current FATF black-list and grey-list and cross-reference against any client domicile, beneficial owner residence, or counterparty location in the matter book. OFAC sanctioned jurisdictions (Cuba, Iran, North Korea, Syria, Russia/Crimea) trigger automatic EDD or representation decline.

    The written risk assessment must be approved by the managing partner or AML compliance committee and dated. Bar examiners and Treasury/FinCEN guidance both expect a written, dated, partner-signed assessment refreshed at least annually.

AML Policies and Controls

    The MLRO is the named partner-level attorney responsible for SAR decisions, OFAC escalations, and bar inquiries. Record the appointment in the firm's policy manual and notify all attorneys and staff. Include a backup MLRO so the program has no single point of failure when the primary is on vacation or in trial.

    The manual should cover client onboarding identification, beneficial-ownership collection under the Corporate Transparency Act, OFAC/PEP screening cadence, IOLTA red-flag indicators, SAR triggers, and the no-tipping-off rule under 31 U.S.C. § 5318(g)(2). Reference Rule 1.15 (safekeeping property) and the state bar's IOLTA handbook.

    Walk the policy manual against the ABA's Voluntary Good Practices Guidance for Lawyers to Detect and Combat Money Laundering. Note any gaps in writing — the gap log is what auditors and bar counsel will ask to see.

Client Due Diligence

    Collect and image a passport, driver's license, or state ID for each individual client. For entity clients, collect formation documents, EIN, and certified beneficial-ownership information. Hard-block matter open in the practice management system until ID is on file.

    Run the client, beneficial owners, and known counterparties through the OFAC SDN list and a PEP/adverse-media database (LexisNexis Bridger, Refinitiv World-Check, or Clio's screening integration). False-positive name matches happen often; document the disposition reasoning before clearing.

    Capture every individual owning 25%+ of the entity plus one individual exercising substantial control, per FinCEN's Corporate Transparency Act reporting standard. Layered ownership through holding companies is a known structuring pattern — trace through to the human at the top.

    For PEPs, sanctions-list possible matches, or clients tied to high-risk jurisdictions, document source of funds and source of wealth, obtain MLRO written approval before matter open, and set the file for quarterly re-screening rather than annual.

Ongoing Monitoring and SAR Reporting

    Pull the trust ledger for the period and flag deposits structured below the $10,000 CTR threshold, third-party retainer payments, unexplained cash, and refund requests shortly after deposit. Cross-reference against three-way reconciliation already performed under Rule 1.15.

    The MLRO reviews flagged transactions against the Bank Secrecy Act suspicious-activity indicators. Note that attorney-client privilege does not override the SAR obligation when the firm itself acts as a financial institution (settlement agent, real estate closing). Document the reasoning either way — the file is what bar counsel will ask for.

    SARs are due within 30 days of detecting suspicious activity. File through the FinCEN BSA E-Filing System and store the BSA ID confirmation in the encrypted compliance folder — never in the matter file. Do not communicate the filing to the client; the no-tipping-off rule under 31 U.S.C. § 5318(g)(2) carries criminal penalties.

Training and Awareness

    All attorneys, paralegals, intake staff, and bookkeepers attend. Cover the firm's risk assessment findings, current red-flag typologies, the OFAC screening workflow, and the no-tipping-off rule. State bar ethics CLE credit can usually be claimed for the attorney portion.

    Intake specialists are the first line of defense — they see retainer source, third-party payers, and structuring attempts before anyone else. Walk through three real (anonymized) red-flag scenarios from the prior year so the training is concrete, not abstract.

    Capture the sign-in sheet and any quiz-completion certificates. Bar audits frequently ask for the training log going back five years, so retention here matters as much as the training itself.

Independent Audit and Review

    Use an outside compliance consultant or a non-MLRO partner from a different practice group — the auditor cannot be the MLRO or anyone reporting to the MLRO. Scope covers risk assessment, CDD samples, screening logs, SAR file, training records, and policy manual currency.

    The managing partner or AML committee receives the findings in a written report. Categorize each finding by severity and assign a partner owner before the meeting closes; open findings without an owner are the most common audit follow-through failure.

    Capture each audit finding, the remediation plan, the partner owner, and a target completion date. The remediation log feeds the next year's risk assessment in section one — close the loop.
