AML / BSA Compliance Checklist

Customer Identification & CDD

    Capture the four CIP elements per 31 CFR 1020.220: legal name, date of birth, residential or business address (no P.O. boxes for individuals), and TIN / SSN / EIN. Retain a copy of the government-issued photo ID. Reject foreign-only ID without secondary documentation.

    Run the applicant through LexisNexis Bridger, IDology, or your core's KYC module. Document any non-match findings and clear them before account opening — a soft hit on address mismatch is often a red flag worth a phone call before approval.

    Per the FinCEN CDD rule, identify every individual owning 25% or more of the legal entity plus one control person. Collect the FinCEN Certification of Beneficial Owners form and screen each named individual through CIP and OFAC. Common gotcha: trust and LLC layering that obscures the ultimate beneficial owner.

    CDD requires understanding the nature and purpose of the relationship. Document occupation, employer, expected transaction volume, and source of initial funding (payroll, business revenue, sale of property, inheritance). Vague answers like 'savings' on a $500K opening deposit warrant follow-up.

    Run the customer and beneficial owners through your PEP and adverse media list (Refinitiv World-Check, ComplyAdvantage, or equivalent). PEP status doesn't prohibit the relationship but triggers enhanced due diligence and senior management approval.

    For confirmed PEPs: obtain senior management approval before opening, document expanded source-of-wealth narrative (not just source of funds), and set monthly transaction review for the first year. Foreign PEPs from high-risk jurisdictions require BSA officer sign-off.

Transaction Monitoring

    Review Verafin, Actimize, or Alessa rule thresholds against current customer base composition. A community bank scenario tuned at industry-default thresholds tends to bury the BSA team in false positives — calibrate to your risk profile and document the rationale.

    Each alert needs a documented disposition: cleared, monitor further, or escalate. Avoid the common audit finding of stale alerts more than 30 days old without resolution. Capture the analyst's reasoning, not just the disposition code.

    Pull cash deposits and withdrawals between $9,000 and $9,999 and look for customers with multiple sub-CTR transactions across branches or days. Structuring is itself a SAR-reportable suspicious activity, separate from any underlying offense.

    For each investigation, write a narrative covering what was reviewed (account history, prior alerts, KYC file), what the customer's stated business purpose is, and why the activity is or is not suspicious. The narrative is what an examiner reads — bullet-point dispositions aren't enough.

Sanctions Screening

    Run the full customer base — including beneficial owners, signers, and recent wire counterparties — against the current OFAC SDN list, sectoral sanctions lists, and any active country-based programs (Russia, Iran, North Korea, Cuba, Syria, Venezuela). OFAC updates the SDN list frequently; screen at a weekly minimum cadence.

    Beyond OFAC, screen against your PEP and adverse media data feed. Negative news on a customer — fraud allegations, indictments, regulatory actions — is a CDD trigger to revisit risk rating even when not a sanctions hit.

    Most hits are false positives on common names. Compare DOB, address, nationality, and any other identifiers before clearing. Document the comparison; OFAC enforcement looks for the analyst's work, not just the final cleared status.

    On a confirmed SDN match, block the property immediately and file a Blocked Property Report with OFAC within 10 business days. Reject (don't block) for non-SDN sanctions program transactions per OFAC guidance. The annual report is due September 30.

Customer Risk Rating

    Score each customer on geography (FATF high-risk jurisdictions), customer type (cash-intensive business, MSB, NGO, foreign correspondent), product use (wires, ACH, foreign), and behavior. Document weighting and don't override the model output without a written justification.

    The final tier drives review cadence: Low = annual refresh, Medium = semi-annual, High = quarterly with senior compliance review. Be prepared to defend Medium ratings on cash-intensive small businesses — examiners often expect High.

    Calendar the next refresh date in the BSA system based on the assigned tier. The most common audit finding here is missed annual refreshes on Low-risk customers — set the recurring ticker before closing this file.

    For High-tier customers, lower transaction monitoring thresholds, add manual quarterly account review, document expected activity baseline, and require BSA officer sign-off on any product expansion (wires, foreign correspondents, RDC).

Regulatory Reporting & Recordkeeping

    File FinCEN Form 112 for any cash transaction, or aggregated same-day cash transactions, over $10,000. Aggregate across branches and across the same beneficial owner. File via the BSA E-Filing System; late filings draw FinCEN civil money penalties.

    FinCEN Form 111. The 30-day clock runs from the date suspicion is established, not the transaction date. Narrative is the most-cited weakness in BSA exams — cover the five Ws plus why-this-is-suspicious in plain language. Never tip off the customer.

    The BSA pillar requires independent testing — internal audit, external CPA firm, or qualified consultant. Scope must cover CIP, CDD, monitoring, OFAC, training, and SAR/CTR. Findings memo goes to the board's audit committee.

    Retention runs from the date of the SAR or CTR filing, or from account closure for CIP records. Confirm document management (NetDocuments, Laserfiche, or core archive) holds the full file: CIP, CDD, beneficial owner certification, risk rating, alerts, narratives, and filings.

    Quarterly board reporting from the BSA officer: SAR/CTR volumes, alert backlog, training completion, audit findings status, and material risk changes. Document board minutes — a common exam request.
