Anti-Money Laundering Compliance Checklist

Annual AML compliance program for an accounting or bookkeeping firm whose services fall within BSA/FinCEN scope. The compliance officer runs this with support from partners, client-facing staff, and an independent reviewer.

1. Firm-Wide Risk Assessment

  1. Map services in BSA and FinCEN scope
    • Identify which of the firm's engagements trigger AML obligations — trust account administration, company formation, third-party payment handling, and certain advisory services. Pure tax-prep and audit work generally fall outside FinCEN's MSB rules but may be captured by state-level requirements or proposed AICPA guidance.

  2. Score client and geographic risk
    • Apply a tiered scoring model — low, medium, high — using FATF high-risk jurisdiction lists, OFAC sanctioned countries, client industry (cash-intensive businesses, MSBs, crypto), and entity opacity (multi-layer LLCs, foreign trusts). Document the scoring matrix; examiners want to see the methodology, not just the outcome.

  3. Document the risk assessment workpaper
    • Attach the completed risk assessment, including methodology, scoring rubric, top-risk clients, and partner sign-off. This is the foundation document referenced by every downstream control; refresh annually or upon a material change in services or client base.

2. AML Policies and Internal Controls

  1. Update the written AML compliance program
    • The written program must address the four pillars: internal controls, designated compliance officer, ongoing training, and independent testing. Cross-reference the firm's WISP (IRS Pub 4557) so data-security and AML controls are not maintained as parallel siloes.

  2. Designate the BSA/AML compliance officer
    • Name a partner or senior manager with authority and resources to enforce the program. Document reporting lines to the managing partner; the officer cannot be the same person whose work they review for SAR triggers.

  3. Document the SAR detection workflow
    • Define how staff escalate red flags — structuring, rapid pass-through transactions, unexplained third-party deposits — to the compliance officer. Include a written timeline (typically 24–48 hours from detection to officer review) and a non-tip-off rule per 31 CFR 1023.320(e).

3. KYC and Customer Due Diligence

  1. Collect beneficial ownership per the CDD rule
    • Identify each individual owning 25%+ and one control-prong individual. Capture name, DOB, address, and SSN/ITIN/passport. Coordinate with the firm's BOI reporting workflow under the Corporate Transparency Act — the data overlap is significant but the retention rules differ.

  2. Screen clients against OFAC SDN and PEP lists
    • Run names through OFAC's SDN list and a PEP screening service (Refinitiv World-Check, ComplyAdvantage, or equivalent). Document each search with timestamp and result; rescreen quarterly for high-risk clients and on any list update.

  3. Apply enhanced due diligence to flagged clients
    • EDD includes source-of-funds documentation, expanded ownership tracing, adverse-media review, and partner approval to retain the engagement. For confirmed hits, halt onboarding and consult counsel before any further client contact to avoid tipping-off violations.

  4. Refresh KYC files for existing clients
    • Annual refresh for high-risk clients, every two years for medium, every three for low. Trigger an immediate refresh on ownership changes, name changes, address changes to a high-risk jurisdiction, or any SAR-adjacent activity.

4. Employee Training and Awareness

  1. Deliver annual AML training to client-facing staff
    • Cover the firm's program, recent FinCEN advisories, current red-flag typologies, and the staff escalation path. Tailor content by role — bookkeepers see different patterns than tax preparers or trust administrators. Most state CPA boards accept this for ethics CPE.

  2. Test staff on red-flag scenarios
    • Use a short scenario quiz drawn from FinCEN's published typologies — structuring under the $10K CTR threshold, funnel-account use, sudden wire activity inconsistent with stated business. A passing threshold of 80% is typical; remediate failures with one-on-one coaching.

  3. Capture training completion records
    • Attach the attendance roster, training deck, and quiz results. Retain for the same period as other AML records — five years minimum from termination or last engagement.

5. Recordkeeping and Regulatory Reporting

  1. Retain KYC and transaction records for five years
    • BSA recordkeeping is five years from account closure or transaction date. Store in the firm's document-management system (SmartVault, ShareFile, TaxDome) under access controls — not on individual laptops or personal cloud. The WISP should already cover the encryption and access-log requirements.

  2. Confirm whether suspicious activity was detected
    • Compliance officer reviews the period's escalations and red-flag reports. Document the review even when no SAR is filed — examiners want to see the analysis trail, not just the filings.

  3. File the SAR with FinCEN within 30 days
    • SAR is filed via the BSA E-Filing System within 30 calendar days of initial detection (60 if no suspect identified). Narrative must include the who/what/when/where/why/how. Do not disclose the filing to the client or any third party — non-disclosure is statutory under 31 USC 5318(g)(2).

  4. File CTRs for cash transactions over ten thousand dollars
    • Aggregate cash transactions by or on behalf of the same person in a single business day. Form 8300 (the equivalent for trades and businesses receiving cash) is due within 15 days of the transaction. Watch for structuring patterns — multiple sub-$10K deposits across days are themselves a SAR trigger.

6. Independent Testing and Remediation

  1. Engage an independent reviewer for the annual audit
    • The reviewer cannot report to or be supervised by the compliance officer. Options include a different partner, an outside CPA firm with AML expertise, or a specialty consultancy. Scope must cover all four pillars — examiners specifically check that testing reaches into transaction sampling, not just policy review.

  2. Walk through audit findings with the compliance officer
    • Review each finding, assign an owner, and set a remediation due date. Attach the final report; this is the document examiners ask for first when opening a BSA exam.

  3. Track remediation of audit findings to closure
    • Open findings carry forward to the next year's audit and weigh heavily in any examiner review. The managing partner should sign off on each closure; unaddressed prior-year findings are the most common citation in BSA enforcement actions against small firms.
