Anti-Money Laundering Compliance Checklist

Firm-Wide Risk Assessment

    Identify which of the firm's engagements trigger AML obligations — trust account administration, company formation, third-party payment handling, and certain advisory services. Pure tax-prep and audit work generally fall outside FinCEN's MSB rules but may be captured by state-level requirements or proposed AICPA guidance.

    Apply a tiered scoring model — low, medium, high — using FATF high-risk jurisdiction lists, OFAC sanctioned countries, client industry (cash-intensive businesses, MSBs, crypto), and entity opacity (multi-layer LLCs, foreign trusts). Document the scoring matrix; examiners want to see the methodology, not just the outcome.

    Attach the completed risk assessment, including methodology, scoring rubric, top-risk clients, and partner sign-off. This is the foundation document referenced by every downstream control; refresh annually or upon a material change in services or client base.

AML Policies and Internal Controls

    The written program must address the four pillars: internal controls, a designated compliance officer, ongoing training, and independent testing. Cross-reference the firm's WISP (IRS Pub 4557) so data-security and AML controls are not maintained as parallel silos.

    Name a partner or senior manager with authority and resources to enforce the program. Document reporting lines to the managing partner; the officer cannot be the same person whose work they review for SAR triggers.

    Define how staff escalate red flags — structuring, rapid pass-through transactions, unexplained third-party deposits — to the compliance officer. Include a written timeline (typically 24–48 hours from detection to officer review) and a non-tip-off rule per 31 CFR 1023.320(e).

KYC and Customer Due Diligence

    Identify each individual owning 25%+ and one control-prong individual. Capture name, DOB, address, and SSN/ITIN/passport. Coordinate with the firm's BOI reporting workflow under the Corporate Transparency Act — the data overlap is significant but the retention rules differ.

    Run names through OFAC's SDN list and a PEP screening service (Refinitiv World-Check, ComplyAdvantage, or equivalent). Document each search with timestamp and result; rescreen quarterly for high-risk clients and on any list update.

    EDD includes source-of-funds documentation, expanded ownership tracing, adverse-media review, and partner approval to retain the engagement. For confirmed hits, halt onboarding and consult counsel before any further client contact to avoid tipping-off violations.

    Refresh annually for high-risk clients, every two years for medium-risk, and every three years for low-risk. Trigger an immediate refresh on ownership changes, name changes, address changes to a high-risk jurisdiction, or any SAR-adjacent activity.

Employee Training and Awareness

    Cover the firm's program, recent FinCEN advisories, current red-flag typologies, and the staff escalation path. Tailor content by role — bookkeepers see different patterns than tax preparers or trust administrators. Most state CPA boards accept this for ethics CPE.

    Use a short scenario quiz drawn from FinCEN's published typologies — structuring under the $10K CTR threshold, funnel-account use, sudden wire activity inconsistent with stated business. A passing threshold of 80% is typical; remediate failures with one-on-one coaching.

    Attach the attendance roster, training deck, and quiz results. Retain for the same period as other AML records — five years minimum from termination or last engagement.

Recordkeeping and Regulatory Reporting

    BSA recordkeeping is five years from account closure or transaction date. Store in the firm's document-management system (SmartVault, ShareFile, TaxDome) under access controls — not on individual laptops or personal cloud. The WISP should already cover the encryption and access-log requirements.

    The compliance officer reviews the period's escalations and red-flag reports. Document the review even when no SAR is filed — examiners want to see the analysis trail, not just the filings.

    SAR is filed via the BSA E-Filing System within 30 calendar days of initial detection (60 if no suspect identified). Narrative must include the who/what/when/where/why/how. Do not disclose the filing to the client or any third party — non-disclosure is statutory under 31 USC 5318(g)(2).

    Aggregate cash transactions by or on behalf of the same person in a single business day. Form 8300 (the equivalent for trades and businesses receiving cash) is due within 15 days of the transaction. Watch for structuring patterns — multiple sub-$10K deposits across days are themselves a SAR trigger.
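The daily aggregation and multi-day structuring checks described above, as an added illustration (not part of the Manifestly template and not the firm's own tooling). It assumes a simple list of cash-receipt records and uses constructed sample data; the five-day window and three-deposit minimum are assumed tuning values, and calendar dates stand in for business days.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Cash received in excess of this amount in one day triggers CTR / Form 8300 reporting.
CTR_THRESHOLD = Decimal("10000")

# Constructed sample receipts: (person, date, cash amount). Not real client data.
SAMPLE_RECEIPTS = [
    {"person": "Alice", "date": date(2024, 3, 4), "amount": Decimal("6000")},
    {"person": "Alice", "date": date(2024, 3, 4), "amount": Decimal("5000")},
    {"person": "Bob",   "date": date(2024, 3, 4), "amount": Decimal("9500")},
    {"person": "Bob",   "date": date(2024, 3, 5), "amount": Decimal("9800")},
    {"person": "Bob",   "date": date(2024, 3, 6), "amount": Decimal("9700")},
    {"person": "Carol", "date": date(2024, 3, 4), "amount": Decimal("2000")},
]


def daily_aggregates(receipts):
    """Sum cash by (person, day). Calendar date is used as a stand-in for
    business day; a production rule would map weekends/holidays accordingly."""
    totals = defaultdict(Decimal)
    for r in receipts:
        totals[(r["person"], r["date"])] += r["amount"]
    return dict(totals)


def ctr_candidates(receipts):
    """(person, day, total) for every day whose aggregate exceeds the threshold,
    even when no single receipt does. Sorted for stable output."""
    hits = [
        (person, day, total)
        for (person, day), total in daily_aggregates(receipts).items()
        if total > CTR_THRESHOLD
    ]
    return sorted(hits)


def structuring_candidates(receipts, window_days=5, min_count=3):
    """Flag a person whose individually sub-threshold receipts, taken over a
    rolling window, number at least min_count and together exceed the threshold.
    Returns {person: (first_day, last_day, window_total)} for the first window
    that trips the rule. window_days/min_count are assumed tuning values."""
    by_person = defaultdict(list)
    for r in receipts:
        if r["amount"] <= CTR_THRESHOLD:  # only sub-threshold items can be "structured"
            by_person[r["person"]].append(r)

    flagged = {}
    for person, items in by_person.items():
        items.sort(key=lambda r: r["date"])
        for i, start in enumerate(items):
            window = [r for r in items[i:] if (r["date"] - start["date"]).days < window_days]
            total = sum((r["amount"] for r in window), Decimal(0))
            if len(window) >= min_count and total > CTR_THRESHOLD:
                flagged[person] = (start["date"], window[-1]["date"], total)
                break  # one hit per person is enough for an escalation
    return flagged


if __name__ == "__main__":
    for person, day, total in ctr_candidates(SAMPLE_RECEIPTS):
        print(f"CTR/8300 review: {person} on {day} aggregated {total}")
    for person, (first, last, total) in structuring_candidates(SAMPLE_RECEIPTS).items():
        print(f"Structuring review: {person} {first}..{last} sub-threshold total {total}")
```

Both functions only surface candidates for the compliance officer's review; the decision to file, and the narrative, remain a human judgment documented under the review step above.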

Independent Testing and Remediation

    The reviewer cannot report to or be supervised by the compliance officer. Options include a different partner, an outside CPA firm with AML expertise, or a specialty consultancy. Scope must cover all four pillars — examiners specifically check that testing reaches into transaction sampling, not just policy review.

    Review each finding, assign an owner, and set a remediation due date. Attach the final report; this is the document examiners ask for first when opening a BSA exam.

    Open findings carry forward to the next year's audit and weigh heavily in any examiner review. The managing partner should sign off on each closure; unaddressed prior-year findings are the most common citation in BSA enforcement actions against small firms.
