April 24, 2026 · 7 min read
AML Compliance Checklist: A Self-Audit Guide for FIs
When maintaining an effective and regulatorily sound anti-money laundering (AML) program, the stakes are high for banks. Law firm Paul, Weiss, Rifkind, Wharton & Garrison LLP reports that US authorities issued $940 million in AML and sanctions violation penalties in 2025.¹
To avoid costly penalties, remediation, and reputational damage, financial institutions must stress-test their AML programs. Following this nine-point compliance checklist will guide you through the critical components of an effective AML program to reveal vulnerabilities and position your organization for future threats and regulatory changes.
Key Takeaways
- In 2025, US authorities issued $940 million in anti-money laundering (AML) and sanctions violation penalties, according to the law firm Paul, Weiss, Rifkind, Wharton & Garrison LLP.
- Banks and financial institutions should stress-test their AML programs using a thorough checklist to avoid regulatory fines, remediation, or reputational damage.
- Using an AML checklist can help financial institutions uncover vulnerabilities and appoint individuals into critical roles to ensure compliance.
- Checklist processes include setting an organization’s preferred risk appetite, conducting a risk assessment, keeping records of important insights and patterns, and more.
1. Define Your Risk Appetite, AML Framework & Culture of Compliance
Your organization will have a “risk appetite/tolerance” that sets the tone from the top and defines how much risk the organization is willing to accept in its business operations. Is it risk-averse or a risk-taker? Somewhere in between is the likely outcome.
A risk-based approach will be the crux of your AML program and its control structure. View everything from onboarding clients to product/service usage to monitoring their activity through a risk lens. Consider your FI’s risk appetite as you move on to the next step, your risk assessment.
Hire a Money Laundering Reporting Officer (MLRO) who understands current regulations and critical jurisdictional risks. This individual must be hyper-focused on the AML program and not distracted by “additional” responsibilities. They must understand your organization’s risk appetite and build a culture of compliance across the organization that supports it.
2. Conduct a Comprehensive AML Risk Assessment
An end-to-end risk assessment should be the next item on your FI’s AML compliance checklist. FIs need to understand if any area (or areas) of business operations, products, and/or services are vulnerable to money laundering activities. Ensure your controls address your risks; if there are gaps, fix them swiftly.
Include a Model Risk Assessment (MRA) for any AI and machine learning systems used to determine customer risk. The MRA should assess potential biases, data quality risk, and the model’s impact on outcomes.
It’s also a good time to look at the geopolitical landscape, perform horizon scanning for known or emerging typologies, and assess whether some regions are becoming riskier due to shifting political events. While you’re at it, consider if customers are still using your product and services in the same manner. Has the risk profile of your business offerings changed, and therefore, so have the risks?
“Regulators worldwide are moving beyond technical compliance and now expect proof that controls work, not just that they exist…AML programs must modernize quickly to keep up with technology that is reshaping both crime and compliance.” — Karin Yuklea, AML Subject Matter Expert, Feedzai
3. Establish Internal Controls and AML Policies
Risk assessment complete. Next item on your FI’s AML compliance checklist: are there any gaps in your internal controls? As one of the main pillars of an AML compliance program, effective internal controls are essential. Keep them fresh, keep them applicable, and try not to layer too many when fewer are just as impactful. Consult with relevant stakeholders.
Are your controls (and processes) sorted? How are your AML policies looking? These policies range from clearly addressing AML strategy to how your organization will onboard new customers, flag and investigate suspicious activities, monitor transactions, maintain adequate record-keeping, communicate effectively, and identify the regional and global regulations the FI needs to follow. Your organization should regularly evaluate and monitor your AML compliance program for adequacy, effectiveness, and deficiencies.
4. Staff Training & Ongoing AML Education
A financial institution’s staff is responsible for ensuring the organization consistently meets its AML compliance responsibilities. Take appropriate steps to ensure staff is trained on the latest policies, understands the regulatory landscape, and operates with a compliance-first mindset. Training and education sessions should not be considered “one-and-done” tasks. This will be an ongoing effort as the regulatory landscape changes and FIs update their controls to consider new risks and threats.
5. Customer Due Diligence (CDD): Onboarding and Lifecycle
The Customer Due Diligence (CDD) pillar is a crucial component in the fight against financial crime. FIs need to understand the “why” and “how” their customers intend to interact with them. This happens during onboarding and should continue throughout the customer lifecycle. This process entails assessing the customer’s demographic data, screening them against global watchlists and adverse media, analyzing the beneficial ownership that a person has over a business (if applicable), and assessing inherent risks.
FIs should consider taking their CDD to the next level by embracing a solution that also incorporates operational and transactional patterns as well as interactions into a customer’s risk profile. Given the continual evolution of cryptocurrency in the global economic sphere, firms should factor in these unique risks as well.
6. Sanctions, Watchlist Screening, and PEPs
The consequences of doing business with an individual or entity named on a global sanctions watchlist are severe for FIs. There will be investigations, fines, and public scandals for allowing sanctioned individuals and entities to conduct business with your institution.
Sanctions apply to everyone, not just regulated institutions. FIs must ensure updated watchlists are considered in the process for both sanctions and risk-related lists, such as politically exposed persons (PEPs), relatives or close associates (RCAs), and adverse media. Apply sanctions screening during the payment screening process and expand the data to include risk-related and ownership data at the customer screening level.
When using technology for sanctions and watchlist screening, establish governance over system performance, including rigorous testing of matching algorithms to manage false positives/negatives and ensure accuracy against regulatory lists.
7. Transaction Monitoring & Suspicious Activity Reporting
FIs must remember that AML compliance is ongoing. This requires keeping a close eye on transactional activity. They must establish AML transaction monitoring (TM) protocols based on risk attributes to detect potentially suspicious activity and take appropriate action, including case creation and SAR/STR filing where warranted. Firms should consider incorporating customer risk scores into their review and decision-making process, and consider embedding typologies and/or enriching the data set in their AML TM solution.
Since Transaction Monitoring often relies on risk-based rules or sophisticated models (AI/ML), FIs must implement robust Model Governance procedures. This includes regular, independent Model Validation to continuously assess the model’s efficacy, fairness, and compliance. Documentation should detail the model’s design, tuning methodology, and performance metrics.
8. Independent Compliance Testing, Audit Readiness, and Control Demonstration
An audit trail is an essential part of every AML program. You will receive questions about why decisions were made, be required to show evidence that you have followed your own policies and procedures, and have documented risks. These requests will be both internal (audit, oversight/governance committees) and external (regulators).
Always be able to explain your actions. Maintain records of important insights into suspicious patterns to document and justify your decision-making with data-driven evidence.
Independent testing is another critical pillar of AML programs. FIs must conduct formal, periodic compliance testing to verify that their controls (from CDD to Transaction Monitoring) are operating as designed and are effective at mitigating risk. All documentation from this testing, including methodologies, results, and remediation plans, must be maintained to demonstrate control effectiveness to both internal audit and, critically, any regulator that performs an inspection.
9. Continuous Review, Improvement & Emerging AML Risks
Compliance isn’t a “one-and-done” project. As financial criminals adopt new tech, your program must evolve just as fast. Feedzai research, outlined in The AI Shift: Transforming AML Compliance into Competitive Advantage, shows 71% of AML professionals are already moving past static rules that criminals have long since outmaneuvered. By embracing supervised and unsupervised machine learning, your program can continuously learn from past cases to identify new AML threats (e.g., money mule activity or complex crypto-laundering) that traditional systems frequently miss.
The industry is also shifting from a static checklist approach to an outcome-driven mission where you must prove your controls actually reduce illicit flows. This requires a symbiotic relationship where human analysts and AI work in a continuous feedback loop. While AI handles the heavy lifting of synthesizing vast amounts of internal and external data, your analysts provide the critical judgment that keeps the models sharp and unbiased.
Why AML Compliance Self-Audits Matter for Financial Institutions
Before taking a boat out onto a body of water, it’s wise to inspect it for leaks. If you overlook this critical step, you risk finding yourself sinking or attempting to plug critical leaks in your vessel.
A self-audit or stress-test of your AML program is about finding the cracks in your own armor before money launderers do. By proactively checking and securing your own foundation, you’re empowering your team to fix vulnerabilities in real time.
The future belongs to institutions that trade manual spreadsheets for predictive AI and automation. By taking a risk-based approach and following a thorough checklist, you aren’t just reacting to yesterday’s threats; you’re using data-driven insights to prepare for increasingly sophisticated financial crime tactics.
Frequently Asked Questions About AML Compliance Checklists
What is an AML compliance checklist and why is it important for financial institutions?
An AML compliance checklist is a vital roadmap for FIs to ensure they meet regulatory requirements and stop financial crime. It’s important because it provides a structured way to verify that your identity checks, monitoring systems, and reporting protocols are actually working. It helps turn a mountain of regulations into a manageable, actionable plan for your team.
How often should a financial institution self-audit its AML program?
While many regulations suggest an annual review, the best practice is to treat auditing as a continuous process. You should perform a formal self-audit at least once a year, or whenever you launch new products, enter new markets, or face significant regulatory shifts. Frequent checks ensure your defenses don’t get dusty while criminals are innovating.
What are the key pillars of an effective AML program?
An effective program stands on several key pillars: robust internal policies, a designated compliance officer, ongoing employee training, and independent testing. However, the most modern pillar is “know your data.” Without strong transaction monitoring and a risk-based approach to customer due diligence, those other pillars won’t have a solid foundation to stand on in today’s digital world.
Why is continuous monitoring important in AML transaction monitoring?
Criminals don’t wait for your quarterly review to move money, so you shouldn’t wait to catch them. Continuous monitoring allows you to spot suspicious patterns in real time as they happen. This proactive stance helps you identify “money mule” activity or sudden spikes in volume immediately, allowing for faster intervention and more accurate reporting to authorities.
What role does technology (e.g., AI, analytics, automation) play in AML compliance?
Technology is the ultimate force multiplier. While humans provide the necessary expertise and intuition, AI and automation handle the heavy lifting of analyzing millions of data points for hidden risks. This reduces “false positives” and frees up your investigators to focus on high-priority threats, making your entire compliance operation faster, smarter, and significantly more cost-effective.