
AML Compliance Checklist 2026: 25 Steps Every Regulated Firm Must Cover

An AML programme is only as strong as its weakest control — and weak controls are usually the ones nobody is monitoring. This 25-step checklist organises every regulator-expected obligation into five operational blocks. Use it as a self-assessment, a board paper, or the spine of a remediation plan.

Published: May 2026 · Category: AML & Financial Crime · Read time: ~12 minutes

Quick Answer
A complete AML programme covers five operational blocks: governance (board ownership, MLRO appointment, AML policy, firm-wide risk assessment, three lines of defence); customer due diligence (KYC at onboarding, KYB for entities, UBO identification, screening against sanctions/PEP/adverse media, risk rating); ongoing monitoring (transaction monitoring rules, scenario tuning, customer-base re-screening, periodic customer reviews, source-of-funds refresh); reporting and record-keeping (internal escalation pathways, SAR/STR filing, retention periods, regulatory reporting); and training and assurance (annual staff training, MLRO annual report, internal audit, independent testing). The 25 individual controls below sit inside these five blocks. A firm with all 25 in operation — documented, tested, and refreshed — has a defensible AML programme. A firm missing any of them has an exposure that a supervisor will eventually find.

How to Use This Checklist

This checklist is current to 2026 standards under FATF, the EU AMLD/AMLR transition, MAS, FCA, FinCEN, and AUSTRAC frameworks. The specific evidentiary form each control takes will vary by jurisdiction; the underlying obligation is largely jurisdiction-agnostic.

For each item: mark whether the control exists, whether it is documented in writing, whether it is operating as designed, and when it was last tested. Items scoring "exists but not documented" or "documented but not tested" should move to the top of your remediation backlog — they carry the same regulatory risk as items that are entirely absent, because nothing is in evidence.

For background on the wider framework, see our AML compliance primer and the risk-based approach guide.

Block 1 — Governance and Framework (Items 1–5)

The governance block establishes who owns AML at the firm and how the programme is structured. Without governance, every other control is held together by good intentions rather than accountability.

  • 1. Board-level AML ownership — a designated board member or board committee is accountable for AML, with documented terms of reference and minuted regular review.
  • 2. Designated MLRO — an individual is formally appointed as MLRO (or jurisdictional equivalent), with documented responsibilities, independence, and reporting lines. See our MLRO role guide.
  • 3. Firm-wide AML risk assessment — a documented assessment of the money-laundering and terrorist-financing risks the firm is exposed to, refreshed at least annually and after material business changes.
  • 4. Written AML policies and procedures — board-approved policies covering CDD, EDD, screening, monitoring, reporting, training, record-keeping, and tipping-off; reviewed annually.
  • 5. Three lines of defence model — first-line operational controls, second-line compliance oversight, third-line independent audit, with clear ownership boundaries.

Block 2 — Customer Identification & Due Diligence (Items 6–12)

The CDD block is where the firm establishes who its customers actually are. The current regulatory direction — under MAS, FCA, the EU AMLR transition, and AUSTRAC's Tranche 2 reforms — is toward stricter beneficial-ownership verification and tighter ongoing CDD.

  • 6. KYC identity verification at onboarding — every customer's identity verified against independent sources before account approval. See our KYC verification solution.
  • 7. KYB and corporate verification — every entity customer verified for legal form, registration, directors, and good standing. See KYB verification.
  • 8. UBO identification — every natural person whose direct and indirect holdings, aggregated through the ownership chain, cross the threshold percentage (typically 25%; whether the test is "more than" or "at least" depends on the jurisdiction) identified, verified, and documented, with the chain itself recorded. Persons who exercise control by other means are beneficial owners even below the threshold.
  • 9. Sanctions, PEP, and adverse media screening at onboarding — every customer and key controllers screened against current watchlists with documented match disposition.
  • 10. Risk rating assigned — every customer assigned a documented risk rating using the firm's risk matrix. See our customer risk rating guide.
  • 11. Enhanced Due Diligence for higher-risk customers — EDD triggers defined; SoF and SoW collected where required; documented analyst rationale.
  • 12. Reliance on third-party CDD documented — where the firm relies on another regulated party's CDD, the reliance is documented and the third party is verified as appropriately regulated.
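
Item 8 says "through the ownership chain", and that is where the arithmetic bites: a person can sit below 25% on every single register entry yet aggregate well above it once indirect holdings are multiplied along each path and summed. The following is an added example, not code from the page or from One Constellation; the ownership register, the entity names and the 25% threshold are constructed assumptions. It walks up from the customer entity, multiplies fractions along every path, sums per natural person, guards against circular holdings, and applies a jurisdiction-selectable "more than" or "at least" comparison.

```python
from collections import defaultdict

# Constructed ownership register for the example (assumption: not data from the page).
# Each row: (owner, owned entity, fraction of the owned entity held by the owner).
OWNERSHIP = [
    ("HoldCo A", "CustomerCo", 0.60),
    ("HoldCo B", "CustomerCo", 0.30),
    ("Alice",    "CustomerCo", 0.10),
    ("Alice",    "HoldCo A",   0.50),
    ("Bob",      "HoldCo A",   0.50),
    ("Carol",    "HoldCo B",   0.70),
    ("HoldCo A", "HoldCo B",   0.30),   # HoldCo A also holds part of HoldCo B
]
NATURAL_PERSONS = {"Alice", "Bob", "Carol"}


def effective_ownership(ownership, target, natural_persons, max_depth=10):
    """Return ({person: aggregate fraction}, {person: [(path, fraction), ...]}).

    Walks up the ownership chain from `target`, multiplying fractions along
    each path and summing the products per natural person. A holder already
    on the current path is skipped, so circular holdings (A owns B, B owns A)
    cannot loop; max_depth bounds very long chains.
    """
    holders_of = defaultdict(list)
    for owner, owned, fraction in ownership:
        holders_of[owned].append((owner, fraction))

    totals = defaultdict(float)
    paths = defaultdict(list)

    def walk(entity, weight, path, depth):
        if depth > max_depth:
            return
        for owner, fraction in holders_of[entity]:
            w = weight * fraction
            p = path + [owner]
            if owner in natural_persons:
                totals[owner] += w
                paths[owner].append((p, w))
            elif owner not in path:
                walk(owner, w, p, depth + 1)

    walk(target, 1.0, [target], 0)
    return dict(totals), dict(paths)


def identify_ubos(ownership, target, natural_persons, threshold=0.25, strict=True):
    """Natural persons whose aggregate holding crosses the threshold.

    strict=True means "more than", strict=False means "at least"; which
    comparison applies is set by the jurisdiction, so it is a parameter.
    Control by other means is a separate test and is not modelled here.
    """
    totals, _ = effective_ownership(ownership, target, natural_persons)

    def crosses(f):
        return f > threshold if strict else f >= threshold

    return sorted(((p, round(f, 4)) for p, f in totals.items() if crosses(f)),
                  key=lambda x: -x[1])


if __name__ == "__main__":
    totals, paths = effective_ownership(OWNERSHIP, "CustomerCo", NATURAL_PERSONS)
    for person, total in sorted(totals.items()):
        print(f"{person}: {total:.1%}")
        for path, frac in paths[person]:
            print("    " + " <- ".join(path) + f" = {frac:.1%}")
    print("UBOs (>25%):", identify_ubos(OWNERSHIP, "CustomerCo", NATURAL_PERSONS))
```

On this register Alice holds 10% directly, 30% via HoldCo A and a further 4.5% via HoldCo B's stake in HoldCo A, so she aggregates to 44.5%; Bob reaches 34.5% with no direct holding at all; Carol, who owns 70% of HoldCo B, aggregates to only 21% and is not a UBO on the ownership test. Keeping the per-path breakdown is what lets the analyst document the chain, as item 8 requires, rather than just the final percentage.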

Block 3 — Ongoing Monitoring (Items 13–18)

The monitoring block is where AML moves from a static onboarding exercise to a continuing obligation. This is where most firms have the largest gaps — monitoring tends to be the most resource-intensive control and the most subject to drift.

  • 13. Transaction monitoring system operational — automated monitoring covering all in-scope transactions, with documented scenarios mapped to typologies. See transaction monitoring.
  • 14. Scenario tuning and review — monitoring scenarios reviewed at least annually for effectiveness; threshold changes supported by quantitative evidence (alert outcome statistics, above- and below-the-line testing) rather than by alert volume alone.
  • 15. Daily watchlist re-screening — the full customer base re-screened daily against sanctions, PEP, and adverse media list changes, with delta-only alerting: an alert is raised only for a match that is new or changed since the previous run, so hits already dispositioned are not re-presented.
  • 16. Periodic customer reviews — every customer reviewed at risk-appropriate intervals (commonly annually for High, every 2–3 years for Medium, every 3–5 years for Low).
  • 17. Source of funds refreshed on triggers — material activity changes, large transactions, or out-of-profile patterns trigger SoF/SoW refresh outside the regular cycle.
  • 18. False positive rate measured and managed — false-positive volume and rate tracked per scenario and per list, with an active programme to reduce them without reducing detection of genuine cases (recall measured against confirmed outcomes, not assumed).
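
Item 15's "delta-only alerting" is a small piece of logic that removes most of the daily noise from re-screening: keep the set of hit keys from the previous run, screen the whole base again, and raise alerts only for keys that were not there yesterday. The block below is an added example, not code from the page or from One Constellation; the customers, the two watchlist snapshots and the exact-match-after-normalization screener are constructed assumptions (a production screener uses fuzzy scoring, but the delta step is identical). The hit key includes the list entry's version, so an entry that changes, for instance by gaining an alias, re-alerts while an unchanged entry stays silent.

```python
import re
import unicodedata

# Constructed customer base and two daily watchlist snapshots (assumption: not data from the page).
CUSTOMERS = [
    {"id": "C1", "name": "Ivan Ivanov"},
    {"id": "C2", "name": "Maria Silva"},
    {"id": "C3", "name": "John Smith"},
]

WATCHLIST_DAY1 = [
    {"list": "sanctions", "id": "S-100", "version": 1, "name": "Ivanov, Ivan", "aliases": []},
    {"list": "pep",       "id": "P-200", "version": 1, "name": "Maria da Silva", "aliases": []},
]

# Day 2: P-200 gains an alias (new version); M-300 is a newly added adverse-media entry.
WATCHLIST_DAY2 = [
    {"list": "sanctions",     "id": "S-100", "version": 1, "name": "Ivanov, Ivan", "aliases": []},
    {"list": "pep",           "id": "P-200", "version": 2, "name": "Maria da Silva", "aliases": ["Maria Silva"]},
    {"list": "adverse_media", "id": "M-300", "version": 1, "name": "John Smith", "aliases": []},
]


def normalize(name):
    """Fold accents and case, drop punctuation, sort tokens so word order is ignored."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", folded.lower()).split()
    return " ".join(sorted(tokens))


def screen(customers, watchlist):
    """Full-base screen. Returns the set of hit keys
    (customer_id, list, entry_id, entry_version).

    Matching is exact on the normalized name or alias (a simplification);
    the delta logic below does not depend on how a match is scored.
    """
    hits = set()
    for cust in customers:
        cname = normalize(cust["name"])
        for entry in watchlist:
            names = {normalize(n) for n in [entry["name"], *entry["aliases"]]}
            if cname in names:
                hits.add((cust["id"], entry["list"], entry["id"], entry["version"]))
    return hits


def delta_alerts(today_hits, previous_hits):
    """Only hits new since the previous run become alerts. Hits that
    disappeared (delisted, or the customer no longer matches) are returned
    separately so open cases can be closed. Unchanged hits are silent."""
    new = sorted(today_hits - previous_hits)
    dropped = sorted(previous_hits - today_hits)
    return new, dropped


def run_two_days():
    day1 = screen(CUSTOMERS, WATCHLIST_DAY1)
    # Day 1 alerts are worked and dispositioned; their keys are carried forward.
    day2 = screen(CUSTOMERS, WATCHLIST_DAY2)
    return delta_alerts(day2, previous_hits=day1)


if __name__ == "__main__":
    new, dropped = run_two_days()
    print("new alerts:", new)
    print("dropped hits:", dropped)
```

On day 2 the sanctions hit on C1 is not re-presented because its key is unchanged, while C2 (matched through the new alias on a new entry version) and C3 (matched by a newly added entry) each produce exactly one alert. The "dropped" list is the other half of the obligation: a delisting should close the case rather than leave it open indefinitely.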

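Items 14 and 18 both come down to the same measurement: for a candidate threshold, how many alerts, how many of them were genuine, and how many genuine cases would be missed. The block below is an added example, not code from the page or from One Constellation; the scenario ("cash deposit at or above a threshold"), the labelled alert history and the candidate thresholds are constructed assumptions. It includes below-the-line sampled transactions, because recall can only be measured against confirmed cases the current threshold did not alert on, and it picks the highest threshold that keeps recall at or above an agreed floor.

```python
# Constructed, labelled alert history for one scenario (assumption: not data from the page).
# Each row: (transaction amount, analyst's final disposition: True = confirmed suspicious,
# False = false positive). Rows below the current threshold come from below-the-line sampling.
CURRENT_THRESHOLD = 10_000
LABELLED = [
    (10_200, False), (10_500, False), (11_000, False), (12_000, True),
    (13_500, False), (15_000, False), (18_000, True),  (24_000, False),
    (30_000, True),  (52_000, True),
    (9_800, True), (9_500, False), (8_000, False),    # below-the-line sample
]
CANDIDATES = [8_000, 9_000, 10_000, 12_000, 15_000, 20_000]


def evaluate(labelled, threshold):
    """Alert volume, true/false positives, precision, FP rate and recall at one
    threshold. Recall is measured against every confirmed case in the labelled
    set, so a confirmed case below the line counts against thresholds that miss it."""
    positives = sum(1 for _, suspicious in labelled if suspicious)
    alerted = [(amount, s) for amount, s in labelled if amount >= threshold]
    tp = sum(1 for _, s in alerted if s)
    fp = len(alerted) - tp
    return {
        "threshold": threshold,
        "alerts": len(alerted),
        "tp": tp,
        "fp": fp,
        "precision": tp / len(alerted) if alerted else 0.0,
        "fp_rate": fp / len(alerted) if alerted else 0.0,
        "recall": tp / positives if positives else 0.0,
    }


def tune(labelled, candidates, min_recall):
    """Highest candidate threshold whose recall stays at or above min_recall:
    the largest false-positive reduction that does not drop detection below
    the agreed floor. Returns None if no candidate meets the floor."""
    results = [evaluate(labelled, t) for t in candidates]
    acceptable = [r for r in results if r["recall"] >= min_recall]
    return max(acceptable, key=lambda r: r["threshold"]) if acceptable else None


if __name__ == "__main__":
    print(f"{'threshold':>9} {'alerts':>6} {'tp':>3} {'fp':>3} {'prec':>5} {'fp_rate':>7} {'recall':>6}")
    for t in CANDIDATES:
        r = evaluate(LABELLED, t)
        print(f"{r['threshold']:>9} {r['alerts']:>6} {r['tp']:>3} {r['fp']:>3} "
              f"{r['precision']:>5.2f} {r['fp_rate']:>7.2f} {r['recall']:>6.2f}")
    print("current:", evaluate(LABELLED, CURRENT_THRESHOLD))
    print("keep recall at 100%:", tune(LABELLED, CANDIDATES, 1.0)["threshold"])
    print("keep recall >= 80%: ", tune(LABELLED, CANDIDATES, 0.8)["threshold"])
```

The output is the "quantitative evidence" item 14 asks for. Two things it shows that alert counts alone do not: at the current 10,000 threshold the scenario has a 60% false-positive rate and already misses one confirmed case found by sampling, so holding recall at 100% actually means lowering the threshold to 9,000; and accepting an 80% floor lets it rise to 12,000, cutting alerts from ten to seven with no further loss of detection. Either way the decision, its floor and the numbers behind it are what get documented.
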
Block 4 — Reporting and Record-Keeping (Items 19–22)

The reporting block satisfies the firm's obligations to authorities and the firm's own future-self. Records that cannot be produced on request are records that do not exist as far as the regulator is concerned.

  • 19. Internal suspicion-escalation pathway — every employee can escalate a suspicion to the MLRO confidentially, with documented intake, logging, and disposition.
  • 20. External SAR/STR filing — process for filing suspicious activity reports to the FIU in the correct format, with MLRO sign-off and documented rationale. See our SAR filing guide.
  • 21. Threshold and currency reporting — currency transaction reports, cross-border transaction reports, and other threshold filings submitted in the format and timeframe each regulator requires.
  • 22. Records retained for required period — customer files, transaction records, CDD evidence, internal reports, and external filings retained for the period the relevant regulator requires (typically 5–7 years from end of relationship).

Block 5 — Training, Audit, and Assurance (Items 23–25)

The assurance block ensures the programme actually operates as designed. A perfectly documented AML programme that nobody is trained on or that nobody audits is a paper programme — and supervisors look for evidence the programme is real.

  • 23. Annual staff AML training — all relevant staff trained on AML obligations and the firm's specific procedures, with documented completion. Refresher content reflects current typologies and regulatory changes.
  • 24. MLRO annual report — a substantive annual report to the board covering programme effectiveness, SAR statistics, training metrics, regulatory engagement, and forward priorities.
  • 25. Independent audit of the AML programme — third-line internal audit or external review of the programme at least every 12–24 months, with findings tracked through to remediation.

Self-Assessment Practice

Run this checklist once a quarter and attach the evidence for each item as you go. A completed checklist with evidence behind it is far cheaper assurance than discovering during a regulator visit that controls 4, 14, and 23 are quietly failing. Items that have been "in progress" for two quarters in a row are the items that fail audits.

From Checklist to Operating Platform

Twenty-five controls are not 25 spreadsheets and 25 standalone tools. A well-architected programme operates them as one connected system: the risk assessment drives the risk-rating model; the rating model drives CDD intensity; CDD outcomes drive monitoring sensitivity; monitoring alerts drive the SAR pipeline; the SAR pipeline drives the MLRO report; the report drives the next year's risk assessment.

One Constellation's end-to-end AML/CFT platform implements every control on this checklist on a single underlying engine — with the policy versioning, audit trail, and management reporting a regulator expects to see. For specific verticals, see our industry pages including banking, fintech, and crypto.

Every Control on This Checklist, on One Platform

One Constellation delivers the full AML stack — governance, CDD, monitoring, reporting, and assurance — with the audit trail your supervisor expects.
