AML screening is far from the exclusive domain of large financial institutions. Regulatory obligations stretch across a surprisingly broad range of industries, and the threshold for compliance is considerably lower than many businesses tend to assume.
According to Alessa, understanding precisely when screening is legally required — and what it entails — is the essential foundation for building a programme that satisfies regulators and shields the organisation from serious risk.
Alessa recently delved into when is AML screening required and what businesses need to know.
What AML screening actually involves
At its core, AML screening is the process of checking customers, beneficial owners, and counterparties against regulatory databases in order to identify potential money laundering or terrorist financing risks. It typically covers three categories. Sanctions lists include designations maintained by bodies such as OFAC, the UN Security Council, and the EU; transacting with a sanctioned individual or entity constitutes a strict liability offence under US law, meaning intent is no defence.
Politically Exposed Persons (PEPs) — those who hold or have held prominent public positions, including senior government officials and their close associates — are not prohibited customers outright, but they require enhanced due diligence given the elevated risk of corruption or bribery. Finally, adverse media screening checks for negative news coverage linked to financial crime, fraud, or regulatory action, supplementing list-based checks by surfacing risks that may not yet appear on formal databases.
Crucially, screening is not a one-time exercise. It is required at onboarding, when material changes to a customer relationship occur, and on a recurring basis for existing customers to catch new designations or emerging risk indicators.
Who is required to screen
The Bank Secrecy Act (BSA) defines the categories of financial institutions required to maintain AML compliance programmes. These include banks, savings associations, and credit unions; money services businesses (MSBs) such as money transmitters and currency exchangers; broker-dealers and futures commission merchants; insurance companies offering certain products; casinos and card clubs; and mutual funds. Beyond these, the BSA’s reach extends to dealers in precious metals, stones, or jewels, operators of credit card systems, and certain loan or finance companies.
From January 2026, registered investment advisers are required to implement formal AML programmes, including written policies, a designated compliance officer, employee training, and independent testing. This represents a significant expansion of the regulatory perimeter, bringing a large sector that had previously sat outside mandatory AML requirements into line with the obligations long applied to banks and broker-dealers.
OFAC obligations extend further still. All US persons, regardless of industry or size, are prohibited from transacting with designated individuals, entities, or countries. A small business with no other AML obligations still carries an OFAC screening responsibility.
When screening must take place
Regulatory expectations are unambiguous: screening is not a box to be ticked at account opening and then set aside. The FFIEC BSA/AML Examination Manual and FinCEN’s Customer Due Diligence rule set out the lifecycle events that trigger screening or rescreening obligations.
New customer onboarding requires full KYC and sanctions/PEP screening before the relationship is established. Any update to beneficial ownership requires screening of newly identified owners against sanctions and PEP lists. High-risk transactions require real-time or near-real-time screening prior to processing. Periodic reviews must be conducted at defined intervals based on customer risk tier. When new OFAC or other sanctions designations are issued, rescreening is triggered. Material changes in customer circumstances — such as business restructuring or new ownership — also require rescreening.
Higher-risk customers demand more frequent review. A low-risk retail customer may be assessed annually, whereas a high-risk business with complex ownership structures or cross-border activity may require quarterly or even real-time monitoring.
The consequences of getting it wrong
Enforcement actions for AML screening failures consistently result in substantial penalties. Financial institutions filed approximately 2.8 million Suspicious Activity Reports with FinCEN in 2023 alone, reflecting the scale of monitoring activity regulators expect. Institutions that fail to screen, screen inadequately, or fail to act on screening results face civil penalties running into the millions, consent orders, restrictions on business activities, and — in cases involving wilful violations — criminal prosecution.
The reputational damage can prove equally severe. Correspondent banks sever relationships swiftly when they perceive compliance risk, restricting access to correspondent accounts and dollar clearing. For institutions that depend on those relationships to serve their customers, the operational consequences can be far-reaching.
Building a programme that meets the standard
A defensible AML screening programme shares several consistent characteristics regardless of institution type or size. It must cover the right lists: sanctions designations are not static, and programmes that rely on periodic manual updates rather than automated list refreshes create dangerous gaps.
A clear audit trail is essential — every screening decision, every hit disposition, and every enhanced due diligence step must be documented and retrievable for examiner review. And the programme must be calibrated to risk. Not every customer carries the same exposure, and a well-designed customer risk scoring model ensures that screening frequency and due diligence depth are proportionate to actual risk, rather than applied uniformly across the entire customer base.
Read the full Alessa post here.
Copyright © 2026 FinTech Global
