When is AML screening required for your business?

AML screening is not a practice confined to major banks. Across a wide range of industries, regulatory obligations apply, and the threshold for compliance is considerably lower than many businesses realise.

According to Alessa, understanding when screening is legally required — and precisely what it entails — is the foundation of any programme that will satisfy regulators and safeguard the institution.

Alessa recently examined when AML screening is required and what businesses need to know.

AML screening is the process of checking customers, beneficial owners, and counterparties against regulatory databases to identify exposure to money laundering or terrorist financing risks.

It generally covers three areas. Sanctions lists comprise designations maintained by OFAC, the UN Security Council, the EU, and other bodies; transacting with a sanctioned individual or entity constitutes a strict liability offence under US law, meaning intent is not a valid defence. Politically Exposed Persons (PEPs) — individuals who hold or have held prominent public roles, including senior government officials, their immediate family members, and close associates — are not prohibited customers, but they require enhanced due diligence given their elevated exposure to corruption and bribery risks.

Adverse media screening, meanwhile, checks for negative news coverage connected to financial crime, fraud, or regulatory action, supplementing list-based checks by surfacing risks that may not yet appear on formal databases.

Crucially, screening is not a one-time exercise. It is required at onboarding, when material changes to a customer relationship occur, and on a recurring basis for existing customers to capture new designations or emerging risk indicators.

Who is obligated to screen

The Bank Secrecy Act (BSA) defines the categories of financial institutions required to maintain AML compliance programmes. These include banks, savings associations, and credit unions; money services businesses (MSBs) such as money transmitters, currency exchangers, and cheque cashers; broker-dealers and futures commission merchants; insurance companies offering certain products; casinos and card clubs; and mutual funds.

The BSA’s definition of financial institution extends further still — to dealers in precious metals, stones, or jewels, operators of credit card systems, and certain loan or finance companies. Any business designated by the Secretary of the Treasury whose cash transactions carry a high degree of relevance to criminal or regulatory matters may also fall within scope.

From January 2026, registered investment advisers are required to implement formal AML programmes, encompassing written policies, a designated compliance officer, employee training, and independent testing. This marks a significant expansion of the regulatory perimeter, bringing a large sector previously outside mandatory AML requirements into alignment with the obligations long applied to banks and broker-dealers.

OFAC obligations apply even more broadly. All US persons, regardless of industry or size, are prohibited from transacting with designated individuals, entities, or countries. A small business with no other AML obligations still carries an OFAC screening responsibility.

When screening must take place

Regulatory expectations are unambiguous: screening is not a box ticked at account opening and then disregarded. The FFIEC BSA/AML Examination Manual and FinCEN’s Customer Due Diligence rule outline the lifecycle events that require screening or rescreening.

New customer onboarding requires full KYC and sanctions/PEP screening before the relationship is established. Any beneficial ownership update triggers screening of newly identified owners against sanctions and PEP lists. High-risk transactions require real-time or near-real-time checks before processing.

Periodic reviews demand rescreening at defined intervals based on customer risk tier, while new OFAC or other sanctions designations trigger immediate rescreening of existing customers. Material changes in customer circumstances — such as business restructuring or new ownership — also require fresh screening.

Higher-risk customers require more frequent review. A low-risk retail customer may be assessed annually, whereas a high-risk business with complex ownership structures or cross-border activity may necessitate quarterly or even real-time monitoring.

The consequences of non-compliance

Enforcement actions stemming from AML screening failures consistently result in substantial penalties. Financial institutions filed approximately 2.8 million Suspicious Activity Reports with FinCEN in 2023 alone, reflecting the scale of monitoring activity regulators expect. Institutions that fail to screen, screen inadequately, or fail to act on results face civil penalties running into the millions, consent orders, restrictions on business activities, and — in cases involving wilful violations — criminal prosecution.

The reputational damage can prove equally severe. Correspondent banks move quickly to sever relationships when they perceive compliance risk, restricting access to correspondent accounts and dollar clearing. For institutions that depend on those relationships to serve their customers, the operational consequences can be far-reaching.

Building a programme that meets the standard

A defensible AML screening programme shares consistent characteristics regardless of institution type or size. It must cover the right lists — sanctions designations are added and removed on a rolling basis, and programmes relying on periodic manual updates rather than automated list refreshes inevitably create gaps.

There must be a clear audit trail: every screening decision, hit disposition, and enhanced due diligence step should be documented and retrievable for examiner review. Finally, it must be calibrated to risk. Not every customer carries the same exposure, and not every business faces identical regulatory requirements. A well-designed customer risk-scoring model ensures that screening frequency and due diligence depth are proportionate to actual risk, rather than applied uniformly across the customer base.

Read the full Alessa post here. 

Copyright © 2026 RegTech Analyst
