Annual AML Independent Testing Checklist
Periodic independent inspection template for evaluating the effectiveness of a firm's anti-money laundering (AML) program, documenting findings, and tracking corrective actions.
Inspection Scope and Independence
- Testing period and entity scope are defined
  Annual testing period, legal entity, business lines, and locations reviewed are clearly identified.
- Reviewer independence is documented
  Independent tester has no operational responsibility for the AML program or the controls being tested.
- Testing methodology and sample basis are documented
  Methodology, sample sizes, sampling approach, and any risk-based exceptions are recorded.
- Prior findings and open issues were considered
  Previous audit findings, regulatory issues, and outstanding corrective actions were reviewed as part of planning.
- Reference documents attached
  Policies, procedures, risk assessment, training records, monitoring reports, and case files are available for review.
AML Governance and Risk Assessment
- Board or senior management oversight is evidenced
  Minutes, reports, or approvals show regular oversight of AML program performance and issues.
- AML risk assessment is current and risk-based
  Risk assessment reflects products, services, customers, geographies, delivery channels, and inherent/control risks.
- Risk assessment update date
  Enter the date of the most recent AML risk assessment update.
- Governance issues are tracked to closure
  Findings, action plans, owners, and due dates are tracked in a formal issue management process.
- AML staffing and competency are adequate
  Compliance staffing, escalation coverage, and subject-matter expertise are sufficient for the institution's risk profile.
Transaction Monitoring and Investigations
- Monitoring scenarios are calibrated to risk
  Monitoring rules, thresholds, and scenarios reflect the institution's products, customer types, and geographies.
- Alert population reviewed for the testing sample
  Sampled alerts were traced from generation through disposition with supporting evidence.
- Investigation narratives are complete and supportable
  Case notes explain the rationale for escalation, closure, or no further action and cite supporting documentation.
- Escalation timelines are met
  Alerts and cases were escalated within required internal timeframes and documented where exceptions occurred.
- High-risk alerts were independently reviewed
  High-risk or complex alerts received appropriate secondary review or approval.
- False positives and tuning opportunities identified
  Document any recurring false-positive drivers, threshold issues, or tuning recommendations.
Suspicious Activity Reporting and Regulatory Filings
- SAR decisioning is documented and supportable
  Reviewed cases show a clear basis for filing or not filing suspicious activity reports.
- SAR filing timeliness meets internal requirements
  Filing dates were compared to internal escalation and regulatory timing requirements.
- Regulatory filing data is accurate and complete
  Key fields, narratives, and supporting data in filed reports are complete, accurate, and consistent with case records.
- Escalation of unusual activity to compliance is timely
  Business line or operations staff escalate unusual activity promptly to the AML function.
- Lookback or retrospective reviews were performed when required
  Retrospective reviews were completed for relevant periods, products, or customer segments when indicated by risk or prior issues.
Customer Due Diligence, Training, and Records
- CDD / KYC files contain required information
  Sampled customer files contain identity, beneficial ownership, risk rating, and ongoing review evidence as applicable.
- Enhanced due diligence is applied to higher-risk customers
  Higher-risk customers have documented EDD, periodic review cadence, and escalation where warranted.
- AML training completion rate
  Percentage of required personnel who completed AML training within the required period.
- Training content is role-based and current
  Training covers relevant red flags, escalation paths, and job-specific responsibilities for the audience.
- Records retention and retrieval are effective
  Required records can be retrieved promptly and are retained for the required period.