When is AML Screening Required? What Businesses Need to Know

AML screening is not a practice exclusive to large banks. Regulatory obligations extend across a wide range of industries, and the threshold for compliance is lower than many businesses assume. Understanding when screening is legally required, and what it involves, is the first step toward building a program that satisfies regulators and protects the institution.

Key Highlights

  • AML screening is legally required for banks, credit unions, money services businesses, broker-dealers, insurance companies, casinos, and a growing range of other sectors under the Bank Secrecy Act and USA PATRIOT Act.
  • From January 2026, registered investment advisers in the U.S. are required to implement AML programs for the first time, extending obligations that have long applied to banks and broker-dealers.
  • Screening must occur at onboarding, at defined trigger points during the customer lifecycle, and on an ongoing basis for existing relationships.
  • All U.S. persons, not just regulated financial institutions, are required to comply with OFAC sanctions screening regardless of industry.
  • Effective screening covers sanctions lists, PEP databases, and adverse media, and must be supported by documented customer due diligence processes.
  • Institutions that fail to screen adequately face civil penalties, loss of correspondent banking relationships, and in serious cases, criminal prosecution.

What AML Screening Actually Involves

AML screening is the process of checking customers, beneficial owners, and counterparties against regulatory databases to identify potential money laundering or terrorist financing risks. It typically covers three categories.

Sanctions lists include designations maintained by OFAC, the UN Security Council, the EU, and other bodies. Transacting with a sanctioned individual or entity is a strict liability offense under U.S. law, meaning intent is not a defense.

Politically Exposed Persons (PEPs) are individuals who hold or have held prominent public positions, such as senior government officials, their immediate family members, and close associates. They are not prohibited customers, but they require enhanced due diligence given their elevated risk of involvement in corruption or bribery.

Adverse media screening checks for negative news coverage linked to financial crime, fraud, or regulatory action. It supplements list-based screening by surfacing risks that may not yet appear on formal databases.

Screening is not a one-time exercise. It happens at onboarding, when material changes to a customer relationship occur, and on a recurring basis for existing customers to catch new designations or emerging risk indicators.

Who Is Required to Screen

The Bank Secrecy Act defines the categories of financial institutions required to maintain AML compliance programs. These include:

  • Banks, savings associations, and credit unions
  • Money services businesses (MSBs), including money transmitters, currency exchangers, and check cashers
  • Broker-dealers and futures commission merchants
  • Insurance companies offering certain products
  • Casinos and card clubs
  • Mutual funds

Beyond these, the BSA’s definition of financial institution extends to dealers in precious metals, stones, or jewels, as well as operators of credit card systems and certain loan or finance companies. Any business designated by the Secretary of the Treasury whose cash transactions have a high degree of usefulness in criminal or regulatory matters may also be brought within scope.

From January 2026, registered investment advisers are required to implement formal AML programs, including written policies, a designated compliance officer, employee training, and independent testing. This is a significant expansion of the regulatory perimeter, bringing a large sector that was previously outside mandatory AML requirements into alignment with the obligations that have long applied to banks and broker-dealers.

OFAC obligations apply more broadly still. All U.S. persons, regardless of industry or size, are prohibited from transacting with designated individuals, entities, or countries. A small business with no other AML obligations still carries an OFAC screening responsibility.

When Screening Must Take Place

Regulatory expectations are clear that screening is not a one-time activity conducted at account opening and then forgotten. The FFIEC BSA/AML Examination Manual and FinCEN’s Customer Due Diligence rule set out the lifecycle events that require screening or rescreening.

Trigger | Screening Expectation
New customer onboarding | Full KYC and sanctions/PEP screening before establishing the relationship
Beneficial ownership update | Screen any newly identified beneficial owners against sanctions and PEP lists
High-risk transaction | Real-time or near-real-time screening before processing
Periodic review | Rescreening at defined intervals based on customer risk tier
List update | Rescreening triggered by new OFAC or other sanctions designations
Change in customer circumstances | Material changes such as business restructuring or new ownership require rescreening

Higher-risk customers require more frequent review. A low-risk retail customer may be reviewed annually; a high-risk business with complex ownership structures or cross-border activity may require quarterly or even real-time monitoring.

The Consequences of Getting It Wrong

Enforcement actions for AML screening failures consistently result in substantial penalties. Financial institutions filed approximately 2.8 million Suspicious Activity Reports with FinCEN in 2023 alone, reflecting the scale of monitoring activity regulators expect. Institutions that fail to screen, screen inadequately, or fail to act on screening results face civil penalties running into the millions, consent orders, restrictions on business activities, and in cases involving willful violations, criminal prosecution.

The reputational impact is often as damaging as the financial penalty. Correspondent banks sever relationships quickly when they perceive compliance risk, which can restrict access to correspondent accounts and dollar clearing. For institutions that rely on those relationships to serve their customers, the operational consequences can be severe.

Building a Program That Meets the Standard

A defensible AML screening program has a few consistent characteristics regardless of institution type or size.

  • It covers the right lists. Sanctions lists are not static; OFAC and other bodies add and remove designations on a rolling basis. Programs that rely on periodic manual updates rather than automated list refreshes create gaps.
  • There is a clear audit trail. Every screening decision, every hit disposition, and every enhanced due diligence step should be documented and retrievable for examiner review.
  • It is calibrated to risk. Not every customer carries the same risk, and not every business faces the same regulatory exposure. A well-designed customer risk scoring model ensures that screening frequency and due diligence depth are proportionate to actual risk rather than applied uniformly across the customer base.
