An AML compliance checklist is a structured framework of controls, procedures, and verification steps that banks and fintech companies must implement to comply with Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) regulations. It covers everything from customer identity verification and risk assessment to transaction monitoring, suspicious activity reporting, and staff training. This guide sets out the complete AML compliance checklist for banks and fintechs, including a practical checklist table, an explanation of each key component, and guidance on how to conduct an AML check to remain compliant with current regulatory requirements in Nigeria and across Africa.
What Is an AML Compliance Checklist?
An AML compliance checklist is a documented list of the specific controls, processes, and verification steps an organization must have in place to meet its anti-money laundering obligations under applicable law. The Financial Action Task Force (FATF), through its 40 Recommendations, provides the global standard from which most national AML frameworks are derived, including Nigeria's CBN AML/CFT Guidelines and the Money Laundering (Prevention and Prohibition) Act 2022.
For banks and fintech companies, an AML compliance checklist serves three core purposes. First, it provides a practical tool for compliance officers to verify that every required control is in place and operating effectively. Second, it creates an evidence trail that regulators can examine during on-site supervision. Third, it forces institutions to think systematically about the specific money laundering risks they face rather than applying a generic, one-size-fits-all compliance approach.
Global AML-related penalties reached $3.8 billion in 2025, according to Fenergo. Binance paid $4.3 billion in 2023 for failures to maintain an effective AML programme, implement KYC procedures, and file Suspicious Activity Reports (SARs). TD Bank paid $3 billion in 2024 for systematic AML programme deficiencies. These penalties underscore one consistent finding: AML failures are almost always systemic, not isolated. A comprehensive compliance checklist is the first line of defence.
Why Should Businesses Be AML Compliant?
AML compliance is a legal obligation for every bank, fintech, mobile money operator, and payment service provider operating in a regulated financial market. Beyond the legal obligation, AML compliance delivers five direct business benefits:
- Avoiding regulatory penalties. The CBN, EFCC, FIC (South Africa), and FRC (Kenya) all impose administrative sanctions and financial penalties on institutions with inadequate AML controls. In Nigeria, the Money Laundering (Prevention and Prohibition) Act 2022 provides for fines of up to 100 million naira for corporate bodies and criminal prosecution for individuals.
- Protecting institutional reputation. A single AML enforcement action or money laundering scandal can permanently damage customer and investor trust. Institutions that demonstrate robust, documented AML controls build the regulatory credibility that supports long-term growth.
- Maintaining market access. International correspondent banks apply enhanced due diligence to institutions in jurisdictions with weak AML frameworks. Nigerian banks that cannot demonstrate AML compliance risk losing or degrading their correspondent banking relationships, restricting their ability to process cross-border payments.
- Combating financial crime. AML compliance directly reduces the ability of criminals to use financial institutions to launder the proceeds of fraud, corruption, and other predicate offences. For African banks operating in high-risk environments, this is both a regulatory and an ethical obligation.
- Supporting business scalability. Investors and international partners increasingly require evidence of robust AML frameworks before entering commercial relationships. A documented, functioning AML compliance programme is a commercial asset, not just a compliance cost.
What Are the Key Components of an AML Compliance Checklist?
Every AML compliance checklist, whether for a commercial bank, a fintech, or a mobile money operator, must cover the following nine core components. These align directly with FATF Recommendations and the CBN's AML/CFT Guidelines for Nigerian institutions.
1. AML Risk Assessment
A firm-wide AML risk assessment is the foundation of the entire compliance programme. FATF Recommendation 1 requires all institutions to identify and assess the money laundering and terrorist financing risks they face, based on their customer base, products and services, geographies of operation, and delivery channels. The risk assessment must be documented, reviewed at least annually, and approved by senior management.
For Nigerian financial institutions, the CBN AML/CFT Guidelines specifically require institutions to conduct and document a firm-wide risk assessment that identifies high-risk areas and sets out the mitigating controls applied to each. An AML risk assessment template should cover: customer risk, product/service risk, geographic risk, delivery channel risk, and emerging risk from new technologies.
Our guide on customer risk assessment and how to do it discusses in full how to perform a customer risk assessment.
2. Customer Due Diligence (CDD) and Know Your Customer (KYC)
Customer Due Diligence (CDD) is the process of verifying a customer's identity, understanding the nature and purpose of the business relationship, and assessing the customer's risk level. KYC compliance is the practical implementation of CDD requirements at onboarding. FATF Recommendation 10 sets out the minimum CDD requirements that all institutions must apply.
Standard CDD must include: verification of customer identity using reliable documents or data sources (for Nigerian institutions, this means BVN, NIN, and ID document verification), identification of beneficial owners controlling 25% or more of a legal entity, understanding the purpose and intended nature of the business relationship, and ongoing monitoring of the customer relationship.
3. Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) applies to customers who present a higher risk of money laundering. EDD requires deeper investigation, additional verification steps, and senior management approval before the business relationship proceeds. EDD is mandatory in the following circumstances:
- The customer is a Politically Exposed Person (PEP) or a close associate of a PEP
- The customer is from or operates in a FATF-designated high-risk jurisdiction
- The transaction is complex, unusually large, or follows an unusual pattern with no apparent economic purpose
- The customer has provided false or stolen identification documents
- There are negative media reports or adverse intelligence linking the customer to financial crime
4. PEP Screening and Sanctions Screening
Banks and fintechs must screen all customers and beneficial owners against Politically Exposed Persons (PEP) lists and international sanctions lists before onboarding and on a continuous basis throughout the relationship. Sanctions screening must cover the UN Security Council sanctions list, the US Office of Foreign Assets Control (OFAC) list, the EU Consolidated Sanctions List, and any Nigeria-specific watchlists issued by the CBN or EFCC.
PEP screening must include domestic PEPs, not only international ones. Nigeria's EFCC and CBN both apply heightened scrutiny to transactions involving domestic PEPs given the country's exposure to politically connected money laundering. Screening must be real-time, not batch-based, to prevent prohibited transactions from processing.
5. Transaction Monitoring
Transaction monitoring is the continuous process of analysing customer transactions in real time to identify patterns or behaviours consistent with money laundering or terrorist financing. AML transaction monitoring systems must flag:
- Transactions that exceed regulatory reporting thresholds (in Nigeria, cash transactions above 5 million naira for individuals and 10 million naira for corporate entities trigger CTR obligations under NFIU guidelines)
- Unusual transactions relative to the customer's known risk profile and business activities
- Structuring: multiple transactions just below reporting thresholds designed to avoid detection
- Transactions with high-risk countries, PEPs, or sanctioned counterparties
- Sudden changes in transaction frequency, volume, or geographic exposure inconsistent with the customer's stated business
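The first and third rules in the list above can be expressed as monitoring logic. The sketch below is an added example, not Youverify's or any regulator's code. It uses the CTR thresholds quoted on this page; the 24-hour window, the 80% "just below" band, the record layout, and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# CTR thresholds in naira, as stated on this page.
CTR_THRESHOLD = {"individual": 5_000_000, "corporate": 10_000_000}

# Assumptions for illustration only, not regulatory values.
NEAR_RATIO = 0.80             # "just below" means at least 80% of the threshold
WINDOW = timedelta(hours=24)  # look-back window for aggregating cash activity


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    customer_type: str  # "individual" or "corporate"
    amount: int         # naira
    ts: datetime


def monitor(txns):
    """Return a sorted list of (customer_id, rule, timestamp) alerts."""
    by_customer = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_customer[t.customer_id].append(t)

    alerts = set()
    for cid, items in by_customer.items():
        window = []  # near-threshold transactions still inside WINDOW
        for t in items:
            limit = CTR_THRESHOLD[t.customer_type]
            if t.amount > limit:
                # Rule 1: single cash transaction above the reporting threshold.
                alerts.add((cid, "CTR", t.ts))
                continue
            if t.amount < NEAR_RATIO * limit:
                continue  # ordinary activity, not close to the threshold
            # Rule 2: several near-threshold transactions inside the window
            # whose combined value exceeds the threshold.
            window = [w for w in window if t.ts - w.ts <= WINDOW]
            window.append(t)
            if len(window) >= 2 and sum(w.amount for w in window) > limit:
                alerts.add((cid, "STRUCTURING", t.ts))
    return sorted(alerts)


# Constructed sample data (not real customers or transactions).
SAMPLE = [
    CashTxn("C-001", "individual", 6_200_000, datetime(2025, 3, 3, 10, 0)),
    CashTxn("C-002", "individual", 4_900_000, datetime(2025, 3, 3, 9, 0)),
    CashTxn("C-002", "individual", 4_850_000, datetime(2025, 3, 3, 15, 30)),
    CashTxn("C-003", "corporate", 9_500_000, datetime(2025, 3, 3, 11, 0)),
    CashTxn("C-003", "corporate", 9_700_000, datetime(2025, 3, 6, 11, 0)),
    CashTxn("C-004", "individual", 1_200_000, datetime(2025, 3, 3, 12, 0)),
]

if __name__ == "__main__":
    for customer_id, rule, ts in monitor(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M}  {customer_id}  {rule}")
```

C-003 raises no alert because its two near-threshold deposits fall three days apart, outside the assumed window. A production rule set would also weigh the customer's risk profile, as the second bullet above requires.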
6. Suspicious Activity Reporting (SAR)
Where transaction monitoring or staff analysis identifies activity that is known or suspected to involve money laundering or terrorist financing, the institution must file a Suspicious Transaction Report (STR) with the relevant financial intelligence unit. In Nigeria, STRs must be filed with the NFIU via the goAML portal within 24 hours of identification. In South Africa, reports go to the FIC goAML portal. In Kenya, the FRC requires filing within three business days.
The SAR process must include: clear internal reporting lines to the MLRO (Money Laundering Reporting Officer), a documented review and approval process, timely filing with the relevant authority, and strict controls to prevent tipping off the subject of the report.
7. Record Keeping
All AML records must be retained for a minimum of five years from the end of the customer relationship or the completion of the transaction. Records subject to this requirement include: customer identification and verification documents, risk assessments, CDD and EDD documentation, transaction records, internal SAR reports, and all regulatory filings. Records must be stored securely and must be accessible for examination by regulators on request.
8. AML Training
All staff who handle customer onboarding, transaction processing, or compliance functions must receive regular AML training. FATF Recommendation 18 requires institutions to have employee screening procedures and ongoing training programmes. Training must cover: recognising the red flags for money laundering and terrorist financing, understanding the institution's internal SAR reporting procedures, knowing who the MLRO is and how to escalate suspicious activity, and understanding the specific legal obligations under applicable national AML law.
9. Ongoing Customer Due Diligence and Continuous Monitoring
AML compliance is not a one-time onboarding exercise. Institutions must continuously monitor customer relationships and update CDD information when material changes occur. Ongoing monitoring is triggered by: changes in customer identity or beneficial ownership, changes in the products or services used, transactions inconsistent with the customer's known profile, new adverse media or intelligence, and periodic scheduled reviews calibrated to the customer's risk rating.
Need an automated AML compliance solution for your bank or fintech? Book a demo with our compliance experts to see how Youverify automates CDD, PEP screening, transaction monitoring, and STR reporting.
AML Compliance Checklist for Banks and Fintech: The Complete Table
Use the checklist below to assess your institution's current AML compliance posture. This table can be used as a self-assessment tool, as the basis of an internal audit, or as supporting documentation during regulatory examination. Each item maps directly to FATF Recommendations and CBN AML/CFT Guidelines.
Section A: AML Risk Assessment
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Has the firm documented a firm-wide AML/CFT risk assessment covering customer, product, geography, delivery channel, and emerging technology risks? | [ ] | [ ] | [ ] |
| Has the risk assessment been approved by senior management or the board? | [ ] | [ ] | [ ] |
| Has the risk assessment been reviewed and updated within the last 12 months? | [ ] | [ ] | [ ] |
| Has the institution assessed the specific risk of proliferation financing (CPF) as required by updated FATF guidance? | [ ] | [ ] | [ ] |
| Does the risk assessment inform the institution's AML/CFT policies and procedures? | [ ] | [ ] | [ ] |
| Does the institution have a documented AML risk appetite statement approved by the board? | [ ] | [ ] | [ ] |
Section B: Customer Due Diligence and KYC
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Does the institution have documented CDD procedures that are applied consistently across all customer types? | [ ] | [ ] | [ ] |
| Does CDD include verification of customer identity using reliable and independent data sources (BVN, NIN, ID document verification for Nigerian institutions)? | [ ] | [ ] | [ ] |
| Does CDD include identification of beneficial owners for corporate and legal entity customers? | [ ] | [ ] | [ ] |
| Does the institution document the purpose and intended nature of all customer business relationships? | [ ] | [ ] | [ ] |
| Are CDD procedures applied before or at the point of establishing a business relationship (not after)? | [ ] | [ ] | [ ] |
| Are there circumstances defined where Simplified Due Diligence (SDD) may apply, and are these documented? | [ ] | [ ] | [ ] |
| Does the institution have an Enhanced Due Diligence (EDD) procedure for high-risk customers? | [ ] | [ ] | [ ] |
| Is EDD approval required from senior management before onboarding high-risk customers or PEPs? | [ ] | [ ] | [ ] |
| Are CDD records retained securely for at least five years after the end of the customer relationship? | [ ] | [ ] | [ ] |
Section C: PEP Screening and Sanctions Screening
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Does the institution screen all customers against PEP lists at onboarding and on a continuous basis? | [ ] | [ ] | [ ] |
| Does PEP screening cover domestic PEPs as well as international PEPs? | [ ] | [ ] | [ ] |
| Does the institution screen against the UN Security Council sanctions list, OFAC, EU Consolidated Sanctions List, and CBN/EFCC watchlists? | [ ] | [ ] | [ ] |
| Is sanctions screening applied in real time (not batch-based processing with delays)? | [ ] | [ ] | [ ] |
| Does the institution screen beneficial owners and counterparties, not only the primary customer? | [ ] | [ ] | [ ] |
| Are PEP and sanctions matches reviewed and resolved by a qualified compliance analyst before onboarding proceeds? | [ ] | [ ] | [ ] |
| Is there a documented escalation path for confirmed PEP or sanctions matches? | [ ] | [ ] | [ ] |
Section D: Transaction Monitoring
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Does the institution have an automated transaction monitoring system capable of real-time or near-real-time alert generation? | [ ] | [ ] | [ ] |
| Does the monitoring system analyse transactions in the context of the customer's full risk profile, not just raw transaction data? | [ ] | [ ] | [ ] |
| Are Currency Transaction Reports (CTRs) automatically generated for cash transactions above regulatory thresholds? | [ ] | [ ] | [ ] |
| Does monitoring cover structuring, smurfing, layering, and other common money laundering typologies? | [ ] | [ ] | [ ] |
| Are high-risk countries, PEPs, and sanctioned counterparties flagged in transaction monitoring rules? | [ ] | [ ] | [ ] |
| Is there a documented process for analysts to review, escalate, and dispose of monitoring alerts? | [ ] | [ ] | [ ] |
| Is the transaction monitoring system independently validated at least annually? | [ ] | [ ] | [ ] |
| Are false positive rates monitored and reported to senior management? | [ ] | [ ] | [ ] |
Section E: Suspicious Activity Reporting
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Does the institution have documented internal SAR reporting procedures communicated to all relevant staff? | [ ] | [ ] | [ ] |
| Does every member of staff know who the MLRO is and how to make an internal suspicious activity report? | [ ] | [ ] | [ ] |
| Are STRs filed with the NFIU via the goAML portal within 24 hours of identification (Nigeria)? | [ ] | [ ] | [ ] |
| Does the MLRO review and approve all STRs before submission to the regulator? | [ ] | [ ] | [ ] |
| Are tipping-off controls in place to prevent disclosure to the subject of a SAR? | [ ] | [ ] | [ ] |
| Are all internal SAR reports stored securely and separately from general client files? | [ ] | [ ] | [ ] |
| Does the MLRO produce a written report to the board on SAR volumes and trends at least annually? | [ ] | [ ] | [ ] |
| Has the institution reviewed the number and type of SARs filed in the last 12 months and considered implications for the firm-wide risk assessment? | [ ] | [ ] | [ ] |
Section F: Record Keeping
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Are all customer identification documents retained for at least five years after the end of the customer relationship? | [ ] | [ ] | [ ] |
| Are all transaction records retained for at least five years from the date of the transaction? | [ ] | [ ] | [ ] |
| Are all internal SAR reports and regulatory filings stored securely and separately? | [ ] | [ ] | [ ] |
| Are records stored in a format that can be retrieved and provided to regulators on request? | [ ] | [ ] | [ ] |
| Are records protected from inadvertent destruction or alteration? | [ ] | [ ] | [ ] |
| Is there a documented data retention and destruction policy aligned to applicable AML law? | [ ] | [ ] | [ ] |
Section G: AML Training
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Do all relevant staff receive AML/CFT training at induction and on a regular ongoing basis? | [ ] | [ ] | [ ] |
| Is training documented, with attendance records and assessment results retained? | [ ] | [ ] | [ ] |
| Does training cover recognition of money laundering red flags, SAR reporting procedures, and the identity of the MLRO? | [ ] | [ ] | [ ] |
| Has training been updated to reflect current regulatory requirements and emerging typologies? | [ ] | [ ] | [ ] |
| Have all staff signed an annual declaration confirming awareness of the institution's AML procedures? | [ ] | [ ] | [ ] |
| Is the adequacy of training reviewed following the results of internal monitoring or regulatory findings? | [ ] | [ ] | [ ] |
Section H: Ongoing Monitoring and Governance
| Checklist Item | Yes | No | N/A |
|---|---|---|---|
| Does the institution have a designated MLRO with sufficient seniority, authority, and resources to discharge their responsibilities? | [ ] | [ ] | [ ] |
| Has the institution defined and documented ongoing CDD review cycles calibrated to customer risk ratings? | [ ] | [ ] | [ ] |
| Are CDD records updated when material changes in customer identity, ownership, or behaviour are identified? | [ ] | [ ] | [ ] |
| Does the board receive regular reporting on the operation and effectiveness of the AML programme? | [ ] | [ ] | [ ] |
| Has the institution reviewed and updated its AML policies and procedures in the last 12 months? | [ ] | [ ] | [ ] |
| Has a sample of customer files been reviewed to assess compliance with CDD procedures in the last 12 months? | [ ] | [ ] | [ ] |
| Does the institution have an independent audit or compliance testing function that reviews AML controls? | [ ] | [ ] | [ ] |
| Where third-party AML technology vendors are used, is there a vendor management framework covering procurement, implementation, incident handling, and exit? | [ ] | [ ] | [ ] |
How to Conduct an AML Check to Stay Compliant
Conducting an AML check means applying the institution's documented CDD and risk assessment procedures to a specific customer or transaction. The following steps outline the standard AML check process for banks and fintechs operating in Nigeria and across Africa.
- Collect customer identification information. For individual customers, this means full legal name, date of birth, residential address, and nationality. For corporate entities, this means company name, registration number, registered address, business activity, and the identity of all beneficial owners holding 25% or more of the company.
- Verify identity against reliable data sources. For Nigerian institutions, verification must use CBN-approved data sources including the Bank Verification Number (BVN) database and National Identification Number (NIN) system. ID document verification using machine-readable biometric data is the current standard for onboarding.
- Screen the customer against PEP lists and sanctions watchlists. This must be done in real time, covering domestic and international PEP lists, the UN Security Council list, OFAC, the EU Consolidated List, and any CBN or EFCC watchlists. Beneficial owners must be screened as well as the primary customer.
- Assess the customer's money laundering risk. Based on the customer's identity, business activities, geographic exposure, and transaction profile, assign a risk rating (low, medium, or high). Document the rationale for the risk rating. High-risk customers require EDD and senior management approval.
- Establish the purpose and nature of the business relationship. Document why the customer is opening the account or using the service, what products or services they will use, and what level of transaction activity is expected.
- Apply ongoing monitoring calibrated to the risk rating. Set transaction monitoring parameters appropriate to the customer's risk level. Schedule periodic CDD review at intervals appropriate to the risk rating. Flag any material changes in behaviour or profile for immediate review.
- File regulatory reports where required. If suspicious activity is identified at any stage, make an internal report to the MLRO without delay. The MLRO reviews and, where warranted, files an STR with the NFIU (Nigeria), FIC (South Africa), or FRC (Kenya) within the applicable deadline.
How Youverify Supports AML Compliance for Banks and Fintech
Building and maintaining a complete AML compliance programme requires integrating identity verification, risk assessment, sanctions and PEP screening, transaction monitoring, case management, and regulatory reporting into a single, audit-ready workflow. Doing this across multiple manual tools or spreadsheets is not only inefficient but creates the coverage gaps and audit trail weaknesses that regulators and examiners identify as systemic failures.
Youverify's fraud and AML platform connects every component of the AML compliance checklist in a single system. For banks and fintechs operating in Nigeria, South Africa, Kenya, and Ivory Coast, the platform provides:
- KYC and KYB identity verification integrated with BVN, NIN, and national business registry data for African markets
- Real-time PEP and sanctions screening against 1,100+ global watchlists, covering domestic PEPs and international sanctions lists
- AI-powered transaction monitoring that analyses transactions in the context of the customer's full risk profile
- Automated STR generation and NFIU goAML portal submission, with MLRO approval workflow and tamper-proof audit trail
- Customer Risk Assessment module for continuous risk scoring and review cycle management
- Adverse media screening for negative news monitoring throughout the customer lifecycle
The platform is built to meet the requirements of the CBN's March 2026 Circular BSD/DIR/PUB/LAB/019/002 on Automated AML Solutions, including real-time monitoring, integrated KYC/KYB, automated reporting, and annual AI model validation support.
Conclusion
An AML compliance checklist is not a box-ticking exercise. It is the operational backbone of a functioning AML programme. Every item on the checklist reflects a specific regulatory requirement and a specific category of money laundering risk that the institution has an obligation to manage. For Nigerian banks, fintechs, and payment service providers, the stakes have risen significantly with the CBN's 2026 Baseline Standards for Automated AML Solutions, which make automated compliance controls a legal requirement with defined deadlines and enforcement consequences.
Institutions that treat their AML checklist as a living document, reviewed annually, tested through internal audit, and supported by integrated technology, will not only satisfy regulators. They will build the compliance infrastructure that enables sustainable growth in an increasingly scrutinised financial environment.
Book a demo with our compliance experts to see how Youverify's unified FRAML platform automates every item on the AML compliance checklist, from KYC verification and PEP screening to transaction monitoring, automated STR generation, and audit trail documentation.
About the Author
Temitope Lawal is a RegTech and compliance specialist at Youverify. She has written for fintech companies and financial institutions across Nigeria and international markets, with a research focus on AML compliance, fraud prevention, and financial crime regulation. Her work covers regulatory developments from the FCA, NCA and FATF, and is informed by ongoing engagement with primary compliance sources and industry research.
