
AML Compliance Onboarding Explained: What Small Financial Firms Need to Know
Devon runs a nine-person registered investment advisory firm in Phoenix. Last spring, a compliance consultant he brought in for a routine review flagged something uncomfortable: Devon's client onboarding process had been collecting identity documents informally for three years, but none of it had been organized into a documented Customer Identification Program. The right documents were in the files. The dates were inconsistent. The version of the policy in force at any given onboarding had never been tracked. When the consultant asked for a complete AML onboarding record for a specific client from 18 months prior, Devon spent four hours searching email threads.
The firm wasn't doing anything wrong, exactly. Devon had built the process from memory when he launched, assumed it was solid, and never formalized it into something auditable. The gap between "we check identities at onboarding" and "we have a documented, auditable AML onboarding process" turned out to be significant.
AML compliance onboarding is the set of documented procedures a covered financial firm must follow when accepting a new client or customer — including verifying their identity, assessing risk, screening against sanctions lists, and collecting ownership information for business entities. For small financial services firms, this is not optional, and the documentation burden is real regardless of firm size.
What is AML compliance and who does it apply to?
Anti-money laundering (AML) compliance is the set of legal and regulatory obligations designed to prevent financial criminals from using legitimate businesses to disguise illegally obtained funds. In the United States, AML requirements are primarily governed by the Bank Secrecy Act (BSA), administered by the Financial Crimes Enforcement Network (FinCEN) within the Treasury Department.
Small financial services firms that currently fall under BSA/AML obligations include broker-dealers, money services businesses (anyone transmitting funds, exchanging currency, or issuing money orders), mortgage lenders and originators, certain insurance companies, and futures commission merchants. Registered investment advisers are a developing case: FinCEN finalized a rule in 2024 formally classifying RIAs as financial institutions under the BSA, but the effective date has been delayed to January 1, 2028 while FinCEN reviews and potentially re-tailors the rule's scope. RIAs should be planning ahead, not assuming the delay means the obligation has gone away.
The short version for small firm owners: if your firm takes in client money, manages client assets, facilitates transactions, or provides services to entities doing those things, the probability that AML obligations apply to you is high. "We're too small for that to matter" is not an exemption.
What does AML compliance require during client onboarding?
AML compliance during client onboarding typically requires four things: customer identification, risk assessment, sanctions screening, and — for business entity clients — beneficial ownership verification.
Customer Identification Program (CIP) is the foundational requirement. At minimum, a CIP requires collecting the client's legal name, date of birth, address, and government-issued identification number (Social Security Number for individuals, Employer Identification Number for businesses). For in-person onboarding, you verify identity with a physical document. For remote onboarding, non-documentary verification methods are permitted and must be documented.
Risk assessment means categorizing the client by money laundering risk at intake. A domestic individual with a straightforward source of funds is typically low risk. A business entity with complex ownership, a politically exposed person (a current or former government official or their close associates), or a client in a high-risk jurisdiction requires enhanced due diligence.
OFAC screening means checking the client against the Office of Foreign Assets Control sanctions lists before accepting them as a customer. This applies at onboarding and on an ongoing basis — a client who clears at onboarding can appear on a sanctions list later.
Beneficial ownership verification applies when the client is a legal entity (LLC, corporation, partnership, trust). The FinCEN Beneficial Ownership Rule requires covered financial institutions to collect and verify the identity of beneficial owners — individuals who own 25% or more of the entity, plus any individual who exercises significant control over it regardless of ownership percentage.
| AML onboarding step | What it requires | Documentation needed |
|---|---|---|
| Customer identification | Collect name, DOB, address, ID number | Copy of ID document or verification record |
| Risk assessment | Assign risk tier (low / medium / high / PEP) | Risk assessment record dated at onboarding |
| OFAC screening | Check name against sanctions lists | Screening log with date and result |
| Beneficial ownership | Collect owner names, DOBs, addresses, ID info | Beneficial ownership certification form |
| Enhanced due diligence | Deeper source-of-funds review for high-risk clients | Documentation of the review and findings |
What are the penalties for AML onboarding failures?
BSA civil penalties vary significantly by violation type and the regulator assessing them. Negligent violations carry relatively modest per-violation penalties; willful violations are a different matter — the statutory base is the greater of $25,000 or the transaction amount (up to $100,000), and with annual inflation adjustments that figure now exceeds $70,000 per violation. Federal banking regulators have independent authority to impose penalties ranging from $5,000 to $1,000,000 per day for ongoing program failures. In serious cases, criminal penalties and individual liability for officers and owners apply. The defining characteristic of BSA enforcement is that penalties are assessed per violation — and a defective AML program that persists across multiple offices or days generates separate violations at each occurrence.
The penalties that actually damage small firms most often aren't the headline fines — they're the remediation costs. When a regulator identifies AML deficiencies, the firm typically faces a mandatory lookback review, independent compliance testing, and enhanced supervision — all expensive even before any formal penalty is assessed. Devon's scenario, where records existed but weren't organized into an auditable program, is exactly the fact pattern that triggers remediation requirements.
The BSA framework for what constitutes a sufficient AML program covers four elements: written internal policies and procedures, designation of a compliance officer, independent testing of the program, and ongoing customer due diligence — risk-based procedures for understanding the nature of customer relationships and monitoring activity on a continuing basis. Small firms often have versions of three out of four and treat the ongoing customer due diligence component as a one-time intake check, which is the gap examiners find first.
How does AML onboarding work for remote clients?
Remote client onboarding under AML requirements is permitted but requires more documentation rigor than in-person onboarding, because you can't physically examine identity documents.
Non-documentary verification for remote clients typically involves a combination of checking identity against credit bureau records, verifying through a digital identity verification service, or relying on a third party that has completed the CIP on your behalf — with a written reliance agreement on file. Whichever method is used, it must be documented in the client file.
The documentation requirement doesn't shrink for remote onboarding — it expands. You need a record of which verification method was used, what data was checked, when it was checked, and what the result was. "We used DocuSign to collect their ID" doesn't document the verification step; it only documents that a document was received.

What annual AML obligations apply beyond onboarding?
AML obligations don't end when the client is onboarded. Covered firms are required to maintain an ongoing AML program that includes periodic employee training, transaction monitoring for suspicious activity, and Suspicious Activity Report (SAR) filing when activity meets the reporting threshold for the firm's category.
Ongoing employee AML training is a standing requirement under most covered firm categories. Training records need to be maintained and demonstrable during examination — not just "we covered this in a staff meeting." A dated completion record for each trained employee is the standard examiners look for.
Currency Transaction Reports (CTRs) are required for cash transactions exceeding $10,000 — less common for advisory and professional services firms than for banks, but relevant for any firm that handles cash payments.
The compliance calendar for a small financial services firm typically looks like this:
| Obligation | Frequency | Documentation |
|---|---|---|
| Client CIP and risk assessment | At each new client onboarding | Per-client CIP file |
| OFAC screening | At onboarding + periodic rescreening | Screening log with dates |
| Beneficial ownership collection | At onboarding for entity clients | Signed certification form |
| AML employee training | Annual | Training completion records per employee |
| Independent AML testing | Annual or per regulatory schedule | Testing report on file |
| SAR filing (when triggered) | As required | Filed SAR + internal record |
What does a defensible AML onboarding process look like?
A defensible AML onboarding process has five characteristics: it's written down, it's consistently applied, it creates a timestamped record for each step, it's version-controlled so you know which policy version was in force at any given onboarding, and it's exportable so you can produce the complete file when an examiner asks.
The most common failure point I've seen in small firm AML processes isn't intention — it's consistency. Devon's firm checked identities at every onboarding. But the record of that check was an email with an ID document attached, no record of when it was verified against a list, no documentation of the risk tier assigned. When an examiner or auditor pulls a client file, the standard isn't "did you do this?" It's "prove that you did this, on this date, according to this policy."
The good news is that digitizing the onboarding process largely solves the documentation problem. When every onboarding step — identity document upload, attestation of the CIP policy, risk tier confirmation, beneficial ownership form — runs through a structured workflow with timestamps, you have the complete record without any assembly required.

You can see how compliance tracking and documentation work in OnboardingGenie, or read through the compliance documentation framework that small professional services firms use, for the broader compliance documentation context.
Frequently asked questions about AML compliance onboarding
Does AML compliance apply to small registered investment advisers?
The trajectory is clear, even if the timeline isn't final. FinCEN finalized a rule in September 2024 formally classifying registered investment advisers as financial institutions under the BSA — which would require RIAs to establish AML programs and file SARs. That rule's effective date was subsequently delayed to January 1, 2028, while FinCEN reviews and potentially refines its scope. Small RIAs are not currently required to have formal BSA-compliant AML programs, but the direction of regulation is unambiguous. Firms that begin building documentation and CIP practices now will be in a substantially better position when the rule takes effect — in whatever final form it takes.
What's the difference between KYC and AML?
Know Your Customer (KYC) is the client identification and risk assessment component of an AML program — specifically the process of verifying who your customer is and understanding their risk profile. AML is the broader regulatory framework that KYC is part of. A complete AML program includes KYC, transaction monitoring, employee training, SAR filing procedures, and independent testing. Saying a firm "does KYC" is not the same as saying it has a complete AML program.
Do small consulting or accounting firms need an AML program?
Traditional accounting and legal firms are generally not classified as financial institutions under the BSA and are not currently required to have formal AML programs under U.S. law. That said, firms that handle client funds directly, provide services to covered financial institutions, or operate in jurisdictions with broader AML frameworks should confirm their specific situation with legal counsel — the landscape has been evolving, and relying on a general rule without checking the current specifics is its own risk.
How long do AML records need to be retained?
BSA requires most AML-related records to be retained for a minimum of five years. This includes CIP records, beneficial ownership certifications, OFAC screening logs, SARs, and training records. Some firm types and certain record categories have additional retention requirements layered on top of BSA minimums — when in doubt, retain longer rather than shorter.
What's the fastest way to shore up an existing AML onboarding process?
Start with a documentation audit: pull the onboarding files for five to ten recent clients and verify that each one has a complete, dated, version-identified record of every required step. The gaps you find will tell you exactly what the process is missing. From there, digitizing the process (moving from email threads and shared drives to a structured onboarding workflow) is the most reliable path to consistent documentation going forward.
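As an added example (not OnboardingGenie's code or the page's own), here is the documentation audit above run as a script over constructed client files, checking the five characteristics of a defensible process (dated, policy-versioned, evidenced record per required step) and applying the page's rules that beneficial ownership is collected only for entity clients and enhanced due diligence only for high-risk or PEP tiers. The record layout, step names and policy version labels are assumptions.

```python
from datetime import date

# Steps every client file must show, taken from the onboarding table above.
BASE_STEPS = ("customer_identification", "risk_assessment", "ofac_screening")
HIGH_RISK_TIERS = {"high", "pep"}  # tiers that trigger enhanced due diligence


def audit_file(client: dict) -> list[str]:
    """Return findings for one client file; an empty list means the file is complete."""
    findings = []
    steps = client.get("steps", {})
    required = list(BASE_STEPS)
    if client.get("entity_type") != "individual":
        required.append("beneficial_ownership")        # entity clients only
    if steps.get("risk_assessment", {}).get("tier") in HIGH_RISK_TIERS:
        required.append("enhanced_due_diligence")      # high-risk / PEP only
    for name in required:
        rec = steps.get(name)
        if rec is None:
            findings.append(f"{name}: missing")
            continue
        if not isinstance(rec.get("date"), date):
            findings.append(f"{name}: no date")         # "prove you did this, on this date"
        if not rec.get("policy_version"):
            findings.append(f"{name}: no policy version")  # which policy was in force
        if not rec.get("evidence"):
            findings.append(f"{name}: no evidence reference")
        if name == "ofac_screening" and not rec.get("result"):
            findings.append(f"{name}: no result")       # screening log needs date AND result
    return findings


def audit_all(files: list[dict]) -> dict[str, list[str]]:
    """Map each client name to its findings, so gaps across the sample are visible at once."""
    return {f["client"]: audit_file(f) for f in files}


# Constructed sample files (assumed layout). The second mirrors Devon's situation:
# an ID sat in an email thread, but the screening was never dated or resulted.
SAMPLE_FILES = [
    {"client": "A. Example (individual)", "entity_type": "individual", "steps": {
        "customer_identification": {"date": date(2024, 3, 4), "policy_version": "CIP-2.1", "evidence": "id-scan-0412"},
        "risk_assessment": {"date": date(2024, 3, 4), "policy_version": "CIP-2.1", "evidence": "risk-form-0412", "tier": "low"},
        "ofac_screening": {"date": date(2024, 3, 4), "policy_version": "CIP-2.1", "evidence": "screen-0412", "result": "no match"}}},
    {"client": "Example Holdings LLC", "entity_type": "llc", "steps": {
        "customer_identification": {"date": date(2024, 5, 9), "policy_version": "CIP-2.1", "evidence": "email-thread-77"},
        "risk_assessment": {"date": date(2024, 5, 9), "policy_version": "CIP-2.1", "evidence": "risk-form-0509", "tier": "high"},
        "ofac_screening": {"policy_version": "CIP-2.1", "evidence": "screen-0509"}}},
]

if __name__ == "__main__":
    for client, findings in audit_all(SAMPLE_FILES).items():
        print(client, "->", findings or "complete")
```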
If your client onboarding is running on email and a shared folder, the records you'll need aren't getting created. Try OnboardingGenie free for 30 days and see what a structured, exportable onboarding workflow looks like.
Founder, OnboardingGenie