What Happens After a Bad AML Program Review: A Recovery Checklist
Compliance Strategy


You had a review. The report came back with findings - or you have since realized the review itself was inadequate. Either way, you are now in recovery mode. This is the step-by-step checklist for what to do next: how to assess the damage, prioritize the fixes, document the remediation, and rebuild a program that will hold up the next time someone looks at it.

A bad AML program review is not the end of the story. It is the beginning of a different, more urgent chapter - one that requires a clear head, a structured plan, and disciplined execution. Whether your review produced a formal findings report with serious gaps, or you have come to realize that the review itself was inadequate and left real problems undetected, the path forward is the same: assess what you actually have, prioritize what needs to change, fix it in the right order, and document every step. This checklist is designed to walk you through that process systematically.

Before you do anything else, stop and read what you actually received. If your review produced a written findings report, read it carefully and completely - not just the executive summary. Findings reports are written in compliance language that can obscure the severity of what is being described. A finding described as a "gap in independent testing procedures" may mean that your program has never been independently tested at all. A finding described as "customer due diligence documentation inconsistencies" may mean that your CDD files are missing required verification records for a significant portion of your customer base. Read each finding and ask: what does this actually mean in operational terms? What would an examiner see if they walked in tomorrow? The answer to that question is your real starting point.

If you do not have a written findings report - because your review did not produce one, or because you have concluded that the review was inadequate - your first step is to commission a genuine assessment before you begin remediation. Remediating without knowing the full scope of your gaps is like patching a roof without knowing where all the leaks are. You will fix some things and miss others, and the ones you miss will be the ones an examiner finds. A proper assessment, conducted by a qualified compliance professional with genuine independence from your program, is the prerequisite for effective remediation. Do not skip it to save time.

Once you have a complete picture of your gaps, the next step is triage. Not all findings carry equal examination risk, and not all of them can be addressed simultaneously. You need to sort your findings into three categories: critical, significant, and minor. Critical findings are those that would likely generate a formal enforcement action or a Matters Requiring Attention letter if discovered by a regulator today. These are structural deficiencies - a missing independent testing function, a BSA compliance officer without adequate authority or time, a risk assessment that has not been updated in more than two years, or a customer identification program that is not actually collecting and verifying required information. Critical findings must be addressed first, and they must be addressed quickly.

Significant findings are those that represent meaningful program weaknesses but are unlikely to generate immediate enforcement action on their own. These include training that has not been refreshed within the past 12 months, transaction monitoring procedures that are documented but not consistently followed, SAR filing records that are incomplete or missing required narrative elements, and CDD files that have gaps for certain customer segments. Significant findings should be addressed in the second phase of remediation, after critical findings are resolved. They are not emergencies, but they are not optional - left unaddressed, they compound over time and create the conditions for critical findings to develop.

Minor findings are documentation and process issues that do not represent substantive compliance failures but would be noted by an examiner as areas for improvement. These include policy documents with outdated headers or references, training records that are complete but not organized in a format that is easy to present to an examiner, and monitoring procedures that are followed consistently but not documented with sufficient specificity. Minor findings should be addressed in the third phase of remediation, after the more serious issues are resolved. Do not let the relative ease of fixing minor findings tempt you into addressing them first - that is a common mistake that leaves critical gaps open while you polish the edges.

With your findings triaged, you are ready to build your remediation plan. A remediation plan is not a list of intentions. It is a document that assigns each finding to a specific responsible party, sets a realistic completion deadline, and defines what "done" looks like for each item. The responsible party must be a named individual, not a department or a role. The deadline must be specific - a date, not a quarter or a timeframe. The definition of done must be concrete - a revised policy document, a completed training session with attendance records, a written independent testing report, a risk assessment with a current date and sign-off from senior management. Vague remediation plans produce vague results, and vague results do not satisfy examiners.

The risk assessment is almost always the right place to start substantive remediation, regardless of what other findings are present. The risk assessment is the foundation of your entire program - every other element is supposed to be calibrated to the risks it identifies. If your risk assessment is outdated, incomplete, or was never genuinely conducted, every other element of your program is built on a flawed foundation. Updating or rebuilding your risk assessment first ensures that the policies, procedures, and controls you revise in subsequent steps are actually calibrated to your real risk profile rather than to a generic template or an outdated snapshot of your business.

A proper risk assessment update requires a structured analysis of three dimensions: your products and services, your customer base, and your geographic footprint. For each dimension, you need to document the specific risk factors present, rate them for inherent risk, identify the controls that currently mitigate those risks, and produce a residual risk rating. This analysis should be conducted through a combination of document review and structured interviews with the people who actually run your business operations - not just the compliance officer. The people who process transactions, onboard customers, and handle cash know things about your risk profile that do not appear in any policy document, and a risk assessment that does not capture their knowledge is incomplete.

With an updated risk assessment in hand, the next priority is your internal controls - specifically, the gap between what your written policy says and what your business actually does. This gap is the most dangerous finding an examiner can make, because it implies that your compliance program is performative rather than operational. Close this gap by reviewing each procedure in your policy against actual operational practice. Where the policy describes a step that is not being followed, you have two choices: update the policy to reflect what is actually happening, or change the operational practice to match the policy. The right answer depends on whether the current practice is compliant. If it is, update the policy. If it is not, change the practice - and then update the policy to reflect the corrected practice.

Independent testing is the next critical item on the recovery checklist, and it is frequently the most neglected. If your program has not been independently tested within the past 12 months, or if the testing that occurred was conducted by someone without genuine independence from the program being tested, you need to schedule a proper independent testing engagement immediately. Independent testing is not just a regulatory requirement - it is the mechanism that tells you whether your remediation is actually working. A testing engagement conducted after your initial remediation phase will confirm which gaps have been closed and identify any new issues that emerged during the remediation process. Do not wait until you believe your program is fully remediated to schedule testing. Schedule it as part of the remediation process, not after it.

Training remediation requires two parallel tracks. The first track is content: your training curriculum must be updated to reflect the current regulatory requirements for your industry, the specific risks identified in your updated risk assessment, and any new procedures introduced during remediation. Generic AML training content that is not calibrated to your industry and your specific risk profile does not satisfy the BSA's requirement that training be "appropriate for the employee's responsibilities." The second track is documentation: every training session must be documented with the course content, the date, and the name and role of each attendee. If your training records are incomplete for prior periods, document what you can reconstruct and note the gaps honestly. Attempting to backfill training records with fabricated documentation is a far more serious problem than incomplete records.

Customer due diligence remediation is often the most operationally demanding part of the recovery process, because it requires going back through existing customer files and identifying the gaps. Start with your highest-risk customer segments - entity customers, foreign nationals, politically exposed persons, and customers with complex ownership structures - and confirm that your CDD files contain all required information and verification documentation. For customers where required information is missing, you have two options: collect the missing information through a re-verification process, or close the relationship if the customer is unwilling or unable to provide it. Document every step of this process, including the customers you contacted, the information you requested, and the outcome of each outreach.

SAR and CTR filing discipline is the final substantive area of the recovery checklist. Review your transaction monitoring records for the past 12 months and confirm that alerts were generated, reviewed, and resolved consistently. For any period where monitoring was not occurring or was not documented, note the gap and document the corrective action you are taking. Review your SAR filing records and confirm that filings were made within the required 30-day window, that narratives contain the required specificity, and that continuing suspicious activity was reported on the required 90-day cycle. Review your CTR filing records and confirm that all cash transactions above the $10,000 threshold were reported accurately and on time. If you identify missed filings, consult with a compliance professional about whether voluntary self-disclosure to FinCEN is appropriate - in some circumstances, proactive disclosure is treated more favorably than a filing discovered during examination.

Throughout the entire remediation process, documentation is not optional - it is the evidence that your remediation actually happened. Every corrective action you take must be documented with the date it was completed, the name of the person responsible, and evidence of completion. A revised policy document should include a revision date and a sign-off from senior management. A completed training session should produce attendance records and certificates. A completed independent testing engagement should produce a written report. A completed risk assessment update should include a date and a sign-off. This documentation is your defense if a regulator asks what you did after discovering your gaps. It is also the evidence that demonstrates your program is actively managed rather than static - which is one of the most important signals a regulator evaluates when deciding how seriously to treat a program with prior findings.

The final step on the recovery checklist is establishing a maintenance rhythm that prevents the same gaps from developing again. The most common reason AML programs deteriorate is not negligence - it is the absence of a structured maintenance calendar. Build one. Schedule your annual risk assessment update for the same month every year. Schedule your independent testing engagement for a specific quarter. Build your training calendar at the beginning of each compliance year and assign responsibility for each session. Set a quarterly reminder to review your transaction monitoring procedures and confirm they are being followed. Assign someone to monitor FinCEN guidance and regulatory developments and brief the compliance officer when relevant changes occur. A program that is actively maintained does not require recovery. A program that is not maintained will require it again.

Recovery from a bad AML program review is not a comfortable process. It requires honest acknowledgment of what went wrong, disciplined prioritization of what needs to change, and sustained execution over weeks or months. But it is entirely achievable, and businesses that complete it emerge with programs that are genuinely stronger than what they had before. The goal is not to get back to where you were - it is to build something better. This checklist is the framework for doing that.

Tags

AML Recovery · AML Remediation · BSA Compliance Recovery · Compliance Findings · AML Program Repair · Examination Findings · Compliance Checklist · BSA Remediation Plan
Elena Vargas

BSA/AML Principal Consultant · Soflo Consulting


Elena Vargas is a BSA/AML Principal Consultant at Soflo Consulting with over a decade of experience building and auditing compliance programs for regulated businesses across the United States. She specializes in enforcement action remediation, risk assessment development, and examination preparation for money services businesses, mortgage lenders, and fintech companies.

BSA Risk Assessment · Enforcement Action Remediation · Examination Preparation · AML Policy Development

Key Takeaways

1. Read your findings report carefully and translate each finding into operational terms - what would an examiner see tomorrow?
2. If you do not have a written findings report, commission a genuine assessment before beginning remediation - remediating without knowing the full scope of your gaps is ineffective.
3. Triage findings into critical, significant, and minor - address critical findings first, regardless of how easy the minor ones are to fix.
4. A remediation plan must assign each finding to a named individual, set a specific deadline, and define what "done" looks like in concrete terms.
5. Start substantive remediation with the risk assessment - every other program element is built on top of it.
6. Close the gap between written policy and actual operational practice - this is the most dangerous finding an examiner can make.
7. Schedule independent testing as part of the remediation process, not after it - testing confirms whether your fixes are actually working.
8. Document every corrective action with dates, responsible parties, and evidence of completion - undocumented remediation did not happen from a regulatory perspective.
9. Build a maintenance calendar after remediation is complete - the absence of structured maintenance is why programs deteriorate in the first place.
