AML Compliance Checklist: Step-by-Step Guide to Full Compliance
Why Do You Need an AML Compliance Checklist?
Many accounting firms struggle with one big question: Are we truly compliant with anti-money laundering regulations? The requirements under AML laws are extensive and constantly evolving. Without a clear system in place, it’s easy to overlook critical tasks. The consequences of gaps can be serious – from fines and penalties to reputational damage if a regulator finds that you haven’t met your obligations.
An AML compliance checklist helps you work systematically and confidently. Instead of relying on memory or scattered notes, a checklist ensures every step in your process is completed. You save time by following a ready-made plan and reduce the stress around compliance. Most importantly, it provides peace of mind; you can confidently show an auditor or regulator that you methodically tick off all requirements – from customer due diligence to reporting.
What Does the AML Law Actually Require?
Sweden’s Anti-Money Laundering Act (Penningtvättslagen) sets clear obligations for all businesses it covers. In essence, you must take measures to prevent your operations from being used for money laundering or terrorist financing. This means you need to:
Conduct an enterprise-wide risk assessment: Identify and document the risks and vulnerabilities in your business that could be exploited for money laundering. This general risk assessment must be in writing and cover your services, customer types, delivery channels, and geographic risk factors.
Establish internal policies and procedures: Based on your risk assessment, develop written policies, controls, and procedures for customer due diligence, ongoing monitoring, reporting, and data handling. These routines should follow a risk-based approach – in other words, they must be tailored to the specific risks you’ve identified.
Assign responsible personnel: Designate a specific person in senior management to be responsible for AML compliance (an AML officer). Larger organizations are also expected to have a central compliance function and, in some cases, an independent audit function for AML. These roles ensure the risk assessment is kept up to date, that procedures are followed, and that regular reports are made to top management.
Verify customer identity and intent (KYC): For every new client relationship, you must perform customer due diligence. Identify the customer and verify their identity using reliable documents. If the customer is a legal entity, identify its beneficial owners, and check whether the client or their representative is a PEP (Politically Exposed Person). Also establish the purpose and intended nature of the business relationship – why is the client seeking your services?
Classify the customer’s risk level: Based on the information gathered, assess the client’s risk profile (low, normal, or high risk). A higher risk (e.g. the client has a complex company structure or ties to high-risk countries) means you must apply enhanced measures, such as extra identification checks, closer scrutiny of transactions, and more frequent review.
Perform ongoing monitoring: It’s not enough to check the client at onboarding – you need to continually monitor the business relationship. Transactions that deviate from the expected behavior should be examined. Keep client information up to date and redo KYC checks if circumstances change over time.
Report suspicious activities without delay: If you have reason to suspect money laundering, you must promptly report it to the Financial Intelligence Unit (Finanspolisen). You don’t need proof of a crime – even a reasonable suspicion triggers an obligation to report. Remember that you must not tip off the client that you have filed a report (the so-called tipping-off prohibition).
Maintain records: All documentation related to due diligence and compliance measures must be retained for at least five years (in certain cases up to ten years). This includes copies of ID documents, registry extracts, risk assessments, training records, and similar material. Records should be readily available to show regulators during an inspection or investigation.
Note that to conduct certain types of business, you also need to register with the authorities. For example, accounting and bookkeeping firms in Sweden must be entered in the AML registry kept by the Swedish Companies Registration Office (Bolagsverket). Being registered is a prerequisite for legally offering those services.
As you can see, the requirements are extensive – which is exactly why a structured checklist is so useful. Below is a comprehensive AML checklist your firm can follow to meet all the obligations of the law.
Complete AML Compliance Checklist
Here is a step-by-step checklist that your team can start using immediately to ensure compliance with anti-money laundering regulations. Go through each item and check them off one by one:
Perform a general risk assessment: Document your services, client base, and other risk factors. Identify where your firm faces the highest risk of being misused for money laundering. Ensure this risk assessment is written down and approved by management. Update it at least annually or whenever there is a significant change in your business.
Implement an AML policy and procedures: Write out clear procedures for every step – from customer due diligence to filing reports. The policy should cover how you verify clients, how you handle different risk levels, how often you review existing clients, and how to escalate suspicions. Include procedures for record-keeping and protecting personal data (to meet GDPR requirements as well).
Train your staff: Make sure all employees who deal with clients understand the AML rules and your internal procedures. Schedule regular training sessions – both onboarding training for new hires and periodic refreshers for everyone. Tailor the training to each role; for example, client-facing staff should know how to spot red flags in person.
Identify and verify clients: Use a KYC checklist when onboarding each new customer. Collect basic information (name, address, personal ID number/organization number). Always verify the client’s identity document (e.g. via BankID or by inspecting a passport/ID copy) and ensure it’s valid. If the client is a company, obtain the registration certificate and verify authorized signatories.
Determine the beneficial owner: Find out who ultimately owns or controls the client if it is a legal entity. Retrieve data from the Beneficial Ownership Register (Bolagsverket’s register) and document who the beneficial owners are; if there are none, note the alternative person in control instead (who must then be verified and recorded).
Screen for PEPs and sanctions: Check the client (and any beneficial owners) against updated PEP lists and international sanctions lists. This step is crucial for identifying politically exposed persons or sanctioned individuals, who require enhanced measures. Record that you performed these checks and the outcome (e.g. “PEP/Sanctions screening – clear”).
Understand the purpose and risk profile: Ask questions to understand the reason for the client relationship. Why do they need your services, and how will they use them? Outline the expected transaction types or volumes. Then summarize the client’s overall risk profile (low/medium/high) based on the information gathered. If something seems unusual or complex, categorize the client as higher risk and apply extra caution.
Apply enhanced scrutiny for high-risk cases: For high-risk customers, follow up with additional measures. This might include obtaining more detailed financial information, conducting more in-depth background checks, or scheduling more frequent reviews. Ensure a senior person reviews and approves the commencement of any business relationship that is rated high risk.
Monitor the business relationship continuously: After onboarding, keep an eye on the client’s activities. Establish routines to review transactions that stand out – for example, large deposits or patterns that don’t match the client’s profile. For higher-risk clients, perform periodic checks (e.g. quarterly transaction reviews and annual refresh of due diligence). Stay alert to new risk indicators as they emerge.
Report and log any red flags: If you detect something suspicious, follow your reporting procedure immediately. Submit a report to Finanspolisen (through the goAML system) with all relevant details. At the same time, document internally what was observed and what actions you took. This is important both to fulfill the law and to allow internal tracking of the case.
Store all records securely: For every step above, make sure the documentation is stored properly. This includes the risk assessment document, copies of collected customer documents (IDs, registry excerpts), completed checklists for each client, training materials and attendance logs, any monitoring logs or alerts reviewed, and copies of reports sent to the authorities. Organize records by client and topic, so you can quickly retrieve and present them if needed.
By following this checklist diligently, you can be confident that you’re not overlooking any key obligation under the AML regulations.
How to Implement the Checklist Step by Step
So how do you put this checklist into practice in your day-to-day operations? Start by getting buy-in from leadership – ensure that managers and key personnel understand the checklist and why it’s necessary. Then decide who is responsible for each item (for example, a compliance officer might oversee the risk assessment, while a client manager handles KYC checks for new clients).
Integrate the checklist into your workflows. This could be as simple as creating a standardized checklist template (digitally or on paper) to use during every client onboarding. For each new customer, you don’t proceed until all KYC steps on the checklist are checked off. In this way, compliance becomes a seamless part of your onboarding and nothing gets forgotten. Consider using software tools to support this – many modern systems let you build in checkpoints that must be completed before a case can move forward.
Also make sure you collect the necessary documentation in real time. As you carry out each control step, save the evidence immediately: make a copy of the ID, download company information from a registry, or fill out a digital KYC form in which all data is stored centrally. Capturing the evidence while you gather the client information saves time and guarantees nothing is missed.
To track progress and compliance, introduce internal audits or reviews. For example, once a quarter you might randomly select a couple of client files and verify that all checklist items were indeed completed and documented. This kind of spot-check catches oversights and signals to your team that AML compliance is taken seriously throughout the firm.
Documentation and Evidence
Documentation is your best friend when it comes to demonstrating that you’ve followed the law. Remember, if it isn’t documented, it’s as if it never happened. Therefore, err on the side of caution: save and log everything related to your AML measures.
Make sure you have a centralized repository (for instance, a secure cloud folder, a practice management system, or a compliance platform) where you store:
Your enterprise-wide risk assessment document (the latest version, plus archives of previous versions).
Your internal AML policy documents and procedures.
Records of training sessions and which employees attended.
Due diligence documentation for each client: copies of IDs, completed checklists, risk classification results, any enhanced due diligence findings for high-risk clients.
Logs of transaction monitoring reviews, alerts, or anomalies that were examined.
Copies of any suspicious activity reports filed with the authorities (and related correspondence or case notes).
Having things organized makes life much easier during an audit. If the County Administrative Board (Länsstyrelsen) or another regulator comes knocking and asks for your risk assessment or a particular client’s file, you should be able to retrieve them quickly. Good record-keeping also protects you after the fact – if something is ever questioned, you can show exactly what actions were taken and when.
Be mindful of the law’s retention requirements: keep customer due diligence data for at least 5 years after the business relationship ends. Store the material securely so sensitive information is protected from unauthorized access, but also ensure you can retrieve it when needed. Investing in a system for digital archiving of KYC documents can be very worthwhile.
Continuous Monitoring and Updates
After you’ve laid the groundwork, you can’t just rest easy – AML compliance requires ongoing attention. Keep monitoring your client relationships continuously. This means having processes to detect if a client’s behavior changes or if new risk factors emerge. For example, if a client suddenly begins making transactions that are out of character compared to what you know of them, you should respond and investigate what’s happening.
Refresh client information regularly. For many firms, it’s prudent to conduct periodic reviews: high-risk clients might be reviewed annually, medium-risk perhaps every two or three years, and low-risk when specific triggers occur. A review means contacting the client to confirm that previously provided information is still up to date, and performing new checks in PEP and sanctions databases. This ensures your knowledge of the client remains current.
Stay on top of regulatory changes and new typologies as well. AML laws and regulations can change, and new methods of money laundering are constantly appearing. Consider subscribing to newsletters from regulators or industry bodies to hear about the latest developments. Whenever there’s a change in the rulebook, update your risk assessment and procedures to remain compliant with the new requirements.
It’s a good practice to have an annual internal review of your entire AML program. Go through the checklist and ask: are our controls working as intended? Do we need to tweak any procedures based on what we learned in the past year? Involve multiple team members in this evaluation to capture different perspectives.
What to Do If You Find Gaps
Even the best organizations sometimes discover gaps or missed steps in their compliance. Perhaps an internal audit revealed that some older clients never went through a full KYC process by today’s standards, or that your general risk assessment hasn’t been updated in a few years. What should you do then?
First of all, act promptly but methodically. Make a plan to close the gaps. Prioritize by risk – fix the most critical issues first. If, for example, you realize no enterprise-wide risk assessment was ever done, that should be at the top of your to-do list. If some clients have incomplete due diligence, reach out to them immediately and collect the needed information.
Be transparent within your organization about the problems. Involve senior management and explain what corrective actions will be taken. It might also be wise to seek external help, such as consulting an expert or your industry association, to get advice on the best way to remediate the deficiencies. Regulators generally look favorably on firms that self-identify and correct issues – it shows a proactive, responsible approach.
Document the remedial actions as well. When you take a late corrective step, note the reason and what was done. For example: “2025-08-18 – Conducted additional ID verification for Client X as this was missing in the file.” If it turns out something serious was overlooked (e.g. a suspicious transaction went unreported), you may need to report it to the authorities even if late. It’s better to report late than not at all if a mistake is uncovered.
Learn from any gaps you find. Adjust your procedures or update the checklist if necessary to prevent similar misses in the future. Perhaps you need more frequent internal checks, better staff training, or to leverage digital tools to keep track of everything.
How Qapla Helps You Implement the Checklist
Handling all the above steps manually can be time-consuming and complex. This is where Qapla comes in as a modern KYC and AML platform. Qapla is designed to automate and streamline the entire process – from client onboarding to ongoing monitoring.
With Qapla, you can perform digital ID verifications in seconds, instead of dealing with paper copies of passports or IDs. The platform connects to reliable databases and registers, so you can automatically pull company information, check beneficial ownership, and run PEP and sanctions screenings in real time. This replaces the need for manual KYC checklists on paper; the system guides you through all the steps, and you cannot move forward until the required information is collected.
Risk assessment and client risk scoring become easier too. Qapla helps generate a risk profile for each client based on their data and the background checks. High-risk factors are automatically flagged, which helps you focus on what matters most. The system also reminds you when it’s time for periodic review of a client or if some data has gone stale.
Another big benefit is documentation. Every piece of data and every check performed in Qapla is logged and stored centrally. You get a digital audit trail for each client’s due diligence record, updates, and any alerts. If you ever need to demonstrate your AML process to an outside examiner, you can easily pull reports from Qapla showing exactly what was done and when.
By using a platform like Qapla, you cut down significantly on manual admin work. This lowers the chance of human error – no steps are skipped, because the tool ensures all requirements are met. At the same time, you free up time to focus on your core business and your clients, instead of spending hours double-checking spreadsheets and filling out forms. In short, Qapla helps you stay compliant in a smooth and efficient way, while keeping you up to date in a changing regulatory landscape.
Book a Compliance Review
Not sure how well your firm is meeting AML requirements right now? Schedule a compliance review with the Qapla team. Our experts will examine your current KYC process and provide concrete recommendations for improvement. A review can identify any gaps and show how a modern solution like Qapla can be integrated to strengthen your AML compliance. Contact us today to book a no-obligation compliance review and take the first step toward easier and safer AML management.