RIA AML Readiness Checklist: 9 Things to Have in Place Before 2028

FinCEN delayed the IA AML Rule to January 1, 2028, but the runway is shorter than it looks. Here's the 9-item readiness checklist every CCO and AMLO at an RIA needs to work through before the deadline.

Two Years Is Less Time Than It Looks

When FinCEN issued the final rule on December 31, 2025 delaying the Investment Adviser AML Rule to January 1, 2028, the immediate industry reaction split along predictable lines. Some firms exhaled. Some kept building. A smaller group, typically the ones with prior BSA exposure or institutional clients pressing on AML maturity, started asking the harder question: what does a defensible program actually look like, and how much of one can we realistically build in 24 months?

This checklist is for that third group.

Two years sounds like runway. In compliance program build cycles, it isn't. Risk assessment, vendor selection, policy drafting, training rollout, independent testing, and remediation cycles routinely stretch 18 to 24 months end-to-end. Firms that start construction in mid-2027 will not finish in time. Firms that start now—using the delay as build time rather than wait time—will.

The nine items below are the working diagnostic for a 2028-ready RIA AML program. For each item, the checklist surfaces what the rule requires, what "compliant" actually looks like operationally, the gap that most commonly trips firms up, and what auditors and examiners look for. The full downloadable version includes audit cues, evidence requirements, and a self-scoring rubric (Met / Partial / Gap / Not Started) for each item.

The 9 Items

1. A Written AML Program Approved by Senior Management

What the rule requires: Covered advisers must establish and maintain a written AML/CFT program containing policies, procedures, and internal controls reasonably designed to prevent the firm from being used for money laundering or terrorist financing. The program must be approved in writing by the firm's board or, where no board exists, its equivalent governing body or senior leadership.

What compliant looks like: A firm-specific written program, not a templated download from a compliance forum, calibrated to the firm's size, client base, geographies, and product mix. The document references the firm's actual operations, names the AML/CFT compliance officer, references the most recent risk assessment, and carries a documented approval signature from senior leadership with a date.

Common gap: Generic templates lifted from broker-dealer programs or from sample policies circulating in industry working groups. Examiners spot boilerplate immediately. A program that doesn't reference the firm's specific client types, fund structures, or geographic exposure reads as performative rather than operational.

What examiners look for: Evidence of senior management ownership, alignment between the written program and the firm's actual practices, and a version history showing the program has been updated as the firm's risk profile evolved.

2. A Designated AML/CFT Compliance Officer With Real Authority

What the rule requires: A specifically designated AML/CFT compliance officer with sufficient authority, independence, and resources to oversee the program. The officer can be an internal employee or, for smaller firms, the existing Chief Compliance Officer wearing an additional hat, but the role must be explicitly named and documented.

What compliant looks like: The AMLO has direct reporting access to senior leadership or the board, sufficient resources (budget, staff support, or vendor tooling) to do the job, and explicit authority to halt or escalate transactions without retaliation. The role is documented in the written program, in employment agreements where applicable, and in the firm's compliance organizational chart.

Common gap: The AMLO role gets bolted onto an already-overloaded CCO or operations lead with no additional resources, no defined authority, and no protected reporting line. When examiners ask the AMLO to describe their escalation path, the answer reveals the structural weakness.

What examiners look for: Genuine independence and authority, not just a title. They'll often interview the AMLO directly and assess whether the role functions as designed.

3. A Documented, Risk-Based Client Risk Assessment

What the rule requires: A risk-based approach to CDD, which presupposes a documented assessment of the firm's specific money laundering and terrorist financing risk exposure. The assessment is the foundation for everything downstream: CDD tier design, monitoring thresholds, training content, testing scope.

What compliant looks like: A written assessment, refreshed at defined intervals (typically annually or upon material business change), that evaluates risk across client types, geographies, products and services, delivery channels, and any sector-specific exposures. The assessment is signed and dated, and the program's specific controls reference it explicitly.

Common gap: Firms produce a risk assessment as a one-time exercise during initial program build, then never refresh it. By the time examiners arrive, the assessment is two years stale, doesn't reflect the firm's current client base, and can't justify the program's calibration.

What examiners look for: Tight alignment between assessed risk and program design. If the firm rates jurisdictional risk as high for certain regions but the screening program treats all clients identically, the disconnect is a finding.

4. Customer Identification and Beneficial Ownership Procedures

What the rule requires: When the still-pending Customer Identification Program rule (jointly proposed by FinCEN and the SEC) is finalized, covered advisers will need to verify the identity of clients at onboarding using a defined set of identifying information. CDD procedures must include beneficial ownership identification for legal entity clients, consistent with FinCEN's Beneficial Ownership Rule framework.

What compliant looks like: Documented procedures for identity verification at onboarding (government ID, address, taxpayer identification) with appropriate handling for remote onboarding. Beneficial ownership identification down to the 25% threshold (or lower, depending on the firm's risk-based approach), plus a control person, for any legal entity client. Resolution to natural persons, not just to corporate parents.

Common gap: The CIP rule hasn't been finalized, so many firms have deferred building this entirely. That's a mistake. The CDD requirements under the IA AML Rule presuppose identity verification at onboarding; firms that wait for CIP finalization will be rebuilding their onboarding architecture under deadline pressure.

What examiners look for: Beneficial ownership resolution that doesn't stop at the first corporate layer. They'll test whether the firm can trace ownership down to natural persons for complex structures—particularly family offices, fund-of-funds vehicles, and offshore entities.

5. Ongoing Monitoring and Behavioral Screening

What the rule requires: Ongoing monitoring sufficient to maintain and update customer information and to identify and report suspicious activity. The standard is continuous, not point-in-time.

What compliant looks like: Systematic monitoring of client activity—transaction patterns, source-of-funds consistency, behavioral changes—calibrated to the client's assessed risk tier. Alert workflows route flagged activity to designated reviewers. Decisions to clear or escalate alerts are documented contemporaneously.

Common gap: Firms treat monitoring as a periodic review exercise—quarterly account reviews, annual KYC refreshes—rather than continuous infrastructure. When a client's behavior shifts in month two of a quarterly cycle, the firm catches it in month three at best, missing the SAR filing window.

What examiners look for: Evidence that monitoring actually generates alerts, that alerts get reviewed, and that the firm can produce the audit trail for both the alerts generated and the decisions made. Modern platforms like Ferretly handle continuous behavioral and identity monitoring as integrated infrastructure rather than as a periodic compliance task.

6. Sanctions Screening (Pre-Onboarding and Continuous)

What the rule requires: Compliance with OFAC sanctions obligations, independent of the IA AML Rule timeline. Screening against the SDN List, sectoral sanctions programs, and ownership chains subject to the OFAC 50% Rule. The IA AML Rule, when effective, will formalize expectations around integrating sanctions screening into the broader compliance program.

What compliant looks like: Real-time screening at onboarding against OFAC SDN, sectoral lists, and global watchlists (EU, UK HMT, UN Security Council, Canadian OSFI, Interpol). Continuous monitoring rescreens the entire client base daily against list updates. Fuzzy matching catches transliteration variants and spelling differences. Every match, clearance decision, and analyst note is captured in an immutable audit trail.

Common gap: Point-in-time screening at onboarding with no continuous monitoring. The client was clean at onboarding; OFAC adds them to the SDN List 14 months later; the firm continues transacting; the violation occurs under strict liability. This pattern is the single most common path to OFAC enforcement actions against advisers.

What examiners look for: Specifically: when did your sanctions data last update, when was the last continuous monitoring run, and where is the audit trail for the last 12 months of cleared alerts? If any of those three answers is uncomfortable, the program isn't defensible.

For the full operational standard on RIA sanctions screening, see our OFAC sanctions screening guide for RIAs.
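To make the "compliant" standard for item 6 concrete, here is an added illustration (not code from the original checklist or from any vendor named on the page) of the three mechanics it describes: normalization plus fuzzy matching so a transliteration variant still hits, a daily rescreen of the whole client base against an updated list, and an append-only, hash-chained audit trail in which any later edit of a cleared alert is detectable. The client names, list entries and 0.85 match threshold are constructed assumptions for the demo; a production program would tune the threshold and use a licensed list feed.

```python
import hashlib
import json
import unicodedata
from difflib import SequenceMatcher
# Constructed sample data (not real persons or list entries): three clients, two daily list snapshots.
CLIENTS = [{"id": "C-001", "name": "Acme Holdings LLC"},
           {"id": "C-002", "name": "Yevgeniy Petrov"},
           {"id": "C-003", "name": "Blue Harbor Partners"}]
LIST_DAY1 = ["Mohammed al-Rashid Trading Co"]
LIST_DAY2 = LIST_DAY1 + ["Evgeny Petrov"]  # name added to the list after onboarding

def normalize(name):
    """Strip accents, punctuation and case so transliteration variants compare closely."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    return " ".join("".join(c if c.isalnum() else " " for c in text).split())

def screen(clients, watchlist, threshold=0.85):
    """Fuzzy-match every client against every list entry; return hits at or above threshold."""
    hits = []
    for client in clients:
        for entry in watchlist:
            score = SequenceMatcher(None, normalize(client["name"]), normalize(entry)).ratio()
            if score >= threshold:
                hits.append((client["id"], entry, round(score, 2)))
    return hits
def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
class AuditTrail:
    """Append-only log; each record embeds the previous record's hash, so edits are detectable."""
    def __init__(self):
        self.records, self.prev_hash = [], "0" * 64
    def append(self, event):
        record = {"prev": self.prev_hash, **event}
        self.prev_hash = _digest(record)
        self.records.append((self.prev_hash, record))
    def verify(self):
        prev = "0" * 64
        for digest, record in self.records:
            if record["prev"] != prev or _digest(record) != digest:
                return False
            prev = digest
        return True
def daily_rescreen(clients, watchlist, trail, day):
    """One continuous-monitoring run: log every hit as an open alert plus a run summary."""
    hits = screen(clients, watchlist)
    for cid, entry, score in hits:
        trail.append({"day": day, "client": cid, "match": entry, "score": score, "status": "open"})
    trail.append({"day": day, "event": "rescreen", "clients": len(clients), "hits": len(hits)})
    return hits
```

Run day 1 and day 2 back to back: the onboarding-clean client C-002 only surfaces on the second rescreen, and the run-summary record gives the examiner the "when was the last continuous monitoring run" answer directly.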

7. SAR Filing Procedures and Internal Escalation Paths

What the rule requires: When effective, the IA AML Rule will require covered advisers to file Suspicious Activity Reports on transactions involving $5,000 or more that meet the BSA's suspicious activity criteria. SAR filings carry strict confidentiality requirements under 31 U.S.C. § 5318(g), the "no tipping off" rule.

What compliant looks like: Documented procedures for SAR consideration, internal escalation, review, and filing. Defined decision authority (typically the AMLO, with senior management notification for material filings). Confidentiality protocols that limit SAR knowledge to authorized personnel. A documented audit trail for both SARs filed and SAR considerations that did not result in filings.

Common gap: Firms build SAR filing capability but neglect the internal escalation infrastructure. When a client-facing adviser spots suspicious behavior, they have no clear path to surface it to the AMLO without violating the no-tipping-off rule themselves.

What examiners look for: Evidence of a functioning escalation pathway, not just the existence of a SAR filing form. They'll often ask front-line staff to describe what they would do if they observed suspicious activity, testing whether the procedures live in practice or only on paper.

8. Independent Testing on a Defined Cadence

What the rule requires: Independent testing of the AML/CFT program's adequacy, conducted by qualified personnel, internal or external, who do not have AML/CFT program responsibilities. The cadence is risk-based but generally annual or every 12–18 months.

What compliant looks like: A documented testing engagement, conducted by qualified independent reviewers, that examines the program's design and operational effectiveness. The testing scope is risk-based, the findings are documented, and the firm produces a written management response with remediation commitments and timelines.

Common gap: Firms that have never commissioned an AML audit underestimate the lead time. Identifying qualified testers, scoping the engagement, completing fieldwork, and finalizing the report routinely takes 4–6 months. Building the first test into the 2026–2027 cycle establishes baseline evidence of good-faith implementation and surfaces gaps with enough time to remediate before 2028.

What examiners look for: Independence of the testing function, scope appropriate to the firm's risk profile, and a management response that demonstrates the firm acted on findings rather than filed them.

9. Training, Recordkeeping, and Information Sharing Readiness

What the rule requires: Ongoing training appropriate to employee roles, recordkeeping for five years on BSA-required records (SARs, CDD documentation, supporting evidence), and operational readiness for Section 314(a) law enforcement queries and optional Section 314(b) information sharing.

What compliant looks like: Role-based training delivered on a defined cadence (annual, with updates on material rule changes), with documented attendance and completion records. Five-year retention infrastructure for SAR and CDD records: encrypted, access-controlled, exportable on demand. Documented procedures for responding to Section 314(a) queries within FinCEN's required timeframes.

Common gap: Generic training that doesn't differentiate by role. The client-facing adviser, the operations analyst, and the AMLO have different responsibilities and different red flags. One-size-fits-all training fails to equip any of them.

What examiners look for: Training records that demonstrate genuine role-appropriate education, recordkeeping infrastructure that can produce specific records on demand, and 314(a) response capability that doesn't require a fire drill.

The 90-Day Starting Point

For firms still mapping where to begin, the first 90 days of build typically focus on the foundational layer: risk assessment refresh, AMLO designation with documented authority, written program drafting (or rewrite from generic template), and vendor scoping for screening and monitoring infrastructure. Once those are in place, the remaining items build on top.

The firms that are 2028-ready by mid-2027 will have completed at least one full cycle of all nine items, including independent testing and remediation, leaving runway for refinement before the rule takes effect.

The full downloadable checklist includes a self-scoring rubric for each item, the specific evidence examiners typically request, and a recommended 18-month build sequence for firms starting from scratch.

Download the full RIA AML Readiness Checklist →
