AML Gap Analysis Checklist Guide

Regulators across the US, UK, Canada, and EU are tightening AML enforcement — and the penalties are no longer symbolic. FinCEN assessed a record $1.3 billion civil money penalty against TD Bank in October 2024, citing monitoring gaps, SAR filing backlogs, and an under-resourced compliance program. The FCA fined Starling Bank £28.9 million in 2024 because its financial crime controls failed to keep pace with growth.

What these cases share: the gaps existed long before regulators arrived.

An AML gap analysis is the structured process for finding those weaknesses before an examiner does. This guide walks through what a gap analysis involves, when to run one, and the specific checklist domains your review should cover — across governance, KYC, transaction monitoring, SAR/STR reporting, training, and recordkeeping.


TL;DR

  • An AML gap analysis compares your current program against applicable regulatory requirements to expose weaknesses before regulators do.
  • A checklist approach structures the review across seven core domains, from governance and CDD/KYC to transaction monitoring and recordkeeping.
  • The process follows six steps — from scoping and requirements mapping through gap identification, remediation planning, and ongoing monitoring.
  • Key triggers include regulatory changes, new product launches, banking partner onboarding, and annual review cycles.
  • Organizations without a full-time BSA Officer, CAMLO, or MLRO should consider external expertise to run the process objectively.

What Is an AML Gap Analysis?

An AML gap analysis is a structured comparison between an organization's current AML/CFT program and the regulatory standards it must meet — whether that's BSA/AML under FinCEN, the FCA's SYSC 6.3 and MLR 2017 in the UK, FINTRAC's PCMLTFA obligations in Canada, or AMLD/AMLR requirements in the EU.

Three components define every gap analysis:

  1. Current State: what policies, controls, and systems actually exist today
  2. Desired State: the regulatory baseline and best-practice standard your program must meet
  3. The Gap: deficiencies, missing processes, or outdated controls sitting between the two

Figure: the three components of an AML gap analysis (current state, desired state, gap).

Gap Analysis vs. AML Audit

These terms get conflated, but the distinction has real consequences for how you structure your compliance calendar.

A gap analysis is a proactive, internally driven self-assessment — its purpose is to find and fix weaknesses before anyone else sees them.

An AML audit is a formal, independent verification of compliance, conducted by a regulator, sponsor bank, or third-party auditor. The gap analysis feeds the audit; it is not a substitute for one.

Regulators don't always use the phrase "gap analysis," but the underlying activities are well-established. The FFIEC expects BSA/AML independent testing to assess a bank's compliance relative to its risk profile and evaluate overall program adequacy. FINTRAC explicitly requires every reporting entity to review the effectiveness of its compliance program at least every two years.


Why AML Gap Analysis Matters

The enforcement record makes the case plainly. FinCEN's TD Bank action cited failures that included peer-to-peer monitoring gaps and approximately $1.5 billion in suspicious transactions that went unreported. FinCEN's 2022 Bittrex action imposed a $29.3 million penalty after the firm processed over 20,000 transactions per day with too few reviewers, failed to file SARs for more than three years, and processed over 116,000 transactions involving sanctioned jurisdictions. In Canada, FINTRAC penalized TD Bank CAD $9.185 million in 2024 for failing to submit 20 STRs and failing to apply required special measures to 85 high-risk clients.

None of these institutions chose to ignore compliance. Gaps accumulated over time — through growth, understaffing, outdated controls, and no structured review process in place to catch them.

For fintechs, crypto firms, and money transmitters, the stakes compound further. Regulatory expectations are moving fast:

  • EU Regulation 2024/1624 applies from July 2027
  • FinCEN's proposed program rule would require risk-based effectiveness assessments
  • EBA AML/CFT guidance extended to crypto-asset service providers from December 2024

What passed a sponsor bank's due diligence 18 months ago may not pass today.

Key Benefits of Regular Gap Analysis

  • Detects control weaknesses before a regulator or sponsor bank does
  • Creates a defensible audit trail showing proactive compliance effort
  • Focuses remediation spend on highest-risk areas
  • Reduces exposure to fines, license risk, and reputational damage
  • Supports smoother banking partner and investor due diligence reviews

When to Run One

Don't wait for an exam. The right triggers are:

  • Before a regulatory exam or independent audit
  • When entering a new product line, market, or jurisdiction
  • Following a regulatory change (new FinCEN rule, FCA guidance update, FINTRAC sector amendment)
  • After a SAR/STR-related incident or compliance finding
  • During banking partner onboarding or M&A activity
  • On a scheduled annual basis as part of your compliance calendar

A gap analysis should not be a one-time event. Regulators expect findings to be tracked, remediated, and re-verified on a defined cadence — treat it as a recurring program obligation, not a box to check.


Figure: six triggers for conducting an AML gap analysis, mapped to the compliance calendar.

The AML Gap Analysis Checklist: Key Domains to Assess

A well-structured checklist organizes your self-assessment across the major domains of an AML program; the sections below cover seven of them, with technology and recordkeeping treated together. For each domain, you're evaluating four things: whether a control exists, whether it's documented, whether it's operating effectively, and whether it still meets current regulatory standards. That last point matters more than most teams expect — regulations shift, and a control that passed muster two years ago may have a gap today.

Governance and AML Program Structure

The BSA program requirements, as examined under the FFIEC BSA/AML Examination Manual, call for a board-approved program built on five pillars: internal controls, independent testing, a designated BSA officer, training, and risk-based CDD. UK FCA SYSC 6.3 and FINTRAC both require similarly structured programs, with a named officer holding documented authority and sufficient resources to act on it.

Key checklist questions:

  • Is there a designated BSA Officer, CAMLO, or MLRO with documented authority and sufficient resources?
  • Does the board receive regular AML reporting and demonstrate awareness of key risks?
  • Is the AML policy current, documented, and approved at senior level?
  • Does the program follow a documented risk-based approach aligned to the business model?

Customer Due Diligence (CDD) and KYC

FinCEN's CDD Rule, UK MLR 2017 (Regulations 27–28), and EU AMLR (Articles 19, 20, 51, and 52) all require risk-based due diligence and beneficial ownership collection for legal entity customers. The frameworks differ in thresholds and verification standards, but the common gap is the same: incomplete or stale ownership data that hasn't been refreshed since onboarding.

Ask yourself:

  • Are onboarding procedures tiered by risk, with clear triggers for enhanced due diligence?
  • Is beneficial ownership collected and verified for legal entity customers?
  • Are PEP and sanctions screening processes documented, tested, and current?
  • Is there a defined process for ongoing customer risk review and periodic refresh?

Transaction Monitoring

FFIEC suspicious activity guidance expects monitoring systems tailored to risk, with reasonable filtering criteria and documented thresholds. The 2021 interagency statement on model risk management (Federal Reserve, FDIC, OCC, NCUA, and FinCEN) clarifies how model risk management principles apply to BSA/AML transaction monitoring systems, including the expectation that tuning and validation be documented and proportionate to risk.

Questions to assess:

  • Is the transaction monitoring system calibrated to the institution's specific risk profile and customer base — not just deployed with default settings?
  • Are alert thresholds documented and reviewed on a defined schedule?
  • Are alert dispositions tracked with clear escalation paths and disposition rationale?
  • Is there evidence of tuning reviews, model validation, and backtesting?

SAR/STR Reporting

The BSA SAR rule, as summarized in FFIEC guidance, requires a SAR to be filed no later than 30 calendar days after initial detection; where no suspect was identified at detection, filing may be delayed to identify one, but in no case beyond 60 calendar days after detection. FINTRAC requires STRs when there are reasonable grounds to suspect ML/TF or sanctions evasion. In the UK, POCA Section 330 establishes failure-to-disclose offences in the regulated sector.

Key checklist questions:

  • Is there a documented process for escalating, reviewing, and filing SARs (US and UK) or STRs (EU and Canada)?
  • Are filing timelines being met consistently, with evidence to demonstrate it?
  • Is there a written policy on tipping-off restrictions and staff awareness of obligations?
  • Are SAR/STR filings subject to quality review before submission?
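The "evidence to demonstrate it" point is easiest to satisfy when the filing log is checked mechanically rather than by sampling. The script below is an added example, not part of the original guide or any vendor tool: it parses a constructed CSV filing log (the column names are this example's assumption), applies the US 30/60 calendar-day rule described above (the day counts are constants you should confirm against the regime you file under), and returns an exception list of late and overdue cases that can be attached to the gap register.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Deadline rule as summarised in the text: 30 calendar days from initial
# detection, or 60 when no suspect was identified at detection. These are
# this example's assumptions for the US regime; adjust for other regimes.
DEADLINE_DAYS = 30
NO_SUSPECT_DEADLINE_DAYS = 60


@dataclass(frozen=True)
class SarLogEntry:
    case_id: str
    detected: date            # date of initial detection
    suspect_identified: bool  # was a suspect identified at detection?
    filed: date | None        # filing date, or None if not yet filed


def parse_log(text: str) -> list[SarLogEntry]:
    """Parse a CSV log with columns case_id,detected,suspect_identified,filed."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        filed = row["filed"].strip()
        entries.append(SarLogEntry(
            case_id=row["case_id"].strip(),
            detected=date.fromisoformat(row["detected"].strip()),
            suspect_identified=row["suspect_identified"].strip().lower() == "yes",
            filed=date.fromisoformat(filed) if filed else None,
        ))
    return entries


def filing_deadline(entry: SarLogEntry) -> date:
    """Latest permitted filing date for one entry under the assumed rule."""
    days = DEADLINE_DAYS if entry.suspect_identified else NO_SUSPECT_DEADLINE_DAYS
    return entry.detected + timedelta(days=days)


def review_log(entries: list[SarLogEntry], as_of: date) -> dict[str, tuple[str, int]]:
    """Classify every entry as of a review date.

    Returns case_id -> (status, days_past_deadline). Unfiled cases that are
    still inside their window are OPEN, not exceptions.
    """
    results: dict[str, tuple[str, int]] = {}
    for e in entries:
        deadline = filing_deadline(e)
        if e.filed is None:
            if as_of > deadline:
                results[e.case_id] = ("OVERDUE_UNFILED", (as_of - deadline).days)
            else:
                results[e.case_id] = ("OPEN", 0)
        elif e.filed > deadline:
            results[e.case_id] = ("FILED_LATE", (e.filed - deadline).days)
        else:
            results[e.case_id] = ("FILED_ON_TIME", 0)
    return results


def exceptions(results: dict[str, tuple[str, int]]) -> dict[str, tuple[str, int]]:
    """Only the cases an examiner would ask about."""
    return {k: v for k, v in results.items() if v[0] in ("OVERDUE_UNFILED", "FILED_LATE")}


def audit_filing_log(text: str, as_of_iso: str) -> dict[str, tuple[str, int]]:
    """Convenience wrapper: CSV text plus ISO review date -> classified results."""
    return review_log(parse_log(text), date.fromisoformat(as_of_iso))


# Constructed sample log for illustration only; these are not real filings.
SAMPLE_LOG = """case_id,detected,suspect_identified,filed
SAR-001,2024-03-01,yes,2024-03-28
SAR-002,2024-03-05,yes,2024-04-10
SAR-003,2024-03-05,no,2024-04-30
SAR-004,2024-04-01,no,
SAR-005,2024-05-20,yes,
"""

if __name__ == "__main__":
    results = audit_filing_log(SAMPLE_LOG, "2024-06-01")
    for case_id, (status, days) in results.items():
        suffix = f" ({days} days past deadline)" if days else ""
        print(f"{case_id}: {status}{suffix}")
    print(f"{len(exceptions(results))} exception(s) of {len(results)} cases")
```

Run against the sample log as of 2024-06-01, SAR-002 is flagged as filed six days late and SAR-004 as one day overdue and still unfiled; SAR-005 is open but inside its 30-day window, so it is not an exception. The point of the OPEN status is that a gap analysis must distinguish "not yet due" from "missed", or the late-filing rate will be overstated.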

Training and Awareness

The BSA training pillar, as described in FFIEC guidance, requires training for appropriate personnel, with documentation of materials, dates, and attendance. FINTRAC requires an ongoing written training program as part of every reporting entity's compliance structure.

During your review:

  • Do all relevant employees receive AML training at onboarding and on an annual basis?
  • Is training role-specific — covering different content for front-line staff versus compliance personnel?
  • Are training completion records maintained and accessible for examination?
  • Is training content updated when red flags or regulatory guidance change?

Technology, Systems, and Recordkeeping

BSA records are generally retained for five years, including SARs and supporting documentation. UK MLR 2017 Regulation 40 and EU AMLR Article 77 both require retention of CDD and transaction records for five years after relationship termination.

Key checklist questions:

  • Are AML technology tools fit for the institution's current transaction volumes and risk profile?
  • Are records of CDD, transaction monitoring decisions, and SAR filings retained for the required period?
  • Is there a documented data governance process that supports AML recordkeeping obligations?
  • Can the institution produce records quickly if requested by a regulator or sponsor bank?

Figure: overview of the seven AML gap analysis checklist domains, from governance to recordkeeping.

How to Conduct an AML Gap Analysis: Step by Step

The checklist defines what to assess. These steps define how to run the process — and where organizations most commonly cut corners.

Step 1 – Define Scope and Regulatory Framework

Map which jurisdictions, business lines, and regulatory frameworks are in scope. A US-only payments firm maps to BSA/FinCEN and FFIEC. A fintech operating across the US and UK maps to both BSA/AML and FCA/MLR 2017. Clarify who owns the process, who will review findings, and what the expected output is — internal report, board presentation, or remediation plan.

Step 2 – Map Regulatory Requirements

Break applicable regulations into discrete, checkable obligations by domain. For example: FinCEN's CDD Rule requirements, FCA SYSC 6.3.6 controls expectations, FINTRAC's effectiveness review (at least every two years), or AMLR Article 69 FIU reporting obligations. This mapping becomes your "desired state" baseline — the standard against which current practices are measured.

Step 3 – Assess Current State

Gather existing policies, procedures, system configurations, training records, and SAR filing logs. Don't stop at document review.

Interview compliance staff and business unit owners to verify whether controls operate as written. A policy that exists on paper but isn't followed is a gap, and examiners test for exactly that difference by sampling cases, alerts, and filings against the procedure.

Step 4 – Identify and Document Gaps

Compare your current state against the regulatory baseline. Document each gap with specificity:

  • What control is missing or deficient
  • Which regulation it relates to
  • The risk level (high/medium/low)
  • The potential consequence of non-remediation

Vague findings like "transaction monitoring needs improvement" are not useful. Specific findings — "alert thresholds were last reviewed in 2022 and have not been updated to reflect the addition of crypto payment rails in Q3 2024" — are defensible and actionable.

Step 5 – Develop a Remediation Plan

Assign each gap an owner, a corrective action, a deadline, and the resources required. High-risk items go first. Prioritize:

  • Missing SAR filing procedures
  • Unvalidated transaction monitoring models
  • High-risk customer onboarding gaps

A gap report that sits on a shelf is not a remediation plan. Each item needs a named owner and a firm deadline.

Step 6 – Monitor, Re-Test, and Iterate

After corrective actions are implemented, verify that controls are now operating as intended — not just a policy update. Schedule a follow-up review to confirm closure. Regulatory expectations shift, products evolve, and new gaps emerge. Treat the gap analysis as a living process, not a one-time exercise.


Figure: six-step AML gap analysis process flow, from scope definition to iterative monitoring.

How Fraxtional Can Help

Many fintechs, crypto firms, and BaaS banks lack a full-time BSA Officer, CAMLO, or MLRO on staff — which means gap analyses either don't happen, or they're run by people without the experience to identify what regulators actually look for.

Fraxtional provides fractional compliance leaders — BSA Officers, CAMLOs, and MLROs — who design, lead, and deliver AML gap analyses tailored to each institution's framework. Engagements cover BSA/AML, FCA/MLR, FINTRAC, and AMLD, including cross-jurisdictional reviews for firms operating across multiple markets.

A few things that distinguish Fraxtional's approach:

  • Director-led throughout — findings aren't delegated to junior staff. Every deliverable is reviewed at the Director level and formatted to meet what regulators and sponsor banks expect.
  • Sponsor bank alignment — Fraxtional's frameworks are pre-approved by sponsor banks across lending, crypto, and payments, so gap analysis outputs hold up during banking partner due diligence.
  • Credential holders across CAMS, CFE, FCI, and CERP lead all gap analysis work, covering transaction monitoring, beneficial ownership, SAR/STR reporting, and recordkeeping with technical precision.
  • Engagements range from a focused one-time gap review to a monthly fractional retainer with iterative re-assessment built in — structured around what each firm actually needs.

If your program has gaps — or you're not sure whether it does — contact Fraxtional to scope a review.


Frequently Asked Questions

What is an AML gap analysis?

An AML gap analysis is a structured review comparing an organization's existing AML program against applicable regulatory requirements to identify weaknesses, missing controls, or outdated procedures. The goal is proactive remediation before a regulatory exam or enforcement action surfaces the same issues.

What are the steps of an AML gap analysis?

There are six core steps:

  • Define scope and applicable regulatory framework
  • Map discrete regulatory requirements to your program
  • Assess current-state design and operating effectiveness
  • Identify and document gaps
  • Develop a remediation plan with assigned owners and deadlines
  • Monitor progress through re-testing

The process should be iterative, not a one-off exercise.

When should an AML gap analysis be performed?

Conduct a gap analysis when any of these conditions apply:

  • Upcoming regulatory exam or supervisory review
  • New market entry, product launch, or M&A activity
  • Regulatory rule changes affecting your program
  • Post-incident remediation or compliance failure
  • Banking partner onboarding or sponsor bank due diligence

Most regulated institutions should also run at least one formal review annually.

What does an AML gap analysis checklist include?

A comprehensive checklist covers seven domains:

  • Governance and program structure
  • CDD/KYC controls
  • Transaction monitoring
  • SAR/STR reporting
  • Employee training
  • Technology and systems
  • Recordkeeping

Each domain includes self-assessment questions covering existence, documentation, operating effectiveness, and regulatory currency.

How is an AML gap analysis different from an AML audit?

A gap analysis is proactive and internally driven — designed to find and fix weaknesses before a formal review. An AML audit is typically independent and external, conducted by a regulator, sponsor bank, or third-party auditor to verify compliance. The gap analysis should feed and prepare for the audit, not replace it.

How often should an AML gap analysis be conducted?

At minimum annually for most regulated institutions. Additional reviews should be triggered by regulatory changes, new products, rapid growth, or compliance incidents. Regulators expect ongoing, iterative review — not a once-a-year checkbox.