The Audit-Ready KYC Checklist

What examiners actually look for in your KYC, sanctions, and AML logs — straight from a former Chief Compliance Officer.

Examiners do not arrive looking for technology. They arrive looking for evidence — that you knew the risk, took the right action, documented the rationale, and can reproduce the entire trail when asked.

Use this checklist before your next exam, before onboarding a new high-risk customer segment, or as a quick health check on your current platform. If your system can’t produce all twelve, the gap is worth addressing before regulators find it for you.

  1. Documented customer risk score with calculation methodology

    Examiners want to see HOW you got to a risk rating, not just the final score. The methodology should be reproducible by a different analyst with the same inputs.

  2. Source of funds and source of wealth documentation for high-risk customers

    For PEPs, high-net-worth individuals, and customers in high-risk jurisdictions, expect questions about how you verified the legitimacy of funds and the underlying source of wealth.

  3. UBO chain mapped to natural persons, not entities

    Beneficial ownership disclosure must be traced through to the human being who ultimately owns or controls the account — typically anyone with 25%+ ownership. Examiners reject opaque chains that end at another corporate entity.

  4. Sanctions screening evidence with date, list version, and disposition

    Every sanctions check needs to capture which list (and what version) was screened, when, by whom, and what action was taken — including documented justification for false-positive dismissals.

  5. PEP screening with relationship analysis, not just name match

    A name appearing on a PEP list isn’t automatically the same person. Document the verification steps that confirmed (or excluded) the match: date of birth, jurisdiction, family network.

  6. Adverse media review with reviewer notes

    Negative news hits need analyst commentary explaining whether the reported behavior constitutes ML/TF risk, jurisdictional exposure, or reputational concern only.

  7. Periodic re-screening cadence appropriate to risk tier

    Low-risk customers might be re-screened annually; high-risk monthly or quarterly. The cadence should be documented in your written AML program and consistently applied.

  8. Trigger-based re-screening on material events

    When OFAC adds new entries, when a customer’s risk profile changes, when account activity diverges from expected patterns — all should generate documented trigger-based re-screens.

  9. Audit trail with timestamp and user identity for every action

    Examiners will sample alert dispositions, document reviews, and policy changes. The trail must show who did what, when, and why — not just that the work was done.

  10. Documented deviations from standard procedure with rationale

    When an analyst overrides a system recommendation or deviates from policy, the reasoning needs to be in the file. Undocumented deviations are an examiner’s red flag.

  11. Record retention meeting jurisdictional requirements

    Most US regulators require 5+ years of KYC records; some jurisdictions require longer. Records should remain searchable and reproducible across that retention window.

  12. Independent testing and audit trail of remediation work

    Internal audit findings, regulator MRAs, and consent-order remediation should each have documented closure evidence. Examiners check whether prior issues were actually fixed.

How does your current platform score?

If you would like a working demo with a compliance specialist (not an SDR), we will walk through this checklist against your actual KYC workflow and show you where Global RADAR’s AI-driven evidence trail closes the gaps.
