The AML Compliance Lifecycle: Six Stages Every Regulated Team Must Cover
AML compliance is often treated as an onboarding task. Run the screening, file the check, move on. The problem is that money laundering doesn't happen at the moment of onboarding — it happens over the lifetime of the relationship. Here's what a complete lifecycle looks like.
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
When supervisors audit an AML programme, they do not just check whether you have screening in place. They look at the end-to-end process: from how you identify customers at the start of the relationship, through how you monitor them during it, to how you respond when something goes wrong and how you close out the relationship when necessary.
Most gaps are not in the onboarding check. They are in what happens after it. This guide maps the six stages of the AML compliance lifecycle, what each requires, and the most common failure points at each stage.
Why most compliance programmes have gaps
The AML compliance lifecycle breaks down not because firms don't care, but because the tools don't connect. Onboarding is handled in one system, case management in another, monitoring in a third, and regulatory filing in a fourth (often a spreadsheet). Each handoff between systems is an opportunity for information to be lost, timelines to slip, and risks to go unacted on.
The firms with the most defensible compliance programmes are not necessarily those with the most sophisticated tools. They are the ones where the process is unbroken — where information from onboarding feeds directly into risk scoring, risk scoring feeds into monitoring decisions, monitoring feeds into case management, and case management feeds into regulatory filing, with a complete audit trail connecting every step.
The six stages
1. Identify — Know who you're dealing with before the relationship starts
The foundation of AML compliance is identifying the customer correctly. This means collecting identity documents, verifying them, confirming the person presenting them is actually the document holder, and establishing the legal structure of any corporate entity.
For individuals, this means identity document + liveness confirmation + sanctions and PEP screening. For corporates, it means company registration + directors + ultimate beneficial ownership (UBO) chain — traced, verified, and documented.
2. Screen — Check the customer against all relevant risk databases
Screening means checking the customer's identity — and all related parties — against sanctions lists, PEP databases, adverse media sources, and any sector-specific watchlists. It should run at onboarding and cover all named parties, not only the primary customer: directors, UBOs, authorised signatories.
A hit at this stage does not necessarily mean rejection — it means the hit needs to be reviewed, documented, and either cleared or escalated. The outcome and rationale must be recorded regardless of decision.
3. Score — Assign a risk rating and document the basis for it
Every customer relationship needs a documented risk rating — low, medium, high, or more granular. The rating should reflect: customer type, jurisdiction, industry sector, product or service being used, source of funds, and any screening results. This rating determines the level of due diligence required and the monitoring cadence that follows.
Higher-risk customers require enhanced due diligence (EDD): deeper investigation into source of wealth and funds, additional scrutiny of business rationale, and senior management sign-off in many jurisdictions.
4. Decide — Review the case, make a documented decision
For cases that require human judgement — elevated risk scores, screening hits, unusual transaction patterns — there must be a documented review process. The reviewer must have access to all relevant information: identity documents, screening results, transaction history, prior decisions, and any customer-provided explanations.
The decision — accept, reject, escalate, request more information — must be documented with the rationale. "Approved by compliance officer" is not a decision record. The reason matters, because a regulator will ask for it.
5. Monitor — Re-screen continuously throughout the relationship
This is the stage most often treated as optional, and the one where supervisors most often find failures. Ongoing monitoring is a legal obligation under the AML Directives and FATF Recommendations — not a nice-to-have. Every active customer must be subject to re-screening at a frequency appropriate to their risk level.
Monitoring should cover: sanctions and PEP list changes, adverse media, transaction behaviour anomalies relative to the customer's expected profile, and any material changes to the customer's circumstances (new directors, ownership changes, new jurisdictions).
6. File — Report suspicious activity promptly and completely
When monitoring or case review identifies activity that cannot be adequately explained and that raises a reasonable suspicion of money laundering or terrorist financing, the firm is obligated to file a Suspicious Activity Report (SAR). This is not optional — the obligation to report arises when suspicion is formed, not when certainty is established.
The filing must include a narrative that clearly explains the basis for suspicion, the activity observed, and the customer's known profile. Currency Transaction Reports (CTRs) are a separate, threshold-based obligation that applies automatically above a certain transaction value in applicable jurisdictions.
The common thread: data continuity
Every stage of this lifecycle generates information that the next stage needs. The identity documents from Stage 1 inform the screening at Stage 2. The screening result shapes the risk score at Stage 3. The risk score determines who reviews the case at Stage 4. The review decision sets the monitoring cadence at Stage 5. The monitoring output drives the SAR at Stage 6.
When these stages are siloed — different systems, manual exports, email handoffs — data gets lost, timelines slip, and the compliance programme develops invisible gaps. When they are connected, every piece of information flows forward automatically and the audit trail writes itself.
The regulator's view: Supervisors do not just audit whether each stage exists in isolation. They audit whether the stages connect — whether a monitoring hit actually leads to a case, whether a case actually leads to a decision, whether a decision is documented, and whether that documentation can be produced promptly. The gaps between stages are where most enforcement actions originate.
A self-assessment checklist
Use these questions to identify where your AML lifecycle has gaps:
- At Stage 1: Do we verify UBOs for all corporate clients, not just the primary contact?
- At Stage 2: Do we screen all named parties — directors, signatories, UBOs — or only the primary customer?
- At Stage 3: Are risk ratings updated when customer circumstances change, or only at onboarding?
- At Stage 4: Are approval decisions recorded in a system with a timestamp and a named decision-maker?
- At Stage 5: Is every active customer being re-screened on a documented schedule? Can we prove it?
- At Stage 6: Do we have a clear policy for when suspicion is sufficient to trigger a SAR? Are timelines tracked?
If any of these questions produces an uncertain answer, that stage is a gap — and it's the kind of gap that supervisors find.
All six stages in one platform
HubSecure Sentinel covers the full AML compliance lifecycle — from identity assurance at onboarding to continuous monitoring and regulatory filing — with a connected data model and a complete audit trail.