Getting this wrong at the start cascades through every subsequent decision — model thresholds, list sources, data residency, and SAR filing timelines all differ by framework. Examiners will ask which regulations you are subject to within the first ten minutes of any BSA/AML exam. A common mistake is assuming only US frameworks apply when correspondent banking relationships trigger OFAC obligations internationally.

Scope creep in the other direction — screening too few entity types — is one of the most common exam findings. FATF guidance requires screening beneficial owners at the 25% threshold, but many programs only screen direct account holders. Third-party vendors are increasingly in scope under OCC guidance after several enforcement actions involving vendor-facilitated money laundering.

List update triggers are the most frequently missed. When OFAC adds a new entity, your obligation to screen against that addition is essentially immediate — not at the next scheduled review. Several 2024–2025 enforcement actions cited failures to re-screen existing customers after list updates as a primary violation. Name and address changes are also commonly overlooked trigger events.

Your latency SLA directly determines which model architectures and infrastructure approaches are viable — you cannot make this decision after model selection. FedNow and RTP both require payment decisioning well under one second. Cloud-routed screening APIs with unpredictable network latency frequently fail to meet sub-100ms requirements under load, which is why edge inference is often the only viable architecture for real-time rails.

Industry benchmarks show rules-based programs run 85–95% false positive rates — meaning 85–95 analyst hours spent investigating non-issues for every real match found. Defining your tolerance before model tuning ensures you are optimizing for a real operational target rather than minimizing false negatives at any cost. Regulators increasingly expect FP rates to trend downward year-over-year as programs mature.

Choosing a cloud-hosted screening vendor before mapping data residency constraints is one of the most expensive architectural mistakes an institution can make. GDPR Article 44 restricts transfers of EU personal data to third countries without adequate protection. Several institutions have had to rebuild their screening infrastructure mid-deployment after discovering their chosen vendor's data center locations violated residency requirements.

The February 2025 amendment was the most significant change to FATF's core standards in a decade. It explicitly requires institutions to avoid uniform "one size fits all" AML controls and to differentiate measures based on assessed risk level. Examiners in FATF member jurisdictions are expected to reference the updated standard in mutual evaluations from 2025 onward — meaning programs that apply the same threshold to a rural grocery store and a high-risk MSB will face findings.

FATF's June 2025 guidance marks a genuine shift — institutions can now face examiner criticism for being too aggressive in excluding customers, not just for being too permissive. Regulators are specifically looking at whether geographic flags, demographic proxies, or blanket country-level blocks are applied without individual risk assessment. For institutions in retail banking or serving immigrant communities, this is an immediate fairness and compliance risk.

The proposed rule is the most consequential FinCEN rulemaking in over a decade. The explicit protection for institutions with sound programs — where only "significant or systemic failures" trigger major enforcement — is a meaningful safe harbor, but it requires documented evidence of a risk-based approach. Institutions with well-documented programs will have a defensible position under examiner scrutiny; those with undocumented or process-driven programs will not.

The 2024–2025 enforcement cycle revealed consistent failure patterns across institutions of very different sizes and geographies. TD Bank's $3B penalty was driven primarily by transaction monitoring failures and failure to file SARs — both of which are among the most mechanical and documentable compliance obligations. Benchmarking your program against actual enforcement findings is more valuable than benchmarking against regulatory guidance because it shows what examiners actually penalize in practice.

Most institutions know they screen OFAC SDN but undercount their full list obligations. The EU Consolidated list and UN Security Council list are legally mandatory for regulated entities in those jurisdictions and are often overlooked by US-centric programs. Internal watchlists of prior SAR subjects are frequently absent despite being high-value — a previously flagged customer is statistically more likely to generate the next SAR.

OFAC does not define "reasonable" numerically, but enforcement actions and industry guidance have converged on 15 minutes as the practical standard for institutions on real-time payment rails. A newly added SDN entity could conduct transactions in the window between list publication and your index updating — that window is your liability exposure. Cloud-based screening services that batch list syncs hourly or daily create computable exposure windows that examiners can and do calculate.

Retroactive re-screening policy is a formal regulatory expectation — not having one is itself an exam finding. OFAC's 50% rule complicates this: if a newly sanctioned entity owns 50%+ of an entity you have an existing relationship with, that relationship becomes prohibited even if the entity itself was not directly added to the SDN list. Automated retroactive screening within 24 hours is the gold standard but requires efficient list indexing to be operationally feasible at scale.