A practical, compliance-first guide to scanning crypto wallets and transactions
for illicit exposure: how blockchain analytics tools trace fund flows, what risk
categories actually mean, when VASPs are legally required to screen, how to file
a SAR when you find something, and how to handle false positives without freezing
legitimate users.
Quick rule: A risk score is not a verdict — it is a probabilistic signal
based on heuristic clustering. Always read the category breakdown before acting.
Sanctioned entity exposure requires immediate action regardless of score; indirect
P2P exposure at two hops may only require enhanced documentation.
AML Scan Workflow: Identify → Screen → Score → Document
① Identify the address or transaction
Confirm the blockchain network, gather the address or TX hash, and establish context — is this an inbound deposit, an outbound withdrawal, or a counterparty check? Network matters: tools have different coverage depth for BTC vs ETH vs Tron.
② Submit to a blockchain analytics tool
Run the query via your chosen provider — Chainalysis, Elliptic, TRM Labs, or Crystal. The tool traces the transaction graph to known entity clusters: exchanges, mixers, darknet markets, ransomware wallets, and sanctioned addresses.
③ Interpret the risk score in context
Read the category breakdown, not just the headline number. Direct mixer exposure at one hop is not the same as indirect P2P exposure at three hops. Volume, hop distance, and entity type all shift the compliance picture significantly.
④ Document the decision and act
Record the report, your interpretation, the decision, and the rationale. Compliance value is in the audit trail. If blocking: note the policy basis. If allowing: note why the risk is acceptable. This is what regulators inspect.
An AML scan in the crypto context is the process of submitting a blockchain address or
transaction to a risk-scoring tool that traces its on-chain history and assesses
proximity to known illicit activity. The goal is not to surveil all users — it is to
identify whether specific funds have passed through entities associated with criminal
proceeds: darknet markets, ransomware operators, cryptocurrency tumblers, and
OFAC-sanctioned wallets.
Virtual Asset Service Providers (VASPs) — centralised exchanges, custodians, payment
processors, OTC desks, and fiat-to-crypto on-ramps — are obligated entities under
FATF Recommendation 15. They must apply a risk-based AML programme that includes
transaction monitoring equivalent to traditional financial institutions.
See the full FATF virtual asset guidance at
fatf-gafi.org.
Exchanges (CEX) · Custodians · OTC desks
Who benefits from voluntary scanning
DeFi protocols managing treasury funds, DAOs accepting contributions, and individual
users expecting large inbound transfers can voluntarily screen counterparty addresses.
Proactive screening prevents unknowingly accepting tainted funds — which can trigger
asset freezes and create downstream regulatory exposure for the recipient.
DeFi protocols · DAOs · Individual users
Operational truth: Scanning is not about passing moral judgment.
It is about understanding fund provenance to meet legal obligations and protect your
platform from processing criminal proceeds. A documented, risk-calibrated scanning
policy protects both compliance staff and users.
Understanding the scale of illicit crypto activity contextualises why AML scanning
matters operationally — not just as a compliance checkbox. These figures come from
Chainalysis's 2024 Crypto Crime Report and on-chain analytics published by the FATF.
$24.2B: Illicit crypto transactions identified in 2023 (Chainalysis 2024)
0.34%: Share of all crypto volume flagged as illicit (down from 0.42% in 2022)
$7.8B: Crypto laundered via DeFi protocols in 2023 (Chainalysis, cross-chain bridges)
60%+: VASPs with inadequate AML controls (FATF 2023 mutual evaluation rounds)
Why these numbers matter for compliance teams: Illicit volume as a share
of total crypto transactions is falling — but the absolute dollar amount is rising as
the overall market grows. Regulators cite the absolute figure, not the percentage, when
assessing whether existing AML frameworks are adequate. The Chainalysis data is available
at chainalysis.com/reports.
How Blockchain Analytics Trace Fund Flows On-Chain
Blockchain analytics firms build entity databases by clustering wallet addresses they
believe are controlled by the same entity — exchanges, cryptocurrency tumblers, darknet
markets, ransomware groups — then trace transaction flows through the graph to calculate
exposure. The core technique is heuristic clustering.
Heuristic clustering: how addresses get attributed
The most widely used clustering heuristic is "common input ownership" — if multiple
addresses appear as inputs to the same transaction, they are likely controlled by the
same entity. Analytics firms layer on top of this: exchange deposit patterns (deposits
from the same customer appear in a predictable pattern), proprietary intelligence from
law enforcement partnerships, open-source intelligence, and blockchain memo/tag data.
The result is entity clusters — named groups like "Binance hot wallet cluster" or
"Hydra Market cluster."
Common input heuristic · Deposit patterns · OSINT
Direct vs indirect exposure: why distance matters
Direct exposure (1 hop): your address transacted directly with a known
illicit cluster. Indirect exposure (2+ hops): one of your counterparties
did so. Tools weight these very differently — direct mixer exposure is treated as a
strong red flag; indirect exposure at three hops through a legitimate exchange may score
near-zero. Understanding hop distance is the most important skill for reading AML scan
reports accurately.
1 hop = direct · 2+ hops = indirect · Distance weighted
Fundamental limitation to build policy around: All clustering heuristics
are probabilistic, not deterministic. False positives happen — particularly for CoinJoin
(see the
cryptocurrency tumbler
Wikipedia entry for a clear explainer on how mixing obscures transaction graphs), multi-sig
setups, and exchange hot wallets shared across thousands of users. Risk scores are inputs
to compliance decisions, not conclusions.
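The common-input-ownership heuristic, hop distance, and the CoinJoin false positive described above, as an added example (not code from the original page or from any analytics vendor). The transactions, addresses and the "mixer" label are constructed, and treating the flow graph as undirected with one hop per cluster-to-cluster edge is a simplifying assumption.

```python
from collections import defaultdict, deque

# Constructed sample transactions (not real chain data).
TXS = [
    {"id": "t1", "inputs": ["A1", "A2"], "outputs": ["B1"]},  # A1 and A2 co-spent
    {"id": "t2", "inputs": ["A2", "A3"], "outputs": ["C1"]},  # links A3 to A1/A2
    {"id": "t3", "inputs": ["B1"], "outputs": ["M1"]},        # B1 pays the labelled address
    {"id": "t4", "inputs": ["C1"], "outputs": ["D1"]},
    {"id": "t5", "inputs": ["D1"], "outputs": ["E1"]},
]
# Constructed CoinJoin-style transaction: unrelated users U1 and B1 co-sign inputs.
COINJOIN = {"id": "cj", "inputs": ["U1", "B1"], "outputs": ["U2", "B2"]}
LABELS = {"M1": "mixer"}  # hypothetical entity attribution


class UnionFind:
    """Disjoint-set structure: each set is one attributed cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)  # deterministic root


def cluster(txs):
    """Common input ownership: all inputs of one transaction share a cluster."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)  # register every address seen
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    return uf


def hop_distances(txs, uf, labels, category):
    """BFS over the cluster graph, starting from clusters labelled `category`."""
    graph = defaultdict(set)
    for tx in txs:
        src = uf.find(tx["inputs"][0])  # inputs already share one cluster
        for out in tx["outputs"]:
            dst = uf.find(out)
            if src != dst:
                graph[src].add(dst)
                graph[dst].add(src)
    start = {uf.find(a) for a, c in labels.items() if c == category}
    dist = {c: 0 for c in start}
    queue = deque(start)
    while queue:
        cur = queue.popleft()
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def exposure_hops(address, txs, labels, category):
    """Hops from `address`'s cluster to the nearest labelled cluster, or None."""
    uf = cluster(txs)
    return hop_distances(txs, uf, labels, category).get(uf.find(address))


if __name__ == "__main__":
    for addr in ("B1", "A3", "D1", "U1"):
        print(addr, exposure_hops(addr, TXS, LABELS, "mixer"))
    # The same heuristic applied to a CoinJoin merges U1 into B1's cluster.
    print("U1 after CoinJoin", exposure_hops("U1", TXS + [COINJOIN], LABELS, "mixer"))
```

U1 never touched the labelled address, yet once the CoinJoin is clustered by the same rule it inherits B1's one-hop exposure, which is the false positive the limitation above warns about.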
Risk Categories in an AML Scan Report: What Each Label Means
Not all risky exposure categories carry equal compliance weight. Treating a gambling
flag the same as a sanctions flag is a miscalibrated risk programme.
Low (0–25): Proceed
Medium (26–74): EDD
High (75–100): Block/SAR
Category | Risk level | What it means | Compliance response
Sanctioned entity (OFAC SDN) | Critical | Direct or near-direct exposure to OFAC-listed wallet | Immediate block; SAR filing mandatory; no exceptions
 |  |  | Block above volume threshold; enhanced due diligence; possible SAR
Darknet market | High | Direct/near-direct interaction with known darknet marketplace deposit addresses | Block; SAR filing strongly recommended; investigate source of funds
Ransomware | High | Payments to tracked ransomware operator wallets | Block; SAR; note that paying ransomware may itself be prohibited in some jurisdictions
Unregulated P2P exchange | Medium | High-volume flow through non-KYC P2P platforms | Enhanced due diligence; request source-of-funds documentation
Gambling | Medium | Interaction with crypto gambling platforms | Jurisdiction-dependent; document; assess volume and frequency
Scam / fraud | Medium–High | Connection to known investment scam or phishing operation | Enhanced review; consider whether the user is a victim or participant
Regulated exchange | Low | Exposure only to licensed, KYC-compliant exchanges | Proceed; standard monitoring
Calibration rule: Build tiered responses per category — not a single
score threshold. Sanction exposure → automatic block regardless of score.
Indirect P2P below a value threshold → document and allow with monitoring.
One-size thresholds produce unnecessary false positives.
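One way to codify the calibration rule and the audit record from the workflow, as an added example rather than the page's or any vendor's code. The report format, category keys, action names, the USD 1,000 P2P value threshold and the two-hop reading of "near-direct" are assumptions; the score bands are the page's.

```python
from datetime import datetime, timezone

# Actions ordered from least to most severe (names are assumptions).
ACTIONS = ["PROCEED", "DOCUMENT_AND_MONITOR", "EDD", "BLOCK", "BLOCK_AND_SAR"]
P2P_VALUE_LIMIT_USD = 1_000  # assumed value threshold for indirect P2P
NEAR_DIRECT_MAX_HOPS = 2     # assumed meaning of "near-direct"


def score_band(score):
    """Headline bands from the page: Low 0-25, Medium 26-74, High 75-100."""
    if score <= 25:
        return "PROCEED"
    return "EDD" if score <= 74 else "BLOCK"


def category_action(exposure, amount_usd):
    """Return (action, policy_basis) for one line of the category breakdown."""
    cat, hops = exposure["category"], exposure["hops"]
    if cat == "sanctioned":
        return "BLOCK_AND_SAR", "sanctions exposure: block regardless of score"
    if cat in ("darknet_market", "ransomware"):
        if hops <= NEAR_DIRECT_MAX_HOPS:
            return "BLOCK", f"{cat} at {hops} hop(s): block, SAR review"
        return "EDD", f"{cat} at {hops} hops: indirect, enhanced due diligence"
    if cat == "p2p_unregulated":
        if hops >= 2 and amount_usd < P2P_VALUE_LIMIT_USD:
            return "DOCUMENT_AND_MONITOR", "indirect P2P below value threshold"
        return "EDD", "P2P exposure: request source-of-funds documentation"
    if cat == "scam_fraud":
        return "EDD", "scam/fraud: enhanced review, victim or participant"
    if cat == "gambling":
        return "DOCUMENT_AND_MONITOR", "gambling: document, assess volume"
    if cat == "regulated_exchange":
        return "PROCEED", "regulated exchange: standard monitoring"
    return "EDD", f"unmapped category {cat!r}: route to analyst"


def decide(report, amount_usd, now=None):
    """Apply the matrix and return the audit record for this scan."""
    band = score_band(report["score"])
    results = [category_action(e, amount_usd) for e in report["exposures"]]
    if results:
        # The most severe category response wins, whatever the headline score.
        action, basis = max(results, key=lambda r: ACTIONS.index(r[0]))
    else:
        action = "PROCEED" if band == "PROCEED" else "EDD"
        basis = "no category breakdown: do not act on the score alone"
    return {
        "address": report["address"],
        "tool": report["tool"],
        "scanned_at": (now or datetime.now(timezone.utc)).isoformat(),
        "score": report["score"],
        "score_band": band,
        "exposures": report["exposures"],
        "amount_usd": amount_usd,
        "decision": action,
        "policy_basis": basis,
        # Score band harsher than the category outcome: a human looks at it.
        "analyst_review": ACTIONS.index(band) > ACTIONS.index(action),
    }


# Constructed sample reports in a hypothetical format (no vendor's schema).
SAMPLE_REPORTS = [
    {"address": "addr-constructed-1", "tool": "tool-A", "score": 12,
     "exposures": [{"category": "regulated_exchange", "hops": 1},
                   {"category": "sanctioned", "hops": 1}]},
    {"address": "addr-constructed-2", "tool": "tool-A", "score": 80,
     "exposures": [{"category": "p2p_unregulated", "hops": 3}]},
    {"address": "addr-constructed-3", "tool": "tool-A", "score": 40,
     "exposures": [{"category": "darknet_market", "hops": 1}]},
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        rec = decide(rep, amount_usd=500)
        print(rec["address"], rec["score"], rec["decision"], "|", rec["policy_basis"])
```

The first sample scores 12 and is still blocked, while the second scores 80 and is allowed with documentation and an analyst flag, which a single score threshold would get backwards in both cases.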
VASP AML Obligations: When Scanning Is Legally Required
Whether your AML scanning is a legal obligation or a voluntary best practice depends
on jurisdiction and business model. The regulatory landscape as of 2026:
FATF Recommendations (global standard): Recommendation 15 requires
VASPs to apply the full AML/CFT framework — customer due diligence (CDD), transaction
monitoring, record-keeping, and suspicious transaction reporting. See
fatf-gafi.org — The 40 Recommendations
for the current text.
EU Transfer of Funds Regulation (TFR): applies to all crypto transfers
with no minimum threshold — full originator/beneficiary data required. Effective June 2023,
this is the strictest Travel Rule implementation globally.
US Bank Secrecy Act / FinCEN: Money services businesses (MSBs) dealing
in virtual currency must file SARs for suspicious activity and comply with the Travel Rule
above USD 3,000. See
FinCEN virtual currency guidance.
UK FCA: Cryptoasset businesses registered under the Money Laundering
Regulations 2017 must conduct full CDD and ongoing monitoring equivalent to regulated
financial services firms.
FATF Travel Rule in practice
The Travel Rule requires VASPs to collect and transmit originator and beneficiary
identity data with each transfer above the jurisdiction's threshold (USD/EUR 1,000 in
most countries; no threshold under EU TFR). The challenge: crypto transfers lack the
SWIFT messaging infrastructure banks use. Solutions like Sygna Bridge, Notabene,
and Verifyvasp have emerged specifically to handle VASP-to-VASP Travel Rule data exchange.
$1,000 threshold (most) · No threshold (EU) · IVMS101 standard
Unhosted wallet EDD requirements
When a customer transfers to or from an unhosted (self-custody) wallet, VASPs in
most jurisdictions must apply enhanced due diligence above the Travel Rule threshold —
collecting evidence that the customer controls the unhosted wallet and understanding
the source of funds. The FATF's guidance on unhosted wallets is at
fatf-gafi.org.
Proof of wallet ownership · Source of funds · EDD trigger
How to Run an AML Scan: Step-by-Step Workflow
Confirm the blockchain network before submitting. An Ethereum address submitted to a BTC-only query returns nothing. Most modern tools auto-detect the chain, but verify — Tron and BSC addresses can look superficially similar to Ethereum.
Select the right tool for your volume and use case. Enterprise compliance teams typically use Chainalysis KYT or Elliptic Navigator via API. Smaller operations may use TRM Labs or Crystal Blockchain. Individual spot-checks can use lower-cost or free-tier tools. Match the tool to your throughput and integration needs.
Submit the address or transaction hash and retrieve the full risk report — not just the score. Save the report reference number or screenshot for your compliance records.
Read the category breakdown first, headline score second. A high score driven by a single indirect P2P connection at three hops requires a different response from a high score driven by direct mixer interaction.
Apply your documented risk policy thresholds. Compare the output to your tiered response framework — proceed, enhanced due diligence, or block. Your policy must be documented before the scan, not written around its output.
Record everything with a timestamp. Address, scan date and time, tool used, score, category breakdown, your risk assessment, the decision, and the policy basis for that decision. This is your audit trail.
Re-screen for ongoing relationships. A wallet clean today can transact with a mixer tomorrow. Periodic re-screening — at least quarterly for high-value counterparties — is standard compliance practice.
Best practice: Integrate scanning as an automated API call at deposit
and withdrawal — not a manual step. Manual processes get skipped under operational
pressure. Automation ensures every transaction is screened and logged.
AML Scan Tool Comparison: Coverage, Strengths, and Integration
Major blockchain analytics platforms overlap significantly but have different strengths.
No single tool covers all chains equally — choose based on your user base's asset mix
and your integration requirements.
Tool | Chain coverage | Key strength | Best for
Chainalysis KYT | BTC, ETH, SOL, Tron, 20+ more | Broadest entity database; law enforcement track record; deep BTC attribution | Large exchanges; financial institutions; forensic investigations
Elliptic Navigator | BTC, ETH, cross-chain, DeFi | Strong DeFi and cross-chain protocol coverage; holistic risk scoring |
 |  | Detailed BTC graph tracing; EU compliance reporting templates | European VASPs; BTC-focused compliance teams
No single tool is complete. Running the same address through two
providers and comparing outputs is reasonable practice for high-stakes decisions.
Methodology documentation is available at
chainalysis.com/reports
and
elliptic.co/resources.
SAR Filing Basics: When and How to Report Suspicious Activity
A Suspicious Activity Report (SAR) — called a Suspicious Transaction Report (STR) in
some jurisdictions — is a mandatory disclosure to the financial intelligence unit (FIU)
of your jurisdiction when you identify transactions that you know, suspect, or have
reasonable grounds to suspect involve proceeds of crime or terrorist financing.
When a SAR is triggered
Direct exposure to an OFAC-sanctioned address (US VASPs). Direct or near-direct
interaction with tracked darknet market, ransomware, or fraud wallets. Transactions
that appear designed to evade AML controls (structuring below reporting thresholds,
rapid chain-hopping). Customers whose stated source of funds does not match their
on-chain transaction profile. A compliance decision to block based on a high-risk
scan result is often accompanied by a SAR.
Sanctions exposure · Structuring · Source of funds mismatch
SAR filing rules
File with your jurisdiction's FIU: FinCEN (US), NCA (UK), FINTRAC (Canada), etc.
Do not disclose ("tip off") the subject that a SAR has been filed —
this is prohibited in most jurisdictions and can constitute a criminal offense.
US VASPs file at
bsaefiling.fincen.treas.gov.
Retain records of SAR filings and the supporting evidence for the required period
(5 years under US BSA; varies by jurisdiction).
No tipping off · 5-year records · Jurisdiction FIU
What Makes a Reliable AML Scanning Service (2026)
Evaluating blockchain analytics vendors requires assessing dataset quality and methodology
transparency — not just UI or price. The wrong tool creates false positives that
freeze legitimate users and false negatives that create regulatory exposure.
Quality signals to look for
Published, updated methodology documentation explaining how risk scores are calculated.
Regular public illicit activity reports (Chainalysis's annual Crypto Crime Report;
Elliptic's Typologies reports). Demonstrated law enforcement usage — tools used in
actual prosecutions tend to have higher-quality entity attribution. Clear false-positive
dispute process. Transparent data retention and privacy policy. SOC 2 Type II or
equivalent security certification.
Red flags in vendor selection
No published methodology — risk scores with no explanation cannot be defended in
a compliance audit or legal proceeding. Overconfident language ("this address is
criminal") rather than probabilistic framing ("this address has X% exposure to
category Y"). Poor coverage for the chains your users actually transact on.
No audit trail or exportable evidence for your compliance records.
2025/2026 regulatory trend: Regulators in the EU (MiCA), UK (FCA),
and US (FinCEN) are now examining the quality of VASPs' AML programmes —
not just whether they "have a tool." Exam findings increasingly ask: did you act
appropriately on your tool's output? Tool selection is now an auditable decision.
Handling False Positives: Dispute Process and User Rights
False positives — legitimate users flagged as high-risk due to incorrect entity
attribution or outdated datasets — are an inherent feature of probabilistic
heuristic systems. Managing them well protects users and your platform's reputation.
Inform the user of the specific category flagged. Regulated VASPs in most jurisdictions must provide the basis for adverse action on request. "Your account was flagged by our compliance system" is not sufficient — the user needs to know whether to provide source-of-funds documentation or challenge an attribution.
Collect source-of-funds evidence before blocking. Exchange withdrawal records, bank statements, payroll documentation, or OTC desk receipts all constitute valid source-of-funds evidence for a legitimate user whose funds originated from a regulated entity.
Provide a documented dispute path. Users whose addresses are incorrectly attributed can also contact the analytics provider directly — most providers have a process for challenging incorrect entity clustering, for example through Chainalysis support and the equivalent pages for other vendors.
Review with a human analyst, not just the algorithm. Automated blocks on medium scores without human review create unnecessary false positives. Build a review queue into your workflow for anything below your hard-block threshold.
Hard rule: Never take adverse action on a risk score alone without
reviewing the underlying category breakdown. "The tool said 75, so we blocked" is not
a defensible compliance programme — it is algorithmic decision-making without the
human judgment regulators require.
Manual vs Automated vs API-Integrated AML Scanning
Lagging — not real-time; requires scheduling and data export
Real-time API
Exchanges; payment processors; high-volume VASPs
Every transaction screened; automated decision flow; full audit log
Integration cost; requires codified risk policy; latency to manage
Decision rule: Any regulated VASP processing more than a few hundred
transactions per day needs real-time API screening. Manual screening at scale is not a
compliance programme — it is a documentation liability.
Best Practices for Crypto Compliance Teams Running AML Scans
Define your risk appetite in writing before configuring any tool. Your compliance thresholds should drive tool configuration — not the vendor defaults. Know your user base, jurisdiction, and risk tolerance before asking a vendor to calibrate thresholds.
Screen on deposit AND withdrawal, not just at onboarding. A wallet clean at onboarding can interact with a mixer or darknet market later. Ongoing transaction monitoring is required by FATF Recommendation 15 and is the standard expected by regulators.
Train analysts to interpret scores, not just read them. Understanding clustering heuristics, hop distance, and category weighting is the difference between a compliance programme that protects users and one that generates false positives at scale.
Document every decision with the underlying rationale. "Tool score = 80, policy threshold = 75, blocked per policy section 4.2" is defensible. "Tool flagged it, so we blocked" is not.
Build a dispute resolution SLA before you need it. False positives will occur. A documented 5-business-day review SLA for flagged accounts — with a human analyst reviewing the evidence — protects your users and your regulatory relationship.
Run periodic false positive rate analysis. Track what share of blocked accounts are subsequently cleared after review. A false positive rate above 10–15% suggests your thresholds are miscalibrated.
Most common compliance mistake: Single threshold across all risk categories.
Effective programmes apply different responses to different category combinations — direct
sanctions exposure triggers an automatic block; indirect P2P exposure at three hops
triggers a documentation request. Write the matrix before the next edge case arrives.
Troubleshooting Common AML Scan Issues
"My address scores high but I've never used a mixer"
You may have received funds from a counterparty who interacted with a
cryptocurrency tumbler
— indirect exposure at 1–2 hops can still produce a high score on some tools depending
on volume and hop weighting.
Run the address on two different tools and compare the category breakdowns. Significant divergence between vendors suggests a dataset-specific attribution rather than clear illicit exposure.
If funds came from a regulated exchange, request a certificate of withdrawal from that exchange. Most major exchanges will provide documentation confirming the funds' origin within their custodial system for compliance dispute purposes.
"The score changed significantly without any new on-chain activity"
Analytics providers update entity attribution databases continuously. A wallet in a previously-unidentified cluster may now be attributed to a newly-discovered darknet market — without any change to the on-chain transaction history itself.
This is expected behaviour. Record the previous and new scores with dates. Investigate whether the updated attribution appears credible given the actual transaction history.
"Two tools show very different scores for the same address"
Divergent scores between vendors reflect genuine differences in entity databases, clustering heuristics, and hop-distance weighting methodology. One tool may attribute an intermediate cluster to a regulated exchange; another may leave it unattributed, producing a higher indirect exposure score.
For high-stakes decisions, the more conservative score is the safer compliance starting point. Document both results and apply human analyst judgment on the category breakdown rather than averaging the scores.
Best debugging approach: Always drill into the actual transaction path
that generated the score — not just the number. Most tools visualise the fund flow graph.
Identifying the specific entities and their distances from your address turns an
opaque score into an actionable compliance assessment.
AML Scan: Sources & Authoritative References
All sources are official regulatory documents, primary research publications, or established industry analytics providers.
About: Prepared by Crypto Finance Experts as a practical, SEO-focused
knowledge base covering AML scanning of crypto wallets and transactions: heuristic clustering,
risk categories, VASP legal obligations, FATF Travel Rule, SAR filing, tool comparison,
and troubleshooting. Updated March 2026. Not legal advice.
AML Scan: Frequently Asked Questions
An AML scan for crypto is the process of submitting a blockchain wallet address or
transaction hash to a risk-scoring analytics tool that traces its on-chain transaction
history and returns a risk score with a breakdown by exposure category.
The tool works by maintaining a database of entity clusters — groups of addresses it
believes are controlled by the same real-world entity. These include regulated exchanges,
cryptocurrency tumblers, darknet marketplaces, ransomware operators, and OFAC-sanctioned
wallets. When you submit an address, the tool calculates how many "hops" that address is
from each known entity cluster and what volume of funds flowed across those paths.
The output is a risk score (typically 0–100) and a category breakdown showing what
percentage of the address's exposure derives from each risk type. This output is an
input to a compliance decision — not the decision itself. Low scores allow you to
proceed with standard monitoring. Medium scores typically require enhanced due diligence.
High scores — particularly with sanction or mixer exposure — typically trigger blocking
and possible SAR filing depending on your jurisdiction.
AML scan reports typically break exposure into several named categories, each representing
a different type of entity the scanned address has interacted with. The most significant
categories from a compliance standpoint are:
Sanctioned entities — OFAC SDN list matches are a legal obligation regardless of
score, requiring immediate action for US-nexus transactions.
Mixers and cryptocurrency tumblers — services that deliberately obscure fund
provenance; even indirect exposure at one or two hops is a serious red flag.
Darknet markets — deposits to known illicit marketplace addresses.
Ransomware wallets — payment addresses associated with known ransomware groups.
Fraud and scams — addresses linked to investment fraud, phishing, or rug pulls.
Unregulated P2P exchanges — non-KYC platforms that facilitate AML-avoidant transfers.
Lower-risk categories include gambling platforms (jurisdiction-dependent), high-risk
exchange deposits, and peer-to-peer transfers without clear entity attribution.
The category breakdown — not just the headline score — is the actionable information
in any AML scan report.
Yes — for regulated Virtual Asset Service Providers (VASPs). FATF Recommendation 15
requires VASPs to apply the full AML/CFT framework, which includes ongoing transaction
monitoring as a core obligation. In the EU, the Transfer of Funds Regulation (TFR)
extends this to all transfers with no minimum threshold. In the US, FinCEN's Bank
Secrecy Act rules require registered money services businesses dealing in virtual
currency to file SARs for suspicious activity.
What constitutes a "VASP" varies by jurisdiction — exchanges, custodians, OTC desks,
and fiat on-ramps clearly qualify. Truly decentralised protocols without a centralised
operator currently occupy a grey area in most jurisdictions, though FATF guidance is
pushing toward broader coverage. The safe assumption for any team receiving large
crypto transfers regularly is that some form of screening obligation applies.
Blockchain analytics tools produce probabilistic estimates based on heuristic clustering —
they are not forensic certainties. Several common scenarios produce elevated risk scores
for entirely legitimate users:
CoinJoin and privacy wallets: users exercising legitimate financial
privacy by using
CoinJoin protocols
may receive mixer-exposure flags even though their activity is legal in most jurisdictions.
Exchange hot wallets: large exchange hot wallets are shared across
thousands of users — any user who withdraws from a large exchange technically shares
indirect exposure to every other user who deposited to that wallet, including any illicit depositors.
Outdated attribution: an address previously attributed to a neutral cluster
may now be attributed to a newly-identified illicit entity, changing its score retroactively
without any change to the on-chain history.
This is why risk scores are described as "inputs to compliance decisions" rather than
conclusions — human analyst review and source-of-funds evidence are necessary components
of any robust compliance programme.
First, request the specific exposure category that triggered the freeze in writing.
Regulated exchanges in most jurisdictions must provide the basis for adverse action.
Second, gather source-of-funds documentation relevant to the flagged category:
exchange withdrawal records if the funds came from a centralised exchange,
bank statements if you on-ramped via fiat, payroll documentation if the funds represent
employment income, or OTC desk transaction records if you purchased over-the-counter.
Third, run the flagged address through a second analytics tool yourself to understand
what exposure is being cited and whether the attribution appears credible.
Fourth, submit a formal dispute through the exchange's compliance channel with your
supporting evidence. Most exchanges have a compliance review queue and will re-evaluate
flagged accounts within 5–10 business days when clear source-of-funds evidence is provided.
If the issue appears to be an incorrect entity attribution by the analytics provider
(not genuine illicit exposure), you can also contact the analytics vendor directly —
most have a process for correcting incorrect entity clustering.
The FATF Travel Rule requires VASPs to collect originator and beneficiary identity
data for virtual asset transfers above a threshold — USD/EUR 1,000 in most jurisdictions,
with no threshold under the EU's Transfer of Funds Regulation. This is separate from,
but complementary to, AML transaction screening.
AML scanning tells you whether the funds are risky. The Travel Rule tells
you whether you have verified the identity of the sender and recipient.
Both are required components of a complete VASP compliance programme. In practice,
an AML scan showing clean results does not discharge the Travel Rule obligation — you
still need to collect and transmit identity data. Conversely, Travel Rule compliance
does not eliminate the need for AML scanning.
A Suspicious Activity Report (SAR) is a mandatory disclosure to your jurisdiction's
financial intelligence unit when you identify transactions you suspect involve criminal
proceeds or terrorist financing. In the US, VASPs file with FinCEN. In the UK, with
the National Crime Agency. In the EU, with the relevant national FIU.
An AML scan result triggering a block does not automatically require a SAR — but the
scenarios that require one include: direct sanction exposure (OFAC), clear evidence of
funds flowing from darknet markets or ransomware, structuring behaviour designed to
evade reporting, and any situation where you "know, suspect, or have reasonable grounds
to suspect" criminal proceeds.
Critically: once you have filed or are filing a SAR, you must not "tip off" the subject —
telling the customer that their account was blocked due to a SAR filing is prohibited
in most jurisdictions. You can notify them that their account is restricted for
compliance reasons without disclosing the SAR itself.
The right choice depends on your chain coverage requirements, volume, budget, and
integration sophistication. Chainalysis KYT has the broadest entity database and
the strongest law enforcement track record — making it the default choice for large
exchanges and financial institutions where forensic quality and legal defensibility
matter most. Elliptic Navigator has stronger DeFi and cross-chain coverage, making
it better for protocols operating across multiple chains simultaneously.
TRM Labs offers coverage across 30+ chains at competitive pricing — a good fit for
mid-market VASPs with diverse asset mixes. Crystal Blockchain is strong for Bitcoin-focused
operations and has good EU compliance reporting templates.
Before committing, run the same test set of addresses through your shortlisted vendors
and compare both the scores and the category breakdowns. Vendors' methodology documents
are public — reading them reveals how each tool handles edge cases like CoinJoin, shared
hot wallets, and newly-discovered entities.
For individual deposits and withdrawals: scan in real time via API at every transaction.
A wallet clean at onboarding will accumulate new transaction history — potentially
including mixer interaction or darknet market activity — as time passes. Onboarding-only
screening misses this.
For existing user wallets in your book: periodic batch re-screening is standard practice.
Monthly or quarterly for standard-risk users; more frequently for high-value accounts.
Analytics providers also update their entity attribution databases continuously —
a wallet in a previously-neutral cluster may be re-attributed to a newly-identified
illicit entity, changing its score without any new on-chain activity.
Build periodic re-screening into your compliance calendar with documented run dates
and records of the results. This demonstrates the ongoing monitoring obligation
required by FATF Recommendation 15 and gives you evidence of a mature,
ongoing AML programme rather than a point-in-time onboarding check.