Following AML compliance construction best practices does not require a dedicated compliance department. It requires a structured checklist that your team follows on every project. In 2025, the DOJ noted that GCs with documented AML procedures faced 80% fewer enforcement actions than firms without formal programs, even when both groups encountered similar risk exposures.

This checklist gives you a repeatable process for preventing money laundering involvement on your construction projects.

Subcontractor Onboarding Checklist

Before adding any subcontractor to a project, complete these verification steps.

Confirm the sub's business registration is active with the state Secretary of State. Record the registration number, formation date, and registered agent.

Verify beneficial ownership. Identify all individuals who own 25% or more of the company. Check names against the OFAC Specially Designated Nationals list.

Search SAM.gov for exclusions or debarments. Print the search results and save them to the sub's file.

Request and review three years of tax returns or audited financial statements. Compare reported revenue to the sub's stated project capacity.

Check the sub's physical presence. Verify that the business address is a real location (not just a mail drop). For subs bidding on scopes above $100,000, conduct an in-person visit or virtual office tour.

Contact at least two client references. Ask about project performance, payment history, and any compliance concerns.

Collect and verify W-9 information. Confirm that the EIN matches the business name and state registration.

Onboarding Step	Document Collected	Verification Method	File Location
Business registration	State filing printout	Secretary of State website	Sub compliance folder
Beneficial ownership	Ownership disclosure form	FinCEN BOI database	Sub compliance folder
OFAC screening	SDN search results	OFAC website	Sub compliance folder
SAM.gov check	Exclusion search results	SAM.gov	Sub compliance folder
Financial review	Tax returns or financials	Direct from sub	Sub compliance folder
Physical presence	Address verification	Site visit or virtual tour	Sub compliance folder
Client references	Reference check notes	Phone calls	Sub compliance folder
W-9	Completed W-9 form	IRS TIN matching	Sub compliance folder

Payment Processing Checklist

For every subcontractor payment, verify these items before releasing funds.

Confirm the invoice matches a valid subcontract or purchase order. Reject invoices for work not covered by an executed agreement.

Verify that invoiced amounts correspond to documented work progress. Require field verification (superintendent sign-off, progress photos, or inspector reports) for all invoices above $10,000.

Check that payment routing matches the sub's established banking information. Flag any changes to account numbers, bank names, or payee entities.

Verify that the payment does not exceed the remaining subcontract balance (including approved change orders). Overpayments create exposure.

Confirm the sub's insurance certificates and certifications remain valid. SubcontractorAudit flags expired coverage before payments process.

Process the payment through your standard AP system. Avoid off-system payments, cash transactions, or wire transfers to accounts not on file.

Document the payment with a remittance advice that references the invoice number, subcontract number, and project name.

Red Flag Monitoring Checklist

Review these indicators monthly for each active subcontractor.

Compare cumulative billings to observed work progress. If a sub has billed 60% of its subcontract but work appears only 30% complete, investigate.

Review change order patterns. Flag subs with change orders totaling more than 15% of the original subcontract value without clear technical justification.

Monitor payment timing requests. Subs that repeatedly request early payment, advance payment, or payment acceleration without justification warrant scrutiny.

Check for round-number invoicing. Legitimate invoices reflect actual costs and rarely land on exact round numbers. A pattern of $50,000, $75,000, and $100,000 invoices suggests the amounts may not be tied to actual work.

Watch for subcontracting patterns. If your sub is subcontracting the majority of its work to firms you have not vetted, the payment chain may be obscuring the ultimate recipient of funds.

Review materials procurement. Verify that materials invoiced by the sub correspond to materials delivered to the project site. Compare unit prices to market rates.

Annual Program Review Checklist

Once a year, assess the health of your AML compliance program.

Review and update your written AML policy. Confirm it reflects current regulations and enforcement trends.

Update your risk assessment. Consider new project types, geographic markets, subcontractor pools, and materials sources that may introduce new risks.

Verify that all staff on federal projects completed AML awareness training within the past 12 months. Update training content to reflect new red flag indicators.

Audit a sample of subcontractor onboarding files from the past year. Confirm that KYS procedures were followed for each sub. Note any gaps and implement corrective actions.

Audit a sample of payment transactions. Verify that field verification was documented, banking information was confirmed, and invoices matched subcontract terms.

Review any red flags identified during the year. Confirm that each was investigated, documented, and resolved. Identify patterns that may indicate systemic weaknesses.

Test your reporting channels. Confirm that employees know how to report suspicious activity through your whistleblower hotline and that reports are routed to the compliance officer.

Update your record retention schedule. Confirm that AML documentation is stored for at least five years after project completion.

Read the full AML compliance construction best practices guide for detailed step-by-step procedures.

FAQs

How long should a GC retain AML compliance records? Retain all AML-related records for at least five years after project completion. This includes subcontractor due diligence files, payment verification documents, red flag investigation records, and training completion records. Federal investigations can look back several years, and complete records are your primary defense.

What is the minimum AML compliance program for a small GC? At minimum, a small GC should maintain a written AML policy, perform basic due diligence on all subcontractors (business registration, OFAC check, reference verification), verify that invoices match documented work before paying, and train staff annually on financial red flags. This basic program costs under $5,000 to implement.

How often should a GC screen subcontractors against sanctions lists? Screen at onboarding and again annually for ongoing relationships. For subs on long-duration projects (over 12 months), screen at onboarding, at 12-month intervals, and before any payment above $100,000. Sanctions lists update frequently, so a one-time check at onboarding is insufficient.

Can a GC rely on its bank for AML compliance? No. Your bank monitors transactions passing through its system and files SARs when it identifies suspicious activity. But the bank cannot verify that your subcontractor invoices match actual work or that your payment recipients are legitimate businesses. GCs must maintain their own AML controls to address construction-specific risks.

What training should AP staff receive on AML? AP staff should learn to identify payment red flags: changes to banking information, payments to unfamiliar entities, round-number invoices, requests for early payment, and invoices without supporting documentation. Training should include real examples from construction cases and clear instructions for escalating concerns.

How does a GC's AML program affect its bonding capacity? Surety companies increasingly evaluate a GC's compliance programs when setting bonding limits. A documented AML program signals corporate governance maturity and reduces the surety's risk assessment. Some sureties offer favorable rates to GCs with formal compliance programs, including AML controls.

Automate Your AML Compliance Checklist

SubcontractorAudit automates subcontractor due diligence, payment verification, and compliance documentation. The platform flags red flags in real time and generates audit-ready records. Request a demo to turn this checklist into an automated workflow.