Aml Compliance Construction Best Practices Requirements: State-by-State Guide for GCs
AML compliance construction best practices look different depending on where you build. Federal rules apply everywhere, but California and Texas each add layers that change what you need to document, report, and retain. This guide uses a real-pattern case study from Texas federal construction to show what goes wrong, how to fix it, and what the state-level differences mean for your compliance program.
Key Takeaways
- FinCEN filed over $2 billion in construction-related suspicious activity reports annually; Texas and California account for a disproportionate share by construction volume
- The Corporate Transparency Act affects ~32 million small businesses; sub-tier subs with complex ownership structures are the highest-risk entities
- Manual compliance tracking costs GCs 15-20 hours per week; the Texas GC in this case study cut that to under 4 hours per week after implementing systematic controls
- Government contractor whistleblower compliance training gaps were a secondary finding in 71% of federal construction audits reviewed in the SubcontractorAudit 2026 GC Compliance Report
- Top-quartile GCs achieve 95%+ subcontractor compliance rates; the GC in this case started at 34% and reached 91% in 8 months
- California's DIR registration requirement adds a state-specific layer that intersects directly with AML subcontractor screening
- Texas does not have a state-level prevailing wage law, but prevailing wage requirements still apply on all federally funded Texas projects under Davis-Bacon
- OFAC re-screening at closeout caught an active sanctions violation in 1 out of every 280 cases reviewed in the SubcontractorAudit 2026 dataset
The Setup: A Texas GC on a $22 Million Federal Infrastructure Project
Meridian Civil Group (a composite based on real audit patterns, identifying details changed) was a mid-size general contractor based in San Antonio, Texas. They had been in business for 14 years. Their revenue in 2024 was approximately $38 million, split roughly 60/40 between private commercial and federally funded infrastructure work.
In the spring of 2025, Meridian was awarded a $22 million contract to rehabilitate a federal highway interchange in Bexar County. The project was funded through the Federal Highway Administration under the Bipartisan Infrastructure Law. It was their largest federal contract to date.
They had 22 active subcontractors on the project at peak. Most were relationships they had used before. Four were new to Meridian's network, brought in specifically because the project required specialized work Meridian had not previously needed at this scale.
From the outside, everything looked standard. The project started on schedule, certified payrolls were being submitted, and the first FHWA progress inspection came back clean.
The Problem: What the Audit Found
Seven months into the project, Meridian received a letter from the FHWA Office of Inspector General. An anonymous complaint had been filed under the government contractor whistleblower protections of 41 U.S.C. § 4712. The complaint alleged wage theft on one of the specialty subcontracts.
The OIG investigation was initially focused on prevailing wage compliance. But federal audits do not stay narrow. Within six weeks, the scope expanded to include a full review of Meridian's subcontractor documentation practices.
The audit team found five categories of compliance failures:
1. Missing beneficial ownership records on 9 of 22 subcontractors. Meridian had collected W-9s and certificates of insurance. They had not collected Corporate Transparency Act-compliant beneficial ownership certifications. For 9 subs, they had no documentation of who actually owned or controlled the entities they were paying.
2. OFAC screens conducted at award, never repeated. Meridian had screened all 22 subs at contract award. That was the last time any OFAC check was run. By the time of the audit, one subcontractor's principal officer had been added to the OFAC SDN list 4 months earlier. Meridian had made two progress payments totaling $187,000 to that entity after the designation date.
3. Certified payroll discrepancies on 3 subcontracts. Three subcontractors had submitted certified payrolls showing more workers than site inspection photos could account for. The discrepancy ranged from 2 to 7 workers per pay period. The auditors treated these discrepancies as potential evidence of phantom worker fraud, which is a known money laundering scheme in construction.
4. No Form 8300 filing for a materials payment. One subcontractor had received a cash advance on materials of $12,400. Meridian's accounting team had not flagged it for Form 8300 reporting because the transaction went through a project petty cash account rather than the main checking account. The threshold applies regardless of the account it moves through.
5. Government contractor whistleblower compliance training was not documented. Meridian had held a project kickoff safety meeting. They had not documented that whistleblower rights were explained or that the required 41 U.S.C. § 4712 notice was posted at the job site.
None of these failures were the result of intentional wrongdoing. They were the result of a compliance program that was not built for the scale and complexity of federal contracting.
The Immediate Cost
Before Meridian fixed anything, the audit created direct financial exposure.
The OFAC finding was the most serious. Two payments totaling $187,000 to a newly sanctioned entity triggered a mandatory referral to the OFAC Civil Enforcement team. Meridian voluntarily disclosed the violation, which is a significant mitigating factor under OFAC's enforcement guidelines. Even with voluntary disclosure, the civil penalty process took 9 months and resulted in a $43,000 fine.
The missing Form 8300 filing resulted in a $5,000 IRS civil penalty.
The project was placed on payment hold while the certified payroll discrepancies were investigated. The 63-day hold created cash flow pressure that cost Meridian approximately $90,000 in bridge financing costs.
The whistleblower training documentation gap meant Meridian could not affirmatively defend against the retaliation allegation in the original complaint. The case settled for $28,000.
Total direct cost before remediation: approximately $166,000.
The Fix: What Meridian Changed
Meridian brought in a compliance consultant and implemented a systematic remediation program over 90 days. Here is what they built.
Phase 1: Retroactive Documentation (Days 1-30)
Meridian sent formal written requests to all 22 active subcontractors demanding beneficial ownership certifications within 10 business days. They used a standardized form aligned with FinCEN's beneficial ownership rule. 19 of 22 subs responded within the deadline. The other 3 were placed on payment hold until they complied.
They ran fresh OFAC screens on every sub, every principal, and every key individual identified in the beneficial ownership certifications. They documented each screen with a timestamp and the OFAC database version.
They hired a prevailing wage specialist to conduct a line-by-line reconciliation of the three subcontracts with certified payroll discrepancies. The reconciliation found that one sub had been submitting payroll for workers who were legitimately on-site but listed under incorrect trade classifications. The others had minor documentation errors, not actual phantom entries.
Phase 2: Process Redesign (Days 31-60)
Meridian redesigned their subcontractor onboarding process from scratch. The new process had five required gates before a subcontractor received any payment:
- Completed beneficial ownership certification on file
- OFAC and SAM.gov screen documented
- Executed subcontract including whistleblower protection language and prevailing wage certification
- First certified payroll submitted and reviewed against site head count
- Whistleblower rights notice posted at project site and documented with a photo and timestamp
They also implemented a 90-day OFAC re-screening calendar for all active subcontractors. An administrative assistant was assigned 2 hours per week specifically for re-screening. The cost was small relative to the $43,000 penalty that had just been paid.
They implemented a cash transaction alert in their accounting system. Any project-related cash transaction over $8,000 triggered a review flag, giving their accountant a $2,000 buffer before the $10,000 Form 8300 threshold.
Phase 3: Training and Documentation (Days 61-90)
Meridian conducted government contractor whistleblower compliance training for all project supervisors and superintendents. They used a third-party training provider that produced individual certificates of completion. They created a project compliance binder that included the training certificates, site posting photos, and a compliance status log updated weekly.
They adopted SubcontractorAudit to automate ongoing screening, track beneficial ownership document status, and flag certified payroll discrepancies without manual comparison.
The Results: 8 Months Later
| Metric | Before Remediation | 8 Months After |
|---|---|---|
| Subcontractor compliance rate | 34% | 91% |
| Time spent on compliance tasks (per week) | 18 hours | Under 4 hours |
| OFAC re-screen frequency | Never (after award) | Every 90 days |
| Beneficial ownership files complete | 59% | 100% |
| Certified payroll discrepancies flagged | 3 undetected | 0 unresolved |
| Form 8300 filings missed | 1 | 0 |
| Whistleblower training documented | 0% | 100% |
Meridian completed the project with no further audit findings. They were awarded two follow-on federal contracts within 12 months of closing out the FHWA audit. Their bonding capacity, which had been temporarily reduced during the audit investigation, was fully restored.
The compliance program they built cost approximately $47,000 in consultant fees, software, and staff time during the 90-day remediation period. That is less than one-third of the direct penalties and financing costs they incurred because the program did not exist.
State-by-State Requirements: Texas vs. California
Federal AML requirements apply equally in both states. The differences come from state-level labor law, contractor licensing, and subcontractor registration requirements.
Texas
| Requirement | Details | AML Intersection |
|---|---|---|
| No state prevailing wage law | Davis-Bacon applies on federal projects only | Certified payroll requirements still apply on FHWA, HUD, and other federally funded Texas projects |
| No mandatory contractor licensing (most trades) | Local licensing varies by municipality | Verify license status through city or county, not a single state database |
| Texas Secretary of State entity verification | Confirm sub is a registered Texas entity or registered as a foreign entity | Cross-reference with beneficial ownership certification |
| Texas Workforce Commission | Employer registration and unemployment insurance | Discrepancies between TWC registration and certified payroll employee counts are an audit flag |
Texas's lack of a state prevailing wage law means federal project compliance is driven entirely by Davis-Bacon determinations. Use the prevailing wage lookup tool for every Texas federal project to confirm the applicable wage determination before your first certified payroll submission.
California
| Requirement | Details | AML Intersection |
|---|---|---|
| DIR public works registration | All contractors and subs must register with the CA Department of Industrial Relations | Required for any public works project; unregistered subs are a red flag and a compliance violation |
| State prevailing wage law (Labor Code § 1720+) | Applies to public works, broader than Davis-Bacon | Certified payroll requirements apply on state-funded projects as well as federal |
| CSLB licensing | Contractors State License Board tracks all contractor licenses by classification | License verification is a standard KYC step on CA projects |
| AB 5 worker classification rules | Strict independent contractor tests | Subcontractors using 1099 workers on public works may be misclassifying; this intersects with prevailing wage and payroll fraud risk |
California adds the DIR registration check as a mandatory AML best practice step. A subcontractor who is not registered with the DIR before performing public works in California is operating outside the regulatory framework, which raises the same concerns as a sub with no prior federal work history.
Frequently Asked Questions
Does the AML compliance failure described here represent a criminal matter or civil? In Meridian's case, all findings were resolved civilly. OFAC civil enforcement, IRS Form 8300 penalties, and the whistleblower settlement were all administrative or civil proceedings. Criminal exposure arises when violations are intentional, willful, or repeated. Voluntary disclosure, cooperation with auditors, and prompt remediation are the primary factors that keep AML findings in the civil category.
How did the OFAC sanctions violation happen if Meridian screened at award? The OFAC SDN list updates multiple times per week. Meridian screened at the time of contract award and never re-screened. The subcontractor's principal officer was added to the SDN list 4 months later due to an unrelated business matter. Meridian had no knowledge of the designation and made two routine progress payments after the designation date. OFAC's strict liability standard means lack of knowledge is not a defense, only a mitigating factor.
What is the difference between prevailing wage compliance and AML compliance? Prevailing wage compliance ensures workers on federally funded projects are paid the government-set wage rate for their trade and location. AML compliance ensures that financial transactions on the project are not being used to move or conceal criminal proceeds. They overlap because certified payroll records document that wage payments went to real workers, which is the same documentation an AML auditor wants to see. Failures in prevailing wage compliance are often the first visible sign of deeper financial irregularities.
How did the government contractor whistleblower complaint start this audit? An employee of one of Meridian's subcontractors filed a complaint alleging that their wages were not being paid at the Davis-Bacon prevailing wage rate. That complaint was filed under 41 U.S.C. § 4712, which protects government contractor employees from retaliation for reporting fraud, waste, or abuse. The complaint triggered an OIG review that expanded far beyond the original wage complaint. Government contractor whistleblower compliance training helps GCs recognize and respond to these complaints appropriately, which reduces the risk that a wage complaint escalates into a broader audit.
Is a 91% subcontractor compliance rate considered good? Top-quartile GCs in the SubcontractorAudit 2026 GC Compliance Report achieve 95%+ compliance rates. Meridian's post-remediation rate of 91% is above average but below the top quartile. The remaining 9% represented subcontractors who required multiple follow-up contacts for document updates. Moving from 91% to 95%+ typically requires either automated reminders or a stricter no-documentation, no-payment policy at the contract level.
What should a GC do when they discover they paid a sanctioned entity? Stop payments immediately. Do not notify the sanctioned entity that you are aware of the designation. Contact OFAC's compliance hotline and an AML-specialized attorney on the same day. Voluntary self-disclosure to OFAC is a significant mitigating factor under OFAC's enforcement guidelines and can reduce penalties by 50% or more. Document every action you take, including timestamps, from the moment you discover the issue.
The Lesson Is the Cost of Waiting
Meridian spent $166,000 on direct costs because their compliance program had gaps that a systematic process would have caught. The 90-day remediation cost $47,000. The math is straightforward.
Federal construction volume is growing. The Bipartisan Infrastructure Law is directing billions into state and local projects across Texas, California, and every other state. More federal money means more federal oversight.
If you are a GC doing federal work without systematic AML compliance controls, Meridian's story is a preview of a conversation you do not want to have with an OIG auditor.
See how SubcontractorAudit builds that system for you at SubcontractorAudit.com/demo
Founder & CEO
Founder and CEO of SubcontractorAudit. Building AI-powered compliance tools that help general contractors automate insurance tracking, pay application auditing, and lien waiver management.