
The GC's Guide to AML Compliance Construction Best Practices: Tips and Strategies


AML compliance construction best practices apply to your firm right now, and there is a reasonable chance you do not know that yet. I am not saying that as a scare tactic. I am saying it because after working with hundreds of general contractors on compliance issues, the gap between what GCs believe about AML and what federal law actually requires is one of the most consistent blind spots I have seen in this industry.

Let me explain what I mean, and why it matters in 2026 more than it did in 2020.


Key Takeaways

  • FinCEN filed over $2 billion in construction-related suspicious activity reports in the most recent annual reporting period
  • The Corporate Transparency Act (2024) created beneficial ownership disclosure requirements for ~32 million small businesses, including most of your subcontractors
  • Manual compliance tracking costs GCs 15-20 hours per week on average, and most of those hours are not catching the right things
  • OFAC maintains over 13,000 entries on its SDN sanctions list; strict liability means you are responsible even without knowledge of a designation
  • Top-quartile GCs achieve 95%+ subcontractor compliance rates; the median GC is around 60%
  • Government contractor whistleblower compliance training is required on federal contracts, and most GCs treat it as a checkbox rather than a program
  • 78% of GCs in the SubcontractorAudit 2026 GC Compliance Report had at least one subcontractor with an incomplete beneficial ownership file
  • The Bipartisan Infrastructure Law is pushing more federal money through state and local contractors than at any point in the past 30 years

The Belief That Keeps GCs Exposed

When most people hear "anti-money laundering compliance," they think banks. They think financial institutions, wire transfers, offshore accounts, and compliance officers in pinstripe suits running transaction monitoring software.

That mental model is wrong in the context of construction, and the wrongness has a cost.

Construction is one of the most cash-intensive industries in the United States. It generates $1.9 trillion in annual output. Projects involve dozens of subcontractor entities, many of them small businesses with limited financial transparency, crossing multiple state lines, and receiving large progress payments on tight timelines.

That description is also a near-perfect description of an environment where money laundering happens easily.

The Financial Action Task Force, which sets international AML standards, has identified construction as a high-risk sector for money laundering for over a decade. FinCEN has filed billions of dollars in construction-related suspicious activity reports. Federal prosecutors have brought money laundering cases against construction firms in every major metro in the country.

And yet, when I ask GCs whether AML compliance applies to their business, the most common answer I get is some version of "we're not a bank."


What Actually Triggers AML Obligations for GCs

You do not need to be a bank to have AML obligations. You need to be doing specific things.

Federal contract funding. If you receive federal funding, including through state and local agencies administering federal grants, you are in a heavily scrutinized financial environment. The agencies administering that funding, from FHWA to HUD to the Army Corps of Engineers, have OIG investigators whose job is to find financial irregularities. AML compliance documentation is what they look at first.

Large cash transactions. IRS Form 8300 requires any business, in any industry, to report cash transactions over $10,000. This is not a banking rule. It is a tax code rule that applies to general contractors, subcontractors, and specialty trade firms equally. The IRS conducts construction-industry audits specifically because cash transactions are common in the field.

Payments to sanctioned entities. OFAC's sanctions regulations apply to any U.S. person or entity making payments. If you pay a subcontractor whose principal is on the SDN list, you have potentially violated OFAC regulations. The fact that you did not know about the designation is a mitigating factor, not a defense.

The Corporate Transparency Act. Effective January 1, 2024, the CTA requires most small business entities to disclose beneficial ownership information to FinCEN. Your subcontractors are subject to this rule. Your obligation as the GC is to collect and retain that documentation for due diligence purposes.

None of these triggers require you to be a financial institution. They require you to be a business that pays other businesses and receives government money.


The Three Things GCs Consistently Get Wrong

I have reviewed compliance programs at dozens of construction firms. The failures concentrate in three areas.

Getting Wrong #1: Treating Onboarding as a One-Time Event

The most common AML compliance failure I see is a screening process that runs at subcontractor onboarding and never again.

You screen a sub at award, collect their W-9, run them through SAM.gov, and consider the job done. That is better than nothing, but it misses the way sanctions designations actually work.

OFAC updates its SDN list multiple times per week. A subcontractor who was clean at award can be designated 3 months into your project. An individual whose company you vetted can be added to the list for reasons entirely unrelated to your project. If you make a payment after the designation date, you have a potential OFAC violation regardless of when you last checked.

The fix is simple: schedule re-screens at 90-day intervals for every active subcontractor. Document each screen. The process takes about 20 minutes per sub and it creates the audit trail that demonstrates due diligence.

Getting Wrong #2: Conflating Paperwork Completion with Compliance

When I ask GCs about their subcontractor compliance rate, they almost always tell me a number between 85% and 100%. When we audit the actual documentation, the real number is almost always 20-30 points lower.

The gap is not lying. It is a definitional problem. GCs define compliance as "we have something on file." Federal auditors define compliance as "the documentation is current, complete, and accurate for every line item in the regulatory requirement."

A W-9 is not beneficial ownership documentation. A certificate of insurance is not an OFAC screen. A signed subcontract is not evidence of government contractor whistleblower compliance training.

Actual compliance means having the right document, not just a document.

Getting Wrong #3: Treating Whistleblower Obligations as a Human Resources Issue

Government contractor whistleblower compliance training requirements under 41 U.S.C. § 4712 are a compliance and documentation obligation, not just an HR policy.

Most GCs I talk to know they are supposed to have a non-retaliation policy. A smaller number know the specific statutory protections under 41 U.S.C. § 4712. Very few have documented that they delivered training, posted the required notices, and preserved that documentation in a format that survives a federal audit.

The whistleblower protections extend to the entire subcontractor chain, not just your direct employees. A worker employed by one of your third-tier subs has federal whistleblower protections on your project. If something happens to that worker after they raise a concern, the audit starts at the top of the project, which is you.

Documentation of your whistleblower training program is what separates a "we have a policy" defense from an affirmative defense.


What I Think Most GCs Should Do Right Now

I am not going to pretend this is simple. AML compliance construction best practices require time, systems, and, in some cases, outside expertise. But there are three things most GCs can do this month that would materially reduce their exposure.

First, run beneficial ownership certifications on your active subcontractors. Start with the ones on federally funded projects. You are looking for a completed FinCEN-compliant beneficial ownership form that identifies every individual with 25%+ ownership and every individual with substantial control. If you do not have this for your current subs, you have a gap.

Second, set up a recurring OFAC screen. You can do this manually using OFAC's free online search tool if you have fewer than 10 active subs. If you have more, use software. The key is that it happens on a schedule, not just at onboarding, and that you document every search with a date stamp.

Third, verify your Davis-Bacon certified payroll submissions are accurate before your next pay application. Certified payroll discrepancies are the single most common trigger for an expanded federal audit. Use the prevailing wage lookup tool to confirm the applicable wage determinations on each federal project, and cross-check the headcount on your certified payrolls against your site records.

None of these steps require a compliance department or outside legal counsel. They require a process, a calendar, and someone accountable for following it.


The Honest Assessment of Where the Industry Is

The US construction industry generates $1.9 trillion annually. The compliance infrastructure supporting that activity has not kept pace with either the regulatory environment or the scale of federal investment flowing through the sector.

The Bipartisan Infrastructure Law is directing more federal money through state and local contractors than at any point in the past 30 years. More federal money means more federal oversight. More oversight means more audits. More audits means more GCs who are going to discover that their compliance program has gaps they did not know existed.

I started SubcontractorAudit because I watched competent, honest GCs get caught in compliance failures that were preventable. Not because they were doing anything wrong. Because they were managing 20 subcontractors with spreadsheets and tribal knowledge, and the regulatory environment had quietly moved past what that approach could handle.

The GCs who are going to do well in the federal construction market over the next five years are the ones who build systematic compliance programs now, before an audit forces them to. The cost of building the program is a fraction of the cost of remediating the audit findings.


A Different Way to Think About AML Compliance

Most GCs think about compliance as a cost center. Something you have to do, not something that creates value.

I think about it differently. A 95%+ subcontractor compliance rate means you know who is on your project, who controls the entities you are paying, and that your payments are going where you think they are going. That is not just compliance. That is operational clarity.

The top-quartile GCs achieving 95%+ compliance rates are not just avoiding penalties. They are managing their projects with better information. They know when a subcontractor is a shell entity. They know when a change order is inconsistent with the work actually performed. They know when certified payroll does not match the bodies they are paying for.

That information has value beyond the audit file.


AML Compliance Requirements: Quick Reference by Project Type

| Project Type | Federal Funding | AML Requirements | Priority Level |
|---|---|---|---|
| Federal highway / FHWA | Yes | OFAC, Davis-Bacon, Form 8300, CTA, whistleblower | Critical |
| HUD-funded housing | Yes | Same as above plus LIHTC investor screening | Critical |
| State-funded public works | Partial | OFAC, CTA, state prevailing wage | High |
| Private commercial | No | CTA, Form 8300, OFAC (if international subs) | Moderate |
| International projects | No (US law) | OFAC, FCPA, export controls | High |
| Private residential | No | Form 8300, CTA | Moderate |

The "moderate" categories are not safe to ignore. Form 8300 applies regardless of project type. The Corporate Transparency Act applies to your subcontractors regardless of whether your project is public or private. The difference is the intensity of federal oversight and the audit probability.


Frequently Asked Questions

Why is AML compliance suddenly a bigger issue for GCs in 2026 than it was 5 years ago?

Three things changed. The Corporate Transparency Act took effect in 2024, creating explicit beneficial ownership requirements for the first time. The Bipartisan Infrastructure Law dramatically increased the volume of federal money flowing through construction projects, which increased federal audit activity. And FinCEN issued updated guidance in 2023 specifically identifying construction as a high-risk sector, which shifted OIG audit priorities toward the industry.

If I have never had an AML issue in 14 years of federal contracting, why should I worry now?

Audit probability and penalty severity are different concepts. Many GCs have operated with compliance gaps for years without being audited. The two things that change audit probability are complaint-driven investigations (any disgruntled sub or worker can trigger an OIG review through a whistleblower complaint) and the volume of federal oversight activity, which has increased significantly in the past two years. Past non-detection is not evidence that the gaps do not exist.

How does government contractor whistleblower compliance training relate to AML?

Whistleblower complaints under 41 U.S.C. § 4712 frequently trigger audits that start as labor complaints and expand to financial compliance reviews. A GC whose whistleblower training program is documented can demonstrate that workers were informed of their rights before any complaint was filed. That documentation is evidence that the program was functioning, not retrofitted after the complaint.

What is the first thing I should do if I receive an OIG inquiry letter?

Contact an attorney with federal construction compliance experience before responding or providing any documents. Do not assume the inquiry is routine. OIG inquiry letters are often the visible portion of an investigation that has already been underway for weeks. Voluntary cooperation and proactive disclosure of known compliance gaps, made with legal counsel, is almost always better than a defensive posture.

Can a subcontractor's AML failure become my problem as the GC?

Yes, in two ways. If you make payments to a subcontractor that is later found to be a sanctioned entity, you bear the OFAC liability regardless of the sub's culpability. If a sub's fraudulent activity on your project is investigated, your documentation practices will be scrutinized as part of the investigation into whether the GC exercised adequate due diligence. Downstream liability is real.

How do I explain AML compliance requirements to subcontractors who have never heard of it?

Frame it in terms they already understand: "We need to know who owns your company and that you are not on any federal exclusion list. This is a requirement for all of our federal projects, and it protects both of us if there is ever an audit." Most subs who push back are not trying to hide anything. They are unfamiliar with the requirement. A clear, businesslike explanation and a simple form process gets 90%+ compliance in most cases.


Build the System Before You Need It

Every GC I have talked to who went through a federal audit said the same thing afterward: they wished they had built the compliance program before the auditors showed up. Not because the audit found fraud. Because the audit found preventable administrative gaps that cost them time, money, and stress.

You can build that program now, at a fraction of the cost of building it under pressure.

See what SubcontractorAudit can do for your compliance program at SubcontractorAudit.com/demo

Javier Sanz

Founder & CEO

Founder and CEO of SubcontractorAudit. Building AI-powered compliance tools that help general contractors automate insurance tracking, pay application auditing, and lien waiver management.