AML Lookback Review: What It Is and When It Is Required

An AML lookback review is a regulatory mandate to examine a financial institution’s historical transaction records for signs of suspicious activity, typically triggered after a compliance failure is discovered or when regulators order one during an examination. The institution selects transactions according to a defined sampling methodology, documents what should have been flagged, and reports its findings to regulators and law enforcement.

What triggers an AML lookback review requirement

Regulators require a lookback review when an institution has failed to file a Suspicious Activity Report (SAR) on a transaction that it should have. The discovery can happen in three ways: during a regulatory examination, when internal compliance staff uncover the gap, or when a whistleblower alerts the agency. Once a regulatory agency determines that the institution missed a reportable transaction—or an entire pattern—it issues a directive to conduct a comprehensive historical review of a specified period.

The period covered is almost always several years. A five-year lookback is typical; some orders extend to ten years or more. The scope depends on the nature of the gap: if the failure was systematic (a procedural deficiency affecting all transactions of a certain type), the lookback spans the full period. If it was isolated, the scope may be narrower, though regulators tend toward caution and order broad reviews to ensure no other gaps are missed.

Scope and sampling methodology

The institution is required to review all transactions that match the characteristics of the ones it missed, or to apply a documented statistical sampling methodology approved by regulators. In practice, most institutions use sampling when the universe is huge—for example, all wire transfers over a certain amount, all cash deposits by a particular customer type, or all transactions in a high-risk geography.

The sampling plan itself is negotiated between the institution and the regulator. A common approach is stratified random sampling: divide the transaction population into layers (by size, customer type, or risk rating) and randomly select a percentage from each layer. Regulators often expect the sample to be large enough that the results are defensible—typically 5 to 10 percent of the universe, though this varies.

The institution must document the methodology in writing, showing how it was designed, which transactions were selected, and how the results will be extrapolated to the full population. If the sample reveals that, say, 12 percent of transactions should have triggered a SAR, the institution will typically estimate that 12 percent of the entire universe likewise should have been reported.

What the review looks for

The review applies the institution’s own SAR filing thresholds and suspicious indicators as they were written during the lookback period. Examiners ask: if we applied today’s compliance procedures to these old transactions, how many red flags would we have caught?

Common patterns that emerge include:

  • Structuring activity: Cash deposits just below reporting thresholds, made by the same customer or related parties within a short time window.
  • Rapid movement: Money in and out of an account within hours or days, with no apparent business purpose.
  • Geographic mismatch: Transactions inconsistent with the customer’s stated business or residence.
  • Beneficial ownership gaps: Wire transfers on behalf of entities whose true owners are unknown or undisclosed.

The institution documents each transaction that should have been reported, the reason it was missed (inadequate filtering, human error, ambiguous guidance), and what policy change would have caught it.

Remediation and reporting obligations

Once the review is complete, the institution must file SARs retroactively for all transactions identified in the lookback, regardless of how long ago they occurred. There is no statute of limitations on SAR filing; a transaction from ten years prior that was missed is filed today. The SAR itself is backdated to note the original transaction date, but it is marked to indicate it is a remedial filing arising from a compliance review.

The institution also files a detailed remediation report with its primary regulator and, in many cases, with law enforcement (typically FinCEN for U.S. institutions). The report explains:

  • The root cause of the compliance failure.
  • The sampling methodology and results.
  • The number of SARs being filed retroactively.
  • The corrective actions taken to prevent recurrence.

Regulators may order enhanced monitoring going forward, more frequent compliance examinations, or—in severe cases—civil money penalties. The institution may face orders to hire an independent consultant to validate the review or to audit its compliance program more broadly.

Distinction from customer risk assessment reviews

An AML lookback review is distinct from a customer risk assessment review, though the two sometimes overlap. A lookback focuses on missed SARs; a customer risk assessment examines whether the institution’s original identification, verification, and ongoing monitoring of a customer were adequate. A regulator might order both if it suspects both inadequate reporting and weak customer due diligence.

Real-world outcomes

Lookback reviews have identified tens of millions of dollars in unfiled SAR cases. In prominent enforcement actions, institutions have been ordered to file thousands of retroactive SARs and pay substantial penalties. The public record shows that lookback reviews often uncover not just a handful of missed transactions but systemic gaps—a business line with inadequate controls, a geographic region where risk assessment was deficient, or a customer type that was not being monitored to standard.

Institutions now often conduct voluntary lookback reviews as an internal governance measure, before examiners find the gap. This approach, coupled with prompt remediation and transparent reporting, typically results in lighter regulatory consequences than waiting for a regulator to discover the problem.

See also

  • Suspicious Activity Report — the AML filing requirement triggered by a lookback review
  • Know Your Customer — customer identification practices that lookback reviews often address
  • Anti-Money Laundering Compliance — the regulatory framework requiring SARs and lookback reviews
  • Beneficial Ownership Reporting — a common gap found in lookback reviews
  • Structuring Detection — a frequent pattern uncovered in historical reviews

Wider context

  • Financial Crimes Enforcement Network — receives retroactive SARs and lookback reports
  • Regulatory Examination — the process that often triggers a lookback mandate
  • Compliance Risk Management — controls that should prevent lookback-type failures