Guide to Conducting Effective AML Audits

Introduction

Regulators don't just want to see that your AML program exists — they want evidence it actually works. That distinction has driven some of the largest enforcement actions in recent years. In 2024, FinCEN assessed a record $1.3 billion penalty against TD Bank, with the OCC's consent order explicitly citing deficiencies in independent testing.

That same year, Bank of America and Wells Fargo both received OCC orders identifying failures in the independent testing components of their BSA programs.

These aren't isolated cases. Enforcement actions increasingly name the absence or inadequacy of independent audit functions alongside second-line deficiencies. The audit itself is under scrutiny — not just what it was supposed to find.

This guide is for compliance officers, BSA officers, MLROs, and founders at fintechs, crypto firms, and banks who need a practical understanding of AML audits. Not a definitional overview. An operational one. We'll cover what an AML audit must include, how to run one step by step, and — most importantly — where organizations consistently fall short before regulators get there first.


TL;DR

  • An AML audit is an independent test of whether your compliance program is designed, documented, and actually functioning — not a financial audit
  • US, UK, EU, and Canadian regulations all require independent AML testing — frequency is risk-based
  • A complete audit covers CIP/KYC, transaction monitoring, SAR/CTR filings, sanctions screening, training records, and prior findings
  • The BSA officer or MLRO cannot audit their own program — independence is a hard requirement
  • Most audits fail due to weak scoping, inadequate sample sizes, or unresolved prior findings — not missing checklists

What Is an AML Audit?

An AML audit is an independent assessment that evaluates whether a financial institution's anti-money laundering program is adequate, operational, and effective at preventing the firm from being used to facilitate money laundering or terrorist financing.

The purpose is verification, not investigation. An AML audit confirms that your policies, procedures, systems, and controls are designed to detect and report suspicious activity — ideally before a regulator finds the gaps first.

How It Differs from a Financial Audit

A financial audit examines the accuracy of a firm's books and financial statements, conducted by a registered accounting firm under accounting standards. An AML audit examines whether the firm's compliance infrastructure is appropriately designed and functioning. Entirely different mandates, methodologies, standards, and reviewers.

Confusing the two — or assuming your annual financial audit satisfies your AML testing obligation — is a compliance gap that regulators specifically look for.

Why AML Audits Are Non-Negotiable

The Regulatory Mandate

Independent AML testing is a legal or regulatory requirement across major jurisdictions:

  • US (BSA): 31 CFR 1020.210 requires independent testing as one of five mandatory AML program components for banks; 31 CFR 1022.210 covers MSBs
  • US (FINRA): Rule 3310 requires annual independent testing for broker-dealers
  • UK (MLRs 2017): Regulation 21 requires an independent audit function where appropriate to the size and nature of the business
  • Canada (PCMLTFA): FINTRAC requires a two-year effectiveness review at minimum
  • EU (4AMLD): Article 8(4)(b) requires an independent audit function where appropriate

This covers fintechs, money transmitters, crypto firms, BaaS banks, and broker-dealers — not just traditional banks.

The Cost of Getting It Wrong

According to Fenergo's enforcement research, global AML, KYC, and sanctions fines totaled $6.6 billion in 2023 — a 57% increase from $4.2 billion the prior year. Crypto firms accounted for 69% of those penalties; payments firms, 21%.

Weak independent testing was cited explicitly in the USAA ($140M), Binance ($3.4B), TD Bank ($1.3B), Bank of America, and Wells Fargo enforcement actions. In each case, audit deficiencies were named violations, not incidental observations.

The Strategic Case Beyond Compliance

A well-executed AML audit does more than satisfy regulators. It:

  • Strengthens sponsor bank relationships by providing third-party validation of your controls
  • Supports investor due diligence with board-ready documentation
  • Surfaces control gaps before an examiner finds them
  • Demonstrates institutional commitment when regulators assess your culture of compliance

For fintechs preparing for sponsor bank onboarding, an independent audit is typically a prerequisite — one sponsors expect to see before they'll move forward.


What an Effective AML Audit Covers

A risk-based approach determines scope. Testing depth should match the firm's actual risk profile — products, customer types, transaction volumes, and geographies all factor in. A crypto exchange serving high-risk jurisdictions needs substantially deeper testing than a small domestic payments processor.

That said, every AML audit should cover these core components:

Core Audit Components

  • AML/BSA policies — Are they current, complete, and board-approved? Do they reflect how the business actually operates?
  • CIP and CDD/EDD — Onboarding files, beneficial ownership documentation, and high-risk customer handling. File quality matters as much as policy existence.
  • Transaction monitoring systems — Testing of alert thresholds, rule logic, and calibration to the firm's actual risk profile. USAA's consent order found that 40% of active monitoring scenarios hadn't been tuned in over two years, directly contributing to at least 3,873 late SARs.
  • SAR and CTR filings — Assessment of whether reports are filed accurately, timely, and for the right reasons. Not just whether they were filed at all.
  • OFAC/Sanctions screening — Watchlist coverage, match-review processes, and false positive/negative management.
  • Employee training records — Verification that relevant staff received role-appropriate AML training at required frequency.
  • Prior audit findings — Whether previously identified deficiencies were remediated on time. Regulators typically check this first.

[Infographic: seven core AML audit components checklist]

How to Conduct an AML Audit: A Step-by-Step Guide

Before fieldwork begins, define scope and objectives: which areas will be tested, at what depth, and against which regulatory frameworks. That scope document needs to be defensible — and the steps below show what a defensible one looks like in practice.

Step 1: Pre-Audit Planning and Risk Assessment

Review the firm's most recent enterprise-wide AML risk assessment, prior audit reports, and any regulatory examination findings. This determines where to concentrate testing effort.

Then identify material changes since the last audit, which shift where risk actually lives:

  • New products or services launched
  • New customer segments onboarded
  • Geographic expansion into new jurisdictions
  • Significant transaction volume growth

FinCEN's Binance consent order criticized a 2020 independent review that sampled only 31 KYC fiat accounts, excluded no-KYC users, and conducted no transaction testing. That's a scope failure before a single control is evaluated.

[Infographic: pre-audit risk assessment process for identifying material program changes]

Step 2: Documentation Review

Conduct a full review of the firm's written AML program. Assess whether documentation is complete, current, and aligned with applicable requirements:

  • BSA/AML policies and procedures
  • Compliance manuals and written supervisory procedures
  • Board approvals and governance documentation
  • Organizational structure and role assignments

A policy unchanged since launch, while the business has grown significantly, is itself a gap. Documentation review often surfaces these misalignments before any operational testing begins.

Step 3: Transactional Testing and File Review

Sample customer files, onboarding records, and transaction data to test whether procedures are being followed in practice. This includes CDD/EDD quality, alert review decisions, and SAR/CTR filing records.

Sampling methodology matters. Samples should be risk-weighted: high-risk customers, high-volume accounts, and flagged transactions warrant deeper review than low-risk segments. A uniform random sample often misses the highest-risk activity entirely.
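To make the sampling point concrete, here is an added Python example (not code from the original guide) that builds a constructed account population and compares a uniform random sample with a stratified, risk-weighted one. The strata, their weights, and the field names are assumptions chosen for illustration, not a prescribed methodology.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    risk_tier: str               # "low", "medium" or "high" (assumed field)
    monthly_volume: float
    flagged_not_escalated: bool  # alert raised but closed without escalation (assumed field)

def build_population(seed: int = 7, size: int = 1000) -> list:
    """Constructed data, not real customers: ~5% high-risk, ~2% flagged-but-not-escalated."""
    rng = random.Random(seed)
    pop = []
    for i in range(size):
        tier = rng.choices(["low", "medium", "high"], weights=[80, 15, 5])[0]
        volume = round(rng.lognormvariate(8, 1.2), 2)
        pop.append(Account(f"ACC{i:05d}", tier, volume, rng.random() < 0.02))
    return pop

def stratify(accounts: list) -> dict:
    """Place each account in the single highest-priority stratum it belongs to."""
    cutoff = sorted(a.monthly_volume for a in accounts)[int(0.95 * len(accounts))]  # top 5% by volume
    strata = {"exception": [], "high_risk": [], "high_volume": [], "other": []}
    for a in accounts:
        if a.flagged_not_escalated:
            strata["exception"].append(a)
        elif a.risk_tier == "high":
            strata["high_risk"].append(a)
        elif a.monthly_volume >= cutoff:
            strata["high_volume"].append(a)
        else:
            strata["other"].append(a)
    return strata

def uniform_sample(accounts: list, n: int, seed: int = 1) -> list:
    return random.Random(seed).sample(accounts, n)

def risk_weighted_sample(accounts: list, n: int, seed: int = 1) -> list:
    """Take every exception item, then split the remaining budget 50/30/20 across the other strata."""
    rng, strata = random.Random(seed), stratify(accounts)
    chosen = strata["exception"][:n]
    remaining = n - len(chosen)
    quotas = {k: min(len(strata[k]), int(remaining * w))
              for k, w in {"high_risk": 0.5, "high_volume": 0.3, "other": 0.2}.items()}
    quotas["other"] = min(len(strata["other"]), quotas["other"] + remaining - sum(quotas.values()))
    for name, q in quotas.items():
        chosen.extend(rng.sample(strata[name], q))
    return chosen

def coverage(sample: list, accounts: list) -> dict:
    """Share of the population's high-risk and exception accounts that the sample actually reached."""
    ids = {a.account_id for a in sample}
    def frac(pred):
        pool = [a for a in accounts if pred(a)]
        return sum(a.account_id in ids for a in pool) / len(pool)
    return {"high_risk": frac(lambda a: a.risk_tier == "high"),
            "exception": frac(lambda a: a.flagged_not_escalated)}
```

Running both samplers at the same size (for example 100 of 1,000 accounts) shows the uniform sample touching only a small fraction of the exception and high-risk accounts, while the weighted sample reaches all of the exceptions.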

Step 4: Systems and Controls Evaluation

Evaluate the AML technology stack: transaction monitoring rules, alert logic, OFAC screening configuration, and data feeds. Test whether systems are functioning as designed and whether parameters have been validated against the firm's actual risk profile.

Confirming that a system exists is not the same as confirming it's calibrated correctly.

Step 5: Interviews and Walkthroughs

Interview the BSA officer/MLRO and key compliance staff to assess institutional knowledge, awareness of regulatory obligations, and whether controls are understood and consistently applied. Conduct walkthroughs of key processes — onboarding, alert investigation, SAR filing — to verify that documented procedures match operational reality.

Gaps between written procedures and actual practice are among the most common findings in regulatory examinations.

Step 6: Findings, Reporting, and Remediation Planning

The audit concludes with a written report that:

  1. Identifies each deficiency with enough specificity to act on
  2. Rates severity (critical, significant, or moderate) with supporting rationale
  3. Recommends specific corrective actions with assigned ownership and realistic timelines
  4. Gets delivered to senior management and the board, not just the compliance team

[Infographic: four-component structure of the AML audit findings report, with severity ratings and ownership]

Subsequent audits must assess whether prior findings were actually resolved. TD Bank's OCC consent order required the board to ensure management remedied audit deficiencies and to report on that process at least quarterly.


Who Should Conduct Your AML Audit — and How Often

The Independence Requirement

The auditor — whether internal or external — must be independent of the functions and areas being tested. Under US regulations, the BSA/AML compliance officer cannot conduct the independent audit of their own program. FINRA Rule 3310 goes further, barring anyone who performs the tested functions or reports to those persons.

For growing fintechs, crypto companies, and embedded finance firms without staff who are genuinely independent of AML risk areas, engaging a qualified external party is almost always the only viable path.

Choosing Your Auditor

  • Internal audit teams can conduct AML audits if they have no involvement in AML functions and have the right technical background
  • External third parties are the practical default for smaller firms, offering the clearest independence argument to regulators and sponsor banks
  • Fractional compliance leadership — a fractional BSA Officer, CAMLO, or MLRO — provides director-level expertise to scope, manage, or support an independent audit without the cost of a full-time hire

Once you've settled on who conducts the audit, the next question is cadence — and that answer depends entirely on your risk profile.

How Often Should You Audit?

Frequency is risk-based, not arbitrary.

  • FFIEC guidance points to 12–18 month intervals as a baseline for US banks, with additional testing when risk profile, systems, or processes materially change
  • FINRA Rule 3310 requires annual testing for most broker-dealers
  • FINTRAC requires a formal effectiveness review at least every two years for Canadian reporting entities

Beyond scheduled cycles, firms should conduct targeted thematic reviews when they:

  • Launch new products or enter new geographies
  • Onboard a new sponsor bank
  • Experience significant growth in transaction volume
  • Undergo leadership changes in the compliance function

Common AML Audit Mistakes to Avoid

Treating It as a Documentation Exercise

The most common mistake: reviewing policies and calling it an audit. Regulators and FFIEC examination guidance are explicit — the objective is to assess adequacy and effectiveness of the program, not to confirm that documents exist. Without transactional testing and walkthroughs, you haven't conducted an audit. You've done a policy review.

Poor Scoping Decisions

Audits that are too narrow miss real risk. Audits that try to cover everything superficially produce unreliable results. The Binance enforcement action is the clearest example: FinCEN found the independent review sampled too few accounts, excluded entire user populations, and omitted transaction testing entirely.

Scope decisions should be documented, risk-based, and defensible — not determined by what's convenient to review.

Inadequate or Non-Risk-Weighted Samples

Small or uniform samples routinely fail to surface real weaknesses. Risk-weight your samples toward:

  • High-risk customers and elevated-risk geographies
  • High-volume accounts with atypical transaction patterns
  • Exception transactions flagged but not escalated

If your sample excludes the accounts most likely to generate suspicious activity, your conclusions about program effectiveness aren't reliable.

Failing to Close Prior Findings

According to Fenergo's 2024 enforcement data, transaction monitoring failures alone accounted for $3.3 billion of the $4.6 billion in global enforcement actions that year — many involving issues that had appeared in prior examinations or audits.

Recurring findings — issues identified in one audit that reappear in the next — are among the most significant red flags to regulators. Sustainable corrective actions, not just policy updates, demonstrate institutional commitment.

Updating a policy to address a finding while leaving the underlying operational gap in place is visible to any competent examiner.


Frequently Asked Questions

What is an AML audit?

An AML audit is an independent review that tests whether a firm's anti-money laundering program is appropriately designed, documented, and operating effectively. It is a separate exercise from a financial audit — different purpose, different methodology, different regulatory basis.

What are the AML 3 stages?

The three stages of money laundering are placement (introducing illicit funds into the financial system), layering (obscuring the origin through complex transactions), and integration (reintroducing funds as apparently legitimate assets). AML controls — including transaction monitoring and SAR filing — target activity across all three stages.

What are the 5 pillars of AML?

The five pillars of an effective AML program are: written internal policies and procedures, a designated compliance officer, ongoing employee training, independent testing/audit, and customer due diligence. Independent testing is codified as a required component, not an optional enhancement.

How often should an AML audit be conducted?

Frequency is risk-based. FFIEC guidance references 12–18 month intervals as a baseline for US institutions, while FINRA requires annual testing for most broker-dealers and FINTRAC requires a review at least every two years. Firms should also conduct targeted reviews after major changes — new products, new geographies, or significant volume increases.

Who can conduct an independent AML audit?

The auditor must be independent of the areas being tested — the BSA officer or MLRO cannot audit their own program. Audits may be conducted by qualified internal staff from unaffected departments or by qualified external third parties. For most smaller fintechs and crypto firms, an external party is the practical and defensible choice.

What is the difference between an AML audit and a financial audit?

A financial audit assesses the accuracy and integrity of a company's financial statements, conducted by a registered accounting firm. An AML audit tests whether the firm's compliance program is adequate and functioning. They serve different regulators and follow different methodologies. Completing one does not satisfy the other.