AML Audit: The Complete 2026 Guide to Independent Testing & Reporting

An independent AML audit is no longer a quiet annual exercise tucked away in the compliance calendar. It is the document a regulator opens first, the report a banking partner asks for before they renew correspondent access, and the deliverable an acquirer requests on day one of due diligence. When examiners arrive — at FINTRAC in Canada, the FCA in the UK, FinCEN in the US, the CBUAE or DFSA in the UAE, FINMA in Switzerland — the quality of your last AML audit shapes the tone of the entire engagement.

This guide explains what an AML audit is, what regulators in each major jurisdiction expect, how the process actually runs, what auditors look for, and how to prepare. It draws on ComplyFactor’s audit work across Canadian MSBs and PSPs, UK payment institutions, UAE exchange houses and DIFC firms, Swiss DSFIs, and US money services businesses, and it is structured to be useful whether you are an MLRO preparing for your first independent review or a board member asking why the report came back the way it did.

What Is an AML Audit?

An AML audit is an independent assessment of whether a firm’s anti-money laundering and counter-terrorist financing programme is designed, documented and operated in a way that meets the regulatory obligations applicable to that firm and is effective in identifying, mitigating and reporting financial crime risk in practice.

Three elements matter in that definition. First, independence — the audit cannot be performed by the people who designed or operate the programme. Second, design and operation — auditors are not just reviewing policies on paper; they are testing whether what is written is actually what happens. Third, effectiveness — the question is not only “is the programme compliant” but “does it work”.

In Canada, this function is referred to in the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations as a review of the compliance programme’s effectiveness. In the United States, it appears in the Bank Secrecy Act framework as the “independent testing” pillar. In the United Kingdom, the Money Laundering Regulations 2017 require an independent audit function where appropriate to the firm’s size and nature. In the UAE, the CBUAE, DFSA, FSRA and VARA each impose their own variants. The label changes; the underlying obligation is broadly consistent across the global AML regulatory landscape.

AML Audit at a Glance

Element | What It Means
Purpose | Independent verification that the AML/CFT programme is compliant and effective
Who performs it | Internal staff independent of AML functions, or an external third party
Frequency | Risk-based; typically every 12–24 months depending on jurisdiction
Scope | Risk assessment, policies, KYC/CDD, transaction monitoring, sanctions screening, training, governance, recordkeeping
Output | Written audit report with findings, ratings and remediation recommendations
Audience | Senior management, board, MLRO, regulator on request
Statutory basis | PCMLTFR (Canada), BSA & 31 CFR (US), MLR 2017 (UK), CBUAE Decision 74/2020 & DFSA AML Module (UAE), AMLA & AMLO-FINMA (Switzerland)

Why AML Audits Matter More in 2026

Three forces have shifted the weight that regulators, banks and investors now place on the AML audit report.

The first is enforcement intensity. FINTRAC has issued the largest administrative monetary penalties in its history in the past two years, including a CAD 7.4 million penalty against Royal Bank of Canada in 2023 and CAD 9.1 million against TD Bank, and Canadian banks have absorbed multi-billion-dollar settlements in the United States for BSA failures. The FCA’s £21.1 million fine against Monzo and £39.3 million against Barclays are part of a broader pattern in which AML programme inadequacies — not isolated transactions — drive enforcement. The audit report is often where those inadequacies first appear in writing.

The second is examination scope. Examiners no longer accept policy documentation as evidence of operational compliance. They sample transactions, interview staff, replay alert dispositions and read training records. An AML audit that does not test the same way an examiner tests is increasingly worthless as a defence document.

The third is third-party reliance. Banking partners conducting correspondent due diligence, payment networks reviewing programme participants, and acquirers performing transaction due diligence all request the most recent independent AML audit report. A weak report — or no report — can quietly close access to banking before any regulator becomes involved.

AML Audit vs Financial Audit

These are routinely confused, particularly by founders preparing for their first regulatory examination, but they are fundamentally different exercises with different scopes, different practitioners and different outputs.

Dimension | Financial Audit | AML Audit
Object of testing | Financial statements, accounting records | AML/CFT programme, controls, transactional behaviour
Performed by | Registered public accounting firm (typically) | AML specialist, MLRO, compliance consultancy or internal audit
Standard | GAAP, IFRS, ISA | FATF Recommendations, jurisdiction-specific AML rules
Output | Audit opinion on financial statements | Independent assurance report on AML programme
Frequency | Typically annual for material entities | Risk-based, often 12–24 months
Regulator interest | Tax authority, securities regulator | Financial intelligence unit, prudential and conduct regulator
Failure consequence | Restated accounts, going-concern issues | AML enforcement, licence risk, banking loss

A clean financial audit tells stakeholders the books are accurate. A clean AML audit tells stakeholders the firm is not unknowingly being used for money laundering or terrorist financing. They are not substitutes. For Canadian operators, this distinction is examined further in our guide to accounting and tax compliance for MSBs and PSPs versus AML compliance.

AML Audit vs AML Review vs Effectiveness Review

The terminology varies by jurisdiction and the variation has practical consequences. ComplyFactor’s deep-dive on the difference between an AML review and an AML audit covers this in detail; the short version is below.

An AML audit is a comprehensive, end-to-end test of the entire programme against the applicable regulatory framework, typically resulting in a formal opinion or rating.

An AML review is often narrower in scope — for example, a thematic review of transaction monitoring rules, a sample-based test of KYC files, or an assessment of one product line. It may or may not produce a formal opinion.

An effectiveness review is the term used in Canadian regulation under PCMLTFR. It must cover the policies and procedures, the risk assessment, the training programme and the operational implementation of the programme. FINTRAC expects this to occur at least every two years, regardless of size.

For most firms, the distinction matters most when interpreting what a regulator asked for. A FINTRAC examiner asking for the “biennial effectiveness review” is asking for something specific; producing a one-line attestation will not satisfy them. An FCA supervisor asking for the “independent audit” expects a comparable level of depth.

The Regulatory Basis Across Jurisdictions

Independent testing is not optional in any major financial centre. The legal hooks differ but converge on the same outcome.

Canada. The PCMLTFA and the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), Part 1 Division 2, require reporting entities — including MSBs and FMSBs — to test the effectiveness of their compliance programme at least every two years through an internal or external review. The review must cover the policies and procedures, the risk assessment, the training programme and how they have been applied. The detailed expectations for FINTRAC AML requirements and the FINTRAC-compliant AML programme framework are unpacked in dedicated guides.

United States. The Bank Secrecy Act, implemented through Title 31 of the Code of Federal Regulations, requires independent testing as one of the four pillars of an AML programme — alongside internal controls, a designated compliance officer and ongoing training. The fifth pillar, customer due diligence, was added in 2018. For MSBs the obligation sits in 31 CFR 1022.210; for banks in 31 CFR 1020.210; for loan and finance companies in 31 CFR 1029.210. For broker-dealers, FINRA Rule 3310 requires annual independent testing. The forthcoming FinCEN AML/CFT Program rule, currently in notice-of-proposed-rulemaking form, will further codify risk-based programme expectations.

United Kingdom. The Money Laundering Regulations 2017, Regulation 21(1)(c), require relevant persons to establish an independent audit function — where appropriate to the size and nature of the business — to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures. The FCA’s expectations are set out in its Financial Crime Guide, and the supervisory pattern is examined in our analysis of why FCA-regulated firms are failing AML audit inspections and the FCA AML audit preparation checklist for UK payment institutions.

United Arab Emirates. CBUAE Decision 74 of 2020 imposes independent audit requirements on licensed financial institutions, with specific AML/CFT guidelines for exchange houses layered on top. The DFSA’s AML Module (within the GEN module) imposes equivalent requirements on Authorised Firms in the DIFC, examined in our DIFC AML compliance handbook and the Category 3C and Category 3D guides. VARA’s Compliance and Risk Management Rulebook imposes independent compliance review obligations on virtual asset service providers, and the UAE crypto regulation framework sets out how the regimes overlap.

Switzerland. The Anti-Money Laundering Act (AMLA) and the FINMA AMLO-FINMA Ordinance require directly subordinated financial intermediaries (DSFIs) and prudentially supervised institutions to undergo regular AML audits performed by FINMA-licensed audit firms. The cadence and scope are set out in our Switzerland AML audit and independent review guide, with practical preparation covered in our Swiss AML audit preparation checklist and the common pitfalls in Swiss AML audits.

European Union. The 6th Anti-Money Laundering Directive and the forthcoming AML Regulation (AMLR) and AML Authority (AMLA) regime impose independent audit function requirements on obliged entities. The MiCA Regulation imposes parallel governance and internal control obligations on CASPs. The practical 6AMLD compliance framework and MiCA regulation guide cover both regimes in depth.

The unifying principle is FATF Recommendation 18, which requires financial institutions and DNFBPs to implement internal controls, including independent audit functions where appropriate to the size and nature of the business.

The 9-Stage AML Audit Process

A well-run AML audit follows a predictable structure. The depth at each stage varies with the size and complexity of the firm, but the sequence does not.

1. Scoping and Engagement

The auditor agrees with management what is in scope, what is out of scope, the period under review, the regulatory framework against which the firm will be tested, the methodology, the deliverables and the timeline. For multi-jurisdictional firms, scoping is critical — testing a UK EMI and its UAE subsidiary against a single framework will produce a defective report.

2. Information Gathering

The auditor issues an initial information request list covering the AML/CFT programme documentation, governance records, the enterprise-wide risk assessment, transaction data extracts, KYC files, alert and SAR/STR/UTR data, training records and prior audit reports. A well-prepared firm can respond to this list in days; a poorly prepared firm spends weeks.

3. Risk Assessment Review

The auditor evaluates whether the firm has a documented enterprise-wide risk assessment, whether it covers the FATF risk categories (customer, geographic, product, channel, transaction), whether the methodology is defensible, and whether the resulting risk ratings drive operational controls.

4. Policy and Procedure Review

The auditor maps the firm’s written AML/CFT policies and procedures against the applicable regulatory requirements. Gaps are identified at the level of specific obligations — for example, whether the firm’s politically exposed persons procedure covers domestic PEPs in jurisdictions that require it.

5. Operational Testing

This is where most firms find out whether their programme actually works. The auditor selects samples — KYC files, alerts, SAR/STR filings, training completions, sanctions hits, transaction monitoring rule outputs — and tests whether what was supposed to happen actually happened. Sample sizes are risk-based.

6. Walkthroughs and Interviews

The auditor interviews the MLRO, deputy MLRO, KYC analysts, transaction monitoring analysts, customer-facing staff and senior management. Interviews test whether stated procedures are understood and followed in practice.

7. Findings Development

Findings are drafted, rated by severity (typically high / medium / low or critical / significant / observation), tied to specific regulatory references, and supported by evidence. Each finding is matched with a recommendation.

8. Management Response and Reporting

Findings are shared with management in draft. Management responds with action plans, owners and target dates. The final report incorporates these and is delivered to senior management and, where applicable, the board.

9. Follow-Up

A high-quality audit programme includes follow-up testing of the implementation of prior recommendations. This is the stage that distinguishes a real audit function from a tick-box exercise.

Scope: What an Independent AML Audit Actually Covers

A complete AML audit covers ten domains. A defensible audit report addresses each of them explicitly, even if only to record that a domain is not applicable to the firm.

  1. Governance and oversight — board and senior management engagement, MLRO appointment and authority, three-lines-of-defence structure, management information.
  2. Enterprise-wide risk assessment — methodology, completeness, currency and linkage to controls.
  3. Customer due diligence — onboarding, identification and verification, beneficial ownership, source of funds and source of wealth, ongoing monitoring, periodic review, KYC requirements calibration.
  4. Enhanced due diligence and high-risk categories — PEPs, high-risk jurisdictions, complex ownership structures, circular ownership, correspondent relationships.
  5. Transaction monitoring — rule design, calibration, alert disposition quality, false positive rates, model validation.
  6. Sanctions and PEP screening — list coverage, screening logic, fuzzy matching, hit disposition, screening at onboarding and on an ongoing basis.
  7. Suspicious transaction reporting — STR/SAR/UTR filing process, timeliness, quality, escalation, defensive filing review.
  8. Recordkeeping — retention periods, retrieval capability, audit trail.
  9. Training — coverage, frequency, role-based content, testing, attendance records.
  10. Independent audit function itself — recursive review of how prior audit findings have been managed.

The scope of a comprehensive AML programme sets the floor; the audit tests whether each component is operating to that standard.

Auditor Independence and Competence

Two requirements distinguish a credible AML audit from a defective one.

Independence. The auditor cannot be the person or team responsible for designing or operating the programme being audited. In smaller firms with no internal audit function, this typically means engaging a qualified third party. The MLRO cannot audit themselves. A consultant who wrote the firm’s AML policies cannot then audit them — a point regulators across multiple jurisdictions have made in recent enforcement actions.

Competence. The auditor must have demonstrable AML/CFT expertise relevant to the firm’s regulatory framework, products and jurisdictions. A generalist financial auditor without specific AML experience will produce a report that examiners will discount. Relevant credentials include CAMS (ACAMS), ICA diplomas, CGSS, jurisdiction-specific MLRO experience, and prior regulator or Big 4 AML practice background.

The trade-off between cost and competence is real, but the floor is set by the firm’s exposure. A small VASP whose audit is performed by a non-specialist will spend more on remediation after a regulatory examination than they saved on the audit fee. ComplyFactor’s global MLRO services and AML advisory services operate on the principle that audit competence is a precondition, not a deliverable.

AML Audit Frequency by Jurisdiction

There is no single global cadence. The table below summarises the practical baseline in each major jurisdiction.

Jurisdiction | Baseline Frequency | Notes
Canada | At least every 2 years | PCMLTFR effectiveness review; higher risk profile may require more frequent
United States (banks) | Risk-based; typically every 12–18 months | BSA examination expectations
United States (MSBs) | Risk-based | 31 CFR 1022.210 — depth/frequency must match risk
United States (broker-dealers) | Annual | FINRA Rule 3310
United Kingdom | Risk-based, typically annual for material firms | MLR 2017 Reg 21(1)(c); FCA expectation
UAE (CBUAE-licensed) | Annual | CBUAE Decision 74 of 2020 framework
UAE (DFSA Authorised Firms) | Annual | DFSA AML Module
UAE (VARA-licensed VASPs) | Annual | Compliance and Risk Management Rulebook
Switzerland (DSFIs and prudentially supervised) | Annual | FINMA AMLO-FINMA
EU (6AMLD / AMLR) | Risk-based; typically annual for credit and financial institutions | National implementation varies
EU CASPs (MiCA) | Risk-based; ongoing internal audit function | MiCA Article 67

The frequency stated in regulation is a floor, not a ceiling. A firm that has just gone through a material change — new product launch, new jurisdiction, M&A integration, new banking partner, regulatory change — should consider an off-cycle audit regardless of where it sits in its statutory schedule.

Common AML Audit Findings

ComplyFactor’s audit work across hundreds of firms produces a distribution of findings that is depressingly consistent. The same issues appear across MSBs in Canada, payment institutions in the UK, exchange houses in the UAE and DSFIs in Switzerland.

Risk assessment is stale or generic. The enterprise-wide risk assessment was prepared at licensing, has not been updated to reflect actual transactional behaviour, and uses a methodology lifted from a template. It does not drive control design.

KYC files are incomplete or undocumented. Beneficial ownership identification is not always evidenced, source-of-funds documentation is missing for higher-risk clients, periodic review timelines are not met, and the link between risk rating and CDD intensity is broken. The 15 critical areas in our AML audit checklist cover this in granular detail.

Transaction monitoring is uncalibrated. Rules were set at go-live and have not been tuned. False positive rates are extreme, alert backlogs build, and analysts triage by closing alerts rather than investigating them. Model validation has never been performed.

Sanctions screening has coverage gaps. Lists are not refreshed at the required frequency, fuzzy matching thresholds are arbitrary, and ongoing screening of the existing book is not performed — only at onboarding.

STR/SAR filings are late, thin or absent. Filings are made but the underlying narrative is generic; or filings are not made because the threshold for reasonable grounds to suspect is misunderstood; or the firm has never filed and cannot articulate why.

Training is generic and not role-based. All staff receive the same e-learning module. Customer-facing staff receive no specific training on red flags relevant to their role. Senior management receive no specific governance training.

Governance and management information are weak. The MLRO does not produce regular reports to senior management. The board does not receive AML metrics. The three-lines-of-defence structure exists on paper but not in practice.

Prior audit findings are not closed. Recommendations from the previous audit appear again in the current audit, often verbatim.

How to Prepare: A 90-Day Plan

Preparation does not begin when the auditor’s engagement letter is signed. It begins 90 days earlier.

Days 90–60: Internal stocktake. Re-read the most recent audit report. Pull the action plan. Verify every recommendation has been implemented and evidenced. Refresh the enterprise-wide risk assessment. Pull a sample of KYC files yourself and test them against your own procedures.

Days 60–30: Document hygiene. Ensure all policies and procedures are current and version-controlled. Confirm training records are complete. Pull MLRO reports to senior management for the period under review and check the cadence is consistent. Confirm board minutes reflect AML governance discussions. Run a sample of alerts and confirm dispositions are documented.

Days 30–0: Engagement and information request. Engage the auditor early enough to allow scope agreement and information gathering before fieldwork. Prepare data extracts in clean formats. Brief staff likely to be interviewed. Set realistic timelines.

During the audit. Respond to information requests promptly. Do not redact or filter without raising the redaction with the auditor. Disagree with draft findings constructively and on the basis of evidence.

After the audit. Treat the management response as a binding action plan, not a comment field. Assign owners, dates and budget. Hold a closing meeting. Track recommendations through to closure with documented evidence.

This sequence is set out in operational detail in our guide on how to prepare for your annual independent AML audit and in the AML audit checklist for 2025.

What an AML Audit Report Should Contain

A defensible AML audit report has a predictable structure. The absence of any of the elements below is itself a sign that the audit was inadequate.

The report should open with an executive summary that states the scope, the period, the methodology, the overall opinion or rating, and the headline findings. A regulator who reads only the first two pages should understand what was tested, against what standard, and what the outcome was.

The body should set out the regulatory framework against which the firm was tested, the scope and approach including sample sizes and selection methodology, the detailed findings organised by domain (governance, risk assessment, CDD, transaction monitoring, screening, reporting, training, recordkeeping), each with a severity rating, supporting evidence and specific regulatory references, and the management response to each finding with action owners and target dates.

The report should close with an opinion — whether the programme is satisfactory, requires improvement, is materially deficient, or some equivalent rating — and an appendix containing the auditor’s qualifications, the information request list, and the population from which samples were drawn.

The regulator-ready independent AML review framework sets out what a strong report looks like in practice.

The Cost of Getting It Wrong: Recent Enforcement

Three recent matters illustrate the practical consequences when the AML audit function fails or is ignored.

TD Bank absorbed a record-setting penalty package in the United States in 2024, approximately USD 3 billion, for systemic BSA failures. Reporting on the matter has indicated that prior audit and review work had identified material gaps that were not closed before the conduct giving rise to the enforcement action.

Monzo was fined £21.1 million by the FCA in 2025 for AML and financial crime systems failings. Our analysis of the Monzo enforcement action sets out the gap between policy and operation that the audit function should have caught.

Royal Bank of Canada was assessed CAD 7.4 million by FINTRAC and the City National Bank subsidiary fined USD 65 million by the OCC in 2024 for risk management and BSA failings. The pattern in each case is the same: the audit function existed but did not produce findings sharp enough — or close findings fast enough — to prevent the conduct that triggered the enforcement.

The lesson is straightforward and uncomfortable. Where an AML audit identifies a gap and the firm chooses not to close it within the timelines set out in the management response, the audit report ceases to be a defence document and becomes the regulator’s evidence file. Lessons from Canada’s historic CAD 9.1 million FINTRAC penalty against TD Bank and from Barclays’ £39.3 million fine reinforce the same point: timeline of remediation is everything.

Frequently Asked Questions

What is an AML audit?

An AML audit is an independent assessment of whether a firm’s anti-money laundering and counter-terrorist financing programme meets its regulatory obligations and operates effectively in practice. It tests both design and operation and produces a written report with findings and recommendations.

What are the 5 pillars of AML compliance?

The five pillars under the US BSA framework are: internal controls; a designated compliance officer; ongoing employee training; an independent audit function; and customer due diligence (added in 2018). Other jurisdictions use different framings — Canada, for example, structures its programme around five elements that include a compliance officer, written policies, risk assessment, training, and the biennial effectiveness review — but the underlying components overlap substantially. Our FINTRAC-compliant AML programme guide sets out the Canadian framework.

How often is an AML audit required?

It depends on the jurisdiction and the firm’s risk profile. Canadian reporting entities must conduct an effectiveness review at least every two years. UK firms typically run an annual independent audit. US broker-dealers are subject to annual independent testing under FINRA Rule 3310; US MSBs must scope frequency to risk under 31 CFR 1022.210. UAE-licensed firms generally face annual audit cycles. Switzerland mandates annual AML audits for DSFIs and prudentially supervised institutions.

Who can conduct an AML audit?

The auditor must be independent of the AML programme being tested. Internal staff can perform the audit if they have no operational AML responsibilities and report through a separate line — typically internal audit. External third parties are common where the firm lacks an internal audit function or where regulators expect external independence. The auditor must have demonstrable AML/CFT expertise relevant to the firm’s products, jurisdictions and risk profile.

What’s the difference between an AML audit and a financial audit?

A financial audit tests the accuracy of financial statements against accounting standards and is performed by a registered public accounting firm. An AML audit tests the effectiveness of an AML/CFT programme against the applicable regulatory framework and is performed by an AML specialist. They are not substitutes.

What’s the difference between an AML audit and an AML review?

An AML audit is comprehensive and produces a formal opinion or rating across the entire programme. An AML review is typically narrower — focused on a single domain, a thematic question or a sample-based test. Both can be useful; they answer different questions. Our comparison of AML reviews and audits covers this in depth.

How long does an AML audit take?

Fieldwork typically runs four to eight weeks for a small-to-medium firm and three to four months for a larger institution. Add scoping at the front end and reporting at the back end and the full cycle is often three to six months end-to-end. Firms that have not been audited before typically take longer the first time.

What does an AML audit cost?

Cost is a function of firm size, transaction volume, product complexity, jurisdiction count and the depth of testing required. A small single-jurisdiction MSB may sit in a four-figure range; a multi-jurisdictional EMI or VASP can sit comfortably in five or six figures. Cost should be compared against the cost of remediation following an examination, not against zero.

What happens if an AML audit identifies serious issues?

The auditor sets out findings with severity ratings and recommended remediation. Management responds with action plans, owners and target dates. The findings are reported to senior management and, where applicable, the board. Material issues may need to be reported to the regulator depending on jurisdiction-specific requirements; the firm should also consider whether banking partners and other stakeholders need to be informed.

Can the same firm that built our AML programme also audit it?

No. Independence is a foundational requirement. The firm or person that designed or operated the programme cannot also audit it. This is a point regulators have made with increasing clarity, and a defective independence position is itself an audit finding.

Closing the Loop

An AML audit is not a regulatory cost; it is the document that decides how a regulatory examination opens. Firms that treat it that way produce reports that close findings inside the audit cycle, satisfy banking partners on first request, and reduce the probability and severity of regulatory action. Firms that do not, eventually appear in someone else’s enforcement summary.

Two facts are worth holding alongside each other. First, examination intensity across FINTRAC, the FCA, FinCEN, the CBUAE, the DFSA, FINMA and the EU AML supervisor is rising — not slowing. Second, the gap between a strong AML audit and a weak one is rarely about budget; it is about the design of the engagement, the competence of the auditor, the quality of preparation, and what the firm does with the findings after the report lands.

ComplyFactor’s audit teams operate across Canada, the UK, the UAE, Switzerland, the EU and the US. If you want a scoping conversation about what a credible audit looks like for your firm, our team is here.
