AML Compliance Audits: What to Expect


It is a regulatory requirement for most businesses operating in the regulated sector to carry out an ‘Independent Audit of Anti-Money Laundering (AML) Policies, Controls and Procedures’ to comply with Regulation 21 of the Money Laundering Regulations 2017.

An independent audit examines and evaluates a business’s AML procedures, including making suggestions for any changes that might be required.

It is recommended that a business operating in the regulated sector performs such a review every two years, although large corporations may consider an annual review more appropriate.

AML audits can be stressful if firms are not adequately prepared.

Moreover, firms can often struggle to satisfy the ‘independence’ requirement of Regulation 21. This states that an audit should not be carried out by a company’s Money Laundering Reporting Officer (MLRO), Money Laundering Compliance Officer (MLCO), or anyone else responsible for maintaining the AML function within the company.

In this blog, we give an overview of the audit process and provide our top tips on preparing for an independent AML audit review.

What does an AML Audit Involve?

The Regulations do not stipulate exactly what is required of an AML audit. Regulation 21 of the Money Laundering Regulations states:

“Where appropriate with regard to the size and nature of its business, a relevant person must:

Establish an independent audit function with the responsibility:

  • To examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations.
  • To make recommendations in relation to those policies, controls, and procedures.
  • To monitor the relevant person’s compliance with those recommendations.”

The lack of detail in these instructions makes it vital that businesses engage the services of an experienced independent AML auditor who can proactively interpret the requirements and undertake a thorough investigation.

At AML & Compliance, we work with businesses of all sizes across all regulated sectors and have a comprehensive understanding of what is required of firms to ensure compliance.

For more information about our Anti-Money Laundering Compliance Service, call us on 0203 985 8553 or email

During an AML Audit under Regulation 21, firms can expect the following:

  1. Initial meeting.

This is when the auditor will meet with members of the organisation to scope out and agree on the approach and focus of the review.

  2. Review of documentation.

The independent AML auditor will analyse several key documents, including:

  • The firm-wide risk assessment.
  • The company’s AML policies, procedures and controls.
  • AML training records and what the training consists of.
  • Standard file risk assessments.
  • AML registers, such as reports to the MLRO.
  • Review of High Risk and Suspicious Activity Registers.

The auditor will need to see the process a company has in place for all customers, including any high-risk Politically Exposed Persons (PEPs), and may ask to see any Suspicious Activity Reports that have been submitted.

4.  Interviews with staff.

A good independent AML auditor will delve into the practical application of AML policies and controls by conducting interviews with various employees to establish firm-wide understanding and knowledge. These can include:

  • Interviews with directors, partners, and other senior staff members.
  • Interviews with file handlers.
  • Interviews with junior and support staff.

5. Report.

Following their investigation, the AML auditor will produce a formal report detailing the information obtained in the review. This will include the current approach adopted by the business and identify any gaps with a series of recommendations and solutions, along with a statement of compliance.

For more information about what a Regulation 21 Independent Audit under the Anti-Money Laundering Regulations involves, click here.

Five Top Tips for an AML Audit

  • Instruct an experienced auditor.

Engaging an AML auditor who understands your business and the sector, and who is aware of the associated AML risks, will ensure an audit is completed thoroughly and to a high standard.

  • Be prepared.

Knowing what to expect before an audit, gathering the relevant information and informing the necessary people within your organisation will ensure it runs smoothly.

  • Have your client information ready.

Make sure you use a simple naming convention for your files so you can locate everything quickly. An auditor will likely ask to review files from a cross-section of clients, including some high-risk customers, so it is worth compiling a report covering all your customers in advance.

  • Do some spot checks.

Giving some thought to what the auditor will be looking for and wanting to see can help you plug any gaps ahead of their visit.

  • Expect feedback.

You don’t want a non-compliant report, but some recommendations and suggestions from your auditor about how you can strengthen controls will help you remain compliant and keep you, your customers, and your business safe.

Independent AML Auditors

At AML & Compliance, we work with a range of regulated businesses across all regulators to ensure the business has appropriate policies, controls and procedures (PCPs) in place and maintains them.

We focus our activity on ensuring businesses have an approach which is compliant, which enables a business to respond quickly to any issues that arise, allowing for issues to be addressed before they become reportable to a regulator. In the event of a serious compliance issue that is reportable, we will ensure the business is ready for any reports that need to be made and any regulatory enquiry or investigation.

All regulated businesses must be both compliant with the requirements of their regulator and adopt best practice. At AML & Compliance, we ensure all policies are bespoke and reflect how a business manages compliance. It is imperative the policies match how a business operates and are not ‘off the shelf’ generic documents which are not reflective of the business.

We work with businesses to understand them and to document the processes being adopted, train the staff, maintain procedures and monitor their effectiveness through ongoing guidance and advice and maintenance of breach registers.

The types of business we work with for regulation purposes are:

  • Banks and Lenders.
  • Financial and credit businesses.
  • Accountants, tax advisers, auditors and insolvency practitioners.
  • Insurers and Brokers.
  • Trust and company service providers.
  • Estate Agents and Letting Agencies.
  • Casinos.
  • High-value dealers.
  • Art market participants.
  • Solicitors – independent legal professionals.

The regulators that operate in the fields of business we work with are:

  • The Financial Conduct Authority (FCA), including The Financial Ombudsman Service.
  • The Solicitors Regulation Authority (SRA), including The Legal Ombudsman.
  • HMRC.
  • The Gambling Commission.
  • The Financial Reporting Council (FRC).

To learn more about our services and find out how AML & Compliance can work with your business, call us on 0203 985 8553, email us at, or complete an enquiry form.