Part 4 — the close — of our "CASP Compliance Toolkit" series. Everything earlier in this toolkit — the BWRA, the SARs, the risk scoring — eventually gets tested by an independent auditor whose entire job is to find where the programme is theatre rather than control. Here is what they look for.
An independent AML audit is a requirement, not a favour: most regimes expect a periodic review of the AML programme by someone outside the first and second lines. The audit is where a programme that looks complete on paper either holds up or falls apart, because the auditor's method is not to read the policies but to test whether they are actually operating. Knowing what they test is how you prepare for it — or better, how you build so there is nothing to fear.
What the Audit Tests
- Is the BWRA real and current? — does it reflect the actual business, is it evidenced, and has it been updated as the business changed
- Do the controls trace to the risks? — are EDD triggers, monitoring thresholds, and risk scoring calibrated to the BWRA, or set arbitrarily
- Does screening actually fire at every touchpoint? — onboarding, deposits, withdrawals, continuous re-screening — tested with real records, not described
- Is monitoring calibrated? — what's the false-positive rate, are thresholds back-tested, is the alert queue worked or rubber-stamped
- Are alerts and SARs handled properly? — documented rationale on every disposition, MLRO sign-off, timely filing, tipping-off discipline
- Is the audit trail retrievable? — can you produce, for a named customer or transaction, the full screening and decision history within the retention window
The Method: Walk-Throughs
Auditors don't grade policies; they trace cases. A typical test takes a specific alert and walks it from generation to resolution: what fired it, how it was enriched, who reviewed it, what they decided and why, whether a SAR followed, and whether every step is documented and timestamped. They take a specific customer and ask to see the complete screening and risk-scoring history. They take a designated entity and check whether your screening would have caught a customer's exposure to it. The programme passes or fails on whether these walk-throughs produce a clean, evidenced trail — not on the quality of the policy binder.
Auditors test the trail, so build the trail
The single best preparation for an AML audit is that every control already produces a retrievable, evidenced record as a by-product of operating — screening results with list versions and timestamps, alert dispositions with rationale, SARs tied back to their triggers, scoring decisions with their factor weights. A programme where the evidence has to be reconstructed for the audit will fail walk-throughs even if the underlying controls are sound. The on-chain layer helps here: screening and tracing decisions are inherently logged and reproducible, which is exactly the evidence the auditor wants to pull.
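The walk-through described above, written as an added example (not BA's code or any auditor's tooling): it traces one alert through a trail of records and returns every gap an auditor would flag. The stage names, field names and the sample records are assumptions constructed for this illustration.

```python
from datetime import datetime

# Constructed sample trail. Stage and field names are assumptions for this example.
TRAIL = [
    {"alert": "A-1", "stage": "generated", "ts": "2024-03-01T09:00:00",
     "rule": "screening_hit", "list_version": "2024-02-28"},
    {"alert": "A-1", "stage": "enriched", "ts": "2024-03-01T09:05:00", "source": "fund_flow_trace"},
    {"alert": "A-1", "stage": "reviewed", "ts": "2024-03-01T11:00:00", "actor": "analyst_7"},
    {"alert": "A-1", "stage": "disposition", "ts": "2024-03-01T11:30:00", "actor": "analyst_7",
     "decision": "escalate", "rationale": "direct exposure to a designated entity"},
    {"alert": "A-1", "stage": "sar_filed", "ts": "2024-03-03T10:00:00", "actor": "mlro",
     "trigger_alert": "A-1"},
    {"alert": "A-2", "stage": "generated", "ts": "2024-03-02T08:00:00", "rule": "screening_hit"},
    {"alert": "A-2", "stage": "disposition", "ts": "2024-03-02T07:59:00", "actor": "analyst_3",
     "decision": "close", "rationale": ""},
]
# Stage -> fields that must be non-empty for the step to count as evidenced.
REQUIRED = {"generated": ("rule",), "enriched": ("source",), "reviewed": ("actor",),
            "disposition": ("actor", "decision", "rationale")}

def walk_through(alert_id, trail):
    """Trace one alert from generation to resolution; return the list of gaps."""
    events = [e for e in trail if e["alert"] == alert_id]
    by_stage = {e["stage"]: e for e in events}
    gaps = []
    for stage, fields in REQUIRED.items():
        ev = by_stage.get(stage)
        if ev is None:
            gaps.append(f"missing stage: {stage}")
            continue
        gaps += [f"{stage}: no {f}" for f in fields if not ev.get(f)]
    gen = by_stage.get("generated", {})
    if gen.get("rule") == "screening_hit" and not gen.get("list_version"):
        gaps.append("generated: screening hit without list version")
    prev = None
    for e in events:  # every step timestamped, in the order it was recorded
        try:
            ts = datetime.fromisoformat(e.get("ts") or "")
        except ValueError:
            gaps.append(f"{e['stage']}: bad or missing timestamp")
            continue
        if prev and ts < prev:
            gaps.append(f"{e['stage']}: timestamp precedes prior step")
        prev = ts
    if by_stage.get("disposition", {}).get("decision") == "escalate":
        sar = by_stage.get("sar_filed")
        if sar is None or sar.get("trigger_alert") != alert_id:
            gaps.append("escalated without a SAR tied to this alert")
    return gaps
```

Alert A-1 returns an empty list (a clean trail); A-2 returns five gaps, including a disposition timestamped before the alert was generated.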
Findings and Remediation
An audit ends in findings rated by severity and a remediation plan with owners and deadlines. What an examiner later cares about is not that you had findings — everyone does — but that you closed them on time and didn't let the same finding recur. An unremediated finding from a prior audit is among the worst things a regulator can discover, because it shows the firm knew about a gap and lived with it.
How BA helps. The on-chain controls an AML audit tests — screening at every touchpoint, exposure scoring, the fund-flow evidence behind alerts and SARs — run on BA's platform with the audit trail produced automatically: list versions, timestamps, decisions, and reproducible traces across 80+ chains. When the auditor asks to walk a case, the evidence is already there. For the programme being audited, see Governance, Risk & Internal Controls.
This closes our "CASP Compliance Toolkit" series — BWRA, SAR filing, customer risk scoring, and independent audit: the four documents and processes that turn an AML policy into a programme that survives inspection.