AML Audit & Programme Advisory · EU-Regulated Firms

Independent AML audit
and programme advisory
for EU-regulated firms.

Two services, one purpose: identify gaps before your regulator does, and build programmes that hold up under scrutiny. Our team conducts independent AML audits and designs or rebuilds AML programmes for EMIs, payment institutions, fintechs and CASPs across the EU.

Request a Scoping Call AML Audit Programme Advisory
ACAMS-certified team leads
Fixed fee per engagement
Board-ready written output
10+ EU NCAs covered
MiCA CASP experience
Request a Free Scoping Call
Tell us your situation and we will respond within one business day with a proposal and indicative fee. No obligation.

By submitting you agree to our Privacy Policy. GDPR-compliant data handling.

4–6 wks
Typical AML audit: from kick-off to final written report
3–8 wks
Programme design: gap assessment through to full policy suite
10+
EU NCAs whose expectations we know in practice
ISO 19011
Audit methodology: structured findings and evidence
Service 01

AML Audit and Independent Review

An independent review of your AML programme's effectiveness, conducted against AMLD6 requirements, EBA guidelines and your NCA's specific supervisory expectations. The output is a structured written report: a finding-by-finding breakdown, severity rating, root cause analysis for material issues, and a prioritised remediation plan your board can act on and your NCA can inspect.

We conduct AML audits at four specific moments: pre-NCA examination health checks, as part of annual governance cycles, following regulatory changes that have altered your obligations, and where there is a specific concern about a control area, sanctions screening match rates, PEP identification coverage, or transaction monitoring alert quality.

Our auditors have operated inside the regulated entities they audit, not just reviewed them from the outside. This means findings are practical and actionable, not just technically accurate.

Commissioned by CLOs, MLROs and Heads of Compliance at EMIs, payment institutions, fintechs and CASPs. Also used by legal and risk teams preparing board submissions or investor due diligence packs where AML programme quality is a disclosure item.

Indicative fixed fee
Fixed fee
Scope and fee agreed in writing before engagement starts. No variations without written agreement. Fee depends on the size of the institution, scope of the review and number of regulatory frameworks applicable. Requested in the scoping call.
Discuss your audit
Audit output
Executive summary for board presentation
Finding-by-finding breakdown with severity rating (critical, high, medium, low)
Root cause analysis for each material finding
Prioritised remediation plan with suggested timeline
Evidence reviewed appendix (documentation basis for each finding)
Board presentation available on request
SCANLEX INDEPENDENT AML AUDIT AML/CFT Effectiveness Review Report PREPARED FOR EU-licensed Payment Institution REFERENCE SX-AML-2026-047 REPORT DATE March 2026 REGULATORY FRAMEWORK AMLD6 · EBA/GL/2021/05 · EBA/GL/2024/01 SCOPE OF REVIEW Business-wide risk assessment CDD and EDD procedures Transaction monitoring controls SAR filing and FIU liaison PEP and sanctions screening Staff training and governance Outsourcing governance Compliance officer oversight FINDINGS SUMMARY 2 CRITICAL findings 5 HIGH findings 8 MEDIUM findings 12 LOW findings CONFIDENTIAL For the exclusive use of the client named above. Not for further distribution. scanlex.eu Page 1 of 34

Sample audit report cover. All engagements produce a structured written report with severity-rated findings, root cause analysis and a prioritised remediation plan.

What the audit covers

  • AML programme effectiveness review against AMLD6 and EBA guidelines
  • Customer risk assessment framework and risk appetite alignment
  • CDD and EDD procedures: design, execution and documentation quality
  • PEP identification and screening programme effectiveness
  • Sanctions screening: lists covered, alert rates, disposition quality
  • Transaction monitoring: rule coverage, alert volumes, case quality
  • SAR process: identification quality, decision documentation, timeliness
  • Staff AML training: coverage, content quality and completion records
  • Governance: compliance officer reporting, board oversight, escalation path
  • Pre-NCA examination readiness review on request
Service 02

AML Programme Design and Advisory

Gap assessment, policy documentation and full AML programme design for regulated entities building their programme from scratch, inheriting a stale or undocumented framework, or expanding into a new jurisdiction or regulatory regime such as MiCA. This is the structured work that turns a compliance obligation into an operable, documented programme a regulator can inspect.

We start from your current state, however incomplete, and produce a documented, defensible AML programme. That means a BWRA populated for your actual customer base, a policy suite that reflects your specific products and risk appetite, and a governance framework with clear escalation paths and accountability. Not generic templates downloaded from the EBA website.

Engagements are scoped in writing before work starts. Deliverables are agreed upfront. The implementation roadmap assigns owners and timelines so there is a clear path from the documentation to a live, functioning programme. Where we identify critical gaps during the assessment phase, we flag them immediately rather than waiting for the final report.

Indicative fixed fee
Fixed fee
Scope and fee agreed in writing before engagement starts. Smaller scope (gap assessment only, or single-policy documentation) is priced accordingly. Full programme build for a complex entity or MiCA CASP is scoped separately. Full transparency in the written proposal.
Discuss your programme

Typically commissioned at three moments: before a licence application where the NCA needs to see a complete AML programme, after acquiring or inheriting an entity with a deficient or undocumented framework, and by CASPs preparing for MiCA pre-registration review. Also used by firms that have received an NCA finding requiring remediation of the overall programme rather than a single control.

What programme advisory covers:

  • AML gap assessment against current AMLD6 requirements and EBA guidelines
  • Business-wide risk assessment (BWRA) design and documentation
  • AML policy suite: CDD, EDD, PEP, sanctions, TM, SAR, training
  • Customer risk scoring framework and risk appetite definition
  • Transaction monitoring rule design and typology documentation
  • MiCA AML substance: AMLCO appointment, CASP-specific policies, Travel Rule
  • AML governance framework: compliance officer reporting, escalation paths, committee structure
  • Pre-licence AML programme build for EMI or PI licence applications
  • Remediation roadmap where a gap assessment identifies critical findings
Programme advisory output
Written gap assessment report with priority ranking
Full AML policy documentation suite (editable, ready for the compliance officer to operate)
BWRA template populated for your customer base and products
Implementation roadmap with owner assignment and timeline
30-day follow-up review available to confirm remediation progress
Who Needs This

The situations where
an audit or programme review is overdue

EMIs scaling rapidly

High growth strains AML frameworks built for smaller volumes. A current-state audit identifies where the programme has not kept pace with the business and what needs to change before the NCA notices it first.

CASPs preparing for MiCA registration

MiCA requires demonstrable AML substance. An audit against MiCA Title VI and EBA CASP guidelines shows where the gap is. A programme build closes it in a form the NCA can inspect.

Payment institutions facing NCA examination

An upcoming examination is the most common trigger. A pre-examination health check identifies and allows remediation of findings before examiners arrive, not after they write them up.

Firms with inherited or stale AML programmes

Many fintechs inherit AML frameworks from previous management or original founders. Where the programme has not been reviewed against current AMLD6 requirements, it is likely materially deficient.

New licence applicants

The NCA wants to see a documented, coherent AML programme before granting a licence. We build that programme in a form that satisfies the NCA's pre-authorisation review requirements.

Firms following a SAR or regulatory incident

After a significant compliance event, an independent audit of the programme that produced it, and a redesign of the controls that failed, is both prudent and often required by the NCA as a condition of continued authorisation.

NCA Experience

Our audit findings align
to what your NCA
actually expects.

AML audit findings and programme design must reflect what specific NCAs look for in examination, not just what the EBA guidelines say. The DNB in the Netherlands has different examination priorities from the Bank of Lithuania or the Central Bank of Ireland. Our experience across 10+ NCAs means our findings are calibrated to your regulator.

Audit and programme experience across DNB (Netherlands) MFSA (Malta) Bank of Lithuania CySEC (Cyprus) Central Bank of Ireland Finantsinspektsioon (EE) KNF (Poland) FCMC · FCA · BaFin · AMF · and more
Engagement Process

How a typical engagement
runs from start to output.

All engagements are fixed-scope and fixed-fee. We scope and agree before we start. The scope does not expand mid-engagement without a written variation.

01
Scoping call

We understand your regulatory framework, NCA, current programme state and what is driving the engagement. Within two business days we provide a written proposal: fixed scope, fixed fee, clear deliverables. No engagement begins without a signed proposal.

02
Document review and kick-off

We review your AML policies, risk assessments, training records, anonymised case samples, governance documentation and any prior NCA correspondence. Secure document sharing is arranged at kick-off. Where documents are missing or incomplete, that is itself a finding, we do not ask you to prepare materials that should already exist.

03
Assessment and fieldwork

For an audit: we test controls against documented standards, regulatory requirements and NCA supervisory guidance, not just EBA guidelines in the abstract. For programme design: we map current state against AMLD6 and EBA requirements, identify gaps by severity, and draft the programme structure before the final report is produced.

04
Written report and handover

The report is issued in draft for factual accuracy review, then delivered as final. All findings are evidence-referenced. For programme design engagements, the full policy suite and implementation roadmap are delivered alongside the gap assessment report. Board presentation available. Remediation follow-up advisory is available separately.

FAQ

Questions about
AML audit and
programme advisory

Can't find your answer? Contact us directly. We respond within one business day.

What does the AML audit report look like?+
The report contains an executive summary suitable for board presentation, a finding-by-finding breakdown with severity ratings (critical, high, medium, low), root cause analysis for material findings, a prioritised remediation plan with suggested timelines, and an appendix of evidence reviewed. The format is designed both for internal use and for presentation to the NCA if required. We issue a draft for factual accuracy review before finalising.
Can you present findings to our board?+
Yes. Board presentation is available as part of the engagement scope or as an additional deliverable. We prepare an executive summary specifically designed for board consumption and can attend the board or audit committee meeting to present findings and answer questions. This is particularly relevant for audit engagements where the board needs to demonstrate awareness of AML programme effectiveness to the NCA.
How long does an AML audit take?+
A standard AML effectiveness audit takes 3 to 6 weeks from kick-off to final report, depending on the size and complexity of the institution. Pre-NCA examination health checks can be compressed to 2 to 3 weeks where there is an examination deadline. Timeline is agreed at scoping and written into the engagement proposal.
How long does an AML programme build take?+
A gap assessment alone takes 2 to 3 weeks. A full programme design including all policy documentation takes 4 to 8 weeks, depending on the number of products, customer segments and jurisdictions covered. A MiCA CASP programme build is typically at the longer end of this range due to the crypto-specific requirements around travel rule, on-chain monitoring and AMLCO appointment documentation.
What if our AML programme is already documented?+
A gap assessment against current AMLD6 requirements is still valuable even with an existing programme. Many documented programmes were written at licence application stage and have not been updated to reflect AMLD6 changes, EBA guideline updates or the evolution of the firm's customer base and risk profile. We start with what you have and assess what is current versus what needs updating, which is usually faster and cheaper than a full build.
Do you cover MiCA-specific AML requirements?+
Yes. We conduct AML programme reviews and builds specifically against MiCA Title VI and EBA CASP guidelines. This includes the AMLCO appointment requirement, crypto-specific CDD (wallet screening, blockchain analytics integration, DeFi exposure assessment), Travel Rule implementation, and on-chain transaction monitoring. For CASPs preparing for MiCA registration, see our MiCA / CASP AML page for the full service scope.
Can you help with NCA examination preparation?+
Yes. Pre-NCA examination readiness is one of the most common reasons clients engage us for an audit. We conduct the health check, identify critical findings, prioritise remediation by examination timeline, and brief your MLRO and compliance team on examination conduct. We have supported companies through NCA examinations across Estonia, Lithuania, Latvia, Poland, Malta and the Netherlands.
Can an audit identify capacity gaps the KYC/ODD team can address?+
Yes, and this is a common outcome. An AML audit frequently surfaces operational gaps: backlog in periodic reviews, insufficient EDD case quality, inadequate adverse media screening. Where the audit identifies that the problem is analytical capacity rather than programme design, we can recommend and provide an outsourced KYC/ODD team to close the gap. See our KYC / ODD Outsourcing page.
Get in Touch

Tell us what you need.
We will respond within
one business day.

A senior advisor will assess your situation and come back with an honest view of scope, fee and timeline. No obligation, no generic proposals.

Fixed fee agreed in writing before engagement starts
ACAMS-certified team leads on every engagement
Board-ready written output as standard
10+ EU NCAs: we know what your regulator looks for
MiCA CASP AML programme experience
Board presentation available on request

We respond within one business day · Data handled under GDPR · Never shared with third parties

Other Services

Other ways our team
can help you

KYC / ODD

KYC / ODD Team Outsourcing

EU-based KYC and ODD analyst teams. Operational in two weeks. Fixed monthly rate. Addresses capacity gaps that an AML audit often surfaces.

View service →
Compliance Officer

Compliance Officer Outsourcing

Interim, fractional and licence-stage compliance officer provision. Gap cover after departure, licence applications, Deputy compliance officer resilience.

View service →
Crypto / MiCA

MiCA / CASP AML Compliance

AML programme build and KYC teams for crypto CASPs under MiCA. Travel Rule implementation, AMLCO support and NCA pre-registration preparation.

View service →
AI Compliance

AI Compliance for Regulated Firms

Risk classification, conformity assessment and cross-regulatory advisory for regulated institutions using AI in credit, insurance or HR decisions.

View service →