National competent authority (NCA) examinations of AML programmes at EU-regulated financial institutions have become more structured, more technically detailed, and more consequential in recent years. The era of cursory reviews that could be addressed with a policy update after the fact is over. DNB, MFSA, CySEC, the Central Bank of Ireland, and the Bank of Lithuania all conduct targeted examinations that go into specific case-level evidence, not just policy documents.
This article covers the ten areas regulators test most rigorously, the most common findings across EU NCAs, and the practical steps to prepare an AML function that holds up to scrutiny before an examination takes place.
The single most important thing to understand about NCA examinations: finding a problem before the NCA does is almost always better than having the NCA find it first. A self-identified gap addressed with documented remediation is received very differently from a gap the examiner discovers and documents as a finding. Pre-examination health checks exist for this reason.
The business-wide risk assessment (BWRA) must reflect the current business: current customer segments, current product mix, current geographic exposure. A BWRA written at licensing that has not been updated as the business scaled is among the most common critical findings across EU NCAs. Examiners check the date, the coverage, and whether the risk ratings are calibrated to the actual customer base or appear generic.
Examiners pull case files and review CDD documentation at the individual customer level. They look for: completeness of identification and verification, timeliness of review, evidence that the analyst assessed source of funds and wealth, and documentation of the decision. A case file with documents but no documented reasoning is treated as a failure of the CDD process, not just a documentation gap.
PEP misidentification is a persistent finding. Examiners test whether the PEP screening process catches: domestic PEPs (often missed), family members and close associates, politically exposed persons in non-obvious jurisdictions, and recently appointed PEPs. Sanctions screening list coverage and alert false positive rates are also reviewed in detail.
Examiners review not just the number of SARs filed but the quality of the decision documentation. An underfiled SAR (where a suspicious pattern existed but was not escalated or was closed without a filing) is more serious than a late filing. The decision trail must show that an analyst reviewed the case, a senior reviewed the decision, and the outcome was documented with reasoning.
TM rules must cover the risk typologies in the BWRA. A mismatch between documented risks and TM rule coverage is a finding. Examiners also review alert volumes (too low suggests inadequate coverage; too high suggests poor calibration), alert disposition quality, and evidence of rule tuning over time.
The compliance officer must report to the board independently of the commercial function. Examiners test this by reviewing board minutes for evidence of AML reporting, the content of AML reports to the board, and whether the compliance officer has meaningful access to the board. A compliance officer who reports through the CEO or whose board reports contain no material findings is a red flag regardless of what the governance documents say.
Training records must show that all staff with AML responsibilities have completed relevant training within the required period. Examiners increasingly test content quality, not just completion records. Generic e-learning that staff cannot demonstrate they absorbed is treated more critically than before. Role-specific training (different for KYC analysts, relationship managers, and senior management) is expected at regulated entities of any significant size.
Examiners select high-risk customers from the risk scoring system and review EDD documentation against the firm's own EDD policy. Gaps between the documented EDD standard and what is actually in the file are findings regardless of what the policy says. EDD cases that were risk-rated high but treated with standard CDD procedures are often among the most serious examination findings.
For firms using outsourced KYC, ODD or compliance officer functions, examiners review the outsourcing agreement, DPA, oversight records, and quality assurance documentation. An outsourcing arrangement without documented oversight is treated as though no oversight exists. Weekly or monthly QA reports from the outsourced team to the compliance officer are the standard evidence set.
If the firm has received previous findings from an NCA or an internal/external audit, examiners check whether those findings were remediated. Unaddressed prior findings, or findings that were nominally addressed but where the underlying control gap persists, are among the most serious outcomes from any examination. A prior finding that has been repeated is treated as deliberate non-compliance.
A pre-examination health check is not a compliance review for its own sake. It is a structured exercise to identify and remediate the gaps the NCA will find before they arrive. The most useful approach is to replicate the NCA's examination methodology as closely as possible.
Review all AML policies against current AMLD6 requirements and EBA guidelines. Identify gaps, stale content, and policies that do not reflect current operations. Pay particular attention to BWRA currency and TM rule coverage.
Pull a representative sample of customer files across risk tiers. Review documentation quality against the firm's own CDD and EDD standards. This is where most material findings surface.
The compliance officer should be able to speak to every section of the AML programme, the rationale for risk ratings, and the firm's SAR filing history. Run preparation sessions against likely examination questions.
Review the last four quarters of AML board reports. Assess content quality, completeness, and whether findings and key risk indicators are reported with appropriate context and action plans.
The window to remediate material findings before an examination is typically 4 to 10 weeks, depending on the nature of the gap. A BWRA update takes 2 to 3 weeks. Addressing a systematic CDD documentation gap requires process changes plus a catch-up review of the worst-affected accounts. The earlier a health check is commissioned relative to an examination date, the more remediation is possible.
DNB (Netherlands) places particular emphasis on the quality of EDD documentation and the independence of the compliance officer. Their examinations frequently include direct questioning of the compliance officer by the examination team. Programme documentation quality and BWRA specificity are examined in detail.
MFSA (Malta) focuses heavily on SAR quality and timeliness, and on the BWRA's coverage of the specific customer base and products of the licensed entity. Generic documentation is identified quickly.
CySEC (Cyprus) has increased its examination depth significantly in recent years. TM rule coverage and alert disposition quality are primary examination areas. EDD documentation on high-risk accounts is reviewed at case level.
Central Bank of Ireland emphasises board governance and compliance officer independence. Their examination approach includes review of board minutes and questioning of the compliance officer's role and authority within the firm.
Bank of Lithuania conducts structured pre-examination document requests that signal the examination focus areas. Prompt, complete responses to these requests are themselves assessed as evidence of programme quality.
Scanlex conducts independent pre-NCA examination health checks for EMIs, payment institutions, fintechs and CASPs across the EU. Written findings with severity ratings and a prioritised remediation plan. Fixed fee agreed before engagement starts. Typically 4 to 6 weeks from kick-off to final report.
For firms that need to address a KYC backlog or strengthen their KYC/ODD function ahead of an examination, see KYC / ODD Team Outsourcing. For firms that need compliance officer support during or after an examination, see Compliance Officer Support.