AML Compliance Audits and FATF Standards
Financial institutions and designated non-financial businesses must maintain anti-money-laundering programmes that meet national regulatory requirements aligned to Financial Action Task Force Recommendations. This topic explains how forensic auditors assess AML programme adequacy, test transaction monitoring systems, evaluate customer due diligence processes, and report findings to boards and regulators.
An AML compliance audit is a structured examination of a financial institution's anti-money-laundering programme to determine whether it is designed adequately, operating effectively, and aligned to the Financial Action Task Force Recommendations that form the backbone of domestic AML law in most countries. The Financial Action Task Force, an intergovernmental body established in 1989, has issued 40 Recommendations covering customer due diligence, record-keeping, suspicious transaction reporting, internal controls, and cross-border cooperation. National regulators in the United States (Bank Secrecy Act and FinCEN rules), the United Kingdom (Money Laundering Regulations 2017), the European Union (successive Anti-Money Laundering Directives, now on the sixth iteration), India (Prevention of Money Laundering Act 2002 and RBI Master Directions), and elsewhere have transposed these standards into binding law. A forensic auditor assessing AML compliance must understand both the FATF standard and its domestic implementation.
AML audits differ from standard internal audits in their evidentiary purpose. A routine internal audit of the AML function checks design and operating effectiveness of controls. A forensic AML audit, typically triggered by regulatory concern, a suspicious activity report pattern, or litigation, is oriented toward producing findings that can withstand scrutiny in regulatory proceedings or court. The forensic auditor collects, preserves, and documents evidence, applies professional skepticism to management representations, and reaches conclusions about whether specific failures occurred and who was responsible. The output is not just a list of control gaps but a documented narrative of events supported by primary evidence.
Designated non-financial businesses and professions (DNFBPs), which FATF defines to include lawyers, accountants, real estate agents, casinos, and dealers in precious metals, are subject to AML obligations in most FATF-member countries alongside banks. The scope of an AML audit therefore extends well beyond the traditional banking context. A forensic auditor engaged by a law firm, a real estate developer, or a virtual asset service provider is applying the same FATF framework to a different operational environment. The Recommendations, particularly Recommendation 22 on DNFBPs, specify the baseline obligations.
By the end of this topic you will be able to:
- Explain the structure of the FATF 40 Recommendations and identify which Recommendations are most directly relevant to a forensic AML audit.
- Describe the components of an AML programme and assess each against the adequacy criteria used by financial supervisors.
- Apply a structured methodology to test a transaction monitoring system, including threshold calibration, retrospective alert testing, and case-closure review.
- Evaluate customer due diligence processes across standard, simplified, and enhanced tiers and identify common gaps that forensic auditors encounter.
- Identify the reporting obligations that apply when an AML audit uncovers evidence of actual money laundering or material control failure, across multiple jurisdictions.
Key terms:
- **FATF Recommendations**: The 40 international standards issued by the Financial Action Task Force that set out the measures countries should implement to prevent money laundering, terrorist financing, and proliferation financing. First issued in 1990, substantially revised in 2012, and updated periodically. The primary benchmark for AML compliance assessments worldwide.
- **Customer due diligence (CDD)**: The process of identifying and verifying the identity of a customer and their beneficial owner, understanding the purpose of the business relationship, and conducting ongoing monitoring. Governed by FATF Recommendation 10. Applies at three intensity levels: simplified, standard, and enhanced.
- **Transaction monitoring system (TMS)**: An automated system that screens transaction data against a library of typologies and thresholds to generate alerts for potential money laundering. A key component of an AML programme. The system must be calibrated to the institution's risk profile, and every alert must be reviewed and documented by a qualified analyst.
- **Suspicious activity report (SAR)**: A disclosure filed with the financial intelligence unit when a reporting entity knows, suspects, or has reasonable grounds to suspect that a transaction or account is related to money laundering or terrorist financing. Called a Suspicious Transaction Report (STR) in some jurisdictions. In India, reported to the Financial Intelligence Unit-India (FIU-IND).
- **Beneficial ownership**: The natural person(s) who ultimately own or control a legal entity or arrangement, or on whose behalf a transaction is conducted. FATF Recommendation 10 requires financial institutions to identify and verify beneficial ownership. Shell company structures that obscure beneficial ownership are a primary money laundering typology.
- **Mutual Evaluation Report (MER)**: An assessment of a country's compliance with the FATF Recommendations, conducted by FATF-style regional bodies or by FATF itself. Published publicly. Identifies technical compliance gaps and effectiveness shortcomings. Forensic auditors use MERs to calibrate the level of country risk they assign to cross-border relationships.
The FATF framework and its domestic implementation
The FATF 40 Recommendations are organised into six thematic groups: AML/CFT policies and coordination, money laundering and confiscation, terrorist financing and proliferation, preventive measures, transparency and beneficial ownership, and powers and responsibilities of competent authorities. For forensic auditors, the preventive measures group (Recommendations 9 to 23) is the most operationally relevant because it defines what a financial institution or DNFBP must do: apply CDD, maintain records, report suspicious transactions, maintain internal controls, and screen for politically exposed persons.
The Recommendations are not directly binding on institutions. They bind governments, which then enact domestic legislation. The forensic auditor therefore works with the domestic statute and regulations, checking their content against the FATF standard where there is any ambiguity about what the domestic rule requires. In the United States, the primary domestic instruments are the Bank Secrecy Act, the USA PATRIOT Act, and FinCEN regulations. In the United Kingdom, the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are the key instruments. In India, the Prevention of Money Laundering Act 2002 and the rules made under it, together with RBI Master Directions on Know Your Customer, implement the FATF framework for banks.
| Jurisdiction | Primary statute | Regulator / FIU | SAR equivalent |
|---|---|---|---|
| United States | Bank Secrecy Act / USA PATRIOT Act | FinCEN | Suspicious Activity Report (SAR) |
| United Kingdom | Proceeds of Crime Act 2002 / MLR 2017 | FCA / NCA | Suspicious Activity Report (SAR) |
| European Union | 6th Anti-Money Laundering Directive (AMLD6) | National FIUs / EBA | Suspicious Transaction Report (STR) |
| India | Prevention of Money Laundering Act 2002 / RBI Master Directions | FIU-IND / RBI | Suspicious Transaction Report (STR) |
| Australia | Anti-Money Laundering and Counter-Terrorism Financing Act 2006 | AUSTRAC | Suspicious Matter Report (SMR) |
FATF conducts mutual evaluations of member countries to assess both technical compliance (whether the law is in place) and effectiveness (whether the law is actually producing results). Published Mutual Evaluation Reports are publicly available and are used by forensic auditors to calibrate country risk. A country placed on the FATF grey list (enhanced monitoring) or blacklist (call to action) is treated as high-risk by most financial institutions, which in turn affects the enhanced due diligence obligations that apply to business conducted with counterparties from that jurisdiction.
Assessing AML programme adequacy
An AML programme has four structural components that financial supervisors assess: governance and board oversight, policies and procedures, transaction monitoring and controls, and training. A forensic audit of AML programme adequacy works through each component systematically, gathering evidence at each stage.
Governance is assessed by examining board minutes, committee charters, and the reporting lines of the compliance function. A programme where the Chief Compliance Officer does not have direct access to the board, or where AML reports are filtered through business-line management, fails the governance test. The forensic auditor looks for evidence that the board received meaningful information about AML risks and acted on it, not just formal sign-off on a policy document. In many enforcement cases in the US and UK, the evidence of board-level failure has been the decisive factor in regulatory censure.
Policies and procedures are tested for completeness and currency. An AML policy that does not address virtual assets, for example, fails to reflect the current risk environment and Recommendation 15 on new technologies and virtual assets. Procedures must be specific enough to guide analyst behaviour: a procedure that says 'conduct enhanced due diligence on high-risk customers' without defining what enhanced due diligence consists of or who classifies a customer as high-risk is not an effective control.
Training adequacy is assessed by reviewing training curricula, completion records, and testing or certification outcomes. Training that does not cover the institution's specific risk profile, that has not been updated following regulatory changes, or that shows low completion rates among front-line staff is a control gap. Some regulators, including the FCA in the UK and RBI in India, expect documented evidence that training has actually modified staff behaviour, not just that staff sat through it.
Testing transaction monitoring systems
Transaction monitoring is the operational core of an AML programme. Most institutions use automated systems that apply rules or machine-learning models to transaction data and generate alerts when patterns match defined typologies. Forensic auditors test these systems across three dimensions: rule calibration, alert generation, and case management.
Rule calibration testing begins with the system's scenario library. The auditor maps each scenario against the institution's documented risk assessment: does the institution process the types of transactions the scenario is designed to detect? Are the thresholds set at a level that reflects the institution's actual transaction profile, or were they inherited from a vendor default without adjustment? A threshold set too high misses suspicious transactions; a threshold set too low generates so many alerts that analysts become desensitised and productive review becomes impossible. Both failure modes have appeared in major enforcement actions.
Retrospective alert testing involves constructing a sample of transactions that are known, from subsequent criminal proceedings or regulatory findings, to have been suspicious, and running them through the institution's current rule set to determine whether the system would have generated an alert. This is a demanding but powerful technique because it produces direct evidence of whether the system would have caught real misconduct. The US Department of Justice and FinCEN have both used versions of this technique in enforcement investigations.
Case management review tests the quality of analyst decisions on generated alerts. The auditor samples closed alerts and reviews whether the analyst documented the information sources reviewed, the rationale for the disposition, and whether a suspicious activity report was filed or a decision not to file was recorded and approved at the correct level. Decisions to close an alert without a SAR are as important to document as the decision to file. A programme where analyst decisions are undocumented or where dispositions are inconsistent on similar fact patterns has a systemic case-management failure.
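The calibration and retrospective alert tests described above, as an added example that is not code from the original page or from any vendor's monitoring system. It assumes a single constructed scenario (aggregate deposits per customer over a rolling window) and a constructed retrospective sample in which customers C1 and C4 are the ones later found to be suspicious; it runs that sample through the scenario at three thresholds to show the "too high" and "too low" failure modes side by side.

```python
"""Retrospective alert test for a rules-based transaction monitoring scenario.

Added example; the scenario, thresholds, customers and transactions are all
constructed for illustration and do not come from any real institution.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (customer_id, posting_date, amount).
TRANSACTIONS = [
    ("C1", date(2024, 1, 2), 9_500.0),
    ("C1", date(2024, 1, 3), 9_400.0),
    ("C1", date(2024, 1, 4), 9_600.0),
    ("C2", date(2024, 1, 2), 6_000.0),
    ("C3", date(2024, 1, 2), 2_000.0),
    ("C3", date(2024, 1, 5), 1_500.0),
    ("C4", date(2024, 1, 5), 4_000.0),
    ("C4", date(2024, 1, 6), 4_500.0),
    ("C4", date(2024, 1, 7), 4_200.0),
]
# Constructed: customers known from later proceedings to have been suspicious.
KNOWN_SUSPICIOUS = {"C1", "C4"}


def aggregate_cash_alerts(txns, threshold, window_days):
    """Scenario rule: alert a customer whose deposits within any rolling
    window of `window_days` days total at least `threshold`.
    Returns the set of customer ids that would have generated an alert."""
    by_customer = defaultdict(list)
    for cid, posted, amount in txns:
        by_customer[cid].append((posted, amount))
    alerted = set()
    for cid, rows in by_customer.items():
        rows.sort()  # chronological order so each row can start a window
        for i, (start, _) in enumerate(rows):
            total = sum(amt for d, amt in rows[i:]
                        if d - start < timedelta(days=window_days))
            if total >= threshold:
                alerted.add(cid)
                break
    return alerted


def retrospective_test(txns, known, threshold, window_days):
    """Run the known-suspicious sample through the current rule and report
    what was detected, what was missed (threshold too high) and what
    non-sample customers would also have alerted (threshold too low)."""
    alerted = aggregate_cash_alerts(txns, threshold, window_days)
    detected = alerted & known
    return {
        "threshold": threshold,
        "detected": sorted(detected),
        "missed": sorted(known - alerted),
        "false_positives": sorted(alerted - known),
        "detection_rate": len(detected) / len(known),
    }


if __name__ == "__main__":
    # Vendor-default-style high threshold, a calibrated one, and a very low one.
    for thr in (20_000.0, 10_000.0, 3_000.0):
        print(retrospective_test(TRANSACTIONS, KNOWN_SUSPICIOUS, thr, 7))
```

At 20,000 the rule misses C4, at 3,000 it also alerts on C2 and C3, and only the 10,000 setting catches both known cases with no additional alerts; the same harness is what an auditor documents, together with the rule version and extraction query, as evidence of calibration.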
Evaluating customer due diligence processes
Customer due diligence assessment starts with the institution's customer risk rating methodology. FATF and domestic regulations require a risk-based approach: higher-risk customers receive more intensive scrutiny than lower-risk ones. The forensic auditor examines whether the risk rating criteria are documented, whether they cover the relevant risk factors (customer type, geography, product, delivery channel), and whether the methodology is consistently applied across the customer population.
The three CDD tiers demand different audit procedures. For simplified due diligence customers, the auditor checks that the institution has documented the rationale for the simplified treatment and that the customers actually meet the criteria for it. For standard CDD, the auditor samples onboarding files to verify that identity verification documents are present, current, and authenticated, and that beneficial ownership has been identified to the required threshold (25% control or ownership is the most common domestic standard, derived from FATF Recommendation 10). For enhanced due diligence customers, the auditor checks whether the additional measures required, such as senior management sign-off, source of wealth analysis, and more frequent periodic reviews, are actually being performed and documented.
Politically exposed persons (PEPs) receive special treatment under Recommendation 12. A PEP is an individual who is or has been entrusted with a prominent public function: heads of state, senior government officials, senior executives of state-owned enterprises, senior politicians, and their family members and close associates. PEP screening requires the institution to check whether customers or their beneficial owners meet the PEP definition at onboarding and on an ongoing basis as a customer's status changes. The forensic auditor tests the screening tool's coverage, the quality of the PEP lists used, and whether positive matches have been reviewed and escalated appropriately.
Evidence collection and documentation standards
A forensic AML audit produces evidence that may be used in regulatory proceedings, civil litigation, or criminal prosecution. The evidentiary standards that apply are therefore higher than those of a routine internal audit. The forensic auditor must document the chain of custody for all evidence collected, distinguish between original documents and copies, and record the basis for every factual finding.
Data extraction from the transaction monitoring system must be done in a manner that preserves data integrity. The auditor should request a read-only export of the relevant dataset, verify the export against the system's own record counts, and retain the extraction query together with the resulting dataset. If the institution's IT team performs the extraction, the auditor should witness the process and obtain a written attestation of what was extracted. Any manipulation of the data for analysis purposes, such as deduplication or reformatting, must be documented and the original extraction preserved separately.
Interviews of compliance staff, analysts, and management are an important evidence source. In a forensic AML engagement, interview notes should record who was present, the date and duration, the questions asked, and the substantive responses. Where a response is directly relevant to a finding, the key statement should be noted verbatim or near-verbatim. In jurisdictions where privilege may be claimed over interview notes, the engagement letter and the interview protocol should address this issue before interviews begin. See Interviewing Suspects and Witnesses for detailed technique.
Applicable evidence rules vary by jurisdiction. In India, the Bharatiya Sakshya Adhiniyam 2023 governs admissibility of electronic evidence in court proceedings, replacing the Indian Evidence Act 1872; it includes provisions on electronic records and their authentication. In the United States, the Federal Rules of Evidence govern admissibility in federal proceedings; the Stored Communications Act governs access to electronic records held by third parties. In the United Kingdom, the Police and Criminal Evidence Act 1984 and the Civil Evidence Act 1995 are the relevant frameworks for different types of proceedings. Forensic auditors working across borders must understand which evidentiary framework will govern the use of their findings.
Reporting findings to boards and regulators
The forensic AML audit report serves two different audiences with different needs. The board and audit committee need findings expressed in terms of risk to the institution: what controls failed, what the exposure is, and what remediation is required. Regulators need findings expressed in terms of regulatory compliance: which specific rules were not followed, what evidence supports that conclusion, and what the institution has done or proposes to do to correct the deficiency. A well-structured AML audit report addresses both audiences, usually in separate sections.
When the audit uncovers evidence of actual money laundering rather than simply control failures, the reporting obligation changes character. The institution, as a reporting entity under the applicable domestic AML statute, may have an obligation to file a suspicious transaction report. In India, section 12 of the Prevention of Money Laundering Act 2002 places an obligation on reporting entities to maintain records and report transactions to FIU-IND. In the UK, Part 7 of the Proceeds of Crime Act 2002 places a nominated officer disclosure obligation on persons in the regulated sector who know or suspect money laundering. In the US, FinCEN regulations require financial institutions to file a SAR within 30 days of detecting a suspicious transaction.
The forensic auditor's own reporting obligations depend on the nature of the engagement. Where the auditor is appointed by the regulator under a formal supervisory direction, such as a skilled person review under section 166 of the UK Financial Services and Markets Act 2000, the report goes directly to the regulator and the institution simultaneously. Where the engagement is a private retainer by the institution, the report goes to the board or the audit committee. In either case, the forensic auditor should not take any action that could constitute tipping off: telling a subject of investigation that a SAR has been filed or is contemplated is a criminal offence in most jurisdictions.
Key Takeaways
- The FATF 40 Recommendations are the international benchmark for AML programmes, and most national AML laws implement them directly; forensic auditors must understand both the Recommendation and its domestic transposition to assess compliance accurately.
- An AML programme must be assessed across four components: governance and board oversight, policies and procedures, transaction monitoring and controls, and training. Testing operation against documented policy is essential; the two frequently diverge.
- Transaction monitoring system testing requires three distinct procedures: calibration review, retrospective alert testing using known-suspicious patterns, and case closure review to assess the quality and documentation of analyst decisions.
- Beneficial ownership identification for corporate customers is the most common CDD gap in forensic reviews; customer self-certification is not a substitute for verified documentation, and complex ownership chains require tracing to the natural person level.
- When an AML audit uncovers evidence of actual money laundering, the reporting path is governed by domestic AML law; tipping off the subject of a suspicious transaction report is a criminal offence across FATF-member jurisdictions and must be actively avoided.