Preparing for an AML Audit: A Checklist for Financial Institutions

Anti–money laundering expectations are shifting quickly. In 2024–2025, U.S. regulators advanced multiple rulemakings, adjusted beneficial ownership reporting, updated examination approaches for community banks, and stepped up enforcement. If your audit is coming up in Q4 2025 or early 2026, use this end‑to‑end guide to align your program with what examiners now prioritize and to evidence an effective, risk‑based, and reasonably designed AML/CFT program.

What’s new in 2024–2025 that changes your audit prep

1) Corporate Transparency Act (CTA) reporting changed in 2025

On March 21, 2025, FinCEN issued an interim final rule removing beneficial ownership reporting requirements for U.S. companies and U.S. persons; only foreign entities registered to do business in the U.S. remain “reporting companies,” with new filing deadlines starting in 2025. Calibrate KYC and onboarding procedures so teams know when BOI may exist and when it won’t, and update any reliance on BOI access workflows accordingly. ([fincen.gov](https://www.fincen.gov/beneficial-ownership-information-reporting?utm_source=openai))

2) AML/CFT program modernization: risk‑based and “reasonably designed”

Regulators proposed updates that explicitly require programs to be effective, risk‑based, and reasonably designed. Even before finalization, exam teams are assessing against these principles—so be prepared to demonstrate a fresh, enterprise‑wide risk assessment and evidence of risk‑aligned controls, testing, and metrics. ([fincen.gov](https://www.fincen.gov/index.php/news/news-releases/fincen-issues-proposed-rule-strengthen-and-modernize-financial-institutions?utm_source=openai))

3) Investment adviser rules: timing matters

FinCEN finalized AML/CFT obligations for certain investment advisers but announced plans to postpone the effective date to January 1, 2028 and revisit scope. If you are an RIA/ERA in a financial group, track the postponement and any reopened rulemaking; align your internal playbook and audit requests to the (delayed) compliance horizon. ([fincen.gov](https://www.fincen.gov/news/news-releases/fincen-issues-final-rules-safeguard-residential-real-estate-investment-adviser?utm_source=openai))

4) Real estate transparency

FinCEN’s new residential real estate rule will require reporting of certain all‑cash transfers involving entities or trusts, effective December 1, 2025. If your institution touches settlement, escrow, or affiliated real‑estate services, expect auditors to ask how you will identify in‑scope transactions and coordinate reporting. ([reuters.com](https://www.reuters.com/legal/transactional/fincen-rule-targets-all-cash-residential-real-estate-deals-involving-entities–pracin-2025-09-09/?utm_source=openai))

5) Examination materials and tailoring

While the FFIEC BSA/AML Examination Manual continues to emphasize risk‑focused supervision, the OCC announced “Community Bank Minimum BSA/AML Examination Procedures” effective for exams beginning February 1, 2026. Community banks should prepare for tailored scoping and be ready to explain low‑risk rationales and reduced testing footprints. ([bsaaml.ffiec.gov](https://bsaaml.ffiec.gov/manual?utm_source=openai))

6) Jurisdiction risk is moving

FATF removed several countries from increased monitoring in 2025 (e.g., South Africa, Nigeria), while other jurisdictions were added/removed earlier in the year. Refresh country risk models and correspondents’ due diligence accordingly and document why residual ratings did or did not change. ([reuters.com](https://www.reuters.com/world/africa/south-africa-nigeria-among-african-countries-dropped-fatf-grey-list-2025-10-24/?utm_source=openai))

7) Enforcement signals the “so what”

Recent actions underline classic pitfalls: weak SAR governance, misaligned resources, and transaction‑monitoring backlogs. Expect targeted audit sampling in these areas and questions about board reporting and issue remediation velocity. ([occ.gov](https://occ.gov/news-issuances/news-releases/2024/nr-occ-2024-116.html?utm_source=openai))

The AML Audit Readiness Checklist

1) Governance, culture, and accountability

• Board‑approved AML/CFT policy updated in 2025; clear risk appetite statements.
• Documented roles and Lines 1–2–3 accountability; current charters for AML Committee and Model Risk Committee.
• Resourcing analysis: caseloads, backlogs, vacancy rates, and throughput by team.

2) Enterprise‑wide risk assessment (EWRA)

• Quantify inherent risks by product, customer, channel, geography; reflect 2025 FATF country movements and any portfolio shifts.
• Map control strength and testing results to each risk; show net‑risk rationale and 12‑month trendlines.
• Evidence an annual refresh with change‑management triggers for interim updates.

3) Customer identification, CDD/EDD, and beneficial ownership

• Refresh procedures for entity onboarding to reflect CTA changes (e.g., when BOI may be unavailable for domestic entities). Clarify acceptable alternative documentation and risk‑based EDD triggers for opaque ownership or foreign registrations. ([fincen.gov](https://www.fincen.gov/beneficial-ownership-information-reporting?utm_source=openai))
• Ensure CIP/KYC data quality controls, periodic refresh cadences, and negative news screening are risk‑tiered and monitored.
• For FI‑FI relationships, align correspondent due diligence and private banking procedures with FFIEC expectations. ([bsaaml.ffiec.gov](https://bsaaml.ffiec.gov/whatsnew?utm_source=openai))

4) Sanctions screening and payments risk

• Document OFAC governance: ownership aggregation rules, evasion patterns, and escalation SLAs for potential true hits.
• Evidence tuning and testing for name screening and payment interdiction; maintain robust change logs for list updates.

5) Transaction monitoring and model governance

• Maintain transparent methodology for scenario coverage, thresholds, and segmentation; link each scenario to specific risks in the EWRA.
• Show independent model validation, periodic effectiveness testing, back‑testing outcomes, and documented threshold changes with before/after KPIs.
• For NYDFS‑regulated entities, retain your annual Part 504 certification and underlying evidence; confirm the April 15 filing calendar and supporting documentation inventories. ([dfs.ny.gov](https://www.dfs.ny.gov/industry_guidance/transaction_monitoring?utm_source=openai))

6) Case management, SAR/CTR quality, and quality assurance

• Demonstrate triage logic, aging controls, and escalation protocols; produce MI covering alert‑to‑SAR conversion rates and false positives.
• Evidence SAR decisioning with investigative narratives tied to red flags and transactional evidence; cross‑reference law‑enforcement 314(b)/(a) usage where applicable.
• Perform QA on a statistically valid sample; track error‑type trends and root‑cause fixes.

7) Training and communications

• Role‑based curricula for front office, operations, and senior management; include 2025 regulatory changes and case studies.
• Attestations and quiz results; remediation plans for low‑scores.

8) Independent testing and internal audit

• Clear scope aligned to EWRA; include end‑to‑end customer lifecycle, monitoring models, sanctions, and filing accuracy.
• Issue management with owners, milestones, and timely closures; show challenge of management self‑assessments.

9) Third‑party and fintech relationships

• Central inventory with risk rankings; onboarding due diligence covering AML controls, model transparency, and data lineage.
• Right‑to‑audit clauses tested; periodic performance and control reviews.

10) Data governance and recordkeeping

• Lineage maps for key AML data elements; reconciliations from source systems to monitoring engines and regulatory reports.
• Retention policies that meet regulatory timeframes and support Part 504/FFIEC evidencing. ([bsaaml.ffiec.gov](https://bsaaml.ffiec.gov/manual?utm_source=openai))

Sample pre‑audit document request list

• Latest EWRA with change log; mapping to program controls and KRIs.
• Board/committee minutes and AML dashboards for the last 4–6 quarters.
• Policies, standards, and procedures (current and prior versions); model documentation and validation reports.
• Alert inventory snapshots; investigator playbooks; SAR/CTR QA reports; training matrices and completion evidence.
• Vendor due diligence files; SOC/ISO certifications; service‑level reports; right‑to‑audit results.

90‑day timeline to audit day

Day 90–60

• Lock scope, assemble “audit room” drive, and update EWRA with 2025 changes (CTA, FATF, OCC procedures roadmap, real estate rule exposure). ([fincen.gov](https://www.fincen.gov/beneficial-ownership-information-reporting?utm_source=openai))

Day 60–30

• Complete evidencing packs for CDD, monitoring, sanctions, and filings; finish model effectiveness testing; remediate quick‑wins.

Day 30–7

• Run mock auditor interviews; ensure issue trackers are current; refresh training attestations for late completions.

Audit week

• Daily huddles; track RFIs; control single‑voice responses; document any “walk‑through” commitments and target dates.

Common audit findings in 2025—and quick wins

• Gaps between EWRA and monitoring scenarios. Quick win: one‑pager linking each residual risk to named scenarios and thresholds, with evidence of last tuning cycle.
• Backlogs and aging in alert investigations. Quick win: surge staffing plan with quantified burn‑down and priority criteria.
• Weak SAR narratives. Quick win: narrative checklist and exemplars; peer QA before filing.
• Unclear BOI expectations post‑CTA change. Quick win: updated onboarding script and FAQ for front‑line teams. ([fincen.gov](https://www.fincen.gov/beneficial-ownership-information-reporting?utm_source=openai))

Interview: Insights from a senior AML audit consultant

Q: What’s the first thing you look for when you walk into an AML audit in late 2025?

A: Traceability. I want a straight line from the EWRA to policies, to controls, to testing results, to board reporting. If your top inherent risks aren’t clearly covered by tuned scenarios and EDD triggers, we’ll find it fast.

Q: Where do institutions underestimate effort?

A: Model governance. Threshold changes without a hypothesis, challenger results, and pre/post KPIs are red flags. Have one slide per scenario that tells the story.

Q: Biggest 2025 change to socialize internally?

A: The CTA shift. Train onboarding and KYC teams on what BOI is still available and when, and how to escalate opacity risks for entities that fall outside domestic reporting. ([fincen.gov](https://www.fincen.gov/beneficial-ownership-information-reporting?utm_source=openai))

FAQs: Preparing for an AML audit

Does the 2025 CTA change mean we can stop collecting ownership information?

No. Regulatory BOI reporting has changed for domestic entities, but financial institutions still must identify and verify customers and beneficial owners under existing CIP/CDD frameworks and risk‑based EDD. Calibrate procedures to the new landscape rather than stopping ownership diligence. ([fincen.gov](https://www.fincen.gov/index.php/news/news-releases/fincen-issues-proposed-rule-strengthen-and-modernize-financial-institutions?utm_source=openai))

We’re a community bank. Will our 2026 exam really be “lighter”?

The OCC has announced tailored “Community Bank Minimum BSA/AML Examination Procedures” effective for exams beginning February 1, 2026. Expect more proportional scoping, but only where your risk profile justifies it—and you can evidence it. ([occ.treas.gov](https://www.occ.treas.gov/news-issuances/bulletins/2025/bulletin-2025-37.html?utm_source=openai))

Do FATF list changes affect our risk ratings right away?

They should trigger a review, not an automatic change. Document your assessment and any interim controls when counterparties or corridors are affected. ([ft.com](https://www.ft.com/content/7f4eb3cf-6a33-4ac9-886b-8a217bcd1375?utm_source=openai))

We have an RIA subsidiary—what should we do now?

Track FinCEN’s postponed investment adviser rule and any reopened proposals. Prepare gap analyses and phased implementation plans keyed to the new effective date under consideration. ([fincen.gov](https://www.fincen.gov/index.php/news/news-releases/treasury-announces-postponement-and-reopening-investment-adviser-rule-updated?utm_source=openai))

Related searches

• AML audit checklist for banks
• How to prepare for a BSA/AML exam
• FinCEN BOI rule changes 2025
• FFIEC BSA/AML Manual updates
• Part 504 annual certification guide
• Investment adviser AML rule postponement
• FATF grey list October 2025
• Real estate all‑cash reporting rule 2025

Citations

FinCEN BOI interim final rule and deadlines for foreign reporting companies; removal of domestic BOI reporting: March 2025 updates and fact sheets. ([fincen.gov](https://www.fincen.gov/beneficial-ownership-information-reporting?utm_source=openai))

AML/CFT program modernization NPRM and interagency statement: July 2024. ([fincen.gov](https://www.fincen.gov/index.php/news/news-releases/fincen-issues-proposed-rule-strengthen-and-modernize-financial-institutions?utm_source=openai))

Investment adviser AML/CFT final rule and postponement plan to 2028: July–September 2025 notices. ([fincen.gov](https://www.fincen.gov/news/news-releases/fincen-issues-final-rules-safeguard-residential-real-estate-investment-adviser?utm_source=openai))

Residential real estate rule effective December 1, 2025. ([reuters.com](https://www.reuters.com/legal/transactional/fincen-rule-targets-all-cash-residential-real-estate-deals-involving-entities–pracin-2025-09-09/?utm_source=openai))

FFIEC BSA/AML Manual and OCC Community Bank Procedures effective February 1, 2026. ([bsaaml.ffiec.gov](https://bsaaml.ffiec.gov/manual?utm_source=openai))

FATF list changes in 2025: October removals and June updates. ([ft.com](https://www.ft.com/content/7f4eb3cf-6a33-4ac9-886b-8a217bcd1375?utm_source=openai))

NYDFS Part 504 annual certification and evidencing. ([dfs.ny.gov](https://www.dfs.ny.gov/industry_guidance/transaction_monitoring?utm_source=openai))

Recent enforcement themes: TD Bank (2024) and Bank of America (2025). ([occ.gov](https://occ.gov/news-issuances/news-releases/2024/nr-occ-2024-116.html?utm_source=openai))

aml audit