An annual independent AML audit is mandatory for CASPs under EBA Guidelines [1] and the AML programme expectations of every credible NCA. Most CASPs treat it as a pass/fail compliance task: engage an auditor, give them what they ask for, hope the report is clean, file it.
That framing is wrong, and increasingly expensive. The right framing is a structured pre-emptive review — a deliberate exercise that surfaces gaps before the supervisor does, that produces an evidence trail the firm can present at inspection, and that drives the year's compliance investment plan. Done right, the AML audit is one of the most valuable annual exercises in the firm's calendar. Done as a tick-box, it is a wasted spend and a missed warning.
This guide covers the eight workstreams of a serious AML audit, the auditor selection question (Big-4 vs specialist boutique), the timeline and deliverables, the findings we see most often in 2026, and how to convert findings into programme improvement rather than into a drawer document.
Why crypto firms need a different audit
Generic financial-services AML audits do not work for CASPs. The on-chain risk surface — mixers, bridges, sanctions-listed addresses, Travel Rule, custody architecture — is invisible to a fiat-only auditor. Under MiCA [2] the supervisor expects evidence of crypto-native depth in the audit, not a fiat audit with a chapter on crypto added at the end.
The audit team should include analysts familiar with on-chain forensics tools (Chainalysis, Elliptic, TRM Labs), the Travel Rule protocol stack, and the operational realities of mixer-policy enforcement. If the auditor cannot speak fluently about Tornado Cash exposure handling or self-hosted-wallet verification, the audit will miss what matters.
The eight workstreams of a serious AML audit
1. Risk assessment
The firm's documented AML risk assessment — customer base, products, geographies, channels, technology — is tested for whether it actually reflects operational reality. The auditor pulls a sample of customers, products and corridors and checks whether the risk model captures them with the right weights.
2. Customer due diligence (CDD)
Onboarding flow walkthrough, sample of 30–50 customer files pulled from each risk segment, evidence of CDD performance vs policy, refresh cadence checking, and PEP / sanctions-screening result handling. The most common finding: file completeness gaps that don't show up in dashboards.
3. Enhanced due diligence (EDD)
EDD trigger list, evidence of EDD execution on triggered customers, source-of-funds and source-of-wealth dossiers, ongoing monitoring uplift. Auditors look specifically for EDD that was triggered but not completed or completed superficially.
4. Transaction monitoring
Rule inventory, false-positive and true-positive rates, alert backlog, investigation timeliness, escalation workflow, tuning history with documented rationale. For crypto: KYT (Know-Your-Transaction) integration with the analytics provider, deposit and withdrawal screening thresholds, alert-to-SAR conversion rate.
5. Sanctions screening
Coverage of the OFAC SDN, EU consolidated, UN and UK HMT lists; refresh frequency; fuzzy-matching threshold tuning; on-chain SDN address screening; exception handling. The auditor pulls a sample of suspected near-misses and checks how each one was resolved.
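To make the fuzzy-matching threshold point concrete, here is an added Python example; it is not code from this page or its author, and it is not any vendor's screening engine. The watchlist names are constructed and fictitious (not drawn from any real sanctions list), and the normalisation pipeline (Unicode decomposition, lowercasing, punctuation stripping, token sorting) and the similarity measure (`difflib` ratio) are assumptions standing in for whatever the firm's screening provider actually uses. It shows the trade-off an auditor is probing: a threshold set high enough to suppress noise also lets a transliteration variant through unscreened.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictitious watchlist entries standing in for SDN-style names.
# These are NOT drawn from any real sanctions list.
WATCHLIST = [
    "Aleksandr Petrov",
    "Zorbal Trading Company",
]


def normalise(name: str) -> str:
    """Canonicalise a name so cosmetic differences do not defeat matching.

    Steps (an assumption here; vendors run their own pipelines): strip
    diacritics, lowercase, drop punctuation, and sort the tokens so that
    'Petrov, Aleksandr' and 'Aleksandr Petrov' compare as equal.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", no_marks.lower()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two already-normalised names."""
    return SequenceMatcher(None, a, b).ratio()


def screen(name: str, threshold: float, watchlist=WATCHLIST):
    """Return (listed_name, score) for each watchlist entry scoring >= threshold,
    best score first. An empty list means the name passes screening."""
    candidate = normalise(name)
    hits = []
    for listed in watchlist:
        score = similarity(candidate, normalise(listed))
        if score >= threshold:
            hits.append((listed, round(score, 3)))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def threshold_review(names, thresholds, watchlist=WATCHLIST):
    """Audit-style view: for each candidate threshold, which sample names
    would raise a hit. This is the evidence a tuning decision should rest on."""
    return {t: [n for n in names if screen(n, t, watchlist)] for t in thresholds}


if __name__ == "__main__":
    # Constructed near-miss sample: exact, reordered, accented, transliterated,
    # and an unrelated name that should never hit.
    sample = [
        "Petrov, Aleksandr",
        "Aleksándr Petróv",
        "Alexander Petrov",
        "Alex Peters",
    ]
    for t, hits in threshold_review(sample, [0.95, 0.90, 0.85]).items():
        print(f"threshold {t:.2f}: hits on {hits}")
```

At 0.95 and 0.90 only the exact, reordered and accented forms hit; the transliterated "Alexander Petrov" scores 0.875 and passes unscreened until the threshold is lowered to 0.85, while the unrelated name stays well below every threshold. The `threshold_review` table is the kind of artefact that turns "we tuned the threshold" into a documented rationale the auditor can test.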
6. Travel Rule
Travel Rule provider integration (Notabene, Sumsub, Sygna, Veriscope), protocol coverage (TRP, IVMS101), threshold logic, sunrise-jurisdiction handling, self-hosted-wallet policy. Aligned to FATF Recommendation 16 [3] and EU Travel Rule transposition. The most common gap: counterparty-coverage holes that have not been quantified.
7. MLRO function
MLRO seniority, independence from operational pressure, time allocation, training currency, board-reporting cadence, SAR/STR filing record, supervisory dialogue. Auditors are increasingly asked to evidence MLRO independence — that the role can act on findings without being overruled by commercial leadership.
8. Training
Training records, content review, role-tailoring, refresher cadence, board-level training, completion-rate tracking, post-training assessment. Templated annual e-learning is no longer enough — auditors check role-specific tailoring for onboarding, ops, and customer-service teams.
The eight AML audit workstreams — what auditors examine.
| Workstream | Sample size | Common finding |
|---|---|---|
| Risk assessment | Full document review | Operational reality not reflected in risk model |
| CDD | 30–50 customer files | File-completeness gaps not visible in dashboards |
| EDD | All triggered cases in audit period | Triggered but not completed; or superficial completion |
| Transaction monitoring | Rule inventory + alert sample | Alert backlog; tuning without documented rationale |
| Sanctions | Near-miss sample | Fuzzy match threshold too permissive |
| Travel Rule | Counterparty coverage analysis | Counterparty-coverage holes not quantified |
| MLRO function | Interview + governance review | MLRO independence concerns; insufficient time allocation |
| Training | Records + content review | Templated e-learning, no role-tailoring |
Choosing the auditor: Big-4 vs specialist boutique
Two credible categories of provider, with different trade-offs.
Big-4 audit firms
Pros: brand recognition for supervisory and bank-counterparty purposes, depth of methodology, multi-jurisdiction coverage, ability to scale to a large engagement. Cons: typically expensive, often staff a junior team led by a partner, may lack crypto-native depth at the analyst level. Right when the firm is signalling supervisory comfort — to a supervisor, a banking counterparty, or an investor.
Specialist crypto-AML boutiques
Pros: senior on-chain depth, faster turnaround, often more practical findings, materially lower cost. Cons: less brand recognition with traditional counterparties, smaller bench for surge work. Right when the firm is using the audit primarily for programme improvement rather than as an external signalling instrument.
The hybrid pattern many CASPs adopt: Big-4 one year, boutique the next. Across the cycle this captures both supervisor credibility and operational depth.
Audit timeline and deliverables
Realistic engagement timeline for a mid-sized CASP:
Weeks 1–2: scoping, document request, kickoff.
Weeks 3–6: fieldwork — interviews, sample testing, walk-throughs, on-site visit.
Weeks 7–8: findings drafting, management response cycle, report finalisation.
Weeks 9–10: board sign-off, supervisor delivery, remediation plan.
Indicative cost range for a mid-sized CASP audit: €80,000–€220,000, depending on provider category and scope. Larger or multi-jurisdiction CASPs scale up; smaller CASPs scale down but rarely below €40,000 for a credible audit.
Common audit findings in 2026
1. AMLR-readiness gaps
2. Transaction monitoring untuned to live volumes
Rules tuned at launch and never re-baselined. Alert backlog grows; effective coverage shrinks. Annual TM tuning review with documented rationale is the standard remediation.
3. Travel Rule counterparty gaps
Customers transacting with counterparties whose Travel Rule status is unclear, with no quantified policy on uncovered corridors. Findings invariably require a formal Travel Rule coverage register and an explicit risk acceptance for residual gaps.
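The Travel Rule workstream above and this finding both come down to the same missing artefact: a register that quantifies, per corridor, how much volume goes to counterparties the firm can actually reach under the Travel Rule. The following Python is an added example of such a register; it is not code from this page, its author or any Travel Rule provider. The VASP directory, the transfer sample and the 90% coverage floor are all constructed assumptions, and the three-way status split (covered / uncovered / unknown) is an assumed simplification of what a provider's counterparty lookup returns.

```python
# Constructed VASP directory (an assumption, not a real registry):
# counterparty identifier -> Travel Rule status as the firm's provider reports it.
#   "covered"   : reachable through an integrated Travel Rule protocol
#   "uncovered" : identified VASP, but not reachable on any integrated protocol
# Counterparties absent from the directory, or None (unidentified), are "unknown".
VASP_DIRECTORY = {
    "vasp-alpha": "covered",
    "vasp-beta": "covered",
    "vasp-gamma": "uncovered",
}

# Constructed sample of outbound transfers for one audit period. "corridor" is
# the destination jurisdiction; amounts are illustrative only.
TRANSFERS = [
    {"corridor": "DE", "counterparty": "vasp-alpha", "amount_eur": 5000.0},
    {"corridor": "DE", "counterparty": "vasp-beta", "amount_eur": 3000.0},
    {"corridor": "SG", "counterparty": "vasp-alpha", "amount_eur": 2000.0},
    {"corridor": "SG", "counterparty": "vasp-gamma", "amount_eur": 6000.0},
    {"corridor": "AE", "counterparty": None, "amount_eur": 4000.0},
    {"corridor": "AE", "counterparty": "vasp-alpha", "amount_eur": 1000.0},
]

STATUSES = ("covered", "uncovered", "unknown")


def counterparty_status(counterparty, directory=VASP_DIRECTORY) -> str:
    """Map a counterparty identifier to its Travel Rule status."""
    if counterparty is None:
        return "unknown"
    return directory.get(counterparty, "unknown")


def coverage_register(transfers=TRANSFERS, directory=VASP_DIRECTORY) -> dict:
    """Per-corridor volume by Travel Rule status plus a coverage ratio.

    coverage_ratio treats only 'covered' volume as covered, so unknown
    counterparties reduce coverage instead of being silently ignored."""
    register = {}
    for t in transfers:
        row = register.setdefault(
            t["corridor"], {**{s: 0.0 for s in STATUSES}, "transfers": 0}
        )
        row[counterparty_status(t["counterparty"], directory)] += t["amount_eur"]
        row["transfers"] += 1
    for row in register.values():
        total = sum(row[s] for s in STATUSES)
        row["total"] = total
        row["coverage_ratio"] = row["covered"] / total if total else 0.0
    return register


def residual_gaps(register, min_coverage: float) -> list:
    """Corridors below the policy coverage floor. Each one needs either a
    remediation action or an explicit, documented risk acceptance."""
    return sorted(c for c, row in register.items() if row["coverage_ratio"] < min_coverage)


def format_register(register) -> list:
    """Render the register as fixed-width text lines for the audit file."""
    lines = ["corridor   covered  uncovered   unknown  coverage"]
    for corridor in sorted(register):
        r = register[corridor]
        lines.append(
            f"{corridor:<8} {r['covered']:>9.0f} {r['uncovered']:>10.0f} "
            f"{r['unknown']:>9.0f} {r['coverage_ratio']:>9.0%}"
        )
    return lines


if __name__ == "__main__":
    reg = coverage_register()
    print("\n".join(format_register(reg)))
    print("below the 90% coverage floor:", residual_gaps(reg, 0.90))
```

On the constructed sample, DE is fully covered, SG is 25% covered because most volume goes to an identified but unreachable VASP, and AE is 20% covered because the largest transfer has no identified counterparty at all. Both SG and AE fall below the assumed 90% floor, which is exactly the list the finding says must carry a formal risk acceptance.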
4. EDD performance below policy
EDD triggered by the system but not completed by the team — typically because the trigger volume exceeded staffing. Remediation: either expand staffing or recalibrate the trigger to a defendable risk rationale.
5. MLRO time allocation
MLRO carrying multiple roles (DPO, COO, Head of Risk) with insufficient time on AML. Common at smaller CASPs. Remediation: dedicated MLRO with clear time allocation, supported by a retainer for depth.
How to use the audit findings
The audit report has three audiences: the board (governance), the supervisor (evidence), and the compliance team (operational improvement). Most firms produce one report that satisfies the first two and is filed before reaching the third.
The pattern that converts findings into programme improvement:
Categorise every finding by severity and time-to-remediate.
Assign each finding a named owner with a target date.
Quarterly steering review until all material findings are closed.
Use this year's findings as the baseline for next year's audit, and drive the closure rate up year-on-year.
Use the audit cycle as the spine of the year's compliance investment plan.
Common findings and typical remediation timelines.
| Finding | Severity | Typical remediation |
|---|---|---|
| AMLR-readiness gaps | High | 6–12 months structured programme |
| TM untuned to live volumes | High | 3–6 months retuning + governance |
| Travel Rule coverage gaps | Medium | 3 months coverage register + risk acceptance |
| EDD performance below policy | Medium | 3–6 months staffing or recalibration |
| MLRO time allocation | High | Immediate — role change or hire |
| Training tailoring | Low | 2–3 months content rebuild |
Frequently Asked Questions
Is an annual AML audit mandatory?
For obliged entities under EBA Guidelines and most NCA expectations, yes — an independent review of the AML programme is mandatory at least annually. The form (full audit, thematic review, internal-audit-led review) varies; the existence of an independent function does not.
Can internal audit perform the AML audit?
For larger CASPs with mature internal audit functions, yes — supplemented by an external review every 2–3 years. For smaller CASPs without dedicated internal audit, an external auditor is the practical answer. Either way, the work must be genuinely independent from the AML function being reviewed.
How do I prepare for the audit?
Run a self-assessment 6 weeks before the auditor arrives, against the same eight workstreams. Surface the issues yourself, plan the remediation, document the rationale. The auditor's job is then to validate the self-assessment, not discover the issues. The reports that result are stronger and the relationship is more constructive.
Will the supervisor see the audit report?
Yes — most NCAs require the audit report to be filed annually or made available on request, with an attestation that the board has reviewed and signed off. Treat the report as a supervisory document from the moment it is drafted.
Should I worry about audit findings?
Findings are expected. A clean audit with no findings is itself a flag — supervisors interpret it as the auditor not having looked hard enough. The right posture is a manageable list of findings with credible remediation. A clean audit at year 1 is suspicious; an unclean audit at year 1 with year-2 closure is healthy.
The AML audit is the most honest mirror a CASP gets each year — provided the audit is structured to look at what matters, the findings are converted into operational change, and the report is used rather than filed. Done well, the audit pays for itself in supervisory credibility, banking-relationship strength, and programme improvement. Done as a tick-box, it is the most expensive piece of paper in the year's compliance budget.
Footnotes & Citations