Most regulated crypto firms treat the annual bank review as an event that happens to them. A questionnaire arrives from the financial crime team, panic spreads across compliance and finance, three weeks vanish into evidence-gathering, and the relationship manager fields awkward calls about why nothing is ready.

The top-quartile firms do the opposite. They ship an 11-document pre-built pack to the bank in the week before the anniversary date. Reviews close in 4 weeks instead of 16, exception rates fall sharply, and pricing conversations move in the customer's favour.

This guide names the pack — The 11-Document Annual Review File — and walks through every document, who in the firm owns it, what cadence keeps it current, and how the file pre-empts the deeper inquiries that turn a routine review into a relationship-threatening event.

Why Pre-Submission Beats the Questionnaire

Banks are required to refresh customer due diligence on higher-risk relationships at a defined cadence — typically every 12 months for a regulated CASP or VASP customer. The standard sits inside the EBA Guidelines on customer due diligence[1], which require institutions to keep CDD information current, adequate, and risk-sensitive.

When the bank's financial crime team opens that refresh, they have two choices. They can build a bespoke questionnaire — usually 60 to 120 questions — and wait. Or they can pick up a pre-built pack that already answers 80% of the questions, and close the file faster.

Pre-submission changes three things at once. First, it compresses the timeline — the reviewer's draft notes are now built from your evidence, not against the absence of it. Second, it narrows the exception rate — the reviewer rarely escalates a file whose self-disclosed risks are already mitigated on the page. Third, it reframes the relationship — you are the customer who runs ahead of the bank's process, not the one who has to be chased.

The reverse path matters too. The EBA Guidelines on de-risking[2] are explicit that banks must base exit decisions on evidence, not on blanket sector views. A complete, well-organised file is the strongest defence against a de-risking exit — it makes the lazy decision the harder one.

There is also a quieter benefit. The financial crime team at a Tier-1 bank or specialist EMI works the same review across dozens of crypto customers in a quarter. The customer that arrives with a clean, paginated, version-controlled pack reduces the reviewer's effort by 40 to 60 percent. Reviewers remember which customers made their lives easy — and that institutional memory survives staff turnover and shows up in next year's risk-rating discussion.

The cost of building the pack is real but front-loaded. Year one demands roughly 40–60 hours of compliance, treasury, and company-secretary time. Year two and beyond drop to 6–10 hours per refresh cycle because the templates, ownership, and data pipelines already exist. The payback period is one annual review.

The 11-Document Annual Review File — Overview

The pack is built around a single principle: every question a financial crime reviewer can ask about a regulated crypto firm should already have a document in the file. The 11 documents map to the four review pillars — risk, controls, governance, and operations — and to the three product-specific concerns a bank carries about a crypto customer: sanctions exposure, custody risk, and counterparty contagion.

The 11-Document Annual Review File:

  1. Updated Customer Risk Assessment

  2. Transaction Monitoring Stats Pack

  3. SAR Volume and Pattern Summary

  4. Licence Maintenance Proof

  5. Annual AML Audit Summary

  6. Board AML Minutes

  7. Sanctions Screening Performance Report

  8. Travel Rule Compliance Snapshot

  9. Custody Architecture Update

  10. Wallet Address Inventory and Counterparty Map

  11. Senior Management Function changes / governance update

Two rules govern the file. Every document carries a version number, an owner, and a refresh date. And every document is refreshed on a fixed cadence — not when the bank asks, and not at the last minute.

Doc 1 — Updated Customer Risk Assessment

The reviewer's first question is always the same: how have your risks changed in 12 months? Doc 1 answers it before the question is asked. The AMLR[3] requires obliged entities to maintain a documented business-wide risk assessment covering customer, product, geographic, channel, and transaction risks — refreshed when material change occurs.

The annual refresh should show deltas — not the static document. Three columns: prior-year rating, current-year rating, driver. New jurisdictions, new product lines, new counterparty categories, and the regulator's most recent NRA should all show as inputs.

Two pages are enough. A reviewer who can see what changed, why, and what the firm did about it has the information the questionnaire would otherwise have spent three rounds extracting. Append the underlying methodology as an annex for any reviewer who wants to dig deeper.

Doc 2 — Transaction Monitoring Stats Pack

Reviewers want three numbers from your transaction monitoring system: total alert volume, true-positive rate, and average review time. Most firms produce these monthly but never package them for the bank.

  • Total alerts triggered, by typology, over the rolling 12 months

  • True-positive rate — defined and benchmarked against prior year

  • Average alert-to-disposition time — separated by complexity tier

  • Rule tuning changes made in the period — what, why, and the measured effect

A bank reviewer reading these numbers learns more in five minutes than from any narrative. A 5% true-positive rate with falling average review time tells a maturity story; a 0.5% rate with rising backlog tells the opposite.

Doc 3 — SAR Volume and Pattern Summary

The bank cannot ask which SARs you filed — and you cannot tell them, because doing so breaches tipping-off rules. But the bank can — and will — ask for the shape of your SAR programme.

Doc 3 reports the aggregated picture — total filings, typology distribution, average time from detection to filing, and average time from filing to customer exit decision. Nothing identifies a customer; everything demonstrates a functioning MLRO pipeline.

The bank reviewer reading Doc 3 is looking for three diagnostics. Is the firm detecting suspicious activity — does the volume of internal escalations track expected typologies for the product set? Is the firm filing — does the conversion rate from internal escalation to FIU filing make sense? Is the firm acting — does a filing trigger downstream measures, including customer exit where appropriate?

Doc 4 — Licence Maintenance Proof

Banks want proof that the licence on file is the licence in force. Under MiCA[4] and the equivalent regimes in the UK and Asia, a CASP must notify the regulator of material changes — services added, board changes, qualifying shareholders, branches opened. Doc 4 lists every notification filed in the period and the regulator's acknowledgement.

Include a screenshot of the public regulator register entry, a copy of any updated authorisation conditions, and the dates of any supervisory engagement — inspections, thematic reviews, follow-up letters.

Doc 5 — Annual AML Audit Summary

Most regulated crypto firms are required to commission an independent annual AML audit — the requirement sits in FCA SYSC 6[5] for UK firms, in MFSA, CySEC, and BaFin guidance for EEA firms, and in MAS Notice PSN02 for Singapore DPT licensees.

The bank does not need the full report. Doc 5 is a two-page summary: scope, methodology, number of findings by severity, management response, and remediation status as of today. Auditor name and signature on the cover.

What banks read first is the remediation timeline. A high-severity finding open for nine months is more damaging than a critical finding closed in six weeks. Where a finding remains open, name the target close date, the responsible officer, and the resourcing committed.

Provide the full audit report only on request, under NDA, and only to a named recipient. The summary's job is to make the request unnecessary in 90% of cases.

Doc 6 — Board AML Minutes (Key Resolutions)

AML is not a compliance-team responsibility — it is a board responsibility. Doc 6 is the extracted AML resolutions from board minutes in the period — risk appetite approved, policy refresh approved, audit findings noted, MLRO report received, remediation programmes signed off.

Redact the parts the bank does not need. Keep the date, attendees, motion, vote, and action owner. This single document defeats more tone-from-the-top challenges than any policy update.

Doc 7 — Sanctions Screening Performance Report

Sanctions risk is the bank's number-one product concern about a crypto customer. Doc 7 closes the question with data: screening provider, list refresh cadence (real-time, daily, weekly), hit volume, false-positive rate, average hit-to-disposition time, and the rules in place for PEP and adverse-media screening.

For crypto-native screening: the blockchain analytics vendor, the rule-set risk thresholds, exposure to mixers, sanctioned addresses, and high-risk jurisdictions — with the dispositions taken when threshold breaches occurred.

Doc 8 — Travel Rule Compliance Snapshot

The Travel Rule is the bank's litmus test for whether your firm operates at FATF Recommendation 16 standard. Doc 8 names the protocol your firm uses, the percentage of in-scope transfers exchanging full originator and beneficiary data, the sunrise-period treatment applied to counterparties without messaging capability, and exception volumes.

Include the counterparty due diligence framework — the questionnaire used on other VASPs before data is exchanged with them, and the refresh cadence for that diligence.

Banks now expect Travel Rule coverage above 95% on regulated counterparties and a clear written policy on how unregulated or sunrise-period counterparties are handled. A snapshot that shows declining exception volumes year-on-year is a powerful signal. A flat or rising exception trend without explanation is a red flag.

Doc 9 — Custody Architecture Update

For any crypto firm holding client assets, the bank's second-largest concern is custody risk. Doc 9 is a one-page architecture diagram plus a short narrative: hot/warm/cold wallet split, custody model (self, qualified-custody, hybrid), signing-policy thresholds, insurance position, and proof-of-reserves cadence.

Any change in the period — new custody provider added, new geography, new asset class custodied — is the most important section of this document.

For client-asset-bearing firms, attach the latest proof-of-reserves attestation or its functional equivalent (segregation report, custodian statement, on-chain attested addresses). The bank wants to know that the funds flowing through its rails are matched by client assets on the chain — not commingled, not lent out, not rehypothecated without disclosure.

Doc 10 — Wallet Address Inventory & Counterparty Map

This is the document banks never get and most want. Doc 10 lists, by category, the firm-controlled wallet addresses the bank's settlements interact with, and the top counterparty exposures the firm has on-chain — by counterparty type, not name.

Categories: regulated exchanges, unregulated exchanges, qualified custodians, market makers, payment processors, OTC desks, and institutional customers. For each category: percentage of volume, jurisdiction, and the diligence file held.

This is also the document where the bank's blockchain analytics team will independently verify your claims. Treat it as a published statement — every wallet listed is one that an analytics tool will cluster, label, and check against sanctions and high-risk exposure. The pack should pre-empt that review by including the firm's own analytics output for the same addresses.

Doc 11 — Senior Management Function Changes / Governance Update

Banks pay close attention to who is in the room. Doc 11 lists every SMF change — CEO, CFO, MLRO, Head of Compliance, NEDs — and the regulator approvals received. Where a key role changed, name the regulator notification reference.

Add the current organisational chart, the three lines of defence headcount split, and the compliance budget trend over the last three years.

Reactive vs Proactive Submission — What Actually Changes

Reactive (wait for the bank) vs Proactive (submit ahead of the anniversary) — measured impact on a typical CASP relationship.

| Dimension | Reactive Submission | Proactive 11-Doc Pack |
|---|---|---|
| Review duration | 12–16 weeks | 3–4 weeks |
| Exception rate (findings raised) | High — bank infers gaps from silence | Low — gaps are pre-flagged and remediated |
| Escalation to credit / risk committee | Common | Rare |
| Pricing implication | Re-priced upward or risk-weighted | Often held flat or reduced |
| Limit & velocity caps | Tightened or frozen | Maintained or expanded |
| Relationship-manager workload | Defensive, escalations | Strategic, growth conversations |
| De-risking exit probability | Materially higher | Materially lower |
| Internal cost of the review | High — fire-drill across 4+ teams | Low — file is already current |

Document Ownership & Refresh Cadence

Owner and refresh cadence for each of the 11 documents. Version, owner, and refresh date should be visible on every cover page.

| # | Document | Owner | Refresh Cadence |
|---|---|---|---|
| 1 | Customer Risk Assessment | MLRO | Annual + on material change |
| 2 | Transaction Monitoring Stats Pack | Head of Financial Crime | Monthly (rolled into annual) |
| 3 | SAR Volume & Pattern Summary | MLRO | Quarterly |
| 4 | Licence Maintenance Proof | Head of Compliance | Continuous + annual roll-up |
| 5 | Annual AML Audit Summary | Internal Audit / external auditor | Annual |
| 6 | Board AML Minutes (extracts) | Company Secretary | After every board meeting |
| 7 | Sanctions Screening Performance | Head of Financial Crime | Monthly (rolled into annual) |
| 8 | Travel Rule Compliance Snapshot | Head of Financial Crime | Quarterly |
| 9 | Custody Architecture Update | CTO / Head of Custody | Semi-annual + on change |
| 10 | Wallet Address & Counterparty Map | Head of Treasury | Quarterly |
| 11 | SMF Changes / Governance Update | Company Secretary | Continuous + annual roll-up |

What Triggers a Deeper Inquiry — And How the File Pre-Empts It

Banks escalate when three things appear at once: a missing document, an unexplained variance in expected behaviour, and slow responses. The JMLSG Guidance Parts I and II[6] describes this pattern as the composite suspicion trigger — no single fact is suspicious, but the combination is.

  • Volume above expected — pre-empted by the Transaction Monitoring Stats Pack with year-on-year context

  • New geography in flows — pre-empted by the updated Customer Risk Assessment

  • Adverse media on the firm or its principals — pre-empted by the SMF Governance Update including media-monitoring outputs

  • Counterparty appearing on a sanctions list — pre-empted by the Sanctions Screening Performance Report

  • Unannounced change of MLRO — pre-empted by the SMF Changes document with regulator approval references

The economics of a deeper inquiry are brutal: an additional 8–12 weeks of review work, a likely freeze on new product, and a paper trail that propagates to your other banks the next time they refresh.

The pack pre-empts the trigger by giving the reviewer first-mover narrative control. When the bank's system flags a 30% jump in monthly settlement volume, the reviewer's first action is to check whether the customer has explained it. If the answer is in the Transaction Monitoring Stats Pack — new institutional customer signed in Q2, expected to add €40M monthly — the alert closes in minutes rather than triggering a Section 2 request.

The pattern repeats across every routine alert type: pre-explained anomalies stay routine; unexplained anomalies escalate. The 11-document file is, in effect, the firm's annual pre-explanation of everything the bank's monitoring will see in the next 12 months.

FAQ

What does an annual bank review involve for a regulated crypto firm?

An annual review is the bank's refresh of customer due diligence under EBA/GL/2023/03 or equivalent local guidance. It reassesses your risk profile, controls maturity, governance, sanctions exposure, custody architecture, and counterparty profile. Reactively, expect 12–16 weeks; proactively with the 11-Document Annual Review File, 3–4 weeks.

How often do banks review regulated crypto customers?

For higher-risk relationships — which most regulated crypto firms are classified as — refresh is annual. For very high-risk profiles it can drop to semi-annual. Lighter EMI relationships sometimes refresh every 18–24 months. The exact cadence is set by the bank's internal customer risk rating, not by your licence type.

Can I share SAR information with my bank?

No — naming the subject of a specific SAR to a third party (including your bank) breaches tipping-off rules and is a criminal offence in most jurisdictions. What you can share is the aggregate volume, typology distribution, and pipeline metrics — the SAR Volume and Pattern Summary in the pack does exactly this.

Should the 11-document pack be the same for every bank?

The core 11 documents are constant. The cover letter, the emphasis in the executive summary, and the format adapt to each bank's questionnaire history. A specialist EMI banking partner typically wants the Transaction Monitoring Stats Pack and Custody Architecture Update front-loaded; a correspondent Tier-1 bank will prioritise the Sanctions Screening Performance Report and Board AML Minutes.

When in the year should the pack be submitted?

In the 7–14 days before the anniversary of account opening — early enough that the financial crime team is opening the refresh ticket with your file already in hand, late enough that the figures are current. Submitting more than a month early invites the bank to ask for a fresher version.

Does this work for a firm with three banking partners?

Yes — and the economics improve. Once the pack is built and refreshed at the cadences in the ownership table, the marginal cost of submission to a second or third bank is small. Firms running the Three-Bank Resilience Standard use the same pack across three relationships with light cover-letter customisation.

The bank's annual review will happen whether you prepare for it or not. The only question is whether your firm shows up as the customer that runs ahead of the process or the one that responds to it. The 11-document pack — versioned, owned, refreshed on cadence, and submitted in the week before the anniversary — is the cheapest, highest-leverage investment a regulated crypto firm can make in the longevity of its banking relationships.

Footnotes & Citations

  1. EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (EBA/GL/2023/03).

  2. EBA Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer — including supplements addressing de-risking (EBA/GL/2023/04).

  3. Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR).

  4. Regulation (EU) 2023/1114 of the European Parliament and of the Council on markets in crypto-assets (MiCA), OJ L 150, 9.6.2023.

  5. FCA Handbook, SYSC 6 — Compliance, internal audit and financial crime.

  6. Joint Money Laundering Steering Group (JMLSG) Guidance, Parts I and II — UK financial sector guidance on the prevention of money laundering and combating terrorist financing.
