---
title: "The Annual Bank Review File: 11 Documents Every Regulated Crypto Firm Should Submit Before It's Asked"
slug: annual-bank-review-file-crypto
publishedAt: 2026-05-24T13:30:00Z
author: Finconduit Editorial Team
tags: AML, AMLR, MiCA, PSD2
canonicalUrl: https://finconduit.com/resources/annual-bank-review-file-crypto
---
# The Annual Bank Review File: 11 Documents Every Regulated Crypto Firm Should Submit Before It's Asked

The 11-document pack regulated crypto firms should submit at the anniversary date — closing annual reviews in 4 weeks instead of 16.

Most regulated crypto firms treat the **annual bank review** as an event that happens *to them*. A questionnaire arrives from the financial crime team, panic spreads across compliance and finance, three weeks vanish into evidence\-gathering, and the relationship manager fields awkward calls about **why nothing is ready**.

The top\-quartile firms do the opposite. They ship an **11\-document pre\-built pack** to the bank in the week *before* the anniversary date. Reviews close in **4 weeks instead of 16**, exception rates fall sharply, and pricing conversations move in the customer's favour.

This guide names the pack — **The 11\-Document Annual Review File** — and walks through every document, who in the firm owns it, what cadence keeps it current, and how the file pre\-empts the deeper inquiries that turn a routine review into a relationship\-threatening event.

## Why Pre\-Submission Beats the Questionnaire

Banks are required to **refresh customer due diligence** on higher\-risk relationships at a defined cadence — typically **every 12 months** for a regulated **CASP** or **VASP** customer. The standard sits inside the [EBA Guidelines on customer due diligence](https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-customer-due-diligence-and-factors-credit-and-financial-institutions-should-consider)[^1], which require institutions to keep CDD information **current, adequate, and risk\-sensitive**.

When the bank's financial crime team opens that refresh, they have two choices. They can build a **bespoke questionnaire** — usually 60 to 120 questions — and wait. Or they can pick up a **pre\-built pack** that already answers 80% of the questions, and close the file faster.

Pre\-submission changes three things at once. First, it **compresses the timeline** — the reviewer's draft notes are now built *from your evidence*, not against the absence of it. Second, it **narrows the exception rate** — the reviewer rarely escalates a file whose self\-disclosed risks are already mitigated on the page. Third, it **reframes the relationship** — you are the customer who runs ahead of the bank's process, not the one who has to be chased.

The reverse path matters too. The [EBA Guidelines on de\-risking](https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-policies-and-procedures-de-risking)[^2] are explicit that banks must base **exit decisions on evidence**, not on blanket sector views. A complete, well\-organised file is the strongest defence against a **de\-risking exit** — it makes the lazy decision the harder one.

There is also a quieter benefit. The financial crime team at a Tier\-1 bank or specialist EMI works the same review across dozens of crypto customers in a quarter. The customer that arrives with a **clean, paginated, version\-controlled pack** reduces the reviewer's effort by 40 to 60 percent. Reviewers remember which customers made their lives easy — and that **institutional memory** survives staff turnover and shows up in next year's risk\-rating discussion.

The cost of building the pack is real but front\-loaded. Year one demands roughly **40–60 hours** of compliance, treasury, and company\-secretary time. Year two and beyond drop to **6–10 hours** per refresh cycle because the templates, ownership, and data pipelines already exist. The payback period is one annual review.

## The 11\-Document Annual Review File — Overview

The pack is built around a single principle: every **question a financial crime reviewer can ask** about a regulated crypto firm should already have a document in the file. The 11 documents map to the four review pillars — **risk, controls, governance, and operations** — and to the three product\-specific concerns a bank carries about a crypto customer: **sanctions exposure**, **custody risk**, and **counterparty contagion**.

> **Note:** The 11\-Document Annual Review File:
>
> 1. Updated Customer Risk Assessment
> 2. Transaction Monitoring Stats Pack
> 3. SAR Volume and Pattern Summary
> 4. Licence Maintenance Proof
> 5. Annual AML Audit Summary
> 6. Board AML Minutes
> 7. Sanctions Screening Performance Report
> 8. Travel Rule Compliance Snapshot
> 9. Custody Architecture Update
> 10. Wallet Address Inventory and Counterparty Map
> 11. Senior Management Function changes / governance update

Two rules govern the file. Every document carries a **version number, an owner, and a refresh date**. And every document is **refreshed on a fixed cadence** — not when the bank asks, and not at the last minute.

## Doc 1 — Updated Customer Risk Assessment

The reviewer's first question is always the same: *how have your risks changed in 12 months*? Doc 1 answers it before the question is asked. The [AMLR](https://eur-lex.europa.eu/eli/reg/2024/1624/oj)[^3] requires obliged entities to maintain a documented **business\-wide risk assessment** covering customer, product, geographic, channel, and transaction risks — refreshed when material change occurs.

The annual refresh should show **deltas — not the static document**. Three columns: prior\-year rating, current\-year rating, driver. New jurisdictions, new product lines, new counterparty categories, and the **regulator's most recent NRA** should all show as inputs.

Two pages are enough. A reviewer who can see **what changed, why, and what the firm did about it** has the information the questionnaire would otherwise have spent three rounds extracting. Append the underlying methodology as an annex for any reviewer who wants to dig deeper.

## Doc 2 — Transaction Monitoring Stats Pack

Reviewers want three numbers from your **transaction monitoring system**: total alert volume, **true\-positive rate**, and **average review time**. Most firms produce these monthly but never package them for the bank.

- **Total alerts triggered, by typology**, over the rolling 12 months

- **True\-positive rate** — defined and benchmarked against prior year

- **Average alert\-to\-disposition time** — separated by complexity tier

- **Rule tuning changes** made in the period — what, why, and the measured effect

A bank reviewer reading these numbers learns more in five minutes than from any narrative. A **5% true\-positive rate with falling average review time** tells a maturity story; a **0.5% rate with rising backlog** tells the opposite.

## Doc 3 — SAR Volume and Pattern Summary

The bank cannot ask which **SARs** you filed — and you cannot tell them, because doing so breaches **tipping\-off rules**. But the bank can — and will — ask for the *shape* of your SAR programme.

Doc 3 reports the **aggregated picture** — total filings, typology distribution, average time from detection to filing, and average time from filing to **customer exit decision**. Nothing identifies a customer; everything demonstrates a functioning **MLRO** pipeline.

The bank reviewer reading Doc 3 is looking for three diagnostics. Is the firm **detecting** suspicious activity — does the volume of internal escalations track expected typologies for the product set? Is the firm **filing** — does the conversion rate from internal escalation to FIU filing make sense? Is the firm **acting** — does a filing trigger downstream measures, including customer exit where appropriate?

> **Tip:** A SAR\-to\-exit ratio of zero is a red flag. It tells the bank reviewer that the MLRO files reports but the firm never acts on them — which suggests either weak governance or a tipping\-off problem in the wrong direction. Expect 15\-40% of SARs to lead to managed customer exit within 90 days.

## Doc 4 — Licence Maintenance Proof

Banks want proof that the licence on file is the licence in force. Under [MiCA](https://eur-lex.europa.eu/eli/reg/2023/1114/oj)[^4] and the equivalent regimes in the UK and Asia, a **CASP** must notify the regulator of material changes — services added, board changes, qualifying shareholders, branches opened. Doc 4 lists every notification filed in the period and the regulator's acknowledgement.

Include a screenshot of the **public regulator register entry**, a copy of any updated authorisation conditions, and the dates of any **supervisory engagement** — inspections, thematic reviews, follow\-up letters.

## Doc 5 — Annual AML Audit Summary

Most regulated crypto firms are required to commission an **independent annual AML audit** — the requirement sits in [FCA SYSC 6](https://www.handbook.fca.org.uk/handbook/SYSC/6/)[^5] for UK firms, in MFSA, CySEC, and BaFin guidance for EEA firms, and in MAS Notice PSN02 for Singapore DPT licensees.

The bank does not need the full report. Doc 5 is a **two\-page summary**: scope, methodology, **number of findings by severity**, management response, and **remediation status as of today**. Auditor name and signature on the cover.

What banks read first is the **remediation timeline**. A high\-severity finding open for nine months is more damaging than a critical finding closed in six weeks. Where a finding remains open, name the target close date, the responsible officer, and the resourcing committed.

Provide the full audit report only on request, under NDA, and only to a named recipient. The summary's job is to **make the request unnecessary** in 90% of cases.

## Doc 6 — Board AML Minutes \(Key Resolutions\)

AML is not a compliance\-team responsibility — it is a **board responsibility**. Doc 6 is the extracted **AML resolutions** from board minutes in the period — risk appetite approved, policy refresh approved, audit findings noted, **MLRO report received**, remediation programmes signed off.

Redact the parts the bank does not need. Keep the **date, attendees, motion, vote, and action owner**. This single document defeats more *tone\-from\-the\-top* challenges than any policy update.

## Doc 7 — Sanctions Screening Performance Report

Sanctions risk is the bank's number\-one product concern about a crypto customer. Doc 7 closes the question with data: **screening provider, list refresh cadence** \(real\-time, daily, weekly\), **hit volume**, false\-positive rate, average **hit\-to\-disposition time**, and the rules in place for **PEP** and adverse\-media screening.

For crypto\-native screening: the **blockchain analytics vendor**, the rule\-set risk thresholds, exposure to mixers, sanctioned addresses, and **high\-risk jurisdictions** — with the dispositions taken when threshold breaches occurred.

## Doc 8 — Travel Rule Compliance Snapshot

The **Travel Rule** is the bank's litmus test for whether your firm operates at **FATF Recommendation 16** standard. Doc 8 names the protocol your firm uses, the percentage of in\-scope transfers exchanging full originator and beneficiary data, the **sunrise\-period treatment** applied to counterparties without messaging capability, and exception volumes.

Include the **counterparty due diligence framework** — the questionnaire used on other **VASPs** before data is exchanged with them, and the refresh cadence for that diligence.

Banks now expect Travel Rule coverage above **95% on regulated counterparties** and a clear written policy on how unregulated or sunrise\-period counterparties are handled. A snapshot that shows declining exception volumes year\-on\-year is a powerful signal. A flat or rising exception trend without explanation is a red flag.

## Doc 9 — Custody Architecture Update

For any crypto firm holding client assets, the bank's second\-largest concern is **custody risk**. Doc 9 is a one\-page architecture diagram plus a short narrative: **hot/warm/cold wallet split**, custody model \(self, qualified\-custody, hybrid\), **signing\-policy thresholds**, insurance position, and proof\-of\-reserves cadence.

Any change in the period — new custody provider added, new geography, new asset class custodied — is the most important section of this document.

For **client\-asset\-bearing firms**, attach the latest proof\-of\-reserves attestation or its functional equivalent \(segregation report, custodian statement, on\-chain attested addresses\). The bank wants to know that the funds flowing through its rails are matched by client assets on the chain — not commingled, not lent out, not rehypothecated without disclosure.

## Doc 10 — Wallet Address Inventory & Counterparty Map

This is the document banks *never get* and most want. Doc 10 lists, by category, the **firm\-controlled wallet addresses** the bank's settlements interact with, and the **top counterparty exposures** the firm has on\-chain — by counterparty type, not name.

Categories: **regulated exchanges**, unregulated exchanges, **qualified custodians**, market makers, payment processors, OTC desks, and **institutional customers**. For each category: percentage of volume, jurisdiction, and the diligence file held.

This is also the document where the bank's blockchain analytics team will independently verify your claims. Treat it as a **published statement** — every wallet listed is one that an analytics tool will cluster, label, and check against sanctions and high\-risk exposure. The pack should pre\-empt that review by including the firm's own analytics output for the same addresses.

## Doc 11 — Senior Management Function Changes / Governance Update

Banks pay close attention to **who is in the room**. Doc 11 lists every **SMF change** — CEO, CFO, MLRO, Head of Compliance, NEDs — and the regulator approvals received. Where a key role changed, name the regulator notification reference.

Add the **current organisational chart**, the **three lines of defence** headcount split, and the **compliance budget** trend over the last three years.

## Reactive vs Proactive Submission — What Actually Changes


*Table: Reactive \(wait for the bank\) vs Proactive \(submit ahead of the anniversary\) — measured impact on a typical CASP relationship.*

| Dimension | Reactive Submission | Proactive 11\-Doc Pack |
| --- | --- | --- |
| Review duration | 12–16 weeks | 3–4 weeks |
| Exception rate \(findings raised\) | High — bank infers gaps from silence | Low — gaps are pre\-flagged and remediated |
| Escalation to credit / risk committee | Common | Rare |
| Pricing implication | Re\-priced upward or risk\-weighted | Often held flat or reduced |
| Limit & velocity caps | Tightened or frozen | Maintained or expanded |
| Relationship\-manager workload | Defensive, escalations | Strategic, growth conversations |
| De\-risking exit probability | Materially higher | Materially lower |
| Internal cost of the review | High — fire\-drill across 4\+ teams | Low — file is already current |

## Document Ownership & Refresh Cadence


*Table: Owner and refresh cadence for each of the 11 documents. Version, owner, and refresh date should be visible on every cover page.*

| \# | Document | Owner | Refresh Cadence |
| --- | --- | --- | --- |
| 1 | Customer Risk Assessment | MLRO | Annual \+ on material change |
| 2 | Transaction Monitoring Stats Pack | Head of Financial Crime | Monthly \(rolled into annual\) |
| 3 | SAR Volume & Pattern Summary | MLRO | Quarterly |
| 4 | Licence Maintenance Proof | Head of Compliance | Continuous \+ annual roll\-up |
| 5 | Annual AML Audit Summary | Internal Audit / external auditor | Annual |
| 6 | Board AML Minutes \(extracts\) | Company Secretary | After every board meeting |
| 7 | Sanctions Screening Performance | Head of Financial Crime | Monthly \(rolled into annual\) |
| 8 | Travel Rule Compliance Snapshot | Head of Financial Crime | Quarterly |
| 9 | Custody Architecture Update | CTO / Head of Custody | Semi\-annual \+ on change |
| 10 | Wallet Address & Counterparty Map | Head of Treasury | Quarterly |
| 11 | SMF Changes / Governance Update | Company Secretary | Continuous \+ annual roll\-up |

## What Triggers a Deeper Inquiry — And How the File Pre\-Empts It

Banks escalate when three things appear at once: a **missing document**, an **unexplained variance** in expected behaviour, and **slow responses**. The [JMLSG Guidance Parts I and II](https://www.jmlsg.org.uk/guidance/current-guidance/)[^6] describes this pattern as the *composite suspicion trigger* — no single fact is suspicious, but the combination is.

- **Volume above expected** — pre\-empted by the Transaction Monitoring Stats Pack with year\-on\-year context

- **New geography in flows** — pre\-empted by the updated Customer Risk Assessment

- **Adverse media on the firm or its principals** — pre\-empted by the SMF Governance Update including media\-monitoring outputs

- **Counterparty appearing on a sanctions list** — pre\-empted by the Sanctions Screening Performance Report

- **Unannounced change of MLRO** — pre\-empted by the SMF Changes document with regulator approval references

The economics of a deeper inquiry are brutal: an additional **8–12 weeks** of review work, a **likely freeze on new product**, and a paper trail that **propagates to your other banks** the next time they refresh.

The pack pre\-empts the trigger by giving the reviewer **first\-mover narrative control**. When the bank's system flags a 30% jump in monthly settlement volume, the reviewer's first action is to check whether the customer has explained it. If the answer is in the Transaction Monitoring Stats Pack — new institutional customer signed in Q2, expected to add €40M monthly — the alert closes in minutes rather than triggering a Section 2 request.

The pattern repeats across every routine alert type: **pre\-explained anomalies stay routine**; unexplained anomalies escalate. The 11\-document file is, in effect, the firm's annual *pre\-explanation* of everything the bank's monitoring will see in the next 12 months.

## FAQ

### What does an annual bank review involve for a regulated crypto firm?

An annual review is the bank's refresh of customer due diligence under **EBA/GL/2023/03** or equivalent local guidance. It reassesses your risk profile, controls maturity, governance, sanctions exposure, custody architecture, and counterparty profile. Reactively, expect 12–16 weeks; proactively with the **11\-Document Annual Review File**, 3–4 weeks.

### How often do banks review regulated crypto customers?

For higher\-risk relationships — which most regulated crypto firms are classified as — refresh is **annual**. For very high\-risk profiles it can drop to **semi\-annual**. Lighter EMI relationships sometimes refresh every 18–24 months. The exact cadence is set by the bank's internal customer risk rating, not by your licence type.

### Can I share SAR information with my bank?

No — naming the subject of a **specific SAR** to a third party \(including your bank\) breaches **tipping\-off rules** and is a criminal offence in most jurisdictions. What you can share is the **aggregate volume, typology distribution, and pipeline metrics** — the SAR Volume and Pattern Summary in the pack does exactly this.

### Should the 11\-document pack be the same for every bank?

The **core 11 documents are constant**. The cover letter, the emphasis in the executive summary, and the format adapt to each bank's questionnaire history. A specialist EMI banking partner typically wants the Transaction Monitoring Stats Pack and Custody Architecture Update front\-loaded; a correspondent **Tier\-1 bank** will prioritise the Sanctions Screening Performance Report and Board AML Minutes.

### When in the year should the pack be submitted?

In the **7–14 days before the anniversary** of account opening — early enough that the financial crime team is opening the refresh ticket with your file already in hand, late enough that the figures are current. Submitting more than a month early invites the bank to ask for a fresher version.

### Does this work for a firm with three banking partners?

Yes — and the economics improve. Once the pack is built and refreshed at the cadences in the ownership table, the **marginal cost of submission to a second or third bank** is small. Firms running the **Three\-Bank Resilience Standard** use the same pack across three relationships with light cover\-letter customisation.

## Related Guides

- [AML Compliance Retainer for CASPs](/resources/aml-compliance-retainer-casp) — the ongoing MLRO support and policy refresh service that keeps several of these documents current

- [AML Audit for a Regulated Crypto Firm](/resources/aml-audit-crypto-firm) — what an independent annual audit covers and how to package the summary for the bank

- [Bank Diligence File for Regulated Crypto Firms](/resources/bank-diligence-file-crypto-firm) — the onboarding\-stage cousin of the annual review file

- [The Three\-Bank Resilience Standard](/resources/three-bank-resilience-standard) — why running the same pack across three relationships is the strongest defence against de\-risking

The bank's annual review will happen whether you prepare for it or not. The only question is whether your firm shows up as the customer that **runs ahead of the process** or the one that responds to it. The 11\-document pack — versioned, owned, refreshed on cadence, and submitted in the week before the anniversary — is the cheapest, highest\-leverage investment a regulated crypto firm can make in the longevity of its banking relationships.

## Footnotes

[^1]: EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions \(EBA/GL/2023/03\). <https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-customer-due-diligence-and-factors-credit-and-financial-institutions-should-consider>
[^2]: EBA Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer — including supplements addressing de\-risking \(EBA/GL/2023/04\). <https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-policies-and-procedures-de-risking>
[^3]: Regulation \(EU\) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing \(AMLR\). <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>
[^4]: Regulation \(EU\) 2023/1114 of the European Parliament and of the Council on markets in crypto\-assets \(MiCA\), OJ L 150, 9.6.2023. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^5]: FCA Handbook, SYSC 6 — Compliance, internal audit and financial crime. <https://www.handbook.fca.org.uk/handbook/SYSC/6/>
[^6]: Joint Money Laundering Steering Group \(JMLSG\) Guidance, Parts I and II — UK financial sector guidance on the prevention of money laundering and combating terrorist financing. <https://www.jmlsg.org.uk/guidance/current-guidance/>


