AML and Financial Crime Internal Audit
Independent assurance over anti-money laundering, counter-terrorism financing, KYC, sanctions, transaction monitoring and financial crime controls, for regulated firms where the cost of getting this wrong is significant.
Why financial crime audit is a specialist discipline
Most internal audit teams can review a policy, test a sample and write a finding. Financial crime audit requires more than that. To reach a credible conclusion on whether transaction monitoring is calibrated correctly, whether PEP and sanctions screening is working as designed, or whether suspicious activity is being identified and escalated in the way regulators expect, you need practitioners who understand the underlying regulatory framework and the operational realities of running these controls.
The FCA's enforcement decisions and Dear CEO letters have been consistent: firms with internal audit programmes that stay at the level of process compliance, without testing whether controls actually work, are not meeting supervisory expectations. The question is not whether the TM system has been set up. The question is whether it catches the typologies that matter for this firm's business model and customer base.
Where we bring direct experience
Our financial crime audit work draws on direct experience of AML enforcement, Consent Orders, s166 skilled person reviews and financial crime remediation programmes in UK financial services. We understand what the FCA looks for when it examines a firm's financial crime controls and we apply that perspective to audit scoping, fieldwork and reporting.
We can provide subject matter expert input at the scoping and fieldwork stage, or take on specific thematic reviews where the in-house team lacks the depth to cover the area credibly.
Five service components, built around your risk profile
Each component can be commissioned independently or structured as a rolling assurance programme covering the full financial crime control environment.
A rapid, structured diagnostic of your financial crime control framework against MLR 2017, JMLSG guidance, FCA expectations and your own policy commitments. Identifies gaps in design before the regulator does.
Assesses whether your firm's AML framework is ready to withstand regulatory examination. Particularly relevant for firms that have recently undergone change, are facing a supervisory review, or are implementing a remediation programme.
Tests whether your KYC, CDD, transaction monitoring, SAR and escalation controls are operating as designed, not just whether they exist. Goes behind management information to test the controls themselves.
Focused thematic reviews of individual high-risk areas within your financial crime control framework. Each review is scoped to the specific risk and produces a standalone audit report suitable for the audit committee.
Independent validation that remediation actions have been completed and that the underlying risk has actually reduced. Internal validation by the team that designed the fix is not sufficient for the FCA.
Particularly relevant for firms that have received FCA findings, completed a skilled person review, or are at the end of a Consent Order remediation programme.
The full financial crime control environment
Our work covers the complete range of financial crime obligations in UK regulated firms, from AML and CTF through to sanctions, fraud controls and third-party oversight.
AML and CTF controls
Anti-money laundering and counter-terrorism financing controls, including customer risk assessment methodology, CDD and EDD processes, ongoing monitoring, and the adequacy of your AML programme relative to your business model and risk profile.
KYC and onboarding
Know Your Customer processes at onboarding and refresh. We test whether identity verification is robust, whether risk ratings are assigned correctly, and whether high-risk customers are subject to proportionate enhanced due diligence in practice, not just in policy.
Transaction monitoring
Whether your TM system is calibrated to catch the typologies relevant to your business, whether alerts are investigated to an adequate standard, and whether the closure rationale is defensible. Commonly the weakest link in financial crime control frameworks.
Sanctions and PEP screening
Screening coverage, alert investigation quality, escalation processes and the adequacy of your lists and matching thresholds. Sanctions compliance carries significant legal risk and is treated as a high-priority area in all our financial crime audit work.
Suspicious activity reporting
SAR quality, completeness and timeliness. Whether your tipping-off controls are adequate. Whether the escalation path from frontline staff to the MLRO is working. Whether your SAR decisions are documented to a standard that would withstand scrutiny.
Outsourcing and third parties
Oversight of outsourced AML operations, including KYC utilities, screening providers and processing centres. Whether your oversight framework is proportionate to the risk, and whether reliance on group-level controls is adequately evidenced and documented.
Findings framed for board and regulator
Financial crime audit findings need to do two things: give the audit committee a clear, accurate picture of the firm's position, and frame that picture in a way that reflects the regulatory risk each finding represents.
A finding that says "alert closure is behind target" is a process metric. A finding that says "alert closure is behind target, creating the risk that suspicious activity is not being identified and reported in a timely manner under POCA and MLR 2017" is a risk finding. The audit committee needs the latter. So does the regulator, if it asks to see your internal audit reports.
Our reports include an overall assurance opinion, RAG-rated findings with regulatory context, an action plan with clear ownership and timelines, and, where relevant, a section on matters we consider appropriate for escalation to the board or MLRO. Every report is structured to be used, not filed.
Facing regulatory scrutiny or planning your financial crime audit programme?
We work with firms at all stages, from initial diagnostic through to remediation validation and ongoing thematic audit coverage. A short conversation is usually enough to establish what you need and whether we are the right people to help.