Anti-Money Laundering (AML) rules are designed to stop criminals from using businesses to hide illegal money. But just having policies in place isn’t enough. You also need to prove that your business is following them correctly. That’s where AML audits come in.

An AML audit checks whether your anti-money laundering systems are working. It also helps you stay compliant with government regulations. But to pass an AML audit, you need to meet certain requirements—these are called AML audit requirements.

This blog explains what those requirements are, why they matter, and how to meet them. Whether you run a bank, law firm, accounting firm, or real estate agency, this guide will help you understand what’s expected.

What Are AML Audit Requirements?

AML audit requirements are the minimum standards your business must meet to stay compliant with anti-money laundering laws. These requirements ensure that your internal systems are strong enough to prevent money laundering and that you’re ready for regulatory review.

Key AML audit requirements include:

  • Written AML policies and procedures
  • Risk assessment for your business
  • Ongoing customer due diligence (CDD)
  • Training for staff on AML rules
  • Clear governance and internal controls
  • Independent AML audits done regularly
  • Proper record-keeping and documentation
  • A system for detecting and reporting suspicious activity

Meeting these requirements shows regulators that your business is taking AML compliance seriously. Ignoring them can lead to fines, audits, or even criminal investigations.

1. Risk Assessment

The first requirement for an AML audit is a risk assessment. Your business must identify and document all the risks of money laundering that could apply. This includes looking at:

  • Who your customers are
  • Where they’re located
  • The services you offer
  • How your business is structured

The idea is to understand where your biggest risks are, so you can create stronger controls in those areas.

An auditor will want to see a current risk assessment report. It should be specific to your business—not a generic template—and updated regularly.

A weak or outdated risk assessment is one of the most common reasons businesses fail an AML audit.

2. AML Policies and Procedures

You must have written AML policies and procedures that explain how your business will prevent and detect money laundering.

This document should clearly outline:

  • How you onboard new clients
  • How customer identity is verified (KYC)
  • When and how enhanced due diligence is done
  • How transactions are monitored
  • How suspicious activity is reported
  • What staff training is required

Your policies must be tailored to your specific business model. Auditors often look for signs that you copied someone else’s policy without adjusting it for your own risks.

Also, your policy must be up to date. If the laws change or your business changes, your policy should reflect that.

3. Customer Due Diligence (CDD)

A strong CDD process is one of the most critical AML audit requirements.

This means:

  • Verifying the identity of all customers before doing business
  • Collecting extra information for high-risk customers
  • Monitoring customer activity over time

CDD isn’t something you do once. It’s ongoing. You must keep an eye on unusual or unexpected behaviour—especially for customers in high-risk industries or countries.

Auditors will check whether you’re actually applying your CDD policy—not just writing about it.

They’ll look at client files, interview staff, and test your onboarding process to make sure it’s working in practice.

4. Suspicious Activity Reporting

Another key AML audit requirement is the ability to detect and report suspicious transactions.

You must:

  • Train staff to spot red flags (e.g. large cash deposits, complex company structures)
  • Have a system for escalating concerns
  • File Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) with the right government agency

Auditors will want to know:

  • Have you ever filed a suspicious activity report?
  • If not, why not?
  • Are your staff aware of the reporting process?

Not reporting suspicious activity is a serious offence. Even if nothing is found, you must be able to prove that you’re checking for suspicious activity regularly.

5. AML Training for Staff

Your staff need to understand what AML is, why it matters, and how to follow your internal processes.

AML training should be:

  • Mandatory for all relevant staff
  • Repeated at least once a year
  • Updated when laws or risks change
  • Documented (attendance, topics, and dates)

Auditors will often ask your team questions to check if they understand their AML responsibilities.

If your staff can’t answer basic AML questions, it may count against you—even if your policies are perfect on paper.

6. Independent AML Audit

You must carry out an independent AML audit at regular intervals.

In many countries (e.g., New Zealand, Australia, UK), this is a legal requirement. The audit must be done by someone who:

  • Is not involved in your day-to-day compliance activities
  • Has enough AML knowledge and experience
  • Can provide an honest and independent review

The audit should check whether your AML program is working in real life—not just whether your documents are in place.

The auditor will test systems, review files, interview staff, and then give you a report with findings and recommendations.

This audit must be documented, and actions must be taken based on the results.

7. Record-Keeping

Keeping proper records is another AML audit requirement. You must store:

  • Customer identification documents
  • Risk assessments and audit reports
  • Training logs and materials
  • Transaction records
  • Suspicious activity reports

In most countries, you must keep these records for at least 5 years.

Auditors will check whether your records are:

  • Easy to access
  • Complete and accurate
  • Stored securely

Missing or poorly stored records are a common AML audit failure point.

8. Governance and Compliance Oversight

Your AML program must have clear leadership and oversight. That means:

  • Someone is responsible for AML compliance (called the Compliance Officer)
  • They have enough authority to make decisions
  • They report regularly to senior management or the board

If your compliance person is too junior, too busy, or not supported, auditors will take notice.

Strong governance shows that AML is taken seriously at all levels of the business—not just as a box to tick.

FAQ: AML Audit Requirements

1. Are AML audits required for all businesses?

No. Only businesses that are classified as reporting entities under your country’s AML laws need to do audits. This includes banks, accountants, law firms, real estate agents, and other financial services. If your business doesn’t handle funds or financial transactions, AML laws might not apply. Always check your local regulations.

2. How often do I need to do an AML audit?

In most countries, AML audits are required every 1–2 years, depending on your industry and risk level. For example, in New Zealand, an independent AML audit is required every two years. However, if your business changes or your risk level increases, it’s smart to do audits more often. Your risk assessment should guide the timing.

3. What happens if I don’t meet AML audit requirements?

If you don’t meet AML audit requirements, you could face serious consequences, including fines, enforcement action, or even prosecution. Regulators may inspect your business, ask for documents, or issue penalties. Even if you’re not fined, failing an AML audit can damage your reputation and relationships with clients, banks, and partners.

4. Can I use a template AML policy?

You can use a template as a starting point, but your AML policy must be tailored to your specific business. Auditors and regulators often reject generic policies because they don’t reflect real risks. It’s better to work with a compliance expert or auditor to adjust the template and make it your own.

5. Who can perform an independent AML audit?

An independent AML audit must be done by someone who is not involved in your daily operations. This can be an external consultant, an audit firm, or a staff member from a different department (if they’re independent). The person should have strong AML knowledge and a structured approach to the audit process.

Final Thoughts

AML audit requirements exist to protect your business and the wider economy from financial crime. Meeting these requirements isn’t just about avoiding penalties—it’s about building trust, improving systems, and staying ahead of risks.

Here’s a quick recap of what you need:

  • Do a proper risk assessment
  • Keep your AML policies current
  • Apply customer due diligence
  • Train your staff regularly
  • Report suspicious activity
  • Keep accurate records
  • Ensure independent AML audits
  • Maintain strong governance

By following these steps, you’ll be ready for your next AML audit—and ready to protect your business.