In recent years, the amounts of fines for AML compliance breaches in the EU have consistently exceeded €6–7 billion annually, with a significant portion of regulators’ claims related not to “criminal” transactions but to banal gaps in documentation and poor preparation for an AML audit. At COREDO we regularly see companies with strong businesses lose accounts, licenses and spend months “unfreezing” operations simply because, at the time of the AML review, they do not have a systematic checklist of documents.
If you are scaling in the EU, entering Asia or developing business in the CIS countries, the key question is not “will the company pass an AML audit”, but: “what will the damage be if you enter the audit unprepared?” Lost months, blocks, frozen payments to partners, deal failures and banks’ risk reassessments — this is the reality my team faces in client cases every quarter.
In this guide I will go through which documents are needed before an AML audit in 2025, how to build a practical AML audit checklist under FATF AML standards, 6AMLD, AMLR and the future supranational regulator AMLA, and I will show, using live COREDO cases, how preparing for an audit turns from a formality into a tool for strategic risk management.
AML audit checklist
The minimum set of documents I expect to see at a company before an internal or external AML audit in Europe, Asia or the CIS usually includes:
– AML / CFT policy and CDD/EDD procedures
– KYC documents for clients (individuals and corporates)
– documents on ultimate beneficial owners (UBO) and ownership structure
– beneficial ownership registry / register of controlling persons (where mandatory)
– transaction monitoring logs and rules for transaction anomaly detection
– log of suspicious activity reports (SAR) and correspondence with regulators/banks
– PEP identification and sanctions watchlist / adverse media reports
– results of risk assessment with a description of the risk-based AML approach
– training logs for staff training on AML procedures
– audit trail documentation on key compliance decisions.
At COREDO we structure this into a table for convenience (simplified version):
| Document/artifact | Purpose in AML audit | Risk if absent |
|————————————–|—————————————————–|———————————————-|
| AML / CFT Policy | To demonstrate the existence of a robust compliance framework | Fines, claims against management |
| CDD/EDD procedures | To show how you apply FATF AML standards | Being classified as a high-risk institution |
| KYC files on clients | To confirm a correct onboarding workflow | Account blocks/licenses |
| UBO register / beneficial owners AML | Disclosure of ownership structure | suspicion of circumventing sanctions/taxes |
| Transaction monitoring logs | Confirmation of post-monitoring | accusations of failing to detect suspicious transactions |
| SAR reports | Demonstration of interaction with the FIU | questions about non-reporting in clear risk cases |
| PEP / sanctions screening reports | Screening of high-risk persons and jurisdictions | sanctions and reputational risks |
| Risk assessment / risk model | Justification of the risk-based AML approach | tick-box accusations from auditors |
| Training & internal audit reports | Confirmation of AML program maturity | findings of merely formal compliance |
Next, we’ll examine each block in more detail.
AML audit: what it is and why you should prepare documentation
By AML audit I always mean not only a formal inspection, but also a stress test of your entire anti-money laundering and counter-terrorist financing risk management system:
– internal AML audit (internal AML audit): your own review or an audit commissioned from an independent consultant before the regulator or bank arrives;
– external AML audit: an inspection by the licensing authority, AMLA / national supervisor, central bank or an auditor accredited by the regulator.
Essentially, an AML audit is a check of how well your compliance framework aligns with FATF recommendations, 6AMLD requirements, future AMLR regulations and national AML laws.
– reduces the risk of false positives, since you can calibrate rules, revise the risk model and explain the logic of filters to the auditor;
– reduces false negatives — at the internal review stage COREDO often finds clients or transactions that external audits would later certainly flag.
According to European banking associations, up to 40% of business account blocks in the EU are related to incomplete KYC and unstructured client data, rather than actual AML violations. This is an area that proper preparation for an AML audit fully controls.
Documents for AML audit and KYC
Any AML audit checklist starts with KYC documents. This is the foundation on which the entire AML review relies.
Basic set of KYC verification documents:
– for individuals:
– passport / ID;
– proof of address (utility bill, bank statement, eID);
– source of income / source-of-funds verification (salary, dividends, asset sales);
– for companies:
– incorporation documents, registration certificate;
– charter / articles of association;
– list of directors and shareholders;
– licenses (banking, payment, investment, crypto, etc.);
– UBO information.
To simplify the structure for clients, at COREDO we use a table:
| Client type |Required files | Storage format |
|————————–|————————————————–|—————————————–|
| Individual | Passport, proof of address, SOF/SOW | PDF/scan + structured fields in CRM |
| Corporate client | Reg. documents, charter, licenses, UBO data | DMS + linked record in AML system |
| Trust / fund | Trust deed, settlor/beneficiaries data | DMS + separate UBO/beneficial owners AML module |
Preparing for an AML audit using a risk-based approach
A modern AML audit relies on a risk-based AML approach. Regulators and the AMLA expect that you:
– segment clients by risk (using customer risk scoring);
– take into account geographic risk profiling (high-risk jurisdictions in Asia, offshore centres, countries with special sanctions regimes);
– document source-of-funds verification and enhanced Due Diligence (EDD) for elevated risks.
COREDO’s practice has shown: companies that document the risk assessment in a separate package for the AML audit (a separate file on the risk model, protocols of its review, committee minutes), pass external AML audits more easily. It’s easier for the auditor to see not an «ideal world», but your conscious risk management model.
Classic cycle:
- Initial KYC / CDD at onboarding.
- Enhanced checks (EDD) for high-risk clients (PEP, complex structures, high-risk jurisdictions).
- Ongoing post-onboarding monitoring (transaction monitoring, adverse media, sanctions).
- Periodic risk model review and KYC document updates.
Trend for 2025: shift to digital onboarding, eKYC for AML and biometric identification, especially in fintech, payment companies, crypto services, and online banking.
A separate area that the COREDO team is currently working on most often: how to prepare KYC documents for an AML inspection in 2025 taking into account eIDAS, 6AMLD and the expected AMLRs:
- ensure the legal validity of eKYC (electronic signatures, verifiable identifiers);
- set up KYC storage with proper data normalization (unified formats for names, addresses, identifiers for subsequent screening);
- integrate APIs for AML screening with main sanctions watchlists and adverse media.
eKYC documents for AML audits of non-bank companies
For non-bank companies (realtors, investment platforms, PSPs, venture funds) requirements for eKYC documents are often less formalized, but the practical responsibility is the same.
In one of COREDO’s projects for a large real estate holding in the EU, we built a list of documents for an internal AML audit of realtors taking eKYC into account:
– scans of IDs + selfie / video identification;
– address verification via utility APIs;
– confirmation of source of funds for large transactions (investment migration, purchase through an SPV);
– verification logs via API for AML screening (PEP, sanctions, adverse media).
Comparison of approaches:
| Method | Advantages | 6AMLD / 2025 requirements |
|—————–|———————————————–|———————————-|
| Traditional KYC | Understood by regulators, easy in an audit | Must be digitized and have a trail |
| eKYC | Speed, scalability, digital onboarding | Reliable identification, data protection, audit trail |
Beneficial Owners AML and UBO Registry
– completeness of disclosure of ultimate beneficial owners (UBO);
– maintenance and updating of the beneficial ownership registry;
– documenting the chain of ownership, including trusts, funds and SPVs.
At COREDO we often conduct a corporate structure audit for clients prior to an AML audit: we build an ownership map, check sanctions risks at each level, and analyze the 50% rule in relation to sanctions. For businesses from the CIS, non-disclosure of UBOs in the EU and the UK already leads to:
- refusal to open accounts;
- refusals of licenses;
- blocking during attempts at M&A or investment migration.
Your AML audit checklist must include:
- up-to-date shareholder registers;
- group structure documents;
- protocols for updating UBO data;
- compliance with national registers (where they are mandatory).
AML compliance checklist for an audit
For a sustainable business I always separate two levels of review:
- internal AML audit, a regular self-check that allows you to see gaps before a regulator or bank;
- external AML audit / AML compliance audit – audits by regulators, the AMLA, central banks, licensing authorities, as well as independent external auditors.
A well-structured internal AML audit is a tool for regulatory fine mitigation and for increasing AML program maturity.
– share of false positives in AML screening and the trend of their reduction;
– alert handling and escalation time;
– share of cases that result in suspicious activity reports (SAR);
– average time to prepare SARs;
– number of violations identified in a test audit vs. external AML audit.
For realtors, fintech platforms, and payment companies we build the internal AML audit around documents and logs.
| Category | Examples of documents | Frequency of review |
|——————————|———————————————–|————————-|
| Policies and procedures | AML policy, KYC/CDD/EDD, SAR procedures | Annually / on changes |
| Client files (KYC) | KYC packs, risk scoring, UBO data | Selectively quarterly |
| transaction monitoring | Transaction monitoring logs, velocity checks | Monthly |
| Screening & PEP | PEP screening AML reports, sanctions lists | Continuously + sampling |
| Third parties | third-party risk assessment for providers | Annually |
| Training | Training logs, employee tests | Annually|
| Internal findings | Internal AML audit reports | Quarterly |
Separately, we include verification of transaction anomaly detection – how the rules are configured, what types of scenarios are used, how manual reassessment is documented.
Preparing SAR reports before an AML audit
For many companies the weak spot is the SAR block. Regulators and banks look not only at the fact of filing suspicious activity reports (SAR), but also at:
– the quality of case descriptions;
– the justification of suspicions;
– the linkage between transaction monitoring logs and the decision taken;
– the presence of audit trail documentation for each SAR case.
A task that COREDO is often approached with: preparing SAR reports before an external AML audit and establishing a standard that complies with FATF recommendations and the requirements of FIUs in different jurisdictions.
– AI tools and graph neural networks (GNN) for analyzing relationships and patterns;
– implementation of velocity checks and behavioral scenarios;
– calibration of rules to reduce false positives while maintaining low false negatives.
AML requirements 2025: 6AMLD, AMLR, AMLA
– 6AMLD requirements strengthen criminal liability and expand the list of predicate offences;
– AMLR regulations move some requirements from directives (minimum harmonization) into direct regulations (uniform rules for all EU countries);
– AMLA (Anti-Money Laundering Authority) is being created, which will gain oversight of large financial institutions and will set AMLA guidelines and an AMLA compliance checklist.
For companies this means: the document checklist before an AML audit in the EU ceases to be local – you need a single standard that will withstand scrutiny in multiple countries (multi-jurisdictional compliance).
When we at COREDO prepare for a hypothetical AMLA inspection, we focus on changes to the checklist:
| Regulatory block | New requirement | Documents in the checklist |
|————————|————————————-|———————————————|
| 6AMLD | Expanded list of offences | Updated risk assessment, policy |
| AMLR | Uniform minimum CDD standards | Unified procedures and KYC templates |
| AMLA | Centralized supervision | Cross-jurisdictional risk reports |
This favors companies that have already implemented:
- a unified compliance framework across all countries of operation;
- a standardized AML audit checklist;
- a central data repository with quality audit trail documentation.
PEP screening, AML and sanctions lists
The PEP screening, AML and sanctions checking block is one of the first areas any auditor examines.
A quality process includes:
- PEP identification taking into account local and international lists;
- end-to-end screening against sanctions watchlists (OFAC, EU, UK, UN, etc.);
- monitoring adverse media with multilingual data screening (especially important for Asia and the CIS);
- use of fuzzy logic screening to find variants of name spellings.
– explainable AI in AML to explain why the system flagged a particular client;
– tools that help reduce false positive alerts without increasing blind spots.
Optimization before an AML audit
When transaction volumes grow, manual management of AML risks becomes disproportionately expensive.
In practice the COREDO team combines:
- No-Code AML integration – visual builders for quick rule changes without developer intervention;
- APIs for AML screening – connections to sanctions, PEP, and adverse media databases;
- continual learning in AML and GNN models, adapting rules as new data arrives;
- homomorphic encryption (FHE): where joint analytics with partners is required without revealing raw data.
The goal is to simultaneously:
- reduce the burden on the team;
- reduce false positive alerts;
- prepare the system for peak audit loads (regulator requests, bank inspections).
In one Asian fintech group that the COREDO team worked with, moving to a combination of No-Code AML and explainable AI in screening allowed:
- to reduce false positives by more than 35%;
- and at the same time cut the time to prepare materials for an AML audit by about half.
KPI metrics and AML testing
Any automation without metrics quickly loses manageability. Before a major regulatory AML audit we establish:
- KPI metrics to assess AML procedures before the audit:
- False positive rate and trends;
- average alert handling time;
- the share of alerts that became SARs;
- SLA for updating sanctions lists;
- testing AML procedures before the regulatory audit: essentially a rehearsal of the external AML audit.
How to prepare for an AML audit in 2025
To turn theory into a clear action plan, I use the structure with which we at COREDO approach projects in the EU, Asia and the CIS.
| Step | Timeline (estimate) | Responsible |
|————————————–|————————–|——————————|
| Assessment of the current AML framework| 2–4 weeks | Compliance / external consultants |
| Updating policies for 6AMLD/AMLR | 2–3 weeks | Compliance + lawyers |
| Inventory of KYC / UBO files | 3–6 weeks | AML / operations unit |
| Setting up eKYC and screening | 4–8 weeks | IT + AML |
| Optimization of transaction monitoring| 4–6 weeks | AML / risk management |
| Pilot internal AML audit | 3–4 weeks | Internal audit / COREDO |
| Corrective actions | 4–8 weeks | Management + functions |
| Preparation for external audit | 2–4 weeks | Compliance + external consultants |
In practice at COREDO we adapt this plan to the company’s scale, types of licenses (crypto, payment, investment, forex, banking) and jurisdictions (EU, United Kingdom, Singapore, Dubai, Czech Republic, Slovakia, Estonia, etc.).
Key findings and recommendations
If you summarize the dozens of projects the COREDO team has implemented in Europe, Asia and the CIS, the picture looks like this:
- A complete, living AML audit checklist: your best tool against fines and account freezes. It speeds up registrations and Licensing, and reduces the risk of tough questions from regulators and banks.
- Regular internal AML audits with a clear set of documents and KPIs raise your AML program maturity and make an external audit a manageable event, not a crisis.
- Investing in eKYC, No-Code AML and explainable AI in AML today means securing flexibility and ROI over a 3–5 year horizon, especially with rising transactions in Asia and multi-jurisdictional business.
If you need a practical AML audit checklist for a specific jurisdiction or you plan licensing and scaling in the EU, Singapore, Dubai or other regions, the COREDO team can run a rapid assessment for you, build a customized AML checklist and perform a trial audit before the regulator.