AML Audit

Independent review of your company’s AML system: policies, CDD procedures, documentation, and team competencies. COREDO has conducted AML audits since 2016 for EMI, PSP, crypto companies, and other regulated entities in the EU and beyond — including the United Kingdom, Canada, Singapore, the UAE, and Switzerland.

Cost of the service: from EUR 4,000

Regulatory Context: Why an AML Audit Is Necessary

European anti-money laundering legislation has undergone a major overhaul. In May 2024, a package of three acts was adopted: Regulation (EU) 2024/1624 (AMLR), Directive (EU) 2024/1640 (AMLD6), and Regulation (EU) 2024/1620 establishing the Anti-Money Laundering Authority (AMLA). AMLR and AMLD6 take full effect from 10 July 2027, replacing AMLD4 and AMLD5.

Under AMLR 2024/1624, obliged entities must appoint a compliance manager, ensure they have sufficient resources, and grant them the authority to implement the required measures. AMLD6 establishes the requirement for the management body to review the compliance officer’s report annually, taking into account the findings of internal or external AML audits (EBA Guidelines EBA/GL/2022/05).

In the Czech Republic, the primary act remains Act No. 253/2008 Coll. on Certain Measures against the Legalisation of Proceeds from Crime and Terrorist Financing, with significant amendments that came into force on 1 May 2024. The amendments broadened the scope of obliged entities, updated client identification requirements, and tightened supervision by the Financial Analytical Unit (FAÚ).

From 2028, AMLA in Frankfurt will exercise direct supervision over the largest financial groups operating in six or more EU member states. For other entities, national regulators will continue to oversee compliance with the single rulebook. Regular independent AML audits are a way to identify gaps proactively and address them before an inspection.

AML Requirements Beyond the EU

Anti-money laundering regulation extends far beyond the European Union. COREDO works with clients in jurisdictions where AML requirements are as stringent as those in the EU, and in some cases more granular.

United Kingdom. Post-Brexit, the UK maintains its own AML framework. The foundation is the Money Laundering Regulations 2017 (MLR 2017) with subsequent amendments. The Financial Conduct Authority (FCA) supervises financial institutions, EMIs, and crypto services registered in the FCA register. The FCA requires supervised entities to have a designated MLRO and conduct regular risk assessments — an independent audit helps demonstrate compliance with these requirements.

Canada. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) governs AML obligations for companies registered as Money Services Businesses (MSB) with FINTRAC. The Canadian regime imposes specific compliance programme requirements, including a risk assessment every two years and an independent review of the AML system’s effectiveness. COREDO conducts such reviews for Canadian MSBs.

Singapore. The Monetary Authority of Singapore (MAS) regulates financial organisations under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA) and the Payment Services Act 2019. MAS imposes rigorous CDD and transaction monitoring requirements, including for digital payment token providers.

Dubai and the UAE. The Virtual Assets Regulatory Authority (VARA) in Dubai and the Securities and Commodities Authority (SCA) at the federal level impose AML requirements on crypto companies and financial intermediaries. For organisations obtaining a VARA licence, passing an AML audit is one of the conditions for registration and periodic reporting.

Switzerland. The Swiss Financial Market Supervisory Authority (FINMA) oversees AML compliance through the Anti-Money Laundering Act (AMLA) and FINMA ordinances. Crypto companies joining self-regulatory organisations (SROs) must demonstrate a functioning AML system — a COREDO audit helps prepare for this process.

What an AML Audit Is and What COREDO Does

An AML audit is an independent, documented assessment of how well a company’s AML/CFT system complies with applicable law and internal policy. It is not a financial statement review — it is a review of processes and control mechanisms.

COREDO offers three audit packages with clearly defined scope.

Basic AML Audit

from EUR 4,000 + VAT

  • Analysis of internal AML policies and procedures.
  • Assessment of compliance with current AML legislation.
  • Preparation of a list of recommendations for addressing identified gaps.
  • This is the baseline level — optimal for companies conducting an audit for the first time or updating documentation following legislative changes.

Extended AML Audit

from EUR 6,000 + VAT

  • Includes everything in the Basic package.
  • Review of Customer Due Diligence (CDD) practices: how closely the actual client identification and verification process aligns with internal policies and regulatory requirements.
  • Recommended for companies with an active client base or before submitting a licence application.

Comprehensive AML Audit

from EUR 8,000 + VAT

  • Combines the Basic and Extended packages.
  • Structured interviews with key staff: the compliance officer, MLRO, and KYC specialists. Interviews allow assessment of the team’s actual AML competencies and understanding of their responsibilities — which is precisely what regulators examine during inspections.
  • Recommended as pre-regulatory preparation or when undertaking a thorough overhaul of the AML system.

The final price is determined based on the size of the company, number of clients, geography of operations, and composition of management bodies. To receive an accurate quote for your situation, submit an application.

Each package results in a written report classifying identified non-compliances (critical, significant, advisory) and a specific remediation plan.

Who the AML Audit Is For

The audit is mandatory or strongly recommended for organisations that fall within the list of obliged entities under AMLR 2024/1624 and AMLD6, as well as the national legislation of EU member states.

COREDO’s clients include electronic money institutions (EMI) and payment institutions (PI/PSP) operating under PSD2 and EMD2. Banks and credit institutions are subject to direct oversight by national regulators (ČNB in the Czech Republic, Lietuvos bankas in Lithuania, Finantsinspektsioon in Estonia, KNF in Poland) and require regular independent verification of their AML processes.

Crypto services — crypto-asset service providers (CASPs under the MiCA regime, Regulation (EU) 2023/1114) and custodial wallet providers — became obliged entities in the EU following the adoption of AMLR. For them, an AML audit is often a mandatory condition for obtaining or retaining a CASP licence.

Companies preparing for a regulatory inspection or to submit a licence application (EMI, PSP, CASP) use an AML audit as a preventive measure: it helps identify non-compliances before an official review. In addition, banks increasingly require documentation on the status of an AML system as part of due diligence when opening corporate accounts — an audit report serves as compelling evidence here.

Beyond the EU, COREDO’s clients include companies registered as MSBs in Canada (FINTRAC), FCA-regulated organisations in the United Kingdom, MAS licence holders in Singapore, and companies operating under VARA jurisdiction in Dubai. For each jurisdiction, COREDO adapts the audit methodology to local regulatory requirements while maintaining a consistent report structure.

The Process: From Request to Report

A standard COREDO AML audit proceeds in four stages and takes 30–40 business days from receipt of all requested documentation.

Preparation, 3–5 days

COREDO sends a documentation request: internal AML policies, client identification procedures, risk assessment templates, training logs, and sample client files (anonymised). The client submits documents via a secure channel.

Document analysis, 10–20 days

Experts verify the completeness and currency of policies, cross-reference them against AMLR, AMLD6, and local legislation requirements, and assess CDD processes for the Extended and Comprehensive packages.

Interviews, Comprehensive only, 3–5 days

Structured conversations are held with staff responsible for AML compliance. The aim is to assess practical process understanding, not just paper compliance.

Report preparation, 5–10 days

COREDO prepares the final document: classification of non-compliances, risk level assessment, and specific recommendations with remediation priorities.

Our Experts

The AML audit is led by COREDO’s specialist team with experience in compliance support for financial and crypto organisations since 2016.

Grigorii Lutcenko
Head of Compliance at COREDO. Has headed the AML/CFT division since December 2020, specialising in audits, policy development, and regulatory engagement.
Egor Pykalev
Senior Compliance Specialist. Since February 2022, he has been involved in the practical implementation of AML projects: reviewing CDD processes, assessing client files, and supporting regulatory requests.

Frequently Asked Questions

Is an AML audit required by law?

There is no direct requirement for an external AML audit under AMLR or AMLD6 — what is mandatory is internal control and regular assessment of the AML system. However, AMLD6 requires the management body to review the compliance officer’s report annually, taking into account the findings of any AML/CFT audits (internal or external). Some national regulators, and banks when opening accounts, explicitly request the results of an external audit.

Can an AML audit replace a regulatory inspection?

No. The COREDO AML audit is an independent consultancy review. It is not an official inspection by the regulator. However, its findings help address non-compliances before the regulator conducts an inspection and serve as documentary evidence of the company’s good faith.

Is an audit necessary if we already have an internal compliance officer?

Yes. An internal compliance officer oversees ongoing compliance but cannot provide an independent perspective. Regulators and partner banks view an external audit as confirmation of the objectivity of the assessment — precisely because it is conducted by an independent party.

How soon will the AML system need to be updated in connection with the new regulation?

AMLR 2024/1624 and AMLD6 2024/1640 apply from 10 July 2027. The transitional period should be used for a gap analysis and phased implementation. We recommend conducting an initial audit in 2025–2026 to have sufficient time to address gaps.

Do you work with companies outside the Czech Republic?

Yes. COREDO conducts AML audits for organisations worldwide: in EU member states, the United Kingdom, Canada, Singapore, the UAE, Switzerland, and offshore jurisdictions. Internal policies are reviewed for compliance with the local legislation of the country of registration — whether that is AMLR/AMLD6 for the EU, MLR 2017 for the UK, PCMLTFA for Canada, or CDSA and the Payment Services Act for Singapore.

What happens if critical non-compliances are identified during the audit?

In the final report, each non-compliance is classified by severity and accompanied by a specific recommendation. Critical violations are flagged as first-priority items with a description of the necessary actions. COREDO is ready to assist with the development of revised policies as part of a separate AML support engagement.

Submit Application

Contact the COREDO team to discuss the scope of the audit and receive an individual cost estimate.

COREDO – EU Legal & Compliance Services. Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.