Over the past three years the average size of regulatory fines for financial companies in the EU and Asia has increased many times over, and some individual cases reached hundreds of millions in local currency. The 2024–2025 sanctions restrictions led to account freezes and license revocations for otherwise stable businesses simply because their compliance system failed to keep up with the changes.
When is a compliance audit mandatory for companies?
Regulatory framework: EU, Asia, CIS
In the work of the COREDO team I see three main drivers that make a compliance audit mandatory:
- direct regulatory requirements,
- conditions of financial licensing,
- sanctions-related and banking expectations regarding sanctions compliance and AML.
In the EU mandatory compliance audits for legal entities are established primarily for:
- credit and payment institutions, electronic money issuers, investment firms (MiFID, PSD2 licenses and their local implementations),
- crypto providers subject to the updated AML directives and MiCA,
- issuers of securities and companies whose securities are traded on regulated markets (requirements on internal control and risk management).
In Asia the picture is more fragmented, but the general trend is similar. In centres such as Singapore and Hong Kong, for licensable financial, payment and crypto companies:
- detailed regulatory requirements for internal control and compliance are established,
- regular monitoring and compliance audits are prescribed, often with involvement of external consultants,
- special attention is paid to compliance and AML (anti‑money laundering), as well as compliance and data protection.
Sectors with mandatory compliance audits
COREDO’s experience shows: regardless of the letter of the law, there are sectors where without a regular audit you will not pass either licensing or banking compliance:
- the financial sector (banks, payment organizations, PSP, EMI, forex dealers, investment companies);
- crypto and fintech services operating in the EU, Singapore, Dubai, Cyprus, Estonia and the United Kingdom;
- companies registering legal entities in the EU with subsequent financial licensing;
- international holdings operating with sensitive markets and currencies: here compliance and risk management are already expected by the banks and partners themselves.
Sanctions, AML and increasing obligations
The 2025 sanctions regime turns compliance and sanctions risks into a key factor making checks mandatory. Banks and payment providers require from clients:
- formalized sanctions compliance,
- procedures for counterparty due diligence and supply chain control,
- evidence that compliance and protection from sanctions for the business are not a declaration but a functioning system.
- KYC/KYB,
- transaction monitoring,
- response to red flags and suspicious transactions,
- work with politically exposed persons and sanctions lists.
Risks of non-compliance: fines and loss of licenses
Companies whose compliance and risk management exist only “on paper” face three types of consequences:
- financial fines and freezing of operations,
- regulatory risks – revocation or suspension of licenses, restrictions on new products and markets,
- reputational losses and severing of relationships with banks, payment providers and key partners.
Stages of a compliance audit from preparation to remediation
A compliance audit is a systematic review of the company’s conformity to laws, standards and internal rules, covering all key stages: from preparation and gathering the regulatory base to identifying and remedying non-compliances. For the audit to be effective, it is important to clearly define its scope and prepare a complete set of data and documents.
Preparation: verification and data collection
When I am asked how to conduct a compliance audit in a company, I always start by defining the perimeter:
- which jurisdictions (EU, Asia, CIS),
- which licenses and types of activities,
- what processes (KYC, sanctions screening, compliance and transaction monitoring, data protection, information security, anti-corruption).
- collects policies, procedures, regulations, process diagrams,
- requests samples of transactions and counterparties’ dossiers,
- analyzes the responsibility structure: compliance manager, legal department, operations unit, IT.
Internal compliance audit: documents and practice
Modern internal audit inevitably goes beyond a ‘paper review’. In our practice it includes:
- document analysis: compliance procedures, AML policies, anti-corruption regulations, compliance and data protection standards, information security;
- interviews with responsible persons: compliance manager, lawyers, operations specialists, risk managers;
- sample testing: how compliance and counterparty control work, how decisions on high-risk clients are documented, how red flags are recorded.
Assessment of conformity with rules and standards
The next layer: formal assessment of compliance and conformity with regulations:
- relevant EU and Asian laws on AML, sanctions, data protection and corporate governance;
- local regulatory requirements for compliance in the financial sector;
- international standards such as ISO 27001 for information security and elements of corporate governance standards.
Audit report: structure and focus
A good report is not just a list of violations. When preparing compliance audit reports I always aim for three things:
- a clear risk map by areas: AML, sanctions compliance, anti-corruption, data protection, information security, contract work;
- reference to standards: specific statutory provisions and regulator requirements that the systems fail to meet;
- impact assessment: legal, financial and reputational risks, impact on licenses and banking relationships.
Corrective measures and roadmap
The next step is recommendations to eliminate compliance gaps. At COREDO we always present them as a roadmap with prioritization:
- quick measures (1–3 months): policy amendments, strengthening counterparty due diligence procedures, additional internal control and compliance for high-risk deals;
- medium-term (3–9 months): implementation or upgrade of IT systems for compliance and process automation, strengthening compliance and information security audit, staff training;
- strategic (9–18 months): restructuring the compliance system, integration with the legal department, updating the compliance risk management model.
Monitoring and repeat checks
An audit is not the end, but a starting point. I always recommend:
- embed regular monitoring and compliance audits into policy,
- conduct selective repeat checks of key processes,
- track compliance and process maturity assessment against predefined KPIs.
The role of legal support and AML in the compliance audit
The role of legal support and AML services in the compliance audit is especially noticeable where companies need not only formal compliance with regulator requirements, but also to build a sustainable risk management system. Legal support and specialized AML services allow the compliance audit to be deeper, more accurate and directly affect the effectiveness of further integration between compliance and the legal service.
Integration of compliance and the legal department
The optimal model is integration of compliance and the legal department:
- lawyers provide legal business support, analyze legal liability, sanctions and regulatory restrictions on transactions;
- the compliance manager and his team are responsible for customer, counterparty, beneficial owner and transaction screening procedures;
- together they establish compliance and legal review of contracts, including sanctions and AML restrictions, reps & warranties, and termination clauses in case of regulatory risks.
AML services as the core of risk control
For companies applying for financial licensing or working with cross-border payments, AML services are no longer an option but a foundation:
- KYC/KYB procedures,
- screening against sanctions and PEP lists,
- transaction monitoring,
- investigation of suspicious transactions and preparation of reports to the regulator.
Company registration and compliance requirements
When registering legal entities in the EU or Asian jurisdictions, incorporation itself is no longer limited to filing documents. Banks, licensing authorities and investors expect:
- a basic compliance system,
- formalized internal control and compliance,
- compliance procedures and management of internal procedures and approval chains for transactions.
Preparation for inspections
policies, but also evidence of their real application. In such cases legal support for business and compliance work together:
- prepare a package of documents for review,
- address possible questions from the regulator,
- prepare an internal presentation of the control and sanctions risk management system.
COREDO’s experience shows: companies that have previously completed an internal compliance audit and implemented corrective measures pass external inspections noticeably more calmly.
Compliance audit under sanctions 2025
The compliance audit under sanctions in 2025 has ceased to be a “checkbox” option and has become a working tool for business survival in international markets. With increasing pressure from regulators and the growth of secondary restrictions, competent sanctions compliance has become a mandatory module of risk control systems and the basis for further steps to adapt to new requirements.
Sanctions compliance: a mandatory module
In 2025, the compliance audit under sanctions became a separate area. It includes:
- checking how sanctions filters are integrated into compliance and transaction controls;
- analysis of the geography of operations, supply chains and the financial stability of counterparties taking into account sanctions regimes;
- assessment of how quickly the company can respond to changes in lists and requirements.
Role of the compliance manager
In the sanctions agenda, the role of the compliance manager in audits is changing:
- from a “document controller” he moves to the role of a risk partner to management;
- participates in the assessment of new markets, products and partnerships;
- is responsible for compliance and the management of sanctions risks and for communication with banks and regulators.
Technology and automation
- automatic sanctions and PEP screening systems,
- transaction monitoring with rules by jurisdictions and types of operations,
- tools for information security and data protection audits,
so that compliance and process automation reduce the human factor and support regulatory requirements in real time.
Practical recommendations for entrepreneurs and managers
For entrepreneurs and managers, a mandatory audit is not just a formality, but an important tool to verify the reliability and transparency of the business. Below are practical steps and recommendations that will help you properly prepare for the audit and pass it with minimal risks.
Preparing for the mandatory audit
If you understand that your industry and jurisdictions make a compliance audit inevitable, I recommend starting with three steps:
- Define the regulatory map: which laws of the EU, Asia, CIS, which standards (AML, sanctions, information security, corporate governance) apply to you.
- Conduct a rapid assessment of the compliance system: whether there are formalized policies, procedures, internal control and compliance, allocation of roles.
- Set a budget and timeline for an internal or external compliance audit in the company.
Internal control and staff training
- regular compliance and staff training reduces operational errors and reputational incidents;
- including compliance indicators in the KPIs of division heads strengthens compliance and the management of reputational risks;
- clear documentation of internal procedure management helps to pass both internal and external audits.
Scaling the compliance system
- modularity of processes: the ability to add new jurisdictions without rewriting the entire system;
- unification of approaches to counterparties and transaction checks;
- use of technologies to reduce manual workload and errors.
KPI and ROI of compliance
- quantitative indicators: client on‑boarding time, share of returns for compliance reasons, number of incidents, volume of detected violations;
- qualitative: results of external inspections, resilience of banking relationships, absence of critical fines.
Actions when discrepancies are identified
- quickly approve corrective measures and a roadmap;
- assign responsible persons and deadlines;
- if necessary, notify regulators or banks about the steps being taken, demonstrating that the situation is under control.
The COREDO team often accompanies clients at this stage, helping to turn a crisis into an opportunity to strengthen the system and reinforce the trust of regulators and partners.
Mandatory compliance audit for business
- it reduces the risks of non-compliance with laws,
- protects against sanctions, fines and blockages,
- supports the company’s financial transparency and ethical resilience,
- facilitates the registration of legal entities in the EU, obtaining licenses and working with international banks.
Table of mandatory compliance audits by regions and industries
| Region / Industry | Mandatory compliance audit | Key regulations and requirements | Features and risks |
|---|---|---|---|
| EU (financial sector) | Mandatory | AML directives, GDPR, financial licensing regulations | High fines, license revocations, sanctions-related restrictions |
| Asia (international business) | Partially mandatory | Local regulations, AML, anti-corruption and sanctions rules | Heterogeneity of standards, complexity of process integration |
| CIS (regulated industries) | Mandatory | National AML laws, regulator requirements, sanctions | Risks of blocks, fines and significant reputational losses |